[clamav-users] freshclam frequency ?

Joel Esler (jesler) jesler at cisco.com
Wed Sep 2 12:03:50 UTC 2020


Several of the problems that we’ve observed are things like a dockerized container or a VM that is reset constantly, so instead of being able to download the cdiffs, those machines have to download the whole daily/main. Those could benefit from a local mirror.

Abusers are present but infrequent. If you’re using freshclam, you’re doing it right. If you have python or curl downloading everything every 5 minutes — I’m going to block you.

Sent from my iPhone

> On Sep 2, 2020, at 07:54, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> Hi there,
> 
>> On Wed, 2 Sep 2020, Andrew C Aitchison via clamav-users wrote:
>> 
>> The sample freshclam.conf ...
>>       # Default: 12 (every two hours)
>> ...
>> but https://blog.clamav.net/2020/07/freshclam-cdiffs-effect-on-bandwidth.html
>> ...
>>       2. Reduce the checks to once or twice a day.
>> 
>> Would it make sense to make these agree ?
> 
> +1
> 
> Bear in mind that a normal freshclam database update check (which is
> just a DNS query) doesn't necessarily result in the download of any
> file - not even of a .cdiff file.
> 
> In the same blog post it says that the databases are only updated once
> per day.  In view of the types of threat that some folks have to deal
> with that seems a little infrequent, although I do understand that
> there are pressures on resources. Also bear in mind that if the update
> frequency is once per day both at the server and at the client, then
> if the timings are unfortunate the delay between an update at source
> and the update by a client could be almost _two_ days.
> 
> Finally the blog post talks about a small number of IPs which seem to
> be downloading the main and daily databases tens of thousands of times
> per day.  While I suppose it is plausible that these are deliberately
> malicious downloads it seems more likely to me that the explanation is
> incompetence in large organizations which have a lot of workstations
> behind NAT firewalls.  I suspect a local caching proxy or mirror could
> eliminate some of the problems, but the blog post does not mention it.
> 
> -- 
> 
> 73,
> Ged.
> 
More information about the clamav-users mailing list
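
An added example, not part of the original thread and not ClamAV's own code: a check a local-mirror operator could run over one day of access logs to spot the pattern discussed above, clients that keep fetching the full main/daily databases instead of cdiffs. The combined log format, the sample lines and user-agent strings, the threshold and the name `find_heavy_clients` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed combined log format: ip - - [ts] "GET path HTTP/x" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
FULL_DB_RE = re.compile(r'/(main|daily)\.c[vl]d$')   # whole database file
CDIFF_RE = re.compile(r'/(main|daily)-\d+\.cdiff$')  # incremental update

def find_heavy_clients(lines, max_full_per_day=4):
    """Return {ip: [reasons]} for clients whose downloads look wasteful."""
    stats = defaultdict(lambda: {"full": 0, "cdiff": 0, "agents": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # skip unparsable lines and anything not served in full
        s = stats[m["ip"]]
        if FULL_DB_RE.search(m["path"]):
            s["full"] += 1
            s["agents"].add(m["ua"])
        elif CDIFF_RE.search(m["path"]):
            s["cdiff"] += 1
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["full"] > max_full_per_day:
            reasons.append(f"{s['full']} full database downloads")
        if s["full"] > 1 and s["cdiff"] == 0:
            reasons.append("never fetches cdiffs")
        if s["full"] > 1 and any(not ua.startswith("ClamAV/") for ua in s["agents"]):
            reasons.append("full downloads from a non-freshclam client")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample data (documentation IP ranges, made-up timestamps and sizes)
def _line(ip, path, ua):
    return (f'{ip} - - [02/Sep/2020:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 1024 "-" "{ua}"')
FRESHCLAM = "ClamAV/0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)"
SAMPLE = (
    [_line("192.0.2.10", "/daily.cvd", FRESHCLAM)]
    + [_line("192.0.2.10", f"/daily-{n}.cdiff", FRESHCLAM) for n in (25916, 25917)]
    + [_line("198.51.100.7", "/daily.cvd", "curl/7.68.0")] * 6
    + [_line("203.0.113.5", "/main.cvd", FRESHCLAM)] * 3
)

print(find_heavy_clients(SAMPLE))
```

In the sample, the third client uses freshclam but never gets a cdiff, which is what a constantly reset container or VM looks like from the mirror's side.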