[clamav-users] Freshclam - can't apply latest patch 26246

Andrew C Aitchison clamav at aitchison.me.uk
Thu Jul 29 10:18:40 UTC 2021


On Thu, 29 Jul 2021, Asenova, Elia via clamav-users wrote:

> Thanks for the replies. Yes, deleting daily.cld fixed the
> problem. My concern is that I'm building a docker image with clamav
> inside it and I have to delete daily.cld on every new build if I
> want freshclam to work correctly the first time. About the
> subsequent runs when I tried to run freshclam on two different pods
> after image deploy, daily.cld was updated to the latest version only
> on one of them. These are the logs for both pods:
>
> #1st pod (successful update):
> Connecting via dnat.genesaas.io
> ClamAV update process started at Thu Jul 29 08:54:30 2021
> daily database available for update (local version: 26231, remote version: 26246)
> Current database is 15 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time:   21.8s, ETA:    0.0s [========================>]   54.95MiB/54.95MiB
> Testing database: '/var/lib/clamav/tmp.98ba2d17af/clamav-474d295bd3248aa18d6abaf0dc93f952.tmp-daily.cvd' ...
> Database test passed.
> daily.cvd updated (version: 26246, sigs: 1964581, f-level: 90, builder: raynman)
> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Start with daily 26233 (or better whatever is the latest today) and main 61.
By starting with daily 26231 and main 59 you immediately have to do a major
(once in maybe six months) update.

As Matus and Ged have suggested, you should not need to install the 
database on each docker instance.
Unless you have a large anti-virus farm, you don't even need to *run* the
clamd daemon on every VM. Start up a single remote clamd server and the 
other VMs can pass their scans to your clamd server with clamdscan.


> 2nd pod (unsuccessful update):
> Connecting via dnat.genesaas.io
> ClamAV update process started at Thu Jul 29 09:14:16 2021
> daily database available for update (local version: 26231, remote version: 26247)
> Current database is 16 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time:   26.5s, ETA:    0.0s [========================>]   54.95MiB/54.95MiB
> Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
> daily database available for update (local version: 26231, remote version: 26247)
> Current database is 16 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time:   28.0s, ETA:    0.0s [========================>]   54.95MiB/54.95MiB
> Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
> daily database available for update (local version: 26231, remote version: 26247)
> Current database is 16 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time:   25.5s, ETA:    0.0s [========================>]   54.95MiB/54.95MiB
> Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

> What might be the reason of this inconsistent behavior?

From those logs it appears that daily 26247 was advertised between the two runs,
but hadn't reached the mirror that you downloaded from.


> And about the ReceiveTimeout this is what I have in freshclam.conf:
> # Maximum time in seconds for each download operation. 0 means no timeout.
> # Default: 0
> #ReceiveTimeout 1800

> So, it should have no timeout, right?

I would add a line
   ReceiveTimeout 0
to be sure. Sometimes the commented-out line reflects the actual default.

-- 
Andrew C. Aitchison					Kendal, UK
 			andrew at aitchison.me.uk
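
The following is an added example, not part of the original message and not ClamAV project code: a small triage function that classifies a freshclam run from the log lines quoted in this thread, separating a failed cdiff that fell back to a full download from a mirror that served an older CVD than was advertised. The function name `triage`, the status labels and the condensed sample logs are assumptions made for the illustration.

```python
import re

ADVERTISED = re.compile(r"daily database available for update "
                        r"\(local version: (\d+), remote version: (\d+)\)")
UPDATED = re.compile(r"daily\.c[lv]d updated \(version: (\d+)")
PATCH_FAIL = "downloadPatch: Can't apply patch"
STALE = "Received an older daily CVD than was advertised"

def triage(log: str) -> dict:
    """Classify one freshclam run for the daily database (hypothetical helper)."""
    local = advertised = installed = None
    patch_failures = stale_retries = 0
    for line in log.splitlines():
        if (m := ADVERTISED.search(line)):
            local, advertised = int(m[1]), int(m[2])
        elif (m := UPDATED.search(line)):
            installed = int(m[1])
        elif PATCH_FAIL in line:
            patch_failures += 1
        elif STALE in line:
            stale_retries += 1
    if advertised is None:
        status = "no-update-advertised"
    elif installed is not None and installed >= advertised:
        # Up to date, but a failed cdiff means the full CVD was fetched instead.
        status = "updated-full-download" if patch_failures else "updated"
    elif stale_retries:
        status = "stale-mirror"   # mirror served an older CVD than advertised
    elif patch_failures:
        status = "patch-failed"
    else:
        status = "unknown"
    return {"status": status, "local": local, "advertised": advertised,
            "installed": installed if installed is not None else local,
            "patch_failures": patch_failures, "stale_retries": stale_retries}

# Constructed sample input: lines condensed from the two pod logs in the thread.
POD1 = """\
daily database available for update (local version: 26231, remote version: 26246)
ERROR: downloadPatch: Can't apply patch
daily.cvd updated (version: 26246, sigs: 1964581, f-level: 90, builder: raynman)
"""
POD2 = """\
daily database available for update (local version: 26231, remote version: 26247)
ERROR: downloadPatch: Can't apply patch
Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
"""

if __name__ == "__main__":
    for name, log in (("pod1", POD1), ("pod2", POD2)):
        print(name, triage(log))
```

A pod left in `stale-mirror` is still running the signature set baked into the image, so the reported `installed` version is the one to alert on.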

