[clamav-users] Manually copy and use local filesystem as DownloadMirror/PrivateMirror
G.W. Haywood
clamav at jubileegroup.co.uk
Mon May 17 17:36:26 UTC 2021
Hi there,
On Mon, 17 May 2021, ANISH SHETTY via clamav-users wrote:
> The machines are running SLES12 ... we need to have an antivirus
> solution in place to meet some compliance requirements mandated by
> the government ...
I used to work for our government (the UK's nuclear power programme,
mostly on security, but that's not important). The site I worked at
was out in the boondocks (in case it blew up) and was home to about
5,000 people. There was a sports club, financed by the government,
just outside the perimeter fence. I went to that club for ten years.
A guy - a plumber by trade - a big fellow, who used to throw us all
around at the judo sessions, said to us out of the blue one day,
"An elephant is a greyhound, built to government specifications."
That made us fall about laughing.
I feel your pain.
My 'virusdb' mail box contains the daily feed of mail messages from
the ClamAV virus DB updates. As you see below in the last three weeks
there have on average been more than 350 new virus signatures per day.
This is quite apart from the typically more than a dozen but perhaps
as many as 50 signatures which might daily be dropped.
$ grep 'New Sigs' ~/mail/lists/virusdb | tail -n 20
New Sigs: 762
New Sigs: 283
New Sigs: 244
New Sigs: 119
New Sigs: 325
New Sigs: 197
New Sigs: 367
New Sigs: 432
New Sigs: 453
New Sigs: 406
New Sigs: 525
New Sigs: 235
New Sigs: 249
New Sigs: 401
New Sigs: 628
New Sigs: 95
New Sigs: 172
New Sigs: 69
New Sigs: 221
New Sigs: 853
New Sigs: 372
> ... if this approach doesn't make sense for quarterly cycle, I can
> think of pushing them each month.
Apart from just complying with some crackpot regulations, I think
you're wasting your time. You may risk giving yourself (and perhaps
ClamAV) a bad reputation with your clients. Based on the numbers
above, even if you update every month you can expect to be missing
over ten thousand signatures after 30 days, and you'll have quite a
few which are known to be suspect - some of which could be false
positives - which clients will be stuck with for a month, and which
may even be more trouble to you than the signatures you don't have.
At least there's the option of maintaining your own 'ignore' lists.
Having said all that
$ grep ' \* ' ./mail/lists/virusdb | tail -n 10000 | sed -e 's/\..*//;' | sort | uniq -c | sort -n
1 * Andr
1 * Lnk
1 * Rtf
1 * Swf
1 * Vbs
2 * Img
2 * Osx
2 * Ps1
3 * Doc
4 * Ole2
4 * Xls
16 * PUA
19 * Archive
35 * Pdf
36 * Multios
63 * Unix
68 * Email
98 * Txt
765 * Html
8878 * Win
as you can see the vast majority of virus signatures are for Windows
threats, to which your SLES machines are immune. That doesn't mean
that they couldn't be compromised and then used to attack machines
which are not immune.
If you can keep a local copy of the database up to date and you have
direct (write) access to the client machines there must be dozens of
ways to keep them updated from a local copy. For example you could
schedule a task on each client to update its own temporary copy from
your master, then replace the working copy with the temporary copy on
the client in some way that makes the operation atomic. Without more
information about the connectivity issues your clients face I can't
really offer more than hand-waving suggestions like that, but just
from the point of view of network traffic I would urge you to look
into ways of making freshclam do something for you rather than trying
to re-invent any wheels. Perhaps you could have a mirror in each
client network which takes its data from a further mirror which you
maintain in your network. Presumably if the clients are running Web
servers on SLES, one (or more) of the client machines in each client
network could also run a mirror for the local network?
Have you looked at anything like 'Puppet'?
--
73,
Ged.
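The "temporary copy, then atomic replace" scheme Ged sketches above, as an added shell example (not code from the list post or from the ClamAV project). It stages a copy of a local master into a fresh directory on the client, checks it, and then swaps it into service with a single symlink rename so the scanner only ever sees a complete old set or a complete new set. Everything here is constructed for the demo: `MASTER` stands in for the local mirror, `DB_DIR` for the database directory the scanner reads (commonly /var/lib/clamav), the `.cvd` files are one-line placeholders, and the size check in `verify_db` is a stand-in for a real integrity check such as `sigtool --info`. `mv -T` is a GNU/busybox option; the post's own preference, letting freshclam pull from a mirror, avoids all of this.

```shell
#!/bin/sh
# Added example, not code from the list post or from the ClamAV project.
# Stage a database copy from a local master into a temporary directory on
# the client, check it, then swap it into place atomically by renaming a
# symlink. All paths are constructed for the demo: on a real client MASTER
# would be your local mirror and DB_DIR the DatabaseDirectory used by
# clamd/clamscan (commonly /var/lib/clamav).
set -eu

WORK="${WORK:-$(mktemp -d)}"
MASTER="$WORK/master"     # stand-in for the local mirror (constructed)
DB_DIR="$WORK/clamav"     # symlink the scanner is configured to read
DB_FILES="main.cvd daily.cvd bytecode.cvd"

# Populate a constructed "master" mirror with placeholder database files;
# the optional argument is a version tag so updates are visible in the demo.
make_master() {
    mkdir -p "$MASTER"
    for f in $DB_FILES; do
        printf '%s-v%s\n' "${f%.cvd}" "${1:-1}" > "$MASTER/$f"
    done
}

# Reject a staged copy unless every expected file exists and is non-empty.
# Assumption: on a real client you would verify each file with
# `sigtool --info` (which checks the CVD's own signature) rather than a size test.
verify_db() {
    for f in $DB_FILES; do
        [ -s "$1/$f" ] || return 1
    done
    return 0
}

# Print the generation directory DB_DIR currently points at ("" if none yet).
current_db() {
    [ -L "$DB_DIR" ] && readlink "$DB_DIR" || printf ''
}

# Copy master into a fresh generation directory, verify it, then repoint
# DB_DIR at it with one rename(2): readers see the old set or the new set,
# never a half-copied mix. Earlier generations are removed afterwards.
update_client() {
    gen="$(mktemp -d "$WORK/clamav.XXXXXX")"
    cp -R "$MASTER/." "$gen"              # stage into a temp copy first (rsync in real life)
    if ! verify_db "$gen"; then
        rm -rf "$gen"                     # never swap in a broken copy
        return 1
    fi
    ln -s "$gen" "$DB_DIR.tmp"
    mv -T "$DB_DIR.tmp" "$DB_DIR"         # -T: replace the link itself, not descend into it
    for old in "$WORK"/clamav.*; do
        [ "$old" = "$gen" ] || rm -rf "$old"
    done
}

make_master 1
update_client
echo "client database now at $(current_db)"
```

Because the swap is a rename of a symlink rather than an in-place overwrite, a client that fails `verify_db` keeps serving its previous generation untouched, which is the property you want when a monthly push might carry a damaged or truncated file.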