[clamav-users] Clam updates failing

Joel Esler (jesler) jesler at cisco.com
Sat Oct 23 15:57:12 UTC 2021



> On Oct 23, 2021, at 11:49, Paul Kosinski <clamav-users at iment.com> wrote:
> 
> On Fri, 22 Oct 2021 18:47:01 +0000
> "Joel Esler (jesler)" <jesler at cisco.com> wrote:
> 
>>>> On Oct 22, 2021, at 14:16, Paul Kosinski via clamav-users <clamav-users at lists.clamav.net> wrote:
>>> 
>>> On Fri, 22 Oct 2021 13:27:46 +0000
>>> "Joel Esler \(jesler\) via clamav-users" <clamav-users at lists.clamav.net> wrote:
>>> 
>>>>> On Oct 21, 2021, at 18:55, Kenneth Porter <shiva at sewingwitch.com> wrote:
>>>>> 
>>>>> On 10/21/2021 10:14 AM, Paul Kosinski via clamav-users wrote:    
>>>>>> I've never seen a DNS age warning, but that might be because, for several years now, I only run freshclam when the DNS TXT record (which I check hourly) says there is a new signature available compared to a local file's version number (in its header).    
>>>>> 
>>>>> I thought freshclam did the DNS check itself. Why do it again before running freshclam?    
>>>> 
>>>> It does.  No need to do an extra check.  
>>> 
>>> 
>>> Since checking the DNS TXT record costs almost nothing (and is UDP), I figure I can do it more often than running freshclam without ever risking triggering Cloudflare's bandwidth limits. And, although I currently do it only once per hour, if there ever was something like a SANS Threat Level RED, I could up the frequency to get the latest sigs ASAP.
>>> 
>>> 
>> 
>> DNS is unrestricted.  That’s why I am saying it’s unnecessary.  The restrictions are on the files themselves.  
> 
> 
> So you're saying that if -- because I wanted to get an update ASAP in the face of a severe virus alert -- I upped the running of freshclam to every 5 minutes on each of my 3 systems, there is no chance that I would be blocked, because freshclam doesn't do any actual (restricted) file access until after it checks the DNS TXT record?

Correct. 
> 
> Even if that's the case, I think it would generate a lot more junk in the log files than my current approach does (since I run freshclam with the "-v" option).


More information about the clamav-users mailing list