[clamav-users] QNAP Antivirus Updates
Paul Kosinski
clamav-users at iment.com
Mon Sep 20 17:07:57 UTC 2021
On Mon, 20 Sep 2021 08:18:01 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users at lists.clamav.net> wrote:
> Hi there,
>
> On Sun, 19 Sep 2021, Gregory Poveda via clamav-users wrote:
>
> > I have several QNAPs
>
> It might be worth searching for 'QNAP' in the list archives. At least
> some of those devices will struggle to run ClamAV - or rather, ClamAV
> out of the box - for lack of memory.
>
> > on a locked down network that have the Clamav.net antivirus package/
> > software installed. Something changed on the 16th and I have been
> > unable to get updates. I have an ACL that blocks all traffic on this
> > network unless I define its IPs/DNS addresses. I had set the two DNS
> > addresses that I had detected back in March in the ACL, those are as
> > follows: clamav.net (199.62.84.153) which appears to check if the
> > database has an update and database.clamav.net (198.148.79.54) which
> > has the update file.
>
> If you don't mind my saying so, that's a fragile setup. IPs can and
> do change without notice.
>
> > Did the DNS names change or has the database stopped providing
> > updates?
>
> Check the very recent thread "Virus DB updates?".
=====================
Using an ACL mechanism that uses DNS names to allow outbound traffic strikes me as also a setup that is either fragile or very slow. Either it does a DNS lookup when started, so if the DNS->IP map changes while it's running, you lose. Or it does a reverse DNS (PTR) lookup for every outbound SYN to see if it's OK, and it's slow.
In my case, I use iptables (on Linux) to block almost all outbound TCP from select servers, and I use two IP addresses (only) to allow ClamAV update traffic, from/to freshclam.
These two IPs are Anycast addresses, and have been unchanged for well over 2 years. (Anycast addresses don't have to change even if the physical servers change, that's their point!) They are:
104.16.218.84
104.16.219.84
I don't know if they are appropriate for non-freshclam ways of obtaining the updates, e.g., updating a mirror. (And I don't know if they work world-wide.)
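An added example, not part of the original post or of ClamAV: a shell check that compares a pinned allow-list (the two addresses given above) with the A records currently returned for the update host, so a DNS change shows up as an alert instead of as silently failing updates. The hostname database.clamav.net (taken from the quoted message), the `--live` switch and the use of `getent ahostsv4` for the lookup are assumptions.

```shell
#!/bin/sh
# Added example: detect drift between a pinned egress allow-list and live DNS.

# Pinned addresses from the post above.
ALLOWED_IPS="104.16.218.84 104.16.219.84"

# check_drift ALLOWED RESOLVED
# Both arguments are space-separated IPv4 lists.
# Returns 0 if the sets match, 1 on drift, 2 if RESOLVED is empty.
check_drift() {
    cd_allowed=$1 cd_resolved=$2 cd_rc=0
    if [ -z "$(echo "$cd_resolved" | tr -d ' ')" ]; then
        echo "NOANSWER: lookup returned no addresses, allow-list not verified"
        return 2
    fi
    # Addresses DNS hands out that the firewall would drop.
    for cd_ip in $cd_resolved; do
        case " $cd_allowed " in
            *" $cd_ip "*) ;;
            *) echo "NEW: $cd_ip is in DNS but not allow-listed"; cd_rc=1 ;;
        esac
    done
    # Allow-list entries DNS no longer returns (candidates for removal).
    for cd_ip in $cd_allowed; do
        case " $cd_resolved " in
            *" $cd_ip "*) ;;
            *) echo "GONE: $cd_ip is allow-listed but not in DNS"; cd_rc=1 ;;
        esac
    done
    return $cd_rc
}

# resolve_v4 HOST: current IPv4 answers as one space-separated line.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' '
}

# Live check only when asked for, e.g. from cron:  script --live [host]
# The default hostname is an assumption, see the note above.
if [ "${1:-}" = "--live" ]; then
    check_drift "$ALLOWED_IPS" "$(resolve_v4 "${2:-database.clamav.net}")"
fi
```

Run from cron on a host that can resolve the name, a non-zero exit status is the signal to review the firewall rules before freshclam starts failing.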