On Jul 3, 2018, at 10:37 AM, Benoit Panizzon <benoit.panizzon@imp.ch> wrote:

Sorry I was not following that discussion...

 Host: db.us.clamav.net
 User-Agent: ClamAV/0.99.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)

  Error 1003 Ray ID: 4349da2f33f4ae20 • 2018-07-03 13:55:52 UTC
  Direct IP access not allowed

But this cought my attention...

db.us.clamav.net is an alias for db.us.clamav.net.cdn.cloudflare.net.

Cloudflare uses some kind of DDOS protection to detect if the visitor
might be a 'malicious bot' or a 'human' with a 'propper' webbrowser.

I fear, FreshClam does not pass the 'human' test.

I would suggest to the ClamAV team to move away from Cloudflare. Such
issues are bound to occur with CloudFlare.

That feature is turned off for the mirror network.  So, no, those issues will not occur.  In fact, it was on, and yes, it was causing problems, which is why it's now off.

However, the ~60TB of traffic we are passing on a 24 hour basis tells me that freshclam is working fine. You can't hit the cloudflare IPs directly, which is what that error says.

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com