Hi all,

1. the daily.cvd file I referring to is on the local server which acts as the private local mirror (not referring to clients at all)

2. The freshclam is running in a docker , his image came from `alpine:3.12` and clamav was install with that command: `apk add --no-cache clamav=0.102.4-r11 clamav-libunrar=0.102.4-r11`

3. I checking the updates twice a day

4. it's not that straightforward to run wireshark on that server, but i can route it to a specific dns record (will update)

5. here are the full logs of the latest update failure (26011 -> 26012),freshclam run takes 19 sec
Tue Dec 8 22:00:02 2020 -> ClamAV update process started at Tue Dec 8 22:00:02 2020
Tue Dec 8 22:00:02 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:02 2020 -> *Querying current.cvd.clamav.net
Tue Dec 8 22:00:02 2020 -> *TTL: 30
Tue Dec 8 22:00:02 2020 -> *fc_dns_query_update_info: Software version from DNS: 0.103.0
Tue Dec 8 22:00:02 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:02 2020 -> *check_for_new_database_version: Local copy of daily found: daily.cvd.
Tue Dec 8 22:00:02 2020 -> *query_remote_database_version: daily.cvd version from DNS: 26012
Tue Dec 8 22:00:02 2020 -> daily database available for update (local version: 26011, remote version: 26012)
Tue Dec 8 22:00:02 2020 -> *Retrieving https://database.clamav.net/daily.cvd
Tue Dec 8 22:00:02 2020 -> *downloadFile: Download source: https://database.clamav.net/daily.cvd
Tue Dec 8 22:00:02 2020 -> *downloadFile: Download destination: /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp
* Trying 104.16.218.84:443...
* Connected to database.clamav.net (104.16.218.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Aug 15 00:00:00 2020 GMT
* expire date: Aug 15 12:00:00 2021 GMT
* subjectAltName: host "database.clamav.net" matched cert's "database.clamav.net"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56459985de60)
> GET /daily.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.102.4 (OS: linux-musl, ARCH: x86_64, CPU: x86_64)
accept: */*
connection: close

* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Tue, 08 Dec 2020 22:00:02 GMT
< content-type: application/octet-stream
< content-length: 114885026
< set-cookie: __cfduid=dc7afe2099393f2517fefc5bfc70645881607464802; expires=Thu, 07-Jan-21 22:00:02 GMT; path=/; domain=.clamav.net; HttpOnly; SameSite=Lax
< last-modified: Mon, 07 Dec 2020 14:37:00 GMT
< etag: "5fce3e0c-6d901a2"
< expires: Wed, 09 Dec 2020 10:00:02 GMT
< cache-control: public, max-age=43200
< cf-cache-status: HIT
< age: 109
< accept-ranges: bytes
< cf-request-id: 06e5f76fd70000dfa591a49000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 5fe9c1c62d72dfa5-FRA
<
* Connection #0 to host database.clamav.net left intact
Tue Dec 8 22:00:05 2020 -> *The daily.cvd database downloaded from https://database.clamav.net is one version older than advertised in the DNS TXT record.
Tue Dec 8 22:00:05 2020 -> *updatedb: Running g_cb_download_complete callback...
Tue Dec 8 22:00:05 2020 -> *download_complete_callback: Download complete for database : /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec 8 22:00:05 2020 -> *download_complete_callback: fc_context->bTestDatabases : 1
Tue Dec 8 22:00:05 2020 -> *download_complete_callback: fc_context->bBytecodeEnabled : 1
Tue Dec 8 22:00:05 2020 -> Testing database: '/data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd' ...
Tue Dec 8 22:00:05 2020 -> *Loading signatures from /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec 8 22:00:20 2020 -> *Properly loaded 4397905 signatures from /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec 8 22:00:21 2020 -> Database test passed.
Tue Dec 8 22:00:21 2020 -> daily.cvd updated (version: 26011, sigs: 4351421, f-level: 63, builder: raynman)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: daily.cvd updated.
Tue Dec 8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:21 2020 -> *check_for_new_database_version: Local copy of main found: main.cvd.
Tue Dec 8 22:00:21 2020 -> *query_remote_database_version: main.cvd version from DNS: 59
Tue Dec 8 22:00:21 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: main.cvd already up-to-date.
Tue Dec 8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:21 2020 -> *check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.
Tue Dec 8 22:00:21 2020 -> *query_remote_database_version: bytecode.cvd version from DNS: 331
Tue Dec 8 22:00:21 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: bytecode.cvd already up-to-date.
Tue Dec 8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:21 2020 -> *check_for_new_database_version: Local copy of safebrowsing found: safebrowsing.cvd.
Tue Dec 8 22:00:21 2020 -> *query_remote_database_version: safebrowsing.cvd version from DNS: 49191
Tue Dec 8 22:00:21 2020 -> safebrowsing.cvd database is up to date (version: 49191, sigs: 2213119, f-level: 63, builder: google)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: safebrowsing.cvd already up-to-date.