Hi all,

1. The daily.cvd file I am referring to is on the local server, which acts as the private local mirror (not referring to clients at all).

2. freshclam is running in a Docker container; its image came from `alpine:3.12` and clamav was installed with this command: `apk add --no-cache clamav=0.102.4-r11 clamav-libunrar=0.102.4-r11`

3. I am checking for updates twice a day.

4. It's not that straightforward to run Wireshark on that server, but I can route it to a specific DNS record (will update).

5. Here are the full logs of the latest update failure (26011 -> 26012); the freshclam run takes 19 sec:
Tue Dec  8 22:00:02 2020 -> ClamAV update process started at Tue Dec  8 22:00:02 2020
Tue Dec  8 22:00:02 2020 -> *Current working dir is /data/
Tue Dec  8 22:00:02 2020 -> *Querying current.cvd.clamav.net
Tue Dec  8 22:00:02 2020 -> *TTL: 30
Tue Dec  8 22:00:02 2020 -> *fc_dns_query_update_info: Software version from DNS: 0.103.0
Tue Dec  8 22:00:02 2020 -> *Current working dir is /data/
Tue Dec  8 22:00:02 2020 -> *check_for_new_database_version: Local copy of daily found: daily.cvd.
Tue Dec  8 22:00:02 2020 -> *query_remote_database_version: daily.cvd version from DNS: 26012
Tue Dec  8 22:00:02 2020 -> daily database available for update (local version: 26011, remote version: 26012)
Tue Dec  8 22:00:02 2020 -> *Retrieving https://database.clamav.net/daily.cvd
Tue Dec  8 22:00:02 2020 -> *downloadFile: Download source:      https://database.clamav.net/daily.cvd
Tue Dec  8 22:00:02 2020 -> *downloadFile: Download destination: /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp
*   Trying 104.16.218.84:443...
* Connected to database.clamav.net (104.16.218.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Aug 15 00:00:00 2020 GMT
*  expire date: Aug 15 12:00:00 2021 GMT
*  subjectAltName: host "database.clamav.net" matched cert's "database.clamav.net"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56459985de60)
> GET /daily.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.102.4 (OS: linux-musl, ARCH: x86_64, CPU: x86_64)
accept: */*
connection: close

* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Tue, 08 Dec 2020 22:00:02 GMT
< content-type: application/octet-stream
< content-length: 114885026
< set-cookie: __cfduid=dc7afe2099393f2517fefc5bfc70645881607464802; expires=Thu, 07-Jan-21 22:00:02 GMT; path=/; domain=.clamav.net; HttpOnly; SameSite=Lax
< last-modified: Mon, 07 Dec 2020 14:37:00 GMT
< etag: "5fce3e0c-6d901a2"
< expires: Wed, 09 Dec 2020 10:00:02 GMT
< cache-control: public, max-age=43200
< cf-cache-status: HIT
< age: 109
< accept-ranges: bytes
< cf-request-id: 06e5f76fd70000dfa591a49000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 5fe9c1c62d72dfa5-FRA
<
* Connection #0 to host database.clamav.net left intact
Tue Dec  8 22:00:05 2020 -> *The daily.cvd database downloaded from https://database.clamav.net is one version older than advertised in the DNS TXT record.
Tue Dec  8 22:00:05 2020 -> *updatedb: Running g_cb_download_complete callback...
Tue Dec  8 22:00:05 2020 -> *download_complete_callback: Download complete for database : /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec  8 22:00:05 2020 -> *download_complete_callback:   fc_context->bTestDatabases   : 1
Tue Dec  8 22:00:05 2020 -> *download_complete_callback:   fc_context->bBytecodeEnabled : 1
Tue Dec  8 22:00:05 2020 -> Testing database: '/data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd' ...
Tue Dec  8 22:00:05 2020 -> *Loading signatures from /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec  8 22:00:20 2020 -> *Properly loaded 4397905 signatures from /data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec  8 22:00:21 2020 -> Database test passed.
Tue Dec  8 22:00:21 2020 -> daily.cvd updated (version: 26011, sigs: 4351421, f-level: 63, builder: raynman)
Tue Dec  8 22:00:21 2020 -> *fc_update_database: daily.cvd updated.
Tue Dec  8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec  8 22:00:21 2020 -> *check_for_new_database_version: Local copy of main found: main.cvd.
Tue Dec  8 22:00:21 2020 -> *query_remote_database_version: main.cvd version from DNS: 59
Tue Dec  8 22:00:21 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Dec  8 22:00:21 2020 -> *fc_update_database: main.cvd already up-to-date.
Tue Dec  8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec  8 22:00:21 2020 -> *check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.
Tue Dec  8 22:00:21 2020 -> *query_remote_database_version: bytecode.cvd version from DNS: 331
Tue Dec  8 22:00:21 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Tue Dec  8 22:00:21 2020 -> *fc_update_database: bytecode.cvd already up-to-date.
Tue Dec  8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec  8 22:00:21 2020 -> *check_for_new_database_version: Local copy of safebrowsing found: safebrowsing.cvd.
Tue Dec  8 22:00:21 2020 -> *query_remote_database_version: safebrowsing.cvd version from DNS: 49191
Tue Dec  8 22:00:21 2020 -> safebrowsing.cvd database is up to date (version: 49191, sigs: 2213119, f-level: 63, builder: google)
Tue Dec  8 22:00:21 2020 -> *fc_update_database: safebrowsing.cvd already up-to-date.


On Tue, Dec 8, 2020 at 8:01 PM Gal Cohen <gal.cohen@zooz.com> wrote:
Hello,

I'm serving cvd files from a local server. When I run freshclam on my server, it takes some runs until the daily.cvd is updated, even though the remote version was updated a while ago.

- the clamav version I'm using is 0.102.4-r1
- freshclam.conf I'm using is:
   DatabaseDirectory /data
   LogSyslog yes
   UpdateLogFile /logs/freshclam.log
   LogTime yes
   PidFile /run/clamav/freshclam.pid
   DatabaseOwner root
   LogVerbose yes
   DatabaseMirror database.clamav.net
   ScriptedUpdates no.  (for serving as local server)
   SafeBrowsing yes
   Bytecode yes

Some focused logs from a freshclam run which does not update the local daily.cvd even though it indicates a newer version remotely:
"daily database available for update (local version: 26009, remote version: 26010)
*The daily.cvd database downloaded from https://database.clamav.net is one version older than advertised in the DNS TXT record.
Database test passed.
daily.cvd updated (version: 26009, sigs: 4351133, f-level: 63, builder: raynman)"

Do I need to change my configuration, or is it a bug in the 102.4 clamav version?

Thanks
Gal
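
Added example, not part of either e-mail and not ClamAV project code: a small check a mirror operator could run over the freshclam log to flag runs where the database installed after an update is still behind the version advertised in the DNS TXT record, as in the logs above. The function name `find_stale_updates` and the result fields are assumptions of this example; the sample lines are copied from the log in the first message.

```python
import re

# Lines copied from the freshclam log quoted in the message above.
SAMPLE_LOG = """\
Tue Dec  8 22:00:02 2020 -> daily database available for update (local version: 26011, remote version: 26012)
Tue Dec  8 22:00:05 2020 -> *The daily.cvd database downloaded from https://database.clamav.net is one version older than advertised in the DNS TXT record.
Tue Dec  8 22:00:21 2020 -> daily.cvd updated (version: 26011, sigs: 4351421, f-level: 63, builder: raynman)
Tue Dec  8 22:00:21 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
"""

# "<db> database available for update (local version: X, remote version: Y)"
AVAILABLE = re.compile(r"(\w+) database available for update "
                       r"\(local version: (\d+), remote version: (\d+)\)")
# "<db>.cvd updated (version: Z, ..." (.cld is the incremental-update form)
UPDATED = re.compile(r"(\w+)\.c[vl]d updated \(version: (\d+),")


def find_stale_updates(log_text):
    """Return one dict per database whose installed version after an
    update run is still lower than the version advertised over DNS."""
    advertised = {}  # db name -> (local version before run, DNS version)
    stale = []
    for line in log_text.splitlines():
        m = AVAILABLE.search(line)
        if m:
            advertised[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = UPDATED.search(line)
        if m and m.group(1) in advertised:
            before, dns = advertised.pop(m.group(1))
            installed = int(m.group(2))
            if installed < dns:
                stale.append({"db": m.group(1), "before": before,
                              "advertised": dns, "installed": installed,
                              "behind": dns - installed})
    return stale


if __name__ == "__main__":
    for hit in find_stale_updates(SAMPLE_LOG):
        print("{db}: DNS advertises {advertised}, mirror still holds "
              "{installed} ({behind} behind)".format(**hit))
```

Run against the full freshclam log after each scheduled update, a non-empty result means the mirror is serving signatures older than the advertised version and clients pulling from it will lag as well.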