On Thu, 29 Jul 2021, Asenova, Elia via clamav-users wrote:
> Thanks for the replies. Yes, deleting daily.cld fixed the
> problem. My concern is that I'm building a docker image with clamav
> inside it and I have to delete daily.cld on every new build if I
> want freshclam to work correctly the first time. About the
> subsequent runs when I tried to run freshclam on two different pods
> after image deploy, daily.cld was updated to the latest version only
> on one of them. These are the logs for both pods:
>
> #1st pod (successful update):
> Connecting via dnat.genesaas.io
> ClamAV update process started at Thu Jul 29 08:54:30 2021
> daily database available for update (local version: 26231, remote version: 26246)
> Current database is 15 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time: 21.8s, ETA: 0.0s [========================>] 54.95MiB/54.95MiB
> Testing database: '/var/lib/clamav/tmp.98ba2d17af/clamav-474d295bd3248aa18d6abaf0dc93f952.tmp-daily.cvd' ...
> Database test passed.
> daily.cvd updated (version: 26246, sigs: 1964581, f-level: 90, builder: raynman)
> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Start with daily 26233 (or, better, whatever is the latest today) and main 61.
By starting with daily 26231 and main 59 you immediately have to do a major
(once in maybe six months) update.

As Matus and Ged have suggested, you should not need to install the
database on each docker instance.

Unless you have a large anti-virus farm, you don't even need to *run* the
clam daemon on every VM. Start up a single remote clamd server and the
other VMs can pass their scans to your clamd server with clamdscan.

> 2nd pod (unsuccessful update):
> Connecting via dnat.genesaas.io
> ClamAV update process started at Thu Jul 29 09:14:16 2021
> daily database available for update (local version: 26231, remote version: 26247)
> Current database is 16 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time: 26.5s, ETA: 0.0s [========================>] 54.95MiB/54.95MiB
> Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
> daily database available for update (local version: 26231, remote version: 26247)
> Current database is 16 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time: 28.0s, ETA: 0.0s [========================>] 54.95MiB/54.95MiB
> Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
> daily database available for update (local version: 26231, remote version: 26247)
> Current database is 16 versions behind.
> Downloading database patch # 26232...
> ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
> ERROR: downloadPatch: Can't apply patch
> WARNING: Incremental update failed, trying to download daily.cvd
> Time: 25.5s, ETA: 0.0s [========================>] 54.95MiB/54.95MiB
> Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
> What might be the reason for this inconsistent behavior?

From those logs it appears that daily 26247 was advertised between the two runs,
but hadn't reached the mirror that you downloaded from.

> And about the ReceiveTimeout this is what I have in freshclam.conf:
> # Maximum time in seconds for each download operation. 0 means no timeout.
> # Default: 0
> #ReceiveTimeout 1800
> So, it should have no timeout, right?

I would add a line
    ReceiveTimeout 0
to be sure. Sometimes the commented-out line reflects the actual default.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
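
Added example, not part of the original message and not ClamAV project code: a small classifier for freshclam output that separates the two outcomes in the pod logs quoted above, a successful full-CVD fallback versus a mirror serving an older daily CVD than the advertised version. The function name, status strings and the trimmed sample logs are assumptions made for illustration; the matched message texts are copied from the quoted logs.

```python
import re

# Message texts copied from the freshclam output quoted in this thread.
AVAILABLE = re.compile(r"^(\w+) database available for update "
                       r"\(local version: (\d+), remote version: (\d+)\)")
UPDATED = re.compile(r"^(\w+)\.c[lv]d updated \(version: (\d+),")
PATCH_FAIL = "ERROR: downloadPatch: Can't apply patch"
STALE_MIRROR = "Received an older daily CVD than was advertised"

def classify_freshclam_run(log_text):
    """Summarise one freshclam run for the daily database (hypothetical helper)."""
    local = remote = installed = None
    patch_failures = stale_downloads = 0
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate e-mail quoting
        m = AVAILABLE.match(line)
        if m and m.group(1) == "daily":
            local, remote = int(m.group(2)), int(m.group(3))
        m = UPDATED.match(line)
        if m and m.group(1) == "daily":
            installed = int(m.group(2))
        patch_failures += line.startswith(PATCH_FAIL)
        stale_downloads += line.startswith(STALE_MIRROR)
    if remote is None:
        status = "no-update-needed"              # nothing newer was advertised
    elif installed is not None and installed >= remote:
        status = "updated"                       # patch or full CVD succeeded
    elif stale_downloads:
        status = "mirror-behind-advertised"      # retry later, not a local fault
    else:
        status = "failed"
    return {"status": status, "local": local, "advertised": remote,
            "installed": installed, "patch_failures": patch_failures,
            "stale_downloads": stale_downloads}

# Sample input trimmed from the two pod logs quoted above.
POD1 = """\
daily database available for update (local version: 26231, remote version: 26246)
ERROR: downloadPatch: Can't apply patch
WARNING: Incremental update failed, trying to download daily.cvd
daily.cvd updated (version: 26246, sigs: 1964581, f-level: 90, builder: raynman)
"""
POD2 = """\
daily database available for update (local version: 26231, remote version: 26247)
ERROR: downloadPatch: Can't apply patch
WARNING: Incremental update failed, trying to download daily.cvd
Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
"""
```

A deploy check can treat "mirror-behind-advertised" as retryable and only alert on "failed".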