> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Lyons
> Sent: Wednesday, April 11, 2007 8:52 PM

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Apr 11, 2007 at 02:24:52PM -0400, Jim Maul wrote:
>
> >However, it is illogical that clamd would die completely due to issues
> >with a recently downloaded definition file.  Why can it not just roll
> >back to the old, previously working, definitions?  Can someone please
> >explain this?  I'm having trouble trying to comprehend the
> >current behavior.
>
> Neutral question:
> What's worse?
>   a) AV that dies because of problems with virus definitions
>   b) AV that reverts back to previously working definitions but then
>      leaves you with a system that lets the latest things through
>      and the whole time you think you're protected

Taking into account that by default freshclam updates every 2 hours (and it
is often configured to update every 1 hour), I would prefer the risk of
running with signatures 4 hours old to having a denial of service.
Obviously, I am thinking of the case where the update failure is sporadic.

> a is not great, but then neither is b.  In the case of a, cron scripts
> watching the daemon process fixes things if it can and notifies you via
> pager (and 10 pages coming in simultaneously definitely indicates
> that something is wrong).  In the case of b, you see no interruption so
> you assume all is well (and in this case, all IS well, but suppose some
> corporation changes their firewall blocking traffic outbound from your
> clamav box and you never know that it's not getting the latest updates).
>
> Notification is a part of the solution IMHO.  If clamd recognizes that
> it's not able to load the new ones because the update process is still
> occurring, then it should continue running *AND* notify the sysadmin
> that it's running in what should be considered a degraded mode.  The
> ease with which this is attained will vary by system.

I agree. It's only worth noting that if I have a script that can inform me
via a pager that clamd is not running, then it's likely to be able to inform
me that an update did not go well, or that sigtool reports my virus
signatures to be 4 or 24 or NN hours old. I would be equally informed, but I
would have no denial of service.

Just my opinion.

Luigi

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
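
The monitoring approach discussed in this message (keep scanning, but alert when signatures go stale), as an added example that is not part of the original thread or of ClamAV. The function names are hypothetical, the 4-hour threshold is the figure from the message, the `Build time:` line format of `sigtool --info` is an assumption, and the clamd liveness result is supplied by the caller.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed shape of the "Build time" line in `sigtool --info <db>` output;
# the hour/minute separator is accepted as either ':' or '-'.
BUILD_RE = re.compile(
    r"^Build time:\s*(\d{1,2} \w{3} \d{4}) (\d{2})[:-](\d{2}) ([+-]\d{4})\s*$",
    re.MULTILINE,
)

def signature_age(sigtool_info: str, now: datetime) -> timedelta:
    """Return how old the signature database is, given sigtool --info text."""
    m = BUILD_RE.search(sigtool_info)
    if m is None:
        raise ValueError("no Build time line in sigtool output")
    date, hh, mm, tz = m.groups()
    built = datetime.strptime(f"{date} {hh}:{mm} {tz}", "%d %b %Y %H:%M %z")
    return now - built

def assess(clamd_alive: bool, sigtool_info: str, now: datetime,
           max_age: timedelta = timedelta(hours=4)) -> list[str]:
    """Return alert strings for the pager; an empty list means healthy."""
    alerts = []
    if not clamd_alive:
        alerts.append("CRITICAL: clamd is not answering")
    try:
        age = signature_age(sigtool_info, now)
    except ValueError as exc:
        # An unreadable database is reported, not silently treated as fresh.
        alerts.append(f"WARNING: cannot determine signature age ({exc})")
    else:
        if age > max_age:
            hours = age.total_seconds() / 3600
            alerts.append(f"WARNING: degraded mode, signatures are {hours:.1f} hours old")
    return alerts

# Constructed sample output, not captured from a real system.
SAMPLE = """File: daily.cvd
Build time: 11 Apr 2007 14-02 -0400
Version: 3000
"""

if __name__ == "__main__":
    now = datetime(2007, 4, 11, 22, 30, tzinfo=timezone(timedelta(hours=-4)))
    for line in assess(True, SAMPLE, now):
        print(line)
```

Run from cron, the same check covers both outcomes debated in the thread: a dead daemon and a daemon still running on old definitions each produce a page.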
