On 2011-07-14 at 17:25-04 James Ralston 
<qralston+ml.clamav-us...@andrew.cmu.edu> wrote:

> I've just spent some time testing this, and I think this will be a
> much better solution.  In essence, we can use this to force
> freshclam to pull the CLD files from our private mirror, instead of
> the CVD files.  freshclam appears to use the timestamps of the files
> on the web server to determine whether they're more recent than the
> local copies, and --quiet suppresses all errors about non-existent
> files and duplicate databases.
> 
> I'll test this more thoroughly, and report back how well it works
> for us.

Alas, I was premature: this doesn't work.  freshclam will pull the CLD
files, but only if they're not out-of-date.  If freshclam detects (via
DNS) that the database is out-of-date, it ignores the
DatabaseCustomURL directive and insists on attempting to grab the CVD
file to update the database:

$ awk -F \# '{print $1}' /etc/freshclam.conf | grep -Ev '^[[:space:]]*$'
LogSyslog yes
LogFacility LOG_DAEMON
DatabaseMirror clam-update.example.org
ScriptedUpdates no
DatabaseCustomURL http://clam-update.example.org/bytecode.cld
DatabaseCustomURL http://clam-update.example.org/daily.cld
DatabaseCustomURL http://clam-update.example.org/main.cld
DatabaseCustomURL http://clam-update.example.org/safebrowsing.cld
SafeBrowsing yes

$ freshclam --verbose
Current working dir is /var/lib/clamav
Max retries == 3
ClamAV update process started at Thu Jul 14 20:09:44 2011
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 900
Software version from DNS: 0.97.1
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.96.5 Recommended version: 0.97.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd version from DNS: 53
main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cvd version from DNS: 13321
daily.cld is up to date (version: 13321, sigs: 151983, f-level: 60, builder: ccordes)
safebrowsing.cvd version from DNS: 30812
Retrieving http://clam-update.example.org/safebrowsing.cvd
Trying to download http://clam-update.example.org/safebrowsing.cvd (IP: 1.2.3.4)
WARNING: getfile: safebrowsing.cvd not found on remote server (IP: 1.2.3.4)
ERROR: Can't download safebrowsing.cvd from clam-update.example.org
Giving up on clam-update.example.org...
Update failed. Your network may be down or none of the mirrors listed in 
/etc/freshclam.conf is working. Check 
http://www.clamav.net/support/mirror-problem for possible reasons.

Honestly, the more I think about this, the more I wonder whether the
real problem here is that freshclam (at least currently) is the wrong
tool for this job.

freshclam was designed to efficiently update the clam database on a
single host, using the master clam servers as the source for updates.
It does a very good job of that, whether it hits the update servers
directly, or whether it goes through an HTTP proxy.

But freshclam falls over fairly badly if you try to use it to update
internal clients from a private mirror, even though it has some
options to help adjust its behavior for that purpose.

Now I'm thinking that if freshclam is going to be a good tool for
updating clients behind a private mirror, there really needs to be an
option to specify that directly.  Something like:

    # If PrivateMirror is set, freshclam assumes that the server it
    # names is a private mirror.  In this case, freshclam does not
    # attempt to use DNS to determine whether its databases are
    # out-of-date, but instead downloads the database files from the
    # private mirror every time it runs.  For each database, freshclam
    # first attempts to download the CVD file.  If that fails,
    # freshclam tries to grab the CLD file.  If the attempt to
    # download the CVD file and attempt to download the CLD file both
    # fail, then that counts as a single attempt against MaxAttempts.
    # Default: disabled.
    #PrivateMirror clam-update.example.org

But a counterargument would be that rather than turn freshclam into a
glorified wget, if someone really wants to mirror a private mirror,
they should just write a script using wget to do it.

Thoughts?

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
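Since the message closes by suggesting a wget script instead of a new freshclam option, here is one way to write that script, as an added example that is not from this thread or from the ClamAV project. It implements the PrivateMirror behaviour sketched above (no DNS version check, CVD first then CLD, both failing counts as one attempt against MaxAttempts); MIRROR, DBDIR, MAX_ATTEMPTS and the overridable FETCH hook are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical wget-based puller for clients behind a private ClamAV mirror.
# Assumed knobs: MIRROR, DBDIR, MAX_ATTEMPTS, DATABASES. FETCH names the
# download command so the retry logic can be exercised offline.

MIRROR="${MIRROR:-http://clam-update.example.org}"   # assumed private mirror
DBDIR="${DBDIR:-/var/lib/clamav}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"
DATABASES="${DATABASES:-main daily bytecode safebrowsing}"
FETCH="${FETCH:-wget_fetch}"

# Download one file from the mirror into DBDIR. -N keeps the local copy unless
# the server's Last-Modified is newer (the timestamp behaviour noted above);
# the database's own signature is still checked by clamd/clamscan on load.
wget_fetch() {
    wget -q -N -P "$DBDIR" "$MIRROR/$1"
}

# One database: try the CVD first, then fall back to the CLD.
fetch_db() {
    "$FETCH" "$1.cvd" || "$FETCH" "$1.cld"
}

# All databases, at most MAX_ATTEMPTS passes, no DNS version check at all.
# A database that failed both downloads is retried on the next pass; the
# return value is the number of databases still failed after the last pass.
update_all() {
    pending="$DATABASES"
    attempt=1
    while [ -n "$pending" ] && [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        failed=""
        for db in $pending; do
            fetch_db "$db" || failed="$failed $db"
        done
        pending="${failed# }"
        attempt=$((attempt + 1))
    done
    [ -z "$pending" ] || echo "gave up on:$pending" >&2
    set -- $pending
    return $#
}

# Run the real update only when invoked as "sh mirror-pull.sh run".
if [ "${1:-}" = "run" ]; then
    update_all
fi
```

Run it from cron on each client in place of freshclam; a non-zero exit means at least one database could not be fetched from the mirror.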