At 12:36 PM -0400 9/13/2011, Bryan Burke wrote:
> Noone has suggested "maximum". The issue is that the mirrors are so
overloaded that it's often taking freshclam an excessive amount of
time to do its thing, because of the time-outs / connection
failures. No big deal if it's the update run in the background. But
if it's on-demand update preceding a user-driven scan, it's making
the user sit there, twiddling its thumbs, for up to a minute or two.
Are we really having this protracted discussion, because we don't
want someone to have to sit for "up to a minute or two"?
This problem seems overstated. I mean, are we talking about
on-demand scans perhaps a dozen or more times per day, every day?
i.e. is this adding up to hours of lost time every week? If so, is
it really such a problem to have a database that is *at most* 2
hours out-of-date (the default)? Do you need to do an update before
*every* on-demand scan? And why can't that be solved (if it is, in
fact, an issue) by increasing the check frequency to, say, every
hour?
Is it appropriate to ever do a scan against an outdated database?
I've been told time and again never to do that!
When a user launches their anti-virus app, they're going to want to
check to see that their definitions are up-to-date. (I would argue
that any app that doesn't force the update check by default is poorly
designed). If that step takes a minute, instead of a few seconds,
then the app becomes painful to use -- making them less likely to do
scans in the future. Not good. Wanna make it worse? Put the user
on a time-metered network connection!
As for overstated... People that are both busy and security conscious
tend to run quite a few scans per day. If each one halts their work
for minutes... Or even if 1000 users have to wait that one minute
just twice a day... then thats many hours wasted. And how many
ClamAV users are there? (By "user", in this context, I mean human
at a desktop or laptop).
"*at most* 2 hours". Are you saying that freshclam should *always*
be run in the background every hour or two *by everyone*, not just on
servers? Can the current mirror infrastructure handle that?
Currently, as a user app, ClamXav only runs freshclam in the
background once per day, if the user enables such, but I'm sure we
could get the author (Mark) to enhance its scheduling preferences.
No big deal, IF that's the right thing to do. But even then...
shouldn't every on-demand scan first do an update anyway??? (Running
the update once per day isn't my fav design choice. Back in the day,
when there were virtually no malwares for Mac OS X, I didn't have a
problem with that. But these days, I think it needs to be fixed.
Not an issue for this forum tho).
At 3:49 PM -0400 9/13/2011, Bryan Burke wrote:
> I don't know the frequency, but it was enough of a problem for him to
complain...three times before I brought it up here.
So is this issue specifically with ClamXav?
No. This is an issue specifically with *** freshclam *** and the
reliability of *** ClamAV's Mirrors ***. I've seen the problem most
often with ClamXav because me and mine use Macs. But I've received
complaints about Clam from several of my clients recently - they use
Clam on both their Macs and Windows machines. The update lag + the
recent 2x not-updating-DNS has started the whole "maybe it's time to
evaluate other AV products" cycle.
Al wrote:
Sending my browser to db.US.clamav.net gives me
Safari can't open the page "http://db.us.big.clamav.net/" because
Safari can't
connect to the server "db.us.big.clamav.net".
No matter how many times I try it.
Ditto. Last night and this morning. The other mirrors respond
quickly, but .125 - never.
Just ran this:
http://host-tracker.com/check_res_ajx/8730640-0/
and adding the results from this, previously in the thread:
http://host-tracker.com/check_res_ajx/8730391-0/
It shows the average response time was under 3/4 of a second. Going
down the lists, I see only a few sites took more than one second! So
perhaps a time-out of 3 to 4 seconds would be more reasonable? 30s
seems like painful overkill.
At 6:15 PM -0400 9/13/2011, Bryan Burke wrote:
If not, then at this point, I'm guessing there's enough data here
for the team to make a
decision one way or the other concerning this host. Even if removed,
it can always be
re-added when the cause of this issue is tracked down and fixed.
At least concerning this issue, is there anything more to be done?
1) Fix freshclam so it doesn't stall for so long.
2) Fix freshclam so it doesn't ever use the same inaccessible mirror
again, especially during the same run.
3) Get the unavailable mirror OUT of the rotation.
- Dan.
--
- Psychoceramic Emeritus; South Jersey, USA, Earth.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml