On Jun 30, 2015, at 9:13 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

> On Tue, June 30, 2015 1:57 pm, Nixon, R A (AL) CIV USARMY SEC (US) wrote:
>> My organization has been using Freshclam to update virus definitions for
>> a number of years. We are United States based and set the database mirror
>> accordingly. In the past month we have noticed that the Database mirror
>> used is now connecting us to a mirror in Russia. Within the last week our
>> cyber team has had to block the Russia IP because it is now attempting to
>> probe our network. Is there any way to set up the Freshclam mirror
>> database to only attempt connections to US based mirrors?
>
> If you are using (US code), e.g.: db.us.clamav.net
>
> There are some non-US IPs contained, mainly...
>
> 128.199.133.36 - Asia - Singapore
> 150.214.142.197 - Europe - Spain
> 194.186.47.19 - Europe - Russian Federation
> 194.8.197.22 - Europe - Germany
> 78.46.84.244 - Europe - Germany
>
> Not sure why, other than perhaps US code needs a lot of mirrors, so some
> have been placed outside US.
>
> One for the team I think to answer.
>
> Cheers,

We’ll take a look at this and follow up. Thanks.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
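
An added example, not part of the thread and not ClamAV's own tooling: one way to audit which addresses a configured `DatabaseMirror` name resolves to against the networks an egress filter allows, as the question above asks about. The sample config, the `audit_mirrors` helper and the approved range (a documentation prefix used as a placeholder) are assumptions.

```python
import ipaddress
import socket

# Constructed sample; DatabaseMirror is the freshclam.conf directive that
# names the mirror pool. The commented-out line must be ignored.
SAMPLE_CONF = """\
# freshclam.conf (constructed sample)
#DatabaseMirror db.XY.clamav.net
DatabaseMirror db.us.clamav.net   # round-robin name from the thread
"""

def mirrors_from_conf(text):
    """Return the host names given on active DatabaseMirror lines."""
    hosts = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) == 2 and fields[0] == "DatabaseMirror":
            hosts.append(fields[1].lower())
    return hosts

def resolve_ipv4(host):
    """Resolve every A record behind a round-robin name (needs DNS)."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def audit_mirrors(conf_text, approved_cidrs, resolver=resolve_ipv4):
    """Map each mirror name to its resolved addresses outside approved_cidrs."""
    approved = [ipaddress.ip_network(c) for c in approved_cidrs]
    findings = {}
    for host in mirrors_from_conf(conf_text):
        try:
            addrs = resolver(host)
        except OSError as exc:   # socket.gaierror is a subclass of OSError
            findings[host] = ["resolution failed: %s" % exc]
            continue
        outside = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in n for n in approved)]
        if outside:
            findings[host] = outside
    return findings

if __name__ == "__main__":
    # 192.0.2.0/24 is a placeholder for the organization's approved ranges.
    for host, addrs in audit_mirrors(SAMPLE_CONF, ["192.0.2.0/24"]).items():
        print(host, "->", ", ".join(addrs))
```

The result is a snapshot: the pool behind a round-robin name can change between this audit and freshclam's own lookup, so the check belongs in a scheduled job alongside the egress rule rather than in place of it.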