Citeren Paul Smith via clamav-users <clamav-users@lists.clamav.net>:
You *may* be forgetting NAT.
Eg, it's possible the first one is a network of a few thousand
computers going through a NAT firewall where each of them has had an
old daily.cvd copied onto them in an internal release cycle or
something, so each of the computers on that network is trying to
download a backlog of CDIFFs. (Or maybe another problem stopping the
updates has been discovered and fixed, or something)
In that case, the organisation behind that NAT should provide a local
mirror. There is no excuse for running thousands of systems on a
single IP (if that is even possible) and not use a local mirror.
I'm not saying it is, but it may be. If you are only analysing by IP
address, NAT will innocently cause strange results.
There is nothing innocent about the above scenario, it's either
negliance or incompetence.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml