Hey Ged,

Thank you for the reply.

The network connectivity issue is indeed the main blocker for me. Perhaps I should have been clearer on that. For now, the update operation performed by clients is the only time when I can manage what data goes into the machines. I can't set up a cron or such alternatives. I could use the web server on the same machine as a server for freshclam (since I guess I need a webserver and can't do it from the local filesystem). But like a few people have already mentioned, the signatures will be out of date. And the false positives were something I hadn't considered (thanks for that). Given all this, I'm not sure if it's worth the effort. I'll see if I can think of any other approaches where the client machines can access a server which is kept up to date.

Anish

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of G.W. Haywood via clamav-users <clamav-users@lists.clamav.net>
Sent: 17 May 2021 23:06
To: ANISH SHETTY via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <cla...@jubileegroup.co.uk>
Subject: Re: [clamav-users] Manually copy and use local filesystem as DownloadMirror/PrivateMirror

Hi there,

On Mon, 17 May 2021, ANISH SHETTY via clamav-users wrote:

> The machines are running SLES12 ... we need to have an antivirus
> solution in place to meet some compliance requirements mandated by
> the government ...

I used to work for our government (the UK's nuclear power programme, mostly on security, but that's not important). The site I worked at was out in the boondocks (in case it blew up) and was home to about 5,000 people. There was a sports club, financed by the government, just outside the perimeter fence. I went to that club for ten years. A guy - a plumber by trade - a big fellow, who used to throw us all around at the judo sessions, said to us out of the blue one day, "An elephant is a greyhound, built to government specifications." That made us fall about laughing.

I feel your pain.

My 'virusdb' mail box contains the daily feed of mail messages from the ClamAV virus DB updates. As you see below, in the last three weeks there have on average been more than 350 new virus signatures per day. This is quite apart from the typically more than a dozen but perhaps as many as 50 signatures which might daily be dropped.

$ grep 'New Sigs' ~/mail/lists/virusdb | tail -n 20
New Sigs: 762
New Sigs: 283
New Sigs: 244
New Sigs: 119
New Sigs: 325
New Sigs: 197
New Sigs: 367
New Sigs: 432
New Sigs: 453
New Sigs: 406
New Sigs: 525
New Sigs: 235
New Sigs: 249
New Sigs: 401
New Sigs: 628
New Sigs: 95
New Sigs: 172
New Sigs: 69
New Sigs: 221
New Sigs: 853
New Sigs: 372

> ... if this approach doesn't make sense for quarterly cycle, I can
> think of pushing them each month.

Apart from just complying with some crackpot regulations, I think you're wasting your time. You may risk giving yourself (and perhaps ClamAV) a bad reputation with your clients. Based on the numbers above, even if you update every month you can expect to be missing over ten thousand signatures after 30 days, and you'll have quite a few which are known to be suspect - some of which could be false positives - which clients will be stuck with for a month, and which may even be more trouble to you than the signatures you don't have. At least there's the option of maintaining your own 'ignore' lists.

Having said all that

$ grep ' \* ' ./mail/lists/virusdb | tail -n 10000 | sed -e 's/\..*//;' | sort | uniq -c | sort -n
      1 * Andr
      1 * Lnk
      1 * Rtf
      1 * Swf
      1 * Vbs
      2 * Img
      2 * Osx
      2 * Ps1
      3 * Doc
      4 * Ole2
      4 * Xls
     16 * PUA
     19 * Archive
     35 * Pdf
     36 * Multios
     63 * Unix
     68 * Email
     98 * Txt
    765 * Html
   8878 * Win

as you can see the vast majority of virus signatures are for Windows threats, to which your SLES machines are immune. That doesn't mean that they couldn't be compromised and then used to attack machines which are not immune.

If you can keep a local copy of the database up to date and you have direct (write) access to the client machines there must be dozens of ways to keep them updated from a local copy. For example you could schedule a task on each client to update its own temporary copy from your master, then replace the working copy with the temporary copy on the client in some way that makes the operation atomic. Without more information about the connectivity issues your clients face I can't really offer more than hand-waving suggestions like that, but just from the point of view of network traffic I would urge you to look into ways of making freshclam do something for you rather than trying to re-invent any wheels. Perhaps you could have a mirror in each client network which takes its data from a further mirror which you maintain in your network. Presumably if the clients are running Web servers on SLES, one (or more) of the client machines in each client network could also run a mirror for the local network?

Have you looked at anything like 'Puppet'?

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
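Ged's suggestion of copying the database into a temporary location on each client and then swapping it into place atomically, as an added example that is not code from the thread: a POSIX sh function that assumes a hypothetical layout where the path clamd uses as DatabaseDirectory is a symlink into versioned directories, and GNU coreutils for mv -T (SLES ships GNU coreutils).

```shell
#!/bin/sh
# Stage a fresh copy of the ClamAV signature files from a local master and
# repoint the live symlink with one rename(2), so clamd never reads a half-copied set.
# Assumed (hypothetical) layout: LIVE is a symlink, e.g. /var/lib/clamav -> /var/lib/db.XXXXXX,
# and clamd.conf's DatabaseDirectory points at LIVE.
set -u

DB_FILES="main.cvd daily.cvd bytecode.cvd"

# stage_and_swap MASTER LIVE  ->  returns 0 on success, 1 if the master copy is incomplete
stage_and_swap() {
    master=$1
    live=$2
    base=$(dirname "$live")
    stage=$(mktemp -d "$base/db.XXXXXX") || return 1
    for f in $DB_FILES; do
        # After an incremental update the master may hold daily.cld instead of daily.cvd.
        if [ -s "$master/$f" ]; then
            cp -p "$master/$f" "$stage/$f"
        elif [ -s "$master/${f%.cvd}.cld" ]; then
            cp -p "$master/${f%.cvd}.cld" "$stage/${f%.cvd}.cld"
        else
            echo "missing or empty $f in $master; leaving $live untouched" >&2
            rm -rf "$stage"
            return 1
        fi
    done
    # At this point a real deployment could run sigtool --info on each staged file
    # (sigtool ships with ClamAV) to reject a corrupt download before it goes live.
    old=$(readlink "$live" 2>/dev/null || true)
    ln -s "$stage" "$live.tmp.$$"
    mv -T "$live.tmp.$$" "$live"     # the swap itself: one atomic rename over the old symlink
    # Only discard the previous version if it is one of our own staged directories.
    case "$old" in
        "$base"/db.*) [ "$old" != "$stage" ] && rm -rf "$old" ;;
    esac
    return 0
}
```

Because a failed staging run returns before the rename, a client whose copy from the master is truncated keeps serving its previous (complete) signature set.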