You can look at https://atomicorp.com. They have clamav feeds.
On Thursday, July 31, 2025 at 08:41:13 AM EDT, lists--- via clamav-users
<[email protected]> wrote:
Grant suggested this, and the best option if dynamically adding to a
firewall is to use ipset.

You can write iptables rules, but the identifier is an ipset list.

In your firewall script (or at boot), create a list:

    ipset -exist new clamavlist hash:net timeout 86400

The timeout is set to a day above. That means, after a day, any IP or
network added will automatically be removed from the list. Change this
to your liking.

Then use iptables to allow that list, something like:

    iptables -w -I OUTPUT -o interface -p tcp --dport 443 -m set --match-set clamavlist dst -j ACCEPT

Now, anything on that list will be accepted for egress.

You could get fancier and restrict it to the UID of freshclam, but you
get the idea. You can also reduce the time to 1 hr or some such.

Then, in whatever clam script you have (with optional blocktime):

    ipset -exist add clamavlist ${ip}/32 timeout $blocktime

Done.

On Thu, 31 Jul 2025 01:16:36 -0400
Paul Kosinski via clamav-users <[email protected]> wrote:
> On Wed, 30 Jul 2025 12:38:29 -0500
> Nick Suan via clamav-users <[email protected]> wrote:
>
> > On Wed, Jul 30, 2025, at 10:05 AM, Paul Kosinski via clamav-users
> > wrote:
> > > If I 'dig', I get:
> > >
> > > $ dig database.clamav.net
> > > ;database.clamav.net. IN A
> > > database.clamav.net. 60 IN CNAME database.clamav.net.cdn.cloudflare.net.
> > > database.clamav.net.cdn.cloudflare.net. 300 IN A 104.18.203.90
> > > database.clamav.net.cdn.cloudflare.net. 300 IN A 104.17.196.15
> > >
> > > suggesting that the IP addresses have a TTL of only 5 minutes! This
> > > would seem to make it impractical to update my firewall rules often
> > > enough. (Also, if I do repeated digs on this URL, I see the TTL
> > > counting down -- and then recycling! Very strange.)
> > >
> >
> > Yes, it's very much 5 minutes, and the reason you see it counting
> > down is because your local resolver is only going to cache it for
> > that maximum of five minutes.
>
>
> Good explanation! I found it strange because I don't remember any other
> dig (using the exact same caching DNS resolver instance) showing a TTL
> count-down. But when I just now tried repeating a different dig in a
> short time frame I do indeed see a count-down! (But most TTLs are much
> longer, so they don't actually repeat before I give up digging.)
> _______________________________________________
>
> Manage your clamav-users mailing list subscription / unsubscribe:
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
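
One way to write the "clam script" step from the message above, added here as an example and not code from any list member or the ClamAV project: it turns dig answer lines into entries for the clamavlist set and validates each address before it reaches an ipset command run as root. The function names, the 3600-second floor and the `--apply` switch are assumptions, and the sample answer is constructed from the dig output quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): keep the "clamavlist" ipset in step
# with the short-lived A records behind database.clamav.net.

SET_NAME="clamavlist"         # set name used in the message above
MIRROR="database.clamav.net"  # host name from the quoted dig output
MIN_TIMEOUT=3600              # assumption: floor so entries outlive the gap between runs

# Constructed sample, modelled on the dig answer quoted in the thread.
SAMPLE_ANSWER='database.clamav.net. 60 IN CNAME database.clamav.net.cdn.cloudflare.net.
database.clamav.net.cdn.cloudflare.net. 300 IN A 104.18.203.90
database.clamav.net.cdn.cloudflare.net. 300 IN A 104.17.196.15'

# Read answer-section lines ("name TTL IN type data") on stdin and print
# "ADDRESS/32 TIMEOUT" for every well-formed IPv4 A record. DNS data is
# untrusted input, so anything that is not four octets in 0-255 is dropped.
# The timeout is the record TTL, raised to MIN_TIMEOUT when it is shorter.
answers_to_entries() {
    awk -v min="$MIN_TIMEOUT" '
        $3 == "IN" && $4 == "A" {
            if (split($5, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            t = ($2 + 0 > min + 0) ? $2 + 0 : min + 0
            printf "%s/32 %d\n", $5, t
        }'
}

# Resolve the mirror and add or refresh each address in the set.
# Needs root and an existing set created as shown in the message above.
refresh_clamav_set() {
    dig +noall +answer "$MIRROR" A | answers_to_entries |
    while read -r net timeout; do
        ipset -exist add "$SET_NAME" "$net" timeout "$timeout"
    done
}

# Only touch the firewall when asked to; sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    refresh_clamav_set
fi
```

Run it with `--apply` from cron at an interval shorter than `MIN_TIMEOUT`; with `-exist`, re-adding an address that is already in the set resets its timeout, so addresses that stop appearing in DNS age out on their own.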