Re: [clamav-users] Update problem today
On 23/04/2022 19:26, Mark Pizzolato - Clamav-Win32 wrote:
> Yesterday afternoon, the desktop computer's freshclam update attempts continued failing and along with these failures I was getting Windows Defender alerts about an issue being detected with the onaccess Windows Defender scanning. When I dug into those reports, they pointed at a temp file in the clamav database directory that freshclam was creating during the unpacking/update process. The Windows Defender quarantine process interrupted the freshclam update... This may be happening to you... I added a Windows Defender exclusion for the clamav database directory and the updates subsequently succeeded.

Thanks for the idea, but it wasn't that. The ClamAV directory was not being scanned by any other virus scanner, and surely, even if it was, that wouldn't cause Freshclam to download an out-dated daily.cvd file.

The problem 'magically' disappeared as soon as the 26522 update was published, so, to me, it really looks as if there were bad files on one of the mirrors. The later update would have replaced that with a correct file, so it all works again.

Paul

--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Update problem today
On 23/04/2022 18:34, Paul Smith via clamav-users wrote:
> It downloads (what looks like) the wrong version. Then when it sees the mismatch, it downloads the patch, but then can't merge them. Maybe it downloaded the right file, with the wrong version identifier, so the patch fails?

FWIW, This is the result of sigtool --info daily.cvd after the failed freshclam run

C:\temp]sigtool --info db\daily.cvd
File: db\daily.cvd
Build time: 22 Apr 2022 04:30 -0400
Version: 26520
Signatures: 1980741
Functionality level: 90
Builder: raynman
MD5: cb756214fb68e5b6bdec6fa4357015f2
Digital signature: uncyw2Ck5ZNYjZS7mIbhJcZ+1HXazERef7SKSbfHJCVCULBQstTBeRRD+qrNVDSJygv+zWyJvBCv8+Gf BX6H4Jjazk2YOoXfyfS5G3AyCXdOfHgggUiWn49/6UMt0Mz9uQUSuQg4Ogrwer40Q6QIYJW9MUIeNPYo++lxg34RrRb
Verification OK.

If I run freshclam with that database in place, I get:

ClamAV update process started at Sat Apr 23 18:56:50 2022
daily database available for update (local version: 26520, remote version: 26521)
Current database is 1 version behind.
Downloading database patch # 26521...
Time: 0.1s, ETA: 0.0s [>] 18.32KiB/18.32KiB
ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if there is enough disk space available
ERROR: updatedb: Incremental update failed. Failed to build CLD.
ERROR: Unexpected error when attempting to update daily: Failed to update database
ERROR: Database update process failed: Failed to update database
ERROR: Update failed.

(there is plenty of free disk space)

I can't see what the patch file is like as that doesn't seem to get left after freshclam terminates, and I can't see an option to prevent it being deleted
Re: [clamav-users] Update problem today
On 23 April 2022 19:11:06 "G.W. Haywood via clamav-users"
>> ...
>> ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if there is enough disk space available
>
> Did you check?

Of course. I presume 290GB is enough

In any case why would it download the wrong version if there was a disk space problem? If you look at its output, Freshclam is even reporting that the version it downloaded isn't what it was expecting to download.

It downloads (what looks like) the wrong version. Then when it sees the mismatch, it downloads the patch, but then can't merge them. Maybe it downloaded the right file, with the wrong version identifier, so the patch fails?

I don't doubt that it works for many people, otherwise someone else would probably have noticed, but it's not working here, and it's repeatable. It's been fine until this morning

I've just tried again, and again (emptying the DB before each test, but no other changes). It worked twice, and then stopped working again. Out of about 20 attempts, 2 worked, the others failed with this problem.

So, I'd guess that one of the mirrors has a broken file on it, and I'm just unlucky to be allocated that mirror most of the time.

Paul
[clamav-users] Update problem today
buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xf8f928)
> GET /daily.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.104.2 (OS: Windows, ARCH: AMD64, CPU: AMD64, UUID: 4ec0d961-a67d-40ef-852e-817ebaf45c05)
accept: */*
connection: close
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sat, 23 Apr 2022 16:08:04 GMT
< content-type: application/octet-stream
< content-length: 58361055
< last-modified: Fri, 22 Apr 2022 08:30:00 GMT
< etag: "62626788-37a84df"
< expires: Sun, 24 Apr 2022 04:08:04 GMT
< cache-control: public, max-age=43200
< cf-cache-status: HIT
< age: 27707
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 7007db130dd5770b-LHR
<
* Connection #0 to host database.clamav.net left intact
The daily.cvd database downloaded from https://database.clamav.net is older than the version advertised in the DNS TXT record.
Received an older daily CVD than was advertised. We'll keep it and try updating to the latest version with CDIFFs.
updatedb: Running g_cb_download_complete callback...
Testing database: 'd:\clam\db\tmp.b7b76a09b1\clamav-a9c4531a90e867ba4f628badafcd9650.tmp-daily.cvd' ...
Loading signatures from d:\clam\db\tmp.b7b76a09b1\clamav-a9c4531a90e867ba4f628badafcd9650.tmp-daily.cvd
Properly loaded 1980741 signatures from d:\clam\db\tmp.b7b76a09b1\clamav-a9c4531a90e867ba4f628badafcd9650.tmp-daily.cvd
Database test passed.
daily.cvd updated (version: 26520, sigs: 1980741, f-level: 90, builder: raynman)
Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
check_for_new_database_version: Local copy of daily found: daily.cvd.
query_remote_database_version: daily.cvd version from DNS: 26521
daily database available for update (local version: 26520, remote version: 26521)
Current database is 1 version behind.
Downloading database patch # 26521...
Retrieving https://database.clamav.net/daily-26521.cdiff
downloadFile: Download source: https://database.clamav.net/daily-26521.cdiff
downloadFile: Download destination: .\clamav-6e1f598f965bf1c38a7567ea4dbb5a57.tmp
* Trying 104.16.218.84:443...
* Connected to database.clamav.net (104.16.218.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Jul 15 00:00:00 2021 GMT
* expire date: Jul 14 23:59:59 2022 GMT
* subjectAltName: host "database.clamav.net" matched cert's "database.clamav.net"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x103dec0)
> GET /daily-26521.cdiff HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.104.2 (OS: Windows, ARCH: AMD64, CPU: AMD64, UUID: 4ec0d961-a67d-40ef-852e-817ebaf45c05)
accept: */*
connection: close
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sat, 23 Apr 2022 16:08:25 GMT
< content-type: application/octet-stream
< content-length: 18762
< last-modified: Sat, 23 Apr 2022 08:22:00 GMT
< etag: "6263b728-494a"
< expires: Sun, 23 Apr 2023 16:03:59 GMT
< cache-control: public, max-age=31535734
< cf-cache-status: HIT
< age: 27688
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 7007db983eeb774d-LHR
<
Time: 0.1s, ETA: 0.1s [=> ] 10.37KiB/18.32KiB
Time: 0.1s, ETA: 0.1s [=> ] 10.37KiB/18.32KiB
Time: 0.1s, ETA: 0.0s [>] 18.32KiB/18.32KiB
* Connection #0 to host database.clamav.net left intact
cdiff_apply: Parsed 228 lines and executed 228 commands
ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if there is enough disk space available
ERROR: updatedb: Incremental update failed. Failed to build CLD.
ERROR: Unexpected error when attempting to update daily: Failed to update database
ERROR: Database update process failed: Failed to update database
ERROR: Update fail
Re: [clamav-users] Scanning a large file through HTTP
On 07/04/2021 15:38, Saurav Sarkar via clamav-users wrote:
> We have files like CAD files which can go in GBs and want to send to this malware scanning service.

Why are you scanning CAD files? Can your CAD files contain arbitrary executable code which is blindly executed by the CAD software? If not, there's no reason to scan them? If they can, then I'd consider getting different CAD software...

> Is there a possibility to send the file in chunks and get it scanned in the server side in chunks

That would depend on the HTTP scanning service software. Clam AV needs the whole file at once to scan it, but the HTTP scanning service may be able to upload in chunks and reassemble it before sending it to Clam AV.

> I observed that there is a INSTREAM command in clamd for this purpose and also there is a 4GB size limit.
> https://linux.die.net/man/8/clamd

INSTREAM basically lets you send a file to clamd, it saves it as a temporary file, and then scans it, then deletes it. It lets you scan files that don't exist on the same computer as the clamd daemon without having to set up network shares etc.

So, all the limits (eg the 4GB limit) which apply to normal files also apply to INSTREAM

--
Paul
Paul Smith Computer Services
supp...@pscs.co.uk - 01484 855800
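The INSTREAM exchange described in this reply, as an added example that is not part of the original message or of ClamAV's own code: the client sends `zINSTREAM\0`, then length-prefixed chunks, then a zero-length chunk, and reads one NUL-terminated reply. The stub server, the marker string and the chunk size are assumptions made so the example runs offline; the limit it enforces stands in for clamd's `StreamMaxLength` setting.

```python
import io
import socket
import struct
import threading

CHUNK = 64 * 1024                      # bytes per chunk; arbitrary choice for this example
MARKER = b"CONSTRUCTED-TEST-MARKER"    # constructed "signature" known only to the stub below


def instream_frames(fileobj, chunk_size=CHUNK):
    """Yield the byte frames of one INSTREAM session for a binary file object."""
    yield b"zINSTREAM\0"               # 'z' prefix: command and reply are NUL-terminated
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        yield struct.pack("!I", len(chunk)) + chunk   # 4-byte big-endian length, then data
    yield struct.pack("!I", 0)         # zero-length chunk marks the end of the stream


def encode_instream(payload, chunk_size=CHUNK):
    """Return the full wire encoding of payload, for inspection."""
    return b"".join(instream_frames(io.BytesIO(payload), chunk_size))


def scan_stream(sock, fileobj, chunk_size=CHUNK):
    """Stream fileobj to a connected clamd socket and return its one-line reply."""
    try:
        for frame in instream_frames(fileobj, chunk_size):
            sock.sendall(frame)
    except (BrokenPipeError, ConnectionResetError):
        pass  # server stopped reading (size limit hit); its reply may already be queued
    reply = b""
    try:
        while not reply.endswith(b"\0"):
            data = sock.recv(4096)
            if not data:
                break
            reply += data
    except ConnectionResetError:
        pass  # connection torn down before a reply arrived; caller sees ""
    return reply.rstrip(b"\0").decode("ascii", "replace")


def stub_clamd(conn, stream_max_length):
    """Constructed stand-in for clamd's INSTREAM handling; not clamd's code."""
    with conn, conn.makefile("rb") as rd:
        if rd.read(10) != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        body = bytearray()
        while True:
            header = rd.read(4)
            if len(header) < 4:        # client went away mid-stream
                return
            (size,) = struct.unpack("!I", header)
            if size == 0:
                break
            if len(body) + size > stream_max_length:
                # Mirrors the documented behaviour: report the error and close.
                conn.sendall(b"INSTREAM size limit exceeded. ERROR\0")
                return
            body += rd.read(size)
        if MARKER in body:
            conn.sendall(b"stream: Constructed-Marker FOUND\0")
        else:
            conn.sendall(b"stream: OK\0")


def demo(payload, stream_max_length, chunk_size=CHUNK):
    """Run one scan against the stub over a local socket pair and return the reply."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=stub_clamd, args=(server, stream_max_length))
    worker.start()
    with client:
        result = scan_stream(client, io.BytesIO(payload), chunk_size)
    worker.join()
    return result


if __name__ == "__main__":
    print(demo(b"x" * 3000, 4096, 1024))   # within the limit
    print(demo(b"x" * 3000, 2048, 1024))   # exceeds the stub's limit
```

Chunking only frames the transfer: the stub, like the behaviour described in the message, judges the reassembled whole, so the size limit applies to the total streamed and not to any single chunk.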
Re: [clamav-users] Getting 403 Forbidden Error
On 31/03/2021 07:28, Varun, Michael via clamav-users wrote:
> Hello Team,
>
> We are receiving 403 Forbidden error for our freshclam downloads. We have disabled the frequency of downloads since last 1 week and still we see rate limiting enabled on us
>
> Is there a way that we know when our ips would get blacklisted as well do we get to the reason for blacklisting ?

Which version of Freshclam are you using? Versions older than 0.100 won't work any more, so you need to upgrade to a later version

--
Paul
Re: [clamav-users] Freshclam Update Error
On 25/03/2021 13:04, Wayne Florence via clamav-users wrote:
> Hello,
>
> Since March 3rd 2021, I have been unable to download the Virus definitions. I have verified that it is not the local firewalls or anything else blocking it so I can only guess I have been added to the blocked IP list.

Which version of Freshclam are you using? If it's earlier than 0.100, then it's no longer supported, and you need to update to a later version.

--
Paul
Re: [clamav-users] Linode Clam AV Updates
On 22/03/2021 10:04, G.W. Haywood via clamav-users wrote:
>> ... what the cvdupdate method is supposed to help with. That does NOT use the 'PrivateMirror' option with the private mirror as you originally said it did.
>
> I don't recall describing any use of the cvdupdate method. If I gave the impression that I'm familiar with it (it's brand new, and I have never used it, nor even looked at it) then it's my turn to apologize.

I said "it's a bad idea to run cvdupdate just a couple of times a day because freshclam gets upset when the DNS doesn't match the CDIFFs available" and you replied that you should use the "privatemirror" configuration so it doesn't use the DNS.

But all the cvdupdate documentation says to use the standard 'databasemirror' *not* 'privatemirror' (so that Freshclam DOES download CDIFFs, to reduce bandwidth usage - with 'privatemirror', Freshclam just downloads full CVDs)

Running cvdupdate very frequently is fine (AFAICS), because it downloads nothing until the DNS record changes.

Maybe the misunderstanding was because I used the term 'private mirror' (as used on the page https://www.clamav.net/documents/private-local-mirrors ) and you assumed I meant method (2) on that page, whereas my previous sentence had indicated I was talking about method (3).

--
Paul
Re: [clamav-users] Linode Clam AV Updates
On 21/03/2021 18:29, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Sun, 21 Mar 2021, Paul Smith via clamav-users wrote:
>> On 20/03/2021 17:12, G.W. Haywood via clamav-users wrote:
>>> My understanding is that if you're using a private mirror you're supposed to set the 'PrivateMirror' option, which does not use DNS to check for the existence of updated files, but checks the files themselves directly.
>>> ...
>>
>> I'm sorry, but this is definitively NOT what the website says!
>> https://www.clamav.net/documents/private-local-mirrors
>> Option (2) (which is still documented but won't work any more) says ...
>
> Maybe I've missed something. Can you explain why it won't work? As I understand it, as far as the Cloudflare service is concerned, option 2 effectively makes a bunch of clients into a single client.

I tested it and couldn't get this to work to download the CVD files. I believed it was because it was trying to repeatedly download full CVD files rather than the CDIFFs, but maybe it was something else at my end or the Cloudflare throttling not liking my tests at the time I tried it. Because cvdupdate worked well and is better, I didn't pursue this option. If it should work, then I apologise.

> and your LAN will probably have at least Gigabit/s capacity

Yes, this option is fine if all your clients are on a fast LAN, but not when private mirror serves clients over WANs, VPNs, remote Internet users, etc

This is exactly what the cvdupdate method is supposed to help with. That does NOT use the 'PrivateMirror' option with the private mirror as you originally said it did.

--
Paul
Re: [clamav-users] Linode Clam AV Updates
On 20/03/2021 17:12, G.W. Haywood via clamav-users wrote:
>> On 20/03/2021 04:31, Joel Esler (jesler) via clamav-users wrote:
>>> Please check out cvdupdate or Freshclam for your updates. Once or twice a day to check is fine.
>>
>> FWIW, running cvdupdate only once or twice a day is a BAD idea. If you are running a private mirror, then if Freshclam tries to get the latest CDIFF (according to DNS) from the private mirror ...
>
> My understanding is that if you're using a private mirror you're supposed to set the 'PrivateMirror' option, which does not use DNS to check for the existence of updated files, but checks the files themselves directly.

On 20/03/2021 19:08, Joel Esler (jesler) via clamav-users wrote:
> Ged is correct.

I'm sorry, but this is definitively NOT what the website says!

https://www.clamav.net/documents/private-local-mirrors

Option (2) (which is still documented but won't work any more) says

"For this to work you have to change freshclam.conf on each client so that it reads

PrivateMirror machine1.mylan
ScriptedUpdates no"

This is NOT what we are doing!

Option (3) (using cvdupdate) says:

"Set up your Freshclam clients’ freshclam.conf config file to point to:

DatabaseMirror http://machine1.mylan"

So, the cvdupdate method is meant to use 'DatabaseMirror' NOT 'PrivateMirror'

The 'PrivateMirror' option means that Freshclam does not download CDIFF files at all, but that is how the 'cvdupdate' method expects the clients to work. Cvdupdate makes CDIFF files available to the mirror 'clients', just like the normal ClamAV method does. It is designed to be bandwidth efficient by allowing clients to get the CDIFFs, as opposed to the 'PrivateMirror' method which requires them to get the full CVD file

It works absolutely fine, and wonderfully, as long as the private mirror is up to date, so cvdupdate needs to be run frequently. It will not download anything unless the DNS TXT record has updated.

Also, in case of doubt: https://github.com/micahsnyder/cvdupdate says

"You can test it by running freshclam or freshclam.exe locally, where you've configured freshclam.conf with:

DatabaseMirror http://localhost:8000"

(There is no mention of the 'PrivateMirror' configuration option in the cvdupdate docs)

--
Paul
Re: [clamav-users] Linode Clam AV Updates
On 20/03/2021 04:31, Joel Esler (jesler) via clamav-users wrote:
> Please check out cvdupdate or Freshclam for your updates. Once or twice a day to check is fine.

FWIW, running cvdupdate only once or twice a day is a BAD idea.

If you are running a private mirror, then if Freshclam tries to get the latest CDIFF (according to DNS) from the private mirror, and it's not there, it immediately downloads the full CVD from the private mirror.

So, if CDIFF 26116 is advertised in DNS but has not been downloaded by cvdupdate yet, then the private mirror gets hammered by all the Freshclam clients getting the full CVD - and the next time all the Freshclams check, they will get the full CVD *again*, and *again*, until cvdupdate finally updates the private mirror with the latest CDIFF.

So, you need to run cvdupdate at least every hour or so, so that hopefully each Freshclam instance doesn't download the full CVD more than once per released CDIFF...

Hopefully there'll soon either be a documented way to run our own 'DNSDatabaseInfo' server in conjunction with cvdupdate, or a Freshclam update will make it be less impatient before it downloads the full CVD after a new CDIFF is published.

--
Paul
Re: [clamav-users] Re :Re: Re :Re: Offline Updating
On 18/03/2021 14:22, Joel Esler (jesler) via clamav-users wrote:
> Everyone please check, this should be cleared up.

It's fine for me now. Thanks

--
Paul
Re: [clamav-users] Re :Re: Re :Re: Offline Updating
On 18/03/2021 11:50, Rick Cooper wrote:
> Just looked at the page source, fired up internet explorer 11 and can navigate the site, pulled out firefox and can also navigate the site. Appears to be no go with chrome and Edge

Yep, same here in the UK.

Firefox, IE11 and Safari are OK here. Chrome, Edge and Opera all give the 1020 error.

Guess it's an attempt to stop people faking UserAgent strings to get the CVDs, but it's affecting the whole site...

--
Paul
Re: [clamav-users] Re :Re: Re :Re: Offline Updating
On 18/03/2021 11:28, G.W. Haywood via clamav-users wrote:
> Another user on this list says that he sees problems with the ClamAV Website certificate. I do not see that - I see that the certificate is current, valid, and expires at noon (GMT) on 4th August 2021.

I've only just noticed it today (prompted to look by presario's message). Now, I'm getting the same response as they are. I didn't visit the website yesterday, so can't comment on when it started.

> I am in England. Perhaps something is wrong with the geographical caching by Cloudflare. If so, to know more about it we may need to wait until the people in the USA start their working day.

I'm in England also...

At my first message, the certificate was wrong. NOW it is showing as valid, expiring on 4th August 2021, but I'm getting the 1020 error - this is just going to https://www.clamav.net (not downloading CVDs). This IP address is not used for anything else ClamAV related, so it shouldn't be hitting rate limiters or anything like that.

I suspect the Cloudflare settings have been tweaked, and have gone badly wrong.

My IP address is 82.68.48.206. If I remote into my office PC and try from there, I get the same 1020 error, that IP address is 195.224.19.190 and on a totally different ISP from my home network.

--
Paul
Re: [clamav-users] Re :Re: Offline Updating
On 18/03/2021 10:58, Paul Smith via clamav-users wrote:
> Clamav.net is broken... Chrome shows an invalid certificate. If I go to www.clamav.net, I get a certificate for 'ssl392509.cloudflaressl.com which expired on 13 October 2020... I've attached a screenshot

Now I'm getting the 1020 error

Note that this is for the MAIN ClamAV website https://www.clamav.net - NOT trying to download CVD files or similar.

(FWIW, I'm trying to connect from the UK)

--
Paul
Re: [clamav-users] Re :Re: Offline Updating
On 18/03/2021 10:51, G.W. Haywood via clamav-users wrote:
>> Since this moraine, it"s impossible to access at :ClamavNet
>
> I do not understand your message. It appears to be garbled. You do not appear to explain what you are doing, so I do not know.

Clamav.net is broken... Chrome shows an invalid certificate. If I go to www.clamav.net, I get a certificate for 'ssl392509.cloudflaressl.com which expired on 13 October 2020... I've attached a screenshot

--
Paul
Re: [clamav-users] Offline Updating
On 17/03/2021 09:34, James Mcloughlin via clamav-users wrote:
> I have a stand alone machine that is not connected to the internet or any other device and for security reasons it cannot be connected at all. I have looked into getting the Clamav software updated, but seem to be struggling, is there a common method of carrying out this job at all?

You could run FreshClam on a computer that is connected to the Internet, and periodically copy the CVD files over to the air-gapped computer, just as you would have done before.

The difference is that before you'd download the CVD files manually and then copy them, now you'll use FreshClam and copy them.

--
Paul
Re: [clamav-users] Restriction of downloads
On 13/03/2021 11:50, Matus UHLAR - fantomas wrote:
>> On 13.03.21 11:16, Paul Smith via clamav-users wrote:
>> Maybe Synology and QNAP, etc could run private mirrors for their devices which they don't provide up-to-date Freshclam for...
>
> QNAP runs freshclam. checked now with my 419P+:
>
> ClamAV update process started at Sat Mar 13 12:47:36 2021
> WARNING: getpatch: Can't download main-55.cdiff from database.clamav.net
> ERROR: getpatch: Can't download main-55.cdiff from database.clamav.net

That looks like an obsolete version, which won't work with database.clamav.net, but would work if QNAP (or anyone else) provided a private mirror for it.

--
Paul
Re: [clamav-users] Restriction of downloads
On 13/03/2021 00:47, G.W. Haywood via clamav-users wrote:
>> I just found that my "antivirus essentiel" installed package provided by Synology is unable to update virus definition file since 03/06/2021 !
>
> Then should you not be talking to Synology?

Maybe Synology and QNAP, etc could run private mirrors for their devices which they don't provide up-to-date Freshclam for...

--
Paul
Re: [clamav-users] Private Mirror Via Artifactory
On 11/03/2021 23:28, adam.cop...@arola.co.uk via clamav-users wrote:
> Hi
>
> Thank you for replying however we are using freshclam the approved method. The problem is that our setup is not allowed to go out via a proxy, the only method is to have artifactory mirror the public repo, but as that is now being blocked this is very problematic.

You can set up a private mirror using the cvdupdate software: https://github.com/micahsnyder/cvdupdate . This works fine and is easy to setup and use.

If your only option is to use artifactory, then you need to contact JFrog's technical support because they're the only people who can fix that. After all, that's what you're paying them for. I'm sure they'll be working on (or will already have) an update to work with the new restrictions.

--
Paul
Re: [clamav-users] Freshclam HTTP 429 ERROR
On 11/03/2021 11:14, Samuel Girard via clamav-users wrote:
> Hello,
>
> we've just upgraded clamav in 0.100-3.1. Since then, it's impossible to download signatures from one of our proxies. (it works from another one)
>
> Do you have any clue ?
>
> [admsnant] $ sudo freshclam
> ClamAV update process started at Wed Mar 10 16:26:41 2021
> WARNING: Can't query current.cvd.clamav.net
> WARNING: Invalid DNS reply. Falling back to HTTP mode.
> Connecting via X.X.X.X
> Reading CVD header (main.cvd): WARNING: remote_cvdhead: Unknown response from db.fr.clamav.net (IP: X.X.X.X): HTTP/1.0 429

429 is 'Too many requests'

So, there are too many requests for the updates from your IP address. If you have a proxy, then it's likely that lots of client computers are each asking for their own updates via the proxy, making it look as if the proxy's IP address is making lots of requests itself.

Why is Freshclam unable to query current.cvd.clamav.net? Because of that it seems to be getting a fresh main.cvd to check if it needs to update, rather than doing nothing when there is nothing to update and just getting CDIFFs if an update is needed. If you fix that, it should help a lot.

You could set up the proxy to force caching of the files so that it only gets fresh copies every few hours, or you could set up a private mirror instead of a proxy (using cvdupdate)

https://www.clamav.net/documents/private-local-mirrors

--
Paul
Re: [clamav-users] Unable to download clamav cvd file using google cloud python function
On 10/03/2021 22:29, Joel Esler (jesler) via clamav-users wrote:
> 100 CDIFFs or so behind, and they download it nearly 2k times in a row? Why? This is not a partial download either. It’s the full file. Stuck cron? Who in the past 24 hours has created 22.17M file downloads /all by themselves/ from a single IP. (The main.cvd btw)

You *may* be forgetting NAT.

Eg, it's possible the first one is a network of a few thousand computers going through a NAT firewall where each of them has had an old daily.cvd copied onto them in an internal release cycle or something, so each of the computers on that network is trying to download a backlog of CDIFFs. (Or maybe another problem stopping the updates has been discovered and fixed, or something)

I'm not saying it is, but it may be. If you are only analysing by IP address, NAT will innocently cause strange results.

-- Paul
Re: [clamav-users] looks like I have a problem too
On 10/03/2021 20:29, Paul Kosinski via clamav-users wrote:
> I wrote a little script that run off cron every hour or so. But it *only* invokes freshclam after querying ClamAV's DNS TXT record to see if any advertised versions of 'daily', 'bytecode' or 'main' are newer than the local versions of the CVD files

As I understand it, Freshclam already won't do anything if the DNS record shows the same versions as the locally available CVD files, so you don't need to do that. That's certainly how it seems to behave here. If the DNS record hasn't changed, then it just says "everything's fine" and does nothing else.

So, if you ran Freshclam every minute, it wouldn't download anything except lots of DNS queries (which would be cached more locally).

The bandwidth problem is due to people NOT using Freshclam at all.

-- Paul
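
The version check discussed in the message above (compare the versions advertised in the DNS TXT record with the local CVD headers, and download only when a database is behind), as an added Python example that is not part of the original thread and is not freshclam's own code. The TXT field positions are an assumption to verify against your freshclam version, and the TXT string and headers are constructed samples (the daily version, signature count, f-level and builder reuse the sigtool output quoted earlier on this page).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CVD_HEADER_SIZE = 512   # fixed-size text header at the start of a .cvd/.cld file
CVD_MAGIC = "ClamAV-VDB"

# Assumed positions of the database versions in the colon-separated TXT record.
TXT_FIELDS = {"main": 1, "daily": 2, "bytecode": 7}


@dataclass(frozen=True)
class CvdHeader:
    build_time: str
    version: int
    signatures: int
    f_level: int
    md5: str
    builder: str


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the header fields that `sigtool --info` prints."""
    if len(raw) < CVD_HEADER_SIZE:
        raise ValueError("truncated file: header is 512 bytes")
    text = raw[:CVD_HEADER_SIZE].decode("ascii", errors="replace").rstrip()
    fields = text.split(":")
    if len(fields) < 8 or fields[0] != CVD_MAGIC:
        raise ValueError("not a CVD/CLD header")
    try:
        return CvdHeader(fields[1], int(fields[2]), int(fields[3]),
                         int(fields[4]), fields[5], fields[7])
    except ValueError:
        raise ValueError("non-numeric version, signature count or f-level") from None


def parse_txt_record(txt: str) -> Dict[str, int]:
    """Extract the advertised main/daily/bytecode versions from the TXT string."""
    fields = txt.strip().strip('"').split(":")
    versions = {}
    for name, idx in TXT_FIELDS.items():
        if idx >= len(fields) or not fields[idx].isdigit():
            raise ValueError(f"TXT record has no usable {name} version")
        versions[name] = int(fields[idx])
    return versions


def databases_needing_update(
    txt: str, local: Dict[str, CvdHeader]
) -> Dict[str, Tuple[Optional[int], int]]:
    """Return {name: (local_version, advertised_version)} for stale databases.

    A database that is missing locally is reported with local version None.
    An empty result means nothing has to be fetched over HTTP at all.
    """
    behind = {}
    for name, remote in parse_txt_record(txt).items():
        header = local.get(name)
        have = header.version if header else None
        if have is None or have < remote:
            behind[name] = (have, remote)
    return behind


def constructed_header(version: int, sigs: int, f_level: int, builder: str) -> bytes:
    """Build a sample header (constructed; md5 and signature are placeholders).

    In the header the build time is written with '-' in place of ':'.
    """
    text = (f"{CVD_MAGIC}:22 Apr 2022 04-30 -0400:{version}:{sigs}:{f_level}:"
            f"{'0' * 32}:PLACEHOLDER-DSIG:{builder}:0")
    return text.encode("ascii").ljust(CVD_HEADER_SIZE, b" ")


# Constructed sample input: daily is one version behind, main and bytecode match.
SAMPLE_TXT = "0.103.5:62:26521:1650700000:1:90:49192:333"
SAMPLE_LOCAL = {
    "main": parse_cvd_header(constructed_header(62, 6647427, 90, "sigmgr")),
    "daily": parse_cvd_header(constructed_header(26520, 1980741, 90, "raynman")),
    "bytecode": parse_cvd_header(constructed_header(333, 92, 63, "awillia2")),
}

if __name__ == "__main__":
    stale = databases_needing_update(SAMPLE_TXT, SAMPLE_LOCAL)
    for name, (have, want) in stale.items():
        print(f"{name}: local {have}, advertised {want} -> fetch CDIFF(s)")
    if not stale:
        print("all databases current, no HTTP request needed")
```

When the DNS lookup fails, as in the "Can't query current.cvd.clamav.net" log elsewhere in this thread, there is no TXT string to compare against, which is why that client fell back to reading the CVD header over HTTP on every run.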
Re: [clamav-users] Unable to download clamav cvd file using google cloud python function
On 10/03/2021 18:42, Arjen de Korte via clamav-users wrote:
>> Indeed. There does seem to be a view from some people here that anyone using ClamAV should be regularly updating, monitoring this list, monitoring blogs, etc. Ordinary people just don't do that.
>
> I wonder how many ordinary users are actually *not* using freshclam for updates. Pretty much every major distribution I know of will set up ClamAV in a way that updates are handled through freshclam.

Yes - but many people won't be using ClamAV from (reasonably up-to-date) Linux distributions...

Many will be using ClamWin, or ClamAV otherwise installed on Windows, or on a NAS, or whatever. Those could well be using old versions or unusual installations without necessarily realising what's going on. All they'll know is that suddenly it's stopped working.

-- Paul
Re: [clamav-users] Unable to download clamav cvd file using google cloud python function
On 10/03/2021 17:00, Paul Kosinski via clamav-users wrote:
> I wonder how many "ordinary" users of ClamAV are giving up on using it after getting permanent 403s. I would imagine there are lots of people who don't pursue the issue. They may even tell others that ClamAV is unreliable (which would tarnish its reputation).

Indeed. There does seem to be a view from some people here that anyone using ClamAV should be regularly updating, monitoring this list, monitoring blogs, etc. Ordinary people just don't do that.

I expect many will just be thinking that the database servers are broken, and are waiting for them to recover on their own (as they've done in the past) and they'll eventually go elsewhere.

The change should really be published everywhere possible - at least in big letters on the ClamAV home page, and possibly including going to popular computer press, etc. A blog article (which is actually very hard to find) or announcement list post (which is even harder to find) which vaguely says that databases won't be tested on older versions isn't quite the same as a home page announcement that old versions & wget just won't work any more!

Of course, people have limited rights to complain - it's not like we're paying for it.

-- Paul
Re: [clamav-users] freshclam getfile failed - and clamav links Cloudfare 1020 error.
On 10/03/2021 16:49, Rémy DODIN via clamav-users wrote:
> Hi, Since several weeks (may be since clamav migrated to cloudflare), Freshclam is no more able to get updates and fails not been able to get any databases (main, daily etc..)
> - It stopped to work suddenly making me think it could be a cloudflare issue.
> - Environment ArcaOS
> - latest available build 0.99

That version of ClamAV (and thus FreshClam) is EOL and now no longer works after they've put in place rate-limiting and other restrictions to stop abuse of the database servers.

Either upgrade to a more recent version of ClamAV, or if you have a lot of client PCs, you could set up a private mirror using cvdupdate and have your old version get from that private mirror instead (but be aware that, at some point, the CVDs may stop working totally on your version, so it's worth upgrading to a more recent version in any case).

-- Paul
Re: [clamav-users] Database update downloads blocked with 403 error
On 10/03/2021 16:07, Arjen de Korte via clamav-users wrote:
> You're downloading over 2.5 GB of data daily between these four servers, where only a few kB would suffice had you used freshclam. That's abuse in my book.

(More like about 1GB between the 4 servers as opposed to about 60kB)

And they may be running a private mirror from those servers for their thousands of users.

But still - People think if they're downloading to a server and then their users' PCs download from that server, then they're saving bandwidth, but about 11,000 client computers getting a CDIFF is similar in terms of bandwidth usage to *one* server downloading 'daily.cvd' and 'main.cvd' - plus the internal bandwidth is *vastly* smaller if the users' computers get the CDIFFs than if they redownload the whole daily.cvd every day across the LAN/WAN

-- Paul
Re: [clamav-users] Database update downloads blocked with 403 error
On 10/03/2021 15:37, Matt Forsdike via clamav-users wrote:
> We are unable to use Freshclam but instead have 4 servers which download the main.cvd, daily.cvd and bytecode.cvd files daily at around 4am GMT.

Why can you not use Freshclam?

If you want to run your own private mirrors (eg to reduce your Internet bandwidth) then see: https://github.com/micahsnyder/cvdupdate

-- Paul
Re: [clamav-users] Unable to download clamav cvd file using google cloud python function
> I am getting error http client 403 where I have deployed google cloud function using python to download the daily clamav virus definitions from http://database.clamav.net.

ClamAV have implemented rate-limiting and restrictions because some people were downloading updates far too frequently from AWS and Google Cloud servers.

See: https://lists.clamav.net/pipermail/clamav-users/2021-March/010559.html

You should use FreshClam to download the updates. If you are running a private mirror, then use this tool to refresh your mirror: https://github.com/micahsnyder/cvdupdate

-- Paul
Re: [clamav-users] Downloading CVD files manually..
On 08/03/2021 05:55, Micah Snyder (micasnyd) wrote:
> I'm really happy to hear you're using Mussels, sad to hear it was frustrating at first. Please feel free to document any sharp edges in the github repo so we can try to make it a better experience.

Thanks. It worked in the end, and wasn't as painful as I'd feared.

The problem with Mussels was weird. I guess it couldn't work out what platform I was using, as all the recipes were there, just 'not for my platform'. I had trusted the cookbook and everything. As I was composing a message to put on the Discord to ask for tips, I was running through the commands to reproduce the problem, and then suddenly it worked. So, I have no idea what changed, so I can't really report a bug or what I did to fix it, because I simply don't know...

I don't know if using a different command prompt messed it up (I use Take Command by default, not cmd.exe), but now it works OK in Take Command as well as in cmd.

It would have been useful if 'list -a' (or 'list -a -V') showed whether cookbooks were trusted or not, and which platform it thought I was using. 'list -a -V' shows details, but not that.

-- Paul
Re: [clamav-users] I can't update Clamav database for 5 days
On 07/03/2021 15:55, Arjen de Korte via clamav-users wrote:
> This was announced almost a month ago on both the clamav-announce and clamav-users mailing lists. This has not been caused by the changes to prevent excessive downloads. See https://blog.clamav.net/2021/02/clamav-eol-versions-prior-to-0100.html

I'm sorry, but that does not say "it will not work", just "we won't test signatures". As it happens the current CVDs work perfectly well with ClamAV 0.99, it's just that FreshClam 0.99 can't download them (because of the way the rate limiting has been implemented)

"End of life (EOL) for ClamAV essentially means that we will no longer be testing against that version when we write signatures, and we may break something with a future release. So, while signatures may work past March 1, we are no longer testing that configuration."

That announcement is saying that things may break with a future release. There hasn't been a future release of ClamAV since that announcement. It's also not saying that the old FreshClam won't be able to download the updates, just that they may not work in ClamAV.

The changes to prevent excessive downloads are what triggered old FreshClam failing. It's the same reason that wget won't work (for implementing private mirrors). It all happened at exactly the same time. See: https://lists.clamav.net/pipermail/clamav-users/2021-March/010559.html

Note that I'm not complaining that the rate limiting has been implemented, but a warning that private mirrors and old Freshclam would definitely stop working would have been nice, but, as I understand it, the rate limiting was forced upon them by external factors, so prior warning wasn't possible.

-- Paul
Re: [clamav-users] I can't update Clamav database for 5 days
On 07/03/2021 15:21, Jérôme Giry via clamav-users wrote:
> I use it with Clamwin-0.99.4 downloaded on his official site. As it is the last version of Clamwin, I assume it uses the last version of Clamav too (0.103.1)

Clamwin-0.99.4 (released in March 2018) uses ClamAV 0.99, which is EOL and unsupported by ClamAV. A sudden configuration change (due to excessive updates by some parties) on the ClamAV servers has broken updates for any EOL versions of ClamAV. (It's caught quite a few of us out!)

Clamwin needs to upgrade to a more recent version of ClamAV, or you can download a standard version of ClamAV and use the command-line options for scanning. https://www.clamav.net/downloads#otherversions

-- Paul
Re: [clamav-users] Downloading CVD files manually..
On 07/03/2021 04:07, Micah Snyder (micasnyd) wrote:
> The immediate crisis that led to Joel restricting the downloads to use freshclam was unexpected. I'm working on a tool as fast as I'm able to replace the Perl-wget script for those that need to host private mirrors. It will have built-in features to minimize the possibility for abuse. I'll share it with the list as soon as I'm able.

Thanks for working on this.

In the meantime we're using FreshClam to get the CVDs and are copying those into the local webserver's DocumentRoot. Not ideal at all because of the lack of cdiffs, but it seems to work for now.

-- Paul
Re: [clamav-users] Downloading CVD files manually..
On 07/03/2021 00:17, Joel Esler (jesler) wrote:
> Correct. Wget is restricted. I wrote that in my email. So if you upgrade your version of freshclam/ClamAV, you should be good. Please see our blog post made back in the beginning of February.

Sorry if I sounded a bit harsh, I totally understand the rate limiting etc.

The problem with upgrading is that we use a customised Windows version of ClamAV, and building ClamAV on Windows is never trivial...

I think I've managed to get Mussels working yesterday after about 4 hours. I'm not sure what I did, but it wouldn't believe that it had a recipe for clamav_deps which was valid for Windows ("python3 -m mussels list" returned a blank list, but "python3 -m mussels list -a" showed all the recipes). Then, suddenly, for no obvious reason, it just started working properly (just as I'd decided to join the Discord to ask for help), so I left it building the dependencies overnight

I'm going to give building ClamAV a go today and see how far we get. And then we've got to test it etc.

The bigger problem was the inability to make a private mirror using the instructions on the ClamAV site, especially since the announcement said that we should do just that... If it was possible to make private mirrors now, then the issue would be much less. Hopefully there'll be a solution for that soon.

Paul
[clamav-users] Downloading CVD files manually..
OK, I've seen the rate limiting post, and that's understandable.

We're running an (old) version of Freshclam every hour, and that's just started failing with '403 Forbidden' errors. I guess we'll need to update to a more recent version, which is OK, but not trivial in our case so may take us a few days to implement properly. (It needs doing, so I'm not too bothered by having to do it, but it'd be nice to have a workaround until that can be done).

So, I thought we'd run a private mirror using the instructions here: https://www.clamav.net/documents/private-local-mirrors as then we wouldn't have any issues with rate limiting, and would help by reducing the load on your servers, etc.

Unfortunately, those don't work any more, because "wget http://database.clamav.net/main.cvd" also fails with a 403 Forbidden error. I've tried from multiple PCs on multiple networks, and it always fails. (Note that we're not getting a 429, so we're not being rate limited, just blocked totally)

So, your request in your rate limiting post of "2. Consider setting up a local mirror on your network" is seemingly impossible to do.

Is there any new trick to setting up a local mirror?

(PS - also, on my PC, 'wget' fails, but Chrome can download the updates absolutely fine, so it's not blocking my IP address, just the use of wget)
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 06/10/2014 15:21, Tim Smith wrote:
>> but call paid prebuilt software always better is not correct, but mostly just marketing
>
> What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention.

Not if I want to make my own signatures... It also beats the others on price and (IMHO) usability.

>> What other av product can you make your own virus signatures with, not useful, hmm
>
> You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly !

Yes you do. We have AVG, Avira, Sophos and ClamAV. Yes, AVG, Avira and Sophos will release virus definition updates before ClamAV. But usually by the time even Sophos have released their updates we've already received a few thousand copies of the virus. With ClamAV we can beat Sophos by adding our own definitions, so we can beat even the fastest AV vendors by a few hours (that's not knocking them, we have different requirements from them, so we can knock together a simple signature test and if we cause false positives, it's our problem. We're not going to have zillions of other people complaining and be on news channels because we broke something).

> Seriously, why should I mess around with creating virus signatures, it's a waste of my time.

OK. That's a valid choice, in which case YOU will probably be better off spending money on a commercial product. For other people, the few seconds to generate a signature is worth the many thousands of pounds savings they'll make from not using a commercial product. Neither is wrong, just different priorities.
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 06/10/2014 14:37, Tim Smith wrote:
>> are you really trying to compare response times from PAID solutions to the free/community maintained ones
>
> Of course not, the paid solutions will always be better. But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !

It's only on the slow side if you expect it to be quicker... Personally, I'm glad this is available at all from a free solution. As other people have said, you can make YOUR Clam AV installation detect the virus pretty much instantly - which is much quicker than any paid solution. (eg http://www.clamav.net/doc/latest/signatures.pdf)

Analysing a virus & updating signatures is not a quick & trivial job, and they'll get lots of samples submitted (I've heard figures of a million a day). Many will be duplicates, but many will also be innocuous files where someone has been paranoid, or even where files are maliciously submitted, so I expect that files that are submitted have to be checked somehow to make sure they really are malicious files, and a useful signature has to be generated and tested. I'm fairly sure you'd be (rightly) miffed if an update was released which suddenly generated lots of false positives because corners had been cut.

If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this) or send a financial donation to help with the process.

Obviously the paid AV solutions will have more resources to do this task than a community maintained one will have, so you'd expect the paid ones to be considerably quicker.
Re: [clamav-users] PLEASE REMOVE
On 03/09/2014 01:38, YSPSC IT wrote:
> There's no unsubscribe there... Please just do it, Al.

Al isn't a list administrator, just someone who understands how things work, so he can't remove you from the list, but he's told you what to do - it takes about 10 seconds (if that).

Go to http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Put your email address into the box just to the left of the "Unsubscribe or edit options" button, and press that button - hey presto, magicko

You can also send a message to clamav-users-requ...@lists.clamav.net with the subject: unsubscribe

In case you're interested (or other people are), the message headers of mailing list messages should show you what to do, eg messages from this list will have the header:

List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>, <mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe>

which lists the two links you can use for unsubscribing.

Thus, you never need to embarrass yourself by sending an unsubscribe message to the list members ever again.
Re: [clamav-users] Malformed database?
On 25/06/2014 13:25, Joel Esler (jesler) wrote:
> On Jun 25, 2014, at 7:15 AM, Paul Smith <p...@pscs.co.uk> wrote:
>> Oh? The FAQ says that the latest two major versions (0.97 and 0.98 ?) are tested against the DB, so it should work as far as I can see.
>
> You’re right. I’m sorry. My brain must have transposed “0.97.2” to “0.92.7”

Ah!

I'm actually not sure what version I had - the READMEs all said 0.97.2, but the source was quite different from a fresh version of 0.97.2 I downloaded to check, so it's a mystery... The source files were dated May 2012, so 0.97.x looks right for that date, but it must have been a strange port...

Anyway, I think I've got the important bits of 0.98 built from the ClamWin ClamAV port now that I've downloaded VS 2010 (I can't get the official version built because of the OpenSSL dependency - there's nothing saying which bits/version of OpenSSL I need and where they need to be)
Re: [clamav-users] Malformed database?
On 25/06/2014 12:10, Joel Esler (jesler) wrote:
> On Jun 25, 2014, at 5:22, "Steve Basford" wrote:
>> On Wed, June 25, 2014 9:57 am, Paul Smith wrote:
>>> Using ClamAV 0.97.2, since yesterday's update Freshclam gives this when trying to download a fresh database:
>>
>> Hi Paul, Much newer binaries here (0.98.4), does it work ok with this version... http://sourceforge.net/projects/clamav/files/clamav/win32/0.98.4/
>
> Agreed that versions is EOL. We haven't supported that in a long time.

Oh? The FAQ says that the latest two major versions (0.97 and 0.98 ?) are tested against the DB, so it should work as far as I can see.

Anyway, I'm just trying to get the latest version to compile on Windows, and failing badly, but that's not your problem...
Re: [clamav-users] Malformed database?
On 25/06/2014 10:22, Steve Basford wrote:
> On Wed, June 25, 2014 9:57 am, Paul Smith wrote:
>> Using ClamAV 0.97.2, since yesterday's update Freshclam gives this when trying to download a fresh database:
>
> Hi Paul, Much newer binaries here (0.98.4), does it work ok with this version... http://sourceforge.net/projects/clamav/files/clamav/win32/0.98.4/

Yes, and it works with 0.97.6 in Linux

It looks like my version is from the ClamWin ClamAV Unofficial Win32 port. It's slightly customised which is why it's still an old version.

It looks as if we're going to have to put our modifications into the latest build (and try to get the Win32 build working in the official version) and see if that works - it was getting time to do that anyway, just didn't want to have to do it in a panic ;-)
[clamav-users] Malformed database?
Using ClamAV 0.97.2, since yesterday's update Freshclam gives this when trying to download a fresh database:

Max retries == 3
ClamAV update process started at Wed Jun 25 09:27:38 2014
Using IPv6 aware code
TTL: 807
Software version from DNS: 0.98.4
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 81.91.100.173)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 2424222 signatures from new main.cvd
main.cvd updated (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 81.91.100.173)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1000939 signatures from new daily.cvd
daily.cvd updated (version: 19125, sigs: 1000939, f-level: 63, builder: mcd)
Retrieving http://database.clamav.net/bytecode.cvd
Trying to download http://database.clamav.net/bytecode.cvd (IP: 81.91.100.173)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
WARNING: [LibClamAV] Bytecode logical signature skipped, but bytecode itself not?
WARNING: [LibClamAV] Can't load 0005534921.cbc: Malformed database
WARNING: [LibClamAV] cli_tgzload: Can't load 0005534921.cbc
WARNING: [LibClamAV] Can't load C:\clamav\db\clamav-7ae11198ab3eda30b68d7d932d9d8941.3f04.clamtmp\clamav-c44757d98b81dc4dc6285a2a4b2d9c46.3f04.cla.cvd: Malformed database
ERROR: Failed to load new database: Malformed database
ERROR: Failed to load new database

It's been working fine until now. I realise 0.97.2 is old, but I thought it was still supported according to the FAQ.

Any ideas?
Re: [clamav-users] Silly question - clamav - linux viruses?
On 17/04/2014 17:03, Benny Pedersen wrote:
> Dave Shevett wrote on 2014-04-17 16:46:
>> But, can I say "clamav does not scan for linux viruses" or is that not true?
>
> there is talented fools on every distros whats the point of tripwire when upstream management md5 sum there installs ? okay windows have there problems as well to allow unsigned installs to be allowed, but in linux its still need at least root access to let this happen elf scanner in clamav might be waste of resources

For a strict definition of 'virus' that may be true - but you can run malware without being root... You can do a lot of bad stuff from a PHP or Python script (or user level executable)!

You can easily have a trojan script or executable which participates in DDoS attacks or spamming without having any privileged access. It may not run as root, but it can still send emails or issue HTTP requests or scan for Heartbleed.

Just because everything doesn't run as root, it doesn't mean that Linux is immune from malware.
Re: [clamav-users] Licensing & DLLs
On 14/05/2012 20:57, Chuck Swiger wrote: On May 14, 2012, at 12:02 PM, Simon Hobson wrote: Chuck Swiger wrote: What if WE made an AV plugin DLL to link our software with libclamav? If your software license isn't GPL-miscible, then you should not redistribute the combination of your software, the plugin, and ClamAV. Isn't this a case where the component they've linked with (in this case) ClamAV would need to be GPL, but the other component it talks to doesn't need to be ? Yes, if "talks to" means an external connection to a network port or local filesystem socket, then the other component doesn't need to be GPL-miscible. If the other component gets linked into a single program, then the GPL folks claim that makes them a single work which needs to be licensed under GPL-compatible terms. Actually it seems a bit wooly even to the GPL folks... http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#NFUseGPLPlugins What we have is a DLL with essentially 3 functions, 'init', 'shutdown' and 'scan(memoryblock)'. (to use with ClamAV,the DLL has to save the memory block to a temporary file and scan that). This seems to fall into this category: "If the program dynamically links plug-ins, but the communication between them is limited to invoking the 'main' function of the plug-in with some options and waiting for it to return, that is a borderline case." It doesn't say what happens in that case, but even the GPL folks see it as a 'borderline' case, not a clear-cut case. (BTW - There are plugins listed on the ClamAV wiki for Exchange & Communigate, so how are those 'legal'?) We could talk to clamd using TCP/IP, but since the clamd protocol doesn't seem to be clearly documented, that would involve reverse engineering clamdscan and rewriting it. We have considered making our own GPL daemon based on clamscan which communicates with our software using a socket or named pipe using our own protocol. 
While that would seem to meet the letter of the license (as we won't be linking non-GPL software with clamav directly), it seems to me to be more against the spirit of it than linking in using the standard API...

(We've actually tried to contact SourceFire to start investigating whether a commercial licence would be possible, but had no response so far - I'll get in touch with Joel Essler about it, since he seems to know the right person to talk to...)
[clamav-users] Licensing & DLLs
OK, I know this will probably have come up over and over, but I couldn't find anything in the archives.

We produce a commercial mail server (not GPLed) which has a defined DLL interface to allow people to create plugins to integrate with virus scanners (I'll call that an 'AV plugin DLL'). It's not specifically designed for ClamAV, but for any 'reasonable' virus scanner, and that interface has been . Also, you don't need a virus scanner at all to use our software, although, obviously without one, messages won't be scanned for viruses - so it adds optional functionality.

This AV plugin DLL functionality has been in our software for about 8 years, so it's not something we've added specifically to try to get around GPL.

If we made our software link directly with libclamav, then, as far as I can see we'd need to GPL our software, which isn't desirable.

What if another person made an AV plugin DLL to link our software with libclamav? I presume that by doing so, their DLL would have to be released under the GPL, but I also presume that wouldn't force us to GPL our software even though our software is now linking with (their) GPL software.

What if WE made an AV plugin DLL to link our software with libclamav?

(At the moment we're thinking of making an AV plugin DLL which execs clamdscan, which, AFAICS is totally 'safe' for our licensing, but it would be much more efficient (on Windows) to have it link directly with libclamav - we don't mind releasing the source to the AV plugin DLL - it could be a useful example for our more technical customers)
Re: [Clamav-users] How infectious is the GPL?
On Mon, Jun 21, 2004 at 06:20:14PM -0400, Tomasz Kojm wrote:
> > > - link against libclamav
> > > - directly use the virus databases
> > > - include our code in your software (obvious ;-))
> > could he write a shim that is LGPL'd that links to libclamav?
> Well, I don't know. This is a question to a lawyer.

1) The shim should be GPL'd, especially if it will be linked with GPL code.
2) The GPL'd shim should only use published API calls (such that any 3rd party could have written it - 3rd parties do this frequently for other commercial products)
3) The non-GPL product must publish the API calls that the GPL shim uses, such that any 3rd party could write their own GPL'd shim or similar.
4) The GPL'd shim should be released and distributed separately, with source code. The GPL'd shim should be made freely available on a ftp and web site (even if the product that it is designed for is not). Use sourceforge.net or similar to disassociate yourself from it.
5) The product should not rely only on GPL products. Either a persuasive case needs to be made as part of the marketing strategy, that the product is only an infrastructure product - incomplete on its own, or it must come with a non-GPL product, but with the option to use a GPL product instead. (i.e. you can't sell the solution as complete, if it isn't complete)

The above five bits of advice are from a non-lawyer, who has tried to be aware of the issues from a legal standpoint. Many companies choose to do less than the above. They get away with it. Do so at your own risk.

All those things would be OK in our case (except for (4) as written. The shim would be released separately with source code, but not on sourceforge.net - that just makes life hard for our users).

For (5), 'out of the box', the commercial product simply doesn't use a virus scanner to check for infected emails. You could decide to buy Sophos, avast!, Panda (and soon several others) to use as virus scanners, or you could use ClamAV.
So, the product wouldn't rely in any way on the use of the GPL software, it'd work quite happily without it, just with a slightly restricted featureset unless you purchase a commercial product instead.

But, in any case, it looks like we'll be using clamd for technical reasons anyway, so all this might be irrelevant for us, but possibly still relevant for others.

(Can we persuade the developers of ClamAV to release the DLL under the LGPL instead, life would be much simpler then, and still keep the spirit of the thing? :) )

Paul
VPOP3 - Internet Email Server/Gateway
[EMAIL PROTECTED]
http://www.pscs.co.uk/
Re: [Clamav-users] How infectious is the GPL?
IANAL. Take my answers below with a grain of salt.

Of course :-)

> - our software supports 'shim' DLLs with a standard interface which can
> talk to a third party antivirus product to add the capability for more
> virus scanners without recompilation. WE could make one of those to talk to
> clamav instead. That shim DLL could then be GPLed without a problem for us.
> But, then, because our email server software would dynamically load the
> shim, which is GPLed, our server would have to be GPLed as well... Again,
> not acceptable.

no, the GPL allows for private license agreements. Simply license the shim to yourself, done.

Ah, so we can say 'this is GPL for everyone, except for ourselves to whom we grant a licence to allow unrestricted use'? I didn't realise that - thanks.

> - we could, simply, not support ClamAV :-( But then, someone else might
> come along and write a shim for it - they'd have to GPL the shim - then
> because our software would dynamically link to it, would our software need
> to be GPLed??

that would be horribly infectious. That's like saying "Ooo, I wrote an GPL'd for outlook, now microsoft has to give me their source!"

Yep.. But, that's how I read the GPL.. It is bizarre though, but I thought I'd check first... :)

I think having a "shim" is how a lot of closed-source projects handle these types of situations. You simply write a piece of software, GPL it, license it to yourself for commercial use, bam.

Okey dokey. Thanks for the answers :-)

Paul
VPOP3 - Internet Email Server/Gateway
[EMAIL PROTECTED]
http://www.pscs.co.uk/
[Clamav-users] How infectious is the GPL?
Sorry if this is a FAQ - I've searched and can't find anything about it anywhere..

We have a commercial product, which we want to keep commercial. It's some email server software, which has the capability to run an external virus scanner (currently it supports several commercial virus scanners)

We tend to either use commercial components, or truly free components (lua, sqlite etc) rather than GPL ones, because GPL is such a minefield - but, unfortunately, there don't seem to be any truly free virus scanners around.

We've been considering adding support for our server software to use ClamAV (which won't be distributed with the software, and which won't be necessary for the operation of our software) for scanning emails as they pass through it (as it currently can do with Sophos, avast!, Panda etc)

There are several possibilities I've come up with:

- add support for our software to either load libclamav or talk to clamd directly, if those things are installed. This seems to me that we'd then need to make our software GPLed - which isn't acceptable for us
- our software supports 'shim' DLLs with a standard interface which can talk to a third party antivirus product to add the capability for more virus scanners without recompilation. WE could make one of those to talk to clamav instead. That shim DLL could then be GPLed without a problem for us. But, then, because our email server software would dynamically load the shim, which is GPLed, our server would have to be GPLed as well... Again, not acceptable.
- we could, simply, not support ClamAV :-( But then, someone else might come along and write a shim for it - they'd have to GPL the shim - then because our software would dynamically link to it, would our software need to be GPLed??

(Is talking to clamd different from loading libclamav? So, if we talk to clamd using TCP/IP would that infer the GPL requirement or not?)
Paul
VPOP3 - Internet Email Server/Gateway
[EMAIL PROTECTED]
http://www.pscs.co.uk/