Re: [clamav-users] offline updates
Maybe I didn't state my point clearly enough. Apparently, my citing http as something I wanted to avoid made you think that it was http in particular that I object to. Not so. It is networking in general I'm trying to avoid.

Did you notice that I said the target machine is not on any kind of network, not even a local LAN? It has no wireless. There's no ethernet cable plugged into it.

Okay, so the local private mirror solution does not require the final target to use http. So I could do without a web server. But it does require the final target to use networking, yes? DNS? So I *could* make it work, but I'd have to run a domain name server on the target machine, and it would need its loopback network interface running. All this just so the final target, which is the client, can ask the server, which is also the final target machine, one little question that has a short text string for an answer.

That seems to me like an awfully big hammer, considering that otherwise, on a stand-alone machine, networking is entirely unnecessary.

All I'm saying is that, for the admittedly unusual but definitely simpler situation of an entirely stand-alone, completely non-networked machine, it would be nice if there were a solution that was correspondingly simpler. One that used the file system only, not networking.

On Wed, Jul 22, 2015 at 7:00 PM, Al Varnell alvarn...@mac.com wrote:

> Please read the solutions a bit more closely. The HTTP portion of some of those solutions is to bring the database to the local mirror. Since you have already said you plan to burn optical disks and manually install them on the private mirror, that should not be an issue. From there you can just tell freshclam where to find the mirror on your network with an IP address and path to the database.
>
> Be aware that even freshclam will fall back to an http solution should a direct download fail, but that should not be a problem with a stable network.
>
> -Al-
>
> On Jul 22, 2015, at 12:13 PM, Phil Dumont p...@solidstatescientific.com wrote:
>
> > I *did* read the private local mirrors stuff. It offers 3 alternative solutions, all of which require http. If you'll read my original post more carefully, you'll see that that is what I'm trying to avoid.
> >
> > On Wed, Jul 22, 2015 at 2:22 PM, Al Varnell alvarn...@mac.com wrote:
> >
> > > See Private Local Mirrors: http://www.clamav.net/doc/mirrors-private.html
> > >
> > > -Al-
> > >
> > > On Jul 22, 2015, at 9:04 AM, Phil Dumont wrote:
> > >
> > > > I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one). I have a few ideas for how to get virus definition updates onto the machine, but none of them is quite perfect. All of them start with getting on an online computer and pulling the .cvd files (main, daily, bytecode) off the net and onto an optical disk, then sticking that disk into the offline machine. Then what?
> > > >
> > > > I'd like to use freshclam, just because that's the official way to do it. I get that I can add some DatabaseCustomURL directives to my freshclam.conf, with file URLs that just point directly to wherever the optical disk will be mounted. That works.
> > > >
> > > > The part I haven't figured out yet is if there is any way to get freshclam *not* to go out on the web to verify the databases. As far as I can tell, there is no way to tell it to just skip that step, which is what I would prefer. Alternatively, is there any way to make it do it locally? There's PrivateMirror, which would be fine if its value could be a file URL, but it seems to want a host name to build an http URL out of. Which means, for my offline computer, I have to have at least loopback networking running, and an HTTP server, which I'd rather not do.
> > > >
> > > > I could just let freshclam try and fail to verify the databases. But that makes the command take longer than it should while waiting for the http attempts to time out, and clutters the logs with unsightly error messages.
> > > >
> > > > The only other alternative I can think of is to use cp or rsync or some such to copy the .cvd files from the optical disk to /var/lib/clamav by hand. This avoids unsightly error messages in the log, but that's because it doesn't put *anything* in the logs. Which is unfortunate, because I'd like to have a record of when the updates were done. I suppose I could write my own script that copies the databases into place *and* logs the fact.
> > > >
> > > > Any input?

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] offline updates
On Thu, Jul 23, 2015 at 2:08 PM, G.W. Haywood cla...@jubileegroup.co.uk wrote:

> Hi there,
>
> On Thu, 23 Jul 2015, Phil Dumont wrote:
>
> > I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one).
>
> Unless you can give more detail amounting to some sort of a case for doing this, my immediate reaction would be a little less circumspect than Mr. Swiger's. I'd say forget the idea, it's a waste of time, and it might even be counterproductive.
>
> Firstly, the detection rate that you'll get is likely to be poor for very recent threats (not least) because your out-of-band updates will probably be tardy.

True enough. But would this not be mitigated by the fact that the more recent threats will propagate to the machine more slowly without a network connection?

> Secondly, without any network connection you'll have trouble keeping the software on this mysterious machine up-to-date, which will mean that it's rather more vulnerable to attack than it otherwise would be.

Also true enough, but same mitigating factor.

> Taken together these things lead me to postulate that your non-networked computer will be more likely to be compromised by things like malicious files on removable media (precisely the sort of thing you'll be using to tardily transfer the database updates I suppose), than it would be if it were networked after all.

Exactly correct. There is no network-borne threat. Removable media is the only thing being protected against.

> But as Chuck says, it's all really up to you.

Well, as I said in my reply to Chuck, it's not really up to me. It's up to the folk I'm maintaining the system for. Which is exactly why I wanted logging of the definition updates -- so I could show them it's being done.

> Out of interest, what operating system will the unsociable computer run?

CentOS 6

> --
> 73,
> Ged.
Re: [clamav-users] offline updates
If you have a stand-alone system with no networking and presumably no shared storage (SCSI or SAN, for example) then you have to span the air gap manually. Your isolated system will only be as safe as the last networked system used to manually span the air gap. A work-around for that is to have a second isolated system, possibly a virtual machine, that can be used to pre-scan files before they are transferred to the target machine.

dp

On 7/23/15 9:00 AM, Phil Dumont wrote:

> On Thu, Jul 23, 2015 at 11:52 AM, Charles Swiger cswi...@mac.com wrote:
>
> > On Jul 23, 2015, at 7:48 AM, Phil Dumont p...@solidstatescientific.com wrote:
> >
> > > [ ... ] All I'm saying is that, for the admittedly unusual but definitely simpler situation of an entirely stand-alone, completely non-networked machine, it would be nice if there were a solution that was correspondingly simpler. One that used the file system only, not networking.
> >
> > The use-case for virus/malware scanning on a networked machine is obvious, as is the need to be able to update A/V signatures. It's not obvious why a machine which is entirely stand-alone, completely non-networked would require virus scanning or a way to update the A/V signatures.
>
> Granted, the requirement is not as great without a network. But there's still potential for virus introduction via removable media.
>
> > However, if that's what you want, ...
>
> Not what I want particularly. A requirement imposed upon me.
>
> > ...fine-- do a manual copy of the A/V signatures into place via USB stick, CD/DVD image, etc and then restart clamd to reload them.
>
> Roger.
>
> > Regards,
> > --
> > -Chuck
[clamav-users] offline updates
I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one). I have a few ideas for how to get virus definition updates onto the machine, but none of them is quite perfect. All of them start with getting on an online computer and pulling the .cvd files (main, daily, bytecode) off the net and onto an optical disk, then sticking that disk into the offline machine. Then what?

I'd like to use freshclam, just because that's the official way to do it. I get that I can add some DatabaseCustomURL directives to my freshclam.conf, with file URLs that just point directly to wherever the optical disk will be mounted. That works.

The part I haven't figured out yet is if there is any way to get freshclam *not* to go out on the web to verify the databases. As far as I can tell, there is no way to tell it to just skip that step, which is what I would prefer. Alternatively, is there any way to make it do it locally? There's PrivateMirror, which would be fine if its value could be a file URL, but it seems to want a host name to build an http URL out of. Which means, for my offline computer, I have to have at least loopback networking running, and an HTTP server, which I'd rather not do.

I could just let freshclam try and fail to verify the databases. But that makes the command take longer than it should while waiting for the http attempts to time out, and clutters the logs with unsightly error messages.

The only other alternative I can think of is to use cp or rsync or some such to copy the .cvd files from the optical disk to /var/lib/clamav by hand. This avoids unsightly error messages in the log, but that's because it doesn't put *anything* in the logs. Which is unfortunate, because I'd like to have a record of when the updates were done. I suppose I could write my own script that copies the databases into place *and* logs the fact.

Any input?
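The copy-and-log approach floated in the post above, as an added example that is not part of the thread and not ClamAV's own tooling: it reads the 512-byte colon-separated header at the start of each .cvd, checks the body against the MD5 stored there, refuses to install an older database, and appends a dated line to a log. The function names, `SKIP_SIGTOOL`, the mount point and the log path are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): install ClamAV databases from mounted
# media using only the file system, and keep a dated record of each update.
# Function names, SKIP_SIGTOOL and the log path are hypothetical.
# A .cvd starts with a 512-byte, colon-separated text header:
#   ClamAV-VDB:build time:version:sigs:f-level:MD5 of body:signature:builder:stime

# cvd_field FILE N -> print header field N
cvd_field() {
    head -c 512 "$1" | cut -d: -f"$2"
}

# cvd_check FILE -> 0 if the file looks like an intact CVD.
# The MD5 only catches a bad burn or a truncated copy; authenticity comes from
# the digital signature, which sigtool checks when it is installed.
cvd_check() {
    [ "$(cvd_field "$1" 1)" = "ClamAV-VDB" ] || return 1
    case "$(cvd_field "$1" 3)" in
        ''|*[!0-9]*) return 1 ;;
    esac
    want=$(cvd_field "$1" 6)
    have=$(tail -c +513 "$1" | md5sum | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ] || return 1
    if [ "${SKIP_SIGTOOL:-0}" != 1 ] && command -v sigtool >/dev/null 2>&1; then
        sigtool --info "$1" 2>/dev/null | grep -q 'Verification OK' || return 1
    fi
    return 0
}

# log_line LOG_FILE MESSAGE -> append a timestamped record
log_line() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$2" >> "$1"
}

# install_cvds SRC_DIR DB_DIR LOG_FILE -> 0 if nothing was rejected
install_cvds() {
    src=$1; db=$2; log=$3; rc=0
    for name in main daily bytecode; do
        new="$src/$name.cvd"; cur="$db/$name.cvd"
        [ -f "$new" ] || continue
        if ! cvd_check "$new"; then
            log_line "$log" "REJECTED $name.cvd: failed header/MD5/signature check"
            rc=1; continue
        fi
        newver=$(cvd_field "$new" 3); curver=0
        if [ -f "$cur" ]; then curver=$(cvd_field "$cur" 3); fi
        # Refuse to replace a database with an older or identical one.
        if [ "$newver" -le "$curver" ]; then
            log_line "$log" "SKIPPED $name.cvd: version $newver not newer than $curver"
            continue
        fi
        # Copy next to the target, then rename, so clamd never sees a partial file.
        tmp="$db/.$name.cvd.$$"
        if ! { cp "$new" "$tmp" && mv -f "$tmp" "$cur"; }; then
            rm -f "$tmp"
            log_line "$log" "FAILED $name.cvd: copy into $db failed"
            rc=1; continue
        fi
        log_line "$log" "INSTALLED $name.cvd version $newver ($(cvd_field "$new" 2)), was $curver"
    done
    return $rc
}

# Stand-alone use: script.sh /mnt/cdrom /var/lib/clamav /var/log/clamav-offline.log
if [ "$#" -eq 3 ]; then
    install_cvds "$@"
fi
```

After a run that logs INSTALLED, clamd still has to be restarted to reload the databases, as Chuck Swiger notes elsewhere in this thread.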
Re: [clamav-users] offline updates
See Private Local Mirrors: http://www.clamav.net/doc/mirrors-private.html

-Al-

On Jul 22, 2015, at 9:04 AM, Phil Dumont wrote:

> I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one). I have a few ideas for how to get virus definition updates onto the machine, but none of them is quite perfect. All of them start with getting on an online computer and pulling the .cvd files (main, daily, bytecode) off the net and onto an optical disk, then sticking that disk into the offline machine. Then what?
>
> I'd like to use freshclam, just because that's the official way to do it. I get that I can add some DatabaseCustomURL directives to my freshclam.conf, with file URLs that just point directly to wherever the optical disk will be mounted. That works.
>
> The part I haven't figured out yet is if there is any way to get freshclam *not* to go out on the web to verify the databases. As far as I can tell, there is no way to tell it to just skip that step, which is what I would prefer. Alternatively, is there any way to make it do it locally? There's PrivateMirror, which would be fine if its value could be a file URL, but it seems to want a host name to build an http URL out of. Which means, for my offline computer, I have to have at least loopback networking running, and an HTTP server, which I'd rather not do.
>
> I could just let freshclam try and fail to verify the databases. But that makes the command take longer than it should while waiting for the http attempts to time out, and clutters the logs with unsightly error messages.
>
> The only other alternative I can think of is to use cp or rsync or some such to copy the .cvd files from the optical disk to /var/lib/clamav by hand. This avoids unsightly error messages in the log, but that's because it doesn't put *anything* in the logs. Which is unfortunate, because I'd like to have a record of when the updates were done. I suppose I could write my own script that copies the databases into place *and* logs the fact.
>
> Any input?
Re: [clamav-users] offline updates
I *did* read the private local mirrors stuff. It offers 3 alternative solutions, all of which require http. If you'll read my original post more carefully, you'll see that that is what I'm trying to avoid.

On Wed, Jul 22, 2015 at 2:22 PM, Al Varnell alvarn...@mac.com wrote:

> See Private Local Mirrors: http://www.clamav.net/doc/mirrors-private.html
>
> -Al-
>
> On Jul 22, 2015, at 9:04 AM, Phil Dumont wrote:
>
> > I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one). I have a few ideas for how to get virus definition updates onto the machine, but none of them is quite perfect. All of them start with getting on an online computer and pulling the .cvd files (main, daily, bytecode) off the net and onto an optical disk, then sticking that disk into the offline machine. Then what?
> >
> > I'd like to use freshclam, just because that's the official way to do it. I get that I can add some DatabaseCustomURL directives to my freshclam.conf, with file URLs that just point directly to wherever the optical disk will be mounted. That works.
> >
> > The part I haven't figured out yet is if there is any way to get freshclam *not* to go out on the web to verify the databases. As far as I can tell, there is no way to tell it to just skip that step, which is what I would prefer. Alternatively, is there any way to make it do it locally? There's PrivateMirror, which would be fine if its value could be a file URL, but it seems to want a host name to build an http URL out of. Which means, for my offline computer, I have to have at least loopback networking running, and an HTTP server, which I'd rather not do.
> >
> > I could just let freshclam try and fail to verify the databases. But that makes the command take longer than it should while waiting for the http attempts to time out, and clutters the logs with unsightly error messages.
> >
> > The only other alternative I can think of is to use cp or rsync or some such to copy the .cvd files from the optical disk to /var/lib/clamav by hand. This avoids unsightly error messages in the log, but that's because it doesn't put *anything* in the logs. Which is unfortunate, because I'd like to have a record of when the updates were done. I suppose I could write my own script that copies the databases into place *and* logs the fact.
> >
> > Any input?
Re: [clamav-users] offline updates
Please read the solutions a bit more closely. The HTTP portion of some of those solutions is to bring the database to the local mirror. Since you have already said you plan to burn optical disks and manually install them on the private mirror, that should not be an issue. From there you can just tell freshclam where to find the mirror on your network with an IP address and path to the database.

Be aware that even freshclam will fall back to an http solution should a direct download fail, but that should not be a problem with a stable network.

-Al-

On Jul 22, 2015, at 12:13 PM, Phil Dumont p...@solidstatescientific.com wrote:

> I *did* read the private local mirrors stuff. It offers 3 alternative solutions, all of which require http. If you'll read my original post more carefully, you'll see that that is what I'm trying to avoid.
>
> On Wed, Jul 22, 2015 at 2:22 PM, Al Varnell alvarn...@mac.com wrote:
>
> > See Private Local Mirrors: http://www.clamav.net/doc/mirrors-private.html
> >
> > -Al-
> >
> > On Jul 22, 2015, at 9:04 AM, Phil Dumont wrote:
> >
> > > I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one). I have a few ideas for how to get virus definition updates onto the machine, but none of them is quite perfect. All of them start with getting on an online computer and pulling the .cvd files (main, daily, bytecode) off the net and onto an optical disk, then sticking that disk into the offline machine. Then what?
> > >
> > > I'd like to use freshclam, just because that's the official way to do it. I get that I can add some DatabaseCustomURL directives to my freshclam.conf, with file URLs that just point directly to wherever the optical disk will be mounted. That works.
> > >
> > > The part I haven't figured out yet is if there is any way to get freshclam *not* to go out on the web to verify the databases. As far as I can tell, there is no way to tell it to just skip that step, which is what I would prefer. Alternatively, is there any way to make it do it locally? There's PrivateMirror, which would be fine if its value could be a file URL, but it seems to want a host name to build an http URL out of. Which means, for my offline computer, I have to have at least loopback networking running, and an HTTP server, which I'd rather not do.
> > >
> > > I could just let freshclam try and fail to verify the databases. But that makes the command take longer than it should while waiting for the http attempts to time out, and clutters the logs with unsightly error messages.
> > >
> > > The only other alternative I can think of is to use cp or rsync or some such to copy the .cvd files from the optical disk to /var/lib/clamav by hand. This avoids unsightly error messages in the log, but that's because it doesn't put *anything* in the logs. Which is unfortunate, because I'd like to have a record of when the updates were done. I suppose I could write my own script that copies the databases into place *and* logs the fact.
> > >
> > > Any input?
Re: [clamav-users] Offline updates
Thanks Al

-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Al Varnell
Sent: Thursday, January 29, 2015 1:35 AM
To: ClamAV users ML
Subject: Re: [clamav-users] Offline updates

It went to the list which was where the OP posted the question, so we all got it.

-Al-

On Wed, Jan 28, 2015 at 09:14 PM, Joseph Krinsky wrote:

> Team,
>
> Looks like you sent this to the wrong person.
>
> -Joe
Re: [clamav-users] Offline updates
$ host -t txt current.cvd.clamav.net

-Al-

On Thu, Jan 29, 2015 at 09:22 AM, Ed Christiansen MS wrote:

> I need to verify the versions of my definitions are the most recent. These used to be shown on the webpage with the main and daily files and their versions. Where is this info now?
>
> On 1/28/2015 9:33 PM, Joel Esler (jesler) wrote:
>
> > The VirusDB files are listed on that page. However, it is highly recommended that you use freshclam to update.
> >
> > --
> > Joel Esler
> > Open Source Manager
> > Threat Intelligence Team Lead
> > Talos
> >
> > On Dec 3, 2014, at 1:57 AM, Pascal patate...@gmail.com wrote:
> >
> > > Hi,
> > >
> > > I found this on http://www.clamav.net/doc/cvd.html :
> > >
> > > * Can I download the virusdb manually? Yes, the virusdb can be downloaded from the Latest releases section on our home page.
> > >
> > > But I didn't find the link on http://www.clamav.net/download.html :-(
> > >
> > > Where can I find virusdb?
> > >
> > > Thanks, lacsaP.
Re: [clamav-users] Offline updates
The VirusDB files are listed on that page. However, it is highly recommended that you use freshclam to update.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Dec 3, 2014, at 1:57 AM, Pascal patate...@gmail.com wrote:

> Hi,
>
> I found this on http://www.clamav.net/doc/cvd.html :
>
> * Can I download the virusdb manually? Yes, the virusdb can be downloaded from the Latest releases section on our home page.
>
> But I didn't find the link on http://www.clamav.net/download.html :-(
>
> Where can I find virusdb?
>
> Thanks, lacsaP.
Re: [clamav-users] Offline updates
Team,

Looks like you sent this to the wrong person.

-Joe

-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Joel Esler (jesler)
Sent: Wednesday, January 28, 2015 9:34 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Offline updates

The VirusDB files are listed on that page. However, it is highly recommended that you use freshclam to update.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Dec 3, 2014, at 1:57 AM, Pascal patate...@gmail.com wrote:

> Hi,
>
> I found this on http://www.clamav.net/doc/cvd.html :
>
> * Can I download the virusdb manually? Yes, the virusdb can be downloaded from the Latest releases section on our home page.
>
> But I didn't find the link on http://www.clamav.net/download.html :-(
>
> Where can I find virusdb?
>
> Thanks, lacsaP.
[clamav-users] Offline updates
Hi,

I found this on http://www.clamav.net/doc/cvd.html :

* Can I download the virusdb manually? Yes, the virusdb can be downloaded from the Latest releases section on our home page.

But I didn't find the link on http://www.clamav.net/download.html :-(

Where can I find virusdb?

Thanks, lacsaP.
Re: [clamav-users] Offline updates
Under the section Set Up Freshclam they are the three .cvd links at the very bottom:

"If your network is segmented or the end hosts are unable to reach the Internet, you should investigate setting up a private local mirror. If this is not viable, you may use these direct download links: main.cvd | daily.cvd | bytecode.cvd"

-Al-

On Wed, Dec 03, 2014 at 01:57 AM, Pascal wrote:

> Hi,
>
> I found this on http://www.clamav.net/doc/cvd.html :
>
> * Can I download the virusdb manually? Yes, the virusdb can be downloaded from the Latest releases section on our home page.
>
> But I didn't find the link on http://www.clamav.net/download.html :-(
>
> Where can I find virusdb?
>
> Thanks, lacsaP.
Re: [clamav-users] Offline updates
I think I have to go see my optician!!!

Thanks, lacsaP.

2014-12-03 11:41 GMT+01:00 Al Varnell alvarn...@mac.com:

> Under the section Set Up Freshclam they are the three .cvd links at the very bottom:
>
> "If your network is segmented or the end hosts are unable to reach the Internet, you should investigate setting up a private local mirror. If this is not viable, you may use these direct download links: main.cvd | daily.cvd | bytecode.cvd"
>
> -Al-
>
> On Wed, Dec 03, 2014 at 01:57 AM, Pascal wrote:
>
> > Hi,
> >
> > I found this on http://www.clamav.net/doc/cvd.html :
> >
> > * Can I download the virusdb manually? Yes, the virusdb can be downloaded from the Latest releases section on our home page.
> >
> > But I didn't find the link on http://www.clamav.net/download.html :-(
> >
> > Where can I find virusdb?
> >
> > Thanks, lacsaP.