Mailing List Archive

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
On 2021-04-07 20:06, Joel Esler (jesler) wrote:
>>
> https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
>>
>> CLAMAV 0.103.2 SECURITY PATCH RELEASE

default freshclam.conf have checks 24 with currently for me overloads
cdn, so i am on cool down, very good

hope to see its resolved to the old stable downloads

main.cld is here dated 10-04-2021
_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
Hi Benny,

Please describe your configuration, how you are running freshclam and in what environment.

To my knowledge, if you are on cooldown frequently, that means you're downloading the whole database set frequently instead of updating an existing database set. Updating an existing database should download small .cdiff patch files instead, which are not rate limited and will not put you on cooldown.

-Micah

> -----Original Message-----
> From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf Of
> Benny Pedersen
> Sent: Tuesday, April 27, 2021 6:34 PM
> To: clamav-devel@lists.clamav.net
> Subject: Re: [Clamav-devel] [Clamav-announce] ClamAV® blog: ClamAV
> 0.103.2 security patch release
>
> On 2021-04-07 20:06, Joel Esler (jesler) wrote:
> >>
> > https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
> >>
> >> CLAMAV 0.103.2 SECURITY PATCH RELEASE
>
> default freshclam.conf have checks 24 with currently for me overloads cdn,
> so i am on cool down, very good
>
> hope to see its resolved to the old stable downloads
>
> main.cld is here dated 10-04-2021

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
On 2021-05-01 00:39, Micah Snyder (micasnyd) wrote:
> Hi Benny,
>
> Please describe your configuration, how you are running freshclam and
> in what environment.
>
> To my knowledge, if you are on cooldown frequently, that means you're
> downloading the whole database set frequently instead of updating an
> existing database set. Updating an existing database should download
> small .cdiff patch files instead, which are not rate limited and will
> not put you on cooldown.

daily-26155 puts me on cool down again

then freshclam try to get daily.cvd, and this is the overload for
Cloudflare ?

maybe freshclam should not fall back to download cvd ?, eg let missing
cdiff be tempfails until all diff is on Cloudflare ?

its currently broken

again consider torrent protocol in freshclamd, with scales much more
than Cloudflare ever can

windows defender works, with end user share data to microsoft, why can't
freshclamd not learn from it ?

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
On 02/05/2021 01:27, Benny Pedersen wrote:
[SNIP]
>
> again consider torrent protocol in freshclamd, with scales much more
> than Cloudflare ever can
>
Hahaha.

No way will anyone with the proverbial brains that god gave bastard
geese in Ireland open up their firewalls to use bit torrent in relation
to security software.

And it is just the sort of mistake that would encourage what hasn't yet
been done: scripting up a way to pass malicious content masquerading as
valid file pieces.

You appear to be doing something - I can't tell what - that is
triggering the slap on the wrist of cooldown, work out what you are
doing that is wrong.

Freshclam works for everybody who follows the rules, work out what you
are doing that violates those rules, and stop doing it.

Cheers,
Gary B-)

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
On 2021-05-01 17:48, Gary R. Schmidt wrote:

> Freshclam works for everybody who follows the rules, work out what you
> are doing that violates those rules, and stop doing it.

willing to share your freshclamd.conf ?

or make daily.cvd public ?

sorry, you need help

should i just disable freshclamd and run it daily :/

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
We’re not considering BitTorrent.

As Gary said, you’re obviously violating the rate limits.

If you’re not using 103.2, you should upgrade to that.

If you want to give me your public IP, I can look at the logs and tell you what you’re doing wrong.

Sent from my iPhone

> On May 1, 2021, at 13:29, Benny Pedersen <me@junc.eu> wrote:
>
> On 2021-05-01 17:48, Gary R. Schmidt wrote:
>
>> Freshclam works for everybody who follows the rules, work out what you
>> are doing that violates those rules, and stop doing it.
>
> willing to share your freshclamd.conf ?
>
> or make daily.cvd public ?
>
> sorry, you need help
>
> should i just disable freshclamd and run it daily :/

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
On 2021-05-01 23:04, Joel Esler (jesler) wrote:
> We’re not considering BitTorrent.
>
> As Gary said, you’re obviously violating the rate limits.
>
> If you’re not using 103.2, you should upgrade to that.
>
> If you want to give me your public IP, I can look at the logs and tell
> you what you’re doing wrong.


stop

i just did not have freshclamd running, how can this violate anything ?

to reproduce problem

stop freshclamd in 7 days,

after 7 days daily updates missing files

freshclamd try then to get the daily.cvd, after that freshclamd on get
cool down

fix this problem

what ever the problem is

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
On 02/05/2021 03:29, Benny Pedersen wrote:
> On 2021-05-01 17:48, Gary R. Schmidt wrote:
>
>> Freshclam works for everybody who follows the rules, work out what you
>> are doing that violates those rules, and stop doing it.
>
> willing to share your freshclamd.conf ?
>
> or make daily.cvd public ?
>
> sorry, you need help
>
> should i just disable freshclamd and run it daily :/

Well, here's the diff between my freshclam.conf and freshclam.conf.sample:
$ diff /opt/local/etc/freshclam.conf /opt/local/etc/freshclam.conf.sample
8c8
< # Example
---
> Example
30c30
< LogTime yes
---
> #LogTime yes
34c34
< LogVerbose yes
---
> #LogVerbose yes
38c38
< LogSyslog yes
---
> #LogSyslog yes
54c54
< PidFile /var/run/freshclam.pid
---
> #PidFile /var/run/freshclam.pid
148c148
< NotifyClamd /opt/local/etc/clamd.conf
---
> #NotifyClamd /path/to/clamd.conf

I start freshclam when the system starts, so it just sits there and
checks for new data every 2 hours, the default. I seldom see it do an
update more often than once a day, but why risk anything?

It just works, and has worked for years.

NOTE: I build from source, and keep up to date.

Cheers,
Gary B-)

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
On 02/05/2021 07:22, Benny Pedersen wrote:
> On 2021-05-01 23:04, Joel Esler (jesler) wrote:
>> We’re not considering BitTorrent.
>>
>> As Gary said, you’re obviously violating the rate limits.
>>
>> If you’re not using 103.2, you should upgrade to that.
>>
>> If you want to give me your public IP, I can look at the logs and tell
>> you what you’re doing wrong.
>
>
> stop
>
> i just did not have freshclamd running, how can this violate anything ?
>
> to reproduce problem
>
> stop freshclamd in 7 days,
What?? Why??

> after 7 days daily updates missing files
>
> freshclamd try then to get the daily.cvd, after that freshclamd on get
> cool down
>
> fix this problem
>
> what ever the problem is
>
The problem is that you aren't running freshclam correctly.
It should just be left running, and it will check for updates every -
the default is 2 - hours.

Stopping freshclam means that your system is not getting updates when
they are published, so it is no longer protected.

Cheers,
Gary B-)

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
I’ll repeat my question one more time: if you want me to find out what is going on, I can look it up if you give me your public facing IP. Otherwise continued pursuit of this conversation is pointless.

Sent from my iPhone

> On May 1, 2021, at 17:23, Benny Pedersen <me@junc.eu> wrote:
>
> On 2021-05-01 23:04, Joel Esler (jesler) wrote:
>> We’re not considering BitTorrent.
>> As Gary said, you’re obviously violating the rate limits.
>> If you’re not using 103.2, you should upgrade to that.
>> If you want to give me your public IP, I can look at the logs and tell
>> you what you’re doing wrong.
>
>
> stop
>
> i just did not have freshclamd running, how can this violate anything ?
>
> to reproduce problem
>
> stop freshclamd in 7 days,
>
> after 7 days daily updates missing files
>
> freshclamd try then to get the daily.cvd, after that freshclamd on get cool down
>
> fix this problem
>
> what ever the problem is

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
Benny,

Can I trouble you to provide a snippet of your update log with verbose mode enabled? It may help identify the issue.

One possibility is that your FreshClam is doing database version check over HTTP instead of DNS. If it is using HTTP to do the version check, that will quickly put you on cooldown, even if it is using the cdiff/scripted update. Because of the new rate limiting, freshclam must do the version check over DNS.

I saw your configuration diff and based on that I don't really think this is the issue, but... it could be.
Of course, it could also be something else. The log will help.

Regards,
Micah

> -----Original Message-----
> From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf Of
> Benny Pedersen
> Sent: Saturday, May 1, 2021 2:23 PM
> To: clamav-devel@lists.clamav.net
> Subject: Re: [Clamav-devel] [Clamav-announce] ClamAV® blog: ClamAV 0.103.2
> security patch release
>
> On 2021-05-01 23:04, Joel Esler (jesler) wrote:
> > We’re not considering BitTorrent.
> >
> > As Gary said, you’re obviously violating the rate limits.
> >
> > If you’re not using 103.2, you should upgrade to that.
> >
> > If you want to give me your public IP, I can look at the logs and tell
> > you what you’re doing wrong.
>
>
> stop
>
> i just did not have freshclamd running, how can this violate anything ?
>
> to reproduce problem
>
> stop freshclamd in 7 days,
>
> after 7 days daily updates missing files
>
> freshclamd try then to get the daily.cvd, after that freshclamd on get cool down
>
> fix this problem
>
> what ever the problem is
> _______________________________________________
>
> clamav-devel mailing list
> clamav-devel@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-devel
>
> Please submit your patches to our Github: https://github.com/Cisco-
> Talos/clamav-devel/pulls
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
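
A configuration check for the points raised in this thread (check frequency, cdiff updates, DNS version check), as an added example that is not part of any post or of ClamAV itself. The directive names ScriptedUpdates and DNSDatabaseInfo and the default values used are assumptions based on the stock freshclam.conf sample; both sample inputs are constructed.

```python
# Added example: audit freshclam.conf text for settings that can lead to cooldown.
# DEFAULTS are assumptions taken from the stock sample config, not from the thread.
DEFAULTS = {
    "checks": "12",                               # checks per day (one every 2 hours)
    "scriptedupdates": "yes",                     # incremental .cdiff updates
    "dnsdatabaseinfo": "current.cvd.clamav.net",  # DNS record used for the version check
}

def parse_conf(text):
    """Return (effective settings, example_active) for freshclam.conf text."""
    settings, example_active = dict(DEFAULTS), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)               # directive, then optional value
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "example":                      # freshclam refuses to run while this is active
            example_active = True
        elif key in settings:
            settings[key] = value                 # last occurrence wins
    return settings, example_active

def audit(text):
    """Return findings that could explain frequent full downloads or cooldown."""
    settings, example_active = parse_conf(text)
    findings = []
    if example_active:
        findings.append("Example line is not commented out")
    try:
        checks = int(settings["checks"])
    except ValueError:
        findings.append("Checks is not a number: %r" % settings["checks"])
    else:
        if checks > int(DEFAULTS["checks"]):
            findings.append("Checks %d is above the default of %s per day (one check every %.1f h)"
                            % (checks, DEFAULTS["checks"], 24 / checks))
    if settings["scriptedupdates"].lower() not in ("yes", "true", "1"):
        findings.append("ScriptedUpdates is off: every update downloads a full database")
    if settings["dnsdatabaseinfo"].lower() != DEFAULTS["dnsdatabaseinfo"]:
        findings.append("DNSDatabaseInfo is %r: version check may not use the default DNS record"
                        % settings["dnsdatabaseinfo"])
    return findings

# Constructed sample inputs (not taken from any poster's system).
STOCK_LIKE = "# Example\nLogTime yes\nLogVerbose yes\nPidFile /var/run/freshclam.pid\n"
SUSPECT = "Checks 24\nScriptedUpdates no\nDNSDatabaseInfo no\n"

if __name__ == "__main__":
    for name, conf in (("stock-like", STOCK_LIKE), ("suspect", SUSPECT)):
        print(name, audit(conf) or "no findings")
```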

Re: [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release
(But also, getting Joel your public IP address will really help.)

> -----Original Message-----
> From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf Of
> Micah Snyder (micasnyd)
> Sent: Sunday, May 2, 2021 10:29 AM
> To: ClamAV Development <clamav-devel@lists.clamav.net>
> Subject: Re: [Clamav-devel] [Clamav-announce] ClamAV® blog: ClamAV
> 0.103.2 security patch release
>
> Benny,
>
> Can I trouble you to provide a snippet of your update log with verbose mode
> enabled? It may help identify the issue.
>
> One possibility is that your FreshClam is doing database version check over
> HTTP instead of DNS. If it is using HTTP to do the version check, that will
> quickly put you on cooldown, even if it is using the cdiff/scripted update.
> Because of the new rate limiting, freshclam must do the version check over
> DNS.
>
> I saw your configuration diff and based on that I don't really think this is the
> issue, but... it could be.
> Of course, it could also be something else. The log will help.
>
> Regards,
> Micah
>
> > -----Original Message-----
> > From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf
> > Of Benny Pedersen
> > Sent: Saturday, May 1, 2021 2:23 PM
> > To: clamav-devel@lists.clamav.net
> > Subject: Re: [Clamav-devel] [Clamav-announce] ClamAV® blog: ClamAV
> > 0.103.2 security patch release
> >
> > On 2021-05-01 23:04, Joel Esler (jesler) wrote:
> > > We’re not considering BitTorrent.
> > >
> > > As Gary said, you’re obviously violating the rate limits.
> > >
> > > If you’re not using 103.2, you should upgrade to that.
> > >
> > > If you want to give me your public IP, I can look at the logs and
> > > tell you what you’re doing wrong.
> >
> >
> > stop
> >
> > i just did not have freshclamd running, how can this violate anything ?
> >
> > to reproduce problem
> >
> > stop freshclamd in 7 days,
> >
> > after 7 days daily updates missing files
> >
> > freshclamd try then to get the daily.cvd, after that freshclamd on get
> > cool down
> >
> > fix this problem
> >
> > what ever the problem is