Mailing List Archive

[clamav-users] Clamav with VPN
Hi everybody,

I'm facing an issue with the update of Clamav's database.

I use ExpressVPN and each time I want to update the database I see
messages in the log files (syslog and freshclam), for example:

* syslog :

May  4 00:43:17 tux-P17SM freshclam[1967]: Mon May  4 00:43:17 2020 -> ^Failed to get daily database version information from server: https://database.clamav.net
May  4 00:43:17 tux-P17SM freshclam[1967]: Mon May  4 00:43:17 2020 -> !check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
May  4 00:43:17 tux-P17SM freshclam[1967]: Mon May  4 00:43:17 2020 -> Trying again in 5 secs...
May  4 00:43:22 tux-P17SM freshclam[1967]: Mon May  4 00:43:22 2020 -> Reading CVD header (daily.cvd): Mon May  4 00:43:22 2020 -> ^remote_cvdhead: Download failed (6) Mon May  4 00:43:22 2020 -> ^ Message: Couldn't resolve host name

* freshclam :

Mon May  4 00:43:17 2020 -> ClamAV update process started at Mon May  4 00:43:17 2020
Mon May  4 00:43:17 2020 -> WARNING: Can't query current.cvd.clamav.net
Mon May  4 00:43:17 2020 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
Mon May  4 00:43:17 2020 -> Reading CVD header (daily.cvd): Mon May  4 00:43:17 2020 -> WARNING: remote_cvdhead: Download failed (6) Mon May  4 00:43:17 2020 -> WARNING:  Message: Couldn't resolve host name
Mon May  4 00:43:17 2020 -> WARNING: Failed to get daily database version information from server: https://database.clamav.net
Mon May  4 00:43:17 2020 -> ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Mon May  4 00:43:17 2020 -> Trying again in 5 secs...
Mon May  4 00:43:22 2020 -> Reading CVD header (daily.cvd): Mon May  4 00:43:22 2020 -> WARNING: remote_cvdhead: Download failed (6) Mon May  4 00:43:22 2020 -> WARNING:  Message: Couldn't resolve host name
Mon May  4 00:43:22 2020 -> WARNING: Failed to get daily database version information from server: https://database.clamav.net
Mon May  4 00:43:22 2020 -> ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Mon May  4 00:43:22 2020 -> Trying again in 5 secs...

To try to solve this issue, I have added this line in my /etc/hosts file :

* 104.16.218.84    database.clamav.net

But it seems the issue is not solved.

Please note that the update works well if I switch off my VPN.

Could someone give me some solutions to solve this issue, please?

Thanks in advance.

With my best regards
Re: [clamav-users] Clamav with VPN
Hi there,

On Tue, 5 May 2020, 21ch181 via clamav-users wrote:

> I use ExpressVPN and each time I want to update the database I see
> messages in the log files (syslog and freshclam) ...
> To try to solve this issue, I have added this line in my /etc/hosts file :
>
> * 104.16.218.84 database.clamav.net

Don't do things like that. Sooner or later it will break, and you'll
find yourself back here again asking why.

> Please note that the update works well if I switch off my VPN.

It's clear from your log messages that your problem is caused by name
resolution issues. It isn't clear exactly what they are, but it's
obviously associated with the DNS service provided when the VPN is
running. Since the ExpressVPN sales pitch makes a thing of encrypting
your DNS traffic as well as other traffic this isn't a great surprise.
You could try to debug the name resolution using tools like 'dig', but
it's not necessarily straightforward and in any case I'm not persuaded
that there's a case for sending ClamAV database traffic over a VPN.
All the information (including, now that you've posted to this list,
the fact that you are using it) is in the public domain.

> Could someone give me some solutions to solve this issue, please?

Send ClamAV traffic over normal routes. It's possible that Cloudflare
is blocking ExpressVPN traffic, but I don't know what you'd be able to
do about that. Joel (on this list) might have insights to offer.

I'd never use a VPN service provided by someone else. You can't trust
them. It's very easy to set up your own, then you know what's going
on, and you aren't providing raw material from which someone probably
intends to make a profit.

I'll leave aside the legality or otherwise of using strong encryption
in your country, but if you can tell us why you think you need ClamAV
on your Linux box that might be useful.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamav with VPN
> > To try to solve this issue, i have added this line in my /etc/hosts file :
> >
> > * 104.16.218.84 database.clamav.net
>
> Don't do things like that. Sooner or later it will break, and you'll
> find yourself back here again asking why.


Our firewall blocks our mail server from issuing requests via ports 80
and 443, but, after our failure to set up a private mirror that worked
reliably after the switch to Cloudflare (their BOS mirror was usually
behind the DNS TXT reported version, as detailed in many previous
posts), I had to add exceptions for 104.16.218.84 and 104.16.219.84 so
that our mail server could update ClamAV. (And Joel said last July that
these IPs are quite stable for our geo-location "Unless cloudflare
drastically changes things".)

The only other alternative was to set up some sort of on-LAN relay or
proxy (e.g., Squid), which seemed like way overkill.


P.S. Since "G.W. Haywood" <clamav@jubileegroup.co.uk> never accepts
incoming mail, why not switch from CC to BCC in your submissions to
clamav-users and save us a lot of frustration. (Also, your private
email address from which you sent me a private email never accepted my
private reply, it just "timed out" -- twice.)



On Tue, 5 May 2020 12:23:10 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> [...]
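The two stages that fail in the logs at the top of this thread (first the DNS TXT lookup of current.cvd.clamav.net, which freshclam reports as "Invalid DNS reply", then the HTTPS fallback against database.clamav.net, which dies with libcurl error 6, "Couldn't resolve host name"), re-run from Python so that each can be pointed at a specific resolver or sent through a proxy. It is meant to serve both the 'dig' suggestion in Ged's reply and the proxy alternative in Paul's: stage 1 goes to whatever resolver you name (the one the VPN pushed into /etc/resolv.conf, or your normal one), and stage 2 can be tunnelled through an HTTP proxy, which is what freshclam.conf's HTTPProxyServer/HTTPProxyPort options do, so an egress filter only has to allow the proxy rather than Cloudflare's addresses. This is an added example, not code from the thread or from the ClamAV project. Assumptions: the TXT field numbering is the one freshclam's source uses (1 main, 2 daily, 3 timestamp, 7 bytecode); the libcurl codes are from libcurl's curl.h; the resolver address and proxy are supplied by the reader on the command line; the sample record in the docstring is constructed.

```python
"""Re-run freshclam's update check stage by stage, with the standard library only.
Stage 1: DNS TXT lookup of current.cvd.clamav.net (the newest database versions);
on failure ("Invalid DNS reply") freshclam falls back to stage 2, HTTPS against
database.clamav.net.  Run separately, they show which one a VPN resolver breaks.
A (constructed) record looks like "0.102.2:59:25807:1588600140:1:90:49191:331"."""
import http.client
import random
import re
import socket
import struct

TXT_NAME = "current.cvd.clamav.net"
MIRROR = "database.clamav.net"
# libcurl codes behind freshclam's "Download failed (N)" (values from curl.h)
CURL_ERRORS = {6: "CURLE_COULDNT_RESOLVE_HOST", 7: "CURLE_COULDNT_CONNECT",
               28: "CURLE_OPERATION_TIMEDOUT"}

def freshclam_error_code(line):
    """Libcurl code and name from a freshclam 'Download failed (N)' log line."""
    m = re.search(r"Download failed \((\d+)\)", line)
    return (int(m[1]), CURL_ERRORS.get(int(m[1]), "unknown")) if m else None

def build_txt_query(name, txid):
    """Minimal DNS query: RD=1, one question, QTYPE=TXT(16), QCLASS=IN(1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 1)

def _skip_name(pkt, off):
    """Offset just past a DNS name; a compression pointer (0xC0xx) ends the name."""
    while pkt[off] != 0:
        if (pkt[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def parse_txt_answer(pkt, txid):
    """TXT strings from a DNS reply; ValueError is freshclam's 'Invalid DNS reply'."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS reply")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE/QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == 16 and i < len(rdata):   # <len><chars> character-strings
            texts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
            i += 1 + rdata[i]
    if not texts:
        raise ValueError("no TXT records in reply")
    return texts

def parse_cvd_versions(txt):
    """Fields freshclam reads from the record (numbering as in freshclam's
    source: 0 ClamAV release, 1 main, 2 daily, 3 timestamp, 7 bytecode)."""
    f = txt.split(":")
    if len(f) < 8:
        raise ValueError("unexpected TXT layout: %r" % txt)
    return {"clamav": f[0], "main": int(f[1]), "daily": int(f[2]),
            "timestamp": int(f[3]), "bytecode": int(f[7])}

def dns_stage(resolver_ip, name=TXT_NAME, timeout=5.0):
    """Stage 1 against one specific resolver (e.g. the one the VPN pushed)."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_cvd_versions(parse_txt_answer(data, txid)[0])

def https_stage(host=MIRROR, path="/daily.cvd", proxy=None, timeout=10.0):
    """Stage 2: HEAD the CVD as freshclam's HTTP fallback does.  proxy=(host, port)
    plays the role of HTTPProxyServer/HTTPProxyPort in freshclam.conf, so an egress
    filter need only allow the proxy rather than the mirror's current addresses."""
    conn = http.client.HTTPSConnection(*(proxy or (host, 443)), timeout=timeout)
    if proxy:
        conn.set_tunnel(host, 443)              # CONNECT through the proxy, then TLS
    conn.request("HEAD", path)
    status = conn.getresponse().status
    conn.close()
    return status

if __name__ == "__main__":                      # usage: script.py <resolver-ip> [proxyhost:port]
    import sys
    proxy = sys.argv[2].rsplit(":", 1) if len(sys.argv) > 2 else None
    for label, fn in (("DNS TXT", lambda: dns_stage(sys.argv[1])),
                      ("HTTPS", lambda: https_stage(proxy=proxy and (proxy[0], int(proxy[1]))))):
        try:
            print(label, "ok:", fn())
        except (OSError, ValueError) as e:      # socket.gaierror = "Couldn't resolve host name"
            print(label, "FAILED:", type(e).__name__, e)
```

Run it once with the resolver /etc/resolv.conf lists while the VPN is up and once with the one it lists when the VPN is down. If stage 1 fails only under the VPN, the VPN's resolver is dropping or mangling TXT answers; an /etc/hosts entry cannot help there, because hosts-file entries only supply address records and freshclam's TXT query never consults them. If stage 2 also fails with a gaierror, address resolution of database.clamav.net is broken as well, which is the "Couldn't resolve host name" (libcurl 6) case in the logs.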

Re: [clamav-users] Clamav with VPN
Hi there,

On Tue, 5 May 2020, Paul Kosinski via clamav-users wrote:

>>> To try to solve this issue, i have added this line in my /etc/hosts file :
>>>
>>> * 104.16.218.84 database.clamav.net
>>
>> Don't do things like that. Sooner or later it will break, and you'll
>> find yourself back here again asking why.
>
> Our firewall blocks our mail server from issuing requests via ports 80
> and 443, but, after our failure to set up a private mirror that worked
> reliably after the switch to Cloudflare (their BOS mirror was usually
> behind the DNS TXT reported version, as detailed in many previous
> posts), I had to add exceptions for 104.16.218.84 and 104.16.219.84 ...

I'm not sure that I understand your point. Mine was that hacks like
tweaking resolv.conf to try to get round a broken name service instead
of fixing the service are bound to come back and bite you.

> P.S. Since "G.W. Haywood" <clamav@jubileegroup.co.uk> never accepts
> incoming mail, why not switch from CC to BCC in your submissions to
> clamav-users and save us a lot of frustration.

Sorry for any frustration but I think you misunderstand. The address
you mentioned there does indeed accept incoming mail, but (as I have
already explained) only from the list server. Also, normally I send
mail from my list addresses only to the list addresses - there's no CC
in my mail to the lists. For example, this message will be sent to

Paul Kosinski via clamav-users <clamav-users@lists.clamav.net>

and only to that address. The list server does what it does, there's
nothing I can do about that but you might be able to configure what it
does for you to be more to your liking, see

https://lists.clamav.net/mailman/options/clamav-users

You can always reach me via the list of course.

> (Also, your private email address from which you sent me a private
> email never accepted my private reply, it just "timed out" -- twice.)

My private and public email addresses are all served by the same MX,
and use the same systems for filtering mail (obviously with different
configurations for private and list mail). So either your sending IPs
(216.55.100.245 or 216.55.100.246) or IPs nearby in the IP block are,
or have recently been, sending spam:

http://multirbl.valli.org/lookup/216.55.100.245.html
http://multirbl.valli.org/lookup/216.55.100.246.html

Admittedly some of the blacklists that we use are a bit broad-brush,
but we do see an awful lot of spam attempts from Level3 IPs. When it
comes to service providers I'm in the "vote with your chequebook" camp
and I'll do anything I can to encourage ISPs to develop good hygiene.
Regrettably that does sometimes mean that there's collateral damage.

Incidentally those two IPs seem to be the only nameservers for the
iment.com domain. As they're both on the same network, you might be
vulnerable to a single point failure taking your domain offline.

https://mxtoolbox.com/domain/iment.com/

You'd be much better advised to worry about that than worry about a
tadpole-sized mail server in the UK dropping your packets.

--

73,
Ged.

Re: [clamav-users] Clamav with VPN
My point about letting two IP addresses through our firewall was that
it was also a hack that might eventually fail (according to Joel, if
"cloudflare drastically changes things"). In other words I put in a
hack to work around an external problem that was beyond my ability to
fix (having no clout with Cloudflare).


On Tue, 5 May 2020 19:02:20 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> [...]
