
[clamav-users] freshclam frequency ?
The sample freshclam.conf clamav-0.103.0-rc2/etc/freshclam.conf.sample has the lines:
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24

but
https://blog.clamav.net/2020/07/freshclam-cdiffs-effect-on-bandwidth.html
requests:
To mitigate, please complete the following tasks:

1. Use Freshclam instead of Python or whatever downloading script
you have cron'd.
2. Reduce the checks to once or twice a day.

Would it make sense to make these agree ?

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] freshclam frequency ?
Hi there,

On Wed, 2 Sep 2020, Andrew C Aitchison via clamav-users wrote:

> The sample freshclam.conf ...
> # Default: 12 (every two hours)
> ...
> but https://blog.clamav.net/2020/07/freshclam-cdiffs-effect-on-bandwidth.html
> ...
> 2. Reduce the checks to once or twice a day.
>
> Would it make sense to make these agree ?

+1

Bear in mind that a normal freshclam database update check (which is
just a DNS query) doesn't necessarily result in the download of any
file - not even of a .cdiff file.

In the same blog post it says that the databases are only updated once
per day. In view of the types of threat that some folks have to deal
with that seems a little infrequent, although I do understand that
there are pressures on resources. Also bear in mind that if the update
frequency is once per day both at the server and at the client, then
if the timings are unfortunate the delay between an update at source
and the update by a client could be almost _two_ days.

Finally the blog post talks about a small number of IPs which seem to
be downloading the main and daily databases tens of thousands of times
per day. While I suppose it is plausible that these are deliberately
malicious downloads it seems more likely to me that the explanation is
incompetence in large organizations which have a lot of workstations
behind NAT firewalls. I suspect a local caching proxy or mirror could
eliminate some of the problems, but the blog post does not mention it.

--

73,
Ged.
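Added example (my own code, not from the thread or the ClamAV project): a small model of the two points made above, the DNS-only version check that costs no download when nothing changed, and the worst-case latency when both the server's publish interval and the client's Checks interval are long. It assumes the TXT record at current.cvd.clamav.net is a colon-separated string whose fields include the main.cvd version, the daily.cvd version, a Unix timestamp and the bytecode version (SAMPLE_TXT below is a constructed value with that layout, not a real record), and it assumes a 3-hour staleness threshold for the record; a live query would be `dig +short TXT current.cvd.clamav.net`, which this example deliberately does not perform.

```python
"""Model of freshclam's DNS version check and update-latency arithmetic.

Added example; constructed sample data; field layout and the 3-hour
staleness threshold are assumptions, not taken from the thread.
"""
from dataclasses import dataclass

# Constructed sample in the assumed layout:
# clamav_version:main_ver:daily_ver:timestamp:x:y:bytecode_ver:safebrowsing_ver
SAMPLE_TXT = "0.103.0:59:25920:1599033600:60:90:4848:331"


@dataclass(frozen=True)
class DnsVersions:
    clamav: str
    main: int
    daily: int
    stamp: int      # Unix time the record was published
    bytecode: int


def parse_txt(txt: str) -> DnsVersions:
    """Parse the colon-separated TXT payload (assumed layout, see above)."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 7:
        raise ValueError(f"unexpected TXT record layout: {txt!r}")
    try:
        return DnsVersions(
            clamav=fields[0],
            main=int(fields[1]),
            daily=int(fields[2]),
            stamp=int(fields[3]),
            bytecode=int(fields[6]),
        )
    except ValueError as exc:
        raise ValueError(f"non-numeric field in TXT record: {txt!r}") from exc


def record_is_stale(remote: DnsVersions, now: int, max_age_hours: int = 3) -> bool:
    """True if the published record is older than max_age_hours (threshold assumed)."""
    return now - remote.stamp > max_age_hours * 3600


def databases_behind(remote: DnsVersions, local: dict) -> dict:
    """Compare local versions with the DNS record.

    Returns {name: (local_version, remote_version)} for each database that
    is behind. An empty result means the check cost one DNS query and no
    download at all, which is the point made in the message above.
    """
    behind = {}
    pairs = (("main", remote.main), ("daily", remote.daily), ("bytecode", remote.bytecode))
    for name, remote_ver in pairs:
        local_ver = local.get(name, 0)   # a missing database counts as version 0
        if local_ver < remote_ver:
            behind[name] = (local_ver, remote_ver)
    return behind


def worst_case_delay_hours(server_updates_per_day: float, client_checks_per_day: float) -> float:
    """Worst-case hours from a signature being ready to a client having it.

    A signature finished just after a publish waits up to 24/S hours for
    the next publish; a client that checked just before that publish sees
    it up to 24/C hours later. Once a day on both sides gives 48 hours,
    the "almost two days" mentioned above.
    """
    if server_updates_per_day <= 0 or client_checks_per_day <= 0:
        raise ValueError("rates must be positive")
    return 24 / server_updates_per_day + 24 / client_checks_per_day


if __name__ == "__main__":
    remote = parse_txt(SAMPLE_TXT)
    local = {"main": 59, "daily": 25918, "bytecode": 4848}   # constructed local state
    print("behind:", databases_behind(remote, local) or "nothing, DNS query only")
    for checks in (24, 12, 2, 1):
        hours = worst_case_delay_hours(1, checks)
        print(f"server 1/day, Checks {checks:2d}: worst case {hours:.1f} h")
```

Running it prints that only daily is behind (25918 vs 25920), and that with one publish per day the worst case goes from 25 h at Checks 24 to 26 h at Checks 12, 36 h at Checks 2 and 48 h at Checks 1, which is the trade-off between the sample config and the blog post's request.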

Re: [clamav-users] freshclam frequency ?
Several of the problems that we’ve observed are things like a dockerized container or a VM that is reset constantly, so instead of being able to download the cdiffs, those machines have to download the whole daily/main. Those could benefit from a local mirror.

Abusers are present but infrequent. If you’re using freshclam, you’re doing it right. If you have python or curl downloading everything every 5 minutes — I’m going to block you.

Sent from my iPhone

> On Sep 2, 2020, at 07:54, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
>> On Wed, 2 Sep 2020, Andrew C Aitchison via clamav-users wrote:
>>
>> The sample freshclam.conf ...
>> # Default: 12 (every two hours)
>> ...
>> but https://blog.clamav.net/2020/07/freshclam-cdiffs-effect-on-bandwidth.html
>> ...
>> 2. Reduce the checks to once or twice a day.
>>
>> Would it make sense to make these agree ?
>
> +1
>
> Bear in mind that a normal freshclam database update check (which is
> just a DNS query) doesn't necessarily result in the download of any
> file - not even of a .cdiff file.
>
> In the same blog post it says that the databases are only updated once
> per day. In view of the types of threat that some folks have to deal
> with that seems a little infrequent, although I do understand that
> there are pressures on resources. Also bear in mind that if the update
> frequency is once per day both at the server and at the client, then
> if the timings are unfortunate the delay between an update at source
> and the update by a client could be almost _two_ days.
>
> Finally the blog post talks about a small number of IPs which seem to
> be downloading the main and daily databases tens of thousands of times
> per day. While I suppose it is plausible that these are deliberately
> malicious downloads it seems more likely to me that the explanation is
> incompetence in large organizations which have a lot of workstations
> behind NAT firewalls. I suspect a local caching proxy or mirror could
> eliminate some of the problems, but the blog post does not mention it.
>
> --
>
> 73,
> Ged.