Hi all,
1. The daily.cvd file I am referring to is on the local server which acts as
the private local mirror (not referring to clients at all).
2. freshclam is running in Docker; its image came from `alpine:3.12`
and clamav was installed with this command: `apk add --no-cache
clamav=0.102.4-r11 clamav-libunrar=0.102.4-r11`
3. I am checking the updates twice a day.
4. It's not that straightforward to run Wireshark on that server, but I can
route it to a specific DNS record (will update).
5. Here are the full logs of the latest update failure (26011 ->
26012); the freshclam run takes 19 sec:
Tue Dec 8 22:00:02 2020 -> ClamAV update process started at Tue Dec 8
22:00:02 2020
Tue Dec 8 22:00:02 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:02 2020 -> *Querying current.cvd.clamav.net
Tue Dec 8 22:00:02 2020 -> *TTL: 30
Tue Dec 8 22:00:02 2020 -> *fc_dns_query_update_info: Software version
from DNS: 0.103.0
Tue Dec 8 22:00:02 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:02 2020 -> *check_for_new_database_version: Local copy of
daily found: daily.cvd.
Tue Dec 8 22:00:02 2020 -> *query_remote_database_version: daily.cvd
version from DNS: 26012
Tue Dec 8 22:00:02 2020 -> daily database available for update (local
version: 26011, remote version: 26012)
Tue Dec 8 22:00:02 2020 -> *Retrieving
https://database.clamav.net/daily.cvd
Tue Dec 8 22:00:02 2020 -> *downloadFile: Download source:
https://database.clamav.net/daily.cvd
Tue Dec 8 22:00:02 2020 -> *downloadFile: Download destination:
/data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp
* Trying 104.16.218.84:443...
* Connected to database.clamav.net (104.16.218.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=
sni.cloudflaressl.com
* start date: Aug 15 00:00:00 2020 GMT
* expire date: Aug 15 12:00:00 2021 GMT
* subjectAltName: host "database.clamav.net" matched cert's "
database.clamav.net"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade:
len=0
* Using Stream ID: 1 (easy handle 0x56459985de60)
> GET /daily.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.102.4 (OS: linux-musl, ARCH: x86_64, CPU: x86_64)
accept: */*
connection: close
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Tue, 08 Dec 2020 22:00:02 GMT
< content-type: application/octet-stream
< content-length: 114885026
< set-cookie: __cfduid=dc7afe2099393f2517fefc5bfc70645881607464802;
expires=Thu, 07-Jan-21 22:00:02 GMT; path=/; domain=.clamav.net; HttpOnly;
SameSite=Lax
< last-modified: Mon, 07 Dec 2020 14:37:00 GMT
< etag: "5fce3e0c-6d901a2"
< expires: Wed, 09 Dec 2020 10:00:02 GMT
< cache-control: public, max-age=43200
< cf-cache-status: HIT
< age: 109
< accept-ranges: bytes
< cf-request-id: 06e5f76fd70000dfa591a49000000001
< expect-ct: max-age=604800, report-uri="
https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 5fe9c1c62d72dfa5-FRA
<
* Connection #0 to host database.clamav.net left intact
Tue Dec 8 22:00:05 2020 -> *The daily.cvd database downloaded from
https://database.clamav.net is one version older than advertised in the DNS
TXT record.
Tue Dec 8 22:00:05 2020 -> *updatedb: Running g_cb_download_complete
callback...
Tue Dec 8 22:00:05 2020 -> *download_complete_callback: Download complete
for database :
/data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec 8 22:00:05 2020 -> *download_complete_callback:
fc_context->bTestDatabases : 1
Tue Dec 8 22:00:05 2020 -> *download_complete_callback:
fc_context->bBytecodeEnabled : 1
Tue Dec 8 22:00:05 2020 -> Testing database:
'/data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd' ...
Tue Dec 8 22:00:05 2020 -> *Loading signatures from
/data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec 8 22:00:20 2020 -> *Properly loaded 4397905 signatures from
/data/tmp.7624b/clamav-cde3734f56b3b9351a0261c3b140966f.tmp-daily.cvd
Tue Dec 8 22:00:21 2020 -> Database test passed.
Tue Dec 8 22:00:21 2020 -> daily.cvd updated (version: 26011, sigs:
4351421, f-level: 63, builder: raynman)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: daily.cvd updated.
Tue Dec 8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:21 2020 -> *check_for_new_database_version: Local copy of
main found: main.cvd.
Tue Dec 8 22:00:21 2020 -> *query_remote_database_version: main.cvd
version from DNS: 59
Tue Dec 8 22:00:21 2020 -> main.cvd database is up to date (version: 59,
sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: main.cvd already
up-to-date.
Tue Dec 8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:21 2020 -> *check_for_new_database_version: Local copy of
bytecode found: bytecode.cvd.
Tue Dec 8 22:00:21 2020 -> *query_remote_database_version: bytecode.cvd
version from DNS: 331
Tue Dec 8 22:00:21 2020 -> bytecode.cvd database is up to date (version:
331, sigs: 94, f-level: 63, builder: anvilleg)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: bytecode.cvd already
up-to-date.
Tue Dec 8 22:00:21 2020 -> *Current working dir is /data/
Tue Dec 8 22:00:21 2020 -> *check_for_new_database_version: Local copy of
safebrowsing found: safebrowsing.cvd.
Tue Dec 8 22:00:21 2020 -> *query_remote_database_version:
safebrowsing.cvd version from DNS: 49191
Tue Dec 8 22:00:21 2020 -> safebrowsing.cvd database is up to date
(version: 49191, sigs: 2213119, f-level: 63, builder: google)
Tue Dec 8 22:00:21 2020 -> *fc_update_database: safebrowsing.cvd already
up-to-date.
On Tue, Dec 8, 2020 at 8:01 PM Gal Cohen <gal.cohen@zooz.com> wrote:
> Hello,
>
> I'm serving cvd files from a local server. When I run freshclam on my
> server it takes some runs until the daily.cvd is updated even though the
> remote version was updated a while ago.
>
> - the clamav version I'm using is 0.102.4-r1
> - freshclam.conf I'm using is:
> DatabaseDirectory /data
> LogSyslog yes
> UpdateLogFile /logs/freshclam.log
> LogTime yes
> PidFile /run/clamav/freshclam.pid
> DatabaseOwner root
> LogVerbose yes
> DatabaseMirror database.clamav.net
> ScriptedUpdates no. (for serving as local server)
> SafeBrowsing yes
> Bytecode yes
>
> Some focused logs from a freshclam run which does not update the local
> daily.cvd even though it indicates a newer version remotely:
> "daily database available for update (local version: 26009, remote
> version: 26010)
> *The daily.cvd database downloaded from https://database.clamav.net is
> one version older than advertised in the DNS TXT record.
> Database test passed.
> daily.cvd updated (version: 26009, sigs: 4351133, f-level: 63, builder:
> raynman)"
>
> Do I need to change my configuration or is it a bug on the 102.4 clamav
> version?
>
> Thanks
> Gal
>
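
Added example (not part of the original messages and not ClamAV project code): a Python check that reads a verbose freshclam log like the one above, tolerates the mail client's line wraps, and reports when the installed database still lags the version advertised in DNS after a run. The function names are hypothetical and the sample log is constructed from lines quoted in this thread.

```python
import re

# Constructed sample: lines copied from the freshclam run quoted in this
# thread, keeping the hard line wraps introduced by the mail client.
SAMPLE_LOG = """\
Tue Dec 8 22:00:02 2020 -> daily database available for update (local
version: 26011, remote version: 26012)
Tue Dec 8 22:00:05 2020 -> *The daily.cvd database downloaded from
https://database.clamav.net is one version older than advertised in the DNS
TXT record.
Tue Dec 8 22:00:21 2020 -> daily.cvd updated (version: 26011, sigs:
4351421, f-level: 63, builder: raynman)
Tue Dec 8 22:00:21 2020 -> main.cvd database is up to date (version: 59,
sigs: 4564902, f-level: 60, builder: sigmgr)
"""

# Patterns match only the message wording that appears in this thread.
AVAILABLE = re.compile(r"(\w+) database available for update "
                       r"\(local version: (\d+), remote version: (\d+)\)")
UPDATED = re.compile(r"(\w+)\.cvd updated \(version: (\d+),")
OLDER = re.compile(r"The (\w+)\.cvd database downloaded from \S+ is one "
                   r"version older than advertised")

def mirror_lag(log_text):
    """Per-database lag between the DNS-advertised and installed version
    for a single freshclam run."""
    flat = re.sub(r"\s+", " ", log_text)  # undo wraps inside log messages
    report = {}
    for name, local, remote in AVAILABLE.findall(flat):
        report[name] = {"local": int(local), "advertised": int(remote),
                        "installed": int(local), "older_download": False}
    for name, version in UPDATED.findall(flat):
        if name in report:
            report[name]["installed"] = int(version)
    for name in OLDER.findall(flat):
        if name in report:
            report[name]["older_download"] = True
    for entry in report.values():
        entry["lag"] = entry["advertised"] - entry["installed"]
    return report

def stale_databases(log_text):
    """Databases that ended the run behind the advertised version."""
    return sorted(n for n, e in mirror_lag(log_text).items() if e["lag"] > 0)

if __name__ == "__main__":
    print(mirror_lag(SAMPLE_LOG), stale_databases(SAMPLE_LOG))
```

On a private mirror, a non-empty result from `stale_databases` after the scheduled run is the condition to alert on, since clients pulling from the mirror inherit the same lag.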