Mailing List Archive

[clamav-users] Re: Not able to use curl to download the cvd files successfully
Hi Matus,

I use a Windows server with Cygwin installed as a staging server. It downloads the cvd files with curl from the ClamAV site, and the HP-UX servers (no internet access) will get the cvd files from it for scanning.
So I have to run a private mirror? If yes, is there any procedure to run a private mirror? Thanks.

Regards,
Nelson
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Matus UHLAR - fantomas <uhlar@fantomas.sk>
Sent: 8 March 2021 22:05
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Not able to use curl to download the cvd files successfully

On 08.03.21 13:48, Lo Nelson via clamav-users wrote:
>May I know why I am not able to use curl to download the cvd files successfully? The cvd files show error code 1020. Thank you.

Because of ongoing abuse of mirror servers by those who used curl to
download cvd files. Use freshclam instead.

If you run a private mirror, there's a new tool for you:

https://pypi.org/project/cvdupdate/0.1.0/
https://github.com/micahsnyder/cvdupdate



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
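An added example (not from the thread or from the ClamAV project): a check a staging server could run on each fetched file before the offline HP-UX hosts copy it, so that a saved error page or a partial download is rejected. It assumes the 512-byte, colon-separated CVD header layout; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

HEADER_LEN = 512  # assumed layout: fixed-size, space-padded text header

def check_cvd(blob: bytes) -> dict:
    """Parse and sanity-check a CVD image; raise ValueError if it is not one."""
    if len(blob) <= HEADER_LEN or not blob.startswith(b"ClamAV-VDB:"):
        # Typical for an HTML block/error page saved under the name daily.cvd
        raise ValueError("not a CVD: ClamAV-VDB header missing")
    fields = blob[:HEADER_LEN].decode("ascii", "replace").rstrip().split(":")
    if len(fields) < 8:
        raise ValueError("CVD header has too few fields")
    _magic, built, version, sigs, flevel, md5, _dsig, builder = fields[:8]
    if not (version.isdigit() and sigs.isdigit() and flevel.isdigit()):
        raise ValueError("CVD header counters are not numeric")
    # The header MD5 covers everything after the header. It catches truncated
    # or corrupted transfers; authenticity still rests on the digital
    # signature that ClamAV itself verifies when loading the database.
    if hashlib.md5(blob[HEADER_LEN:]).hexdigest() != md5.lower():
        raise ValueError("CVD body does not match header MD5")
    return {"built": built, "version": int(version), "signatures": int(sigs),
            "flevel": int(flevel), "builder": builder}

def make_sample(body: bytes) -> bytes:
    """Build a constructed CVD-shaped blob (not real signature data)."""
    head = ("ClamAV-VDB:08 Mar 2021 10-00 +0000:1:3:63:"
            f"{hashlib.md5(body).hexdigest()}:CONSTRUCTED-SIG:example-builder:1615197600")
    return head.encode("ascii").ljust(HEADER_LEN) + body

def verdict(blob: bytes) -> str:
    """Return a one-line accept/reject decision for a downloaded file."""
    try:
        info = check_cvd(blob)
        return f"ok version={info['version']} sigs={info['signatures']}"
    except ValueError as exc:
        return f"reject: {exc}"

if __name__ == "__main__":
    good = make_sample(b"constructed database body")
    print(verdict(good))                                # intact file
    print(verdict(good[:-5]))                           # truncated transfer
    print(verdict(b"<html>error code: 1020</html>"))    # constructed block page
```
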
[clamav-users] Re: Not able to use curl to download the cvd files successfully
My server is behind a proxy; is it blocked somehow since I used curl to download cvd files before?

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Joel Esler (jesler) via clamav-users <clamav-users@lists.clamav.net>
Sent: 9 March 2021 2:18
To: Todd Aiken <todd.aiken@ubishops.ca>
Cc: Joel Esler (jesler) <jesler@cisco.com>; ClamAV users ML <clamav-users@lists.clamav.net>; G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] Not able to use curl to download the cvd files successfully



On Mar 8, 2021, at 11:30 AM, Todd Aiken <todd.aiken@ubishops.ca> wrote:

> From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of "Joel Esler (jesler) via clamav-users" <clamav-users@lists.clamav.net>
> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
> Date: Monday, March 8, 2021 at 9:47 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: "Joel Esler (jesler)" <jesler@cisco.com>
> Subject: [EXTERNAL] Re: [clamav-users] Not able to use curl to download the cvd files successfully

> No! Don’t “bypass” it.
>
> And “protecting” does not need to be in quotes, it’s quite literally what we are doing. And people doing the above are the problem.
>
> As I said in countless other emails, either use Freshclam or https://github.com/micahsnyder/cvdupdate. The more people that do the above will force us to take drastic
> measures

Here's the reason I bypassed it.

I had a very old machine that I needed to do a scan on. I had to boot the machine with a recovery CD which was a very basic version of Linux. I compiled a statically linked version of ClamAV on another machine and transferred it to the problem machine, but needed to transfer two additional libraries (libpcre2 and libltdl I believe) before clamscan would run. Trying to get freshclam was a pain because it required all sorts of extra libraries, so rather than fetch them one at a time and transfer them, I decided to download main.cvd, daily.cvd, and bytecode.cvd myself. No Python on the machine, so I couldn't use the cvdupdate script. So I figured out that changing the User Agent string would allow me to use wget to download the files, and that's what I did.

If you want to protect your site, I completely understand, but do so by limiting or rate limiting the amount of transfers that happen from IP addresses to the database sites. There is nothing stopping people from abusing downloading full copies of these files using a real browser with some sort of automated download plugin, especially when you provide links to these files on your download page. Blocking valid transfer applications like wget from downloading legitimately just because they don't send a browser as a user agent is a dumb way of protection.

As well, if you don't want people using stuff like wget or curl to download these files, why do you specifically tell them to do so in your own Troubleshooting FAQ? A quote from the page https://www.clamav.net/documents/troubleshooting-faq: "Try to download daily.cvd with curl, wget, or lynx from the same machine that is running freshclam."

I am not being stupid as G.W. Haywood claimed, I was just trying to solve a problem that I had, and that other legitimate, responsible people might have in the future.



Yup. We’re in emergency mode, and we’ll be fixing a lot of the documentation to point to better solutions.