Mailing List Archive

[clamav-users] Private Mirror Via Artifactory
Hi

I have an airgapped setup which only has one route out to the internet for select destinations…

The freshclam clients connect to an nginx vhost, which ultimately forwards the requests to an artifactory instance which has a remote repository set up to use database.clamav.net as its source in order to be able to pull the cvd updates.

This was working before Christmas, and has probably gone unnoticed as artifactory has caching enabled.

However when removing the cvd files from the cache, and freshclam attempts to update the db it returns a 404 from the cache. Artifactory would normally at this point fetch files from the remote. However this isn’t happening anymore.

I see in the docs that scripting for things like curl return 403, amongst other error codes. I believe artifactory, rather than acting as a proxy, is actually making a request itself, so possibly behaving similarly as though I were to do a curl. As such our setup is broken.

Has anyone had any experience with a similar setup, primarily artifactory —> database.clamav.net? If anyone can share thoughts it would be greatly appreciated.

Kind Regards

Adam Copley
E: adam.copley@arola.co.uk | M: 07500937181
W: http://www.arola.co.uk | Jabber: xmpp:adam.copley@arola.co.uk

Online Meeting
https://meet.arola.co.uk/AdamCopley
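
The post above notes that Artifactory's cache hid the broken upstream fetch for months. As an added example (not from the thread, ClamAV or cvdupdate), this Python check reads the 512-byte header of a mirrored `daily.cvd` and flags it when its build time is older than a threshold. The directory path, the 3-day threshold and the sample header values are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from pathlib import Path

HEADER_LEN = 512  # a .cvd begins with a space-padded, colon-separated text header

def parse_cvd_header(raw: bytes) -> dict:
    """Parse the leading 512 bytes of a .cvd file into named fields."""
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated CVD header")
    f = raw[:HEADER_LEN].decode("ascii", "replace").rstrip().split(":")
    if f[0] != "ClamAV-VDB" or len(f) < 8:
        raise ValueError("not a CVD header")
    stime = int(f[8]) if len(f) > 8 and f[8].isdigit() else None
    return {"build_time": f[1], "version": int(f[2]), "signatures": int(f[3]),
            "builder": f[7], "stime": stime}

def built_at(info: dict) -> datetime:
    """Use the epoch field when present, else the text timestamp (e.g. 20 Dec 2020 12-00 +0000)."""
    if info["stime"] is not None:
        return datetime.fromtimestamp(info["stime"], tz=timezone.utc)
    return datetime.strptime(info["build_time"], "%d %b %Y %H-%M %z")

def check_header(raw: bytes, now: datetime, max_age_days: float = 3.0) -> dict:
    info = parse_cvd_header(raw)
    age = (now - built_at(info)).total_seconds() / 86400
    return {"version": info["version"], "age_days": round(age, 1), "stale": age > max_age_days}

def check_mirror(dbdir: str, now: datetime, names=("daily.cvd",), max_age_days: float = 3.0) -> dict:
    """dbdir is the directory the mirror serves (assumed path); a missing file is reported too."""
    out = {}
    for name in names:
        p = Path(dbdir) / name
        if not p.is_file():
            out[name] = {"missing": True}
            continue
        with p.open("rb") as fh:
            out[name] = check_header(fh.read(HEADER_LEN), now, max_age_days)
    return out

def sample_header(built: datetime, version: int, with_stime: bool = True) -> bytes:
    """Constructed sample header; counts, digest and signature fields are dummies."""
    f = ["ClamAV-VDB", built.strftime("%d %b %Y %H-%M %z"), str(version), "1000", "63",
         "0" * 32, "dummysig", "builder"]
    if with_stime:
        f.append(str(int(built.timestamp())))
    return ":".join(f).encode("ascii").ljust(HEADER_LEN)

if __name__ == "__main__":
    cached = sample_header(datetime(2020, 12, 20, 12, 0, tzinfo=timezone.utc), 26022)
    print(check_header(cached, datetime(2021, 3, 11, 12, 0, tzinfo=timezone.utc)))
```

The threshold is meant for `daily.cvd`; `main.cvd` and `bytecode.cvd` are republished far less often, so give them a much larger `max_age_days` if you add them to `names`.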
Re: [clamav-users] Private Mirror Via Artifactory
Hi there,

On Thu, 11 Mar 2021, Adam Copley via clamav-users wrote:

> I have an airgapped setup which only has one route out to the
> internet for select destinations…

Sounds like a contradiction in terms... :/

> ... artifactory rather than acting as a proxy is actually making a
> request itself so possibly behaving similarly as though I were to do
> a curl. As such our setup is broken.

The Artifactory home page says it is "too integrated to fail". My
response to that would be "read my previous email to this list", the
part about the Tacoma Narrows Bridge especially.

If you've read the posts to this mailing list for the last week or so
you'll have some idea of what's happening. I suspect that what you're
seeing is part of the fallout from the response by the ClamAV team to
what has effectively been a DDOS attack on ClamAV's database servers.

You need to use one of the approved ways of updating the data.

I think it's really that simple.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Private Mirror Via Artifactory
Hello,

Thank you for your email. As a result of events documented in places here:
https://lists.clamav.net/pipermail/clamav-users/2021-March/010577.html
and
https://lists.clamav.net/pipermail/clamav-users/2021-March/010543.html

We’ve been forced to take emergency measures to protect the ClamAV environment.

Please immediately switch to using Freshclam or https://github.com/micahsnyder/cvdupdate to update your AV definitions.

Sorry for the inconvenience, but we are currently in emergency mode and have had to make several drastic changes over the last several days.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org



Sent from my iPhone

On Mar 11, 2021, at 07:11, Adam Copley via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi

I have an airgapped setup which only has one route out to the internet for select destinations…

The freshclam clients connect to an nginx vhost, which ultimately forwards the requests to an artifactory instance which has a remote repository set up to use database.clamav.net as its source in order to be able to pull the cvd updates.

This was working before Christmas, and has probably gone unnoticed as artifactory has caching enabled.

However when removing the cvd files from the cache, and freshclam attempts to update the db it returns a 404 from the cache. Artifactory would normally at this point fetch files from the remote. However this isn’t happening anymore.

I see in the docs that scripting for things like curl return 403, amongst other error codes. I believe artifactory, rather than acting as a proxy, is actually making a request itself, so possibly behaving similarly as though I were to do a curl. As such our setup is broken.

Has anyone had any experience with a similar setup, primarily artifactory —> database.clamav.net? If anyone can share thoughts it would be greatly appreciated.

Kind Regards

Adam Copley
E: adam.copley@arola.co.uk | M: 07500937181
W: http://www.arola.co.uk | Jabber: xmpp:adam.copley@arola.co.uk

Online Meeting
https://meet.arola.co.uk/AdamCopley


Re: [clamav-users] Private Mirror Via Artifactory
Hi
Thank you for replying; however, we are using freshclam, the approved method. The problem is that our setup is not allowed to go out via a proxy; the only method is to have artifactory mirror the public repo, but as that is now being blocked this is very problematic.
The reason for the setup is because I work for a government organisation so security is extremely tight. They only have limited ways of allowing public access and unfortunately this is the way currently.

Regards
Adam Copley
Arola IT Ltd
E: adam.copley@arola.co.uk | M: 07500937181
Online Meeting: https://meet.arola.co.uk/AdamCopley

-------- Original message --------
From: "G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net>
Date: Thu, 11 Mar 2021, 14:03
To: Adam Copley via clamav-users <clamav-users@lists.clamav.net>
Cc: "G.W. Haywood" <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] Private Mirror Via Artifactory
Hi there,

On Thu, 11 Mar 2021, Adam Copley via clamav-users wrote:

> I have an airgapped setup which only has one route out to the
> internet for select destinations…

Sounds like a contradiction in terms... :/

> ... artifactory rather than acting as a proxy is actually making a
> request itself so possibly behaving similarly as though I were to do
> a curl. As such our setup is broken.

The Artifactory home page says it is "too integrated to fail". My
response to that would be "read my previous email to this list", the
part about the Tacoma Narrows Bridge especially.

If you've read the posts to this mailing list for the last week or so
you'll have some idea of what's happening. I suspect that what you're
seeing is part of the fallout from the response by the ClamAV team to
what has effectively been a DDOS attack on ClamAV's database servers.

You need to use one of the approved ways of updating the data.

I think it's really that simple.

--

73,
Ged.

Re: [clamav-users] Private Mirror Via Artifactory
Hi there,

On Thu, 11 Mar 2021, adam.copley@arola.co.uk via clamav-users wrote:

> ... however we are using freshclam the approved method. The problem
> is that our setup is not allowed to go out via a proxy, the only
> method is to have artifactory mirror the public repo, but as that is
> now being blocked this is very problematic.

If I understand correctly, you are trying to use freshclam on a system
which cannot connect to the ClamAV database servers. Of course that's
not going to work. It seems to me that you are running freshclam on
the wrong device - it needs to be run on the artifactory mirror. This
is likely something that you will need to talk to your supplier about.

An alternative to freshclam exists for use with private mirrors but it
would still need to run on your mirror:

https://marc.info/?l=clamav-users&m=161518336616237&w=2

--

73,
Ged.

Re: [clamav-users] Private Mirror Via Artifactory
On 11/03/2021 23:28, adam.copley@arola.co.uk via clamav-users wrote:
> Hi
>
> Thank you for replying however we are using freshclam the approved
> method. The problem is that our setup is not allowed to go out via a
> proxy, the only method is to have artifactory mirror the public repo,
> but as that is now being blocked this is very problematic.

You can set up a private mirror using the cvdupdate software:
https://github.com/micahsnyder/cvdupdate . This works fine and is easy
to set up and use.

If your only option is to use artifactory, then you need to contact
JFrog's technical support because they're the only people who can fix
that. After all, that's what you're paying them for. I'm sure they'll be
working on (or will already have) an update to work with the new
restrictions.

--
Paul


--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

Re: [clamav-users] Private Mirror Via Artifactory
On 11.03.21 23:28, adam.copley@arola.co.uk via clamav-users wrote:
> Thank you for replying however we are using freshclam the approved method.
> The problem is that our setup is not allowed to go out via a proxy, the
> only method is to have artifactory mirror the public repo, but as that is
> now being blocked this is very problematic.

I believe you should contact artifactory to fix their mirror.

Using any mirror should lower the load on clamav servers, apparently they
messed it up.

> The reason for the setup is because I work for a government organisation
> so security is extremely tight. They only have limited ways of allowing
> public access and unfortunately this is the way currently.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...

Re: [clamav-users] Private Mirror Via Artifactory
Quoting Paul Smith via clamav-users <clamav-users@lists.clamav.net>:

> If your only option is to use artifactory, then you need to contact
> JFrog's technical support because they're the only people who can
> fix that. After all, that's what you're paying them for. I'm sure
> they'll be working on (or will already have) an update to work with
> the new restrictions.

One might still work around this issue by setting up a private mirror
*outside* of your network perimeter and pointing your internal freshclam
clients to use that mirror instead of the ClamAV servers. As long as
the private mirror is well behaved when it contacts the ClamAV
servers, you can have any or no restrictions for the files the
private mirror serves (including allowing full downloads of the .cvd
files as often as you like). Other than changing the freshclam
configuration files to point to your private mirror, it would require
no changes to artifactory at all.


Re: [clamav-users] Private Mirror Via Artifactory
Hi there,

On Fri, 12 Mar 2021, Arjen de Korte via clamav-users wrote:

> One might still work around this issue, by setting up a private
> mirror *outside* of your network perimeter ...

I think the OP was saying that he's not allowed to do that. The way
things are for him at the moment, the path of least resistance might
be a USB stick...

--

73,
Ged.

Re: [clamav-users] Private Mirror Via Artifactory
Quoting "G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net>:

>> One might still work around this issue, by setting up a private
>> mirror *outside* of your network perimeter ...
> I think the OP was saying that he's not allowed to do that. The way
> things are for him at the moment, the path of least resistance might
> be a USB stick...

I see no reason why. If the internal freshclam clients are allowed to
connect to the ClamAV servers on the outside through Artifactory, why
wouldn't they be allowed to connect to a private mirror on the outside
through Artifactory? As long as the connection is made through
Artifactory, there is no real difference: neither the ClamAV servers,
nor the private mirror is in the protected environment. The benefit of
putting the private mirror in between, is that one has full control
over the access restrictions. This private mirror could be hosted
almost anywhere (as long as it has sufficient bandwidth available).




Re: [clamav-users] Private Mirror Via Artifactory
Hi there,

On Fri, 12 Mar 2021, Arjen de Korte via clamav-users wrote:

> Quoting "G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net>:
>
>> I think the OP was saying that he's not allowed to do that. ...
>
> I see no reason why. ...

Nor do I. But he said it was for the government, which says to me
that rational argument will have precious little to do with it. :/

--

73,
Ged.

Re: [clamav-users] Private Mirror Via Artifactory
On Fri, 12 Mar 2021 15:47:02 +0000 (GMT)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Fri, 12 Mar 2021, Arjen de Korte via clamav-users wrote:
>
> > Quoting "G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net>:
> >
> >> I think the OP was saying that he's not allowed to do that. ...
> >
> > I see no reason why. ...
>
> Nor do I. But he said it was for the government, which says to me
> that rational argument will have precious little to do with it. :/


The same applies to many organizations that are big enough -- and have
been established long enough -- to have Policies.
