Mailing List Archive

Re: [clamav-users] Linode Clam AV Updates
Hi there,

On Mon, 22 Mar 2021, Paul Smith via clamav-users wrote:
> On 21/03/2021 18:29, G.W. Haywood via clamav-users wrote:
>
>> ... and your LAN will probably have at least Gigabit/s capacity
>
> Yes, this option is fine if all your clients are on a fast LAN, but not when
> private mirror serves clients over WANs, VPNs, remote Internet users, etc

You'd need to look at those more or less case by case. Some might be
better treated as separate Cloudflare clients, and in any case they'd
likely be connecting from different public IPs so there'd be little
risk that Cloudflare's abuse prevention would be an issue. Proposed
changes to freshclam to permit the retention of difference files might
invite reconsideration of any decision in the not too distant future.
I generally use my very simple-minded diary to remind me to return to
things like that.

> ... what the cvdupdate method is supposed to help with. That does
> NOT use the 'PrivateMirror' option with the private mirror as you
> originally said it did.

I don't recall describing any use of the cvdupdate method. If I gave
the impression that I'm familiar with it (it's brand new, and I have
never used it, nor even looked at it) then it's my turn to apologize.
In my defence things have been pretty crazy on the list this last few
days and I might have rushed the odd message. My intention was only
to describe the use of the 'PrivateMirror' option according to the
current documentation in the freshclam.conf 'man' page.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Linode Clam AV Updates
On 22/03/2021 10:04, G.W. Haywood via clamav-users wrote:
>
>> ... what the cvdupdate method is supposed to help with.  That does
>> NOT use the 'PrivateMirror' option with the private mirror as you
>> originally said it did.
>
> I don't recall describing any use of the cvdupdate method.  If I gave
> the impression that I'm familiar with it (it's brand new, and I have
> never used it, nor even looked at it) then it's my turn to apologize.

I said "it's a bad idea to run cvdupdate just a couple of times a day
because freshclam gets upset when the DNS doesn't match the CDIFFs
available" and you replied that you should use the "privatemirror"
configuration so it doesn't use the DNS. But all the cvdupdate
documentation says to use the standard 'databasemirror' *not*
'privatemirror' (so that Freshclam DOES download CDIFFs, to reduce
bandwidth usage - with 'privatemirror', Freshclam just downloads full CVDs).

Running cvdupdate very frequently is fine (AFAICS), because it downloads
nothing until the DNS record changes.

Maybe the misunderstanding was because I used the term 'private mirror'
(as used on the page
https://www.clamav.net/documents/private-local-mirrors ) and you assumed
I meant method (2) on that page, whereas my previous sentence had
indicated I was talking about method (3).

--
Paul


--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
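
The DNS-versus-mirror mismatch discussed in the message above, as an added example that is not part of the original post and is not freshclam or cvdupdate code: a simplified model that reads the advertised database version from a DNS TXT record and checks whether a mirror holds every CDIFF needed to reach it. The TXT field layout, the `plan_update` helper and the sample record are assumptions constructed for illustration.

```python
# Added example: a simplified model, not freshclam or cvdupdate code.
from dataclasses import dataclass, field

# Assumed positions of database versions in the colon-separated TXT record.
FIELDS = {"main": 1, "daily": 2, "bytecode": 7}

# Constructed sample record (values are illustrative only).
SAMPLE_TXT = "0.103.1:59:26116:1616407740:1:63:49191:331"


@dataclass
class Plan:
    action: str                       # "up-to-date", "fetch-cdiffs", "mirror-stale"
    files: list = field(default_factory=list)


def advertised_version(txt_record: str, database: str) -> int:
    """Return the version DNS advertises for one database."""
    parts = txt_record.strip().split(":")
    if len(parts) < 8:
        raise ValueError("TXT record has too few fields")
    return int(parts[FIELDS[database]])


def plan_update(txt_record, database, local_version, mirror_files):
    """Decide what a client needs, given the DNS record and the mirror's files."""
    target = advertised_version(txt_record, database)
    if target <= local_version:
        # DNS has not moved past the local copy: nothing is downloaded.
        return Plan("up-to-date")
    wanted = [f"{database}-{v}.cdiff"
              for v in range(local_version + 1, target + 1)]
    missing = [name for name in wanted if name not in mirror_files]
    if missing:
        # DNS advertises a version the mirror has not synced yet.
        return Plan("mirror-stale", missing)
    return Plan("fetch-cdiffs", wanted)


if __name__ == "__main__":
    synced = {"daily-26115.cdiff", "daily-26116.cdiff"}
    stale = {"daily-26115.cdiff"}
    print(plan_update(SAMPLE_TXT, "daily", 26116, synced))
    print(plan_update(SAMPLE_TXT, "daily", 26114, synced))
    print(plan_update(SAMPLE_TXT, "daily", 26114, stale))
```

The third call is the case a rarely synced mirror produces: DNS is ahead of the files the mirror can serve.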

Re: [clamav-users] Linode Clam AV Updates
Hi folks,

Jim at Linode here. I’m interested in helping resolve this problem, as we’d
like to continue to recommend to Linode customers that they use ClamAV for
their needs.

> Slow your updater down.

> I'm fairly certain that my system is still configured with the defaults
> freshclam configuration. It looks like it's checking once an hour.

We generally recommend customers use ClamAV in response to a system
compromise, so they’re just using whatever default configuration that came
with the package they installed. Most customers only run ClamAV when
they’re specifically looking for malware, usually from our recovery
environment (called Rescue Mode). Freshclam is usually run once in Rescue
Mode.

> Linode is our second biggest abuser.

Is this “abuse” being caused by specific IP addresses? Or is the volume of
traffic sending from our network being categorized as “abusive”? Any
specifics you can share would be helpful in us understanding the cause of
this problem. Our impression is that use of ClamAV on our platform hasn’t
meaningfully changed recently.

Would a private mirror help the situation? I believe we could configure
Rescue Mode to fetch updates from whatever private mirror we configure, but
if this problem originates somewhere else, I don’t know how much good that
will do.

- Jim
Re: [clamav-users] Linode Clam AV Updates
Jim,

Glad to work with you, let’s take our conversation off list so we’re not flooding everyone.


Sent from my iPad

> On Mar 22, 2021, at 15:20, Jim Ackley via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi folks,
>
> Jim at Linode here. I’m interested in helping resolve this problem, as we’d like to continue to recommend to Linode customers that they use ClamAV for their needs.
>
> > Slow your updater down.
>
> > I'm fairly certain that my system is still configured with the defaults
> > freshclam configuration. It looks like it's checking once an hour.
>
> We generally recommend customers use ClamAV in response to a system compromise, so they’re just using whatever default configuration that came with the package they installed. Most customers only run ClamAV when they’re specifically looking for malware, usually from our recovery environment (called Rescue Mode). Freshclam is usually run once in Rescue Mode.
>
> > Linode is our second biggest abuser.
>
> Is this “abuse” being caused by specific IP addresses? Or is the volume of traffic sending from our network being categorized as “abusive”? Any specifics you can share would be helpful in us understanding the cause of this problem. Our impression is that use of ClamAV on our platform hasn’t meaningfully changed recently.
>
> Would a private mirror help the situation? I believe we could configure Rescue Mode to fetch updates from whatever private mirror we configure, but if this problem originates somewhere else, I don’t know how much good that will do.
>
> - Jim
Re: [clamav-users] Linode Clam AV Updates
On 3/22/21 1:34 PM, Joel Esler (jesler) via clamav-users wrote:
> Glad to work with you, let’s take our conversation off list so
> we’re not flooding everyone.

As a Linode and ClamAV user, I'm interested in seeing what I can of this
discussion that could be made public.

I'm both curious and want to make sure that what my Linode is (and has
been) doing is not a problem.

So, if you don't mind, and others don't object, please have part of
this conversation publicly.



--
Grant. . . .
unix || die
Re: [clamav-users] Linode Clam AV Updates
On 3/22/21 1:53 PM, Grant Taylor via clamav-users wrote:
> I'm both curious and want to make sure that what my Linode is (and has
> been) doing is not a problem.

I want to make sure:

1) That what my Linode is doing is not a problem. -- freshclam is
waking up hourly and checking DNS to see if there are version updates.
Upon new versions being published, downloading a cdiff and integrating it.
2) That whatever solution Linode puts in place won't interfere with or
otherwise get in the middle between well behaved clients and ClamAV
infrastructure.

P.S. Sorry, I hit send before adding this to the last message.



--
Grant. . . .
unix || die
Re: [clamav-users] Linode Clam AV Updates
On 2021-03-22 13:56, Grant Taylor via clamav-users wrote:
> On 3/22/21 1:53 PM, Grant Taylor via clamav-users wrote:
>> I'm both curious and want to make sure that what my Linode is (and has
>> been) doing is not a problem.
>
> I want to make sure:
>
> 1)  That what my Linode is doing is not a problem.  --  freshclam is
> waking up hourly and checking DNS to see if there are version updates.
> Upon new versions being published, downloading a cdiff and integrating it.
> 2)  That whatever solution Linode puts in place won't interfere with or
> otherwise get in the middle between well behaved clients and ClamAV
> infrastructure.

And as another Linode+ClamAV+Cloudflare customer...

3) That I take advantage of whatever solution Linode puts in place if it
requires a configuration update (and therefore would otherwise only
apply to new deployments based on their images, and/or their rescue image).

Plus it is nice to see the sausage being made, but I realize that this
doesn't apply to everyone.
