Hi there,

On Tue, 23 Mar 2021, Pierre Olivier KAPLAN wrote:
> G.W. Haywood wrote:
> > On Tue, 23 Mar 2021, Pierre Olivier KAPLAN wrote:
> >
> >> A few days ago, it seems that you have changed your hosts and your
> >> signatures file base format. Since, we noticed that the amount of
> >> included signatures has been divided by 3 (from 1.904 M to 641 k).
> >> A lot of hashes have disappeared. Did they get replaced by something
> >> else?
> >
> > Are you sure that you have the right product and/or mailing list?
> >
> > # grep sigs /var/log/clamav/freshclam.log | tail -n 3
> > Tue Mar 23 01:39:15 2021 -> daily.cld database is up to date (version: 26117, sigs: 3964846, f-level: 63, builder: raynman)
> > Tue Mar 23 01:39:16 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
> > Tue Mar 23 01:39:16 2021 -> bytecode.cld database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
> >
> > As you can see there are more than eight million signatures ('sigs')
> > in the current ClamAV databases.
>
> We are actually using freshclam to retrieve the sigs base. So were
> there significant changes on the files format on those previous days?

No.

Irrespective of whatever you are using freshclam to retrieve, the
ClamAV 'main' database was last modified in February 2020 and I am
using it this morning:

# ls -l main.cvd
-rw-r--r-- 1 clamav clamav 117859675 Feb 5 2020 main.cvd

This file *alone* contains more than 4.5 million signatures:

# sigtool -u main.cvd
# wc -l main*b
      1 main.crb
  58950 main.hdb
 346254 main.hsb
4058864 main.mdb
      1 main.msb
 100481 main.ndb
4564551 total

See my previous mail to you, which shows that.

If you are seeing that something has changed in recent days it is much
more likely to be that your use of ClamAV has been found to be abusive
than that there have been significant changes in the databases. There
have been two recent changes which might have had some impact on your
use of the ClamAV databases. Firstly, obsolete versions of the ClamAV
tools are no longer permitted to download the data. Obsolete in this
case means "older than version 0.100", but this definition is subject
to change. Secondly, abusive clients are being treated more sternly
than they have been in the past. It is now more or less mandatory to
use one of the (two) recommended methods to download the databases.
However you have said that you are using freshclam, and, assuming it
is reasonably up to date, that is one of the recommended methods.

Please now take a good look at what you are doing. If you can provide
useful, verifiable information instead of your inaccurate speculation
then we can probably help.

--
73,
Ged.
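
Added example (not from the original message or the ClamAV project): a shell function that reads freshclam log lines in the format quoted above, keeps the most recent signature count for each database, and checks the total against a floor so that an unexpectedly small signature set is noticed. The function names, the floor values and the first sample line are assumptions constructed for illustration.

```sh
#!/bin/sh
# Report the latest signature count per ClamAV database from freshclam log
# text on stdin, then the sum. Line format as quoted in the message above:
#   <date> -> <name>.cvd|.cld database is up to date (version: N, sigs: N, ...)

sig_totals() {
    awk '
        {
            # Database file name follows "-> "; skip unrelated log lines.
            if (!match($0, /-> [^ ]+\.(cvd|cld) /)) next
            db = substr($0, RSTART + 3, RLENGTH - 4)
            sub(/\.(cvd|cld)$/, "", db)      # main.cvd and main.cld are one database
            if (!match($0, /sigs: [0-9]+/)) next
            n = substr($0, RSTART + 6, RLENGTH - 6) + 0
            if (!(db in sigs)) order[++k] = db
            sigs[db] = n                     # later log lines overwrite earlier ones
        }
        END {
            for (i = 1; i <= k; i++) {
                print order[i], sigs[order[i]]
                total += sigs[order[i]]
            }
            print "total", total + 0
        }
    '
}

# Succeeds only if the summed signature count is at least $1 (hypothetical floor).
sigs_at_least() {
    total=$(sig_totals | awk '$1 == "total" { print $2 }')
    [ "${total:-0}" -ge "$1" ]
}

# Sample input: the first line is constructed for illustration (an older
# daily entry); the other three are the log lines quoted in the message.
sample_log() {
    cat <<'EOF'
Mon Mar 22 01:39:10 2021 -> daily.cld database is up to date (version: 26116, sigs: 3960000, f-level: 63, builder: raynman)
Tue Mar 23 01:39:15 2021 -> daily.cld database is up to date (version: 26117, sigs: 3964846, f-level: 63, builder: raynman)
Tue Mar 23 01:39:16 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Mar 23 01:39:16 2021 -> bytecode.cld database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
EOF
}

sample_log | sig_totals
if sample_log | sigs_at_least 8000000; then
    echo "signature count OK"
else
    echo "signature count below floor: check freshclam and the database directory"
fi
```

On a real host, feed the function the log itself, for example `sig_totals < /var/log/clamav/freshclam.log`, using the log path shown in the quoted grep command.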