Mailing List Archive

[clamav-users] Rate limited
Dear Support,

I use Clamav on my private NAS, and since the 20th of August I cannot
make any updates.
From March 2021 till the 20th of August 2021 I made a single daily
update (every 24 hours).

After the automated updates failed, I tried manually, and received an
Error 1015, Rate Limited. So I completely turned off the automated
updates for about 3 weeks, then tried again, setting the updates to a
3 days period, but still no luck. When I try a manual update, I get
this message:

"Error 1015 Ray ID: 6987b88d0d24d6b9 • 2021-10-03 16:59:25 UTC
You are being rate limited
What happened?
The owner of this website (db.local.clamav.net) has banned you
temporarily from accessing this website."

I have the following questions to this:
1. Was one update per day too much?
2. If not, then why is my IP banned?
3. How can this ban be lifted?
4. What would be an optimal update period to avoid such bans in the future?

I appreciate you help and support.

Best regards,
Adam Baliko

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Rate limited [ In reply to ]
Hi there,

On Sun, 3 Oct 2021, Adam Baliko via clamav-users wrote:

> I use Clamav on my private NAS, and since the 20th of August I cannot
> make any updates.

You have been veru patient to wait for so long before mentioning it. :)

> After the automated updates failed, I tried manually ...

I have the feeling that manual updates aren't a good idea now.

> 1. Was one update per day too much?

No.

> 2. If not, then why is my IP banned?

What is your IP?
Perhaps you are sharing your IP with other users?
Perhaps you are using an out-of-date version of ClamAV?

> 3. How can this ban be lifted?

You're doing it right by contacting this list. The people who need to
know read it. But they need to know the IP address(es) you're using.

> 4. What would be an optimal update period to avoid such bans in the future?

It doesn't seem to me that the very modest frequency of updates which
you're using will be the issue. We update twice per day and have done
for many years, with no problems.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Rate limited [ In reply to ]
Hi Ged,

thank you for your answers.

Yes, I have been patient because it said that it is a temporary
blocking. I thought that means it'll be lifted after some (reasonable)
time.

I have a private VLAN here, but my public IP is granted by my ISP. I'm
assuming this is a dynamic IP but I have no idea how often that
changes (maybe I should start noting the IPs which are banned, if they
are different). And there is only one machine making Clamav updates
within my VLAN, so if there are multiple downloads from the same IP,
then the only explanation I can think of is on the ISP level (I get a
public IP which was banned previously).
BTW, my public IP is 84.189.37.183.

I can't seem to be able to check the versions of Clamav. I have a QNAP
NAS, and as I understand Clamav is somehow baked into the firmware. I
am currently on the latest Firmware release if that is of any help.

Interestingly, today I wanted to try the manual update again to see
what IP is displayed there (should be the same, but who knows), and
instead of the usual Error 1015 successfully downloaded the daily.cvd
file. So currently my virus definitions are up to date, but I have
worries about getting my IP blocked again in the future.

BR,
Adam

On Sun, Oct 3, 2021 at 11:57 PM G.W. Haywood via clamav-users
<clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Sun, 3 Oct 2021, Adam Baliko via clamav-users wrote:
>
> > I use Clamav on my private NAS, and since the 20th of August I cannot
> > make any updates.
>
> You have been veru patient to wait for so long before mentioning it. :)
>
> > After the automated updates failed, I tried manually ...
>
> I have the feeling that manual updates aren't a good idea now.
>
> > 1. Was one update per day too much?
>
> No.
>
> > 2. If not, then why is my IP banned?
>
> What is your IP?
> Perhaps you are sharing your IP with other users?
> Perhaps you are using an out-of-date version of ClamAV?
>
> > 3. How can this ban be lifted?
>
> You're doing it right by contacting this list. The people who need to
> know read it. But they need to know the IP address(es) you're using.
>
> > 4. What would be an optimal update period to avoid such bans in the future?
>
> It doesn't seem to me that the very modest frequency of updates which
> you're using will be the issue. We update twice per day and have done
> for many years, with no problems.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Rate limited [ In reply to ]
Hi there,

On Tue, 5 Oct 2021, Adam Baliko via clamav-users wrote:

> ... my public IP is granted by my ISP. I'm assuming this is a
> dynamic IP but I have no idea how often that changes (maybe I should
> start noting the IPs which are banned, if they are different).

If I were using a dynamic IP I'd certainly want to log the IP whenever
it changed. But it's easy (and probably free) to get a static IP, and
that's much better for tracing the causes of assorted network issues.

> ... only one machine making Clamav updates within my VLAN, so if
> there are multiple downloads from the same IP, then the only
> explanation I can think of is on the ISP level (I get a public IP
> which was banned previously). BTW, my public IP is 84.189.37.183.

It's possible, these things happen. Now that you've given the IP, the
people who manage the abuse protection systems can take a look.

> I can't seem to be able to check the versions of Clamav.

clamscan -V

See also

man clamscan

etc. and

htps://docs.clamav.net

which is the ClamAV official documentation site, but be aware that
this is a relatively new site. It tells you that ClamAV provides a
daemon, but not what a daemon is nor why you might want to run one.
There are more examples than I'd expect to see of things like strange
capitalization of the names of executables, and mentions of versions
of ClamAV which don't yet exist. :/ The 'man' pages are IMO generally
better, but you need to be familiar with using man pages to get the
best out of them and it sounds like you are not. Try to work on that,
it's very useful but definitely a skill which needs to be acquired.

> I have a QNAP NAS, and as I understand Clamav is somehow baked into
> the firmware. I am currently on the latest Firmware release if that
> is of any help.

You should search the archives of this mailing list for discussions
which mention QNAP. There have been several in the last year or so.
There are other issues which you might need to consider.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Rate limited [ In reply to ]
On Oct 5, 2021, at 4:41 AM, Adam Baliko via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:

I have a private VLAN here, but my public IP is granted by my ISP. I'm
assuming this is a dynamic IP but I have no idea how often that
changes (maybe I should start noting the IPs which are banned, if they
are different). And there is only one machine making Clamav updates
within my VLAN, so if there are multiple downloads from the same IP,
then the only explanation I can think of is on the ISP level (I get a
public IP which was banned previously).
BTW, my public IP is 84.189.37.183.

I can't seem to be able to check the versions of Clamav. I have a QNAP
NAS, and as I understand Clamav is somehow baked into the firmware. I
am currently on the latest Firmware release if that is of any help.

Interestingly, today I wanted to try the manual update again to see
what IP is displayed there (should be the same, but who knows), and
instead of the usual Error 1015 successfully downloaded the daily.cvd
file. So currently my virus definitions are up to date, but I have
worries about getting my IP blocked again in the future.

1015 means you are not using Freshclam or cvdupdate to download definitions.

--
Joel Esler
Strategy, Cisco Talos Intelligence Group
Re: [clamav-users] Rate limited [ In reply to ]
It seems my problem was solved. I reduced the Update frequency to
every 2nd day and since then it's working like a charm. There was a
problem for about one week, but I figured that it was on my side.
After I fixed it (network error), I was a bit careless and made 2
quick updates, one after another to test it, and it worked. I was a
bit worried that my click-happy-ness will result in getting rate
limited again, but seemingly no. Ever since I fixed the network issue,
the updates are running flawlessly (once every 2nd day, for about a
week now).
So thanks for your help, I hope it remains fixed by now.

BR,
Adam

On Tue, Oct 5, 2021 at 4:09 PM Joel Esler (jesler) <jesler@cisco.com> wrote:
>
>
>
> On Oct 5, 2021, at 4:41 AM, Adam Baliko via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> I have a private VLAN here, but my public IP is granted by my ISP. I'm
> assuming this is a dynamic IP but I have no idea how often that
> changes (maybe I should start noting the IPs which are banned, if they
> are different). And there is only one machine making Clamav updates
> within my VLAN, so if there are multiple downloads from the same IP,
> then the only explanation I can think of is on the ISP level (I get a
> public IP which was banned previously).
> BTW, my public IP is 84.189.37.183.
>
> I can't seem to be able to check the versions of Clamav. I have a QNAP
> NAS, and as I understand Clamav is somehow baked into the firmware. I
> am currently on the latest Firmware release if that is of any help.
>
> Interestingly, today I wanted to try the manual update again to see
> what IP is displayed there (should be the same, but who knows), and
> instead of the usual Error 1015 successfully downloaded the daily.cvd
> file. So currently my virus definitions are up to date, but I have
> worries about getting my IP blocked again in the future.
>
>
> 1015 means you are not using Freshclam or cvdupdate to download definitions.
>
> --
> Joel Esler
> Strategy, Cisco Talos Intelligence Group

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml