Mailing List Archive

[clamav-users] Error 403 downloading virus updates
I am running ClamAV on a number of servers running different Linux distributions and, therefore, different versions of the ClamAV engine. 2 of the servers have started to give errors when trying to upload the definition files. These errors came to light as emails I received,

In following this through, it would appear that Cloudflare is returning an "Error 1020" which ripples down to ClamAV as a 403 error.

Cloudflare say that this error is because the client has contravened a firewall rule but, as the client, I cannot see what this is so have no idea how to fix it.

One test I have carried out is to download the file from another computer on the same network using the same firewall for NAT (so the same IP address to the remote servers) using a web browser and the file downloads OK. This would suggest that I am not being blocked due to a limit on how many requests can be delivered from a given IP address.

I have tried to update ClamAV but there is no newer package for the distribution. It is possible (although I can't prove it) that Cloudflare is checking the user agent and seeing my installation is too old?

This is the email that warned me of the problem:
===========================================================================
ERROR: downloadFile: Unexpected response (403) from database.clamav.net/daily-26440.cdiff
ERROR: getpatch: Can't download daily-26440.cdiff from database.clamav.net/daily-26440.cdiff
ERROR: downloadFile: Unexpected response (403) from database.clamav.net/daily.cvd
ERROR: getcvd: Can't download daily.cvd from database.clamav.net/daily.cvd
ERROR: Update failed for database: daily
ERROR: Database update process failed: HTTP GET failed (11)
ERROR: Update failed.
===========================================================================



and this is the output from freshclam --debug --verbose
===========================================================================
ClamAV update process started at Thu Feb 10 15:21:42 2022
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 587
fc_dns_query_update_info: Software version from DNS: 0.103.5
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.102.4 Recommended version: 0.103.5
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Current working dir is /var/lib/clamav/
check_for_new_database_version: No local copy of "daily" database.
query_remote_database_version: daily.cvd version from DNS: 26449
daily database available for download (remote version: 26449)
Retrieving https://database.clamav.net/daily.cvd
downloadFile: Download source: https://database.clamav.net/daily.cvd
downloadFile: Download destination: /var/lib/clamav/tmp.d974a/clamav-57c27d81b66a259b02e9dc00177a1f51.tmp
* About to connect() to database.clamav.net port 443 (#0)
* Trying 104.16.218.84...
* Connected to database.clamav.net (104.16.218.84) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=sni.cloudflaressl.com,O="Cloudflare, Inc.",L=San Francisco,ST=California,C=US
* start date: Jul 15 00:00:00 2021 GMT
* expire date: Jul 14 23:59:59 2022 GMT
* common name: sni.cloudflaressl.com
* issuer: CN=Cloudflare Inc ECC CA-3,O="Cloudflare, Inc.",C=US
> GET /daily.cvd HTTP/1.1
User-Agent: ClamAV/0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Host: database.clamav.net
Accept: */*
Connection: close

< HTTP/1.1 403 Forbidden
< Date: Thu, 10 Feb 2022 15:21:42 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 16
< Connection: close
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: same-origin
< Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Strict-Transport-Security: max-age=15552000
< X-Content-Type-Options: nosniff
< Server: cloudflare
< CF-RAY: 6db6542848e5f3df-LHR
<
Time: 0.3s, ETA: 0.0s [=============================>] 16B/16B
* Closing connection 0
WARNING: downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd
WARNING: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Trying again in 5 secs...
======================================================================================================

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Error 403 downloading virus updates
On Thu, 10 Feb 2022, Paul Furnival via clamav-users wrote:

> I am running ClamAV on a number of servers running different Linux
> distributions and, therefore, different versions of the ClamAV
> engine. 2 of the servers have started to give errors when trying to
> upload the definition files. These errors came to light as emails I
> received,

> I have tried to update ClamAV but there is no newer package for the
> distribution. It is possible (although I can't prove it) that
> Cloudflare is checking the user agent and seeing my installation is
> too old?

You are correct.

> This is the email that warned me of the problem:
> ===========================================================================
> ERROR: downloadFile: Unexpected response (403) from database.clamav.net/daily-26440.cdiff
> ERROR: getpatch: Can't download daily-26440.cdiff from database.clamav.net/daily-26440.cdiff
> ERROR: downloadFile: Unexpected response (403) from database.clamav.net/daily.cvd
> ERROR: getcvd: Can't download daily.cvd from database.clamav.net/daily.cvd
> ERROR: Update failed for database: daily
> ERROR: Database update process failed: HTTP GET failed (11)
> ERROR: Update failed.
> ===========================================================================
>
>
>
> and this is the output from freshclam --debug --verbose
> ===========================================================================
> ClamAV update process started at Thu Feb 10 15:21:42 2022
> Current working dir is /var/lib/clamav/
> Querying current.cvd.clamav.net
> TTL: 587
> fc_dns_query_update_info: Software version from DNS: 0.103.5
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.102.4 Recommended version: 0.103.5

This is your problem.

> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav

https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
might be more helpfully accurate.

You could host a local mirror
https://docs.clamav.net/appendix/CvdPrivateMirror.html
(includes suggestion of an HTTP proxy)
or run a networked clamd and replace clamscan with clamdscan on the problem machines
or even network share /var/lib/clamav/

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: [clamav-users] Error 403 downloading virus updates
Hi Paul,

According to https://docs.clamav.net/faq/faq-eol.html, version 102
reached EOL Jan 3, with database downloads no longer permitted.

Dave.

Re: [clamav-users] Error 403 downloading virus updates
You’ll definitely need to upgrade. I imagine the minimum fLevel for the cvd files will have been moved as well, and if so, won’t work on older installations at all.

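
A triage helper for the failure discussed in this thread, added here as an example (not code from the ClamAV project or from any poster): it pulls the User-Agent version, HTTP status and Cloudflare ray ID out of `freshclam --debug --verbose` output and names the likely cause. The function names, the cause labels and the `EOL_THROUGH` cutoff (0.102, taken from the replies above) are assumptions, and the log excerpt is constructed.

```python
import re

# Constructed excerpt, shaped like the `freshclam --debug --verbose` output in this thread.
SAMPLE_LOG = """\
fc_dns_query_update_info: Software version from DNS: 0.103.5
WARNING: Local version: 0.102.4 Recommended version: 0.103.5
> GET /daily.cvd HTTP/1.1
User-Agent: ClamAV/0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Host: database.clamav.net
< HTTP/1.1 403 Forbidden
< Server: cloudflare
< CF-RAY: 0000000000000000-XXX
WARNING: downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd
"""

# Assumption taken from the thread: 0.102.x is end-of-life and refused database downloads.
EOL_THROUGH = (0, 102)

def parse_version(text):
    """Turn '0.102.4' into (0, 102, 4) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def triage(log, eol_through=EOL_THROUGH):
    """Extract the facts that explain a failed update and name the likely cause."""
    def grab(pattern):
        match = re.search(pattern, log, re.MULTILINE)
        return match.group(1).strip() if match else None

    facts = {
        # The version the CDN actually sees is the one in the request header.
        "user_agent_version": grab(r"^(?:> )?User-Agent: ClamAV/([\d.]+)"),
        "recommended_version": grab(r"Recommended version: ([\d.]+)"),
        "status": grab(r"^< HTTP/\d(?:\.\d)? (\d{3})"),
        "server": grab(r"^< Server: (\S+)"),
        "cf_ray": grab(r"^< CF-RAY: (\S+)"),  # quote this when asking for help
    }
    status, ua = facts["status"], facts["user_agent_version"]
    if status == "403" and ua and parse_version(ua)[:2] <= eol_through:
        cause = "eol-version-refused"   # upgrade or use a private mirror
    elif status == "403":
        cause = "blocked-other"         # supported version, so look elsewhere
    elif status == "429":
        cause = "rate-limited"          # HTTP 429 Too Many Requests
    elif status == "200":
        cause = "ok"
    else:
        cause = "unknown"
    facts["cause"] = cause
    return facts

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
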