Mailing List Archive

[clamav-users] Update problem today
Hi, I'm using ClamAV 104.2 (for Windows) and am getting an update
problem which looks like one of the mirrors isn't updated properly. It's
been doing this all day.

It's seeing that the latest version is 26521, but the file it's
downloading is 26520 and then it's trying to download a patch and that
is failing

(The daily.cvd database downloaded from https://database.clamav.net is
older than the version advertised in the DNS TXT record.
Received an older daily CVD than was advertised. We'll keep it and try
updating to the latest version with CDIFFs.)

Here's the output of freshclam -v on a blank database

Current working dir is d:\clam\db\
Can't open freshclam.dat in d:\clam\db
It probably doesn't exist yet. That's ok.
Failed to load freshclam.dat; will create a new freshclam.dat
Creating new freshclam.dat
Saved freshclam.dat
ClamAV update process started at Sat Apr 23 17:08:04 2022
Current working dir is d:\clam\db\
Querying current.cvd.clamav.net
TTL: 747
fc_dns_query_update_info: Software version from DNS: 0.103.5
Current working dir is d:\clam\db\
check_for_new_database_version: No local copy of "daily" database.
query_remote_database_version: daily.cvd version from DNS: 26521
daily database available for download (remote version: 26521)
Retrieving https://database.clamav.net/daily.cvd
downloadFile: Download source: https://database.clamav.net/daily.cvd
downloadFile: Download destination:
d:\clam\db\tmp.b7b76a09b1\clamav-a9c4531a90e867ba4f628badafcd9650.tmp
*   Trying 104.16.218.84:443...
* Connected to database.clamav.net (104.16.218.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Certificate loaded from Windows certificate store: Microsoft Root
Certificate Authority
Certificate loaded from Windows certificate store: Thawte Timestamping CA
Certificate loaded from Windows certificate store: Microsoft Root Authority
Certificate loaded from Windows certificate store: Symantec Enterprise
Mobile Root for Microsoft
Certificate loaded from Windows certificate store: Microsoft Root
Certificate Authority 2011
Certificate loaded from Windows certificate store: Microsoft
Authenticode(tm) Root
Certificate loaded from Windows certificate store: Microsoft Root
Certificate Authority 2010
Certificate loaded from Windows certificate store: Microsoft Timestamp Root
Certificate loaded from Windows certificate store: VeriSign Time Stamping CA
Certificate loaded from Windows certificate store: Sectigo (UTN Object)
Certificate loaded from Windows certificate store: DigiCert Global Root G2
Certificate loaded from Windows certificate store: GeoTrust Global CA
Certificate loaded from Windows certificate store: DigiCert Trusted Root G4
Certificate loaded from Windows certificate store: DST Root CA X3
Certificate loaded from Windows certificate store: GlobalSign Root CA - R3
Certificate loaded from Windows certificate store: DigiCert Baltimore Root
Certificate loaded from Windows certificate store: GeoTrust
Certificate loaded from Windows certificate store: Sectigo (AAA)
Certificate loaded from Windows certificate store: GlobalSign Root CA - R1
Certificate loaded from Windows certificate store: Sectigo (formerly
Comodo CA)
Certificate loaded from Windows certificate store: Starfield Class 2
Certification Authority
Certificate loaded from Windows certificate store: DigiCert
Certificate loaded from Windows certificate store: thawte
Certificate loaded from Windows certificate store: Google Trust Services
- GlobalSign Root CA-R2
Certificate loaded from Windows certificate store: VeriSign Class 3
Public Primary CA
Certificate loaded from Windows certificate store: DigiCert
Certificate loaded from Windows certificate store: VeriSign
Certificate loaded from Windows certificate store: VeriSign Universal
Root Certification Authority
Certificate loaded from Windows certificate store: Sectigo
Certificate loaded from Windows certificate store: Go Daddy Class 2
Certification Authority
Certificate loaded from Windows certificate store: DigiCert
Certificate loaded from Windows certificate store: Sectigo (AddTrust)
Certificate loaded from Windows certificate store: pscs-PLUTO-CA
Certificate loaded from Windows certificate store: pscs-VMHOST1-CA
Certificate loaded from Windows certificate store: pscs-VMHOST1-CA
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.;
CN=sni.cloudflaressl.com
*  start date: Jul 15 00:00:00 2021 GMT
*  expire date: Jul 14 23:59:59 2022 GMT
*  subjectAltName: host "database.clamav.net" matched cert's
"database.clamav.net"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after
upgrade: len=0
* Using Stream ID: 1 (easy handle 0xf8f928)
> GET /daily.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.104.2 (OS: Windows, ARCH: AMD64, CPU: AMD64, UUID: 4ec0d961-a67d-40ef-852e-817ebaf45c05)
accept: */*
connection: close

* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sat, 23 Apr 2022 16:08:04 GMT
< content-type: application/octet-stream
< content-length: 58361055
< last-modified: Fri, 22 Apr 2022 08:30:00 GMT
< etag: "62626788-37a84df"
< expires: Sun, 24 Apr 2022 04:08:04 GMT
< cache-control: public, max-age=43200
< cf-cache-status: HIT
< age: 27707
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 7007db130dd5770b-LHR
<
* Connection #0 to host database.clamav.net left intact
The daily.cvd database downloaded from https://database.clamav.net is
older than the version advertised in the DNS TXT record.
Received an older daily CVD than was advertised. We'll keep it and try
updating to the latest version with CDIFFs.
updatedb: Running g_cb_download_complete callback...
Testing database:
'd:\clam\db\tmp.b7b76a09b1\clamav-a9c4531a90e867ba4f628badafcd9650.tmp-daily.cvd'
...
Loading signatures from
d:\clam\db\tmp.b7b76a09b1\clamav-a9c4531a90e867ba4f628badafcd9650.tmp-daily.cvd
Properly loaded 1980741 signatures from
d:\clam\db\tmp.b7b76a09b1\clamav-a9c4531a90e867ba4f628badafcd9650.tmp-daily.cvd
Database test passed.
daily.cvd updated (version: 26520, sigs: 1980741, f-level: 90, builder:
raynman)
Received an older daily CVD than was advertised. We'll retry so the
incremental update will ensure we're up-to-date.
check_for_new_database_version: Local copy of daily found: daily.cvd.
query_remote_database_version: daily.cvd version from DNS: 26521
daily database available for update (local version: 26520, remote
version: 26521)
Current database is 1 version behind.
Downloading database patch # 26521...
Retrieving https://database.clamav.net/daily-26521.cdiff
downloadFile: Download source: https://database.clamav.net/daily-26521.cdiff
downloadFile: Download destination:
.\clamav-6e1f598f965bf1c38a7567ea4dbb5a57.tmp
*   Trying 104.16.218.84:443...
* Connected to database.clamav.net (104.16.218.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.;
CN=sni.cloudflaressl.com
*  start date: Jul 15 00:00:00 2021 GMT
*  expire date: Jul 14 23:59:59 2022 GMT
*  subjectAltName: host "database.clamav.net" matched cert's
"database.clamav.net"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after
upgrade: len=0
* Using Stream ID: 1 (easy handle 0x103dec0)
> GET /daily-26521.cdiff HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.104.2 (OS: Windows, ARCH: AMD64, CPU: AMD64, UUID: 4ec0d961-a67d-40ef-852e-817ebaf45c05)
accept: */*
connection: close

* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sat, 23 Apr 2022 16:08:25 GMT
< content-type: application/octet-stream
< content-length: 18762
< last-modified: Sat, 23 Apr 2022 08:22:00 GMT
< etag: "6263b728-494a"
< expires: Sun, 23 Apr 2023 16:03:59 GMT
< cache-control: public, max-age=31535734
< cf-cache-status: HIT
< age: 27688
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 7007db983eeb774d-LHR
<
Time:    0.1s, ETA:    0.1s [=============>           ] 10.37KiB/18.32KiB
Time:    0.1s, ETA:    0.1s [=============>           ] 10.37KiB/18.32KiB
Time:    0.1s, ETA:    0.0s [========================>] 18.32KiB/18.32KiB
* Connection #0 to host database.clamav.net left intact
cdiff_apply: Parsed 228 lines and executed 228 commands

ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if
there is enough disk space
available
ERROR: updatedb: Incremental update failed. Failed to build CLD.
ERROR: Unexpected error when attempting to update daily: Failed to
update database
ERROR: Database update process failed: Failed to update database
ERROR: Update failed.



--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Update problem today
Hi there,

On Sat, 23 Apr 2022, Paul Smith via clamav-users wrote:

> Hi, I'm using ClamAV 104.2 (for Windows) and am getting an update problem
> which looks like one of the mirrors isn't updated properly. It's been doing
> this all day.
> It's seeing that the latest version is 26521, but the file it's downloading
> is 26520 and then it's trying to download a patch and that is failing ...

The update to 26521 happened here at 13:29 UTC today, no problem.

> ...
> ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if there is enough disk space available

Did you check?

--

73,
Ged.

Re: [clamav-users] Update problem today
On 23 April 2022 19:11:06 "G.W. Haywood via clamav-users" wrote:
>
>> ...
>> ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if
>> there is enough disk space available
>
> Did you check?

Of course. I presume 290GB is enough

In any case why would it download the wrong version if there was a disk
space problem?

If you look at its output, Freshclam is even reporting that the version it
downloaded isn't what it was expecting to download.

It downloads (what looks like) the wrong version. Then when it sees the
mismatch, it downloads the patch, but then can't merge them. Maybe it
downloaded the right file, with the wrong version identifier, so the patch
fails?

I don't doubt that it works for many people, otherwise someone else would
probably have noticed, but it's not working here, and it's repeatable. It's
been fine until this morning

I've just tried again, and again (emptying the DB before each test, but no
other changes). It worked twice, and then stopped working again. Out of
about 20 attempts, 2 worked, the others failed with this problem. So, I'd
guess that one of the mirrors has a broken file on it, and I'm just
unlucky to be allocated that mirror most of the time.



Paul




--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

Re: [clamav-users] Update problem today
On 23/04/2022 18:34, Paul Smith via clamav-users wrote:
>
> It downloads (what looks like) the wrong version. Then when it sees
> the mismatch, it downloads the patch, but then can't merge them. Maybe
> it downloaded the right file, with the wrong version identifier, so
> the patch fails?

FWIW, This is the result of sigtool --info daily.cvd after the failed
freshclam run

C:\temp]sigtool --info db\daily.cvd
File: db\daily.cvd
Build time: 22 Apr 2022 04:30 -0400
Version: 26520
Signatures: 1980741
Functionality level: 90
Builder: raynman
MD5: cb756214fb68e5b6bdec6fa4357015f2
Digital signature:
uncyw2Ck5ZNYjZS7mIbhJcZ+1HXazERef7SKSbfHJCVCULBQstTBeRRD+qrNVDSJygv+zWyJvBCv8+Gf
BX6H4Jjazk2YOoXfyfS5G3AyCXdOfHgggUiWn49/6UMt0Mz9uQUSuQg4Ogrwer40Q6QIYJW9MUIeNPYo++lxg34RrRb
Verification OK.

If I run freshclam with that database in place, I get:

ClamAV update process started at Sat Apr 23 18:56:50 2022
daily database available for update (local version: 26520, remote
version: 26521)
Current database is 1 version behind.
Downloading database patch # 26521...
Time:    0.1s, ETA:    0.0s [========================>] 18.32KiB/18.32KiB
ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if
there is enough disk space
available
ERROR: updatedb: Incremental update failed. Failed to build CLD.
ERROR: Unexpected error when attempting to update daily: Failed to
update database
ERROR: Database update process failed: Failed to update database
ERROR: Update failed.

(there is plenty of free disk space)

I can't see what the patch file is like as that doesn't seem to get left
after freshclam terminates, and I can't see an option to prevent it
being deleted



--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
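
The mismatch reported in this message can be checked offline with a short script. This is an added example, not part of the original post and not ClamAV code: it parses the 512-byte CVD header, reads the daily version from the `current.cvd.clamav.net` TXT record, and pulls the cache headers out of the verbose download output. The sample header and TXT record are constructed; only the values quoted in the thread are real, and the function names are hypothetical.

```python
# Added example: compare a CVD header with the DNS-advertised version and
# read the CDN cache headers out of freshclam's verbose output.
from email.utils import parsedate_to_datetime

CVD_HEADER_SIZE = 512  # a .cvd begins with a colon-separated ASCII header
DNS_FIELD = {"main": 1, "daily": 2, "bytecode": 7}  # TXT record positions

# Constructed header: values from the sigtool output in the message; the
# signature and trailing timestamp fields are placeholders.
SAMPLE_CVD = (b"ClamAV-VDB:22 Apr 2022 04-30 -0400:26520:1980741:90:"
              b"cb756214fb68e5b6bdec6fa4357015f2:SIGNATURE-PLACEHOLDER:raynman:0"
              ).ljust(CVD_HEADER_SIZE)
# Constructed TXT record: only 0.103.5, 26521 and 90 come from the thread.
SAMPLE_TXT = "0.103.5:1:26521:0:0:90:0:1"
# Response header lines copied from the first download in the thread.
SAMPLE_VERBOSE = [
    "< HTTP/2 200",
    "< date: Sat, 23 Apr 2022 16:08:04 GMT",
    "< last-modified: Fri, 22 Apr 2022 08:30:00 GMT",
    "< cf-cache-status: HIT",
    "< age: 27707",
]


def parse_cvd_header(raw: bytes) -> dict:
    fields = raw[:CVD_HEADER_SIZE].decode("ascii", "replace").rstrip().split(":")
    if len(fields) < 8 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    return {"build_time": fields[1], "version": int(fields[2]),
            "sigs": int(fields[3]), "flevel": int(fields[4]),
            "md5": fields[5], "builder": fields[7]}


def advertised_version(txt_record: str, db: str = "daily") -> int:
    return int(txt_record.split(":")[DNS_FIELD[db]])


def parse_response_headers(lines) -> dict:
    """Collect '< name: value' lines from curl-style verbose output."""
    headers = {}
    for line in lines:
        if line.startswith("< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def diagnose(cvd_raw: bytes, txt_record: str, verbose_lines) -> dict:
    local = parse_cvd_header(cvd_raw)["version"]
    h = parse_response_headers(verbose_lines)
    served = parsedate_to_datetime(h["date"])
    modified = parsedate_to_datetime(h["last-modified"])
    return {
        "versions_behind": advertised_version(txt_record) - local,
        "from_cdn_cache": h.get("cf-cache-status") == "HIT",
        "cache_age_s": int(h.get("age", 0)),
        "object_age_h": round((served - modified).total_seconds() / 3600, 1),
    }
```

Against a live system, pass the first 512 bytes of the local `daily.cvd` and the current TXT answer; a nonzero `versions_behind` together with `from_cdn_cache` being true means the CDN edge served a cached copy older than the version DNS advertises.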

Re: [clamav-users] Update problem today
On Saturday, April 23, 2022 at 8:00 AM, Paul Smith wrote:
> On 23/04/2022 18:34, Paul Smith via clamav-users wrote:
> >
> > It downloads (what looks like) the wrong version. Then when it sees
> > the mismatch, it downloads the patch, but then can't merge them. Maybe
> > it downloaded the right file, with the wrong version identifier, so
> > the patch fails?
>
> FWIW, This is the result of sigtool --info daily.cvd after the failed freshclam
> run

I'm not sure when the latest update you're trying to pick up was issued, BUT
I've also got this stuff running under windows and the mail gateway server and
also for testing on my desktop computer.

Yesterday afternoon, the desktop computer's freshclam update attempts continued
failing and along with these failures I was getting Windows Defender alerts about an
issue being detected with the onaccess Windows Defender scanning. When I dug
into those reports, they pointed at a temp file in the clamav database directory
that freshclam was creating during the unpacking/update process. The Windows
Defender quarantine process interrupted the freshclam update... This may be
happening to you... I added a Windows Defender exclusion for the clamav
database directory and the updates subsequently succeeded.

- Mark

Re: [clamav-users] Update problem today
On 23/04/2022 19:26, Mark Pizzolato - Clamav-Win32 wrote:
> Yesterday afternoon, the desktop computer's freshclam update attempts continued
> failing and along with these failures I was getting Windows Defender alerts about an
> issue being detected with the onaccess Windows Defender scanning. When I dug
> into those reports, they pointed at a temp file in the clamav database directory
> that freshclam was creating during the unpacking/update process. The Windows
> Defender quarantine process interrupted the freshclam update... This may be
> happening to you... I added a Windows Defender exclusion for the clamav
> database directory and the updates subsequently succeeded.
Thanks for the idea, but it wasn't that. The ClamAV directory was not
being scanned by any other virus scanner, and surely, even if it was,
that wouldn't cause Freshclam to download an out-dated daily.cvd file

The problem 'magically' disappeared as soon as the 26522 update was
published, so, to me, it really looks as if there were bad files on one
of the mirrors. The later update would have replaced that with a correct
file, so it all works again.

Paul

--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

Re: [clamav-users] Update problem today
On 2022-04-25 11:14, Paul Smith via clamav-users wrote:
> The problem 'magically' disappeared as soon as the 26522 update was
> published, so, to me, it really looks as if there were bad files on one
> of the mirrors. The later update would have replaced that with a correct
> file, so it all works again.

I spotted a similar problem on another (unrelated) mirror hosted by
Cloudflare.

I'll dig into it if I can reproduce it again, but a cache clear seems to
have resolved it at the time.


Re: [clamav-users] Update problem today
What about proxy?

best,

Ivan Cilento

Web Developer

+551139232986

On 26/04/2022 03:32, Dave Warren via clamav-users wrote:
> On 2022-04-25 11:14, Paul Smith via clamav-users wrote:
>> The problem 'magically' disappeared as soon as the 26522 update was
>> published, so, to me, it really looks as if there were bad files on
>> one of the mirrors. The later update would have replaced that with a
>> correct file, so it all works again.
>
> I spotted a similar problem on another (unrelated) mirror hosted by
> Cloudflare.
>
> I'll dig into it if I can reproduce it again, but a cache clear seems
> to have resolved it at the time.