On 2011-07-14 at 20:33+03 Török Edwin <[email protected]> wrote:
> I think you might be able to configure freshclam to download CLDs
> with DatabaseCustomURL.
>
> Something like this (untested):
>
> DatabaseMirror <internal-server-with-some-older-version-of-cvds>
> DatabaseCustomURL http://<your-internal-webserver>/main.cld
> DatabaseCustomURL http://<your-internal-webserver>/main.cvd
> DatabaseCustomURL http://<your-internal-webserver>/daily.cld
> DatabaseCustomURL http://<your-internal-webserver>/daily.cvd
> DatabaseCustomURL http://<your-internal-webserver>/bytecode.cld
> DatabaseCustomURL http://<your-internal-webserver>/bytecode.cvd
> DatabaseCustomURL http://<your-internal-webserver>/safebrowsing.cld
> DatabaseCustomURL http://<your-internal-webserver>/safebrowsing.cvd

I've just spent some time testing this, and I think this will be a much
better solution. In essence, we can use this to force freshclam to pull
the CLD files from our private mirror, instead of the CVD files.
freshclam appears to use the timestamps of the files on the web server
to determine whether they're more recent than the local copies, and
--quiet suppresses all errors about non-existent files and duplicate
databases.

I'll test this more thoroughly, and report back how well it works for us.

> I think downloading CLD file is sufficient. On a LAN it'll probably
> be faster than downloading & applying all the individual updates.

It wouldn't surprise me. The cost of pulling the full CVD/CLD files
versus the CDIFF files over the LAN is negligible for us; we have plenty
of bandwidth there. What we're trying to minimize is the amount of data
we have to pull from the (public) clam mirrors.

> The CLD files are digitally signed too, so you get almost the same
> integrity checks as with the CVD already.

Are you sure about that? Because sigtool says:

$ sigtool -i safebrowsing.cvd
File: safebrowsing.cvd
Build time: 14 Jul 2011 14:45 -0400
Version: 30807
Signatures: 710259
Functionality level: 60
Builder: google
MD5: 2b1b2e868dd74f2aab83bb79c55a68d8
Digital signature: ZstS5RdHytv71PgvErgszQPaVbPqtqgmNrE+w//3lgS0bhP6rrPb87NVfncufL9H2kh/LLx1wwyMPPIJVWsbSYKck4vcwz+ErezX+81gTilryxcrmmEMTWH6WjRvKj24wuqSIF78473JuZWB6Wwi8q2Wgojh1BgBaCB7ghuV/3j
LibClamAV Warning: Detected duplicate databases safebrowsing.cvd and safebrowsing.cld, please manually remove one of them
Verification OK.

$ sigtool -i safebrowsing.cld
File: safebrowsing.cld
Build time: 14 Jul 2011 14:45 -0400
Version: 30807
Signatures: 710259
Functionality level: 60
Builder: google
Verification OK.

The CLD file lacks the "MD5" and "Digital signature" info. Is there
another signature that sigtool isn't displaying?

But even if the CLD files aren't digitally signed, that's not a
dealbreaker, as we can create other mechanisms to verify that the CLD
files weren't tampered with on the wire.
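Added example, not part of the original message and not ClamAV code: a Python check of the header-level MD5 field that sigtool prints for the CVD above, which reports when a file's header carries no usable checksum so that an out-of-band check on the mirror is needed. It assumes the 512-byte, colon-separated `ClamAV-VDB` header, and assumes that a CLD stores the placeholder `X` in the MD5 and signature fields; the sample files, `build_sample` and `header_check` are constructed for illustration, and the digital signature itself is not verified here.

```python
import hashlib

HEADER_LEN = 512  # fixed-size, space-padded text header at the start of the file
FIELDS = ("magic", "build_time", "version", "signatures", "flevel",
          "md5", "dsig", "builder", "stime")
PLACEHOLDER = "X"  # assumption: what a CLD header holds in md5/dsig

def parse_header(blob: bytes) -> dict:
    """Split the header into its nine colon-separated fields."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than the 512-byte header")
    parts = blob[:HEADER_LEN].decode("ascii", "replace").rstrip().split(":")
    if len(parts) != len(FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV database header")
    return dict(zip(FIELDS, parts))

def header_check(blob: bytes) -> str:
    """Return 'md5-ok', 'md5-mismatch' or 'no-header-checksum'."""
    hdr = parse_header(blob)
    if PLACEHOLDER in (hdr["md5"], hdr["dsig"]):
        # Nothing in the header to compare the body against: the mirror
        # has to supply integrity some other way (e.g. a signed manifest).
        return "no-header-checksum"
    actual = hashlib.md5(blob[HEADER_LEN:]).hexdigest()
    return "md5-ok" if actual == hdr["md5"] else "md5-mismatch"

def build_sample(md5: str, dsig: str, body: bytes) -> bytes:
    """Construct a sample database file (hypothetical helper)."""
    head = ("ClamAV-VDB:14 Jul 2011 14-45 -0400:30807:710259:60:"
            f"{md5}:{dsig}:google:1310669100")  # stime value is constructed
    return head.encode("ascii").ljust(HEADER_LEN, b" ") + body

# Constructed samples: the body stands in for the compressed signature archive.
BODY = b"constructed stand-in for the signature archive"
SAMPLE_CVD = build_sample(hashlib.md5(BODY).hexdigest(), "CONSTRUCTED-DSIG", BODY)
SAMPLE_CLD = build_sample(PLACEHOLDER, PLACEHOLDER, BODY)
TAMPERED_CVD = SAMPLE_CVD[:-1] + b"!"  # one body byte changed in transit

if __name__ == "__main__":
    for name, blob in (("cvd", SAMPLE_CVD), ("cld", SAMPLE_CLD),
                       ("tampered cvd", TAMPERED_CVD)):
        print(f"{name}: {header_check(blob)}")
```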
