Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903

2019-05-26 Thread Simon Mousey Smith via clamav-users
Hi

Same here UK clamav with our mailcleaner 

Every one of our backup pdfs are being marked with this even though they have been 
fine for years

Prob a false positive

Regards

Simon

Sent from my iPhone

> On 25 May 2019, at 21:54, Hans Morten Kind via clamav-users wrote:
> 
> Seems like every pdf-file is marked as infected by
>  Win.Exploit.CVE_2019_0903-6966169-0
> 
> I have put it into local.ign2 and restarted my clamd 
> hmk
> 
> 
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml


Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-09 Thread Simon Mousey Smith
Hi,

We started seeing the same problem here

It was fine during the night but then this morning started again with the 
WARNING messages?

[root@mailgw ~]# host -t txt current.cvd.clamav.net
current.cvd.clamav.net descriptive text 
"0.99.2:58:24027:1510207861:1:63:46632:318"
[root@mailgw ~]# date
Thu Nov  9 10:27:43 GMT 2017
[root@mailgw ~]# 

Regards

Simon

> On 9 Nov 2017, at 10:05, Adolf Belka  wrote:
> 
> I am still seeing the message. Periodically it stops and when I check that is 
> when the time from the DNS record has become closer to my computers time but 
> then the delta progressively increases and exceeds the 3 hours and the 
> message starts again. Today it started again at 10:12 (Netherlands time 
> zone). At 9:56 it was fine.
> 
> Here is the DNS TXT value I get:-
> 
> current.cvd.clamav.net descriptive text 
> "0.99.2:58:24027:1510207861:1:63:46632:318"
> 
> My current computer time was 1510221600.
> 
> The following came from the dig command:-
> 
> ; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> current.cvd.clamav.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20331
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;current.cvd.clamav.net.   IN  A
> 
> ;; AUTHORITY SECTION:
> cvd.clamav.net.   3600  IN  SOA  ns3.clamav.net. 
> hostmaster.oltrelinux.com. 2006375260 1800 900 604800 7200
> 
> ;; Query time: 281 msec
> ;; SERVER: 192.168.26.254#53(192.168.26.254)
> ;; WHEN: Thu Nov 09 11:03:50 CET 2017
> ;; MSG SIZE  rcvd: 116
> 
> Regards,
> 
> Adolf Belka
> 
> Sent from my Desktop Computer
> 
> On 08/11/17 20:47, David Raynor wrote:
>> The DNS records are being updated at the source properly now. If you are
>> still seeing an error, then the proper record is not reaching the server
>> you are contacting for DNS or not propagating correctly to your area or
>> something like that.
>> 
>> If you are still seeing those errors, let us know what the value of the DNS
>> TXT record you are seeing for current.cvd.clamav.net. You can use "host" or
>> "dig" or another command to check it.
>> 
>> Example (with current value):
>> 
>> $ host -t txt current.cvd.clamav.net
>> current.cvd.clamav.net descriptive text
>> "0.99.2:58:24025:1510165084:1:63:46630:318"
>> 
>> Dave R.
>> 
>> On Wed, Nov 8, 2017 at 11:34 AM, Noel Jones  wrote:
>> 
>>> I'm still getting these errors too.   :\
>>> 
>>> 
>>> 
>>> 
>>>   -- Noel Jones
>>> 
>>> 
>>> On 11/8/2017 9:50 AM, Joel Esler (jesler) wrote:
>>>> The team working on these issues is seeing these emails, so it’s good
>>>> that you are writing in, if you are still experiencing issues.
>>> 
>> 
>> 
> 

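The 3-hour check discussed in this thread, as an added example (not part of any poster's message and not freshclam's own code): it parses the current.cvd.clamav.net TXT value and classifies it against a given clock. The field names, the strict greater-than comparison and the helper names are assumptions; the sample records are the ones quoted in the thread, joined onto one line.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_AGE = 3 * 60 * 60  # seconds; the limit named in the warning text

# Records quoted in the thread (host -t txt output, joined onto one line).
DAVE_RECORD = ('current.cvd.clamav.net descriptive text '
               '"0.99.2:58:24025:1510165084:1:63:46630:318"')
ADOLF_RECORD = ('current.cvd.clamav.net descriptive text '
                '"0.99.2:58:24027:1510207861:1:63:46632:318"')


@dataclass(frozen=True)
class CvdRecord:
    software: str   # software version from DNS, e.g. "0.99.2"
    main: int       # main.cvd version from DNS
    daily: int      # daily.cvd version from DNS
    timestamp: int  # Unix time carried in the record
    rest: tuple     # remaining fields, not interpreted in this example


def parse_txt(line):
    """Parse a raw TXT string or a whole `host -t txt` output line."""
    first, last = line.find('"'), line.rfind('"')
    payload = line[first + 1:last] if 0 <= first < last else line.strip()
    fields = payload.split(":")
    if len(fields) < 4:
        raise ValueError(f"expected at least 4 ':'-separated fields: {payload!r}")
    try:
        main, daily, stamp = (int(f) for f in fields[1:4])
    except ValueError as exc:
        raise ValueError(f"non-numeric version or timestamp: {payload!r}") from exc
    return CvdRecord(fields[0], main, daily, stamp, tuple(fields[4:]))


def utc(year, month, day, hour, minute, second=0):
    """Unix time for a UTC wall-clock value (avoids local time zone mistakes)."""
    moment = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(moment.timestamp())


def stale_after(record, max_age=MAX_AGE):
    """Last second at which the record still passes the age check."""
    return record.timestamp + max_age


def check(record, now, max_age=MAX_AGE):
    """Return (verdict, age_in_seconds) for the record at local time `now`."""
    age = now - record.timestamp
    if age < 0:
        # Record looks newer than the local clock: suspect the clock, not DNS.
        return "clock-skew", age
    if age > max_age:
        return "stale", age
    return "fresh", age


if __name__ == "__main__":
    record = parse_txt(ADOLF_RECORD)
    samples = [
        ("computer time reported with the record", 1510221600),
        ("09:56 CET, reported as fine", utc(2017, 11, 9, 8, 56)),
        ("10:12 CET, warning reported again", utc(2017, 11, 9, 9, 12)),
        ("10:27:43 GMT, date output in the reply", utc(2017, 11, 9, 10, 27, 43)),
    ]
    print(f"daily={record.daily} record time={record.timestamp}")
    for label, now in samples:
        verdict, age = check(record, now)
        print(f"{label}: {verdict} (age {age} s, limit {MAX_AGE} s)")
```

If the same record was being served at both times, it crosses the limit at 10:11:01 CET, which matches the report of a clean run at 9:56 and a warning at 10:12.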
Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-08 Thread Simon Mousey Smith
Maybe not every day but every week maybe?

Has the issue been resolved yet?

Simon

> On 8 Nov 2017, at 14:02, Reindl Harald  wrote:
> 
> 
> 
> Am 08.11.2017 um 14:43 schrieb Jeff:
>> Since October 31st, I get the following DNS warnings every time freshclam
>> runs:
>> ...
>> ClamAV update process started at Tue Nov 07 09:26:33 2017
>> +++WARNING: DNS record is older than 3 hours.+++
>> +++WARNING: Invalid DNS reply. Falling back to HTTP mode.+++
> 
> do we really need each day a new thread about it?


Re: [clamav-users] fail updates

2017-11-07 Thread Simon Mousey Smith
Hi,

Still having a few issues here, even after ' rm -rfv mirrors.dat '

Reading CVD header (main.cvd): WARNING: main.cvd not found on remote server
WARNING: Can't read main.cvd header from db.gb.clamav.net (IP: 193.1.193.64)

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Regards

Simon

> On 7 Nov 2017, at 00:41, Paul Kosinski  wrote:
> 
> I killed our "mirrors.dat" at 2017-11-06 19:35:35 (EST). It was last
> modified at 2017-11-06 18:06:29 (EST). We'll see what happens.
> 
> Paul Kosinski
> 
> 
> 
> On Mon, 6 Nov 2017 21:21:58 +
> "Joel Esler (jesler)"  wrote:
> 
>> It would be helpful, if, starting now, deleting mirrors.dat and
>> *then* telling us about failing mirrors…. Cause…. We’ve done many
>> changes in the past month, it would be good to start from a clean
>> slate.
>> 
>> 
>> --
>> Joel Esler | Talos: Manager |
>> jes...@cisco.com
> 

Re: [clamav-users] update mirror trouble?

2017-11-06 Thread Simon Mousey Smith
Hi,

Same here still having problems but slightly different

ClamAV update process started at Mon Nov  6 09:46:22 2017
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
junk.ndb is up to date (version: custom database)
jurlbl.ndb is up to date (version: custom database)
phish.ndb is up to date (version: custom database)
rogue.hdb is up to date (version: custom database)
sanesecurity.ftm is up to date (version: custom database)
scam.ndb is up to date (version: custom database)
spamimg.hdb is up to date (version: custom database)
winnow_malware.hdb is up to date (version: custom database)
winnow_malware_links.ndb is up to date (version: custom database)
sigwhitelist.ign2 is up to date (version: custom database)
spamattach.hdb is up to date (version: custom database)
spear.ndb is up to date (version: custom database)
spearl.ndb is up to date (version: custom database)
blurl.ndb is up to date (version: custom database)
winnow.attachments.hdb is up to date (version: custom database)
winnow_bad_cw.hdb is up to date (version: custom database)
winnow_extended_malware.hdb is up to date (version: custom database)
bofhland_cracked_URL.ndb is up to date (version: custom database)
bofhland_malware_URL.ndb is up to date (version: custom database)
bofhland_phishing_URL.ndb is up to date (version: custom database)
bofhland_malware_attach.hdb is up to date (version: custom database)
crdfam.clamav.hdb is up to date (version: custom database)
malwarehash.hsb is up to date (version: custom database)
porcupine.ndb is up to date (version: custom database)
phishtank.ndb is up to date (version: custom database)
porcupine.hsb is up to date (version: custom database)
hackingteam.hsb is up to date (version: custom database)
badmacro.ndb is up to date (version: custom database)
Sanesecurity_sigtest.yara is up to date (version: custom database)
Sanesecurity_spam.yara is up to date (version: custom database)
Reading CVD header (main.cvd): WARNING: Can't read main.cvd header from 
database.clamav.net (IP: )
Trying again in 5 secs…

Regards

Simon

> On 6 Nov 2017, at 06:16, Tsutomu Oyamada  wrote:
> 
> Hi,
> 
> It looks like that Updating of CVD in database.clamav.net is not working
> (stopping).
> Do you have any trouble problem happened?
> 
> We are in Japan, and it set CNAME for database.clamav.net as
> db.jp.clamav.net.
> db.jp.clamav.net has 4 IP addresses and those are working in roundrobin.
> Every sites are working, but CVD version stops at 24010 as follows.
> 
> db.jp.clamav.net.   39  IN  A   218.44.253.75
> db.jp.clamav.net.   39  IN  A   203.178.137.175
> db.jp.clamav.net.   39  IN  A   27.96.54.66
> db.jp.clamav.net.   39  IN  A   124.35.85.83
> 
> 

Re: [clamav-users] Mirror Sync Outage for ClamAV updates

2017-11-01 Thread Simon Mousey Smith
Would this explain why all morning I've been getting this error?

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Regards

Simon

> On 1 Nov 2017, at 14:43, Joel Esler (jesler)  wrote:
> 
> http://blog.clamav.net/2017/11/mirror-sync-outage-for-clamav-av-updates.html
> 
> ClamAV Community --
> 
> ClamAV is currently experiencing an issue with one of our sync servers that 
> provides updates from our infrastructure out to the ClamAV mirrors.
> 
> Since end-users receive their updates from the ClamAV mirrors, this means 
> that currently, ClamAV AV updates are currently not available.
> 
> Our operations team is currently working on the issue, and we will provide 
> updates as needed.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 


Re: [clamav-users] Ppt.Exploit.CVE_2017_0199-6336815-1 FP?

2017-10-05 Thread Simon Mousey Smith
Hi,

We have a few this morning from a few of our servers too which contain docx 
files

thisisasecretfile.docx: Ppt.Exploit.CVE_2017_0199-6336815-1 FOUND

Regards

Simon

> On 5 Oct 2017, at 09:49, Al Varnell  wrote:
> 
> Please don't include signatures that apply to "Any File" in an e-mail as it 
> was detected as infected upon arrival and could easily be blocked by 
> intermediate mail servers.
> 
> -Al-
> 
> On Thu, Oct 05, 2017 at 01:42 AM, Hajo Locke wrote:
>> since yesterday we found a lot of malware called 
>> Ppt.Exploit.CVE_2017_0199-6336815-1
>> Hitrate is extremely increasing. Currently I believe this is a FP.
>> Signature looks short:
>> Ppt.Exploit.CVE_2017_0199-6336815-1 
>> This decodes to:
>> 
>> 
>> Unfortunately I can't send samples of found docx-files, because they are 
>> private.
>> Anybody else noticed this behaviour?
>> 
>> Thanks,
>> Hajo


Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-25 Thread Simon Mousey Smith
Hi

I think there is a fault with that particular provider of the mirror

whois 193.1.193.64 is showing as HEANET-MIRROR

My 'dig database.clamav.net ' in the UK Liverpool 
here WAS showing as that IP address,

however the round-robin doesn’t seem to use that server anymore strangely 
enough? and NOW using others instead

Maybe contact heanet and ask them if there is an issue with their mirror server

Or change ya freshclam.conf to use another dns like db.uk.clamav.net 


Regards

Simon

> On 25 Aug 2017, at 09:37, briancullen  wrote:
> 
> The problem has me (also in Australia) still stuck on 23695:
> 
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: 
> sigmgr)
> WARNING: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> WARNING: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> ERROR: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: getfile: daily.cvd not found on remote server (IP: 193.1.193.64)
> ERROR: Can't download daily.cvd from database.clamav.net
> Giving up on database.clamav.net...
> 
>> On 25 Aug 2017, at 6:24 pm, Paul Dean  wrote:
>> 
>> Hi,
>> 
>> I've checked the lists and nuked the mirror.dat file as suggested, but still 
>> getting failure on dling daily-23699.cdiff via freshclam.
>> Also tried via wget, and got a 404 error. So currently I'm stuck on 23698.
>> 
>> Also nuked all .cld files and still failed.
>> 
>> I've got a few servers/machines that use ClamAV, so hoping a overall fix 
>> instead of each machine would be preferable.
>> 
>> All machines are based in AU and failures happen with db.local.clamav.net 
>> and database.clamav.net.
>> 
>> -- 
>> 
>> Thanks
>> 
>> Paul Dean.
>> 
>> "Life is not WHAT you make it, it's WHO you have in it..."

Re: [clamav-users] Unable to download database

2017-08-24 Thread Simon Mousey Smith
Managed to get it working again from a user who helped 

Toss your /usr/lib/clamav/mirrors.dat file to eliminate the Ignoring mirror 
messages.

And then seemed to start working again

Simon

Sent from my iPhone

> On 24 Aug 2017, at 11:49, Gene Heskett  wrote:
> 
>> On Thursday 24 August 2017 04:11:55 Simon Mousey Smith wrote:
>> 
>> Hi All
>> 
>> Still having issue here in UK Liverpool
>> 
>> WARNING: getfile: daily.cvd not found on database.clamav.net (IP:
>> 193.1.193.64)
>> 
>> Regards
>> 
>> Simon
>> 
>> Sent from my iPhone
> 
> I'm having trouble with a couple sites in the last few hours too:
> 
> Wed Aug 23 03:10:11 2017 -> main.cld is up to date (version: 58, sigs: 
> 4566249, f-level: 60, builder: sigmgr)
> Wed Aug 23 03:10:31 2017 -> WARNING: getfile: daily-23700.cdiff not found 
> on db.us.clamav.net (IP: 204.130.133.50)
> Wed Aug 23 03:10:31 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:10:33 2017 -> WARNING: getfile: daily-23700.cdiff not found 
> on db.us.clamav.net (IP: 194.8.197.22)
> Wed Aug 23 03:10:34 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:10:34 2017 -> Trying host db.us.clamav.net 
> (69.163.100.14)...
> Wed Aug 23 03:11:04 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:11:04 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 69.163.100.14)
> Wed Aug 23 03:11:04 2017 -> Trying host db.us.clamav.net 
> (200.236.31.1)...
> Wed Aug 23 03:11:10 2017 -> WARNING: getfile: daily-23700.cdiff not found 
> on db.us.clamav.net (IP: 200.236.31.1)
> Wed Aug 23 03:11:10 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:11:40 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:11:40 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 69.12.162.28)
> Wed Aug 23 03:11:40 2017 -> Trying host db.us.clamav.net 
> (64.6.100.177)...
> Wed Aug 23 03:12:10 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:12:10 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 64.6.100.177)
> Wed Aug 23 03:12:10 2017 -> Trying host db.us.clamav.net 
> (150.214.142.197)...
> Wed Aug 23 03:12:40 2017 -> nonblock_recv: recv timing out (30 secs)
> Wed Aug 23 03:12:40 2017 -> WARNING: getfile: Error while reading 
> database from db.us.clamav.net (IP: 150.214.142.197): Operation now in 
> progress
> Wed Aug 23 03:12:40 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:12:40 2017 -> Trying host db.us.clamav.net 
> (194.186.47.19)...
> Wed Aug 23 03:13:38 2017 -> nonblock_recv: recv timing out (30 secs)
> Wed Aug 23 03:13:38 2017 -> WARNING: getfile: Error while reading 
> database from db.us.clamav.net (IP: 194.186.47.19): Operation now in 
> progress
> Wed Aug 23 03:13:38 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:13:38 2017 -> WARNING: Incremental update failed, trying to 
> download daily.cvd
> Wed Aug 23 03:14:08 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:14:08 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 204.130.133.50)
> Wed Aug 23 03:14:38 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:14:38 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 207.57.106.31)
> Wed Aug 23 03:14:38 2017 -> Trying host db.us.clamav.net 
> (69.12.162.28)...
> Wed Aug 23 03:15:08 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:15:08 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 69.12.162.28)
> Wed Aug 23 03:15:08 2017 -> Trying host db.us.clamav.net 
> (64.6.100.177)...
> Wed Aug 23 03:15:38 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:15:38 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 64.6.100.177)
> Wed Aug 23 03:15:38 2017 -> Trying host db.us.clamav.net (64.22.33.90)...
> Wed Aug 23 03:16:08 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:16:08 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 64.22.33.90)
> Wed Aug 23 03:16:08 2017 -> Trying host db.us.clamav.net 
> (200.236.31.1)...
> Wed Aug 23 03:29:28 2017 -> Downloading daily.cvd [100%]
> Wed Aug 23 03:29:29 2017 -> ERROR: Verification: Can'

Re: [clamav-users] Freshclam failure

2017-08-24 Thread Simon Mousey Smith
BINGO!!!   GENIUS!!!   FIXED!!!

Been banging my head against the wall all morning trying to resolve it

Simon

> On 24 Aug 2017, at 11:05, Al Varnell  wrote:
> 
> Toss your mirrors.dat file to eliminate the Ignoring mirror messages.
> 
> -Al-
> 
> On Aug 24, 2017, at 3:02 AM, Simon Mousey Smith  
> wrote:
> 
>> Still having probs here in the uk liverpool and sadly can’t change the DNS 
>> records as its using a local dns internally
>> 
>> Retrieving http://database.clamav.net/daily-23702.cdiff
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> Ignoring mirror 193.1.193.64 (due to previous errors)
>> Ignoring mirror 178.79.177.182 (due to previous errors)
>> WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
>> Retrieving http://database.clamav.net/daily-23702.cdiff
>> Ignoring mirror 193.1.193.64 (due to previous errors)
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> Ignoring mirror 178.79.177.182 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
>> Retrieving http://database.clamav.net/daily-23702.cdiff
>> Ignoring mirror 193.1.193.64 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> Ignoring mirror 178.79.177.182 (due to previous errors)
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> ERROR: getpatch: Can't download daily-23702.cdiff from database.clamav.net
>> WARNING: Incremental update failed, trying to download daily.cvd
>> Whitelisting short-term blacklisted mirrors
>> Retrieving http://database.clamav.net/daily.cvd
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> Trying host database.clamav.net (193.1.193.64)...
>> Trying to download http://database.clamav.net/daily.cvd (IP: 193.1.193.64)
>> WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 
>> 193.1.193.64)
>> ERROR: Can't download daily.cvd from database.clamav.net
>> Querying daily.0.82.0.0.C101C140.ping.clamav.net
>> Giving up on database.clamav.net...
>> Update failed. Your network may be down or none of the mirrors listed in 
>> /etc/freshclam.conf is working. Check 
>> http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
>> 
>> [root@mailgw etc]# dig database.clamav.net
>> 
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> database.clamav.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14816
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;database.clamav.net.   IN  A
>> 
>> ;; ANSWER SECTION:
>> database.clamav.net.   24  IN  CNAME   db.local.clamav.net.
>> db.local.clamav.net.   7200  IN  CNAME   db.uk.clamav.net.
>> db.uk.clamav.net.   24  IN  A   81.91.100.173
>> db.uk.clamav.net.   24  IN  A   193.1.193.64
>> db.uk.clamav.net.   24  IN  A   178.79.177.182
>> db.uk.clamav.net.   24  IN  A   129.67.1.218
>> 
>> ;; Query time: 79 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Thu Aug 24 11:00:42 2017
>> ;; MSG SIZE  rcvd: 144
>> 
>> Any ideas?
>> 
>> Simon
>> 
>>> On 24 Aug 2017, at 10:49, Bill Maidment  wrote:
>>> 
>>> Yeah that worked. Thanks
>>> I guess that server will get a good working over now.
>>> 
>>> 
>>> -Original message-
>>>> From:Simon Wilson 
>>>> Sent: Thursday 24th August 2017 19:26
>>>> To: clamav-users@lists.clamav.net
>>>> Subject: Re: [clamav-users] Freshclam failure
>>>> 
>>>> I got mine working by pointing it to 'de' in /etc/freshclam.conf
>>>> 
>>>> - Message from Bill Maidment  -
>>>>   Date: Thu, 24 Aug 2017 19:24:04 +1000
>>>>   From: Bill Maidment 
>>>> Reply-To: ClamAV users ML 
>>>> Subject: Re: [clamav-users] Freshclam failure
>>>> To: ClamAV users ML 
>>>> 
>>>> 
>>>>> It's still failing here:
>>>>> 
>>>>> wget http://database.clamav.net/main.cvd
>>>>> --2017-08-24 19:21:28--  http://database.clamav.net/main.cvd
>>>>> 

Re: [clamav-users] Freshclam failure

2017-08-24 Thread Simon Mousey Smith
Still having probs here in the uk liverpool and sadly can’t change the DNS 
records as its using a local dns internally

Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
Ignoring mirror 81.91.100.173 (due to previous errors)
ERROR: getpatch: Can't download daily-23702.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Whitelisting short-term blacklisted mirrors
Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Trying host database.clamav.net (193.1.193.64)...
Trying to download http://database.clamav.net/daily.cvd (IP: 193.1.193.64)
WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)
ERROR: Can't download daily.cvd from database.clamav.net
Querying daily.0.82.0.0.C101C140.ping.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in 
/etc/freshclam.conf is working. Check 
http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

[root@mailgw etc]# dig database.clamav.net

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> database.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14816
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;database.clamav.net.   IN  A

;; ANSWER SECTION:
database.clamav.net.   24  IN  CNAME   db.local.clamav.net.
db.local.clamav.net.   7200  IN  CNAME   db.uk.clamav.net.
db.uk.clamav.net.   24  IN  A   81.91.100.173
db.uk.clamav.net.   24  IN  A   193.1.193.64
db.uk.clamav.net.   24  IN  A   178.79.177.182
db.uk.clamav.net.   24  IN  A   129.67.1.218

;; Query time: 79 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 24 11:00:42 2017
;; MSG SIZE  rcvd: 144

Any ideas?

Simon

> On 24 Aug 2017, at 10:49, Bill Maidment  wrote:
> 
> Yeah that worked. Thanks
> I guess that server will get a good working over now.
> 
> 
> -Original message-
>> From:Simon Wilson 
>> Sent: Thursday 24th August 2017 19:26
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Freshclam failure
>> 
>> I got mine working by pointing it to 'de' in /etc/freshclam.conf
>> 
>> - Message from Bill Maidment  -
>> Date: Thu, 24 Aug 2017 19:24:04 +1000
>> From: Bill Maidment 
>> Reply-To: ClamAV users ML 
>>  Subject: Re: [clamav-users] Freshclam failure
>>   To: ClamAV users ML 
>> 
>> 
>>> It's still failing here:
>>> 
>>> wget http://database.clamav.net/main.cvd
>>> --2017-08-24 19:21:28--  http://database.clamav.net/main.cvd
>>> Resolving database.clamav.net (database.clamav.net)... 193.1.193.64
>>> Connecting to database.clamav.net  
>>> (database.clamav.net)|193.1.193.64|:80... connected.
>>> HTTP request sent, awaiting response... 404 Not Found
>>> 2017-08-24 19:21:29 ERROR 404: Not Found.
>>> 
>>> 
>>> 
>>> -Original message-
>>>> From:Al Varnell 
>>>> Sent: Thursday 24th August 2017 18:42
>>>> To: ClamAV users ML 
>>>> Subject: Re: [clamav-users] Freshclam failure
>>>> 
>>>> See previous discussion  
>>>> 
>>>> 
>>>> And Blog announcement earlier today  
>>>> .
>>>> 
>>>> Except that users are having some continuing issues tonight.
>>>> 
>>>> -Al-
>>>> 
>>>> On Aug 24, 2017, at 1:34 AM, Bill Maidment  wrote:
>>>> 
>>>>> Hi
>>>>> I've been using clamav for many years and suddenly yesterday  
>>>>> freshclam failed, first on the JP mirror, then on the AU mirror and  
>>>>> now everywhere.
>>>>> I've tried all the suggested solutions, but nothing obvious in  
>>>>> the logs apart from the following:
>>>>> 
>>>>> ERROR: getpatch: Can't download daily-23699.cdiff from db.AU.clamav.net
>>>>> ERROR: Can't download daily.cvd from db.AU.clamav.net
>>>>> ERROR: getpatch: Can't download daily-23699.cdiff from db.local.clam

Re: [clamav-users] Unable to download database

2017-08-24 Thread Simon Mousey Smith
Hi All

Still having issue here in UK Liverpool

WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)

Regards 

Simon

Sent from my iPhone

> On 24 Aug 2017, at 08:48, maxal  wrote:
> 
> hi,
> 
> also some issues here on 193.1.193.64
> 
> Thu Aug 24 09:40:07 2017 -> ERROR: getpatch: Can't download daily-
> 23699.cdiff from database.clamav.net
> Thu Aug 24 09:40:07 2017 -> WARNING: Incremental update failed, trying
> to download daily.cvd
> Thu Aug 24 09:40:07 2017 -> WARNING: getfile: daily.cvd not found on
> database.clamav.net (IP: 193.1.193.64)
> 
> http://193.1.193.64/daily-23699.cdiff --header
> "Host:database.clamav.net"
> --2017-08-24 09:42:00--  http://193.1.193.64/daily-23699.cdiff
> Connecting to 193.1.193.64:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2017-08-24 09:42:00 ERROR 404: Not Found.
> 
> inetnum:        193.1.193.0 - 193.1.193.127
> org:            ORG-HA8-RIPE
> netname:        HEANET-MIRROR
> country:        IE
> 
> regards
> max
> 
>> On Thu, 2017-08-24 at 09:21 +0200, lukn555 wrote:
>> Thank you for your effort, Joel.
>> 
>> I still have issues with the following server from
>> db.centraleu.clamav.net group:
>> 
>> $ wget http://193.230.240.8/daily-23697.cdiff --header
>> "Host:database.clamav.net"
>> --2017-08-24 09:02:01--  http://193.230.240.8/daily-23697.cdiff
>> Connecting to 193.230.240.8:80... connected.
>> HTTP request sent, awaiting response... 403 Forbidden
>> 2017-08-24 09:02:01 ERROR 403: Forbidden.
>> 
>> 
>>> On 23.08.2017 23:21, Joel Esler (jesler) wrote:
>>> All — I sent a note earlier, but this should be fixed/recovering
>>> now.  We are working on an idea that may prevent this kind of thing
>>> from happening in the future.
>>> 
>>> Dennis — If you do a health check, and you find things that are…
>>> not matching up with our results… please let me know your failure
>>> list?
>>> 
>>> 
>>> --
>>> Joel Esler | Talos: Manager | jes...@cisco.com
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Aug 23, 2017, at 3:16 PM, Dennis Peterson <denni...@inetnw.com> wrote:
>>> 
>>> After testing several of the DNS round robin aliases I found the
>>> db.ca.clamav.net had the most reliable
>>> server set for North America. After editing the freshclam.conf file
>>> the files updated on the next cron.hourly cycle.
>>> 
>>> I also found that the number of viable mirror sites is a small
>>> portion of the total number of mirrors. I also found that a lot of
>>> "local" mirrors are not all that local.
>>> 
>>> I think I'll run a health check of every mirror in the western
>>> hemisphere and use the results in a local DNS round robin running
>>> my own servers. It is a form of dynamic load balancing using real-
>>> time network response time. If nothing else it will stop most if
>>> not all attempts to missing mirrors which seem to be the majority.
>>> Obviously it will also ignore mirrors that disallow icmp traffic.
>>> 
>>> dp
>>> 
>>> On 8/23/17 9:48 AM, Dennis Peterson wrote:
>>> nslookup db.local.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.us.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.ca.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.ru.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.uk.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> 
>>> Nobody home.
>>> 
>>> dp
>>> 
>>> On 8/23/17 12:26 AM, lukn555 wrote:
>>> Good Day ClamAV List
>>> 
>>> Since yesterday at around noon CET I've been having issues
>>> downloading
>>> the ClamAV database:
>>> 
>>> freshclam --version
>>> ClamAV 0.99.2/23696/Tue Aug 22 14:36:14 2017
>>> 
>>> 
>>> # /usr/local/bin/freshclam --verbose
>>> Current working dir is /usr/local/share/clamav
>>> Max retries == 3
>>> ClamAV update process started at Wed Aug 23 09:11:52 2017
>>> Using IPv6 aware code
>>> Querying current.cvd.clamav.net
>>> TTL: 609
>>> Software version from DNS: 0.99.2
>>> main.cvd version from DNS: 58
>>> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
>>> daily.cvd version from DNS: 23700
>>> Retrieving http://database.clamav.net/daily-23697.cdiff
>>> Ignoring mirror 130.59.113.36 (due to previous errors)
>>> Ignoring mirror 193.230.240.8 (due to previous errors)
>>> Ignoring mirror 130.59.113.36 (due to previous errors)
>>> Ignoring mirror 193.230.240.8 (due to previous errors)
>>> WARNING: getpatch: Can't download daily-23697.cdiff from database.clamav.net
>>> Retrieving http://database.clamav.net/daily-23697.cdiff
>>> Ignoring mirror 130.59.113.36 (due to previous errors)
>>> Ignoring mirror 193.230.240.8 (due to previou
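
Added example, not part of any message in this thread and not ClamAV code: the ping sweeps and the `wget --header "Host:database.clamav.net"` checks quoted above measure different things, so this script combines both into one verdict per mirror. The function names, verdict labels and sample data (RFC 5737 addresses) are constructed for illustration, and `probe_http` assumes curl is installed.

```shell
#!/bin/sh
# Added example: mirror health from ICMP *and* HTTP results.
# Sample data is constructed (RFC 5737 addresses), in the ping format quoted above.
SAMPLE_PING='--- 192.0.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
*--- 192.0.2.20 ping statistics ---*
*1 packets transmitted, 0 received, 100% packet loss, time 0ms*
--- 192.0.2.30 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
--- 192.0.2.40 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms'
# Constructed "ip http_code" pairs; 000 is what curl reports when no HTTP reply arrived.
SAMPLE_HTTP='192.0.2.10 200
192.0.2.20 200
192.0.2.30 403
192.0.2.40 000'

# Live probe for one mirror IP (not run on the samples): the same request as the
# wget checks in the thread, with the Host header set explicitly.
probe_http() {  # $1 = mirror IP, $2 = file name such as a daily-NNNNN.cdiff
    curl -s -o /dev/null -m 10 -w '%{http_code}' \
        -H 'Host: database.clamav.net' "http://$1/$2"
}

# Reduce `ping -c 1` summaries on stdin to "ip up|down" lines.
# The tr call drops the "*" emphasis markers some mail clients add.
ping_status() {
    tr -d '*' | awk '
        /^--- .* ping statistics ---/ { ip = $2 }
        /packets transmitted/ { s = ($4 + 0 > 0) ? "up" : "down"; print ip, s }'
}

# Combine both views. $1 = ping_status output, $2 = "ip http_code" lines.
mirror_health() {
    { printf '%s\n' "$1" | sed 's/^/icmp /'; printf '%s\n' "$2" | sed 's/^/http /'; } |
    awk 'NF != 3 { next }
        { seen[$2] = 1 }
        $1 == "icmp" { icmp[$2] = $3 }
        $1 == "http" { http[$2] = $3 }
        END { for (ip in seen) {
            code = (ip in http) ? http[ip] : "000"
            if (code == "200") v = (icmp[ip] == "up") ? "usable" : "usable-icmp-filtered"
            else if (code != "000") v = "http-" code
            else v = (icmp[ip] == "up") ? "no-http" : "dead"
            print ip, v } }' | sort
}

# IPs worth putting in a local round robin: those that actually serve the file.
usable_mirrors() { mirror_health "$1" "$2" | awk '$2 ~ /^usable/ { print $1 }'; }
```

On the sample data a ping-only check would drop 192.0.2.20, which serves the file, and keep 192.0.2.30, which answers ping but returns 403.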

Re: [clamav-users] Unable to download database

2017-08-23 Thread Simon Mousey Smith
Same here from UK Liverpool datacenter

Was able to download a few hours ago but then stopped again

Simon 

Sent from my iPhone

> On 23 Aug 2017, at 18:33, Maarten Broekman  wrote:
> 
> Similar issues with addresses for db.us.clamav.net. 7 of 16 mirrors aren't
> reachable.
> 
> $ host db.us.clamav.net
> db.us.clamav.net is an alias for db.us.big.clamav.net.
> *db.us.big.clamav.net has address 208.72.56.53*
> *db.us.big.clamav.net has address 64.6.100.177*
> *db.us.big.clamav.net has address 64.22.33.90*
> db.us.big.clamav.net has address 69.12.162.28
> db.us.big.clamav.net has address 69.163.100.14
> db.us.big.clamav.net has address 104.131.196.175
> db.us.big.clamav.net has address 128.199.133.36
> db.us.big.clamav.net has address 150.214.142.197
> *db.us.big.clamav.net has address 155.98.64.87*
> *db.us.big.clamav.net has address 168.143.19.95*
> db.us.big.clamav.net has address 194.8.197.22
> *db.us.big.clamav.net has address 194.186.47.19*
> db.us.big.clamav.net has address 198.148.78.4
> db.us.big.clamav.net has address 200.236.31.1
> db.us.big.clamav.net has address 204.130.133.50
> *db.us.big.clamav.net has address 207.57.106.31*
> 
> $ host db.us.clamav.net | awk '/address/ { print $NF }' | xargs -L1 ping -c 1
> 
> *--- 208.72.56.53 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> *--- 64.6.100.177 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> *--- 64.22.33.90 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> --- 69.12.162.28 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 69.163.100.14 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 104.131.196.175 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 128.199.133.36 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 150.214.142.197 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> *--- 155.98.64.87 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> *--- 168.143.19.95 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> --- 194.8.197.22 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> *--- 194.186.47.19 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> --- 198.148.78.4 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 200.236.31.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 204.130.133.50 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> *--- 207.57.106.31 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> 
> On Wed, Aug 23, 2017 at 1:26 PM, Maarten Broekman <
> maarten.broek...@gmail.com> wrote:
> 
>> For me, 3 of the 5 db.local.clamav.net addresses have 100% packet loss:
>> 
>> $ host db.local.clamav.net
>> db.local.clamav.net is an alias for db.us.rr.clamav.net.
>> db.us.rr.clamav.net has address 200.236.31.1
>> db.us.rr.clamav.net has address 208.72.56.53
>> db.us.rr.clamav.net has address 69.12.162.28
>> db.us.rr.clamav.net has address 150.214.142.197
>> db.us.rr.clamav.net has address 194.186.47.19
>> 
>> $ host db.local.clamav.net | awk '/address/ { print $NF }' | xargs -L1 ping -c 1
>> --- 200.236.31.1 ping statistics ---
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>> 
>> *--- 208.72.56.53 ping statistics ---*
>> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
>> 
>> --- 69.12.162.28 ping statistics ---
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>> 
>> *--- 150.214.142.197 ping statistics ---*
>> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
>> 
>> *--- 194.186.47.19 ping statistics ---*
>> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
>> 
>> 
>> 
>> 
>> On Wed, Aug 23, 2017 at 12:48 PM, Dennis Peterson 
>> wrote:
>> 
>>> nslookup db.local.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.us.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.ca.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.ru.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.uk.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> 
>>> Nobody home.
>>> 
>>> dp
>>> 
>>> 
>>>> On 8/23/17 12:26 AM, lukn555 wrote:
>>>> 
>>>> Good Day ClamAV List