Re: [clamav-users] QNAP Antivirus Updates

2021-09-20 Thread Paul Kosinski via clamav-users
On Mon, 20 Sep 2021 17:17:34 +
"Joel Esler (jesler)"  wrote:

> > On Sep 20, 2021, at 13:08, Paul Kosinski via clamav-users 
> >  wrote:
> > 
> > These two IPs are Anycast addresses, and have been unchanged for well over 
> > 2 years. (Anycast addresses don't have to change even if the physical 
> > servers change, that's their point!) They are:
> > 
> >  104.16.218.84
> >  104.16.219.84  
> That’s what they are for you.  Cloudflare routes you to the closest PoP to 
> your network.  Your mileage may vary.

===

I thought the IP addresses, being Anycast, were what is routed to the closest 
POP.

No matter, when I resolve "database.clamav.net" via various DNS servers, using 
TCP to bypass the default local DNS server (as our firewall blocks outbound UDP 
port 53 otherwise), I always get these same two IP addresses as results (see 
below).

Given that the servers at 1.1.1.1, 8.8.8.8 and 9.9.9.9 are "public", and likely 
Anycast, while 71.243.0.12 is local Verizon/FIOS, I suppose that the 
Authoritative server and the public (Anycast) servers could conceivably be 
distributing different IP addresses depending on who is querying. (BIND/named 
has become incredibly complicated these days.) But since the two IP addresses 
are themselves Anycast, what would be the point?

In any case, does anyone, anywhere, get IP addresses other than

  104.16.218.84
  104.16.219.84

when resolving "database.clamav.net"?
  

  
  $ dig +tcp +all @1.1.1.1 database.clamav.net
  
  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all @1.1.1.1 database.clamav.net
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5920
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;database.clamav.net. IN  A
  
  ;; ANSWER SECTION:
  database.clamav.net.  31  IN  CNAME   database.clamav.net.cdn.cloudflare.net.
  database.clamav.net.cdn.cloudflare.net.   271 IN A 104.16.219.84
  database.clamav.net.cdn.cloudflare.net.   271 IN A 104.16.218.84
  
  ;; Query time: 11 msec
  ;; SERVER: 1.1.1.1#53(1.1.1.1)
  ;; WHEN: Mon Sep 20 15:28:17 2021
  ;; MSG SIZE  rcvd: 118
  
  ---
  
  $ dig +tcp +all @8.8.8.8 database.clamav.net
  
  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all @8.8.8.8 database.clamav.net
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49012
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;database.clamav.net. IN  A
  
  ;; ANSWER SECTION:
  database.clamav.net.  19  IN  CNAME   database.clamav.net.cdn.cloudflare.net.
  database.clamav.net.cdn.cloudflare.net.   300 IN A 104.16.218.84
  database.clamav.net.cdn.cloudflare.net.   300 IN A 104.16.219.84
  
  ;; Query time: 31 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Mon Sep 20 15:21:13 2021
  ;; MSG SIZE  rcvd: 118
  
  ---
  
  $ dig +tcp +all @9.9.9.9 database.clamav.net
  
  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all @9.9.9.9 database.clamav.net
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29165
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;database.clamav.net. IN  A
  
  ;; ANSWER SECTION:
  database.clamav.net.  60  IN  CNAME   database.clamav.net.cdn.cloudflare.net.
  database.clamav.net.cdn.cloudflare.net.   300 IN A 104.16.218.84
  database.clamav.net.cdn.cloudflare.net.   300 IN A 104.16.219.84
  
  ;; Query time: 91 msec
  ;; SERVER: 9.9.9.9#53(9.9.9.9)
  ;; WHEN: Mon Sep 20 15:30:17 2021
  ;; MSG SIZE  rcvd: 118
  
  ---
  
  $ dig +tcp +all @71.243.0.12 database.clamav.net
  
  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all @71.243.0.12 database.clamav.net
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12056
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;database.clamav.net. IN  A
  
  ;; ANSWER SECTION:
  database.clamav.net.  60  IN  CNAME   database.clamav.net.cdn.cloudflare.net.
  database.clamav.net.cdn.cloudflare.net.   144 IN A 104.16.218.84
  database.clamav.net.cdn.cloudflare.net.   144 IN A 104.16.219.84
  
  ;; Query time: 16 msec
  ;; SERVER: 71.243.0.12#53(71.243.0.12)
  ;; WHEN: Mon Sep 20 15:21:39 2021
  ;; MSG SIZE  rcvd: 118



___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
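One way to answer the question Paul raises above, and to catch the drift that an IP-only firewall rule cannot: parse the ANSWER sections returned by several resolvers, report which A records each one returned, and flag any address the two-entry allow list would block, along with the shortest TTL in the chain so the check is repeated often enough. This is an added example, not code from the thread; the dig text is a constructed sample shaped like the output quoted above, and the "constructed-resolver" case with 198.51.100.7 is made up to show the failure mode.

```python
import re

# Constructed sample shaped like the dig ANSWER section quoted above (TTLs as
# quoted); "constructed-resolver" is made up to show an address outside the list.
SAMPLE_DIG = {
    "1.1.1.1": """;; ANSWER SECTION:
database.clamav.net.  31  IN  CNAME   database.clamav.net.cdn.cloudflare.net.
database.clamav.net.cdn.cloudflare.net.   271 IN A 104.16.219.84
database.clamav.net.cdn.cloudflare.net.   271 IN A 104.16.218.84
""",
}
DRIFTED_DIG = {
    "constructed-resolver": """;; ANSWER SECTION:
database.clamav.net.  60  IN  CNAME   database.clamav.net.cdn.cloudflare.net.
database.clamav.net.cdn.cloudflare.net.   300 IN A 198.51.100.7
""",
}

# The two addresses the iptables rule described in the thread allows.
ALLOW_LIST = {"104.16.218.84", "104.16.219.84"}

# name  ttl  IN  type  rdata  (dig separates fields with tabs or runs of spaces)
ANSWER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)\s*$", re.M)


def answer_records(dig_output):
    """Parse (name, ttl, type, rdata) tuples out of a dig ANSWER section."""
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            for m in ANSWER_LINE.finditer(dig_output)]


def a_records(dig_output):
    """Set of A-record addresses a resolver returned."""
    return {rdata for _, _, rtype, rdata in answer_records(dig_output) if rtype == "A"}


def min_ttl(dig_output):
    """Shortest TTL in the chain (CNAME included): re-check at least this often."""
    return min(ttl for _, ttl, _, _ in answer_records(dig_output))


def compare_resolvers(outputs, allow_list):
    """Per resolver: addresses seen and any the firewall allow list does not cover."""
    return {name: {"addresses": a_records(text), "not_allowed": a_records(text) - allow_list}
            for name, text in outputs.items()}


def allow_list_covers(outputs, allow_list):
    """True only if every resolver returned nothing outside the allow list."""
    return all(not r["not_allowed"]
               for r in compare_resolvers(outputs, allow_list).values())
```

Feed it the real output of `dig +tcp @<resolver> database.clamav.net` from a scheduled job and alert when `allow_list_covers` turns false; the CNAME TTL (31 s in the quoted answer) is the bound on how stale a cached result can be.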

Re: [clamav-users] QNAP Antivirus Updates

2021-09-20 Thread Joel Esler (jesler) via clamav-users


> On Sep 20, 2021, at 13:08, Paul Kosinski via clamav-users 
>  wrote:
> 
> These two IPs are Anycast addresses, and have been unchanged for well over 2 
> years. (Anycast addresses don't have to change even if the physical servers 
> change, that's their point!) They are:
> 
>  104.16.218.84
>  104.16.219.84
That’s what they are for you.  Cloudflare routes you to the closest PoP to your 
network.  Your mileage may vary.


> I don't know if they are appropriate for non-freshclam ways of obtaining the 
> updates, e.g., updating a mirror. (And I don't know if they work world-wide.)

FreshClam or cvdupdate.  That’s what we recommend, that’s what we enforce.  Use 
one of those two or risk being cut off completely in the future.




Re: [clamav-users] QNAP Antivirus Updates

2021-09-20 Thread Paul Kosinski via clamav-users
On Mon, 20 Sep 2021 08:18:01 +0100 (BST)
"G.W. Haywood via clamav-users"  wrote:

> Hi there,
> 
> On Sun, 19 Sep 2021, Gregory Poveda via clamav-users wrote:
> 
> > I have several QNAPs  
> 
> It might be worth searching for 'QNAP' in the list archives.  At least
> some of those devices will struggle to run ClamAV - or rather, ClamAV
> out of the box - for lack of memory.
> 
> > on a locked down network that have the Clamav.net antivirus package/
> > software installed. Something changed on the 16th and I have been
> > unable to get updates. I have an ACL that blocks all traffic on this
> > network unless I define its IPs/DNS addresses. I had set the two DNS
> > addresses that I had detected back in March in the ACL, those are as
> > follows: clamav.net (199.62.84.153) which appears to check if the
> > database has an update and database.clamav.net (198.148.79.54) which
> > has the update file.  
> 
> If you don't mind my saying so, that's a fragile setup.  IPs can and
> do change without notice.
> 
> > Did the DNS names change or has the database stopped providing
> > updates?  
> 
> Check the very recent thread  "Virus DB  updates?".

=

Using an ACL mechanism that uses DNS names to allow outbound traffic also strikes 
me as a setup that is either fragile or very slow. Either it does a DNS 
lookup when started, so if the DNS->IP map changes while it's running, you 
lose. Or it does a reverse DNS (PTR) lookup for every outbound SYN to see if 
it's OK, and it's slow.

In my case, I use iptables (on Linux) to block almost all outbound TCP from 
select servers, and I use two IP addresses (only) to allow ClamAV update 
traffic, from/to freshclam.

These two IPs are Anycast addresses, and have been unchanged for well over 2 
years. (Anycast addresses don't have to change even if the physical servers 
change, that's their point!) They are:

  104.16.218.84
  104.16.219.84

I don't know if they are appropriate for non-freshclam ways of obtaining the 
updates, e.g., updating a mirror. (And I don't know if they work world-wide.)



Re: [clamav-users] QNAP Antivirus Updates

2021-09-20 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 19 Sep 2021, Gregory Poveda via clamav-users wrote:

> I have several QNAPs

It might be worth searching for 'QNAP' in the list archives.  At least
some of those devices will struggle to run ClamAV - or rather, ClamAV
out of the box - for lack of memory.

> on a locked down network that have the Clamav.net antivirus package/
> software installed. Something changed on the 16th and I have been
> unable to get updates. I have an ACL that blocks all traffic on this
> network unless I define its IPs/DNS addresses. I had set the two DNS
> addresses that I had detected back in March in the ACL, those are as
> follows: clamav.net (199.62.84.153) which appears to check if the
> database has an update and database.clamav.net (198.148.79.54) which
> has the update file.

If you don't mind my saying so, that's a fragile setup.  IPs can and
do change without notice.

> Did the DNS names change or has the database stopped providing
> updates?

Check the very recent thread "Virus DB updates?".

--

73,
Ged.



Re: [clamav-users] Windows Side of Clamav

2021-09-20 Thread Marcy Rogers via clamav-users
Ged,

Thank you for your response.  I was asking these questions because I have
put the new .104.0 on one of my computers.  When I installed the msi, there
was nothing in the Clamav Folder.  I then downloaded the zip file and
placed the items in the zip into the clamav folder.
When I run the clamd.exe and then the clamdscan.exe, I get an error message
when the Clamdscan.exe starts that the clamd.log file is too large or too
small.   I was asked to submit a bug ticket on the github website.  I
submitted that ticket on the github and I got an answer back that I need to
run PowerShell as an admin and to make sure that the Config file had the
path for the log file at c:\program files\clamav.   Well, I always opened
Powershell as an Admin and I am also logged on as an admin and my config
file does have the correct path to the log file.  I answered the GitHub
reply and have not heard anything back as of yet.   I was working on
troubleshooting this until I heard something and the only thing that I
noticed was the paths in the registry.  I am guessing, from the look of the
machines that I have with ClamAV .103.3 that the registry keys are not in
that version and have been added to the new version of ClamAV.  If that is
so, then the .msi did not put the registry keys in place and I need to add
them manually.  If I need to add them manually,  I am guessing there is
more than one key under the clamav key.  If that is so, I would like to
know the rest of them all so that I can add them and see if I still get the
error message.


I hope that explains things better.

Thanks,
Marcy


On Thu, Sep 16, 2021 at 1:51 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 16 Sep 2021, Marcy Rogers via clamav-users wrote:
>
> > I have a question about the Windows Installation of the ClamAV .104.0
> > software.
>
> I don't use Windows any more but I'll try to help in case nobody with
> more current Windows experience chips in.
>
> > I know that the .msi is not working correctly.  On your documentation
>
> For the avoidance of doubt, I'm just another user like you, and this
> mailing list is mostly populated by users.  A couple of people from
> the Sourcefire which is (now) the provider of ClamAV keep an eye on
> things here and make announcements etc.  There are third parties who
> provide packages to install ClamAV on Windows but AFAIK the Windows
> installation instructions in the official ClamAV documentation assume
> that you've installed from the source.  FWIW I think that's the best
> way to do it and it's what I always do. (on Linux, however).
>
> > under the configuration, you have to check the Registry to confirm the
> > location of the Databases.
> >
> > When I search my registry for the paths you have listed,  Clamav is not
> > listed under the software folder at all.
> >
> > Config files path search order:
> >
> >   1. The content of the registry key:
> >   "HKEY_LOCAL_MACHINE/Software/ClamAV/ConfDir"
> >   2. The directory where libclamav.dll is located: "C:\Program
> >   Files\ClamAV"
> >   3. "C:\ClamAV"
> >
> > Database files path search order:
> >
> >   1. The content of the registry key:
> >   "HKEY_LOCAL_MACHINE/Software/ClamAV/DataDir"
> >   2. The directory "database" inside the directory where libclamav.dll is
> >   located: "C:\Program Files\ClamAV\database"
> >   3. "C:\ClamAV\db"
> >
> > The number 1's  is not on my machine at all.  I can add it but is there
> > anything else that should be listed under ClamAV path?
>
> As I understand it, the paths in the sections above which you have
> copied from the official documentation are telling you where ClamAV
> WILL look under normal circumstances (i.e. when you have installed
> ClamAV as directed and not modified things too much) for the library
> and database files.  It doesn't actually EXPECT you to have modified
> those Registry keys but you can if you wish.  If you don't modify the
> Registry keys, all you need to do is make sure that the library and
> database files are in the places where ClamAV will look for them when
> it needs them.  It's up to you where you store the database files but
> the configuration file for freshclam (freshclam.conf) needs to have
> the location of the database files in its 'DatabaseDirectory' line.
> Here's mine:
>
> $ grep DatabaseDirectory /etc/mail/clamav/freshclam.conf
> DatabaseDirectory /EXPORTS/clamav/databases
> $
>
> The path is in /EXPORTS because in our case the database directory is
> on a network-mounted partition remote from the server itself.  If for
> example you decided NOT to put your database files in the directory
> "C:\ClamAV\db" or in the directory "C:\Program Files\ClamAV\database"
> then set the value of "HKEY_LOCAL_MACHINE/Software/ClamAV/DataDir" to
> tell ClamAV where you've put them.  But I think it's there for that
> reason, and under normal circumstances you won't need to change it.
>
> > I have looked at the machines that are still running the .103.3 

[clamav-users] clamav static binary

2021-09-20 Thread Eero Volotinen
Hi All,

Is there a way to build a static binary for clamav?



Eero
