Re: [clamav-users] Help, we are still seeing issues

2021-04-18 Thread Joel Esler (jesler) via clamav-users
Correct.  

Sent from my  iPhone

> On Apr 18, 2021, at 13:55, Paul Kosinski via clamav-users 
>  wrote:
> 
> You're comparing daily.CLD with main.CVD: as I understand it, CVDs are 
> compressed, CLDs aren't.
> 
> 
>> On Sat, 17 Apr 2021 21:15:29 +0200 (CEST)
>> "Robert M. Stockmann via clamav-users"  wrote:
>> 
>> Here are the freshclam virus data files which were first downloaded when
>> I upgraded to 0.103.2:
>> 
>>   [hubble:stock]:(/var/lib/clamav)$ ll 
>>   total 429572
>>   -rw-r--r--  1 clamav clamav    293670 Apr  8 02:37 bytecode.cvd
>>   -rw-r--r--  1 clamav clamav 321713152 Apr 17 14:07 daily.cld
>>   -rw-r--r--  1 clamav clamav 117859675 Apr  8 02:37 main.cvd
>>   -rw-r--r--  1 clamav clamav        69 Apr  8 02:36 mirrors.dat
>>   [hubble:stock]:(/var/lib/clamav)$ clamdscan --version
>>   ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
>>   [hubble:stock]:(/var/lib/clamav)$ 
>> 
>> As you can see, the daily.cld is from today, Apr 17, and the others
>> were downloaded on the day of upgrade. However one would expect the
>> daily.cvd to be the smallest file, instead it's the biggest
>> with 307M in size. 

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Help, we are still seeing issues

2021-04-18 Thread Paul Kosinski via clamav-users
You're comparing daily.CLD with main.CVD: as I understand it, CVDs are 
compressed, CLDs aren't.


On Sat, 17 Apr 2021 21:15:29 +0200 (CEST)
"Robert M. Stockmann via clamav-users"  wrote:

> Here are the freshclam virus data files which were first downloaded when
> I upgraded to 0.103.2:
> 
>   [hubble:stock]:(/var/lib/clamav)$ ll 
>   total 429572
>   -rw-r--r--  1 clamav clamav    293670 Apr  8 02:37 bytecode.cvd
>   -rw-r--r--  1 clamav clamav 321713152 Apr 17 14:07 daily.cld
>   -rw-r--r--  1 clamav clamav 117859675 Apr  8 02:37 main.cvd
>   -rw-r--r--  1 clamav clamav        69 Apr  8 02:36 mirrors.dat
>   [hubble:stock]:(/var/lib/clamav)$ clamdscan --version
>   ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
>   [hubble:stock]:(/var/lib/clamav)$ 
> 
> As you can see, the daily.cld is from today, Apr 17, and the others
> were downloaded on the day of upgrade. However one would expect the
> daily.cvd to be the smallest file, instead it's the biggest
> with 307M in size. 



Re: [clamav-users] Help, we are still seeing issues

2021-04-17 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 17 Apr 2021, Robert M. Stockmann via clamav-users wrote:


> ... one would expect the daily.cvd to be the smallest file ...


Nope.

--

73,
Ged.




Re: [clamav-users] Help, we are still seeing issues

2021-04-17 Thread Robert M. Stockmann via clamav-users
On Sat, 17 Apr 2021, Joel Esler (jesler) via clamav-users wrote:

> Date: Sat, 17 Apr 2021 18:58:04 +
> From: "Joel Esler (jesler) via clamav-users"
> 
> To: "Joel Esler (jesler) via clamav-users" 
> Cc: "Joel Esler (jesler)" 
> Subject: [clamav-users] Help, we are still seeing issues
> 
> Please take a few moments to check your ClamAV freshclam installations.  Are 
> you removing your mirrors.dat file after every run of Freshclam or cvdupdate?
> 
> We are seeing a few IPs, who have upgraded to 103.2 still downloading the 
> entire daily.cvd and main.cvd every update.  I am thinking this is because 
> the installation has a script that is deleting the mirrors.dat file, or has 
> the “OnErrorExecute” command in the Freshclam.conf file set to delete 
> this file, or freshclam can’t write the file in the first place (which 
> shouldn’t be possible).
> 
> Please double check your installations?  You may even need to go so far as to 
> create a new freshclam.conf file.
> 
> If your downloads were working and now you are getting 403’s from 
> Cloudflare and you’re on 103.2, the above situation may be the reason.  
> Please double check the situation and feel free to write me back.  We’ve 
> seen about 34,000 downloads of the main and daily in the past 24 hours from 
> these couple of IPs.
> 
> I can tell the difference between a properly functioning copy of freshclam 
> and not, very easily by looking at the files being downloaded.  If an 
> installation grabs the cvd and then grabs the cdiffs the next day, it’s 
> properly functioning.
> 
> But downloading the entire daily and main every 5 minutes or so indicates to 
> me that something is broken.
> 

Here are the freshclam virus data files which were first downloaded when
I upgraded to 0.103.2:

   [hubble:stock]:(/var/lib/clamav)$ ll 
   total 429572
   -rw-r--r--  1 clamav clamav    293670 Apr  8 02:37 bytecode.cvd
   -rw-r--r--  1 clamav clamav 321713152 Apr 17 14:07 daily.cld
   -rw-r--r--  1 clamav clamav 117859675 Apr  8 02:37 main.cvd
   -rw-r--r--  1 clamav clamav        69 Apr  8 02:36 mirrors.dat
   [hubble:stock]:(/var/lib/clamav)$ clamdscan --version
   ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
   [hubble:stock]:(/var/lib/clamav)$ 

As you can see, the daily.cld is from today, Apr 17, and the others
were downloaded on the day of upgrade. However one would expect the
daily.cvd to be the smallest file, instead it's the biggest
with 307M in size. 


-- 
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org  st...@stokkie.net




[clamav-users] Help, we are still seeing issues

2021-04-17 Thread Joel Esler (jesler) via clamav-users
Please take a few moments to check your ClamAV freshclam installations.  Are 
you removing your mirrors.dat file after every run of Freshclam or cvdupdate?

We are seeing a few IPs, who have upgraded to 103.2 still downloading the 
entire daily.cvd and main.cvd every update.  I am thinking this is because the 
installation has a script that is deleting the mirrors.dat file, or has the 
“OnErrorExecute” command in the Freshclam.conf file set to delete this file, or 
freshclam can’t write the file in the first place (which shouldn’t be possible).

Please double check your installations?  You may even need to go so far as to 
create a new freshclam.conf file.

If your downloads were working and now you are getting 403’s from Cloudflare 
and you’re on 103.2, the above situation may be the reason.  Please double 
check the situation and feel free to write me back.  We’ve seen about 34,000 
downloads of the main and daily in the past 24 hours from these couple of IPs.

I can tell the difference between a properly functioning copy of freshclam and 
not, very easily by looking at the files being downloaded.  If an installation 
grabs the cvd and then grabs the cdiffs the next day, it’s properly functioning.

But downloading the entire daily and main every 5 minutes or so indicates to me 
that something is broken.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net
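
A local check for the three causes listed in the message above, as an added example that is not part of the original thread or ClamAV's own tooling. The function name `check_freshclam` and the example config path are assumptions, and the check also covers the `OnUpdateExecute` and `OnOutdatedExecute` hook options, which goes beyond the `OnErrorExecute` case the message names.

```shell
#!/bin/sh
# Added example (not from the thread): audit one freshclam setup for the causes
# listed in the message above. check_freshclam is a hypothetical helper name.
# Run it as the account freshclam runs under, so the write test is meaningful.
# Prints one finding per line and returns the number of findings.

check_freshclam() {
    conf=$1                      # path to freshclam.conf (caller-supplied)
    dbdir=$2                     # database directory (caller-supplied)
    state="$dbdir/mirrors.dat"   # state file named in the thread
    findings=0

    # Cause 1: a hook option whose command mentions the state file.
    # Commented-out lines do not match because the option must start the line.
    hooks=$(grep -E '^[[:space:]]*On(Error|Update|Outdated)Execute[[:space:]]' "$conf" \
        | grep -F 'mirrors.dat' || true)
    if [ -n "$hooks" ]; then
        echo "HOOK: freshclam.conf hook mentions mirrors.dat: $hooks"
        findings=$((findings + 1))
    fi

    # Cause 2: something removed the file (only meaningful once freshclam has run).
    if [ ! -f "$state" ]; then
        echo "MISSING: $state does not exist"
        findings=$((findings + 1))
    fi

    # Cause 3: the file cannot be written, or cannot be created in the directory.
    if [ -e "$state" ] && [ ! -w "$state" ]; then
        echo "READONLY: $state is not writable by $(id -un)"
        findings=$((findings + 1))
    elif [ ! -w "$dbdir" ]; then
        echo "READONLY: $dbdir is not writable by $(id -un)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone use (example paths): sh check.sh /etc/clamav/freshclam.conf /var/lib/clamav
if [ "$#" -eq 2 ]; then
    check_freshclam "$1" "$2"
fi
```

A script or cron job outside freshclam.conf that deletes the file is only visible here through the MISSING finding, so a missing file with no HOOK finding points at something external.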
