Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-22 Thread Paul Kosinski
Checking less frequently would be nice, but there seems to be a fair amount of jitter in the update times. Or is that an artifact of caching (DNS or otherwise)? On Thu, 20 Dec 2018 15:23:13 + "Joel Esler (jesler)" wrote: > Right. We only publish at certain times a day. I think a check once

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Paul Kosinski
When talking about averages, I agree. But what I am worried about is the "worst case" malicious payload: for example, a brand new and particularly effective piece of ransomware. It's like car, life or medical insurance. The probability of needing it is low, but when you do, you don't want your

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Dennis Peterson
On 12/20/18 10:56 AM, Dennis Peterson wrote: This can be calculated by counting the number of ClamAV hits in the clamd log using ClamAV signatures and the time period between the first and last hits. In my case I have clamd logs back to April (252 days) and 58 hits on ClamAV signatures or

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Dennis Peterson
This can be calculated by counting the number of ClamAV hits in the clamd log using ClamAV signatures and the time period between the first and last hits. In my case I have clamd logs back to April (252 days) and 58 hits on ClamAV signatures or about 4 per day. Total hits from all signature

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread G.W. Haywood
Hi there, Attempting to bring some sort of perspective to all this... The number of updates per day (or hour or minute), and the currency or otherwise of the updated data are not, I think, the things that matter. Isn't what matters most the probability that some malicious payload will get past

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Joel Esler (jesler)
Right. We only publish at certain times a day. I think a check once an hour is probably fine. Sent from my iPhone > On Dec 20, 2018, at 09:55, Paul Kosinski wrote: > > Only DNS TXT queries are done 3-5 times per hour. Freshclam itself is > only run whenever that reports that there is

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Paul Kosinski
Only DNS TXT queries are done 3-5 times per hour. Freshclam itself is only run whenever that reports that there is something new available, as determined by the DNS TXT result showing a higher version number than the *local* CLD file shows. In practice, this means that freshclam is only run a few

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread J.R.
Al... > Note these restrictions: You must either be running an old version of ClamAV or using an old .conf file... Relevant part from my freshclam.conf below... Doing a DNS lookup requires very little data transfer since it's just a small UDP packet (~100 bytes maybe) back & forth (and is

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Joel Esler (jesler)
Inline > On Dec 19, 2018, at 4:08 PM, J.R. wrote: > > Joel - In regards to the comment on pointing everyone to Cloudflare... > I'm guessing that statement means you are using a mix of the > Cloudflare CDN and the original volunteer mirrors still? No. Cloudflare is currently handling

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread Al Varnell
Note these restrictions: > How many times per hour shall I run freshclam? > You can check for database update as often as 4 times per hour provided that > you have the following options in freshclam.conf: > > DNSDatabaseInfo current.cvd.clamav.net > > DatabaseMirror db.XY.clamav.net > >

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread Paul Kosinski
Whatever the TTL is, there's no reason to make the notification even more out of date than it needs to be. Suggestion: Whenever the ClamAV Team puts out an "important" update, they should set the DNS TXT TTL low (and then raise it after a while). -pk On Wed, 19 Dec 2018 13:22:26 -0800 Dennis

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread Paul Kosinski
Yeah, I know that the CDIFFs will/may be cached, but it shouldn't matter. The file daily-25221.cdiff has the same contents no matter when you download it via freshclam or whatever (assuming its contents hasn't been munged by "HTTP-Transform"). But daily.cvd changes over time, as it should. Thus

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread Dennis Peterson
The TTL of the TXT record is 30 minutes so unless you are directly polling one of the clamav.net dns servers you are going to get whatever is in your local NSCD cache. dp On 12/19/18 12:26 PM, Paul Kosinski wrote: snip They all do DNS TXT queries 3-5 times per hour, and *only* if that

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread J.R.
Joel - In regards to the comment on pointing everyone to Cloudflare... I'm guessing that statement means you are using a mix of the Cloudflare CDN and the original volunteer mirrors still? Also, is there a way to force a selection of a particular mirror (either by CF datacenter or previous

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread Paul Kosinski
In light of The Delays, and the fact that CVDs are so much bigger than CDIFFs, I have changed our ClamAVs to use Scripted Update (CDIFFs) and thus fetch directly from database.clamav.net. We currently have fewer than a half-dozen machines on our LAN, which share a single Comcast dynamic IP

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-17 Thread Joel Esler (jesler)
> On Dec 17, 2018, at 3:01 PM, Dennis Peterson wrote: > > On 12/17/18 11:57 AM, Joel Esler (jesler) wrote: >> Inline: >> >>> On Dec 15, 2018, at 6:23 PM, Paul Kosinski >> > wrote: >>> >>> I don't know if flushing the daily.cvd cache would be adequate, since >>>

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-17 Thread Dennis Peterson
On 12/17/18 11:57 AM, Joel Esler (jesler) wrote: Inline: On Dec 15, 2018, at 6:23 PM, Paul Kosinski wrote: I don't know if flushing the daily.cvd cache would be adequate, since there are probably some downstream caches that wouldn't follow suit. Actually I had someone correct me after I

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-17 Thread Joel Esler (jesler)
Inline: > On Dec 15, 2018, at 6:23 PM, Paul Kosinski wrote: > > I don't know if flushing the daily.cvd cache would be adequate, since > there are probably some downstream caches that wouldn't follow suit. Actually I had someone correct me after I wrote this email, we already have been doing

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Dennis Peterson
Ignoring latency which is probably nowhere near the problem it was with the volunteer network of mirrors. dp On 12/15/18 2:43 PM, Alain Zidouemba wrote: When a new cdiff is released, is a new daily.cvd also released at the same time? Yes. -Alain On Dec 15, 2018, at 4:26 PM, J.R. wrote:

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Alain Zidouemba
> When a new cdiff is released, is a new daily.cvd also released at the same time? Yes. -Alain > On Dec 15, 2018, at 4:26 PM, J.R. wrote: > > When a new > cdiff is released, is a new daily.cvd also released at the same time?

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread J.R.
First question hopefully someone from ClamAV can answer... When a new cdiff is released, is a new daily.cvd also released at the same time? I would assume so, but best to get this question answered clearly than continue to speculate. Second, I don't think doing a manual flush of the cached file

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Dennis Peterson
This raises another point which is and has been the DNS version does not and has not meant there was an update to the daily CVD file - just that the cdiffs exist to update the users' local copy of the CLD to the current version using a reliable and efficient signed process. This only ever

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Joel Esler (jesler)
When Sourcefire acquired ClamAV "back in the day", we stopped accepting donations, as accounting for them on a corporate revenue side is more of a hassle than it is worth, so we just support it out of pocket. That being said, this thread is long and I wanted to reply to it. What if I flushed

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Dennis Peterson
Things have changed a lot since Thomasz and Lucia were bearing the brunt of support, but other things change slowly. https://lists.gt.net/clamav/users/115 dp On 12/15/18 10:32 AM, Gene Heskett wrote: On Saturday 15 December 2018 10:58:12 Micah Snyder (micasnyd) wrote: I was actually

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Paul Kosinski
Indeed, Scripted Update via cdiffs is far more efficient until one has *lots* of machines running ClamAV on one's LAN. This tradeoff should be (and have been) documented. Better yet, the current Local Mirror mechanism should be either fixed to support cld files (if it doesn't already) or removed

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Gene Heskett
On Saturday 15 December 2018 10:58:12 Micah Snyder (micasnyd) wrote: > I was actually wondering about this part too. You would need quite a > few machines downstream of your local mirror to make up the difference > switching from cdiffs for each machine to CVD's, at least given the > current

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Paul Kosinski
Our Comcast account is in MA and is not a business account (which I presume would cost more). My view is that Comcast tech support is on the level of "try restarting your modem" or "try restarting Windows", so I doubt asking about transparent caching would get very far. I don't think it's

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread J.R.
I seem to recall you said you had comcast, and I'm assuming it is a business account. Have you tried calling their business support and talked to someone that is actually local to explain your problem and see if they possibly have a transparent cache in place and if it would be possible to exclude

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-14 Thread Dennis Peterson
From a best practices perspective it is best to use freshclam when talking to ClamAV resources. Once you have what you need from them you can do anything you like internally. You don't have to be nice to them at this point. I had a couple hundred RedHat servers to manage and they all required

[clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-14 Thread Paul Kosinski
The Good Deed When we started using ClamAV, we wanted to distribute the database to the several machines on our LAN in order to reduce the load on the volunteer servers and minimize the load on our old DSL (now gone). The best way to do this, it seemed, was to set up a trivial HTTP server to