[opensuse-security] What's up with clamav?
Hi,

I have been getting these messages in my warning log for days:

Feb 12 14:48:35 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:35 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:35 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:35 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:36 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:36 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:36 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 12 14:48:46 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
Feb 13 11:13:29 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 13 11:13:29 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 13 11:13:29 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 13 11:13:29 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 13 11:13:30 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 13 11:13:30 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 13 11:13:30 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 13 11:13:40 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
Feb 13 23:43:30 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
Feb 13 23:43:36 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 13 23:43:36 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 13 23:43:36 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 13 23:43:36 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 13 23:43:36 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 13 23:43:36 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 13 23:43:36 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 13 23:43:48 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
Feb 14 01:44:09 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 14 01:44:09 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 14 01:44:09 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 14 01:44:09 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 14 01:44:10 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 14 01:44:10 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 14 01:44:10 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 14 01:44:20 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
Feb 14 19:52:18 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 14 19:52:18 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 14 19:52:18 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 14 19:52:18 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 14 19:52:18 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 14 19:52:18 nimrodel freshclam[3605]: getpatch: Can't download daily-8986.cdiff from database.clamav.net
Feb 14 19:52:18 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 14 19:52:29 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.

Is clamav out of business, have they stopped making updates? Why doesn't the program blacklist that mirror and use another, silently?

I see in the configuration file this:

# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net

So I search that iana thing, and find EU is for Europe. I try:

DatabaseMirror db.EU.clamav.net

and now I get:

Feb 14 20:28:22 nimrodel freshclam[12084]: getpatch: Can't download daily-8986.cdiff from db.EU.clamav.net
Feb 14 20:28:22 nimrodel freshclam[12084]: Incremental update failed, trying to download daily.cvd
Feb 14 20:28:22 nimrodel freshclam[12084]: Can't get information about db.EU.clamav.net: Name or service not known
Feb 14 20:28:22 nimrodel freshclam[12084]: Can't download daily.cvd from db.EU.clamav.net

Good grief! Not very reassuring, how these people handle their mirrors...
:-(

--
Cheers,
       Carlos Robinson

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

"Carlos E. R." wrote:
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net
So I search that iana thing, and find EU is for Europe. I try:
Europe is not a country.
DatabaseMirror db.EU.clamav.net
| thomas@xerxes:~$ host db.EU.clamav.net
| Host db.EU.clamav.net not found: 3(NXDOMAIN)

There is no such server. But:

| thomas@xerxes:~$ host db.de.clamav.net
| db.de.clamav.net has address 62.26.160.3
| db.de.clamav.net has address 62.75.166.141
[...]
| thomas@xerxes:~$ host db.uk.clamav.net
| db.uk.clamav.net has address 217.135.32.99
| db.uk.clamav.net has address 80.82.245.8
[...]
| thomas@xerxes:~$ host db.es.clamav.net
| db.es.clamav.net has address 80.80.88.40
| db.es.clamav.net has address 82.159.137.16
[...]
| thomas@xerxes:~$ host db.fr.clamav.net
| db.fr.clamav.net has address 91.193.56.105
| db.fr.clamav.net has address 193.52.101.131
[...]
Feb 14 20:28:22 nimrodel freshclam[12084]: Can't get information about db.EU.clamav.net: Name or service not known
That's correct.

-thh
On Sat, Feb 14, 2009 at 08:34:42PM +0100, Carlos E. R. wrote:
Hi,
I have been getting these messages in my warning log for days:
Feb 12 14:48:35 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:35 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:35 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:35 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:36 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:36 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:36 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 12 14:48:46 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.

You pretty much should ask the clamav folks this.

I just ran freshclam and it went through fine, so it seemed temporary.

Ciao, Marcus
On Saturday, 2009-02-14 at 23:24 +0100, Thomas Hochstein wrote:
"Carlos E. R." wrote:
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net
So I search that iana thing, and find EU is for Europe. I try:
Europe is not a country.
So what? I'm following the instructions to the letter, "see ... for the full list". So whichever letters are listed there are valid.

And that's not the point of the problem I described.

--
Cheers,
       Carlos E. R.
On Sunday, 2009-02-15 at 00:12 +0100, Marcus Meissner wrote:
On Sat, Feb 14, 2009 at 08:34:42PM +0100, Carlos E. R. wrote:
Hi,
I have been getting these messages in my warning log for days:
Feb 12 14:48:35 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:35 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:35 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:35 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:36 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:36 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:36 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 12 14:48:46 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
You pretty much should ask the clamav folks this.
I just ran freshclam and it went through fine, so it seemed temporary.
No, it's not proof. You have to verify using the exact same server IP I got.

My configuration was using "database.clamav.net", which yields a list of hosts:

nimrodel:~ # host database.clamav.net
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.eu.rr.clamav.net.
db.eu.rr.clamav.net has address 195.70.36.141
db.eu.rr.clamav.net has address 213.174.32.130
db.eu.rr.clamav.net has address 217.19.16.188
db.eu.rr.clamav.net has address 62.236.254.228   <======
db.eu.rr.clamav.net has address 80.69.67.43
db.eu.rr.clamav.net has address 85.30.129.18
db.eu.rr.clamav.net has address 85.214.115.224
db.eu.rr.clamav.net has address 147.229.3.16
db.eu.rr.clamav.net has address 193.1.193.64
db.eu.rr.clamav.net has address 193.27.50.222
db.eu.rr.clamav.net has address 194.47.250.218

Interesting... "eu" does work here. >>:-)

The thing is that the daemon should be polling any server from the list, but somehow it was trying the same broken server repeatedly. When that server failed the algorithm should try another, but it didn't. That's probably a bug. And another is that the server is/was down, for days.

About reporting it upstream... I was just asking for comments here. My issue was solved by restarting and reconfiguring the daemon. And as I don't have any Windows machine to protect, I'm not really affected. If the issue repeats, I'll think about it.

[...]

The issue is known, google finds it - recent hits:

http://www.nabble.com/freshclam-fails,-but-tries-only-one-IP-address-td20980...
freshclam fails, but tries only one IP address - Dec 12, 2008; 07:21pm

and it is the same IP I have problems with.

[clamav-users] Problem with a mirror (209.8.40.140)
Thu, 15 Jan 2009 10:11:38 -0800
http://www.mail-archive.com/clamav-users@lists.clamav.net/msg31389.html

--
Cheers,
       Carlos E. R.
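Added example (not part of the original thread): a small Python check that groups freshclam failure lines by mirror IP and by day, to confirm from the log whether every failed update hit the same address. The sample input is a subset of the log lines quoted in the first message; the function names are made up for this illustration.

```python
import re
from collections import defaultdict

# Sample input: a subset of the log lines quoted in the first message.
SAMPLE_LOG = """\
Feb 12 14:48:35 nimrodel freshclam[3605]: getfile: daily-8983.cdiff not found on remote server (IP: 62.236.254.228)
Feb 12 14:48:35 nimrodel freshclam[3605]: getpatch: Can't download daily-8983.cdiff from database.clamav.net
Feb 12 14:48:36 nimrodel freshclam[3605]: Incremental update failed, trying to download daily.cvd
Feb 12 14:48:46 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
Feb 13 11:13:29 nimrodel freshclam[3605]: getfile: daily-8986.cdiff not found on remote server (IP: 62.236.254.228)
Feb 13 11:13:40 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
Feb 14 19:52:29 nimrodel freshclam[3605]: Mirror 62.236.254.228 is not synchronized.
"""

# syslog prefix: "Mon DD HH:MM:SS host freshclam[pid]: message"
LINE = re.compile(r"^(?P<day>\w{3} +\d+) [\d:]+ \S+ freshclam\[\d+\]: (?P<msg>.*)$")
# Only these two message types name the mirror's IP address.
PATTERNS = {
    "not_found": re.compile(r"getfile: \S+ not found on remote server \(IP: (?P<ip>[\d.]+)\)"),
    "not_synced": re.compile(r"Mirror (?P<ip>[\d.]+) is not synchronized"),
}

def summarize(log_text):
    """Map each mirror IP to its failure counts and the days it failed on."""
    stats = defaultdict(lambda: {"days": set(), "not_found": 0, "not_synced": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a freshclam syslog line
        for kind, pattern in PATTERNS.items():
            hit = pattern.search(m.group("msg"))
            if hit:
                entry = stats[hit.group("ip")]
                entry[kind] += 1
                entry["days"].add(m.group("day"))
    return dict(stats)

def failing_mirrors(log_text, min_days=2):
    """IPs that produced failures on at least min_days distinct days."""
    stats = summarize(log_text)
    return sorted(ip for ip, s in stats.items() if len(s["days"]) >= min_days)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, sorted(s["days"]), s["not_found"], s["not_synced"])
    print("failing on 2+ days:", failing_mirrors(SAMPLE_LOG))
```

A single IP in the result that spans several days means the signature database has been stale for that long, whatever the cause of the repeated selection.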
Hello,

On Sunday, 15 February 2009, Carlos E. R. wrote:
My configuration was using "database.clamav.net", which yields a list of hosts:
nimrodel:~ # host database.clamav.net
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.eu.rr.clamav.net.
db.eu.rr.clamav.net has address 195.70.36.141
db.eu.rr.clamav.net has address 213.174.32.130
db.eu.rr.clamav.net has address 217.19.16.188
db.eu.rr.clamav.net has address 62.236.254.228   <======
...
The thing is that the daemon should be polling any server from the list, but somehow it was trying the same broken server repeatedly. When that server failed the algorithm should try another, but it didn't. That's probably a bug.
The problem is how DNS round robin works. It is intended for load balancing, not for being failsafe in case one of the servers is broken.

Basically:
- clamav asks your nameserver for "database.clamav.net"
- Your nameserver queries the upstream nameserver and gets multiple results as listed above
- Your nameserver [1] picks one(!) of the results and gives clamav the answer "database.clamav.net -> 62.236.254.228"

A proper solution would be to make clamav ask for multiple servernames, for example something like "1.database.clamav.net" and "2.database.clamav.net"

Regards,

Christian Boltz

[1] I'm not exactly sure about this fact - I hope there's someone who corrects me if I'm wrong ;-)
--
The mission statement is simply 'world domination', but we don't tell anybody. :-) [Juergen Weigert in opensuse-project]

"Carlos E. R." wrote:
My configuration was using "database.clamav.net", which yields a list of hosts:
nimrodel:~ # host database.clamav.net
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.eu.rr.clamav.net.
db.eu.rr.clamav.net has address 195.70.36.141
[...]
Round robin DNS, yes.
The thing is that the daemon should be polling any server from the list,
It polls database.clamav.net. Your nameserver will resolve that to one IP out of the list you posted. Then clamav will connect to that IP.
but somehow it was trying the same broken server repeatedly.
That depends on your DNS configuration, I think.
When that server failed the algorithm should try another, but it didn't.
There is no "algorithm", there is just a round robin DNS configuration, a cheap way to do load balancing.
And another is that the server is/was down, for days.
That's why there's more than one server.

Did you report the broken server? If not, how do you think it will get fixed? ;)

-thh

"Carlos E. R." wrote:
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net
So I search that iana thing, and find EU is for Europe. I try:
Europe is not a country.
So what? I'm following the instructions to the letter,
No, you aren't. You did not replace XY "with your country code", because Europe is not a country, and the "European Union" - which EU is for - is neither a country nor identical with Europe.
So whichever letters are listed there are valid.
As long as they are "your country code", yes.
And that's not the point of the problem I described.
It's the point of the second problem you described.

-thh
On Sunday, 2009-02-15 at 20:07 +0100, Thomas Hochstein wrote:
"Carlos E. R." wrote:
And another is that the server is/was down, for days.
That's why there's more than one server.
What for, if freshclam doesn't go and ask another server?
Did you report the broken server? If not, how do you think it will get fixed? ;)
To whom, exactly? Exact mail address, no subscription, please. Or web form - again, without registering, same as for sending virus samples.

--
Cheers,
       Carlos E. R.
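Added example, not freshclam's code and not from any participant: one way an updater could move on to another mirror when one fails, which is the behaviour asked about above. It assumes the client already holds the full address list; `fetch`, the version numbers, the state dict and the cooldown are hypothetical.

```python
import time

def update_from_mirrors(addresses, fetch, expected_version, state,
                        now=None, cooldown=3600):
    """Try each address in turn until one serves expected_version.

    addresses: all addresses the mirror name resolved to (assumed available).
    fetch(ip): hypothetical callable returning the database version served
               by that mirror, or raising OSError on a download error.
    state:     dict ip -> time of last failure, kept between runs so that a
               broken mirror is not the first choice again right away.
    Returns (ip, version) on success, or None if every mirror failed.
    """
    now = time.time() if now is None else now
    # Mirrors that failed within the cooldown go to the back of the queue
    # instead of being dropped, so an update is still attempted if all of
    # them are penalised.
    fresh = [ip for ip in addresses
             if now - state.get(ip, float("-inf")) >= cooldown]
    penalised = [ip for ip in addresses if ip not in fresh]
    for ip in fresh + penalised:
        try:
            version = fetch(ip)
        except OSError:
            state[ip] = now          # download error: remember and move on
            continue
        if version < expected_version:
            state[ip] = now          # the "not synchronized" case
            continue
        state.pop(ip, None)          # mirror is healthy again
        return ip, version
    return None

# Constructed scenario: four addresses from the host output quoted earlier
# in the thread; the version served by each mirror is made up.
ADDRESSES = ["62.236.254.228", "195.70.36.141", "213.174.32.130", "217.19.16.188"]

def fake_fetch(ip):
    return 8983 if ip == "62.236.254.228" else 8986

if __name__ == "__main__":
    state = {}
    print(update_from_mirrors(ADDRESSES, fake_fetch, 8986, state, now=1000.0))
    print(state)
```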
On Sunday, 2009-02-15 at 20:07 +0100, Thomas Hochstein wrote:
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net
So I search that iana thing, and find EU is for Europe. I try:
Europe is not a country.
So what? I'm following the instructions to the letter,
No, you aren't. You did not replace XY "with your country code", because Europe is not a country, and the "European Union" - which EU is for - is neither a country nor identical with Europe.
Please don't lecture me on what Europe is.

--
Cheers,
       Carlos E. R.