List: clamav-users
Subject: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)
From: Paul Kosinski <clamav-users () iment ! com>
Date: 2018-06-30 23:27:52
Message-ID: 20180630192752.77d22392 () ime1 ! iment ! local
We are *still* failing to get ClamAV cvd files updates reliably -- even
after deleting mirrors.dat before each attempt!
The basic problem seems to be that the query to (e.g.):
daily.24710.85.1.0.6810BB8A.ping.clamav.net
fails as often as not (e.g.):
Querying daily.24710.85.1.0.6810BB8A.ping.clamav.net
Can't query daily.24710.85.1.0.6810BB8A.ping.clamav.net
The query fails a lot when issued by freshclam, and it also fails
(times out) a lot when issued by dig.
As far as I can tell by reading the freshclam code, the query is just a
DNS query for the A record (as opposed to a TXT record etc.). I presume
that the prefix part of the FQDN works like it does for blacklists and
indicates whether the prefix is "good" or "bad".
As I investigated further, I ran one test which gave a very interesting
result:
# dig xx.ping.clamav.net
;xx.ping.clamav.net. IN A
xx.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 218 IN NS ns4.clamav.net.
ns4.clamav.net. 3053 IN A 12.167.151.33
ns4.clamav.net. 3053 IN A 5.9.14.57
ns4.clamav.net. 3258 IN AAAA 2a01:4f8:160:8421::2
Apparently, ping.clamav.net is handled by ns4.clamav.net, but that name
server has 2 unrelated IP addresses. The 12.167.151.33 address appears
to be leased by Sourcefire from AT&T, but the 5.9.14.57 address is
owned by Hetzner.de.
If I now do digs explicitly using the 2 different addresses for ns4,
the Hetzner one works, but the Sourcefire one doesn't:
# while true; do dig @5.9.14.57 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
^C
# while true; do dig @12.167.151.33 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
^C
This would explain why the DNS query from freshclam is so unreliable.
(Is the Sourcefire instance of ns4 even running a DNS server?)
This behavior is causing us much grief, because a large number of
ClamAV DB updates fail, saying that the mirror is not synchronized,
thus adding that mirror to mirrors.dat (which I now automatically
delete right before freshclam runs!).
Is there anything we can do short of bypassing freshclam, periodically
downloading daily.cvd, bytecode.cvd etc., and seeing if they differ from
the last download?
P.S. Here are traceroutes to the 2 ns4.clamav.net machines; these show
that we *do* have the ability to reach both of them:
traceroute to ns4.clamav.net (5.9.14.57), 30 hops max, 60 byte packets
1 dslmodem.iment.local (10.25.26.1) 1.108 ms 1.476 ms 1.942 ms
2 216.237.102.1 (216.237.102.1) 36.675 ms 39.009 ms 40.798 ms
3 216.237.98.117 (216.237.98.117) 44.470 ms 46.751 ms 46.998 ms
4 69.46.227.233.lightower.net (69.46.227.233) 79.273 ms 79.554 ms 79.803 ms
5 ae22-bstpmalljp1.lightower.net (104.207.214.80) 74.458 ms 76.358 ms 76.582 ms
6 ae10-bstpmallj93.lightower.net (144.121.35.36) 68.487 ms 69.450 ms 69.548 ms
7 10ge8-1.core1.bos1.he.net (216.66.32.5) 66.711 ms 41.656 ms 42.851 ms
8 100ge12-2.core1.nyc4.he.net (184.105.64.53) 43.861 ms 41.986 ms 42.088 ms
9 100ge11-1.core1.nyc5.he.net (184.105.213.218) 43.702 ms 100ge16-2.core1.lon2.he.net (72.52.92.165) 109.536 ms 112.671 ms
10 100ge6-2.core1.ams1.he.net (72.52.92.214) 145.347 ms 161.222 ms 100ge8-2.core1.dub1.he.net (184.105.65.246) 103.805 ms
11 100ge3-2.core1.man1.he.net (72.52.92.197) 107.707 ms 109.637 ms 109.192 ms
12 100ge16-1.core1.ams1.he.net (184.105.213.65) 128.275 ms core23.fsn1.hetzner.com (213.239.224.249) 128.936 ms 100ge16-1.core1.ams1.he.net (184.105.213.65) 128.679 ms
13 ex9k1.dc7.fsn1.hetzner.com (213.239.229.234) 134.740 ms hetzner.interxionfra4.nl-ix.net (193.239.117.110) 127.076 ms 127.058 ms
14 core23.fsn1.hetzner.com (213.239.224.249) 131.271 ms core24.fsn1.hetzner.com (213.239.224.253) 130.748 ms core23.fsn1.hetzner.com (213.239.224.249) 125.226 ms
15 ns4.clamav.net (5.9.14.57) 127.731 ms 128.609 ms ex9k1.dc7.fsn1.hetzner.com (213.239.229.238) 129.537 ms
traceroute to ns4.clamav.net (12.167.151.33), 30 hops max, 60 byte packets
1 dslmodem.iment.local (10.25.26.1) 1.104 ms 1.562 ms 2.070 ms
2 216.237.102.1 (216.237.102.1) 37.613 ms 40.082 ms 41.797 ms
3 216.237.98.117 (216.237.98.117) 43.653 ms 45.999 ms 47.673 ms
4 69.46.227.233.lightower.net (69.46.227.233) 49.435 ms 51.731 ms 53.404 ms
5 ae22-bstpmalljp1.lightower.net (104.207.214.80) 57.317 ms 59.946 ms 61.832 ms
6 ae10-bstpmallj93.lightower.net (144.121.35.36) 61.904 ms 61.712 ms 64.363 ms
7 10ge8-1.core1.bos1.he.net (216.66.32.5) 66.045 ms 39.012 ms 37.544 ms
8 100ge12-2.core1.nyc4.he.net (184.105.64.53) 41.486 ms 41.540 ms 41.395 ms
9 100ge16-1.core1.ash1.he.net (184.105.223.165) 117.502 ms 47.104 ms 57.578 ms
10 eqix-ix-dc6.ciscosystems.com (206.126.237.194) 47.562 ms 46.928 ms 46.960 ms
11 ava-talos2-pp-talos1-vlan2804.vrt.sourcefire.com (198.148.79.102) 48.446 ms 50.351 ms 50.132 ms
12 moist.vrt.sourcefire.com (198.148.79.134) 50.964 ms 50.374 ms 47.583 ms
13 * * *
14 12.167.151.33 (12.167.151.33) 47.663 ms 47.912 ms 47.902 ms
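The post's diagnosis rests on two observations: freshclam's mirror check is a plain A-record lookup of a version-encoded name under ping.clamav.net, and the two addresses published for ns4.clamav.net answer that lookup differently (one returns an A record, the other only an SOA in the authority section, i.e. NODATA). The script below is an added example written for this thread; it is not the poster's code and not part of ClamAV or freshclam. It sends the same kind of query directly to each nameserver address listed in the post, parses the raw reply with only the standard library, and classifies it as freshclam would experience it (A answer, NODATA, error rcode, or timeout), so an operator can tell a broken authoritative server apart from a mirror that is genuinely out of sync. The hostname and addresses are the ones quoted in the post (the hostname changes with every daily update, so substitute the current one); the two replies in constructed_replies() are hand-built for offline testing, not captured traffic.

```python
"""Query each ns4.clamav.net address directly for a freshclam-style name and
classify the reply. Added example for the thread above, not ClamAV code."""
import random
import socket
import struct

# Values quoted in the mailing-list post; the probe name encodes the daily.cvd
# version being checked and changes with every update.
NS4_IPS = ("5.9.14.57", "12.167.151.33")
PROBE_NAME = "daily.24710.85.1.0.6810BB8A.ping.clamav.net"
TYPE_A, TYPE_SOA = 1, 6
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(name, txid):
    """Standard recursion-desired A query: header, one question, no other sections."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", TYPE_A, 1)


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data, txid):
    """Parse the header, skip the question, collect answer and authority records."""
    rid, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # qtype + qclass
    records = {"answer": [], "authority": []}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, off = read_name(data, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            records[section].append((name, rtype, socket.inet_ntoa(rdata) if rtype == TYPE_A else rdata))
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), **records}


def classify(parsed):
    """Map a parsed reply onto what freshclam's mirror check would see."""
    if parsed["rcode"] != "NOERROR":
        return parsed["rcode"]
    if any(r[1] == TYPE_A for r in parsed["answer"]):
        return "A-record answer"
    if any(r[1] == TYPE_SOA for r in parsed["authority"]):
        return "NODATA (SOA only, no A record)"
    return "empty reply"


def probe(server_ip, name=PROBE_NAME, timeout=3.0):
    """Send one UDP query straight to the given server and classify the result."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return classify(parse_response(data, txid))


def constructed_replies(txid=0x1234):
    """Two hand-built replies (constructed, not captured): a healthy A answer
    and a bare-SOA NODATA reply shaped like the 12.167.151.33 output in the post."""
    question = build_a_query(PROBE_NAME, txid)[12:]
    good = (struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question
            + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 1, 4) + socket.inet_aton("5.9.14.57"))
    soa = encode_name("localhost") + encode_name("root.localhost") + struct.pack(">IIIII", 1, 604800, 86400, 2419200, 86400)
    nodata = (struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 1, 0) + question
              + encode_name("ping.clamav.net") + struct.pack(">HHIH", TYPE_SOA, 1, 86400, len(soa)) + soa)
    return {"good": good, "nodata": nodata}


if __name__ == "__main__":
    for ip in NS4_IPS:
        print(f"{ip}: {probe(ip)}")
```

Running it against both addresses side by side shows whether the inconsistency is in the authoritative servers rather than in the local resolver: when one address consistently returns NODATA or times out while the other answers, the "mirror not synchronized" failures are a DNS problem, and querying through a resolver that happens to pick the broken address will reproduce them. The parser handles name compression and non-NOERROR rcodes so the same classification works on replies from any server, not only the two in the post.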