Ian Abbott wrote the following on 12/13/2006 2:42 AM -0800:
> On 12/12/2006 19:44, Edward Dam wrote:
>> Just to expand on this thought a bit.
>>
>> Shouldn't something like this be the default behaviour? To download the CVD
>> files to a temp location, and run the MD5 there before moving it into the
>> live database directory?
>>
>> This way a corrupt/bad database could be prevented from going live, and
>> hanging the mail system. Only verified good cvd files would be moved into
>> the live data dir, and clam would never hang because of this failure.
>
> freshclam already downloads cvd files using a temporary name and
> verifies them before installing them.
>
> cdiff files on the other hand are only verified if freshclam was built
> to use the GNU GMP library, and cdiff updates are applied to the live
> incremental databases. If anything goes wrong, the incremental
> database is removed and the full database downloaded.
>
> The thing I'm not too sure about is what happens if clamd is told to
> reload the databases while freshclam is in the middle of updating them
> (for example, from a script that updates the third party databases
> from MSRBL and SaneSecurity). I think it would be possible for clamd
> to see the databases in an inconsistent state in that case and crap out.
>
> Conversely, freshclam could tell clamd to reload the databases while
> some third party database update script is updating the third party
> databases. But in that case it is possible to write the third party
> database script so that each database is replaced atomically at the
> file system level (by ensuring that the old database and (a copy of)
> the new database are on the same filesystem before atomically
> moving the new one over the old one).
>
> To avoid these problems, freshclam and the third party update scripts
> could be run sequentially from a single cron job, rather than running
> freshclam as a daemon.

This is exactly what I do. Via cron.hourly (rather than freshclam
daemon) I check for new files, if new then download and test any new
SaneSecurity and MSRBL signature files, then run freshclam. Works well here.

Bill
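
The atomic replacement described in the quoted message above, written as a shell function that a third-party update script could call. This is an added example, not code from the thread or from ClamAV; the function name `install_db`, its arguments, and the SHA-256 check (standing in for whatever verification the script performs) are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded signature database, then replace the
# live copy atomically. Names and the SHA-256 check are assumptions.

# install_db NEW_FILE LIVE_FILE EXPECTED_SHA256
# Returns 0 if LIVE_FILE was replaced, 1 if staging or verification failed.
# On failure LIVE_FILE is left untouched and no temp file remains.
install_db() {
    new_file=$1
    live_file=$2
    expected=$3
    live_dir=$(dirname "$live_file")

    # Stage the copy inside the live directory so the final mv is a
    # rename within one filesystem, which is atomic. A mv across
    # filesystems becomes copy+delete, and a reader reloading at that
    # moment could see a partial file.
    staged=$(mktemp "$live_dir/.$(basename "$live_file").XXXXXX") || return 1

    if ! cp "$new_file" "$staged"; then
        rm -f "$staged"
        return 1
    fi

    # Verify the staged copy rather than the download: it is the file
    # that will actually go live.
    actual=$(sha256sum "$staged" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f "$staged"
        return 1
    fi

    # mktemp creates the file mode 0600; make it readable by the scanner.
    chmod 644 "$staged"

    # Readers see either the complete old file or the complete new one.
    mv -f "$staged" "$live_file"
}
```

Run from the same cron job as freshclam, one after the other, this also avoids the overlapping-update case raised in the thread.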