We are in a situation where we have multiple hosts that need to run
ClamAV, but those hosts are highly restricted in what outbound
Internet access they have.  Thus, we need to run a local ClamAV
mirror.

We have been doing this for several months now, using the "Serve .cvd
files from a local web server" (CVD) approach, here:

   http://wiki.clamav.net/bin/view/Main/CvdPrivateMirror

This has been extremely problematic for us.  And unfortunately, the
"Serve .cvd+.cdiff files from a local web server" (CDIFF) approach
probably won't be any better.

The reason why building a private mirror in this fashion is so
problematic is because both the CVD and CDIFF approaches require your
mirror to download the new CVD file for every database update.  For
the CVD approach, this is necessary because freshclam on the clients
is looking only for CVD files (due to disabling ScriptedUpdates).  And
for the CDIFF approach, you still need the CVD files, in case a
freshclam client is outdated and needs old CDIFF files that you don't
have anymore.

Downloading the full CVD files for every database update is painful,
particularly for the safebrowsing DB.

For example, we run freshclam on the mirror master every 30 minutes
via cron (as per the comments in freshclam.conf regarding using the
safebrowsing DB), and we have had multiple instances where the next
cron iteration of freshclam starts before the previous instance
completes!

So, here's my main question: is there some way to eliminate the need
to download the latest CVD files for every update?

I was thinking along the lines of adding two new options to freshclam,
as follows:

    # The RetainCLDFiles option causes freshclam to save the database
    # diff (CDIFF) files it downloads (to [re]build the CLD database
    # files) into the DatabaseDirectory.  Normally, freshclam deletes
    # the CDIFF files after it rebuilds the CLD files, as they are no
    # longer needed in that case.  Note that freshclam will never
    # delete old CDIFF files, so you will need to use some other
    # mechanism (e.g., a cron job) to do so.  Use this option if you
    # want this host to act as a ClamAV private mirror for other
    # ClamAV/freshclam hosts on your network.
    # Default: disabled
    #RetainCLDFiles yes

    # The DownloadCLDFiles option affects how freshclam behaves when
    # it cannot update a local database via CDIFF files (e.g., because
    # it needs an older CDIFF file that is no longer available) and
    # must therefore download a fresh copy of the database file.
    # Normally, in this case, freshclam will insist on downloading the
    # CVD file, so that it can verify the signature.  However, if you
    # wish to point freshclam at a private mirror, and you trust the
    # CLD files from that server, then you can enable this option to
    # cause freshclam to additionally try to download CLD database
    # files if CVD database files are not available.  You should ONLY
    # use this option when freshclam is pointed at a private mirror
    # that you explicitly control and trust!
    # Default: disabled
    #DownloadCLDFiles yes

Would this work?  I.e., are the CLD files not tied in any way to the
host that builds them?  (I.e., they're architecture-independent?)

Is there a better way to run a private mirror and avoid having to
download the CVD files for every database update?

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
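As an added example (not from this post or the ClamAV project): a small Python helper that reads the version out of a .cvd/.cld header and checks whether a client at an older version can still be served incrementally from the cdiff files a mirror retains, which is exactly the case where freshclam otherwise falls back to the full CVD. The header layout follows the colon-separated format used by ClamAV's cvd code; the sample header, file names and retention count are constructed for illustration.

```python
import re

HEADER_LEN = 512  # every .cvd/.cld file begins with a 512-byte text header

# Constructed sample header (signature and builder fields are placeholders).
# Real layout: ClamAV-VDB:<build time>:<version>:<signatures>:<functionality
# level>:<md5>:<digital signature>:<builder>:<build time in seconds>
CONSTRUCTED_HEADER = (
    b"ClamAV-VDB:13 Jul 2023 08-04 -0400:26972:4174364:90:X:X:mirror-test:1689249898"
).ljust(HEADER_LEN, b" ")

CDIFF_NAME = re.compile(r"^(?P<db>[a-z]+)-(?P<ver>\d+)\.cdiff$")


def parse_cvd_header(header: bytes) -> dict:
    """Return the metadata a mirror cares about from a .cvd/.cld header."""
    text = header[:HEADER_LEN].rstrip(b"\0 ").decode("ascii")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV CVD/CLD header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "signatures": int(fields[3]),
        "flevel": int(fields[4]),   # functionality level the DB requires
        "builder": fields[7],
    }


def cdiff_versions(db: str, filenames) -> set:
    """Versions of <db>-<N>.cdiff files present in a directory listing."""
    versions = set()
    for name in filenames:
        m = CDIFF_NAME.match(name)
        if m and m["db"] == db:
            versions.add(int(m["ver"]))
    return versions


def can_update_incrementally(client_ver: int, mirror_ver: int, have: set) -> bool:
    """True only if every cdiff from client_ver+1 up to mirror_ver is held;
    any gap means freshclam must download the full CVD instead."""
    return set(range(client_ver + 1, mirror_ver + 1)) <= have


def cdiffs_to_prune(have: set, mirror_ver: int, keep: int) -> set:
    """Diffs older than the newest `keep` versions, safe for a cron job to delete."""
    return {v for v in have if v <= mirror_ver - keep}
```

Clients older than `mirror_ver - keep` will no longer be served incrementally, so the `keep` value bounds how far behind a client may fall before the mirror must still offer a full CVD.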