On 13/02/13 14:37, Al Varnell wrote: > On 2/12/13 4:55 PM, "Mark Foster" wrote: > >> Greetings, >> >> I frequently see errors such as this from several of our ClamAV >> installations. >> Pretty much every time I go to check manually (freshclam runs from cron, so I >> get the errors via email) there's no update available / freshclam works fine. >> >> So why would I get: >> >> ERROR: getpatch: Can't download bytecode-YYY.cdiff from db.x.clamav.net >> > Haven't seen any of those in my log that goes back to November, but I have > had a couple with regard to daily-xxxxx.cdiff. Yeah, the bytecode one was probably a poor example to select, as i've mostly seen it with daily-xxxx as well.
I run mail servers in several parts of the world and I can report that I was presented with several errors for 16655.cdiff between 0000 and 0030hrs UTC this morning from at least two countries (and two seperate db.xx.clamav.net hosts - for New Zealand and India.). The bytecode error occurred today in two different countries again, bytecode-213 between 0035 and 0105hrs UTC. >> Does this mean we are seeing out-of-date mirrors? Because i'm seeing this >> frequently from several different parts of the world. >> > That's one explanation. I should think it could be almost any server issue > or even temporary network issues. I would expect there to be some increase > in out-of-dates due to there being many more updates per day than there used > to be. I'm in the US on the West coast and update a minimum of twice a day. We're checking every 30 minutes, and the timing is staggered across multiple servers worldwide. We've done a bit of work lately to try to get the mirrors we poll set up correctly[1], and to ensure that our transparent proxies weren't getting in the way. Now i'm seeing alerts via email, but by the time I check manually, it's fine - which implied to me that the update was failing on the first mirror and working fine on the second - so the question is whether Freshclam needs to fire this back to stdout. [1] we are using three mirrors: db.$countrycode.clamav.net, followed by db.local.clamav.net, followed by database.clamav.net. Interestingly in New Zealand at least, db.nz.clamav.net points to the same cluster of IP's (all located in Australia) that db.local.clamav.net does, so i'm not entirely sure why it fails on db.nz but works on db.local? An examination of the freshclam log for that specific case suggests that the failure on db.nz.clamav.net is that the cdiff is missing, so it's tried to grab the whole bytecode file and found that it's 'not synchronised', so (presumably) trashes it and tries the next mirror. There's a proxy involved, which makes troubleshooting a little more complicated... > >> Can freshclam be configured to try multiple mirrors and suppress the error >> unless none of the mirrors work? >> > It does try multiple mirrors, and why do you need the warning (not an error) > suppressed? Here's one example: > > WARNING: getfile: daily-15612.cdiff not found on remote server (IP: > 194.47.250.218) > WARNING: getpatch: Can't download daily-15612.cdiff from database.clamav.net > Downloading daily-15612.cdiff [100%] > Downloading daily-15613.cdiff [100%] > daily.cld updated (version: 15613, sigs: 286256, f-level: 63, builder: > guitar) > bytecode.cvd is up to date (version: 202, sigs: 40, f-level: 63, builder: > neo) > Database updated (1330683 signatures) from database.clamav.net (IP: > 207.57.106.31) > I see the emails and treat them as a warning we might not be updated or have some other problem. I've learned today, that I should read them more carefully and maybe I can filter them a little more in my client to pull the truly useful info out! :-) Cheers Mark. _____________________________________________________________________________ This email has been filtered by SMX. For more information visit smxemail.com _____________________________________________________________________________ _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
