On 13/02/13 14:37, Al Varnell wrote:
> On 2/12/13 4:55 PM, "Mark Foster"  wrote:
>
>> Greetings,
>>
>> I frequently see errors such as this from several of our ClamAV 
>> installations.
>> Pretty much every time I go to check manually (freshclam runs from cron, so I
>> get the errors via email) there's no update available / freshclam works fine.
>>
>> So why would I get:
>>
>> ERROR: getpatch: Can't download bytecode-YYY.cdiff from db.x.clamav.net
>>
> Haven't seen any of those in my log that goes back to November, but I have
> had a couple with regard to daily-xxxxx.cdiff.
Yeah, the bytecode one was probably a poor example to select, as i've
mostly seen it with daily-xxxx as well.

I run mail servers in several parts of the world and I can report that I
was presented with several errors for 16655.cdiff between 0000 and
0030hrs UTC this morning from at least two countries (and two seperate
db.xx.clamav.net hosts - for New Zealand and India.).

The bytecode error occurred today in two different countries again,
bytecode-213 between 0035 and 0105hrs UTC.

>> Does this mean we are seeing out-of-date mirrors?  Because i'm seeing this
>> frequently from several different parts of the world.
>>
> That's one explanation.  I should think it could be almost any server issue
> or even temporary network issues.  I would expect there to be some increase
> in out-of-dates due to there being many more updates per day than there used
> to be.  I'm in the US on the West coast and update a minimum of twice a day.
We're checking every 30 minutes, and the timing is staggered across
multiple servers worldwide.
We've done a bit of work lately to try to get the mirrors we poll set up
correctly[1], and to ensure that our transparent proxies weren't getting
in the way. Now i'm seeing alerts via email, but by the time I check
manually, it's fine - which implied to me that the update was failing on
the first mirror and working fine on the second - so the question is
whether Freshclam needs to fire this back to stdout.


[1] we are using three mirrors: db.$countrycode.clamav.net, followed by
db.local.clamav.net, followed by database.clamav.net.
Interestingly in New Zealand at least, db.nz.clamav.net points to the
same cluster of IP's (all located in Australia) that db.local.clamav.net
does, so i'm not entirely sure why it fails on db.nz but works on db.local?

An examination of the freshclam log for that specific case suggests that
the failure on db.nz.clamav.net is that the cdiff is missing, so it's
tried to grab the whole bytecode file and found that it's 'not
synchronised', so (presumably) trashes it and tries the next mirror. 
There's a proxy involved, which makes troubleshooting a little more
complicated...




>
>> Can freshclam be configured to try multiple mirrors and suppress the error
>> unless none of the mirrors work?
>>
> It does try multiple mirrors, and why do you need the warning (not an error)
> suppressed?  Here's one example:
>
> WARNING: getfile: daily-15612.cdiff not found on remote server (IP:
> 194.47.250.218)
> WARNING: getpatch: Can't download daily-15612.cdiff from database.clamav.net
> Downloading daily-15612.cdiff [100%]
> Downloading daily-15613.cdiff [100%]
> daily.cld updated (version: 15613, sigs: 286256, f-level: 63, builder:
> guitar)
> bytecode.cvd is up to date (version: 202, sigs: 40, f-level: 63, builder:
> neo)
> Database updated (1330683 signatures) from database.clamav.net (IP:
> 207.57.106.31)
>

I see the emails and treat them as a warning we might not be updated or
have some other problem.  I've learned today, that I should read them
more carefully and maybe I can filter them a little more in my client to
pull the truly useful info out! :-)

Cheers
Mark.
_____________________________________________________________________________

This email has been filtered by SMX. For more information visit smxemail.com
_____________________________________________________________________________

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Reply via email to