Ping.clamav.net is an identification lookup. Helps us see what versions people are running out there and what version of ClamAV people are using. Its failure shouldn’t stop the update process. Please give us a debug.

Sent from my iPhone

> On Jun 30, 2018, at 19:28, Paul Kosinski <clamav-us...@iment.com> wrote:
>
> We are *still* failing to get ClamAV cvd files updates reliably -- even
> after deleting mirrors.dat before each attempt!
>
> The basic problem seems to be that the query to (e.g.):
>
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net
>
> fails as often as not (e.g.):
>
>   Querying daily.24710.85.1.0.6810BB8A.ping.clamav.net
>   Can't query daily.24710.85.1.0.6810BB8A.ping.clamav.net
>
> The query fails a lot when issued by freshclam, and it also fails
> (times out) a lot when issued by dig.
>
> As far as I can tell by reading the freshclam code, the query is just a
> DNS query for the A record (as opposed to a TXT record etc.). I presume
> that the prefix part of the FQDN works like it does for blacklists and
> indicates whether the prefix is "good" or "bad".
>
> As I investigated further, I ran one test which gave a very interesting
> result:
>
>   # dig xx.ping.clamav.net
>   ;xx.ping.clamav.net. IN A
>   xx.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 218 IN NS ns4.clamav.net.
>   ns4.clamav.net. 3053 IN A 12.167.151.33
>   ns4.clamav.net. 3053 IN A 5.9.14.57
>   ns4.clamav.net. 3258 IN AAAA 2a01:4f8:160:8421::2
>
> Apparently, ping.clamav.net is handled by ns4.clamav.net, but that name
> server has 2 unrelated IP addresses. The 12.167.151.33 address appears
> to be leased by Sourcefire from AT&T, but the 5.9.14.57 address is
> owned by Hetzner.de.
>
>
> If I now do digs explicitly using the 2 different addresses for ns4,
> the Hetzner one works, but the Sourcefire one doesn't:
>
>   # while true; do dig @5.9.14.57 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 1200 IN NS ns4.clamav.net.
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 1200 IN NS ns4.clamav.net.
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 1200 IN NS ns4.clamav.net.
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 1200 IN NS ns4.clamav.net.
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 1200 IN NS ns4.clamav.net.
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 1200 IN NS ns4.clamav.net.
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
>   ping.clamav.net. 1200 IN NS ns4.clamav.net.
>   ^C
>
>   # while true; do dig @12.167.151.33 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
>   ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
>   ^C
>
> This would explain why the DNS query from freshclam is so unreliable.
> (Is the Sourcefire instance of ns4 even running a DNS server?)
>
>
> This behavior is causing us much grief, because a large number of
> ClamAV DB updates fail, saying that the mirror is not synchronized,
> thus adding that mirror to mirrors.dat (which I now automatically
> delete right before freshclam runs!).
>
> Is there anything we can do short of bypassing freshclam, periodically
> downloading daily.cvd, bytecode.cvd etc., and seeing if they differ from
> the last download?
>
>
> P.S. Here are traceroutes to the 2 ns4.clamav.net machines; these show
> that we *do* have the ability to reach both of them:
>
> traceroute to ns4.clamav.net (5.9.14.57), 30 hops max, 60 byte packets
>  1 dslmodem.iment.local (10.25.26.1) 1.108 ms 1.476 ms 1.942 ms
>  2 216.237.102.1 (216.237.102.1) 36.675 ms 39.009 ms 40.798 ms
>  3 216.237.98.117 (216.237.98.117) 44.470 ms 46.751 ms 46.998 ms
>  4 69.46.227.233.lightower.net (69.46.227.233) 79.273 ms 79.554 ms 79.803 ms
>  5 ae22-bstpmalljp1.lightower.net (104.207.214.80) 74.458 ms 76.358 ms 76.582 ms
>  6 ae10-bstpmallj93.lightower.net (144.121.35.36) 68.487 ms 69.450 ms 69.548 ms
>  7 10ge8-1.core1.bos1.he.net (216.66.32.5) 66.711 ms 41.656 ms 42.851 ms
>  8 100ge12-2.core1.nyc4.he.net (184.105.64.53) 43.861 ms 41.986 ms 42.088 ms
>  9 100ge11-1.core1.nyc5.he.net (184.105.213.218) 43.702 ms
>    100ge16-2.core1.lon2.he.net (72.52.92.165) 109.536 ms 112.671 ms
> 10 100ge6-2.core1.ams1.he.net (72.52.92.214) 145.347 ms 161.222 ms
>    100ge8-2.core1.dub1.he.net (184.105.65.246) 103.805 ms
> 11 100ge3-2.core1.man1.he.net (72.52.92.197) 107.707 ms 109.637 ms 109.192 ms
> 12 100ge16-1.core1.ams1.he.net (184.105.213.65) 128.275 ms
>    core23.fsn1.hetzner.com (213.239.224.249) 128.936 ms
>    100ge16-1.core1.ams1.he.net (184.105.213.65) 128.679 ms
> 13 ex9k1.dc7.fsn1.hetzner.com (213.239.229.234) 134.740 ms
>    hetzner.interxionfra4.nl-ix.net (193.239.117.110) 127.076 ms 127.058 ms
> 14 core23.fsn1.hetzner.com (213.239.224.249) 131.271 ms
>    core24.fsn1.hetzner.com (213.239.224.253) 130.748 ms
>    core23.fsn1.hetzner.com (213.239.224.249) 125.226 ms
> 15 ns4.clamav.net (5.9.14.57) 127.731 ms 128.609 ms
>    ex9k1.dc7.fsn1.hetzner.com (213.239.229.238) 129.537 ms
>
> traceroute to ns4.clamav.net (12.167.151.33), 30 hops max, 60 byte packets
>  1 dslmodem.iment.local (10.25.26.1) 1.104 ms 1.562 ms 2.070 ms
>  2 216.237.102.1 (216.237.102.1) 37.613 ms 40.082 ms 41.797 ms
>  3 216.237.98.117 (216.237.98.117) 43.653 ms 45.999 ms 47.673 ms
>  4 69.46.227.233.lightower.net (69.46.227.233) 49.435 ms 51.731 ms 53.404 ms
>  5 ae22-bstpmalljp1.lightower.net (104.207.214.80) 57.317 ms 59.946 ms 61.832 ms
>  6 ae10-bstpmallj93.lightower.net (144.121.35.36) 61.904 ms 61.712 ms 64.363 ms
>  7 10ge8-1.core1.bos1.he.net (216.66.32.5) 66.045 ms 39.012 ms 37.544 ms
>  8 100ge12-2.core1.nyc4.he.net (184.105.64.53) 41.486 ms 41.540 ms 41.395 ms
>  9 100ge16-1.core1.ash1.he.net (184.105.223.165) 117.502 ms 47.104 ms 57.578 ms
> 10 eqix-ix-dc6.ciscosystems.com (206.126.237.194) 47.562 ms 46.928 ms 46.960 ms
> 11 ava-talos2-pp-talos1-vlan2804.vrt.sourcefire.com (198.148.79.102) 48.446 ms 50.351 ms 50.132 ms
> 12 moist.vrt.sourcefire.com (198.148.79.134) 50.964 ms 50.374 ms 47.583 ms
> 13 * * *
> 14 12.167.151.33 (12.167.151.33) 47.663 ms 47.912 ms 47.902 ms
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
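
Added example, not part of the thread or of ClamAV: a small shell check that classifies what each address of one name server returns for the same query name, so a split like the one quoted above (an A record from 5.9.14.57, only a "localhost." SOA from 12.167.151.33) is flagged automatically. The function names classify_reply and verdict are hypothetical, and the sample replies are constructed from the dig output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): classify what each address of one NS
# name returns for the same query, using dig record lines as input.

QNAME=daily.24710.85.1.0.6810BB8A.ping.clamav.net   # query name from the thread

# classify_reply QNAME (hypothetical helper): read dig record lines on stdin
# and print one of
#   "answer <ip>"       an A record for QNAME was returned
#   "soa-only <mname>"  no A record, only an SOA (negative answer)
#   "no-reply"          nothing usable (e.g. the query timed out)
classify_reply() {
    awk -v q="$1." '
        /^;/ || NF < 5 { next }                      # question/comment lines
        $3 == "IN" && $4 == "A" && tolower($1) == tolower(q) { a = $5 }
        $3 == "IN" && $4 == "SOA" { soa = $5 }
        END {
            if (a != "")        print "answer " a
            else if (soa != "") print "soa-only " soa
            else                print "no-reply"
        }'
}

# verdict REPLY... (hypothetical helper): every address of the name server
# should give the same classification for the same query.
verdict() {
    first=$1
    for r in "$@"; do
        [ "$r" = "$first" ] || { echo inconsistent; return 0; }
    done
    echo consistent
}

# Sample input constructed from the dig output quoted in the thread.
reply_5_9_14_57() { cat <<EOF
;$QNAME. IN A
$QNAME. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
EOF
}
reply_12_167_151_33() { cat <<EOF
;$QNAME. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
EOF
}

r1=$(reply_5_9_14_57 | classify_reply "$QNAME")
r2=$(reply_12_167_151_33 | classify_reply "$QNAME")
echo "5.9.14.57     -> $r1"
echo "12.167.151.33 -> $r2"
echo "ns4.clamav.net: $(verdict "$r1" "$r2")"
# Live use: dig +noall +answer +authority @ADDR "$QNAME" | classify_reply "$QNAME"
```

An SOA whose primary name is "localhost." is what a default or placeholder zone typically looks like, so the second classification points at the server's zone data rather than at the network path.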