I hadn't looked recently. After I gave up on running a local mirror and switched to CDIFFs, I also observed that signatures were usually updated only a couple of times per day. So I reduced polling the DNS TXT record to only twice per hour and only running freshclam if the DNS TXT record suggested it.
Having just rechecked our freshclam logs, I can state that I have not seen any failures this year! I don't know if this is due to the BOS server being improved, or if it's simply due to the CDIFF files being much smaller, and thus being propagated in a more timely fashion. In any case, I'm quite pleased.

Now I have another, related, question. Since I now have each of our machines on our LAN downloading the signature updates separately (local mirrors apparently being dead), I have a firewalling problem.

Our mail server (for example) is blocked from having general Internet access outbound. So when I want to do a software update, I manually unblock the appropriate port, run the update and then manually block the port again. This obviously is impractical for freshclam, as it might be run at arbitrary times during the day.

So my solution has been to have permanently allowed outbound connections to port 80 from the mail server to *exactly* those Anycast IP addresses that ClamAV uses at Cloudflare. This, obviously, would cause trouble in the future if the IP addresses were to change.

Should I presume that the lifetime of these IP addresses is long enough that a rare manual update might be needed, or could they change "relatively" often (like DHCP leases) so that some kind of automation would be warranted? (The only IP addresses I currently allow through are 104.16.218.84 and 104.16.219.84, and they seem to be enough.)

Any thoughts?

On Tue, 9 Jul 2019 20:40:15 +0000
"Joel Esler (jesler)" <jes...@cisco.com> wrote:

> This has been fixed for some time has it not?
>
> > On Jul 9, 2019, at 3:38 PM, Paul Kosinski via clamav-users
> > <clamav-users@lists.clamav.net> wrote:
> >
> > The CVD version delivered by Cloudflare's "BOS"
> > Anycast server was often behind the version advertised by the DNS
> > TXT.
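An added example, not part of the original message or of ClamAV: a small drift check that compares the firewall allowlist quoted in the message with whatever the mirror hostname currently resolves to, so a change in the Anycast addresses is noticed before freshclam starts failing. The function names, the constructed sample data (203.0.113.10 is a documentation address) and the hostname `database.clamav.net` in the usage comment are assumptions.

```shell
#!/bin/sh
# Allowlist as given in the message above.
ALLOWED="104.16.218.84 104.16.219.84"

# Print each address in list $2 that is absent from list $1.
# Both lists may be separated by spaces or newlines.
missing_from() {
    have=" $(echo $1) "              # collapse whitespace to single spaces
    for ip in $2; do
        case "$have" in
            *" $ip "*) ;;            # covered
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Return 0 if allowlist and DNS agree, 1 on drift, 2 if DNS gave nothing.
# $1 = firewall allowlist, $2 = currently resolved A records
check_drift() {
    if [ -z "$(echo $2)" ]; then
        echo "lookup returned no addresses; leaving firewall alone" >&2
        return 2
    fi
    new=$(missing_from "$1" "$2")    # resolved, but blocked by the firewall
    old=$(missing_from "$2" "$1")    # allowed, but no longer resolved
    if [ -z "$new" ] && [ -z "$old" ]; then
        return 0
    fi
    echo "blocked but needed: $(echo ${new:-none})" >&2
    echo "allowed but stale:  $(echo ${old:-none})" >&2
    return 1
}

# Constructed sample: one address replaced by a different one.
SAMPLE_RESOLVED="104.16.218.84
203.0.113.10"
if check_drift "$ALLOWED" "$SAMPLE_RESOLVED"; then
    echo "allowlist matches DNS"
else
    echo "allowlist needs review"
fi

# Live use (assumed hostname; keep only IPv4 lines, dropping CNAME targets):
#   check_drift "$ALLOWED" "$(dig +short A database.clamav.net | grep -E '^[0-9.]+$')"
```

Run from cron on a host that is allowed to do DNS lookups, a non-zero exit status is the signal to review the outbound rule.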