Several of the problems that we’ve observed are things like a dockerized 
container or a VM that is reset constantly, so instead of being able to 
download the cdiffs, those machines have to download the whole daily/main.  
Those could benefit from a local mirror. 

Abusers are present but infrequent. If you’re using freshclam, you’re doing it 
right. If you have python or curl downloading everything every 5 minutes — 
I’m going to block you.

Sent from my iPhone

> On Sep 2, 2020, at 07:54, G.W. Haywood via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
> 
> Hi there,
> 
>> On Wed, 2 Sep 2020, Andrew C Aitchison via clamav-users wrote:
>> 
>> The sample freshclam.conf ...
>>       # Default: 12 (every two hours)
>> ...
>> but https://blog.clamav.net/2020/07/freshclam-cdiffs-effect-on-bandwidth.html
>> ...
>>       2. Reduce the checks to once or twice a day.
>> 
>> Would it make sense to make these agree ?
> 
> +1
> 
> Bear in mind that a normal freshclam database update check (which is
> just a DNS query) doesn't necessarily result in the download of any
> file - not even of a .cdiff file.
> 
> In the same blog post it says that the databases are only updated once
> per day.  In view of the types of threat that some folks have to deal
> with that seems a little infrequent, although I do understand that
> there are pressures on resources. Also bear in mind that if the update
> frequency is once per day both at the server and at the client, then
> if the timings are unfortunate the delay between an update at source
> and the update by a client could be almost _two_ days.
> 
> Finally the blog post talks about a small number of IPs which seem to
> be downloading the main and daily databases tens of thousands of times
> per day.  While I suppose it is plausible that these are deliberately
> malicious downloads it seems more likely to me that the explanation is
> incompetence in large organizations which have a lot of workstations
> behind NAT firewalls.  I suspect a local caching proxy or mirror could
> eliminate some of the problems, but the blog post does not mention it.
> 
> -- 
> 
> 73,
> Ged.
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
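
For anyone running the local mirror discussed in this thread, the following is an added example (not part of the original messages and not ClamAV project code) that separates clients updating via .cdiff from clients repeatedly pulling the full main/daily databases. The log lines are constructed, the Common Log Format layout and the threshold of two full downloads per client per day are assumptions, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of a mirror's access log (Common Log Format assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2020:01:00:00 +0000] "GET /daily-25915.cdiff HTTP/1.1" 200 4312
10.0.0.5 - - [02/Sep/2020:13:00:00 +0000] "GET /daily-25916.cdiff HTTP/1.1" 200 5120
10.0.0.9 - - [02/Sep/2020:00:05:00 +0000] "GET /daily.cvd HTTP/1.1" 200 98000000
10.0.0.9 - - [02/Sep/2020:00:05:10 +0000] "GET /main.cvd HTTP/1.1" 200 117000000
10.0.0.9 - - [02/Sep/2020:00:10:00 +0000] "GET /daily.cvd HTTP/1.1" 200 98000000
10.0.0.9 - - [02/Sep/2020:00:15:00 +0000] "GET /daily.cvd HTTP/1.1" 200 98000000
10.0.0.7 - - [02/Sep/2020:02:00:00 +0000] "GET /daily.cvd HTTP/1.1" 200 98000000
10.0.0.7 - - [02/Sep/2020:14:00:00 +0000] "GET /daily.cvd HTTP/1.1" 304 -
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "GET /(\S+) HTTP/[\d.]+" (\d{3}) '
)
FULL_DB = re.compile(r"^(main|daily|bytecode)\.cvd$")      # whole database
CDIFF = re.compile(r"^(main|daily|bytecode)-\d+\.cdiff$")  # incremental patch


def summarize(log_text):
    """Count completed full-database and cdiff downloads per (client, day)."""
    counts = defaultdict(lambda: {"full": 0, "cdiff": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only 200 responses transfer a file; a 304 means nothing was sent.
        if not m or m.group(4) != "200":
            continue
        ip, day, name = m.group(1), m.group(2), m.group(3)
        if FULL_DB.match(name):
            counts[(ip, day)]["full"] += 1
        elif CDIFF.match(name):
            counts[(ip, day)]["cdiff"] += 1
    return dict(counts)


def flag_heavy_clients(log_text, max_full_per_day=2):
    """Return sorted (ip, day, full_count) for clients over the assumed threshold."""
    return sorted(
        (ip, day, c["full"])
        for (ip, day), c in summarize(log_text).items()
        if c["full"] > max_full_per_day
    )


if __name__ == "__main__":
    for ip, day, n in flag_heavy_clients(SAMPLE_LOG):
        print(f"{ip} fetched {n} full databases on {day}")
```

A client that is flagged here but sits behind a NAT address may be many workstations rather than one misbehaving script, which is the case a shared mirror or caching proxy is meant to absorb.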
