On Thu, 11 Mar 2021, Paul Smith via clamav-users wrote:

On 10/03/2021 22:29, Joel Esler (jesler) via clamav-users wrote:
100 CDIFFs or so behind, and they download it nearly 2k times in a row?  Why?  This is not a partial download either.  It’s the full file.  Stuck cron?


Who in the past 24 hours has created 22.17M file downloads /all by themselves/ from a single IP. (The main.cvd btw)

You *may* be forgetting NAT.

Eg, it's possible the first one is a network of a few thousand computers going through a NAT firewall where each of them has had an old daily.cvd copied onto them in an internal release cycle or something, so each of the computers on that network is trying to download a backlog of CDIFFs. (Or maybe another problem stopping the updates has been discovered and fixed, or something)

I'm not saying it is, but it may be. If you are only analysing by IP address, NAT will innocently cause strange results.

I'm thinking short-lived virtual machines that install clamav on first boot.
I guess the thinking is that "Since the cvd files are large and change "frequently"* it isn't worth installing them in the image;
the running image can download the current versions ..."
*Daily isn't that frequent, but they think it is.
Of course a short-lived vm should be using an external clamd server,
if it needs AV at all.

If this *is* the problem, freshclam isn't the solution :-(
You will need either to persuade the owners to think about how and why they are attempting to run clamav, or perhaps persuade the suppliers
of the container images not to include a local clam service.

--
Andrew C. Aitchison                                     Kendal, UK
                        and...@aitchison.me.uk

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to