Topic: Clamav config not up to standard?

[ainigma32]

I've just installed Clamav using Swerts Knudsen's excellent install script. Everything was working as expected and after checking the installation I decided to check out the Clamav website. The first thing that struck me was the following topic: http://sourceforge.net/forum/forum.php?forum_id=420492

We are seeing a lot of useless traffic on our mirror servers.  
It looks like there are many broken freshclam clients still running.

and

Abusing clients will be added to a black list and won't be able to  
download our database anymore.

Since I don't particularly like to be blacklisted I solved this problem quick and dirty by adding two custom-templates:

Code: [Select]

/etc/e-smith/templates-custom/etc/freshclam.conf/36DatabaseMirror

and

Code: [Select]

/etc/e-smith/templates-custom/etc/freshclam.conf/37DatabaseMirror

The first file contains:

Code: [Select]

DNSDatabaseInfo current.cvd.clamav.net

The second contains:

Code: [Select]

DatabaseMirror database.clamav.net

I then expanded the templates and set the DatabaseMirror that was already present to the one nearest to me (db.nl.clamav.net) using the administrator panel.

I think that should do it but, like I mentioned earlier, this is a quick and dirty solution. Since I'm no SME guru I was wondering if this will satisfy the demands made by Clamav and how this could be incorporated into the administrator panel.

I didn't go into the cron settings (not using the full hour because everybody already does) but maybe one of the more experienced users could take a swing at that?

Anyway, any feedback would be greatly appreciated.

[mrjhb3]

I am on the clamav announce list and received the same info.  I also made templates-custom modifications to my system to test.  The new settings work quite nicely.  If you run the freshclam test, you should see that if you don't need any updates, it completes much faster with the DNS settings.  

Jesper is working on making the necessary modifications to his script and hopefully can get them released real soon.

JB

[ainigma32]

Outstanding! I look forward to the modifications. Any thoughts on the schedule used for cron?

[mrjhb3]

Don't think I can add any value with the cron settings.  I have mine set to daily.  I don't really think I need it set for every hour or two.

JB

[ainigma32]

I was referring to the following text in the Clamav documentation:

The other method is to use the cron daemon. You have to add the following line to the
crontab of the root or clamav users:
N * * * * /usr/local/bin/freshclam --quiet
to check for a new database every hour. N should be a number between 3 and 57
of your choice. Please don’t choose any multiple of 10, because there are already
too many clients using those time slots.

Does the contrib use a random number between 3 and 57 or does it use a multiple of 10? Maybe this should be changed as well when the contrib is updated?

This isn't a big issue but it could prevent performace problems in the future if the number of Clamav users keeps on growing.

[mrjhb3]

If you look in /etc/crontab you can see when freshclam is run.  From the server-manager panel you have the choice of running the updates, every hour, 2 hours, daily or never.  If that doesn't suite you, then just create a templates-custom fragment and change the time you want to run the updates.

JB

[ainigma32]

Okay, I looked at it and freshclam is executed at 5 minutes past the hour (or two hours, or ...) which suits me just fine.

What I meant to say was that if enough SME-users install this contrib they will all try to update on 5 minutes past the hour. Now that's kind of cozy   but I don't think the people of Clamav will appreciate it much. So I was thinking: Why not generate a random number or let the admin specify the setting through the web panel?
Like I mentioned before, this is no biggie but it could cause problems in the future.

Anyway I was planning to check out the "RPM's for dummies" documentation and I guess there's no time like the present  

Update:

Jesper has fixed the new directive: http://forums.contribs.org/index.php?topic=24796.0

[TrevorB]

Okay, I looked at it and freshclam is executed at 5 minutes past the hour (or two hours, or ...) which suits me just fine.

What I meant to say was that if enough SME-users install this contrib they will all try to update on 5 minutes past the hour. Now that's kind of cozy but I don't think the people of Clamav will appreciate it much. So I was thinking: Why not generate a random number or let the admin specify the setting through the web panel?

I used Jespers (Knuddis) latest script and freshclam is executed at 24 minutes past the hour, so am assuming that he has generated a random number.

Trevor B

[ainigma32]

It just keeps getting better. Three thumbs up for Jesper

[bigbri100]

It is probably something simple but after upgrading Clam I am getting the following warnings when running clamscan.

LibClamAV Warning: Unknown machine type in PE header
LibClamAV Warning: Broken PE header detected.

Everything appears to be working fine except for the warnings.

Any ideas?

[ainigma32]

Not sure but these guys have the same problem http://www.gossamer-threads.com/lists/clamav/users/14045?do=post_view_threaded
Seems that Clamav warns that the attached executable is broken/mangled.
I can't seem to find a buglist for Clamav anywhere to confirm. Anybody know where to find such a list?