[Pkg-clamav-devel] Bug#761162: clamav-unofficial-sigs: Cron job results spread onto mail and logs

Bill Landry unofficialsigs at gmail.com
Fri Oct 17 03:45:50 UTC 2014


Guys, please note that curl only downloads a SecuriteInfo database if the
file has been updated.  Checking for database updates will not get your IP
banned; however, "downloading" the same databases over and over, even
though there have been no updates, will cause your IP to get banned.
Therefore, no need to change the default SecuriteInfo check interval.

Also, I don't feel that ignoring failed database downloads is prudent.
Most admins want to know right away if there is a problem with a download
site.  When I get some time I'll take a look at the provided patch to see
if any of the suggested changes make sense.

Bill

On Thu, Sep 11, 2014 at 10:10 AM, Alessandro Vesely <vesely at tana.it> wrote:

> On Thu 11/Sep/2014 12:20:11 +0200 Paul Wise wrote:
> >
> > Bill, would it be possible for you to update clamav-unofficial-sigs so
> > that only signature downtime of more than one day is reported by the
> > cron job? The current setup means that many admins are getting a lot of
> > non-actionable cron spam, myself included.
>
> I'd rather suggest something along the lines of the attached patch
> (not tested).  It should get rid of some cron spam.  For reporting, I
> think libclamav does issue some warnings if a database is unacceptably
> old, not sure that covers all databases though.
>
> >> shell variable si_url is hardcoded in clamav-unofficial-
> >> sigs.sh. Perhaps, making it configurable may encourage
> >> donations.  In fact, it is not clear whether that host
> >> is managed by Sanesecurity or SecuriteInfo.
>
> At a closer look, it /is/ clear: Sanesecurity rate SecuriteInfo
> databases, but neither produce nor distribute them.  Sorry for the
> confusion.
>
> > You can change the default URL by putting si_url=... here:
> >
> > /etc/clamav-unofficial-sigs.conf.d/sanesecurl.conf
>
> Hm... that would work if those assignments were done before sourcing
> $config_source.
>
> > I doubt the premium mirrors would resolve this issue though.
>
> You're right.  Unlike Sanesecurity, SecuriteInfo have no premium
> mirror.  Instead, they warn not to download files more than once a day
> on pain of ip-ban[1].  Hence, I changed to "24" the default
> si_update_hours (it is "4" in the dist clamav-unofficial-sigs.conf).
>
> Ciao
> Ale
>
> [1]:
>
> https://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
>
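
The thread weighs two reporting policies: mail only when a database has been failing for more than a day, or surface every failed download. The sketch below is an added example, not code from clamav-unofficial-sigs or from the attached patch: it logs every failure to a file and prints (so cron mails) only once the outage passes a threshold. `note_result`, `STATE_DIR`, `THRESHOLD` and the state-file layout are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: threshold-based reporting for a cron-driven signature updater.
# Hypothetical names throughout; not part of clamav-unofficial-sigs.
STATE_DIR=${STATE_DIR:-${TMPDIR:-/tmp}/sigs-state}
THRESHOLD=${THRESHOLD:-86400}   # seconds of continuous failure before mailing

# note_result <db-name> <download-exit-status> <now-epoch>
# Output on stdout is what cron would mail; failures.log records everything.
note_result() {
    db=$1; status=$2; now=$3
    mkdir -p "$STATE_DIR" || return 1
    first="$STATE_DIR/$db.first_failure"

    if [ "$status" -eq 0 ]; then
        # Success ends any outage; announce recovery only if it was reported.
        if [ -f "$first" ]; then
            down=$(( now - $(cat "$first") ))
            rm -f "$first"
            [ "$down" -ge "$THRESHOLD" ] &&
                echo "RECOVERED: $db after $((down / 3600))h"
        fi
        return 0
    fi

    # Every failure is kept on disk, so nothing is silently ignored.
    echo "$now $db download failed (status $status)" >> "$STATE_DIR/failures.log"

    # Remember when this outage started; later failures do not reset it.
    [ -f "$first" ] || echo "$now" > "$first"
    down=$(( now - $(cat "$first") ))

    if [ "$down" -ge "$THRESHOLD" ]; then
        echo "WARNING: $db has not updated for $((down / 3600)) hours"
    fi
    return 0
}

# Typical call from the update loop (timestamps come from the clock there):
#   note_result "$db_file" "$curl_status" "$(date +%s)"
```

Setting `THRESHOLD=0` restores immediate reporting of every failure.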