Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Suspected rate limiting while running freshclam #664

Open matthj1 opened 1 year ago

matthj1 commented 1 year ago

Hi Team,

I've been getting the below error when running the freshclam command during the building of an AWS machine image using Packer. I've been using ClamAV without issue for a long time; this has only been observed for the first time today.

> "stdout": "Fri Jul 29 11:21:26 2022 -> ClamAV update process started at Fri Jul 29 11:21:26 2022
> Fri Jul 29 11:21:26 2022 -> ^DNS record is older than 3 hours.
> Fri Jul 29 11:21:26 2022 -> Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
> Fri Jul 29 11:21:26 2022 -> daily.cvd database is up-to-date (version: 26615, sigs: 1992518, f-level: 90, builder: raynman)
> Fri Jul 29 11:21:26 2022 -> Trying to retrieve CVD header from https://database.clamav.net/main.cvd
> Fri Jul 29 11:21:27 2022 -> ^remote_cvdhead: Malformed CVD header (too short)
> Fri Jul 29 11:21:27 2022 -> ^Failed to get main database version information from server: https://database.clamav.net
> Fri Jul 29 11:21:27 2022 -> !check_for_new_database_version: Failed to find main database using server https://database.clamav.net.
> Fri Jul 29 11:21:27 2022 -> Trying again in 5 secs...
> Fri Jul 29 11:21:32 2022 -> Trying to retrieve CVD header from https://database.clamav.net/main.cvd
> Fri Jul 29 11:21:32 2022 -> ^remote_cvdhead: Malformed CVD header (too short)
> Fri Jul 29 11:21:32 2022 -> ^Failed to get main database version information from server: https://database.clamav.net
> Fri Jul 29 11:21:32 2022 -> !check_for_new_database_version: Failed to find main database using server https://database.clamav.net.
> Fri Jul 29 11:21:32 2022 -> Trying again in 5 secs...
> Fri Jul 29 11:21:37 2022 -> Trying to retrieve CVD header from https://database.clamav.net/main.cvd
> Fri Jul 29 11:21:37 2022 -> ^remote_cvdhead: Malformed CVD header (too short)
> Fri Jul 29 11:21:37 2022 -> ^Failed to get main database version information from server: https://database.clamav.net
> Fri Jul 29 11:21:37 2022 -> !check_for_new_database_version: Failed to find main database using server https://database.clamav.net.
> Fri Jul 29 11:21:37 2022 -> Trying again in 5 secs...
> Fri Jul 29 11:21:42 2022 -> Trying to retrieve CVD header from https://database.clamav.net/main.cvd
> Fri Jul 29 11:21:42 2022 -> ^remote_cvdhead: Malformed CVD header (too short)
> Fri Jul 29 11:21:42 2022 -> ^Failed to get main database version information from server: https://database.clamav.net
> Fri Jul 29 11:21:42 2022 -> !check_for_new_database_version: Failed to find main database using server https://database.clamav.net.
> Fri Jul 29 11:21:42 2022 -> Trying again in 5 secs...
> Fri Jul 29 11:21:47 2022 -> Trying to retrieve CVD header from https://database.clamav.net/main.cvd
> Fri Jul 29 11:21:47 2022 -> !remote_cvdhead: Malformed CVD header (too short)
> Fri Jul 29 11:21:47 2022 -> ^Failed to get main database version information from server: https://database.clamav.net
> Fri Jul 29 11:21:47 2022 -> !check_for_new_database_version: Failed to find main database using server https://database.clamav.net.
> Fri Jul 29 11:21:47 2022 -> Giving up on https://database.clamav.net...
> Fri Jul 29 11:21:47 2022 -> !Update failed for database: main
> Fri Jul 29 11:21:47 2022 -> !Database update process failed: HTTP GET failed
> Fri Jul 29 11:21:47 2022 -> !Update failed."

I believe it's the same issue as https://github.com/Cisco-Talos/clamav/issues/588 and https://github.com/Cisco-Talos/clamav/issues/592

Is this likely a legitimate hit of the rate limit or has something gone wrong between Cloudflare and yourselves as described in the above issues?

Many thanks!

micahsnyder commented 1 year ago

Hi @matthj1 I'm sad to hear this issue is happening again.

I have an idea on what is actually happening. For some reason your freshclam client is trying to determine the version of main.cvd on the server by using HTTP to query the CVD header, rather than by using a DNS query. Frequent HTTP queries will trigger rate limiting, while DNS queries will not.

My question is, do you know if DNS may be failing or disabled in your environment or your freshclam config? I want to understand why it's falling back to HTTP.

If you can't get freshclam to use DNS instead, my advice would be to change the frequency that you run freshclam for updates to once or twice a day. That should get you below the rate limit threshold, and hopefully will make this go away.

On our side, we should alter freshclam to understand rate limit responses in that HTTP CVD-header check, and put in some smarter logic to limit version check attempts when in HTTP-fallback mode.
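To make the two version-check paths described above concrete, here is an added example (not ClamAV project code) that models them: a single DNS TXT lookup that returns the advertised main and daily versions, versus an HTTP fetch of the CVD header, which is the path that gets rate limited. The record layout, the 512-byte header layout and the 3-hour staleness rule are assumptions taken from freshclam's documented behaviour, not from this issue; the sample TXT record, the placeholder MD5/signature fields and the rate-limit response body are constructed, while the daily.cvd version, signature count, f-level and builder are the values from the log in the issue. The model also falls back to HTTP when the DNS record is stale, which matches the "DNS record is older than 3 hours" warning that precedes the HTTP attempts in the log above, so it is a useful first check when diagnosing an environment that keeps landing in HTTP-fallback mode.

```python
"""Added example: model freshclam's DNS-first version check and its HTTP fallback."""
import time

DNS_STALE_SECONDS = 3 * 3600   # assumption: freshclam warns when the TXT record is older than 3 hours
CVD_HEADER_LEN = 512           # assumption: a CVD file begins with a fixed 512-byte header

# --- constructed sample inputs (not captured from clamav.net) ----------------
# Assumed layout of the TXT record at current.cvd.clamav.net (colon separated):
#   0: latest ClamAV release   1: main.cvd version   2: daily.cvd version
#   3: Unix time the record was published   (remaining fields unused here)
SAMPLE_TXT = "0.105.1:62:26615:1659093686:1:90:49192:333"
SAMPLE_TXT_TIME = 1659093686

# A daily.cvd header built from the issue's log values; MD5 and dsig are placeholders.
# Assumed field order: ClamAV-VDB:date:version:sigs:flevel:md5:dsig:builder:stime
SAMPLE_CVD_HEADER = (
    b"ClamAV-VDB:29 Jul 2022 09-33 +0000:26615:1992518:90:"
    b"PLACEHOLDER-MD5:PLACEHOLDER-DSIG:raynman:1659087180"
).ljust(CVD_HEADER_LEN, b" ")

# What a rate-limited HTTP fetch hands back instead of a CVD header (constructed).
RATE_LIMITED_BODY = b"<html><body>429 Too Many Requests</body></html>"


def parse_dns_record(txt, now=None):
    """Extract the advertised versions and flag a record older than the staleness window."""
    fields = txt.split(":")
    if len(fields) < 4:
        raise ValueError("unexpected TXT record layout")
    published = int(fields[3])
    age = (now if now is not None else time.time()) - published
    return {
        "main": int(fields[1]),
        "daily": int(fields[2]),
        "stale": age > DNS_STALE_SECONDS,
    }


def probe_cvd_header(blob):
    """Return (header dict, None) for a valid header, or (None, error text) otherwise.

    A rate-limit error page is far shorter than 512 bytes, which is exactly the
    'Malformed CVD header (too short)' condition seen in the log."""
    if len(blob) < CVD_HEADER_LEN:
        return None, "Malformed CVD header (too short)"
    head = blob[:CVD_HEADER_LEN].rstrip(b" \x00").decode("ascii", errors="replace")
    parts = head.split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 9:
        return None, "Malformed CVD header (bad layout)"
    return {
        "version": int(parts[2]),
        "sigs": int(parts[3]),
        "flevel": int(parts[4]),
        "builder": parts[7],
    }, None


def remote_version(db, dns_txt, http_body, now=None):
    """Decide the server-side version of `db` ('main' or 'daily').

    Prefer the single DNS lookup; use the HTTP header only when DNS is
    unavailable (dns_txt is None) or the record is stale."""
    if dns_txt is not None:
        rec = parse_dns_record(dns_txt, now)
        if not rec["stale"]:
            return "dns", rec[db]
    header, err = probe_cvd_header(http_body)
    if err:
        raise RuntimeError(f"{db}: {err}")
    return "http", header["version"]


if __name__ == "__main__":
    print(remote_version("daily", SAMPLE_TXT, RATE_LIMITED_BODY, now=SAMPLE_TXT_TIME + 60))
    print(remote_version("daily", None, SAMPLE_CVD_HEADER))
    print(probe_cvd_header(RATE_LIMITED_BODY))
```

With a fresh TXT record the rate-limited body is never consulted; with DNS disabled (or a stale record) the same body produces the "too short" error the issue reports, which is why an image-build pipeline that cannot resolve TXT records and runs freshclam often will hit the limit.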

tjanson commented 2 weeks ago

@micahsnyder I think you're right, at least I've run into the same issue in an environment where DNS queries were not possible. As you suggested, lowering the update frequency works.

It doesn't seem entirely unreasonable to have clients interact with the DB server entirely via HTTP, particularly when using an HTTP proxy; though I totally understand that the DNS mechanism is certainly used for good reason.

As for this issue, perhaps it would be useful to just add a note to the docs for now.