From: "Luigi Iotti" <clamav@iotti.biz>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Date: Thu, 12 Apr 2007 07:35:59 +0200
Subject: Re: [Clamav-users] error stops clamd

> From: clamav-users-bounces@lists.clamav.net
> [mailto:clamav-users-bounces@lists.clamav.net]On Behalf Of Todd Lyons
> Sent: Wednesday, April 11, 2007 8:52 PM

>
> On Wed, Apr 11, 2007 at 02:24:52PM -0400, Jim Maul wrote:
>
> >However, it is illogical that clamd would die completely due to issues
> >with a recently downloaded definition file.  Why can it not just roll
> >back to the old, previously working, definitions?  Can someone please
> >explain this?  I'm having trouble trying to comprehend the current
> >behavior.
>
> Neutral question:
> What's worse?
>   a) AV that dies because of problems with virus definitions
>   b) AV that reverts back to previously working definitions but then
>      leaves you with a system that lets the latest things through
>      and the whole time you think you're protected

Taking into account that by default freshclam updates every 2 hours (and it
is often configured to update every 1 hour), I would prefer the risk of
running with signatures 4 hours old to having a denial of service.
Obviously, I am thinking of the case where the update failure is sporadic.

> a is not great, but then neither is b.  In the case of a, cron scripts
> watching the daemon process fixes things if it can and notifies you via
> pager (and 10 pages coming in simultaneously definitely indicates
> that something is wrong).  In the case of b, you see no interruption so
> you assume all is well (and in this case, all IS well, but suppose some
> corporation changes their firewall blocking traffic outbound from your
> clamav box and you never know that it's not getting the latest updates).
>
> Notification is a part of the solution IMHO.  If clamd recognizes that
> it's not able to load the new ones because the update process is still
> occurring, then it should continue running *AND* notify the sysadmin
> that it's running in what should be considered a degraded mode.  The
> ease with which this is attained will vary by system.

I agree. Only it's worth noting that if I have a script that can inform me
via a pager that clamd is not running, then it's likely to be able to inform
me that an update did not go well, or that sigtool reports my virus
signatures to be 4 or 24 or NN hours old. I would be equally informed, but I
would have no denial of service.

Just my opinion.

Luigi
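
The monitoring check discussed in this message, as an added example (not part of the original post and not ClamAV's own code): it reads the build time from the 512-byte header of a .cvd file and returns the alerts a cron job would page on, covering both "clamd is down" and "signatures are stale". The function names, the 4/24-hour thresholds (taken from the ages named above) and the sample header are assumptions; daemon liveness is passed in as a boolean rather than probed.

```python
import time
from datetime import datetime

CVD_HEADER_LEN = 512            # a .cvd file starts with a fixed-size ASCII header
WARN_HOURS, CRIT_HOURS = 4, 24  # assumed thresholds, from the ages named in the message

def cvd_build_epoch(header: bytes) -> int:
    """Return the database build time (Unix seconds) from a CVD header."""
    text = header[:CVD_HEADER_LEN].decode("ascii", "replace").rstrip()
    fields = text.split(":")
    if len(fields) < 8 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    # A ninth field, when present, is the build time as epoch seconds.
    if len(fields) > 8 and fields[8].strip().isdigit():
        return int(fields[8])
    # Otherwise fall back to the human-readable build time in field 2.
    return int(datetime.strptime(fields[1], "%d %b %Y %H-%M %z").timestamp())

def alerts(header: bytes, clamd_alive: bool, now: float) -> list:
    """Alerts a monitoring job would page on; an empty list means all is well."""
    out = []
    if not clamd_alive:
        out.append("CRIT clamd is not running")
    try:
        age_h = (now - cvd_build_epoch(header)) / 3600
    except ValueError as exc:
        # A truncated or corrupt database is reported, not silently ignored.
        return out + [f"CRIT signature database unreadable: {exc}"]
    if age_h >= CRIT_HOURS:
        out.append(f"CRIT signatures are {age_h:.0f} hours old")
    elif age_h >= WARN_HOURS:
        out.append(f"WARN signatures are {age_h:.0f} hours old (degraded)")
    return out

# Constructed sample header (not a real database): built 11 Apr 2007 18:05 +0200.
SAMPLE = ("ClamAV-VDB:11 Apr 2007 18-05 +0200:3070:100000:14:"
          + "0" * 32 + ":SIGPLACEHOLDER:builder").ljust(CVD_HEADER_LEN).encode()

if __name__ == "__main__":
    import sys
    # With a path argument, check a real database; otherwise use the sample.
    hdr = open(sys.argv[1], "rb").read(CVD_HEADER_LEN) if len(sys.argv) > 1 else SAMPLE
    # Liveness is hard-coded to True here; a real job would probe the daemon.
    print(alerts(hdr, True, time.time()) or "OK")
```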


