piran
Noted. I'll keep this thread posted with whatever transpires.
GuitarBob
Thanks, Piran, and good luck.
Regards,
piran
It's not going so well really. Several more times today.
Nowadays I delete all the db files after it baulked with a reload of the mirrors.dat file. Now, yet another falsie... and, as usual, citing for yet another time a trojan with winRar: https://www.virustotal.com/file-scan/report.html?id=e2c21331195ad12fbaa9fbedeb3e375f7a4345dbbd98abbbac876749c6f14b8b-1309893222

I can't put my finger on it but I think ClamWin is barfing at something networky... what I do not know. It would help if the failures could get to be predictable but haven't worked out what drives the triggering event.

1. As you know I have resolved NTP timing on the router. No difference?
2. Despite NEVER EVER port forwarding TCP port53 between the server and the router I have done so. Your stuff seems to do its thing with UDP despite all the prose saying it does so with TCP ...go figure. No difference?
3. "disabling TCP offloading" might be a trigger...? https://www.windowsreference.com/networking/enabledisable-tcp-task-offloading-to-nic-in-windows/ ...think this is counter-productive, stuff completing in longer timescales but direct activity (ie me) seems to zing along a bit quicker but it might be my imagination. No difference?

Trying to keep ClamWin running (ie updating itself reliably) is beginning to get to be a PITA. Thinking out of the box it might be more beneficial to simply delete mirrors.dat every hour...? Such is progress.
GuitarBob
You might try a search on these ClamWin forums for mirror problems to see if someone somewhere has had a similar problem and see if you can find out more about it.
I checked the original signature for that trojan. It includes installer code, which "good" programs can also use. Please report this false positive to Clam.
Regards,
piran
Reliable regular updating of a signature-driven security product is, in my opinion, a core mandatory feature - a deal breaker as it were if found to be unreliable. My site is not of a common configuration. Taking on others' apparently similar issues is not without its own set of problems. I am currently being (over)tasked elsewhere. If this were to be widely endemic there would be a plethora of clamours on the forum. There are not. It's just me... so, presumably, it's something here on my site that is giving ClamWin grief. It's going to be somewhat difficult to track down and ameliorate its effects. An hourly script (to delete the 'stale' mirrors.dat file) will just have to do for the moment. Needs must.

As for the 'false positive' ...that is only my assumption which has been right for a very long time up to now. I am not qualified to file it as a true 'false positive' and would not attempt to mislead others thus. I suspect it is a false alarm but have only common sense driving that thought. I usually email WinRAR to let him know the latest... he's pretty sanguine about it each time. These things are best left to those that know what they're doing.

Again, I will update this thread as and when I find the culprit currently messing up my workflow. Out.
piran
1. Working OK yesterday.

--------------------------------------
ClamAV update process started at Tue Jul 05 21:49:00 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-13284.cdiff [100%]
daily.cld updated (version: 13284, sigs: 134656, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
Database updated (980910 signatures) from database.clamav.net (IP: 217.135.32.99)
--------------------------------------
ClamAV update process started at Tue Jul 05 22:49:00 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cld is up to date (version: 13284, sigs: 134656, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
--------------------------------------
ClamAV update process started at Tue Jul 05 23:49:00 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cld is up to date (version: 13284, sigs: 134656, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
--------------------------------------

2. Today workstation was powered up late - just after midday.

3. Following the boot up the 'out of period' auto-update was OK.

--------------------------------------
ClamAV update process started at Wed Jul 06 12:12:06 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-13285.cdiff [100%]
daily.cld updated (version: 13285, sigs: 137922, f-level: 60, builder: ccordes)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
Database updated (984176 signatures) from database.clamav.net (IP: 193.1.193.64)
--------------------------------------

4. apparently using mirrors.dat file
Created: 2011 July 05, 21:49:01
Modified: 2011 July 06, 13:49:11
Accessed: 2011 July 05, 21:49:01

--------------------------------------
ClamAV update process started at Wed Jul 06 12:49:00 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getfile: Unknown response from remote server (IP: 163.1.3.8)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: getfile: Unknown response from remote server (IP: 81.91.100.173)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: getfile: Unknown response from remote server (IP: 217.135.32.99)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: getfile: Unknown response from remote server (IP: 81.91.100.173)
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...
ClamAV update process started at Wed Jul 06 12:49:06 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getfile: Unknown response from remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: getfile: Unknown response from remote server (IP: 163.1.3.8)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: getfile: Unknown response from remote server (IP: 217.135.32.99)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: getfile: Unknown response from remote server (IP: 193.1.193.64)
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...
ClamAV update process started at Wed Jul 06 12:49:11 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
ERROR: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
ERROR: Can't download daily.cvd from database.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in c:\users\robert\appdata\local\temp\tmpr3mtwb is working.
Check https://www.clamav.net/support/mirror-problem for possible reasons.
--------------------------------------

5. Where can I find specific ClamWin logging data that further clarifies...
WARNING: getfile: Unknown response from remote server (IP: 163.1.3.8)
WARNING: getfile: Unknown response from remote server (IP: 81.91.100.173)
WARNING: getfile: Unknown response from remote server (IP: 217.135.32.99)
WARNING: getfile: Unknown response from remote server (IP: 193.1.193.64)

6. Do you need me to save and submit to you your stale mirrors.dat file?

7. The workstation is M$ W7 x64 but I have started a PuTTY session and accessing my site's linux server. Your IP 163.1.3.8 *is* accessible and I am *not* noticing any data corruption in my on-line connectivity:

--------------------------------------
[root@twiggy ~]# host 163.1.3.8
8.3.1.163.in-addr.arpa domain name pointer clamav.oucs.ox.ac.uk.
[root@twiggy ~]# host -t txt current.cvd.clamav.net
current.cvd.clamav.net text "0.97.1:53:13286:1309955341:1:60:30595:143"
[root@twiggy ~]# host database.clamav.net
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.uk.clamav.net.
db.uk.clamav.net has address 163.1.3.8
db.uk.clamav.net has address 193.1.193.64
db.uk.clamav.net has address 217.135.32.99
db.uk.clamav.net has address 81.91.100.173
[root@twiggy ~]# dig @ns1.clamav.net db.us.big.clamav.net
; <<>> DiG 9.2.4 <<ns1>>HEADER<<- opcode: QUERY, status: NOERROR, id: 48800
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 5, ADDITIONAL: 6
;; QUESTION SECTION:
;db.us.big.clamav.net. IN A
;; ANSWER SECTION:
db.us.big.clamav.net. 60 IN A 208.72.56.53
db.us.big.clamav.net. 60 IN A 209.222.131.222
db.us.big.clamav.net. 60 IN A 213.165.80.159
db.us.big.clamav.net. 60 IN A 64.142.100.50
db.us.big.clamav.net. 60 IN A 64.246.134.219
db.us.big.clamav.net. 60 IN A 65.19.179.67
db.us.big.clamav.net. 60 IN A 69.163.100.14
db.us.big.clamav.net. 60 IN A 88.198.67.125
db.us.big.clamav.net. 60 IN A 150.214.142.197
db.us.big.clamav.net. 60 IN A 155.98.64.87
db.us.big.clamav.net. 60 IN A 168.143.19.95
db.us.big.clamav.net. 60 IN A 194.8.197.22
db.us.big.clamav.net. 60 IN A 194.47.250.218
db.us.big.clamav.net. 60 IN A 194.186.47.19
db.us.big.clamav.net. 60 IN A 207.57.106.31
;; AUTHORITY SECTION:
clamav.net. 1200 IN NS ns4.clamav.net.
clamav.net. 1200 IN NS ns3.clamav.net.
clamav.net. 1200 IN NS ns5.clamav.net.
clamav.net. 1200 IN NS ns7.clamav.net.
clamav.net. 1200 IN NS ns6.clamav.net.
;; ADDITIONAL SECTION:
ns3.clamav.net. 86400 IN A 195.70.36.141
ns4.clamav.net. 3600 IN A 78.46.32.131
ns5.clamav.net. 86400 IN A 85.94.204.146
ns5.clamav.net. 86400 IN AAAA 2001:4b78:2000::1
ns6.clamav.net. 86400 IN A 208.201.249.238
ns7.clamav.net. 86400 IN A 209.204.159.15
;; Query time: 109 msec
;; SERVER: 195.70.36.141#53(195.70.36.141)
;; WHEN: Wed Jul 6 14:11:04 2011
;; MSG SIZE rcvd: 476
--------------------------------------

8. Please advise
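Added example, not part of any poster's message and not ClamWin or ClamAV code: a small parser for update logs like the one quoted in the post above, which classifies each update attempt, collects the mirrors that returned "Unknown response", and reports how many daily versions the local database trails the version advertised in the `current.cvd.clamav.net` TXT record. The sample log is constructed from lines in the post, and reading the third colon-separated TXT field as the daily version is an assumption, checked against the log (53 matches main, 143 matches bytecode).

```python
import re
from collections import Counter

# Constructed sample, shaped like the update log quoted in the post above.
SAMPLE_LOG = """ClamAV update process started at Wed Jul 06 12:12:06 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-13285.cdiff [100%]
daily.cld updated (version: 13285, sigs: 137922, f-level: 60, builder: ccordes)
Database updated (984176 signatures) from database.clamav.net (IP: 193.1.193.64)
ClamAV update process started at Wed Jul 06 12:49:00 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getfile: Unknown response from remote server (IP: 163.1.3.8)
WARNING: getpatch: Can't download daily-13286.cdiff from database.clamav.net
WARNING: getfile: Unknown response from remote server (IP: 81.91.100.173)
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: Can't download daily.cvd from database.clamav.net
ClamAV update process started at Wed Jul 06 12:49:11 2011
ERROR: Can't download daily.cvd from database.clamav.net
"""
# TXT record as shown in the post; field 3 is assumed to be the daily version.
SAMPLE_TXT = "0.97.1:53:13286:1309955341:1:60:30595:143"

START = re.compile(r"^ClamAV update process started at (.+)$")
DAILY = re.compile(r"^daily\.c[lv]d (?:updated|is up to date) \(version: (\d+)")
BAD_MIRROR = re.compile(r"Unknown response from remote server \(IP: ([\d.]+)\)")

def parse_cycles(log):
    """Split the log into update attempts and classify each one."""
    cycles = []
    for line in log.splitlines():
        m = START.match(line)
        if m:
            cycles.append({"started": m.group(1), "daily": None,
                           "status": "unknown", "bad_mirrors": []})
        elif cycles and (m := DAILY.match(line)):
            cycles[-1].update(daily=int(m.group(1)), status="ok")
        elif cycles and (m := BAD_MIRROR.search(line)):
            cycles[-1]["bad_mirrors"].append(m.group(1))
        elif cycles and "Can't download daily.cvd" in line:
            cycles[-1]["status"] = "failed"
    return cycles

def signature_lag(cycles, txt_record):
    """Daily versions between the advertised record and the newest local one."""
    advertised = int(txt_record.strip('"').split(":")[2])
    local = max((c["daily"] for c in cycles if c["daily"] is not None), default=0)
    return advertised - local

def mirror_failures(cycles):
    """Count 'Unknown response' warnings per mirror IP across all attempts."""
    return Counter(ip for c in cycles for ip in c["bad_mirrors"])

if __name__ == "__main__":
    cycles = parse_cycles(SAMPLE_LOG)
    for c in cycles:
        print(c["started"], c["status"], c["bad_mirrors"])
    print("daily versions behind:", signature_lag(cycles, SAMPLE_TXT))
```

A non-zero lag that persists across several attempts is the condition worth alerting on, since the scanner keeps running on stale signatures while the updater fails.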
piran
Searched. People have downloading and DNS resolving issues. Nothing particularly helpful other than finding the path to your log. Looking at C:\Users\robert\AppData\Local\Temp\ClamWin1.log there is a massive section of NUL chars (in a text logging file!?).

1. Either this is an issue or it's obfuscation hiding the command path?
2. Have renamed the existing mirrors.dat (while it is apparently still working). Shortly afterwards I saw a desktop notification that the update had succeeded ...albeit with a 'new' mirrors.dat file.

Reported the citation to rarlabs who responded with Germanic pragmatism expressing the hope that you resolve your (apparent) error appropriately.
GuitarBob
My mirrors.dat file for my PC is dated today, so a new file might be common with each signature update.
The RAR people can't help with false positives. Only Clam can remedy that.
Regards,
piran
I don't understand this or its relevance.
I managed to *eventually* be 'allowed' to submit the file to ClamAV.

1. Does ClamWin interact badly with Acronis True Image Home 2010? Maybe file locking or an excessive delay (overcoming any file locking) is causing your mirrors.dat to apparently go stale. I have (newly) added C:\Users\robert\AppData\Local\Temp into the exclusions area for Acronis TIH ...just in case. It's never before now been an issue but I am keen to get this resolved. There are several periods over the day when Acronis runs for long enough to possibly(?) interact with ClamWin's auto-update attempts.
GuitarBob
Well, you said that you had a new mirrors.dat program. I just mentioned that I did, too.
I don't know about Acronis, but I have used ClamWin with snapshot programs before without noticing any problems, but I do not take frequent snapshots and perhaps a ClamWin update never coincided with a snapshot. Just to be safe, you might set ClamWin to update when a snapshot will not be made.
Regards,
piran
When mirrors.dat filesize quadruples from 52bytes to 208bytes ClamWin finds itself impossible to update. Acronis is running right now. I cannot update. I have been using Acronis and ClamWin for ...years. My network is running. My connectivity is operational. I cannot update manually or in auto. Please advise.
piran
--------------------------------------
ClamAV update process started at Sat Jul 09 01:49:00 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cld is up to date (version: 13300, sigs: 144038, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
--------------------------------------
ClamAV update process started at Sat Jul 09 01:57:32 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cld is up to date (version: 13300, sigs: 144038, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
--------------------------------------
ClamAV update process started at Sat Jul 09 02:49:00 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-13301.cdiff [100%]
daily.cld updated (version: 13301, sigs: 144043, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
Database updated (990297 signatures) from database.clamav.net (IP: 81.91.100.173)
--------------------------------------
workstation powered down
workstation powered up
--------------------------------------
ClamAV update process started at Sat Jul 09 11:20:57 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getfile: Unknown response from remote server (IP: 217.135.32.99)
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: getfile: Unknown response from remote server (IP: 163.1.3.8)
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: getfile: Unknown response from remote server (IP: 81.91.100.173)
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: getfile: Unknown response from remote server (IP: 163.1.3.8)
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...
ClamAV update process started at Sat Jul 09 11:21:03 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...
ClamAV update process started at Sat Jul 09 11:21:08 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-13302.cdiff from database.clamav.net
ERROR: getpatch: Can't download daily-13302.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
ERROR: Can't download daily.cvd from database.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in c:\users\robert\appdata\local\temp\tmpxcttla is working.
Check https://www.clamav.net/support/mirror-problem for possible reasons.
--------------------------------------
piran
Acronis is running right now.
Network is running right now. Connectivity is running right now. ClamWin is not properly operational. ClamWin mirrors.dat is 208bytes long and there is only a 25MB main.cvd file and nothing else in the db directory. ClamWin does not succeed in updating even when deleting the 208byte mirrors.dat file. Effectively it's stuffed. Please advise.
GuitarBob
All I can suggest is to delete everything in the ClamWin database directory and try to update the signatures again. If that fails, try to reinstall ClamWin.
Yesterday, I believe, Mark suggested there was a DNS problem on Win 98 and had a workaround. See if you can find that post.
Regards,
I am having to delete mirrors.dat many times a day...
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.