Freenas

Mirroring the Virus Database

Some guidelines for people interested in contributing to the distribution of ClamAV
virus database.
1 Introduction
1.1 This doc
The latest version of this document is always available at http://www.clamav.net/doc/mirrors/.
Before going any further, please check that you are reading the latest version.
Japanese sysadmins can nd a translated version of thisdoc at http://www.orange.co.jp/~masaki/clamav/mirrorhowto-
jp.html (not necessarily up to date).
1.2 Who is responsible for the virus database
The virusdb team take care of reviewing virus signatures, checking for new viruses in
the wild and committing changes to the virus database le.
The updates are released quite often (usually no less than three times a week). If
you want to benotied whenever the virus database is updated subscribe to clamavvirusdb
at lists.clamav.net .
Every time the virusdb team updates the database, the ChangeLog will be posted
to the mailing-list.
Visit for the list description and archives.
If you need to contact the virusdb team please write to: virus-team at clamav.net
1.3 Virus submission
Whenever you nd a new virus which is not detectedby ClamAV you should send it
to the virusdb team by lling the form at http://www.clamav.net/sendvirus.html. They
1
will review your submission and update the database so that the whole ClamAV user
community can take benet from it.
Never send virus samples to ClamAV mailing-lists or developers addresses.
1.4 Getting a copy of the latest virus database
The most important factor for anantivirus's efciency is to be up to date. ClamAV
comes with a tool to update the virus database automatically: its name is freshclam.
freshclam looks up the TXT record associated with current.cvd.clamav.net and extracts
the latest database version available from the string returned. If the local database
is outdated, freshclam tries to connect to the hostnames listed in freshclam.conf(DatabaseMirror
directive). If the rst server in the list fails or the latest database is not available on
that mirror (e.g. in case there has been a problem sync'ing the mirror), freshclam will
sleep for 10 secs and then try again with the next one, and so on.
After freshclam downloads the new database, it sends a notify to clamd (if active)
to reload the database.
It is important for themachine running ClamAV to be able to make DNS lookups
and to connect to port 80 of external hosts on Internet either directly or through a
proxy. There are known problems with some transparent proxies caching what they
shouldn't cache. If you should run into this kind of problem, please check your proxy
conguration before reporting a bug.
2 Mirroring the database
2.1 The need for mirrorsTo prevent the spread of worms it is essential to check for updates frequently. ClamAV
users often congure freshclam with a check interval of 30 minutes.
With an exponentially growing number of ClamAV users, the servers hosting the
virus database les get easily overloaded.
Without mirrors, the trafc on our main site was 100GB/month (May 2003).
On Feb 2004 the trafc on each mirror (11in total) reached 120GB/month.
Thanks to some improvements in freshclam and the increasing number of mirrors (currently
60), the trafc on each mirror was lowered to 40GB/month (Aug 2004). That
makes about 2.5TByte/month of global trafc.
Our users are encouraged to add the following directives to their freshclam.conf :
DatabaseMirror db.XY.clamav.net
2
DatabaseMirror db.local.clamav.netwhere XY stands for the country the server lives in 1
Each db.XY.clamav.net record points to the mirrors available in that country2 or, in
case there are none, the continent.
If freshclam can't connect to db.XY.clamav.net, it will fail back on db.local.clamav.net,
which attempts to redirect the user to the closest pool of mirrors by looking up its
ip source address in GeoIP database...