
ClamAV ethernet usage


Paril


Hi there.

I'm new to using Immunet as a daily driver for antivirus, but I've run into a strange issue. For some reason, ClamAV's "freshclam.exe" has been slowly eating away at my bandwidth. It's used over 30 GB over a day - approximately 230 MB every 30 minutes.

I tried it installed both in the regular installation directory (Program Files) and in root of a drive (E:\Immunet\) just in case it was a permissions issue, to no avail.

If I try to run freshclam manually, I see the following note:

Quote

ERROR: Can't create temporary directory E:\Immunet\clamav\0.102.1.14\database\tmp
Hint: The database directory must be writable for UID 0 or GID 0
ERROR: Initialization error!

I don't know if it's related or not. I can't touch anything in the Immunet folder (as expected), so it's possible this is normal from attempting to launch it by hand.

Then I tried to launch with a specific --datadir, just to rule out a permission issue:

Quote

E:\Immunet\clamav\0.102.1.14>freshclam --datadir=E:\
ClamAV update process started at Wed Mar 10 00:56:33 2021
daily database available for download (remote version: 26103)
Time: 2.7s, ETA; 0.0s [=======================================>] 100.18MiB/100.18MiB
WARNING: Mirror https://database.clamav.net is not synchronized.
ERROR: Unexpected error when attempting to update database: daily
WARNING: fc_update_databases: fc_update_database failed: Up-to-date (1)
ERROR: Database update process failed: Up-to-date (1)
ERROR: Update failed.

So, while it does update here (100 MB), it then throws some unexpected error and deletes the tmp folder. It seems to retry this every 15 mins or so.

If I enable --verbose --debug, this is all it adds to the log:

Quote

Time: 2.7s, ETA; 0.0s [=======================================>] 100.18MiB/100.18MiB
* Connection #0 to host database.clamav.net left intact
LibClamAV debug: Initialized devel-clamav-0.102.1-13-ga82161700 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 5abf3da8b864664c0c6f2faf057e392f
LibClamAV debug: cli_versig: Decoded signature: 5abf3da8b864664c0c6f2faf057e392f
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
WARNING: Mirror https://database.clamav.net is not synchronized.
ERROR: Unexpected error when attempting to update database: daily
WARNING: fc_update_databases: fc_update_database failed: Up-to-date (1)
ERROR: Database update process failed: Up-to-date (1)
ERROR: Update failed.

Anything I could try for this? I also have no way of knowing if this is another permission issue (since I'm launching freshclam from within the clamav\<version>\ folder which I don't have permission to write to), but I don't know where I could see any logs of freshclam that Immunet launches.

My clamav folder only has the version folder in it, and inside that folder there are all of the standard installation files alongside a "temp\clamtmp" folder tree with nothing in it.

(EDIT: as a complete aside, while registering for this account, for some reason the email field for the Registration form started out as "oblako2018_5@bk.ru" for me.. I've never seen this email in my life, and it's not anywhere in my browser autofill, so I have no idea how that happened)

Edited by Paril
adding weird sign up info

Hi Paril,

Unfortunately you're not the first person to report that there are update issues occurring with this 7.4.0 build of Immunet.  

The data you provided is quite revealing and thanks for thinking of adding it to your post!

It looks like Immunet is having difficulty either connecting to or maintaining a connection to Clam's update servers long enough for the new malware definitions to be successfully installed.

"This seems like a bug that just doesn't want to go away!" The devs have not been able to fix users having update issues with ClamAV for the last several previous builds as well!

Since this forum 'no longer gets any one-on-one advanced technical support anymore' my best advice would be to either uninstall Immunet if it keeps hogging up bandwidth to your displeasure or turn off the ClamAV module & updates for it in Settings & just use the ETHOS/SPERO cloud engines. That's not recommended if you're using Immunet as a 'stand-alone' AV though.

Keep in mind you can use Immunet as a companion AV to another AV solution & it is recommended that ClamAV remain disabled if used in this manner. Immunet is compatible with most of the popular AV packages out there. Just exclude each other's 'Program Files directory' to avoid possible conflicts. That's how I have Immunet set up, as a companion AV to another AV solution (minus ClamAV enabled).

As far as your forum account registration anomaly goes, I couldn't replicate that.

For security reasons & my own curiosity I attempted, prior to logging in, to create a new account and didn't encounter what you reported. That must be an issue on your side of things would be my assumption.

Best wishes, Ritchie... 

 


Re the security issue; the way it happened was kind of odd circumstances. At the time, I was having trouble with my internet, and when I first attempted to post the thread, my internet had cut out during my first attempt to press Submit. Chrome displayed the usual error page. A few minutes later, I switched to mobile tethering, and refreshed the page; that's where I was presented with the weird Russian address filled in the box.

Attempting to reproduce the issue now with internet not cutting out, I can't seem to have it happen. It seems like switching sessions is part of the bug. I guarantee you that that email isn't anywhere adjacent to me; Russia is an ocean apart from Canada, and if you search the email up in Google you can find several references to it being used as a spam account, so I'm curious as to how it got in that box. Looking in my internet history, there was a 3 minute gap between attempting to post and getting to the validation page. I can't exactly tell the timeline because Chrome doesn't record page load failures in History. I dunno if that helps at all in tracking down what might have caused that to be in there, but me losing my connection prior to pressing Submit initially & refreshing seems to be part of it. Session ID reuse perhaps? Not sure.

Re ClamAV; I'm pretty sure it's a permission issue. The connection happens perfectly fine (you can see the progress bar go from 0 to 100), but it fails in writing out the downloaded files to the install directory. I wasn't able to hack around ownership of the folder to see if perhaps that got around the issue, but if I wanted to poke into this further that'd be my first inclination: take permissions out of the mix (take ownership of the entire folder and ensure you have read/write access to every folder), and see if it updates properly.

Edited by Paril
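
Added example (not part of the thread, and not Immunet or ClamAV code): a small Python triage of freshclam console output that separates the two failure modes posted above, an unwritable database directory versus a completed download that is then discarded, and estimates the bandwidth a retry loop costs. The function names and verdict labels are assumptions made for this sketch; the sample lines are copied from the logs in the first post.

```python
import re

# Sample input constructed from the two freshclam runs quoted in the thread.
SAMPLE_INIT = """\
ERROR: Can't create temporary directory E:\\Immunet\\clamav\\0.102.1.14\\database\\tmp
Hint: The database directory must be writable for UID 0 or GID 0
ERROR: Initialization error!
"""
SAMPLE_LOOP = """\
daily database available for download (remote version: 26103)
Time: 2.7s, ETA; 0.0s [=======================================>] 100.18MiB/100.18MiB
WARNING: Mirror https://database.clamav.net is not synchronized.
ERROR: Unexpected error when attempting to update database: daily
ERROR: Update failed.
"""

PROGRESS = re.compile(r"\]\s*([\d.]+)MiB/([\d.]+)MiB")
TMPDIR = re.compile(r"ERROR: Can't create temporary directory (.+)")

def triage(log):
    """Classify one freshclam run and report how many MiB it fetched."""
    fetched = 0.0
    for done, total in PROGRESS.findall(log):
        if done == total:  # count only transfers that ran to completion
            fetched += float(total)
    tmp = TMPDIR.search(log)
    failed = "ERROR: Update failed." in log
    if tmp:
        verdict = "db-dir-not-writable"    # freshclam stopped before downloading
    elif failed and fetched > 0:
        verdict = "download-then-discard"  # full transfer, nothing installed
    elif failed:
        verdict = "failed-no-download"
    else:
        verdict = "ok"
    path = tmp.group(1).strip() if tmp else None
    return {"verdict": verdict, "fetched_mib": fetched, "path": path}

def daily_cost_gib(fetched_mib, retry_minutes):
    """GiB per 24 hours if every retry repeats the same discarded download."""
    runs_per_day = 24 * 60 / retry_minutes
    return fetched_mib * runs_per_day / 1024

if __name__ == "__main__":
    for sample in (SAMPLE_INIT, SAMPLE_LOOP):
        print(triage(sample))
    # The 15-minute retry interval is the poster's own estimate.
    print(round(daily_cost_gib(100.18, 15), 2), "GiB/day")
```
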