Unable to download diff db files #1405

Open
asark67 opened this issue Nov 13, 2024 · 2 comments

asark67 commented Nov 13, 2024

When freshclam is running it is unable to reach the diff files:

```
freshclam daemon 1.0.6 (OS: Linux, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Wed Nov 13 22:58:39 2024
daily database available for update (local version: 26951, remote version: 27457)
WARNING: downloadFile: file not found: https://database.clamav.net/daily-26952.cdiff
WARNING: downloadPatch: Can't download daily-26952.cdiff from https://database.clamav.net/daily-26952.cdiff
WARNING: downloadFile: file not found: https://database.clamav.net/daily-26952.cdiff
WARNING: downloadPatch: Can't download daily-26952.cdiff from https://database.clamav.net/daily-26952.cdiff
WARNING: downloadFile: file not found: https://database.clamav.net/daily-26952.cdiff
WARNING: downloadPatch: Can't download daily-26952.cdiff from https://database.clamav.net/daily-26952.cdiff
WARNING: Incremental update failed, trying to download daily.cvd
Testing database: '/opt/zimbra/data/clamav/db/tmp.c6c4bde2c0/clamav-71471ba8e88d7cef2c3289b824b9a580.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 27457, sigs: 2067892, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for update (local version: 334, remote version: 335)
Testing database: '/opt/zimbra/data/clamav/db/tmp.c6c4bde2c0/clamav-186b71904808f37c645f8065a09869ff.tmp-bytecode.cld' ...
Database test passed.
bytecode.cld updated (version: 335, sigs: 86, f-level: 90, builder: raynman)
Clamd successfully notified about the update.
```

If I run a curl command from the same server I get:

curl -v https://database.clamav.net/daily-26952.cdiff
*   Trying 104.16.219.84...
* TCP_NODELAY set
* Connected to database.clamav.net (104.16.219.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=database.clamav.net
*  start date: Oct  8 10:45:45 2024 GMT
*  expire date: Jan  6 10:45:44 2025 GMT
*  subjectAltName: host "database.clamav.net" matched cert's "database.clamav.net"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55f339c38710)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /daily-26952.cdiff HTTP/2
> Host: database.clamav.net
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 403
< date: Wed, 13 Nov 2024 23:23:27 GMT
< content-type: text/html; charset=UTF-8
< content-length: 4512
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< cache-control: max-age=15
< expires: Wed, 13 Nov 2024 23:23:42 GMT
< set-cookie: __cf_bm=DM1pnr9.1BGs81K.A8P4CWowFtnF_4z9G0ma0gXwmec-1731540207-1.0.1.1-A_tXEgYYCtZFHofWgVW3ebKUozONtMyLcUUBSr9IAuftW_rAOOuEdYWyNnjzozFwxO5uZQUn8smogOeDFa.2mw; path=/; expires=Wed, 13-Nov-24 23:53:27 GMT; domain=.clamav.net; HttpOnly; Secure; SameSite=None
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 8e22827bda1f94b7-LHR
<
* TLSv1.3 (IN), TLS app data, [no content] (0):
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Attention Required! | Cloudflare</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->
<style>body{margin:0;padding:0}</style>


<!--[if gte IE 10]><!-->
<script>
  if (!navigator.cookieEnabled) {
    window.addEventListener('DOMContentLoaded', function () {
      var cookieEl = document.getElementById('cookie-alert');
      cookieEl.style.display = 'block';
    })
  }
</script>
<!--<![endif]-->


</head>
<body>
  <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
* TLSv1.3 (IN), TLS app data, [no content] (0):
    <div id="cf-error-details" class="cf-error-details-wrapper">
      <div class="cf-wrapper cf-header cf-error-overview">
        <h1 data-translate="block_headline">Sorry, you have been blocked</h1>
        <h2 class="cf-subheadline"><span data-translate="unable_to_access">You are unable to access</span> clamav.net</h2>
      </div><!-- /.header -->

      <div class="cf-section cf-highlight">
        <div class="cf-wrapper">
          <div class="cf-screenshot-container cf-screenshot-full">

              <span class="cf-no-screenshot error"></span>

          </div>
        </div>
      </div><!-- /.captcha-container -->

      <div class="cf-section cf-wrapper">
        <div class="cf-columns two">
          <div class="cf-column">
            <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2>

            <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.</p>
          </div>

          <div class="cf-column">
            <h2 data-translate="blocked_resolve_headline">What can I do to resolve this?</h2>

* TLSv1.3 (IN), TLS app data, [no content] (0):
            <p data-translate="blocked_resolve_detail">You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.</p>
          </div>
        </div>
      </div><!-- /.section -->

      <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300">
  <p class="text-13">
    <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8e22827bda1f94b7</strong></span>
    <span class="cf-footer-separator sm:hidden">&bull;</span>
    <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1">
      Your IP:
      <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button>
      <span class="hidden" id="cf-footer-ip">88.97.91.208</span>
      <span class="cf-footer-separator sm:hidden">&bull;</span>
    </span>
    <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span>

  </p>
* TLSv1.3 (IN), TLS app data, [no content] (0):
  <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script>
</div><!-- /.error-footer -->


    </div><!-- /#cf-error-details -->
  </div><!-- /#cf-wrapper -->

  <script>
  window._cf_translation = {};


</script>

</body>
</html>
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection #0 to host database.clamav.net left intact

@micahsnyder (Contributor)

We only keep the last 90 days' worth of diff files on the server. If your local database version is significantly older, then the diff download will fail and you'll have to download the whole database.

In this case I see you're updating from: 26951
to: 27457

So that makes sense.

You should hold on to your databases for update from day to day rather than update a new install from scratch every day, so it should only happen the once.

@micahsnyder (Contributor)

Also - we explicitly only allow downloads from freshclam or cvdupdate programs because they have features to check if an update is actually required in order to save bandwidth. Programs like wget, curl, firefox, etc are intentionally blocked.
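
Added example (not part of the thread and not ClamAV code): a Python check over freshclam output that separates the full-download fallback explained above (local database older than the diffs kept on the server) from a fallback that happens despite a small version gap and so deserves a closer look. The `analyze` function, the status labels and the `MAX_GAP` threshold are assumptions; the sample lines are a subset of the log quoted in the issue.

```python
import re

# Constructed sample: a subset of the freshclam lines quoted in the issue above.
SAMPLE_LOG = """\
daily database available for update (local version: 26951, remote version: 27457)
WARNING: downloadFile: file not found: https://database.clamav.net/daily-26952.cdiff
WARNING: Incremental update failed, trying to download daily.cvd
daily.cvd updated (version: 27457, sigs: 2067892, f-level: 90, builder: raynman)
bytecode database available for update (local version: 334, remote version: 335)
bytecode.cld updated (version: 335, sigs: 86, f-level: 90, builder: raynman)
"""

AVAILABLE = re.compile(r"(\w+) database available for update "
                       r"\(local version: (\d+), remote version: (\d+)\)")
MISSING = re.compile(r"file not found: \S*/(\w+)-(\d+)\.cdiff")
FALLBACK = re.compile(r"Incremental update failed, trying to download (\w+)\.cvd")
UPDATED = re.compile(r"(\w+)\.(?:cvd|cld) updated \(version: (\d+)")

# Assumption (not stated in the issue): roughly one daily version per day, so a
# version gap above 90 approximates "older than the 90 days of diffs kept".
MAX_GAP = 90

def analyze(log, max_gap=MAX_GAP):
    """Return {db_name: info} describing how each database was updated."""
    dbs = {}
    for line in log.splitlines():
        if m := AVAILABLE.search(line):
            dbs[m[1]] = {"gap": int(m[3]) - int(m[2]), "missing": [],
                         "fallback": False, "version": None}
        elif (m := MISSING.search(line)) and m[1] in dbs:
            if int(m[2]) not in dbs[m[1]]["missing"]:  # freshclam retries
                dbs[m[1]]["missing"].append(int(m[2]))
        elif (m := FALLBACK.search(line)) and m[1] in dbs:
            dbs[m[1]]["fallback"] = True
        elif (m := UPDATED.search(line)) and m[1] in dbs:
            dbs[m[1]]["version"] = int(m[2])
    for info in dbs.values():
        if not info["fallback"]:
            info["status"] = "incremental"
        elif info["gap"] > max_gap:
            info["status"] = "expected-full-download"    # local copy too old
        else:
            info["status"] = "unexpected-full-download"  # diffs should exist
    return dbs

if __name__ == "__main__":
    for name, info in analyze(SAMPLE_LOG).items():
        print(name, info)
```
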
