Beginning in mid-2023 and escalating sharply around June 2025, Cisco placed and then tightened Cloudflare protections in front of the ClamAV signature and bytecode database update endpoints. In many environments freshclam now receives a Cloudflare challenge page (typically "Attention Required! | Cloudflare" or "You are unable to access clamav.net") instead of CVD content, logs the failure, and nothing escalates it to operators. The net effect is widespread signature staleness at scale.
ClamAV's public update domains (for example database.clamav.net, which serves daily.cvd, main.cvd and bytecode.cvd together with the incremental .cdiff patches) were moved behind Cloudflare's Web Application Firewall and bot-protection controls. From mid-2023 this introduced intermittent failures; by June 2025 aggressive rate limiting and outright blocking (HTTP 403 and 429 responses) had become common for non-browser traffic, particularly from data-centre ranges, shared NAT egress and other addresses that Cloudflare scores as automated.
freshclam is a non-interactive tool whose only job is to download and verify signature and bytecode databases, so an HTML page arriving where CVD or cdiff content was expected is simply a failed download: freshclam logs an error, exits non-zero when run as a one-shot, and leaves the existing (old) databases in place. The failure is evident in the freshclam log, but nothing notifies the sysadmin, and some GUI front-ends, such as Synology's Antivirus Essentials on some versions, report success even though the backend update failed.
Fri Nov 7 11:44:55 2025 -> daily database available for update (local version: 26817, remote version: 27816)
Fri Nov 7 11:45:09 2025 -> ERROR: downloadPatch: Can't download daily-26818.cdiff from https://database.clamav.net/daily-26818.cdiff
Fri Nov 7 11:45:09 2025 -> WARNING: Incremental update failed, trying to download daily.cvd
Fri Nov 7 11:45:09 2025 -> ERROR: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Fri Nov 7 11:45:10 2025 -> WARNING: FreshClam received error code 403 from the ClamAV Content Delivery Network (CDN).
ClamAV ships in the default repositories of most Linux distributions, is embedded in countless mail gateways, NAS devices and CI/CD pipelines, and is widely used by managed service providers. Based on distro telemetry, vendor statements and our fleet data, a conservative estimate is 1 to 3 million active freshclam clients worldwide. Given typical network egress patterns, we assess that hundreds of thousands of installations, potentially a majority of enterprise and hosting environments, are currently susceptible to Cloudflare blocking or rate limiting, leaving them partially or wholly out of date.
Our SecOps team became aware of this back in the summer when they noticed a variance in signature versions across hosting platforms; with some investigation this was pinned down to Cloudflare. There were already numerous reports from users and bugs filed on GitHub, but no change or resolution had been provided. We used tools to identify the origin servers behind Cloudflare, set up our own mirror of ClamAV's signatures, and updated all our hosts to use that mirror instead of clamav.net.
Signature freshness is the backbone of ClamAV detection. Bytecode updates in particular carry behavioural logic for new families and variants; without them detection rates drop sharply against emerging threats. Because freshclam usually runs from cron or a systemd timer, failures are logged but not alerted. In many default setups there is no paging on a non-zero exit, no age threshold on the .cvd/.cld files in the database directory, and no SIEM rule for 'HTML instead of CVD' or for the 'received error code 403' line shown above, so fleets can run on stale signatures for days, weeks or months.
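The three missing checks described above (file age, HTML where a CVD should be, and the freshclam error lines) can be covered by one small script run from the same cron or timer that runs freshclam. The following is an added example written for this article, not GEN's or ClamAV's own code. It parses the documented 512-byte CVD/CLD header (build time, version and signature count are the first fields) and turns freshclam log lines into alert tuples; the header bytes and log lines at the bottom are constructed for the example, and the database path, thresholds and HTML markers are assumptions you should adjust.

```python
"""Freshness and content check for ClamAV databases and freshclam logs.

Added example for this article, not GEN's or ClamAV's own code. The header
layout is ClamAV's documented 512-byte CVD/CLD header; the sample header
bytes and log lines at the bottom are constructed for the example.
"""
import glob
import re
import sys
from datetime import datetime, timezone

CVD_MAGIC = b"ClamAV-VDB:"
# Assumed markers of a challenge/error page delivered instead of a database.
HTML_MARKERS = (b"<!doctype html", b"<html", b"attention required", b"cloudflare")

LOG_CDN_CODE = re.compile(r"received error code (\d+)")
LOG_VERSIONS = re.compile(r"local version: (\d+), remote version: (\d+)")
LOG_ERROR = re.compile(r"\b(ERROR|WARNING): (.*)$")


def classify_cvd(data: bytes, now: datetime, max_age_days: float = 2.0) -> dict:
    """Classify the first 512 bytes of a file in the ClamAV database directory.

    The CVD/CLD header is colon separated: magic, build time, version,
    signature count, functionality level, MD5, digital signature, builder,
    build epoch. Only the first four fields are used, so a ':' inside a later
    field cannot confuse the parser. 'status' is 'ok', 'stale', 'html'
    (a challenge page was saved as a database) or 'not_cvd'.
    """
    head = data[:512]
    if not head.startswith(CVD_MAGIC):
        lowered = head.lower()
        if any(marker in lowered for marker in HTML_MARKERS):
            return {"status": "html"}
        return {"status": "not_cvd"}
    fields = head.split(b"\x00", 1)[0].decode("ascii", "replace").split(":")
    if len(fields) < 4:
        return {"status": "not_cvd"}
    try:
        built = datetime.strptime(fields[1], "%d %b %Y %H-%M %z")
        version, sigs = int(fields[2]), int(fields[3])
    except ValueError:
        return {"status": "not_cvd"}
    age_days = (now - built).total_seconds() / 86400
    return {
        "status": "stale" if age_days > max_age_days else "ok",
        "version": version,
        "signatures": sigs,
        "age_days": round(age_days, 2),
    }


def scan_freshclam_log(lines) -> list:
    """Turn freshclam log lines into alert tuples a SIEM rule or cron wrapper can act on.

    ('cdn', code)            the CDN answered with an HTTP error (403/429 in the article)
    ('lag', n)               the remote daily version is n releases ahead of the local one
    ('error'|'warning', msg) any other ERROR/WARNING line
    """
    alerts = []
    for line in lines:
        m = LOG_CDN_CODE.search(line)
        if m:
            alerts.append(("cdn", int(m.group(1))))
            continue
        m = LOG_VERSIONS.search(line)
        if m:
            lag = int(m.group(2)) - int(m.group(1))
            if lag > 0:
                alerts.append(("lag", lag))
            continue
        m = LOG_ERROR.search(line)
        if m:
            alerts.append((m.group(1).lower(), m.group(2)))
    return alerts


def check_database_dir(path: str, now: datetime, max_age_days: float = 2.0) -> dict:
    """Classify every .cvd/.cld under path (only the 512-byte header is read)."""
    results = {}
    for name in sorted(glob.glob(f"{path}/*.cvd") + glob.glob(f"{path}/*.cld")):
        with open(name, "rb") as fh:
            results[name] = classify_cvd(fh.read(512), now, max_age_days)
    return results


# Constructed sample data (not real database content or a real log).
NOW = datetime(2025, 11, 7, 12, 0, tzinfo=timezone.utc)
LATER = datetime(2025, 11, 20, 12, 0, tzinfo=timezone.utc)
GOOD_CVD = (
    b"ClamAV-VDB:07 Nov 2025 11-25 +0000:27816:2100000:90:"
    b"d41d8cd98f00b204e9800998ecf8427e:dsig-placeholder:builder-placeholder:1762514700"
).ljust(512, b"\x00")
CHALLENGE_PAGE = (b"<!DOCTYPE html>\n<html><head>"
                  b"<title>Attention Required! | Cloudflare</title></head></html>")
SAMPLE_LOG = [
    "Fri Nov 7 11:44:55 2025 -> daily database available for update (local version: 26817, remote version: 27816)",
    "Fri Nov 7 11:45:09 2025 -> ERROR: downloadPatch: Can't download daily-26818.cdiff from https://database.clamav.net/daily-26818.cdiff",
    "Fri Nov 7 11:45:09 2025 -> WARNING: Incremental update failed, trying to download daily.cvd",
    "Fri Nov 7 11:45:09 2025 -> ERROR: Can't download daily.cvd from https://database.clamav.net/daily.cvd",
    "Fri Nov 7 11:45:10 2025 -> WARNING: FreshClam received error code 403 from the ClamAV Content Delivery Network (CDN).",
]

if __name__ == "__main__":
    # Cron usage: exit non-zero unless every database in the directory is a fresh CVD/CLD.
    db_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/clamav"  # assumed default path
    results = check_database_dir(db_dir, datetime.now(timezone.utc))
    for name, result in results.items():
        print(name, result)
    sys.exit(0 if results and all(r["status"] == "ok" for r in results.values()) else 1)
```

The same classify_cvd check is worth running on a private mirror before it publishes a freshly fetched file, so that a cached challenge page is never served to downstream clients. The two-day threshold is an assumption: daily.cvd is normally released several times a day, so anything older than that means updates have stopped.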
ClamAV is open source and free for all to use. There is (currently) no paid version of it, so Cisco is paying for the infrastructure, and this move greatly reduces their costs. Was it right? Well, no, and not in the spirit of open source, but then again it is the default behaviour when corporates get involved in open source. What we should have done is set up an open-to-all CDN for ClamAV updates that larger companies can subscribe to and share the load, much as we share Linux and other GPL distributions, or use a distributed protocol like BitTorrent to distribute updates so that no single CDN manages the distribution. Lots of roads, none taken.
A separate but compounding problem is the continued reliance, and in some configurations insistence, on plain HTTP for ClamAV update retrieval. In 2025 many modern firewalls block outbound HTTP by default; administrators have been forced to create explicit exceptions just to make updates work, and those exceptions still fail when Cloudflare challenges or rate-limits the traffic. Proxies may also cache the HTML challenge pages, further breaking downstream clients. Where HTTPS is available, some legacy clients and middleboxes still fall back to or require HTTP, making the overall update path brittle in contemporary enterprise networks. Note that the log excerpt above shows a current freshclam fetching over https://, so the HTTP problem is concentrated in older clients, hard-coded mirror entries and the middleboxes in between rather than in current freshclam defaults.
To protect customer estates immediately, GEN is operating a ClamAV signature and bytecode mirror for all GEN customers free of charge. This service is designed for high availability, validates upstream content before publishing it, and is rate-limited per tenant to ensure fairness. If you are a GEN customer, open a ticket to receive your mirror endpoint and configuration guidance.
Open-source security infrastructure depends on predictable, machine-consumable distribution. Placing that flow behind browser challenges breaks the contract and increases risk for everyone. Until Cisco provides a stable, bot-safe update path for freshclam, organisations should move quickly to internal mirroring (the DatabaseMirror or PrivateMirror directive in freshclam.conf points clients at an internal mirror) and to robust monitoring of database age and freshclam exit status. GEN customers can use our mirror today at no cost.
--- This content is not legal or financial advice & Solely the opinions of the author ---