Describe the bug
We have a Docker image which runs freshclam as part of building the image. This has started failing with a 403 error both in GitHub Actions and locally, which are two different networks. We are not running this regularly so it's unclear why this has started happening. Here's the error from a local Docker build:
ClamAV update process started at Wed Oct 1 12:26:24 2025
DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.12 Recommended version: 1.0.9
daily database available for download (remote version: 27779)
WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
WARNING: FreshClam received error code 403 from the ClamAV Content Delivery Network (CDN).
WARNING: You are on cool-down until after: 2025-10-02 12:26:24
ERROR: Database update process failed: Forbidden; Blocked by CDN
ERROR: Update failed.
This could mean several things:
1. You are running an out-of-date version of ClamAV / FreshClam.
Ensure you are the most updated version by visiting https://www.clamav.net/downloads
2. Your network is explicitly denied by the FreshClam CDN.
In order to rectify this please check that you are:
a. Running an up-to-date version of FreshClam
b. Running FreshClam no more than once an hour
c. If you have checked (a) and (b), please open a ticket at
https://github.com/Cisco-Talos/clamav/issues
and we will investigate why your network is blocked.
How to reproduce the problem
Attempt to run freshclam in a Docker image? I'm not entirely sure. Here's the output of clamconf -n:
Checking configuration files in /etc
Config file: clamd.d/scan.conf
------------------------------
LogSyslog = "yes"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "clamscan"
MaxFileSize = "52428800"
Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"
mail/clamav-milter.conf not found
Software settings
-----------------
Version: 0.103.12
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON
Database information
--------------------
Database directory: /var/lib/clamav
Total number of signatures: 0
Platform information
--------------------
uname: Linux 6.10.14-linuxkit #1 SMP Wed Sep 10 06:47:45 UTC 2025 aarch64
OS: linux-gnu, ARCH: aarch64, CPU: aarch64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a01858508000000000b0401
Build information
-----------------
GNU C: 11.4.1 20230605 (Red Hat 11.4.1-2) (11.4.1)
CPPFLAGS:
CFLAGS: -O2 -ftree-vectorize -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=armv8.2-a+crypto -mtune=neoverse-n1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -ftree-vectorize -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=armv8.2-a+crypto -mtune=neoverse-n1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection
LDFLAGS: -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dT,/builddir/build/BUILD/clamav-0.103.12/.package_note-clamav-0.103.12-1.amzn2023.0.1.aarch64.ld
Configure: '--build=aarch64-amazon-linux-gnu' '--host=aarch64-amazon-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' 'build_alias=aarch64-amazon-linux-gnu' 'host_alias=aarch64-amazon-linux-gnu' 'CXX=g++' 'CXXFLAGS=-O2 -ftree-vectorize -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=armv8.2-a+crypto -mtune=neoverse-n1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dT,/builddir/build/BUILD/clamav-0.103.12/.package_note-clamav-0.103.12-1.amzn2023.0.1.aarch64.ld' 'CC=gcc' 'CFLAGS=-O2 -ftree-vectorize -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=armv8.2-a+crypto -mtune=neoverse-n1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 133, dconf: 133
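Added example (not part of the original report and not ClamAV project code): a shell function for an image-build step that reads freshclam output and pulls out the fields this log reports, so the build log states the CDN status, the version gap and the cool-down time instead of only failing. The names `triage_freshclam` and `sample_log` and the output keys are hypothetical; the sample lines are copied from the log above.

```shell
#!/bin/sh
# Added example, not ClamAV project code. All names here are hypothetical.

# Sample input: lines copied from the freshclam log in the report above.
sample_log() {
cat <<'EOF'
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.12 Recommended version: 1.0.9
WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
WARNING: FreshClam received error code 403 from the ClamAV Content Delivery Network (CDN).
WARNING: You are on cool-down until after: 2025-10-02 12:26:24
ERROR: Database update process failed: Forbidden; Blocked by CDN
EOF
}

# Reads freshclam output on stdin, prints key=value findings, and returns 1
# when the CDN answered 403 so the calling build step can stop with a reason.
# $1 (optional): current time as "YYYY-MM-DD HH:MM:SS" in the log's time zone.
triage_freshclam() {
  now=${1:-$(date '+%Y-%m-%d %H:%M:%S')}
  awk -v now="$now" '
    /Your ClamAV installation is OUTDATED/ { outdated = "yes" }
    /Local version:/ {
      for (i = 1; i < NF; i++) {
        if ($i == "Local" && $(i + 1) == "version:")       lv = $(i + 2)
        if ($i == "Recommended" && $(i + 1) == "version:") rv = $(i + 2)
      }
    }
    match($0, /received error code [0-9]+/) {
      status = substr($0, RSTART + 20, RLENGTH - 20)
    }
    match($0, /cool-down until after: /) {
      cooldown = substr($0, RSTART + RLENGTH)
    }
    END {
      print "outdated=" (outdated ? outdated : "no")
      print "local_version=" lv
      print "recommended_version=" rv
      print "http_status=" status
      print "cooldown_until=" cooldown
      # The timestamp format sorts chronologically, so compare as strings.
      print "retry_now=" ((cooldown != "" && cooldown > now) ? "no" : "yes")
      exit ((status == "403") ? 1 : 0)
    }'
}

# Demo on the sample; with real output, pipe `freshclam 2>&1` in instead.
sample_log | triage_freshclam "2025-10-01 12:30:00" ||
  echo "freshclam blocked by CDN: fail the build and retry after cooldown_until"
```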