@@ -427,7 +427,7 @@ ClamAV 0.102.2 is a bug patch release to address the following issues.

 - Fixed an issue where running freshclam manually causes a daemonized freshclam

   process to fail when it updates because the manual instance deletes the

-  temporary download directory. Freshclam temporary files will now download to a

+  temporary download directory. FreshClam temporary files will now download to a

   unique directory created at the time of an update instead of using a hardcoded

   directory created/destroyed at the program start/exit.

@@ -916,7 +916,7 @@ we've cooked up over the past 6 months.

   numeric value. You can read more about this feature, see how it works, and

   look over examples in [our documentation](docs/UserManual/Signatures.md).

 - Backwards compatibility improvements for detecting the OpenSSL dependency.

-- Freshclam updated to match exit codes defined in the freshclam.1 man page.

+- FreshClam updated to match exit codes defined in the freshclam.1 man page.

 - Upgrade from libmspack 0.5alpha to libmspack 0.7.1alpha. As a reminder, we

   support system-installed versions of libmspack. _However_, at this time the

   ClamAV-provided version of libmspack provides additional abilities to parse

@@ -1491,7 +1491,7 @@ ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:

 - Crashes of clamd on Windows and Mac OS X platforms when reloading

   the virus signature database.

 - Infinite loop in clamdscan when clamd is not running.

-- Freshclam failure on Solaris 10.

+- FreshClam failure on Solaris 10.

 - Buffer underruns when handling multi-part MIME email attachments.

 - Configuration of OpenSSL on various platforms.

 - Name collisions on Ubuntu 14.04, Debian sid, and Slackware 14.1.

@@ -1951,7 +1951,7 @@ version:

   Numbers and credit card numbers (clamd: StructuredDataDetection,

   clamscan: --detect-structured; additional fine-tuning options are available)

-- IPv6 Support: Freshclam now supports IPv6

+- IPv6 Support: FreshClam now supports IPv6

 - Improved Scanning of Scripts: The normalization of scripts now covers

   JavaScript

@@ -3240,7 +3240,7 @@ News from ClamAV world:

   - clamav.linux-sxs.org: database mirror - rsync from clamav.ozforces.com

     (thanks to Douglas J Hunley <doug@hunley.homeip.net>)

-    Freshclam will automatically use them when the main server is not

+    FreshClam will automatically use them when the main server is not

     accessible.

 - Official port in FreeBSD available ! (maintained by Masahiro Teramoto

@@ -147,7 +147,7 @@ m4_include([m4/reorganization/bsd.m4])

 dnl Clamonacc loading

 m4_include([m4/reorganization/clamonacc.m4])

-dnl Freshclam dependencies

+dnl FreshClam dependencies

 m4_include([m4/reorganization/libs/curl.m4])

 m4_include([m4/reorganization/substitutions.m4])

 m4_include([m4/reorganization/strni.m4])

@@ -10,7 +10,7 @@ freshclam [options]

 freshclam is a virus database update tool for ClamAV.

 .SH "OPTIONS"

 .LP

-Freshclam reads its configuration from freshclam.conf. The settings can be overwritten with command line options.

+FreshClam reads its configuration from freshclam.conf. The settings can be overwritten with command line options.

 .TP

 \fB\-h, \-\-help\fR

 Output help information and exit.

@@ -92,7 +92,7 @@ Number of database checks per day.

 Default: 12

 .TP

 \fBDNSDatabaseInfo STRING\fR

-Use DNS to verify the virus database version. Freshclam uses DNS TXT records to verify the versions of the database and software itself. With this directive you can change the database verification domain.

+Use DNS to verify the virus database version. FreshClam uses DNS TXT records to verify the versions of the database and software itself. With this directive you can change the database verification domain.

 .br

 \fBWARNING:\fR Please don't change it unless you're configuring freshclam to use your own database verification domain.

 .br

@@ -58,7 +58,7 @@ Example

 # Default: clamav (may depend on installation options)

 #DatabaseOwner clamav

-# Use DNS to verify virus database version. Freshclam uses DNS TXT records

+# Use DNS to verify virus database version. FreshClam uses DNS TXT records

 # to verify database and software versions. With this directive you can change

 # the database verification domain.

 # WARNING: Do not touch it unless you're configuring freshclam to use your

@@ -1,4 +1,4 @@

-PROJECT_NAME     = ClamAV - Freshclam

+PROJECT_NAME     = ClamAV - FreshClam

 OUTPUT_DIRECTORY = ../docs/freshclam

 WARNINGS         = YES

 FILE_PATTERNS    = *.c *.h

@@ -18,4 +18,4 @@ DOT_CLEANUP=NO

 MAX_DOT_GRAPH_DEPTH=3

 EXTRACT_ALL=YES

-INPUT = . 

+INPUT = .

@@ -261,7 +261,7 @@ fc_error_t download_complete_callback(const char *dbFilename, void *context)

             ret = FC_ETESTFAIL;

         }

         if (FC_SUCCESS != ret) {

-            logg("^Database load exited with \"%s\" (%d)\n", fc_strerror(ret), ret);

+            logg("^Database load exited with \"%s\"\n", fc_strerror(ret));

             status = FC_ETESTFAIL;

             goto done;

         }

@@ -276,7 +276,7 @@ fc_error_t download_complete_callback(const char *dbFilename, void *context)

             logg("^pipe() failed: %s\n", strerror(errno));

             ret = fc_test_database(dbFilename, fc_context->bBytecodeEnabled);

             if (FC_SUCCESS != ret) {

-                logg("^Database load exited with \"%s\" (%d)\n", fc_strerror(ret), ret);

+                logg("^Database load exited with \"%s\"\n", fc_strerror(ret));

                 status = FC_ETESTFAIL;

                 goto done;

             }

@@ -302,7 +302,7 @@ fc_error_t download_complete_callback(const char *dbFilename, void *context)

                     /* Test the database without forking. */

                     ret = fc_test_database(dbFilename, fc_context->bBytecodeEnabled);

                     if (FC_SUCCESS != ret) {

-                        logg("^Database load exited with \"%s\" (%d)\n", fc_strerror(ret), ret);

+                        logg("^Database load exited with \"%s\"\n", fc_strerror(ret));

                         status = FC_ETESTFAIL;

                         goto done;

                     }

@@ -367,7 +367,7 @@ fc_error_t download_complete_callback(const char *dbFilename, void *context)

                     if (WIFEXITED(stat_loc)) {

                         ret = (fc_error_t)WEXITSTATUS(stat_loc);

                         if (FC_SUCCESS != ret) {

-                            logg("^Database load exited with \"%s\" (%d)\n", fc_strerror(ret), ret);

+                            logg("^Database load exited with \"%s\"\n", fc_strerror(ret));

                             status = FC_ETESTFAIL;

                             goto done;

                         }

@@ -555,7 +555,7 @@ static void free_string_list(char **stringList, uint32_t nListItems)

 /**

  * @brief Get the database server list object

  *

- * @param opts          Freshclam options struct.

+ * @param opts          FreshClam options struct.

  * @param serverList    [out] List of servers.

  * @param nServers      [out] Number of servers in list.

  * @param bPrivate      [out] Non-zero if PrivateMirror servers were selected.

@@ -1463,7 +1463,7 @@ fc_error_t perform_database_update(

             (void *)fc_context,

             &nUpdated);

         if (FC_SUCCESS != ret) {

-            logg("!Database update process failed: %s (%d)\n", fc_strerror(ret), ret);

+            logg("!Database update process failed: %s\n", fc_strerror(ret));

             status = ret;

             goto done;

         }

@@ -1480,7 +1480,7 @@ fc_error_t perform_database_update(

             (void *)fc_context,

             &nUpdated);

         if (FC_SUCCESS != ret) {

-            logg("!Database update process failed: %s (%d)\n", fc_strerror(ret), ret);

+            logg("!Database update process failed: %s\n", fc_strerror(ret));

             status = ret;

             goto done;

         }

@@ -1,4 +1,4 @@

-PROJECT_NAME     = ClamAV - Freshclam

+PROJECT_NAME     = ClamAV - FreshClam

 OUTPUT_DIRECTORY = ../docs/freshclam

 WARNINGS         = YES

 FILE_PATTERNS    = *.c *.h

@@ -18,4 +18,4 @@ DOT_CLEANUP=NO

 MAX_DOT_GRAPH_DEPTH=3

 EXTRACT_ALL=YES

-INPUT = . 

+INPUT = .

@@ -113,6 +113,10 @@ const char *fc_strerror(fc_error_t fcerror)

             return "Memory allocation error";

         case FC_EARG:

             return "Invalid argument(s)";

+        case FC_EFORBIDDEN:

+            return "Forbidden, Blocked by CDN";

+        case FC_ERETRYLATER:

+            return "Too-many-requests, Retry later";

         default:

             return "Unknown libfreshclam error code!";

     }

@@ -627,8 +631,7 @@ fc_error_t fc_update_database(

                 }

                 case FC_ECONNECTION:

                 case FC_EBADCVD:

-                case FC_EFAILEDGET:

-                case FC_EMIRRORNOTSYNC: {

+                case FC_EFAILEDGET: {

                     if (attempt < g_maxAttempts) {

                         logg("Trying again in 5 secs...\n");

                         sleep(5);

@@ -642,8 +645,43 @@ fc_error_t fc_update_database(

                     }

                     break;

                 }

+                case FC_EMIRRORNOTSYNC: {

+                    logg("!Update failed for database: %s\n", database);

+                    status = ret;

+                    goto done;

+                }

+                case FC_EFORBIDDEN: {

+                    logg("^FreshClam received error code 403 from the ClamAV Content Delivery Network (CDN).\n");

+                    logg("This could mean several things:\n");

+                    logg(" 1. You are running an out of date version of ClamAV / FreshClam.\n");

+                    logg("    Ensure you are the most updated version by visiting https://www.clamav.net/downloads\n");

+                    logg(" 2. Your network is explicitly denied by the FreshClam CDN.\n");

+                    logg("    In order to rectify this please check that you are:\n");

+                    logg("   a. Running an up to date version of FreshClam\n");

+                    logg("   b. Running FreshClam no more than once an hour\n");

+                    logg("   c. If you have checked (a) and (b), please open a ticket at\n");

+                    logg("      https://bugzilla.clamav.net under the “Mirrors” component\n");

+                    logg("      and we will investigate why your network is blocked.\n");

+                    status = ret;

+                    goto done;

+                    break;

+                }

+                case FC_ERETRYLATER: {

+                    logg("^FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN).\n");

+                    logg("This means that you have been rate limited by the CDN.\n");

+                    logg(" 1. Run FreshClam no more than once an hour to check for updates.\n");

+                    logg("    Freshclam should check DNS first to see if an update is needed.\n");

+                    logg(" 2. If you have more than 10 hosts on your network attempting to download,\n");

+                    logg("    it is recommended that you set up a private mirror on your network using\n");

+                    logg("    cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the\n");

+                    logg("    CDN and your own network.\n");

+                    logg(" 3. Please do not open a ticket asking for an exemption from the rate limit,\n");

+                    logg("    it will not be granted.\n");

+                    goto success;

+                    break;

+                }

                 default: {

-                    logg("!Unexpected error when attempting to update database: %s\n", database);

+                    logg("!Unexpected error when attempting to update %s: %s\n", database, fc_strerror(ret));

                     status = ret;

                     goto done;

                 }

@@ -698,7 +736,6 @@ fc_error_t fc_update_databases(

                                bScriptedUpdates,

                                context,

                                &bUpdated))) {

-            logg("^fc_update_databases: fc_update_database failed: %s (%d)\n", fc_strerror(ret), ret);

             status = ret;

             goto done;

         }

@@ -24,7 +24,7 @@

 #include "clamav-types.h"

 /*

- * Freshclam configuration flag options.

+ * FreshClam configuration flag options.

  */

 // clang-format off

 #define FC_CONFIG_MSG_DEBUG        0x1  // Enable debug messages.

@@ -79,7 +79,9 @@ typedef enum fc_error_tag {

     FC_ELOGGING,

     FC_EFAILEDUPDATE,

     FC_EMEM,

-    FC_EARG

+    FC_EARG,

+    FC_EFORBIDDEN,

+    FC_ERETRYLATER

 } fc_error_t;

 /**

@@ -240,7 +242,7 @@ fc_error_t fc_update_databases(

  */

 /**

- * @brief Freshclam callback Download Complete

+ * @brief FreshClam callback Download Complete

  *

  * Called after each database has been downloaded or updated.

  *

@@ -575,13 +575,11 @@ static fc_error_t remote_cvdhead(

     /*

      * Request CVD header.

      */

-    logg("Reading CVD header (%s): ", cvdfile);

-

     urlLen = strlen(server) + strlen("/") + strlen(cvdfile);

     url    = malloc(urlLen + 1);

     snprintf(url, urlLen + 1, "%s/%s", server, cvdfile);

-    logg("*Trying to retrieve CVD header from %s\n", url);

+    logg("Trying to retrieve CVD header from %s\n", url);

     if (FC_SUCCESS != (ret = create_curl_handle(

                            bHttpServer, // Set extra HTTP-specific headers.

@@ -1000,6 +998,14 @@ static fc_error_t downloadFile(

             status = FC_UPTODATE;

             break;

         }

+        case 403: {

+            status = FC_EFORBIDDEN;

+            break;

+        }

+        case 429: {

+            status = FC_ERETRYLATER;

+            break;

+        }

         case 404: {

             if (g_proxyServer)

                 logg("^downloadFile: file not found: %s (Proxy: %s:%u)\n", url, g_proxyServer, g_proxyPort);

@@ -1050,6 +1056,7 @@ static fc_error_t getcvd(

     const char *cvdfile,

     const char *tmpfile,

     char *server,

+    uint32_t ifModifiedSince,

     unsigned int remoteVersion,

     int logerr)

 {

@@ -1071,8 +1078,13 @@ static fc_error_t getcvd(

     url    = malloc(urlLen + 1);

     snprintf(url, urlLen + 1, "%s/%s", server, cvdfile);

-    if (FC_SUCCESS != (ret = downloadFile(url, tmpfile, 1, logerr, 0))) {

-        logg("%cgetcvd: Can't download %s from %s\n", logerr ? '!' : '^', cvdfile, url);

+    ret = downloadFile(url, tmpfile, 1, logerr, ifModifiedSince);

+    if (ret == FC_UPTODATE) {

+        logg("%s is up to date.\n", cvdfile);

+        status = ret;

+        goto done;

+    } else if (ret > FC_UPTODATE) {

+        logg("%cCan't download %s from %s\n", logerr ? '!' : '^', cvdfile, url);

         status = ret;

         goto done;

     }

@@ -1080,32 +1092,32 @@ static fc_error_t getcvd(

     /* Temporarily rename file to correct extension for verification. */

     tmpfile_with_extension = strdup(tmpfile);

     if (!tmpfile_with_extension) {

-        logg("!getcvd: Can't allocate memory for temp file with extension!\n");

+        logg("!Can't allocate memory for temp file with extension!\n");

         status = FC_EMEM;

         goto done;

     }

     strncpy(tmpfile_with_extension + strlen(tmpfile_with_extension) - 4, cvdfile + strlen(cvdfile) - 4, 4);

     if (rename(tmpfile, tmpfile_with_extension) == -1) {

-        logg("!getcvd: Can't rename %s to %s: %s\n", tmpfile, tmpfile_with_extension, strerror(errno));

+        logg("!Can't rename %s to %s: %s\n", tmpfile, tmpfile_with_extension, strerror(errno));

         status = FC_EDBDIRACCESS;

         goto done;

     }

     if (CL_SUCCESS != (cl_ret = cl_cvdverify(tmpfile_with_extension))) {

-        logg("!getcvd: Verification: %s\n", cl_strerror(cl_ret));

+        logg("!Verification: %s\n", cl_strerror(cl_ret));

         status = FC_EBADCVD;

         goto done;

     }

     if (NULL == (cvd = cl_cvdhead(tmpfile_with_extension))) {

-        logg("!getcvd: Can't read CVD header of new %s database.\n", cvdfile);

+        logg("!Can't read CVD header of new %s database.\n", cvdfile);

         status = FC_EBADCVD;

         goto done;

     }

     /* Rename the file back to the original, since verification passed. */

     if (rename(tmpfile_with_extension, tmpfile) == -1) {

-        logg("!getcvd: Can't rename %s to %s: %s\n", tmpfile_with_extension, tmpfile, strerror(errno));

+        logg("!Can't rename %s to %s: %s\n", tmpfile_with_extension, tmpfile, strerror(errno));

         status = FC_EDBDIRACCESS;

         goto done;

     }

@@ -1719,7 +1731,8 @@ static fc_error_t check_for_new_database_version(

     uint32_t *localVersion,

     uint32_t *remoteVersion,

     char **localFilename,

-    char **remoteFilename)

+    char **remoteFilename,

+    uint32_t *localTimestamp)

 {

     fc_error_t ret;

     fc_error_t status = FC_EARG;

@@ -1728,13 +1741,13 @@ static fc_error_t check_for_new_database_version(

     struct cl_cvd *local_database = NULL;

     char *remotename              = NULL;

-    uint32_t localver       = 0;

-    uint32_t localTimestamp = 0;

-    uint32_t remotever      = 0;

+    uint32_t localver  = 0;

+    uint32_t remotever = 0;

     if ((NULL == database) || (NULL == server) ||

         (NULL == localVersion) || (NULL == remoteVersion) ||

-        (NULL == localFilename) || (NULL == remoteFilename)) {

+        (NULL == localFilename) || (NULL == remoteFilename) ||

+        (NULL == localTimestamp)) {

         logg("!check_for_new_database_version: Invalid args!\n");

         goto done;

     }

@@ -1743,6 +1756,7 @@ static fc_error_t check_for_new_database_version(

     *remoteVersion  = 0;

     *localFilename  = NULL;

     *remoteFilename = NULL;

+    *localTimestamp = 0;

     /*

      * Check local database version (if exists)

@@ -1751,8 +1765,8 @@ static fc_error_t check_for_new_database_version(

         logg("*check_for_new_database_version: No local copy of \"%s\" database.\n", database);

     } else {

         logg("*check_for_new_database_version: Local copy of %s found: %s.\n", database, localname);

-        localTimestamp = local_database->stime;

-        localver       = local_database->version;

+        *localTimestamp = local_database->stime;

+        localver        = local_database->version;

     }

     /*

@@ -1760,7 +1774,7 @@ static fc_error_t check_for_new_database_version(

      */

     ret = query_remote_database_version(

         database,

-        localTimestamp,

+        *localTimestamp,

         dnsUpdateInfo,

         server,

         bPrivateMirror,

@@ -1858,11 +1872,12 @@ fc_error_t updatedb(

     struct cl_cvd *cvd = NULL;

-    uint32_t localVersion  = 0;

-    uint32_t remoteVersion = 0;

-    char *localFilename    = NULL;

-    char *remoteFilename   = NULL;

-    char *newLocalFilename = NULL;

+    uint32_t localTimestamp = 0;

+    uint32_t localVersion   = 0;

+    uint32_t remoteVersion  = 0;

+    char *localFilename     = NULL;

+    char *remoteFilename    = NULL;

+    char *newLocalFilename  = NULL;

     char *tmpdir  = NULL;

     char *tmpfile = NULL;

@@ -1892,7 +1907,8 @@ fc_error_t updatedb(

                            &localVersion,

                            &remoteVersion,

                            &localFilename,

-                           &remoteFilename))) {

+                           &remoteFilename,

+                           &localTimestamp))) {

         logg("*updatedb: %s database update failed.\n", database);

         status = ret;

         goto done;

@@ -1914,8 +1930,15 @@ fc_error_t updatedb(

         /*

          * Download entire file.

          */

-        ret = getcvd(remoteFilename, tmpfile, server, remoteVersion, logerr);

-        if (FC_SUCCESS != ret) {

+        ret = getcvd(remoteFilename, tmpfile, server, localTimestamp, remoteVersion, logerr);

+        if (FC_UPTODATE == ret) {

+            logg("^Expected newer version of %s database but the server's copy is not newer than our local file (version %d).\n", database, localVersion);

+            if (NULL != localFilename) {

+                /* Received a 304 (not modified), must be up to date after all */

+                *dbFilename = cli_strdup(localFilename);

+            }

+            goto up_to_date;

+        } else if (FC_SUCCESS != ret) {

             status = ret;

             goto done;

         }

@@ -1980,7 +2003,7 @@ fc_error_t updatedb(

                 logg("^Incremental update failed, trying to download %s\n", remoteFilename);

             }

-            ret = getcvd(remoteFilename, tmpfile, server, remoteVersion, logerr);

+            ret = getcvd(remoteFilename, tmpfile, server, localTimestamp, remoteVersion, logerr);

             if (FC_SUCCESS != ret) {

                 status = ret;

                 goto done;

@@ -496,7 +496,7 @@ const struct clam_option __clam_options[] = {

     {"DevPerformance", "dev-performance", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", ""},

     {"DevLiblog", "dev-liblog", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD, "", ""},

-    /* Freshclam-only entries */

+    /* FreshClam-only entries */

     /* FIXME: drop this entry and use LogFile */

     {"UpdateLogFile", "log", 'l', CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_FRESHCLAM, "Save all reports to a log file.", "/var/log/freshclam.log"},

@@ -505,7 +505,7 @@ const struct clam_option __clam_options[] = {

     {"Checks", "checks", 'c', CLOPT_TYPE_NUMBER, MATCH_NUMBER, 12, NULL, 0, OPT_FRESHCLAM, "This option defined how many times daily freshclam should check for\na database update.", "24"},

-    {"DNSDatabaseInfo", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, "current.cvd.clamav.net", FLAG_REQUIRED, OPT_FRESHCLAM, "Use DNS to verify the virus database version. Freshclam uses DNS TXT records\nto verify the versions of the database and software itself. With this\ndirective you can change the database verification domain.\nWARNING: Please don't change it unless you're configuring freshclam to use\nyour own database verification domain.", "current.cvd.clamav.net"},

+    {"DNSDatabaseInfo", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, "current.cvd.clamav.net", FLAG_REQUIRED, OPT_FRESHCLAM, "Use DNS to verify the virus database version. FreshClam uses DNS TXT records\nto verify the versions of the database and software itself. With this\ndirective you can change the database verification domain.\nWARNING: Please don't change it unless you're configuring freshclam to use\nyour own database verification domain.", "current.cvd.clamav.net"},

     {"DatabaseMirror", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_FRESHCLAM, "DatabaseMirror specifies to which mirror(s) freshclam should connect.\nYou should have at least one entry: database.clamav.net.", "database.clamav.net"},

@@ -55,7 +55,7 @@ Example

 # Default: clamav (may depend on installation options)

 #DatabaseOwner clamav

-# Use DNS to verify virus database version. Freshclam uses DNS TXT records

+# Use DNS to verify virus database version. FreshClam uses DNS TXT records

 # to verify database and software versions. With this directive you can change

 # the database verification domain.

 # WARNING: Do not touch it unless you're configuring freshclam to use your