[clamav-users] ClamAV Server Agent
Graeme Fowler
G.E.Fowler at lboro.ac.uk
Wed Apr 22 13:14:26 UTC 2020
You wrote
> Sorry for sounding so naive and confused with this, I am actually confused whether my clamav is working or not.
If you haven't told it to do anything, then yes it's working but it's not actually doing anything.
clamd is a daemon; you need to use the 'clamdscan' tool to ask it to scan things, or set up on-access scanning.
http://www.clamav.net/documents/scanning
Additionally, if your PCI assessor is insistent on anti-virus apps being installed on web servers then they're not very good; you should be able to argue that this is out-of-scope for the environment you're working in *unless* they have client-provided data flowing through them. If they're not in the payment path and the content is all static then they should be considered out of scope.
Graeme
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Karmendra Suthar via clamav-users <clamav-users at lists.clamav.net>
Reply to: ClamAV users ML <clamav-users at lists.clamav.net>
Date: Wednesday, 22 April 2020 at 13:47
To: ClamAV users ML <clamav-users at lists.clamav.net>
Cc: Karmendra Suthar <karmendra.js at gmail.com>, "G.W. Haywood" <clamav at jubileegroup.co.uk>
Subject: Re: [clamav-users] ClamAV Server Agent
Hello,
Thanks a lot for answering my query.
Actually I never had any antivirus on my Linux web servers, but PCI compliance forced me to install it on my servers. Now a bit of my CPU and RAM is going into running the antivirus, not sure how much, but definitely something is used up.
Anyways, I will give my use case.
I have 3 Ubuntu 18 servers running load-balanced nginx web servers (all these servers are on AWS); only ports like 80, 443, 22 (IP restricted) are open to these servers. I run OSSEC for intrusion detection in a server-agent model; a 4th server is used as a bastion server that runs ossec-server, time-server etc., and these 3 web servers use this bastion server.
I wanted to manage the antivirus also from this bastion server.
-----------------
I have few more questions:
1. When I am using freshclam, what kind of threat am I getting protection from? (I do not know what other signature DB I can use for a web server; there are no mails on these servers.)
2. You mentioned clamd scans TCP ports; my question is, does it by default scan all data on all open ports, or do we need to configure it to do so?
3. If clamav finds something malicious, what does it do? Is there a place I can see what it found and what it did with it, or can it notify me somehow?
And I am not sure what I can ask about performance; I have never seen clamd taking any significant amount of CPU or RAM.
Following is my clamav installation script (I made no changes to /etc/clamav/clamav.conf):
apt-get install -y clamav clamav-daemon
service clamav-daemon start
service clamav-freshclam start
Sorry for sounding so naive and confused with this, I am actually confused whether my clamav is working or not.
Again, thanks for your help.
Regards,
Karmendra
On Sun, Apr 19, 2020 at 5:52 AM G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
Hi there,
On Sat, 18 Apr 2020, Karmendra Suthar via clamav-users wrote:
> Is there a server-agent model in ClamAV ...
Not exactly.
Several databases of signatures and similar things exist, which ClamAV
can use when it looks for undesirables. Some of the databases are
maintained by the ClamAV authors, others are maintained by community
members and/or commercial organizations. The objectives of the
databases differ widely. Some for example primarily target malicious
code for a variety of operating systems, others are more concerned
with spam and similar things usually found in email. The policies for
(and the frequencies of) updating the databases differ. In any ClamAV
installation it is possible to use multiple databases, and commonly
ClamAV users who have only one or two machines to scan will point
their freshclam instances at the remote database servers[*], wherever
those are, to obtain copies of the signature databases for each
individual ClamAV installation by direct downloading. However it is
possible to maintain one single local mirror of your own, update the
mirror from the remote databases, and point your ClamAV installations
at the mirror. This may save some bandwidth, but that's about as far
as it goes for managing databases in the way which you describe.
[*] They're more like read-only file servers than database servers.
ClamAV provides a daemon called 'clamd' which can listen on a TCP port
for connections from a client. The daemon can scan data sent to it
over such connections. I run clamd in this way, on a separate server,
and pass email data to it from a Sendmail 'milter' which runs on a
mail server. I normally scan nothing except email, and many users do
the same, but I think most users of ClamAV do not use it in this way;
I think they mostly run clamscan (or clamd plus clamdscan) on the
machines which contain the data which is to be scanned. The scanning
process can be heavy on CPU and memory. Your mileage, as they say,
may vary.
> Didn't find information in official documentation as well, do not know
> which document to check.
http://www.clamav.net/documents/clam-antivirus-user-manual
Perhaps if you describe your use case more fully we can help more.
You haven't asked about performance...
--
73,
Ged.
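As an added example (not code from this thread, nor ClamAV's own tooling), here is what "passing data to clamd over a connection" looks like on the wire: a small client that speaks clamd's INSTREAM command and reads the verdict back. It assumes clamd is reachable on 127.0.0.1:3310 (TCPSocket enabled in clamd.conf) or on the Debian/Ubuntu package's default local socket /var/run/clamav/clamd.ctl; nothing gets scanned unless a client like this hands clamd the bytes, which is the answer to the "does it scan all open ports" question.

```python
import socket
import struct

# Added example, not from the thread: minimal clamd INSTREAM client.
# clamd never sniffs traffic on open ports; a client connects and sends the
# bytes to scan. Assumed endpoints: TCP 127.0.0.1:3310 (needs TCPSocket in
# clamd.conf) or the Debian/Ubuntu default local socket /var/run/clamav/clamd.ctl.
CHUNK = 64 * 1024   # chunk size; clamd's StreamMaxLength limit still applies


def build_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Frame data as clamd's INSTREAM command: b'zINSTREAM\\0', then
    4-byte big-endian length-prefixed chunks, ended by a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        frames.append(struct.pack(">I", len(part)) + part)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_reply(reply: bytes) -> tuple:
    """Map 'stream: OK\\0', 'stream: <name> FOUND\\0' or 'stream: <msg> ERROR\\0'
    to (status, detail), e.g. ('FOUND', 'Eicar-Test-Signature')."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    _, _, rest = text.partition(": ")
    parts = rest.rsplit(" ", 1)
    return (parts[0], "") if len(parts) == 1 else (parts[1], parts[0])


def scan_bytes(data: bytes, addr=("127.0.0.1", 3310)) -> tuple:
    """Send data to clamd and return (status, detail). addr is a (host, port)
    tuple for TCP or a str path for a Unix socket."""
    family = socket.AF_UNIX if isinstance(addr, str) else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(60)
        s.connect(addr)
        s.sendall(build_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):   # 'z' commands get NUL-terminated replies
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)


if __name__ == "__main__":
    # EICAR test string: harmless by design and matched by every signature set,
    # so a FOUND verdict here proves the daemon is actually scanning.
    eicar = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    print(scan_bytes(b"<html>static content</html>"))   # ('OK', '')
    print(scan_bytes(eicar))   # ('FOUND', 'Eicar-Test-Signature')
```

Run it as root or as a user in the clamav group if you point it at the local socket; a FOUND verdict for the EICAR string is the quickest way to confirm the daemon is working at all.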