[clamav-users] ClamAV Server Agent
Karmendra Suthar
karmendra.js at gmail.com
Thu Apr 23 07:26:33 UTC 2020
Hello Graeme,
This is a great deal of information, really appreciate this selfless help.
I will read through the docs as suggested by you.
clamav.conf was a typo, I meant clamd.conf.
First 10 lines of my clamd.conf
---------------------------------------------------------------
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
---------------------------------------------------------------
DBs that I see on my system are here:
ProdServer:/var/lib/clamav$ ll -h
total 477M
drwxr-xr-x 3 clamav clamav 4.0K Apr 23 00:12 ./
drwxr-xr-x 51 root root 4.0K Apr 17 22:24 ../
-rw-r--r-- 1 clamav clamav 1.4M Sep 19 2019 bytecode.cld
drwxr-xr-x 2 clamav clamav 4.0K Jun 2 2019 clamav-ee20a882503c9c919932e15af52f0da2.tmp/
-rw-r--r-- 1 clamav clamav 182M Apr 22 18:12 daily.cld
-rw-r--r-- 1 clamav clamav 294M Nov 26 03:25 main.cld
-rw------- 1 clamav clamav 256 Jan 9 06:28 mirrors.dat
Regards,
Karmendra
On Wed, Apr 22, 2020 at 11:15 PM G.W. Haywood via clamav-users <
clamav-users at lists.clamav.net> wrote:
> Hi there,
>
> On Wed, 22 Apr 2020, Karmendra Suthar via clamav-users wrote:
>
> > Actually I never had any antivirus on my linux web servers, but PCI
> > compliance forced me to install it on my servers. Now a bit of my CPU and
> > RAM is going into running the antivirus, not sure how much, but
> > definitely something is used up.
>
> If you have the clamd daemon running, and it is using the 'official'
> databases (which are normally configured by the installation scripts
> for most Linux distributions) then it will use about a gigabyte of
> memory in normal operation and practically no other resources until
> you require ClamAV to scan something. As has been mentioned you can
> ask ClamAV to scan something in several different ways, and you need
> to become familiar with them in order to use ClamAV effectively.
>
> > I have 3 ubuntu 18 servers running load balanced nginx webservers (all
> > these servers are on AWS), only ports like 80, 443, 22 (ip restricted) are
> > open to these servers. I run OSSEC for intrusion detection in a server
> > agent model; a 4th server is used as bastion server that runs ossec-server,
> > time-server etc and these 3 webservers use this bastion server.
> > I wanted to manage the anti virus also from this bastion server.
>
> You could install clamd on the bastion server and configure it to
> listen on a TCP port for connections only from your other servers.
> Then you would only need to keep a single set of databases and you
> would only have to keep that single set of databases up to date.
> There is one issue which might not be covered in that case; if you
> wish to use on-access scanning then the last I heard from ClamAV's
> development team was that there are still some things to do to get
> a remote clamd to handle on-access scanning. I'm sure someone from
> Talos will chip in with a comment if there's still an issue there.
>
> > 1. When I am using freshclam, what kind of threats am I getting
> > protection from?
>
> If I were going to install something like ClamAV, I would want to know
> the answer to that question before I installed it, not after. Before
> that I would want to know and in your case probably document carefully
> what threats my systems faced, and also what the likely results of a
> compromise might be. For example loss of earnings, lawsuits, people
> becoming homeless and/or starving to death, you being sent to prison,
> that kind of thing.
>
> ClamAV is a kind of tool kit, and it's up to you how you want to use
> it to make scans happen. It's also up to you what you want to do if
> something is reported as 'FOUND' by the scanning process. By default
> nothing else happens, and it would be most unwise (for example) simply
> to delete or move the offending object as you might have discovered
> a 'false positive' (a very common subject on this mailing list). To
> blithely move (or delete) system files, for example, on a Linux box is
> very dangerous for the system. It's better just to mount the system
> partition(s) read-only, so that nothing can mess with them unless the
> box is already hopelessly compromised.
>
> To be clear, 'freshclam' is the thing which updates your databases.
> The things which use the databases when scanning are usually clamd
> (which is the persistent daemon) and clamscan (which does _not_ use
> the daemon).
>
> The clamd daemon loads the databases into memory when it starts, and
> then waits for some process to ask it to scan things. The requesting
> process can be clamdscan, clamav-milter, some other milter such as one
> I wrote for use here, or something else. When a process requests that
> something be scanned it can, depending on how things are configured,
> either give the location of a directory or a file to scan, or it can
> send the data to be scanned directly to the daemon via a socket.
>
> > (I do not know what other signature DB I can use for webserver. There
> > are no mails on these servers)
>
> Try searching, for example, for "ClamAV unofficial databases". It's
> up to you, since ClamAV is a tool kit, to configure which databases
> are to be used by ClamAV, and to ensure that they're kept up to date,
> and, for that matter, that they are appropriate to the tasks that you
> have decided that ClamAV is to do for you.
>
> > 2. You mentioned clamd scans TCP ports, my question is does it by default
> > scan all data on all open ports or do we need to configure it to do so.
>
> By default TCP ports are not used, and in any case no port scanning
> takes place - ClamAV is not like 'nmap', or 'metasploit', for example.
> TCP ports are only used for communication between a client, which asks
> for something to be scanned, and the server, which scans it.
>
> > 3. if clamav finds something malicious, what does it do. is there a place
> > I can see what it found and what it did with it, or can it notify me
> > somehow?
>
> Normally all that will happen is that you will be informed in some
> way. For example if you use a command-line tool from a terminal to do
> a scan, a report will be printed on the terminal. If you configure a
> daemon to use syslog, it will send messages to the log about things
> that it does.
>
> > And, I am not sure what I can ask about performance, I had never seen
> > clamd taking any significant amount of CPU or RAM.
>
> Then I suspect it is not doing anything for you at all; I would expect
> it to at least consume a gigabyte of RAM while doing _nothing_ and a
> significant amount of CPU (like _most_ of it) while scanning things.
>
> > Following is my clamav installation script: (i made no changes to
> > /etc/clamav/clamav.conf)
>
> I do not recognize the file named 'clamav.conf'. Perhaps you can tell
> us something about it. If you have a file 'clamd.conf' on your system
> it would be very interesting to see the first ten lines or so from it.
> Perhaps you could post the output of
>
> top -b -n1 | grep clam
>
> and for comparison here's the output of that command from one of my
> servers:
>
> $ top -b -n1 | grep clam
> 606 clamav 20 0 63240 9408 7792 S 0.0 0.2 0:17.80 freshclam
> 1880 clamav 20 0 1136888 1.0g 5660 S 0.0 25.8 12:08.15 clamd
>
> As you can see there's about a gigabyte of RAM used there, about 25%
> of the RAM in the box. As it happens the box has only been up for
> four days, yet clamd has used over 12 minutes of CPU in that time.
>
> > apt-get install -y clamav clamav-daemon
> > service clamav-daemon start
> > service clamav-freshclam start
>
> I wonder if you have installed any databases. Do you know where the
> databases would be stored on your system? Here are some of the
> databases on the machine which runs clamd above:
>
> -rw-r--r-- 1 clamav clamav 117859675 Feb 5 18:03 main.cvd
> -rw-r--r-- 1 clamav clamav 296388 Feb 5 18:04 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 41321567 Feb 5 18:08 safebrowsing.cvd
> -rw-r--r-- 1 clamav clamav 9676 Feb 7 22:04 bofhland_phishing_URL.ndb
> -rw-r--r-- 1 clamav clamav 610 Feb 7 22:04 bofhland_malware_URL.ndb
> -rw-r--r-- 1 clamav clamav 3448 Feb 7 22:04 bofhland_cracked_URL.ndb
> -rw-r--r-- 1 clamav clamav 115 Feb 7 22:08 spear.ndb
> drwxr-xr-x 8 clamav clamav 4096 Feb 7 22:34 unofficial-dbs
> -rw-r--r-- 1 clamav clamav 19115 Feb 12 08:11 spamimg.hdb
> -rw-r--r-- 1 clamav clamav 225174 Feb 18 12:07 foxhole_filename.cdb
> -rw-r--r-- 1 clamav clamav 599208 Mar 13 21:05 MiscreantPunch099-Low.ldb
> -rw-r--r-- 1 clamav clamav 7497595 Apr 15 09:09 junk.ndb
> -rw-r--r-- 1 clamav clamav 1923685 Apr 16 09:08 scam.ndb
> -rw-r--r-- 1 clamav clamav 30265 Apr 16 22:04 malware.expert.hdb
> -rw-r--r-- 1 clamav clamav 92255 Apr 20 15:17 badmacro.ndb
> -rw-r--r-- 1 clamav clamav 122409 Apr 21 16:09 rogue.hdb
> -rw-r--r-- 1 clamav clamav 4124800 Apr 21 19:09 phish.ndb
> -rw-r--r-- 1 clamav clamav 6790 Apr 21 19:09 shelter.ldb
> -rw-r--r-- 1 clamav clamav 1297721 Apr 21 20:09 jurlbl.ndb
> -rw-r--r-- 1 clamav clamav 652822 Apr 21 22:00 porcupine.ndb
> -rw-r--r-- 1 clamav clamav 31557 Apr 21 22:00 porcupine.hsb
> -rw-r--r-- 1 clamav clamav 2018412 Apr 21 22:00 phishtank.ndb
> -rw-r--r-- 1 clamav clamav 161140 Apr 21 22:09 jurlbla.ndb
> -rw-r--r-- 1 clamav clamav 185036 Apr 21 22:09 blurl.ndb
> -rw-r--r-- 1 clamav clamav 190392832 Apr 22 16:28 daily.cld
>
> I suggest you run
>
> apt-get install clamav-docs
>
> and then do some more reading. Also read all the documentation on the
> ClamAV Website and all the posts to this mailing list for at least the
> past year. That might sound onerous, but I can assure you that you
> will learn a great deal about ClamAV from that.
>
> --
>
> 73,
> Ged.
>
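The socket exchange Ged describes above (a client streaming data to clamd rather than naming a file, here over the TCP listener you would enable on the bastion for the web servers), as an added example that is not part of this thread: a small Python client speaking clamd's zINSTREAM command. The host name bastion.internal and the function names are assumptions; 3310 is the port conventionally used for clamd's TCPSocket setting.

```python
import socket
import struct

# Constructed sample input: the EICAR test string, the benign file that every
# antivirus is expected to report as found.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_instream_frames(data: bytes, chunk_size: int = 4096) -> bytes:
    """zINSTREAM request: NUL-terminated command, then chunks each prefixed
    by a 4-byte big-endian length, then a zero-length chunk ending the stream."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)

def parse_scan_reply(reply: bytes) -> tuple:
    """Map a NUL-terminated reply like b'stream: Eicar-Test-Signature FOUND\\0'
    to (verdict, detail); verdict is OK, FOUND, ERROR or UNKNOWN."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.startswith("stream: "):
        text = text[len("stream: "):]
    if text == "OK":
        return ("OK", "")
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")])
    if text.endswith("ERROR"):
        return ("ERROR", text[:-len("ERROR")].strip())
    return ("UNKNOWN", text)

def scan_bytes(data: bytes, host: str = "bastion.internal", port: int = 3310,
               timeout: float = 30.0) -> tuple:
    """Stream `data` to a clamd listening on TCP (TCPSocket/TCPAddr in clamd.conf;
    host is a placeholder). For the local daemon in the thread, connect with
    socket.AF_UNIX to the LocalSocket path /var/run/clamav/clamd.ctl instead."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_instream_frames(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):  # clamd terminates the reply with NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_scan_reply(bytes(reply))

if __name__ == "__main__":
    print(scan_bytes(EICAR))  # prints the (verdict, detail) tuple from the daemon
```

Sending the EICAR string through this client is a quick way to confirm that the daemon has actually loaded its databases and that the bastion's port is reachable only from the web servers.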