[clamav-users] ClamAV usage for AMI Builds

G.W. Haywood clamav at jubileegroup.co.uk
Wed Nov 25 00:13:11 UTC 2020


Hi there,

On Tue, 24 Nov 2020, Will Watters via clamav-users wrote:

> I have a number of questions regarding usage of ClamAV to
> investigate to ensure it meets our security, alerting and incident
> requirements for use in our AMI builds and greatly appreciate
> feedback on this:
>
>  *   How virus definitions are applied?
>
>  *   Is Internet access required to receive update?
>
>  *   How is the lifecycle of the AMI managed for AV / Malware?
>
>  *   How are detected events received and where are they sent?
>
>  *   Is there a list of OS that it covers?

ClamAV is more along the lines of a toolkit than a turnkey product,
and in that context I don't understand some of your questions.  The
way it generally works is you create a set of databases which contains
a variety of ways of recognizing malicious and unwanted data, then you
start a scanner process which reads the databases and finally you pass
data to the scanner.  There are various ways to do that.  When a data
stream (or file, email, whatever) is found to contain something which
matches something in the database, the scanner emits a message and can
for example also run a script which you have previously defined.  The
messages can be passed to the controlling process in various ways.  It
is up to you what you do if ClamAV detects something, and also how you
maintain the databases.  There are tools provided which will perform
scheduled automatic updates over the Internet, but this is by no means
mandatory.  There are 'official' databases and also some 'third-party'
databases which - in addition to viruses - target spam, phishing etc.
ClamAV is used in different ways by different people.  For example I
use it primarily as a mail filter.  Others may use it to screen data
uploaded by untrusted sources.  Some people routinely scan filesystems
with it although I can't say that I'd recommend that in most cases.

The source code for ClamAV is freely available, you can compile it for
most operating systems but its features are not all available on every
operating system.

There are archives of this mailing list, and there is documentation at

https://www.clamav.net/documents/clam-antivirus-user-manual

perhaps if you spend some time with it you will be able to answer many
of your own questions.  Please feel free to get back to us if you have
more specific questions.  If you can give us some details about your
requirements we might be able to explain if ClamAV might fit, or not.

-- 

73,
Ged.
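The reply above describes the moving parts in general terms: a database of things to recognise, a running scanner process, a caller that hands it data, and a message coming back (optionally with a script run on detection). The following Python is an added illustration of that message flow and is not code from this thread or from the ClamAV project. The client side speaks clamd's real INSTREAM command (send `zINSTREAM`, then length-prefixed chunks, then a zero-length chunk; read a NUL-terminated `stream: ... OK` / `stream: <Name> FOUND` reply). The server side is a constructed stand-in for clamd with a one-entry "database" (`MOCK_SIGNATURES`, a made-up marker string) so the example runs offline; the `on_detect` callback is an assumption standing in for clamd's VirusEvent hook, not an API of the ClamAV libraries.

```python
"""Client for clamd's INSTREAM command plus an offline stand-in scanner.

Added example: the client protocol is the documented clamd one; the server
below is a constructed mock, not ClamAV, used only to show the exchange.
"""
import socket
import socketserver
import struct
import threading

# Constructed stand-in for a signature database: byte pattern -> name.
# Real ClamAV databases (.cvd/.cld/.ndb ...) are far richer; this is only
# enough to show how a hit travels from the scanner back to the caller.
MOCK_SIGNATURES = {
    b"MOCK-MARKER-DO-NOT-SHIP": "Mock.Test.Marker",
}


class _MockClamdHandler(socketserver.StreamRequestHandler):
    """Answers zPING and zINSTREAM the way clamd does (NUL-terminated replies)."""

    def handle(self):
        cmd = self._read_until_nul()
        if cmd == b"zPING":
            self.wfile.write(b"PONG\0")
            return
        if cmd != b"zINSTREAM":
            self.wfile.write(b"UNKNOWN COMMAND\0")
            return
        payload = bytearray()
        while True:  # <4-byte big-endian length><chunk>, zero length ends it
            (length,) = struct.unpack("!I", self._read_exact(4))
            if length == 0:
                break
            payload += self._read_exact(length)
        for pattern, name in MOCK_SIGNATURES.items():
            if pattern in payload:
                self.wfile.write(f"stream: {name} FOUND\0".encode())
                return
        self.wfile.write(b"stream: OK\0")

    def _read_exact(self, n):
        buf = bytearray()
        while len(buf) < n:
            chunk = self.rfile.read(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-chunk")
            buf += chunk
        return bytes(buf)

    def _read_until_nul(self):
        buf = bytearray()
        while True:
            b = self.rfile.read(1)
            if not b or b == b"\0":
                return bytes(buf)
            buf += b


def start_mock_clamd():
    """Start the stand-in scanner on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockClamdHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def scan_stream(port, data, on_detect=None, host="127.0.0.1", chunk_size=8192):
    """Send `data` to a clamd-compatible scanner over TCP using INSTREAM.

    Returns ("OK", None) or ("FOUND", signature_name).  `on_detect` (an
    assumption, modelled on clamd's VirusEvent) is called with the name on a hit.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(b"zINSTREAM\0")
        for offset in range(0, len(data), chunk_size):
            chunk = data[offset:offset + chunk_size]
            sock.sendall(struct.pack("!I", len(chunk)) + chunk)
        sock.sendall(struct.pack("!I", 0))  # zero-length chunk terminates the stream
        reply = bytearray()
        while not reply.endswith(b"\0"):  # "z" commands get NUL-terminated replies
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    text = reply.rstrip(b"\0").decode(errors="replace")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        name = text[len("stream: "):-len(" FOUND")]
        if on_detect:
            on_detect(name)
        return "FOUND", name
    if text == "stream: OK":
        return "OK", None
    raise RuntimeError(f"unexpected scanner reply: {text!r}")


if __name__ == "__main__":
    srv, p = start_mock_clamd()
    print(scan_stream(p, b"ordinary upload contents"))
    print(scan_stream(p, b"prefix " + b"MOCK-MARKER-DO-NOT-SHIP" + b" suffix",
                      on_detect=lambda n: print("would run handler for", n)))
    srv.shutdown()
```

Against a real clamd, point `scan_stream` at the daemon's TCP socket (a `TCPSocket`/`TCPAddr` listener must be enabled in clamd.conf) and drop the mock entirely; the reply parsing is unchanged. Note that clamd enforces a `StreamMaxLength` limit and answers an oversized INSTREAM with an `ERROR` line rather than `OK`/`FOUND`, which the `RuntimeError` branch surfaces instead of silently treating as clean.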
