You wrote
> Sorry for sounding so naive and confused with this, I am actually confused 
> whether my clamav is working or not.

If you haven't told it to do anything, then yes it's working but it's not 
actually doing anything.

clamd is a daemon; you need to use the 'clamdscan' tool to ask it to scan 
things, or set up on-access scanning.

http://www.clamav.net/documents/scanning

Additionally, if your PCI assessor is insistent on anti-virus apps being 
installed on web servers then they're not very good; you should be able to 
argue that this is out-of-scope for the environment you're working in *unless* 
they have client-provided data flowing through them. If they're not in the 
payment path and the content is all static then they should be considered out 
of scope.

Graeme



From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of 
Karmendra Suthar via clamav-users <clamav-users@lists.clamav.net>
Reply to: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Wednesday, 22 April 2020 at 13:47
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Karmendra Suthar <karmendra...@gmail.com>, "G.W. Haywood" 
<cla...@jubileegroup.co.uk>
Subject: Re: [clamav-users] ClamAV Server Agent

Hello,

Thanks a lot for answering my query.
Actually I never had any antivirus on my Linux web servers, but PCI compliance 
forced me to install it on my servers. Now a bit of my CPU and RAM is going 
into running the antivirus, not sure how much, but definitely something is used 
up.

Anyways, I will give my use case.

I have 3 Ubuntu 18 servers running load-balanced nginx webservers (all these 
servers are on AWS); only ports like 80, 443, 22 (IP restricted) are open to 
these servers. I run OSSEC for intrusion detection in a server-agent model; a 
4th server is used as a bastion server that runs ossec-server, time-server etc., 
and these 3 webservers use this bastion server.

I wanted to manage the antivirus also from this bastion server.
-----------------

I have a few more questions:
1. When I am using freshclam, what kind of threat am I getting protection from? 
(I do not know what other signature DB I can use for a webserver; there are no 
mails on these servers.)
2. You mentioned clamd scans TCP ports; my question is, does it by default scan all 
data on all open ports, or do we need to configure it to do so?
3. If ClamAV finds something malicious, what does it do? Is there a place I can 
see what it found and what it did with it, or can it notify me somehow?


And, I am not sure what I can ask about performance; I had never seen clamd 
taking any significant amount of CPU or RAM.


Following is my ClamAV installation script (I made no changes to 
/etc/clamav/clamav.conf):
apt-get install -y clamav clamav-daemon
service clamav-daemon start
service clamav-freshclam start



Sorry for sounding so naive and confused with this, I am actually confused 
whether my clamav is working or not.

Again, thanks for your help.

Regards,
Karmendra


On Sun, Apr 19, 2020 at 5:52 AM G.W. Haywood via clamav-users 
<clamav-users@lists.clamav.net> wrote:
Hi there,

On Sat, 18 Apr 2020, Karmendra Suthar via clamav-users wrote:

> Is there a server-agent model in ClamAV ...

Not exactly.

Several databases of signatures and similar things exist, which ClamAV
can use when it looks for undesirables.  Some of the databases are
maintained by the ClamAV authors, others are maintained by community
members and/or commercial organizations.  The objectives of the
databases differ widely.  Some for example primarily target malicious
code for a variety of operating systems, others are more concerned
with spam and similar things usually found in email.  The policies for
(and the frequencies of) updating the databases differ.  In any ClamAV
installation it is possible to use multiple databases, and commonly
ClamAV users who have only one or two machines to scan will point
their freshclam instances at the remote database servers[*], wherever
those are, to obtain copies of the signature databases for each
individual ClamAV installation by direct downloading.  However it is
possible to maintain one single local mirror of your own, update the
mirror from the remote databases, and point your ClamAV installations
at the mirror.  This may save some bandwidth, but that's about as far
as it goes for managing databases in the way which you describe.

[*] They're more like read-only file servers than database servers.

ClamAV provides a daemon called 'clamd' which can listen on a TCP port
for connections from a client.  The daemon can scan data sent to it
over such connections.  I run clamd in this way, on a separate server,
and pass email data to it from a Sendmail 'milter' which runs on a
mail server.  I normally scan nothing except email, and many users do
the same, but I think most users of ClamAV do not use it in this way;
I think they mostly run clamscan (or clamd plus clamdscan) on the
machines which contain the data which is to be scanned.  The scanning
process can be heavy on CPU and memory.  Your mileage, as they say,
may vary.

> Didn't find information in official documentation as well, do not know
> which document to check.

http://www.clamav.net/documents/clam-antivirus-user-manual

Perhaps if you describe your use case more fully we can help more.

You haven't asked about performance...

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml