Hi,

Sorry, I think I didn't mention it clearly, but these servers are actually
dealing with payments: these web servers show web pages where card info is
collected and then payments are processed, and further client data is
stored in a DB with the required encryption, to be retrieved later for
administration.
Well, it looks like for over a year now I was just keeping clamav as a pet
that eats and sleeps and does nothing productive. Well, to be honest, I am
unsure what I should ask clamav to scan or keep an eye on in a web server
running a PHP web application. If you have a clue, let me know.

Thanks for all your help.

Regards,
Karmendra

On Wed, Apr 22, 2020 at 6:44 PM Graeme Fowler <g.e.fow...@lboro.ac.uk> wrote:

> You wrote
>
> > Sorry for sounding so naive and confused with this, I am actually
> > confused whether my clamav is working or not.
>
> If you haven't told it to do anything, then yes it's working but it's not
> actually doing anything.
>
> clamd is a daemon; you need to use the 'clamdscan' tool to ask it to scan
> things, or set up on-access scanning.
>
> http://www.clamav.net/documents/scanning
>
> Additionally, if your PCI assessor is insistent on anti-virus apps being
> installed on web servers then they're not very good; you should be able to
> argue that this is out-of-scope for the environment you're working in
> *unless* they have client-provided data flowing through them. If they're
> not in the payment path and the content is all static then they should be
> considered out of scope.
>
> Graeme
>
> *From: *clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of
> Karmendra Suthar via clamav-users <clamav-users@lists.clamav.net>
> *Reply to: *ClamAV users ML <clamav-users@lists.clamav.net>
> *Date: *Wednesday, 22 April 2020 at 13:47
> *To: *ClamAV users ML <clamav-users@lists.clamav.net>
> *Cc: *Karmendra Suthar <karmendra...@gmail.com>, "G.W. Haywood"
> <cla...@jubileegroup.co.uk>
> *Subject: *Re: [clamav-users] ClamAV Server Agent
>
> Hello,
>
> Thanks a lot for answering my query.
>
> Actually I never had any antivirus on my Linux web servers, but PCI
> compliance forced me to install it on my servers.
> Now a bit of my CPU and RAM is going into running the antivirus, not sure
> how much, but definitely something is used up.
>
> Anyway, I will give my use case.
>
> I have 3 Ubuntu 18 servers running load-balanced nginx web servers (all
> these servers are on AWS); only ports like 80, 443, 22 (IP restricted) are
> open to these servers. I run OSSEC for intrusion detection in a
> server-agent model; a 4th server is used as a bastion server that runs
> ossec-server, time-server etc., and these 3 web servers use this bastion
> server.
>
> I wanted to manage the anti-virus also from this bastion server.
>
> -----------------
>
> I have a few more questions:
>
> 1. When I am using freshclam, what kind of threat am I getting protection
> from? (I do not know what other signature DB I can use for a web server.
> There are no mails on these servers.)
>
> 2. You mentioned clamd scans TCP ports; my question is, does it by default
> scan all data on all open ports or do we need to configure it to do so?
>
> 3. If clamav finds something malicious, what does it do? Is there a place
> I can see what it found and what it did with it, or can it notify me
> somehow?
>
> And, I am not sure what I can ask about performance; I had never seen
> clamd taking any significant amount of CPU or RAM.
>
> Following is my clamav installation script: (I made no changes to
> /etc/clamav/clamav.conf)
>
> apt-get install -y clamav clamav-daemon
> service clamav-daemon start
> service clamav-freshclam start
>
> Sorry for sounding so naive and confused with this, I am actually confused
> whether my clamav is working or not.
>
> Again, thanks for your help.
>
> Regards,
>
> Karmendra
>
> On Sun, Apr 19, 2020 at 5:52 AM G.W. Haywood via clamav-users
> <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Sat, 18 Apr 2020, Karmendra Suthar via clamav-users wrote:
>
> > Is there a server-agent model in ClamAV ...
>
> Not exactly.
>
> Several databases of signatures and similar things exist, which ClamAV
> can use when it looks for undesirables. Some of the databases are
> maintained by the ClamAV authors, others are maintained by community
> members and/or commercial organizations. The objectives of the
> databases differ widely. Some for example primarily target malicious
> code for a variety of operating systems, others are more concerned
> with spam and similar things usually found in email. The policies for
> (and the frequencies of) updating the databases differ. In any ClamAV
> installation it is possible to use multiple databases, and commonly
> ClamAV users who have only one or two machines to scan will point
> their freshclam instances at the remote database servers[*], wherever
> those are, to obtain copies of the signature databases for each
> individual ClamAV installation by direct downloading. However it is
> possible to maintain one single local mirror of your own, update the
> mirror from the remote databases, and point your ClamAV installations
> at the mirror. This may save some bandwidth, but that's about as far
> as it goes for managing databases in the way which you describe.
>
> [*] They're more like read-only file servers than database servers.
>
> ClamAV provides a daemon called 'clamd' which can listen on a TCP port
> for connections from a client. The daemon can scan data sent to it
> over such connections. I run clamd in this way, on a separate server,
> and pass email data to it from a Sendmail 'milter' which runs on a
> mail server. I normally scan nothing except email, and many users do
> the same, but I think most users of ClamAV do not use it in this way;
> I think they mostly run clamscan (or clamd plus clamdscan) on the
> machines which contain the data which is to be scanned. The scanning
> process can be heavy on CPU and memory. Your mileage, as they say,
> may vary.
>
> > Didn't find information in official documentation as well, do not know
> > which document to check.
>
> http://www.clamav.net/documents/clam-antivirus-user-manual
>
> Perhaps if you describe your use case more fully we can help more.
>
> You haven't asked about performance...
>
> --
>
> 73,
> Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
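Ged's reply above describes clamd listening on a TCP port and scanning whatever a client sends it, and Graeme's point is that a clamd that is merely running scans nothing until something asks it to. For Karmendra's "is my clamav working or not" question, the usual check is to hand the daemon the EICAR test string and confirm it comes back FOUND. The following is an added example, not code from this thread or from the ClamAV project: a small Python client for clamd's INSTREAM command, plus a throwaway fake clamd so the client can be exercised on a machine with no ClamAV installed. Assumptions: a real clamd is reachable on 127.0.0.1:3310, which requires TCPSocket to be enabled in clamd.conf (the daemon's own config file; the Ubuntu package only opens a local socket by default, in which case pass unix_socket= instead), and the fake's signature name is invented for the example, since a real clamd reports its own detection name.

```python
"""clamd INSTREAM client and an offline stand-in for clamd (added example)."""
import socket
import struct
import threading

# Public EICAR test string: harmless by design, and every AV engine is
# expected to flag it, which makes it the standard "is the scanner alive?" probe.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _connect(host=None, port=3310, unix_socket=None, timeout=30.0):
    """Open a socket to clamd: a local socket path if given, else TCP.
    (Assumption: the Ubuntu package listens on LocalSocket only unless
    TCPSocket is enabled in clamd.conf.)"""
    if unix_socket:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect(unix_socket)
        return s
    return socket.create_connection((host or "127.0.0.1", port), timeout=timeout)


def parse_reply(reply: bytes) -> str:
    """'stream: OK\\0' -> 'OK';  'stream: <name> FOUND\\0' -> '<name> FOUND'."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    return text.split(": ", 1)[1] if ": " in text else text


def instream_scan(data: bytes, chunk_size=8192, **conn) -> str:
    """Send bytes to clamd with zINSTREAM and return its verdict string."""
    with _connect(**conn) as s:
        s.sendall(b"zINSTREAM\0")            # 'z' prefix: NUL-terminated replies
        for i in range(0, len(data), chunk_size):
            part = data[i:i + chunk_size]
            # every chunk carries a 4-byte big-endian length prefix
            s.sendall(struct.pack(">I", len(part)) + part)
        s.sendall(struct.pack(">I", 0))      # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            r = s.recv(4096)
            if not r:
                break
            reply += r
    return parse_reply(reply)


def clamd_is_working(**conn) -> bool:
    """True only if the daemon actually flags the EICAR probe: 'running'
    and 'scanning' are different things."""
    return instream_scan(EICAR, **conn).endswith("FOUND")


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        r = s.recv(n - len(buf))
        if not r:
            raise ConnectionError("peer closed mid-chunk")
        buf += r
    return buf


def start_fake_clamd():
    """Stand-in for clamd on an ephemeral localhost port (constructed for
    this example). It understands only zINSTREAM, 'detects' only EICAR,
    and its signature name is made up. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            cmd = b""
            while not cmd.endswith(b"\0"):
                r = conn.recv(1)
                if not r:
                    return
                cmd += r
            if cmd != b"zINSTREAM\0":
                conn.sendall(b"UNKNOWN COMMAND\0")
                return
            data = b""
            while True:
                (n,) = struct.unpack(">I", _recv_exact(conn, 4))
                if n == 0:
                    break
                data += _recv_exact(conn, n)
            verdict = b"Eicar-Test-Signature FOUND" if EICAR in data else b"OK"
            conn.sendall(b"stream: " + verdict + b"\0")

    def serve():
        while True:
            c, _ = srv.accept()
            threading.Thread(target=handle, args=(c,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_clamd()           # swap for port=3310 against a real clamd
    print("EICAR probe:  ", instream_scan(EICAR, port=port))
    print("harmless PHP: ", instream_scan(b"<?php echo 'hello'; ?>", port=port))
    print("scanner works:", clamd_is_working(port=port))
```

Against a real daemon, `clamd_is_working(port=3310)` (or `unix_socket="/var/run/clamav/clamd.ctl"`, the path the Ubuntu package uses by default) answers the "is it doing anything" question directly, and `instream_scan` can be run from cron over the directories a PHP application can write to, such as upload folders, which is where scanning a web server earns its keep. Two caveats: clamd caps a single stream at its `StreamMaxLength` setting and answers with an ERROR line beyond it, which `parse_reply` passes through unchanged, and a FOUND verdict is only a report; deleting or quarantining the file is the caller's decision, not clamd's.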