Hi there,

On Wed, 22 Apr 2020, Karmendra Suthar via clamav-users wrote:

> Actually I never had any antivirus on my Linux web servers, but PCI compliance forced me to install it on my servers. Now a bit of my CPU and RAM is going into running the antivirus, not sure how much, but definitely something is used up.
If you have the clamd daemon running, and it is using the 'official' databases (which are normally configured by the installation scripts for most Linux distributions) then it will use about a gigabyte of memory in normal operation and practically no other resources until you require ClamAV to scan something. As has been mentioned you can ask ClamAV to scan something in several different ways, and you need to become familiar with them in order to use ClamAV effectively.
> I have 3 Ubuntu 18 servers running load-balanced nginx webservers (all these servers are on AWS); only ports like 80, 443, 22 (IP restricted) are open to these servers. I run OSSEC for intrusion detection in a server/agent model; a 4th server is used as a bastion server that runs ossec-server, time-server etc., and these 3 webservers use this bastion server. I wanted to manage the antivirus also from this bastion server.
You could install clamd on the bastion server and configure it to listen on a TCP port for connections only from your other servers. Then you would only need to keep a single set of databases and you would only have to keep that single set of databases up to date. There is one issue which might not be covered in that case; if you wish to use on-access scanning then the last I heard from ClamAV's development team was that there are still some things to do to get a remote clamd to handle on-access scanning. I'm sure someone from Talos will chip in with a comment if there's still an issue there.
> 1. When I am using freshclam, what kind of threat am I getting protection from?
If I were going to install something like ClamAV, I would want to know the answer to that question before I installed it, not after. Before that I would want to know, and in your case probably document carefully, what threats my systems faced, and also what the likely results of a compromise might be. For example loss of earnings, lawsuits, people becoming homeless and/or starving to death, you being sent to prison, that kind of thing.

ClamAV is a kind of tool kit, and it's up to you how you want to use it to make scans happen. It's also up to you what you want to do if something is reported as 'FOUND' by the scanning process. By default nothing else happens, and it would be most unwise (for example) simply to delete or move the offending object, as you might have discovered a 'false positive' (a very common subject on this mailing list). To blithely move (or delete) system files, for example, on a Linux box is very dangerous for the system. It's better just to mount the system partition(s) read-only, so that nothing can mess with them unless the box is already hopelessly compromised.

To be clear, 'freshclam' is the thing which updates your databases. The things which use the databases when scanning are usually clamd (which is the persistent daemon) and clamscan (which does _not_ use the daemon). The clamd daemon loads the databases into memory when it starts, and then waits for some process to ask it to scan things. The requesting process can be clamdscan, clamav-milter, some other milter such as one I wrote for use here, or something else. When a process requests that something be scanned it can, depending on how things are configured, either give the location of a directory or a file to scan, or it can send the data to be scanned directly to the daemon via a socket.

> (I do not know what other signature DB I can use for a webserver. There
> are no mails on these servers.)
Try searching, for example, for "ClamAV unofficial databases". It's up to you, since ClamAV is a tool kit, to configure which databases are to be used by ClamAV, and to ensure that they're kept up to date, and, for that matter, that they are appropriate to the tasks that you have decided that ClamAV is to do for you.
> 2. You mentioned clamd scans TCP ports; my question is, does it by default scan all data on all open ports, or do we need to configure it to do so?
By default TCP ports are not used, and in any case no port scanning takes place - ClamAV is not like 'nmap', or 'metasploit', for example. TCP ports are only used for communication between a client, which asks for something to be scanned, and the server, which scans it.
> 3. If clamav finds something malicious, what does it do? Is there a place I can see what it found and what it did with it, or can it notify me somehow?
Normally all that will happen is that you will be informed in some way. For example if you use a command-line tool from a terminal to do a scan, a report will be printed on the terminal. If you configure a daemon to use syslog, it will send messages to the log about things that it does.
> And, I am not sure what I can ask about performance; I have never seen clamd taking any significant amount of CPU or RAM.

Then I suspect it is not doing anything for you at all. I would expect it to at least consume a gigabyte of RAM while doing _nothing_, and a significant amount of CPU (like _most_ of it) while scanning things.
> Following is my clamav installation script (I made no changes to /etc/clamav/clamav.conf):

I do not recognize the file named 'clamav.conf'. Perhaps you can tell us something about it. If you have a file 'clamd.conf' on your system it would be very interesting to see the first ten lines or so from it.

Perhaps you could post the output of

    top -b -n1 | grep clam

and for comparison here's the output of that command from one of my servers:

    $ top -b -n1 | grep clam
      606 clamav    20   0   63240   9408   7792 S   0.0  0.2   0:17.80 freshclam
     1880 clamav    20   0 1136888   1.0g   5660 S   0.0 25.8  12:08.15 clamd

As you can see there's about a gigabyte of RAM used there, about 25% of the RAM in the box. As it happens the box has only been up for four days, yet clamd has used over 12 minutes of CPU in that time.

> apt-get install -y clamav clamav-daemon
> service clamav-daemon start
> service clamav-freshclam start
I wonder if you have installed any databases. Do you know where the databases would be stored on your system? Here are some of the databases on the machine which runs clamd above:

    -rw-r--r-- 1 clamav clamav 117859675 Feb  5 18:03 main.cvd
    -rw-r--r-- 1 clamav clamav    296388 Feb  5 18:04 bytecode.cvd
    -rw-r--r-- 1 clamav clamav  41321567 Feb  5 18:08 safebrowsing.cvd
    -rw-r--r-- 1 clamav clamav      9676 Feb  7 22:04 bofhland_phishing_URL.ndb
    -rw-r--r-- 1 clamav clamav       610 Feb  7 22:04 bofhland_malware_URL.ndb
    -rw-r--r-- 1 clamav clamav      3448 Feb  7 22:04 bofhland_cracked_URL.ndb
    -rw-r--r-- 1 clamav clamav       115 Feb  7 22:08 spear.ndb
    drwxr-xr-x 8 clamav clamav      4096 Feb  7 22:34 unofficial-dbs
    -rw-r--r-- 1 clamav clamav     19115 Feb 12 08:11 spamimg.hdb
    -rw-r--r-- 1 clamav clamav    225174 Feb 18 12:07 foxhole_filename.cdb
    -rw-r--r-- 1 clamav clamav    599208 Mar 13 21:05 MiscreantPunch099-Low.ldb
    -rw-r--r-- 1 clamav clamav   7497595 Apr 15 09:09 junk.ndb
    -rw-r--r-- 1 clamav clamav   1923685 Apr 16 09:08 scam.ndb
    -rw-r--r-- 1 clamav clamav     30265 Apr 16 22:04 malware.expert.hdb
    -rw-r--r-- 1 clamav clamav     92255 Apr 20 15:17 badmacro.ndb
    -rw-r--r-- 1 clamav clamav    122409 Apr 21 16:09 rogue.hdb
    -rw-r--r-- 1 clamav clamav   4124800 Apr 21 19:09 phish.ndb
    -rw-r--r-- 1 clamav clamav      6790 Apr 21 19:09 shelter.ldb
    -rw-r--r-- 1 clamav clamav   1297721 Apr 21 20:09 jurlbl.ndb
    -rw-r--r-- 1 clamav clamav    652822 Apr 21 22:00 porcupine.ndb
    -rw-r--r-- 1 clamav clamav     31557 Apr 21 22:00 porcupine.hsb
    -rw-r--r-- 1 clamav clamav   2018412 Apr 21 22:00 phishtank.ndb
    -rw-r--r-- 1 clamav clamav    161140 Apr 21 22:09 jurlbla.ndb
    -rw-r--r-- 1 clamav clamav    185036 Apr 21 22:09 blurl.ndb
    -rw-r--r-- 1 clamav clamav 190392832 Apr 22 16:28 daily.cld

I suggest you run

    apt-get install clamav-docs

and then do some more reading. Also read all the documentation on the ClamAV Website and all the posts to this mailing list for at least the past year. That might sound onerous, but I can assure you that you will learn a great deal about ClamAV from that.

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
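The reply above walks through three things a reader can verify on their own box: whether clamd is actually resident (the `top` output), whether signature databases are present and being refreshed, and, for the bastion-server idea, whether a TCP listener is bound to a specific address. The following POSIX shell script is an added example bundling those checks; it is not part of Ged's reply or of the ClamAV project. The function names (`clamd_rss_kb`, `check_db_dir`, `check_tcp_bind`) are hypothetical, the `/var/lib/clamav` and `/etc/clamav/clamd.conf` paths are assumed Debian/Ubuntu defaults, and the embedded `top` sample is copied from the reply so the demo runs offline. `TCPSocket`, `TCPAddr` and `LocalSocket` are real clamd.conf directives.

```shell
#!/bin/sh
# Added example (not from the list post or the ClamAV project): sanity checks
# for a clamd host, mirroring the points made in the reply:
#   1. is clamd resident and holding roughly a gigabyte of RAM?
#   2. are the official signature sets present and recently refreshed?
#   3. if clamd listens on TCP, is it bound to a specific address?
# The two paths below are Debian/Ubuntu defaults and are assumptions.
DB_DIR=${DB_DIR:-/var/lib/clamav}
CLAMD_CONF=${CLAMD_CONF:-/etc/clamav/clamd.conf}

# Sample `top -b -n1 | grep clam` output, copied from the reply, for the demo run.
SAMPLE_TOP='  606 clamav    20   0   63240   9408   7792 S   0.0  0.2   0:17.80 freshclam
 1880 clamav    20   0 1136888   1.0g   5660 S   0.0 25.8  12:08.15 clamd'

# Reads top(1) lines on stdin and prints the RES column of the clamd process
# in KiB (0 when no clamd line is present). top shows RES as plain KiB or with
# an m/g suffix, so the suffix is normalised here.
clamd_rss_kb() {
  awk 'BEGIN { rss = 0 }
       $NF == "clamd" {
         v = $6; u = substr(v, length(v), 1)
         if (u == "g")      rss = substr(v, 1, length(v) - 1) * 1024 * 1024
         else if (u == "m") rss = substr(v, 1, length(v) - 1) * 1024
         else               rss = v
       }
       END { printf "%d\n", rss }'
}

# Prints "ok" and returns 0 when $1 holds a main and a daily signature set
# (.cvd or .cld) and the daily set was modified within $2 days (default 7);
# otherwise prints the reason and returns 1.
check_db_dir() {
  dir=$1; max_age=${2:-7}
  [ -e "$dir/main.cvd" ] || [ -e "$dir/main.cld" ] || { echo "missing main.cvd/.cld"; return 1; }
  daily=""
  for f in "$dir/daily.cvd" "$dir/daily.cld"; do [ -e "$f" ] && daily=$f; done
  [ -n "$daily" ] || { echo "missing daily.cvd/.cld"; return 1; }
  [ -z "$(find "$daily" -mtime +"$max_age")" ] || { echo "daily set older than $max_age days"; return 1; }
  echo "ok"
}

# Reads a clamd.conf on stdin. TCPSocket enables the TCP listener and TCPAddr
# restricts the bind address; TCPSocket without TCPAddr listens on every
# interface, so that case returns 1. A host firewall or security group is
# still needed to limit which peers may connect.
check_tcp_bind() {
  awk 'BEGIN { sock = 0; addr = 0 }
       /^[ \t]*#/ { next }
       $1 == "TCPSocket" { sock = 1 }
       $1 == "TCPAddr"   { addr = 1 }
       END {
         if (!sock) { print "tcp: disabled"; exit 0 }
         if (addr)  { print "tcp: bound to TCPAddr"; exit 0 }
         print "tcp: TCPSocket set without TCPAddr (listens on all interfaces)"; exit 1
       }'
}

# `./clamd-check.sh --live` runs against this host; otherwise demo on the sample.
if [ "${1:-}" = "--live" ]; then
  echo "clamd RSS KiB: $(top -b -n1 | grep clam | clamd_rss_kb)"
  check_db_dir "$DB_DIR" || true
  check_tcp_bind < "$CLAMD_CONF" || true
else
  echo "sample clamd RSS KiB: $(printf '%s\n' "$SAMPLE_TOP" | clamd_rss_kb)"
fi
```

A clamd RSS well under a gigabyte with the official databases configured is the symptom the reply describes (the daemon is not holding the signatures), and a daily set older than a week means freshclam is not doing its job; both are worth wiring into whatever the bastion host already uses for monitoring.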