Your list includes a number of databases I haven't seen before. Could
you provide a list of source sites that provide the DBs that you find
most useful?

Thanks!



On Wed, 22 Apr 2020 18:43:47 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hi there,
> 
> On Wed, 22 Apr 2020, Karmendra Suthar via clamav-users wrote:
> 
> > Actually I never had any antivirus on my Linux web servers, but PCI
> > compliance forced me to install it on my servers. Now a bit of my CPU and
> > RAM is going into running the antivirus, not sure how much, but
> > definitely something is used up.
> 
> If you have the clamd daemon running, and it is using the 'official'
> databases (which are normally configured by the installation scripts
> for most Linux distributions) then it will use about a gigabyte of
> memory in normal operation and practically no other resources until
> you require ClamAV to scan something.  As has been mentioned you can
> ask ClamAV to scan something in several different ways, and you need
> to become familiar with them in order to use ClamAV effectively.
> 
> > I have 3 Ubuntu 18 servers running load-balanced nginx webservers (all
> > these servers are on AWS); only ports like 80, 443, 22 (IP restricted) are
> > open to these servers. I run OSSEC for intrusion detection in a server
> > agent model; a 4th server is used as a bastion server that runs ossec-server,
> > time-server etc. and these 3 webservers use this bastion server.
> > I wanted to manage the antivirus also from this bastion server.
> 
> You could install clamd on the bastion server and configure it to
> listen on a TCP port for connections only from your other servers.
> Then you would only need to keep a single set of databases and you
> would only have to keep that single set of databases up to date.
> There is one issue which might not be covered in that case; if you
> wish to use on-access scanning then the last I heard from ClamAV's
> development team was that there are still some things to do to get
> a remote clamd to handle on-access scanning.  I'm sure someone from
> Talos will chip in with a comment if there's still an issue there.
> 
> > 1. When I am using freshclam, what kind of threat am I getting
> > protection from?
> 
> If I were going to install something like ClamAV, I would want to know
> the answer to that question before I installed it, not after.  Before
> that I would want to know and in your case probably document carefully
> what threats my systems faced, and also what the likely results of a
> compromise might be.  For example loss of earnings, lawsuits, people
> becoming homeless and/or starving to death, you being sent to prison,
> that kind of thing.
> 
> ClamAV is a kind of tool kit, and it's up to you how you want to use
> it to make scans happen.  It's also up to you what you want to do if
> something is reported as 'FOUND' by the scanning process.  By default
> nothing else happens, and it would be most unwise (for example) simply
> to delete or move the offending object, as you might have discovered
> a 'false positive' (a very common subject on this mailing list).  To
> blithely move (or delete) system files, for example, on a Linux box is
> very dangerous for the system.  It's better just to mount the system
> partition(s) read-only, so that nothing can mess with them unless the
> box is already hopelessly compromised.
> 
> To be clear, 'freshclam' is the thing which updates your databases.
> The things which use the databases when scanning are usually clamd
> (which is the persistent daemon) and clamscan (which does _not_ use
> the daemon).
> 
> The clamd daemon loads the databases into memory when it starts, and
> then waits for some process to ask it to scan things.  The requesting
> process can be clamdscan, clamav-milter, some other milter such as one
> I wrote for use here, or something else.  When a process requests that
> something be scanned it can, depending on how things are configured,
> either give the location of a directory or a file to scan, or it can
> send the data to be scanned directly to the daemon via a socket.
> 
> > (I do not know what other signature DB I can use for webserver. There
> > are no mails on these servers)
> 
> Try searching, for example, for "ClamAV unofficial databases".  It's
> up to you, since ClamAV is a tool kit, to configure which databases
> are to be used by ClamAV, and to ensure that they're kept up to date,
> and, for that matter, that they are appropriate to the tasks that you
> have decided that ClamAV is to do for you.
> 
> > 2. You mentioned clamd scans TCP ports; my question is, does it by default scan
> > all data on all open ports or do we need to configure it to do so?
> 
> By default TCP ports are not used, and in any case no port scanning
> takes place - ClamAV is not like 'nmap', or 'metasploit', for example.
> TCP ports are only used for communication between a client, which asks
> for something to be scanned, and the server, which scans it.
> 
> > 3. If clamav finds something malicious, what does it do? Is there a place I
> > can see what it found and what it did with it, or can it notify me somehow?
> 
> Normally all that will happen is that you will be informed in some
> way.  For example if you use a command-line tool from a terminal to do
> a scan, a report will be printed on the terminal.  If you configure a
> daemon to use syslog, it will send messages to the log about things
> that it does.
> 
> > And, I am not sure what I can ask about performance; I had never seen clamd
> > taking any significant amount of CPU or RAM.
> 
> Then I suspect it is not doing anything for you at all; I would expect
> it to at least consume a gigabyte of RAM while doing _nothing_ and a
> significant amount of CPU (like _most_ of it) while scanning things.
> 
> > Following is my clamav installation script: (i made no changes to
> > /etc/clamav/clamav.conf)  
> 
> I do not recognize the file named 'clamav.conf'.  Perhaps you can tell
> us something about it.  If you have a file 'clamd.conf' on your system
> it would be very interesting to see the first ten lines or so from it.
> Perhaps you could post the output of
> 
> top -b -n1 | grep clam
> 
> and for comparison here's the output of that command from one of my servers:
> 
> $ top -b -n1 | grep clam
>    606 clamav    20   0   63240   9408   7792 S   0.0   0.2   0:17.80 freshclam
>   1880 clamav    20   0 1136888   1.0g   5660 S   0.0  25.8  12:08.15 clamd
> 
> As you can see there's about a gigabyte of RAM used there, about 25%
> of the RAM in the box.  As it happens the box has only been up for
> four days, yet clamd has used over 12 minutes of CPU in that time.
> 
> > apt-get install -y clamav clamav-daemon
> > service clamav-daemon start
> > service clamav-freshclam start  
> 
> I wonder if you have installed any databases.  Do you know where the
> databases would be stored on your system?  Here are some of the
> databases on the machine which runs clamd above:
> 
> -rw-r--r-- 1 clamav clamav 117859675 Feb  5 18:03 main.cvd
> -rw-r--r-- 1 clamav clamav    296388 Feb  5 18:04 bytecode.cvd
> -rw-r--r-- 1 clamav clamav  41321567 Feb  5 18:08 safebrowsing.cvd
> -rw-r--r-- 1 clamav clamav      9676 Feb  7 22:04 bofhland_phishing_URL.ndb
> -rw-r--r-- 1 clamav clamav       610 Feb  7 22:04 bofhland_malware_URL.ndb
> -rw-r--r-- 1 clamav clamav      3448 Feb  7 22:04 bofhland_cracked_URL.ndb
> -rw-r--r-- 1 clamav clamav       115 Feb  7 22:08 spear.ndb
> drwxr-xr-x 8 clamav clamav      4096 Feb  7 22:34 unofficial-dbs
> -rw-r--r-- 1 clamav clamav     19115 Feb 12 08:11 spamimg.hdb
> -rw-r--r-- 1 clamav clamav    225174 Feb 18 12:07 foxhole_filename.cdb
> -rw-r--r-- 1 clamav clamav    599208 Mar 13 21:05 MiscreantPunch099-Low.ldb
> -rw-r--r-- 1 clamav clamav   7497595 Apr 15 09:09 junk.ndb
> -rw-r--r-- 1 clamav clamav   1923685 Apr 16 09:08 scam.ndb
> -rw-r--r-- 1 clamav clamav     30265 Apr 16 22:04 malware.expert.hdb
> -rw-r--r-- 1 clamav clamav     92255 Apr 20 15:17 badmacro.ndb
> -rw-r--r-- 1 clamav clamav    122409 Apr 21 16:09 rogue.hdb
> -rw-r--r-- 1 clamav clamav   4124800 Apr 21 19:09 phish.ndb
> -rw-r--r-- 1 clamav clamav      6790 Apr 21 19:09 shelter.ldb
> -rw-r--r-- 1 clamav clamav   1297721 Apr 21 20:09 jurlbl.ndb
> -rw-r--r-- 1 clamav clamav    652822 Apr 21 22:00 porcupine.ndb
> -rw-r--r-- 1 clamav clamav     31557 Apr 21 22:00 porcupine.hsb
> -rw-r--r-- 1 clamav clamav   2018412 Apr 21 22:00 phishtank.ndb
> -rw-r--r-- 1 clamav clamav    161140 Apr 21 22:09 jurlbla.ndb
> -rw-r--r-- 1 clamav clamav    185036 Apr 21 22:09 blurl.ndb
> -rw-r--r-- 1 clamav clamav 190392832 Apr 22 16:28 daily.cld
> 
> I suggest you run
> 
> apt-get install clamav-docs
> 
> and then do some more reading.  Also read all the documentation on the
> ClamAV Website and all the posts to this mailing list for at least the
> past year.  That might sound onerous, but I can assure you that you
> will learn a great deal about ClamAV from that.
> 

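As an added example (not code from this thread or from the ClamAV project), here is a minimal Python client for the two request styles the reply describes: asking clamd to scan a path it can see on its own host, or streaming the bytes to a remote clamd over TCP with INSTREAM, which is what the bastion-host layout above needs because clamd on the bastion cannot read files that live on the web servers. The host address 10.0.0.1 is a placeholder and port 3310 is clamd's conventional TCPSocket value; both are assumptions.

```python
import socket
import struct
from typing import Iterator, Optional, Tuple

CHUNK = 8192  # stream chunk size; the whole stream must stay under clamd's StreamMaxLength

def path_request(path: str, command: str = "SCAN") -> bytes:
    """Ask clamd to scan a path on the daemon's own host. Useless against a
    bastion clamd for files that live on the web servers; use INSTREAM there."""
    return f"z{command} {path}\0".encode()

def instream_frames(data: bytes, chunk: int = CHUNK) -> Iterator[bytes]:
    """Yield the wire bytes of an INSTREAM request: 'zINSTREAM\\0', then
    chunks prefixed with a 4-byte big-endian length, then a zero-length chunk."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        yield struct.pack(">I", len(part)) + part
    yield struct.pack(">I", 0)  # zero-length chunk ends the stream

def parse_reply(raw: bytes) -> Tuple[str, str, Optional[str]]:
    """Turn 'name: [detail ]STATUS\\0' into (name, status, detail).
    STATUS is OK, FOUND (detail = signature name) or ERROR (detail = message)."""
    line = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    name, _, verdict = line.rpartition(": ")
    for status in ("FOUND", "ERROR"):
        if verdict.endswith(" " + status):
            return name, status, verdict[: -len(status) - 1]
    return name, verdict, None

def scan_bytes(data: bytes, host: str = "10.0.0.1", port: int = 3310) -> Tuple[str, str, Optional[str]]:
    """Stream `data` to a remote clamd and return the parsed verdict.
    Hypothetical bastion address; 3310 is clamd's conventional TCPSocket port."""
    with socket.create_connection((host, port), timeout=30) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands get NUL-terminated replies
            buf = sock.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)
```

Acting on a FOUND verdict (quarantine, alerting via syslog) is left to the caller, in keeping with the reply's point that deleting or moving a flagged file automatically is unwise until a false positive has been ruled out.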
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
