Thanks Paul for the clarification,

There is a misunderstanding: initially our developers are using "clamscan -" 
to scan the streamed data in the upload form of the app. As I mentioned 
earlier, clamscan has to load the entire virus database and initialize the 
scanning engine from scratch on every call, and you are right that clamdscan 
is faster, but in order to use clamdscan you need to have clamd running. In 
my env, as RHEL 8, the daemon runs through a service. What I am trying to 
avoid is:

- The clamd process is consuming resources while running and allocating a usage 
of memory and CPU

I found out that I can do a remote scan using clamdscan while the daemon is 
running on a remote server dedicated for this purpose, but unfortunately the 
data streamed over the remote socket is not protected.

Is there a way to run the clamd service while limiting and throttling its 
usage? I was trying to set a CPU and memory limit under the systemd service but 
it did not work as expected.

I am looking for a configuration where clamd is using less resources when idle.

Thanks a lot,



________________________________
From: Paul Silvestri <psilvest...@gmail.com>
Sent: Friday, July 5, 2024 5:10 PM
To: Paul Kosinski <clamav-us...@iment.com>; Matus UHLAR - fantomas via 
clamav-users <clamav-users@lists.clamav.net>; Khodor Barakat 
<khodor.bara...@outlook.com>
Subject: Re: [clamav-users] Inquiry About Security Measures for Remote Scanning 
Using Clamdscan

It shouldn't be doing that. You sound like you have the wrong configuration 
option for the clamscan npm package.

You need to be using the clamdscan configuration option. It sounds like you're 
using the clamscan option.

Clamdscan uses the already running Daemon (only loads the database once). 
Clamscan loads the database every single time.

Go read through the docs where it shows you all the options on the npm README.

Let me know if that's not the issue.
On Jul 5, 2024, 5:01 PM -0400, Khodor Barakat <khodor.bara...@outlook.com>, 
wrote:
Thanks for sharing this,

I am currently using clamscan within my app, but the problem is that clamscan 
has to load the entire virus database and initialize the scanning engine from 
scratch.

Scanning a file of a few KB took what a MB file would need for scanning, around 
20 to 30s
________________________________
From: Paul Silvestri <psilvest...@gmail.com>
Sent: Friday, July 5, 2024 4:54 PM
To: Paul Kosinski <clamav-us...@iment.com>; Matus UHLAR - fantomas via 
clamav-users <clamav-users@lists.clamav.net>; Matus UHLAR - fantomas via 
clamav-users <clamav-users@lists.clamav.net>
Cc: Khodor Barakat <khodor.bara...@outlook.com>
Subject: Re: [clamav-users] Inquiry About Security Measures for Remote Scanning 
Using Clamdscan

If I'm understanding your use case correctly you may want to use this tool:

https://www.npmjs.com/package/clamscan

Create an express app and run the daemon locally on the same server. The 
express app is essentially a glorified local proxy.
On Jul 5, 2024, 4:46 PM -0400, Khodor Barakat via clamav-users 
<clamav-users@lists.clamav.net>, wrote:
Thanks Paul,

This was something I was looking into, like building an SSH tunnel, but it is 
a burden, as a tunnel failure would break the entire process.

I might reconsider running clamdscan locally while tuning the config and using 
systemd unit param to limit the resources used by clamdscan service

________________________________
From: Paul Kosinski <clamav-us...@iment.com>
Sent: Friday, July 5, 2024 4:29 PM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>; Khodor 
Barakat <khodor.bara...@outlook.com>
Subject: Re: [clamav-users] Inquiry About Security Measures for Remote Scanning 
Using Clamdscan

I don't think there is anything builtin to clamd, but you might consider 
setting up a secure tunnel(s) from the client machine(s) to the scanning 
machine.

For example, each client machine has a little daemon that listens on a UNIX 
socket and is connected securely (SSH, OpenVPN etc.) to the scanning machine. 
That machine has a (daemon) listener on the agreed upon port which forwards the 
(decrypted) traffic to clamd's local UNIX socket. (The responses must be sent 
back, of course.)

This obviously adds some overhead, but so would a similar function builtin to 
clamd.


On Fri, 5 Jul 2024 19:32:01 +0000
Khodor Barakat via clamav-users <clamav-users@lists.clamav.net> wrote:

> Has anyone encountered this? I can see the transfer is not encrypted and 
> secure when doing a remote scan.
>
> I captured the packet on the remote server and I can see the data as clear 
> text.
>
>
>  [Timestamps]
>         [Time since first frame in this TCP stream: 0.000209756 seconds]
>         [Time since previous frame in this TCP stream: 0.000037349 seconds]
>     TCP payload (28 bytes)
> Data (28 bytes)
>
> 0000  00 00 00 14 74 68 69 73 20 69 73 20 61 20 74 65   ....this is a te
> 0010  73 74 20 66 69 6c 65 0a 00 00 00 00               st file.....
>     Data: 0000001474686973206973206120746573742066696c650a...
>     [Length: 28]
>
>
> ________________________________
> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of 
> Khodor Barakat via clamav-users <clamav-users@lists.clamav.net>
> Sent: Tuesday, July 2, 2024 4:03 PM
> To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
> Cc: Khodor Barakat <khodor.bara...@outlook.com>
> Subject: [clamav-users] Inquiry About Security Measures for Remote Scanning 
> Using Clamdscan
>
> Hi, everyone
>
> I am writing to inquire about the security measures implemented when using 
> ClamAV's clamdscan for remote scanning, particularly when streaming to port 
> 3310.
>
> clamdscan -c /etc/clamd.d/remote-scan.conf --fdpass --stream /tmp/testfile.txt
>
> cat /etc/clamd.d/remote-scan.conf
> LogSyslog yes
> StreamMaxLength 10M
> User clamscan
> TCPSocket 3310
> TCPAddr 192.168.1.100
>
>
> Does anyone have information on the security protocols and safeguards in 
> place in order to protect data during remote scans?
>
> Thank you for your assistance
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
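
The 28-byte payload quoted in the thread follows clamd's INSTREAM framing (a 4-byte big-endian length before each chunk, a zero-length chunk to end the stream), which is why the scanned file is readable on the wire. The decoder below is an added example, not part of the original thread or of ClamAV; its function names are hypothetical and the payload is rebuilt from the hex dump above. Run against a capture taken after a tunnel is in place, it shows whether file content is still exposed.

```python
import struct

# Constructed from the hex dump quoted in the thread: the 28-byte TCP payload
# that the remote scan sent to the clamd TCP socket.
CAPTURED_PAYLOAD = bytes.fromhex(
    "00000014" "74686973206973206120746573742066696c650a" "00000000"
)


def parse_instream_chunks(payload):
    """Split an INSTREAM byte stream into its chunks.

    Each chunk is a 4-byte big-endian length followed by that many bytes;
    a zero-length chunk ends the stream. Returns (chunks, terminated,
    leftover), where leftover holds the bytes of an incomplete trailing
    chunk so the caller can prepend them to the next TCP segment.
    """
    chunks, offset = [], 0
    while offset + 4 <= len(payload):
        (length,) = struct.unpack_from(">I", payload, offset)
        if length == 0:
            return chunks, True, payload[offset + 4:]
        end = offset + 4 + length
        if end > len(payload):
            break  # chunk continues in a later TCP segment
        chunks.append(payload[offset + 4:end])
        offset = end
    return chunks, False, payload[offset:]


def recover_stream(segments):
    """Reassemble scanned content from successive TCP payloads of one scan."""
    data, pending = bytearray(), b""
    for segment in segments:
        chunks, terminated, pending = parse_instream_chunks(pending + segment)
        for chunk in chunks:
            data += chunk
        if terminated:
            return bytes(data), True
    return bytes(data), False  # capture ended before the zero-length chunk


if __name__ == "__main__":
    content, complete = recover_stream([CAPTURED_PAYLOAD])
    print(f"complete={complete} content={content!r}")
```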