Sorry if I'm misunderstanding, but I think the best situation for you is the 
following:

Server A is running your production application. Server B has two services 
running: an express application that can securely handle traffic (npm module) 
and the clamdscan daemon. Server A sends the file to Server B's express 
application. The express application on Server B forwards the stream to the 
daemon running on Server B, localhost:XXX to localhost:YYY (not over the public 
internet). You now have a remote anti-virus scanner, Server B, that securely 
handles traffic.

Is that what you're looking to do?

On Jul 6, 2024, 4:55 PM -0400, Khodor Barakat <khodor.bara...@outlook.com>, 
wrote:
> Thanks Paul for the clarification,
>
> There is a misunderstanding. Initially our developers are using "clamscan 
> -" to scan the streamed data in the upload form of the app. As I mentioned 
> earlier, clamscan has to load the entire virus database and initialize the 
> scanning engine from scratch on every call, and you are right that clamdscan 
> is faster, but in order to use clamdscan you need to have clamd 
> running. In my environment, RHEL 8, the daemon runs through a service. What 
> I am trying to avoid is:
>
> - The clamd process consumes resources while running, allocating memory and 
> CPU.
>
> I found out that I can do a remote scan using clamdscan while the daemon is 
> running on a remote server dedicated to this purpose, but unfortunately the 
> data streamed over the remote socket is not protected.
>
> Is there a way to run the clamd service while limiting and throttling its 
> usage? I was trying to set a CPU and memory limit under the systemd service, 
> but it did not work as expected.
>
> I am looking for a configuration where clamd uses fewer resources when 
> idle.
>
> Thanks a lot,
>
>
>
> From: Paul Silvestri <psilvest...@gmail.com>
> Sent: Friday, July 5, 2024 5:10 PM
> To: Paul Kosinski <clamav-us...@iment.com>; Matus UHLAR - fantomas via 
> clamav-users <clamav-users@lists.clamav.net>; Khodor Barakat 
> <khodor.bara...@outlook.com>
> Subject: Re: [clamav-users] Inquiry About Security Measures for Remote 
> Scanning Using Clamdscan
>
> It shouldn't be doing that. You sound like you have the wrong configuration 
> option for clamscan npm package.
>
> You need to be using the clamdscan configuration option. It sounds like 
> you're using the clamscan option.
>
> Clamdscan uses the already running Daemon (only loads the database once). 
> Clamscan loads the database every single time.
>
> Go read through the docs where it shows you all the options on the npm README.
>
> Let me know if that's not the issue.
> On Jul 5, 2024, 5:01 PM -0400, Khodor Barakat <khodor.bara...@outlook.com>, 
> wrote:
> > Thanks for sharing this,
> >
> > I am currently using clamscan within my app, but the problem is that 
> > clamscan has to load the entire virus database and initialize the scanning 
> > engine from scratch.
> >
> > Scanning a file of a few KB took what an MB file would need for scanning, 
> > around 20 to 30s.
> >
> > From: Paul Silvestri <psilvest...@gmail.com>
> > Sent: Friday, July 5, 2024 4:54 PM
> > To: Paul Kosinski <clamav-us...@iment.com>; Matus UHLAR - fantomas via 
> > clamav-users <clamav-users@lists.clamav.net>; Matus UHLAR - fantomas via 
> > clamav-users <clamav-users@lists.clamav.net>
> > Cc: Khodor Barakat <khodor.bara...@outlook.com>
> > Subject: Re: [clamav-users] Inquiry About Security Measures for Remote 
> > Scanning Using Clamdscan
> >
> > If I'm understanding your use case correctly you may want to use this tool:
> >
> > https://www.npmjs.com/package/clamscan
> >
> > Create an express app and run the daemon locally on the same server. The 
> > express app is essentially a glorified local proxy.
> > On Jul 5, 2024, 4:46 PM -0400, Khodor Barakat via clamav-users 
> > <clamav-users@lists.clamav.net>, wrote:
> > > Thanks Paul,
> > >
> > > This was something I was looking into, like building an SSH tunnel, but 
> > > it is a burden, as a tunnel failure would break the entire process.
> > >
> > > I might reconsider running clamdscan locally while tuning the config and 
> > > using systemd unit params to limit the resources used by the clamdscan 
> > > service.
> > >
> > > From: Paul Kosinski <clamav-us...@iment.com>
> > > Sent: Friday, July 5, 2024 4:29 PM
> > > To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>; Khodor 
> > > Barakat <khodor.bara...@outlook.com>
> > > Subject: Re: [clamav-users] Inquiry About Security Measures for Remote 
> > > Scanning Using Clamdscan
> > >
> > > I don't think there is anything builtin to clamd, but you might consider 
> > > setting up a secure tunnel(s) from the client machine(s) to the scanning 
> > > machine.
> > >
> > > For example, each client machine has a little daemon that listens on a 
> > > UNIX socket and is connected securely (SSH, OpenVPN etc.) to the scanning 
> > > machine. That machine has a (daemon) listener on the agreed upon port 
> > > which forwards the (decrypted) traffic to clamd's local UNIX socket. (The 
> > > responses must be sent back, of course.)
> > >
> > > This obviously adds some overhead, but so would a similar function 
> > > builtin to clamd.
> > >
> > >
> > > On Fri, 5 Jul 2024 19:32:01 +0000
> > > Khodor Barakat via clamav-users <clamav-users@lists.clamav.net> wrote:
> > >
> > > > > Has anyone encountered this? I can see the transfer is not encrypted 
> > > > > and secure when doing a remote scan.
> > > > >
> > > > > I captured the packet on the remote server and I can see the data as 
> > > > > clear text:
> > > >
> > > >
> > > >  [Timestamps]
> > > >         [Time since first frame in this TCP stream: 0.000209756 seconds]
> > > > >         [Time since previous frame in this TCP stream: 0.000037349 seconds]
> > > >     TCP payload (28 bytes)
> > > > Data (28 bytes)
> > > >
> > > > 0000  00 00 00 14 74 68 69 73 20 69 73 20 61 20 74 65   ....this is a te
> > > > 0010  73 74 20 66 69 6c 65 0a 00 00 00 00               st file.....
> > > >     Data: 0000001474686973206973206120746573742066696c650a...
> > > >     [Length: 28]
> > > >
> > > >
> > > > ________________________________
> > > > From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of 
> > > > Khodor Barakat via clamav-users <clamav-users@lists.clamav.net>
> > > > Sent: Tuesday, July 2, 2024 4:03 PM
> > > > To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
> > > > Cc: Khodor Barakat <khodor.bara...@outlook.com>
> > > > Subject: [clamav-users] Inquiry About Security Measures for Remote 
> > > > Scanning Using Clamdscan
> > > >
> > > > Hi, everyone
> > > >
> > > > I am writing to inquire about the security measures implemented when 
> > > > using ClamAV's clamdscan for remote scanning, particularly when 
> > > > streaming to port 3310.
> > > >
> > > > > clamdscan -c /etc/clamd.d/remote-scan.conf --fdpass --stream /tmp/testfile.txt
> > > >
> > > > cat /etc/clamd.d/remote-scan.conf
> > > > LogSyslog yes
> > > > StreamMaxLength 10M
> > > > User clamscan
> > > > TCPSocket 3310
> > > > TCPAddr 192.168.1.100
> > > >
> > > >
> > > > Does anyone have information on the security protocols and safeguards 
> > > > in place in order to protect data during remote scans?
> > > >
> > > > Thank you for your assistance
> > > _______________________________________________
> > >
> > > Manage your clamav-users mailing list subscription / unsubscribe:
> > > https://lists.clamav.net/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/Cisco-Talos/clamav-documentation
> > >
> > > https://docs.clamav.net/#mailing-lists-and-chat
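
Added example, not code from any poster in this thread or from the ClamAV project: the length-prefixed chunk framing visible in the packet capture quoted above, and a TLS listener that relays to a clamd reachable only on loopback, in the spirit of the tunnel and local-proxy suggestions. The function names, the listen port and the choice of mutual TLS are assumptions; `zINSTREAM` with 4-byte big-endian chunk lengths is clamd's stream-scan command.

```javascript
// Added example; names, ports and the mutual-TLS policy are assumptions.
// Frame data for clamd's INSTREAM command: each chunk is a 4-byte big-endian
// length followed by that many bytes; a zero-length chunk ends the stream.
function frameInstream(data, chunkSize = 64 * 1024) {
  const parts = [Buffer.from('zINSTREAM\0')];
  for (let off = 0; off < data.length; off += chunkSize) {
    const chunk = data.subarray(off, off + chunkSize);
    const len = Buffer.alloc(4);
    len.writeUInt32BE(chunk.length);
    parts.push(len, chunk);
  }
  parts.push(Buffer.alloc(4)); // terminator
  return Buffer.concat(parts);
}

// Reassemble the file bytes from length-prefixed chunks, as any observer of
// the cleartext TCP stream can.
function readChunks(payload) {
  const chunks = [];
  for (let off = 0; off + 4 <= payload.length;) {
    const len = payload.readUInt32BE(off);
    if (len === 0) break;
    if (off + 4 + len > payload.length) throw new RangeError('truncated chunk');
    chunks.push(payload.subarray(off + 4, off + 4 + len));
    off += 4 + len;
  }
  return Buffer.concat(chunks);
}

// The 28-byte TCP payload shown in the capture in this thread.
const CAPTURED = Buffer.from(
  '0000001474686973206973206120746573742066696c650a00000000', 'hex');

// TLS listener on the scanning host that relays decrypted bytes to clamd on
// loopback. Client certificates are required because clamd itself does not
// authenticate whoever reaches its socket.
async function startTlsFrontEnd({ key, cert, ca, listenPort, clamdPort = 3310 }) {
  const tls = await import('node:tls');
  const net = await import('node:net');
  const opts = { key, cert, ca, requestCert: true, rejectUnauthorized: true,
                 minVersion: 'TLSv1.2' };
  const server = tls.createServer(opts, (client) => {
    const clamd = net.connect({ host: '127.0.0.1', port: clamdPort });
    client.pipe(clamd).pipe(client);
    const close = () => { client.destroy(); clamd.destroy(); };
    client.on('error', close); clamd.on('error', close);
  });
  return new Promise((resolve) => server.listen(listenPort, () => resolve(server)));
}
```

On the application server the client would open the connection with `tls.connect` and write `frameInstream(fileBytes)`; on the scanning host, `TCPAddr` would be set to 127.0.0.1 so port 3310 is not reachable directly.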