# ClamAV Notes

Stop the clam scanning service:

```
service clamd@scan stop
```

# clamscan vs clamdscan

`clamscan` is the full standalone scanner; `clamdscan` talks to the clam daemon (`clamd`), which runs the scan on its behalf. The two give slightly different results.

# Clamd stuff

## Logging

Logging is horrible. Clamd by default writes to a logfile, but apparently does not log when a scan actually runs or what its result was unless that scan finds something.

See `salt/fileroots/internal_splunk_forwarder/files/TA-clamav/default/inputs.conf` for the log locations Splunk is looking for.

## Exceptions and False Positives

See also: [AV-Exceptions in our Github](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/AV-Exceptions)

## 2022-07-15 - ClamAV not running on Ubuntu systems

```
Jul 15 18:46:46 vmray-server.pvt.xdr.accenturefederalcyber.com clamd[428814]: Fri Jul 15 18:46:46 2022 -> !LOCAL: Socket file /var/run/clamav/clamd.ctl could not be bound: Permission denied
```

(Note: the path may have been `/var/run/clam.d` or something else.)

Fixed via:

```
sudo apt purge clamav-base clamav-daemon clamav-docs clamav-freshclam clamav clamdscan libclamav9
sudo userdel --remove clamav
sudo groupdel clamav
sudo rm -rf /var/log/clamav
sudo rm -rf /var/lib/clamav
sudo rm -rf /var/run/clamd.scan
sudo rm -rf /var/run/{clamav,clamd.scan}
sudo groupadd --system clamav
sudo useradd --home-dir /var/lib/clamav --inactive -1 -g clamav --no-create-home --no-user-group --system --shell /bin/false clamav
sudo apt install clamav-base clamav-daemon clamav-docs clamav-freshclam clamav clamdscan libclamav9
```

and then rerun the salt state:

```
salt vmray\* state.sls clam --output-diff
```
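A quick pre-restart check for the "Socket file ... could not be bound: Permission denied" failure above (added example, not part of these notes or of ClamAV itself): it reads the socket path from the `LocalSocket` directive in clamd.conf, so you do not have to guess whether it is `/var/run/clamav` or something else, and confirms the directory exists and is owned by the service account. The config path and account name are assumed to be passed as arguments.

```bash
#!/bin/sh
# Added example: verify that the directory holding clamd's control socket is
# owned by the clamd service account before (re)starting the daemon.

# Print the directory of the LocalSocket path configured in a clamd.conf.
# Returns 1 if the file has no LocalSocket directive.
socket_dir_from_conf() {
    conf=$1
    sock=$(awk '$1 == "LocalSocket" { print $2; exit }' "$conf")
    [ -n "$sock" ] || { echo "no LocalSocket directive in $conf" >&2; return 1; }
    dirname "$sock"
}

# Return 0 if DIR exists, is a directory and is owned by USER; otherwise report why.
check_socket_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "socket directory missing: $dir" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as a fallback
    owner=$(stat -c '%U' "$dir" 2>/dev/null || stat -f '%Su' "$dir")
    if [ "$owner" != "$user" ]; then
        echo "socket directory $dir is owned by '$owner', expected '$user'" >&2
        return 1
    fi
    echo "ok: $dir owned by $user"
    return 0
}

# Usage (assumed paths): sh check_clamd_socket.sh /etc/clamav/clamd.conf clamav
if [ "$#" -eq 2 ]; then
    dir=$(socket_dir_from_conf "$1") && check_socket_dir "$dir" "$2"
fi
```

If the check fails, fix the ownership (or recreate the account as in the purge/reinstall sequence above) before restarting clamd rather than after another failed start.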