# ClamAV Notes

Stop the clam scanning service:

`service clamd@scan stop`

# clamscan vs clamdscan

clamscan is the full scanner; clamdscan talks to the clam daemon, which runs scans on its behalf. These give slightly different results.

# Clamd stuff

## Logging

Logging is horrible. Clamd by default writes to a logfile, but apparently doesn't log when a scan actually runs or what its results were, unless that scan finds something.

See `salt/fileroots/internal_splunk_forwarder/files/TA-clamav/default/inputs.conf` for the locations Splunk is looking for.

## Exceptions and False Positives

See also: [AV-Exceptions in our Github](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/AV-Exceptions)
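
For the gap described under Logging (clamd records nothing for a scan that finds nothing), one option is a wrapper that writes a line for every clamdscan run, clean or not. This is an added example, not part of the original notes or the team's tooling; the `SCAN_LOG` path, the function names and the sample output are assumptions.

```shell
#!/usr/bin/env bash
# Added example: record one line per clamdscan run, clean or not.
# SCAN_LOG is an assumed path; point a log forwarder input at wherever you put it.
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/scan-results.log}"

# Turn clamdscan output (stdin) plus its exit code into one key=value line.
# clamdscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
summarize_scan() {
    local target="$1" rc="$2" status infected=0 sigs="" line
    case "$rc" in
        0) status=clean ;;
        1) status=infected ;;
        *) status=error ;;
    esac
    while IFS= read -r line; do
        case "$line" in
            *" FOUND")
                infected=$((infected + 1))
                line="${line% FOUND}"               # drop the trailing marker
                sigs="${sigs:+$sigs,}${line##*: }"  # keep only the signature name
                ;;
        esac
    done
    printf 'target="%s" status=%s exit_code=%s infected=%s signatures="%s"\n' \
        "$target" "$status" "$rc" "$infected" "$sigs"
}

# Run a scan through the daemon and append the summary line to SCAN_LOG.
run_logged_scan() {
    local target="$1" out rc
    out="$(clamdscan --fdpass --no-summary "$target" 2>&1)"
    rc=$?
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(printf '%s\n' "$out" | summarize_scan "$target" "$rc")" >> "$SCAN_LOG"
    return "$rc"
}

# Constructed sample output (not from a real scan), for trying the parser offline.
SAMPLE_OUTPUT='/srv/upload/report.pdf: OK
/srv/upload/eicar.com: Win.Test.EICAR_HDB-1 FOUND'
```

Calling `run_logged_scan /some/path` from cron or a systemd timer gives a record of when each scan ran and how it ended, including `status=error` runs that would otherwise look the same as no scan at all.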