Stop the clamd scanning service:
service clamd@scan stop
clamscan is the standalone scanner; clamdscan hands the request to the clamd daemon, which runs the scan on its behalf. The two can give slightly different results.
Logging is horrible. Clamd by default writes to a logfile, but apparently doesn't log when a scan actually runs or what its result was, unless that scan finds something.
See salt/fileroots/internal_splunk_forwarder/files/TA-clamav/default/inputs.conf for the log locations Splunk is looking for.
See also: AV-Exceptions in our GitHub
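Because clamd only records scans that find something, one way to get a log line for every run is to invoke clamdscan through a small wrapper that turns its exit code into a key=value record the Splunk forwarder can pick up. The script below is an added example, not part of these notes or of the ClamAV project; it assumes clamdscan is on PATH (override with CLAMDSCAN) and that the log path in SCAN_LOG is writable by whoever runs the scan.

```shell
#!/bin/sh
# Added example (not from the original notes): wrap clamdscan so that every
# run leaves one structured log line, whether or not anything was found.
# Assumptions: clamdscan is on PATH (override with CLAMDSCAN for testing) and
# SCAN_LOG is writable by the user running the scan.

CLAMDSCAN=${CLAMDSCAN:-clamdscan}
SCAN_LOG=${SCAN_LOG:-/var/log/clamav/scan-results.log}

# Map the documented clamdscan exit codes to a status word:
#   0 = nothing found, 1 = threat found, 2 = error (e.g. clamd socket unreachable)
status_for_rc() {
  case $1 in
    0) echo CLEAN ;;
    1) echo INFECTED ;;
    *) echo ERROR ;;
  esac
}

# scan_and_log TARGET
# Runs clamdscan on TARGET and appends a key=value line to SCAN_LOG.
# Always returns 0 so callers under 'set -e' are not aborted; the real
# clamdscan exit code is kept in the rc= field.
scan_and_log() {
  target=$1
  # --fdpass hands clamd an open descriptor, so the clamav user does not need
  # read permission on the target itself. The 'if' keeps a non-zero exit
  # from tripping errexit.
  if out=$("$CLAMDSCAN" --fdpass --no-summary "$target" 2>&1); then
    rc=0
  else
    rc=$?
  fi
  status=$(status_for_rc "$rc")
  # Keep only the first line of scanner output (the FOUND line or the error).
  detail=$(printf '%s' "$out" | head -n 1 | tr -d '\r\n')
  printf '%s host=%s target=%s rc=%s status=%s detail="%s"\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname 2>/dev/null || echo unknown)" \
    "$target" "$rc" "$status" "$detail" >> "$SCAN_LOG"
  return 0
}

# Usage: SCAN_LOG=/var/log/clamav/scan-results.log ./clamwrap.sh /srv/uploads
[ "$#" -gt 0 ] && scan_and_log "$1"
```

Point the TA-clamav inputs.conf at SCAN_LOG and every run shows up in Splunk as a CLEAN, INFECTED or ERROR event, so a clamd that is down (rc=2) is visible rather than silent.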
Jul 15 18:46:46 vmray-server.pvt.xdr.accenturefederalcyber.com clamd[428814]: Fri Jul 15 18:46:46 2022 -> !LOCAL: Socket file /var/run/clamav/clamd.ctl could not be bound: Permission denied
(Note: the path may have been /var/run/clam.d or something else.)
Fixed via:
sudo apt purge clamav-base clamav-daemon clamav-docs clamav-freshclam clamav clamdscan libclamav9
sudo userdel --remove clamav
sudo groupdel clamav
sudo rm -rf /var/log/clamav
sudo rm -rf /var/lib/clamav
sudo rm -rf /var/run/clamd.scan
sudo rm -rf /var/run/{clamav,clamd.scan}
sudo groupadd --system clamav
sudo useradd --home-dir /var/lib/clamav --inactive -1 -g clamav --no-create-home --no-user-group --system --shell /bin/false clamav
sudo apt install clamav-base clamav-daemon clamav-docs clamav-freshclam clamav clamdscan libclamav9
and then rerun the salt state:
salt vmray\* state.sls clam --output-diff
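The "could not be bound: Permission denied" error above comes from clamd being unable to create its socket in the runtime directory, and the purge/reinstall fixes it by recreating the clamav user and the directories. A cheap preflight to run before starting clamd@scan (or from the salt state) is to confirm the socket directory exists, is owned by the service user and is writable by that owner. The function below is an added example, not from these notes or from ClamAV; the directory path and user are passed in because the notes show the path differed between hosts.

```shell
#!/bin/sh
# Added example (not part of the original notes): preflight check for the
# directory that holds the clamd socket. A missing directory, a wrong owner
# or a missing owner-write bit is one way to get
# "Socket file ... could not be bound: Permission denied".
# Assumptions: DIR is the socket directory from clamd.conf's LocalSocket
# (e.g. /var/run/clamav) and USER is the daemon's user (normally clamav).

# check_clamd_socket_dir DIR USER
# Prints a one-line diagnosis. Returns 0 when DIR exists, is a directory,
# is owned by USER and USER has write permission on it; returns 1 otherwise.
check_clamd_socket_dir() {
  dir=$1
  user=$2
  if [ ! -d "$dir" ]; then
    echo "missing: $dir does not exist, clamd cannot create its socket there"
    return 1
  fi
  # Portable owner/mode lookup: 'ls -ld' prints mode in field 1 and owner in
  # field 3 on both GNU and BSD userland. Positional parameters are local to
  # the function, so 'set --' does not clobber the caller's arguments.
  set -- $(ls -ld "$dir")
  perms=$1
  owner=$3
  if [ "$owner" != "$user" ]; then
    echo "owner mismatch: $dir is owned by $owner, expected $user"
    return 1
  fi
  case $perms in
    d?w*) ;;   # third mode character is the owner write bit
    *) echo "not writable: $dir mode $perms has no owner write bit"; return 1 ;;
  esac
  echo "ok: $dir owned by $user and writable"
  return 0
}

# Usage: ./check-clamd-dir.sh /var/run/clamav clamav; exit status 1 means fix
# ownership/permissions (or recreate the user and directory) before starting clamd.
[ "$#" -eq 2 ] && check_clamd_socket_dir "$1" "$2"
```

Running this before `service clamd@scan start` turns a silent bind failure in the clamd log into an explicit, actionable message at deploy time.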