Hi there,

On Tue, 24 Nov 2020, Will Watters via clamav-users wrote:

> I have a number of questions regarding usage of ClamAV to investigate to ensure it meets our security, alerting and incident requirements for use in our AMI builds, and greatly appreciate feedback on this:
>
> * How are virus definitions applied?
> * Is Internet access required to receive updates?
> * How is the lifecycle of the AMI managed for AV / Malware?
> * How are detected events received and where are they sent?
> * Is there a list of OS that it covers?
ClamAV is more along the lines of a toolkit than a turnkey product, and in that context I don't understand some of your questions.

The way it generally works is: you create a set of databases which contain a variety of ways of recognizing malicious and unwanted data, then you start a scanner process which reads the databases, and finally you pass data to the scanner. There are various ways to do that. When a data stream (or file, email, whatever) is found to contain something which matches something in the database, the scanner emits a message and can, for example, also run a script which you have previously defined. The messages can be passed to the controlling process in various ways. It is up to you what you do if ClamAV detects something, and also how you maintain the databases.

There are tools provided which will perform scheduled automatic updates over the Internet, but this is by no means mandatory. There are 'official' databases and also some 'third-party' databases which, in addition to viruses, target spam, phishing etc.

ClamAV is used in different ways by different people. For example, I use it primarily as a mail filter. Others may use it to screen data uploaded by untrusted sources. Some people routinely scan filesystems with it, although I can't say that I'd recommend that in most cases.

The source code for ClamAV is freely available; you can compile it for most operating systems, but its features are not all available on every operating system.

There are archives of this mailing list, and there is documentation at https://www.clamav.net/documents/clam-antivirus-user-manual. Perhaps if you spend some time with it you will be able to answer many of your own questions. Please feel free to get back to us if you have more specific questions. If you can give us some details about your requirements we might be able to explain if ClamAV might fit, or not.

--
73, Ged.
_______________________________________________
clamav-users mailing list
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
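The "pass data to the scanner" and "the scanner emits a message" steps that Ged describes, shown as an added Python example that is not part of this thread or of the ClamAV project's own code. It frames a buffer for clamd's INSTREAM command (the clamd protocol: a null-terminated command, then chunks each prefixed by a 4-byte big-endian length, then a zero-length chunk) and parses the reply line into a structured result that a controlling process can route to its own alerting. The Unix socket path is an assumption (it must match LocalSocket in your clamd.conf); the EICAR test string is the standard harmless antivirus test file, used here as constructed sample input, and the signature name in the comments is only an illustration of the reply shape.

```python
import socket
import struct

# Constructed sample input: the industry-standard EICAR test string. It is not
# malware, but any scanner loading the official ClamAV database reports it as FOUND.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption: Debian/Ubuntu default socket path; set to your clamd.conf LocalSocket.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


def build_instream_frames(data: bytes, chunk_size: int = 4096) -> bytes:
    """Encode data for clamd's INSTREAM command.

    Wire format: b"zINSTREAM\\0", then for each chunk a 4-byte big-endian
    length followed by the bytes, then a 4-byte zero length as terminator.
    """
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk ends the stream
    return bytes(out)


def parse_scan_response(line: str) -> dict:
    """Parse one clamd reply line into a dict the caller can act on.

    clamd replies take one of three shapes:
      '<target>: OK'
      '<target>: <signature-name> FOUND'   e.g. 'stream: Win.Test.EICAR_HDB-1 FOUND'
      '<target>: <message> ERROR'          e.g. 'stream: INSTREAM size limit exceeded. ERROR'
    With the 'z' command prefix the reply is NUL-terminated, so strip that too.
    """
    line = line.rstrip("\0\r\n")
    target, sep, rest = line.partition(": ")
    if not sep:
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    if rest == "OK":
        return {"target": target, "status": "OK", "detail": None}
    for verdict in ("FOUND", "ERROR"):
        suffix = " " + verdict
        if rest.endswith(suffix):
            return {"target": target, "status": verdict, "detail": rest[: -len(suffix)]}
    raise ValueError(f"unrecognised clamd verdict: {line!r}")


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> dict:
    """Stream data to a running clamd over its Unix socket and return the parsed verdict.

    The caller decides what to do with a FOUND result (log it, page someone,
    quarantine the object); clamd itself only reports.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_instream_frames(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_scan_response(reply.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Requires a running clamd with a loaded database; expected status: FOUND.
    print(scan_bytes(EICAR))
```

A scan that returns ERROR (for example when the stream exceeds clamd's StreamMaxLength) is not a clean result and should be treated as "unscanned", not as OK, in whatever pipeline consumes these verdicts.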
