Re: [clamav-users] ClamAV Server Agent
Yes, I would appreciate that.

Thanks,
Paul

P.S. When I copied you on yesterday's ClamAV posting, your mail server said:

: host mail.jubileegroup.co.uk[83.67.166.33] said: 550 5.7.1 Message rejected (in reply to end of DATA command)

On Thu, 23 Apr 2020 10:15:00 +0100 (BST) "G.W. Haywood via clamav-users" wrote:

> Hi there,
>
> On Wed, 22 Apr 2020, Paul Kosinski via clamav-users wrote:
>
> > Your list includes a number of databases I haven't seen before. Could
> > you provide a list of source sites that provide the DBs that you find
> > most useful?
>
> Sorry, I don't keep an organized list but I can privately let you have
> my copy of my unofficial database update script and the configuration,
> if that's any help. The script is based on Bill Landry's original
> from about a decade ago, although there are much more recent works.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] ClamAV Server Agent
Hi there,

On Wed, 22 Apr 2020, Paul Kosinski via clamav-users wrote:

> Your list includes a number of databases I haven't seen before. Could you provide a list of source sites that provide the DBs that you find most useful?

Sorry, I don't keep an organized list but I can privately let you have my copy of my unofficial database update script and the configuration, if that's any help. The script is based on Bill Landry's original from about a decade ago, although there are much more recent works.

--
73,
Ged.
Re: [clamav-users] ClamAV Server Agent
Hello Graeme,

This is a great deal of information, really appreciate this selfless help. I will read thru the docs as suggested by you.

clamav.conf was typo, I meant clamd.conf.

First 10 lines of my clamd.conf
---
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
---

DBs that I see in my system are here

ProdServer:/var/lib/clamav$ ll -h
total 477M
drwxr-xr-x 3 clamav clamav 4.0K Apr 23 00:12 ./
drwxr-xr-x 51 root root 4.0K Apr 17 22:24 ../
-rw-r--r-- 1 clamav clamav 1.4M Sep 19 2019 bytecode.cld
drwxr-xr-x 2 clamav clamav 4.0K Jun 2 2019 clamav-ee20a882503c9c919932e15af52f0da2.tmp/
-rw-r--r-- 1 clamav clamav 182M Apr 22 18:12 daily.cld
-rw-r--r-- 1 clamav clamav 294M Nov 26 03:25 main.cld
-rw--- 1 clamav clamav 256 Jan 9 06:28 mirrors.dat

Regards,
Karmendra

On Wed, Apr 22, 2020 at 11:15 PM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Wed, 22 Apr 2020, Karmendra Suthar via clamav-users wrote:
>
> > Actually I never had any antivirus on my linux web servers, but PCI
> > compliance forced me to install it on my servers. Now a bit of my CPU and
> > RAM is going into running the antivirus, not sure how much, but
> > definitely something is used up.
>
> If you have the clamd daemon running, and it is using the 'official'
> databases (which are normally configured by the installation scripts
> for most Linux distributions) then it will use about a gigabyte of
> memory in normal operation and practically no other resources until
> you require ClamAV to scan something. As has been mentioned you can
> ask ClamAV to scan something in several different ways, and you need
> to become familiar with them in order to use ClamAV effectively.
>
> > I have 3 ubuntu 18 servers running load balanced nginx webservers (all
> > these servers are on AWS), only ports like 80, 443, 22(ip restricted) are
> > open to these servers. I run OSSEC for intrusion detection in a server
> > agent model a 4th server is used as bastion server that runs ossec-server,
> > time-server etc and these 3 webservers uses this bastion server.
> > I wanted to manage the anti virus also from this bastion server.
>
> You could install clamd on the bastion server and configure it to
> listen on a TCP port for connections only from your other servers.
> Then you would only need to keep a single set of databases and you
> would only have to keep that single set of databases up to date.
> There is one issue which might not be covered in that case; if you
> wish to use on-access scanning then the last I heard from ClamAV's
> development team was that there are still some things to do to get
> a remote clamd to handle on-access scanning. I'm sure someone from
> Talos will chip in with a comment if there's still an issue there.
>
> > 1. When I am using freshclam what kind of threat I am getting
> > protection from?
>
> If I were going to install something like ClamAV, I would want to know
> the answer to that question before I installed it, not after. Before
> that I would want to know and in your case probably document carefully
> what threats my systems faced, and also what the likely results of a
> compromise might be. For example loss of earnings, lawsuits, people
> becoming homeless and/or starving to death, you being sent to prison,
> that kind of thing.
>
> ClamAV is a kind of tool kit, and it's up to you how you want to use
> it to make scans happen. It's also up to you what you want to do if
> something is reported as 'FOUND' by the scanning process. By default
> nothing else happens, and it would be most unwise (for example) simply
> to delete or move the offending object as you might have discovered
> a 'false positive' (a very common subject on this mailing list). To
> blithely move (or delete) system files, for example, on a Linux box is
> very dangerous for the system. It's better just to mount the system
> partition(s) read-only, so that nothing can mess with them unless the
> box is already hopelessly compromised.
>
> To be clear, 'freshclam' is the thing which updates your databases.
> The things which use the databases when scanning are usually clamd
> (which is the persistent daemon) and clamscan (which does _not_ use
> the daemon).
>
> The clamd daemon loads the databases into memory when it starts, and
> then waits for some process to ask it to scan things. The requesting
> process can be clamdscan, clamav-milter, some other milter such as one
> I
Re: [clamav-users] ClamAV Server Agent
On 2020-04-22 15:14, Graeme Fowler via clamav-users wrote:

> Additionally, if your PCI assessor is insistent on anti-virus apps being installed on web servers then they're not very good;

I agree with that. From what I understand about your situation, perhaps you are not looking for an antivirus such as ClamAV, but for a NIDS (e.g. Snort)?

bye
av.
Re: [clamav-users] ClamAV Server Agent
Your list includes a number of databases I haven't seen before. Could you provide a list of source sites that provide the DBs that you find most useful?

Thanks!

On Wed, 22 Apr 2020 18:43:47 +0100 (BST) "G.W. Haywood via clamav-users" wrote:

> Hi there,
>
> On Wed, 22 Apr 2020, Karmendra Suthar via clamav-users wrote:
>
> > Actually I never had any antivirus on my linux web servers, but PCI
> > compliance forced me to install it on my servers. Now a bit of my CPU and
> > RAM is going into running the antivirus, not sure how much, but
> > definitely something is used up.
>
> If you have the clamd daemon running, and it is using the 'official'
> databases (which are normally configured by the installation scripts
> for most Linux distributions) then it will use about a gigabyte of
> memory in normal operation and practically no other resources until
> you require ClamAV to scan something. As has been mentioned you can
> ask ClamAV to scan something in several different ways, and you need
> to become familiar with them in order to use ClamAV effectively.
>
> > I have 3 ubuntu 18 servers running load balanced nginx webservers (all
> > these servers are on AWS), only ports like 80, 443, 22(ip restricted) are
> > open to these servers. I run OSSEC for intrusion detection in a server
> > agent model a 4th server is used as bastion server that runs ossec-server,
> > time-server etc and these 3 webservers uses this bastion server.
> > I wanted to manage the anti virus also from this bastion server.
>
> You could install clamd on the bastion server and configure it to
> listen on a TCP port for connections only from your other servers.
> Then you would only need to keep a single set of databases and you
> would only have to keep that single set of databases up to date.
> There is one issue which might not be covered in that case; if you
> wish to use on-access scanning then the last I heard from ClamAV's
> development team was that there are still some things to do to get
> a remote clamd to handle on-access scanning. I'm sure someone from
> Talos will chip in with a comment if there's still an issue there.
>
> > 1. When I am using freshclam what kind of threat I am getting
> > protection from?
>
> If I were going to install something like ClamAV, I would want to know
> the answer to that question before I installed it, not after. Before
> that I would want to know and in your case probably document carefully
> what threats my systems faced, and also what the likely results of a
> compromise might be. For example loss of earnings, lawsuits, people
> becoming homeless and/or starving to death, you being sent to prison,
> that kind of thing.
>
> ClamAV is a kind of tool kit, and it's up to you how you want to use
> it to make scans happen. It's also up to you what you want to do if
> something is reported as 'FOUND' by the scanning process. By default
> nothing else happens, and it would be most unwise (for example) simply
> to delete or move the offending object as you might have discovered
> a 'false positive' (a very common subject on this mailing list). To
> blithely move (or delete) system files, for example, on a Linux box is
> very dangerous for the system. It's better just to mount the system
> partition(s) read-only, so that nothing can mess with them unless the
> box is already hopelessly compromised.
>
> To be clear, 'freshclam' is the thing which updates your databases.
> The things which use the databases when scanning are usually clamd
> (which is the persistent daemon) and clamscan (which does _not_ use
> the daemon).
>
> The clamd daemon loads the databases into memory when it starts, and
> then waits for some process to ask it to scan things. The requesting
> process can be clamdscan, clamav-milter, some other milter such as one
> I wrote for use here, or something else. When a process requests that
> something be scanned it can, depending on how things are configured,
> either give the location of a directory or a file to scan, or it can
> send the data to be scanned directly to the daemon via a socket.
>
> > (I do not know what other signature DB i can use for webserver. there
> > is no mails on these servers)
>
> Try searching, for example, for "ClamAV unofficial databases". It's
> up to you, since ClamAV is a tool kit, to configure which databases
> are to be used by ClamAV, and to ensure that they're kept up to date,
> and, for that matter, that they are appropriate to the tasks that you
> have decided that ClamAV is to do for you.
>
> > 2. You mentioned clamd scans TCP ports, my question is it by default scans
> > all data on all open ports or we need to configure it to do so.
>
> By default TCP ports are not used, and in any case no port scanning
> takes place - ClamAV is not like 'nmap', or 'metasploit', for example.
> TCP ports are only used for communication between a client, which asks
> for something to be scanned, and the server, which scans it.
Re: [clamav-users] ClamAV Server Agent
Hi there,

On Wed, 22 Apr 2020, Karmendra Suthar via clamav-users wrote:

> Actually I never had any antivirus on my linux web servers, but PCI compliance forced me to install it on my servers. Now a bit of my CPU and RAM is going into running the antivirus, not sure how much, but definitely something is used up.

If you have the clamd daemon running, and it is using the 'official' databases (which are normally configured by the installation scripts for most Linux distributions) then it will use about a gigabyte of memory in normal operation and practically no other resources until you require ClamAV to scan something. As has been mentioned you can ask ClamAV to scan something in several different ways, and you need to become familiar with them in order to use ClamAV effectively.

> I have 3 ubuntu 18 servers running load balanced nginx webservers (all these servers are on AWS), only ports like 80, 443, 22(ip restricted) are open to these servers. I run OSSEC for intrusion detection in a server agent model a 4th server is used as bastion server that runs ossec-server, time-server etc and these 3 webservers uses this bastion server.
> I wanted to manage the anti virus also from this bastion server.

You could install clamd on the bastion server and configure it to listen on a TCP port for connections only from your other servers. Then you would only need to keep a single set of databases and you would only have to keep that single set of databases up to date. There is one issue which might not be covered in that case; if you wish to use on-access scanning then the last I heard from ClamAV's development team was that there are still some things to do to get a remote clamd to handle on-access scanning. I'm sure someone from Talos will chip in with a comment if there's still an issue there.

> 1. When I am using freshclam what kind of threat I am getting protection from?

If I were going to install something like ClamAV, I would want to know the answer to that question before I installed it, not after. Before that I would want to know and in your case probably document carefully what threats my systems faced, and also what the likely results of a compromise might be. For example loss of earnings, lawsuits, people becoming homeless and/or starving to death, you being sent to prison, that kind of thing.

ClamAV is a kind of tool kit, and it's up to you how you want to use it to make scans happen. It's also up to you what you want to do if something is reported as 'FOUND' by the scanning process. By default nothing else happens, and it would be most unwise (for example) simply to delete or move the offending object as you might have discovered a 'false positive' (a very common subject on this mailing list). To blithely move (or delete) system files, for example, on a Linux box is very dangerous for the system. It's better just to mount the system partition(s) read-only, so that nothing can mess with them unless the box is already hopelessly compromised.

To be clear, 'freshclam' is the thing which updates your databases. The things which use the databases when scanning are usually clamd (which is the persistent daemon) and clamscan (which does _not_ use the daemon).

The clamd daemon loads the databases into memory when it starts, and then waits for some process to ask it to scan things. The requesting process can be clamdscan, clamav-milter, some other milter such as one I wrote for use here, or something else. When a process requests that something be scanned it can, depending on how things are configured, either give the location of a directory or a file to scan, or it can send the data to be scanned directly to the daemon via a socket.

> (I do not know what other signature DB i can use for webserver. there is no mails on these servers)

Try searching, for example, for "ClamAV unofficial databases". It's up to you, since ClamAV is a tool kit, to configure which databases are to be used by ClamAV, and to ensure that they're kept up to date, and, for that matter, that they are appropriate to the tasks that you have decided that ClamAV is to do for you.

> 2. You mentioned clamd scans TCP ports, my question is it by default scans all data on all open ports or we need to configure it to do so.

By default TCP ports are not used, and in any case no port scanning takes place - ClamAV is not like 'nmap', or 'metasploit', for example. TCP ports are only used for communication between a client, which asks for something to be scanned, and the server, which scans it.

> 3. if clamav find something malicious, what does it do. is there a place I can see what it found and what it did with it, or can it notify me somehow?

Normally all that will happen is that you will be informed in some way. For example if you use a command-line tool from a terminal to do a scan, a report will be printed on the terminal. If you configure a daemon to use syslog, it will send messages to the log about things that it does.
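
Added example (not part of the original thread, and not ClamAV project code): a small Python client for the socket exchange described in the message above, where the requesting process sends the data to be scanned directly to the daemon and gets back an OK or 'FOUND' report. It uses clamd's INSTREAM command; the stub daemon, the marker string and the signature name Constructed.Test.Marker are constructed for the demonstration, and the host and port given to scan_bytes are assumptions about the deployment.

```python
"""Added example: clamd INSTREAM client, exercised against a constructed stub."""
import socket
import struct
import threading

CHUNK_SIZE = 8192  # bytes per frame; keep well below StreamMaxLength in clamd.conf


def instream_frames(data, chunk_size=CHUNK_SIZE):
    """Yield the frames of one INSTREAM request.

    Wire format: the NUL-terminated command, then chunks of
    <4-byte big-endian length><data>, ended by a zero-length chunk.
    """
    yield b"zINSTREAM\0"
    for start in range(0, len(data), chunk_size):
        part = data[start:start + chunk_size]
        yield struct.pack("!I", len(part)) + part
    yield struct.pack("!I", 0)


def parse_reply(raw):
    """Turn a clamd reply into (status, detail).

    status is "OK", "FOUND" (detail is the signature name) or "ERROR".
    """
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, sep, verdict = text.partition(": ")
    if not sep:  # replies such as "INSTREAM size limit exceeded. ERROR"
        verdict = text
    if verdict == "OK":
        return ("OK", None)
    for status in ("FOUND", "ERROR"):
        if verdict.endswith(" " + status):
            return (status, verdict[: -len(status) - 1])
    return ("ERROR", text)  # anything unrecognised is treated as a failure


def scan_stream(sock, data):
    """Send data over an already connected socket and return the parsed reply."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        got = sock.recv(4096)
        if not got:
            break
        reply += got
    return parse_reply(reply)


def scan_bytes(host, port, data, timeout=30.0):
    """Scan data on a remote clamd; host and port are deployment-specific."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return scan_stream(sock, data)


def _recv_exact(conn, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        got = conn.recv(n - len(buf))
        if not got:
            raise ConnectionError("peer closed mid-frame")
        buf += got
    return buf


def stub_clamd(conn, marker=b"CONSTRUCTED-TEST-MARKER"):
    """Constructed stand-in for clamd: understands one zINSTREAM request only."""
    with conn:
        _recv_exact(conn, len(b"zINSTREAM\0"))
        body = b""
        while True:
            (length,) = struct.unpack("!I", _recv_exact(conn, 4))
            if length == 0:
                break
            body += _recv_exact(conn, length)
        if marker in body:
            conn.sendall(b"stream: Constructed.Test.Marker FOUND\0")
        else:
            conn.sendall(b"stream: OK\0")


def demo():
    """Scan two constructed samples through the stub and return the verdicts."""
    samples = (b"<?php echo 'hello'; ?>",
               b"x" * 20000 + b"CONSTRUCTED-TEST-MARKER")
    results = []
    for sample in samples:
        client, server = socket.socketpair()
        worker = threading.Thread(target=stub_clamd, args=(server,))
        worker.start()
        with client:
            client.settimeout(5)
            results.append(scan_stream(client, sample))
        worker.join()
    return results


if __name__ == "__main__":
    print(demo())
```

clamd's socket protocol carries no authentication or encryption, so a TCP listener has to be reachable only from the servers meant to use it, as the message above says.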
Re: [clamav-users] ClamAV Server Agent
Hi,

Sorry, I think I didn't mention clearly, but these servers are actually dealing with payments, these webserver shows webpages where Card info is collected and then payments are processed and further client data is stored in DB with required encryption to be retrieved later for administration.

Well looks like for over a year now, I was just having clamav as a pet, that eats and sleeps and does nothing productive.

Well to be honest, I am unsure what I should ask clamav to scan or keep an eye on in a webserver running a php web application. If you have a clue, let me know.

Thanks for all your help.

Regards,
Karmendra

On Wed, Apr 22, 2020 at 6:44 PM Graeme Fowler wrote:

> You wrote
>
> > Sorry for sounding so naive and confused with this, I am actually
> > confused whether my clamav is working or not.
>
> If you haven't told it to do anything, then yes it's working but it's not
> actually doing anything.
>
> clamd is a daemon; you need to use the 'clamdscan' tool to ask it to scan
> things, or setup on-access scanning.
>
> http://www.clamav.net/documents/scanning
>
> Additionally, if your PCI assessor is insistent on anti-virus apps being
> installed on web servers then they're not very good; you should be able to
> argue that this is out-of-scope for the environment you're working in
> *unless* they have client-provided data flowing through them. If they're
> not in the payment path and the content is all static then they should be
> considered out of scope.
>
> Graeme
>
> From: clamav-users on behalf of Karmendra Suthar via clamav-users
> Reply to: ClamAV users ML
> Date: Wednesday, 22 April 2020 at 13:47
> To: ClamAV users ML
> Cc: Karmendra Suthar, "G.W. Haywood" <cla...@jubileegroup.co.uk>
> Subject: Re: [clamav-users] ClamAV Server Agent
>
> Hello,
>
> Thanks a lot for answering my query.
>
> Actually I never had any antivirus on my linux web servers, but PCI
> compliance forced me to install it on my servers. Now a bit of my CPU and
> RAM is going into running the antivirus, not sure how much, but
> definitely something is used up.
>
> Anyways, I will give my use case.
>
> I have 3 ubuntu 18 servers running load balanced nginx webservers (all
> these servers are on AWS), only ports like 80, 443, 22(ip restricted) are
> open to these servers. I run OSSEC for intrusion detection in a server
> agent model a 4th server is used as bastion server that runs ossec-server,
> time-server etc and these 3 webservers uses this bastion server.
>
> I wanted to manage the anti virus also from this bastion server.
>
> -
>
> I have few more questions:
>
> 1. When I am using freshclam what kind of threat I am getting protection
> from? (I do not know what other signature DB i can use for webserver. there
> is no mails on these servers)
>
> 2. You mentioned clamd scans TCP ports, my question is it by default scans
> all data on all open ports or we need to configure it to do so.
>
> 3. if clamav find something malicious, what does it do. is there a place I
> can see what it found and what it did with it, or can it notify me somehow?
>
> And, I am not sure what can I ask about performance, I had never seen
> clamd taking any significant amount of CPU or RAM.
>
> Following is my clamav installation script: (i made no changes to
> /etc/clamav/clamav.conf)
>
> apt-get install -y clamav clamav-daemon
> service clamav-daemon start
> service clamav-freshclam start
>
> Sorry for sounding so naive and confused with this, I am actually confused
> whether my clamav is working or not.
>
> Again, Thanks for your help.
>
> Regards,
>
> Karmendra
>
> On Sun, Apr 19, 2020 at 5:52 AM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Sat, 18 Apr 2020, Karmendra Suthar via clamav-users wrote:
>
> > Is there a server-agent model in ClamAV ...
>
> Not exactly.
>
> Several databases of signatures and similar things exist, which ClamAV
> can use when it looks for undesirables. Some of the databases are
> maintained by the ClamAV authors, others are maintained by community
> members and/or commercial organizations. The objectives of the
> databases differ widely. Some for example primarily target malicious
> code for a variety of operating systems, others are more concerned
> with spam and similar things usually found in email. The policies for
> (and the frequencies of) updating the databases differ
Re: [clamav-users] ClamAV Server Agent
You wrote

> Sorry for sounding so naive and confused with this, I am actually confused whether my clamav is working or not.

If you haven't told it to do anything, then yes it's working but it's not actually doing anything.

clamd is a daemon; you need to use the 'clamdscan' tool to ask it to scan things, or setup on-access scanning.

http://www.clamav.net/documents/scanning

Additionally, if your PCI assessor is insistent on anti-virus apps being installed on web servers then they're not very good; you should be able to argue that this is out-of-scope for the environment you're working in *unless* they have client-provided data flowing through them. If they're not in the payment path and the content is all static then they should be considered out of scope.

Graeme

From: clamav-users on behalf of Karmendra Suthar via clamav-users
Reply to: ClamAV users ML
Date: Wednesday, 22 April 2020 at 13:47
To: ClamAV users ML
Cc: Karmendra Suthar, "G.W. Haywood"
Subject: Re: [clamav-users] ClamAV Server Agent

Hello,

Thanks a lot for answering my query.

Actually I never had any antivirus on my linux web servers, but PCI compliance forced me to install it on my servers. Now a bit of my CPU and RAM is going into running the antivirus, not sure how much, but definitely something is used up.

Anyways, I will give my use case.

I have 3 ubuntu 18 servers running load balanced nginx webservers (all these servers are on AWS), only ports like 80, 443, 22(ip restricted) are open to these servers. I run OSSEC for intrusion detection in a server agent model a 4th server is used as bastion server that runs ossec-server, time-server etc and these 3 webservers uses this bastion server.

I wanted to manage the anti virus also from this bastion server.

-

I have few more questions:

1. When I am using freshclam what kind of threat I am getting protection from? (I do not know what other signature DB i can use for webserver. there is no mails on these servers)

2. You mentioned clamd scans TCP ports, my question is it by default scans all data on all open ports or we need to configure it to do so.

3. if clamav find something malicious, what does it do. is there a place I can see what it found and what it did with it, or can it notify me somehow?

And, I am not sure what can I ask about performance, I had never seen clamd taking any significant amount of CPU or RAM.

Following is my clamav installation script: (i made no changes to /etc/clamav/clamav.conf)

apt-get install -y clamav clamav-daemon
service clamav-daemon start
service clamav-freshclam start

Sorry for sounding so naive and confused with this, I am actually confused whether my clamav is working or not.

Again, Thanks for your help.

Regards,
Karmendra

On Sun, Apr 19, 2020 at 5:52 AM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi there,

On Sat, 18 Apr 2020, Karmendra Suthar via clamav-users wrote:

> Is there a server-agent model in ClamAV ...

Not exactly.

Several databases of signatures and similar things exist, which ClamAV can use when it looks for undesirables. Some of the databases are maintained by the ClamAV authors, others are maintained by community members and/or commercial organizations. The objectives of the databases differ widely. Some for example primarily target malicious code for a variety of operating systems, others are more concerned with spam and similar things usually found in email. The policies for (and the frequencies of) updating the databases differ. In any ClamAV installation it is possible to use multiple databases, and commonly ClamAV users who have only one or two machines to scan will point their freshclam instances at the remote database servers[*], wherever those are, to obtain copies of the signature databases for each individual ClamAV installation by direct downloading. However it is possible to maintain one single local mirror of your own, update the mirror from the remote databases, and point your ClamAV installations at the mirror. This may save some bandwidth, but that's about as far as it goes for managing databases in the way which you describe.

[*] They're more like read-only file servers than database servers.

ClamAV provides a daemon called 'clamd' which can listen on a TCP port for connections from a client. The daemon can scan data sent to it over such connections. I run clamd in this way, on a separate server, and pass email data to it from a Sendmail 'milter' which runs on a mail server. I normally scan nothing except email, and many users do the same, but I think most users of ClamAV do not use it in this way; I think they mostly run clamscan (or clamd plus clamdscan) on the machines which contain the data which is to be scanned. The scanning process can be heavy on CPU and memory. Your mileage, as they say, may vary.

> Didn't find information in official documentation as well, do not kn
Re: [clamav-users] ClamAV Server Agent
Hello,

Thanks a lot for answering my query.

Actually I never had any antivirus on my linux web servers, but PCI compliance forced me to install it on my servers. Now a bit of my CPU and RAM is going into running the antivirus, not sure how much, but definitely something is used up.

Anyways, I will give my use case.

I have 3 ubuntu 18 servers running load balanced nginx webservers (all these servers are on AWS), only ports like 80, 443, 22(ip restricted) are open to these servers. I run OSSEC for intrusion detection in a server agent model a 4th server is used as bastion server that runs ossec-server, time-server etc and these 3 webservers uses this bastion server.

I wanted to manage the anti virus also from this bastion server.

-

I have few more questions:

1. When I am using freshclam what kind of threat I am getting protection from? (I do not know what other signature DB i can use for webserver. there is no mails on these servers)

2. You mentioned clamd scans TCP ports, my question is it by default scans all data on all open ports or we need to configure it to do so.

3. if clamav find something malicious, what does it do. is there a place I can see what it found and what it did with it, or can it notify me somehow?

And, I am not sure what can I ask about performance, I had never seen clamd taking any significant amount of CPU or RAM.

Following is my clamav installation script: (i made no changes to /etc/clamav/clamav.conf)

apt-get install -y clamav clamav-daemon
service clamav-daemon start
service clamav-freshclam start

Sorry for sounding so naive and confused with this, I am actually confused whether my clamav is working or not.

Again, Thanks for your help.

Regards,
Karmendra

On Sun, Apr 19, 2020 at 5:52 AM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Sat, 18 Apr 2020, Karmendra Suthar via clamav-users wrote:
>
> > Is there a server-agent model in ClamAV ...
>
> Not exactly.
>
> Several databases of signatures and similar things exist, which ClamAV
> can use when it looks for undesirables. Some of the databases are
> maintained by the ClamAV authors, others are maintained by community
> members and/or commercial organizations. The objectives of the
> databases differ widely. Some for example primarily target malicious
> code for a variety of operating systems, others are more concerned
> with spam and similar things usually found in email. The policies for
> (and the frequencies of) updating the databases differ. In any ClamAV
> installation it is possible to use multiple databases, and commonly
> ClamAV users who have only one or two machines to scan will point
> their freshclam instances at the remote database servers[*], wherever
> those are, to obtain copies of the signature databases for each
> individual ClamAV installation by direct downloading. However it is
> possible to maintain one single local mirror of your own, update the
> mirror from the remote databases, and point your ClamAV installations
> at the mirror. This may save some bandwidth, but that's about as far
> as it goes for managing databases in the way which you describe.
>
> [*] They're more like read-only file servers than database servers.
>
> ClamAV provides a daemon called 'clamd' which can listen on a TCP port
> for connections from a client. The daemon can scan data sent to it
> over such connections. I run clamd in this way, on a separate server,
> and pass email data to it from a Sendmail 'milter' which runs on a
> mail server. I normally scan nothing except email, and many users do
> the same, but I think most users of ClamAV do not use it in this way;
> I think they mostly run clamscan (or clamd plus clamdscan) on the
> machines which contain the data which is to be scanned. The scanning
> process can be heavy on CPU and memory. Your mileage, as they say,
> may vary.
>
> > Didn't find information in official documentation as well, do not know
> > which document to check.
>
> http://www.clamav.net/documents/clam-antivirus-user-manual
>
> Perhaps if you describe your use case more fully we can help more.
>
> You haven't asked about performance...
>
> --
>
> 73,
> Ged.
Re: [clamav-users] ClamAV Server Agent
Hi there,

On Sat, 18 Apr 2020, Karmendra Suthar via clamav-users wrote:

> Is there a server-agent model in ClamAV ...

Not exactly.

Several databases of signatures and similar things exist, which ClamAV can use when it looks for undesirables. Some of the databases are maintained by the ClamAV authors, others are maintained by community members and/or commercial organizations. The objectives of the databases differ widely. Some for example primarily target malicious code for a variety of operating systems, others are more concerned with spam and similar things usually found in email. The policies for (and the frequencies of) updating the databases differ. In any ClamAV installation it is possible to use multiple databases, and commonly ClamAV users who have only one or two machines to scan will point their freshclam instances at the remote database servers[*], wherever those are, to obtain copies of the signature databases for each individual ClamAV installation by direct downloading. However it is possible to maintain one single local mirror of your own, update the mirror from the remote databases, and point your ClamAV installations at the mirror. This may save some bandwidth, but that's about as far as it goes for managing databases in the way which you describe.

[*] They're more like read-only file servers than database servers.

ClamAV provides a daemon called 'clamd' which can listen on a TCP port for connections from a client. The daemon can scan data sent to it over such connections. I run clamd in this way, on a separate server, and pass email data to it from a Sendmail 'milter' which runs on a mail server. I normally scan nothing except email, and many users do the same, but I think most users of ClamAV do not use it in this way; I think they mostly run clamscan (or clamd plus clamdscan) on the machines which contain the data which is to be scanned. The scanning process can be heavy on CPU and memory. Your mileage, as they say, may vary.

> Didn't find information in official documentation as well, do not know which document to check.

http://www.clamav.net/documents/clam-antivirus-user-manual

Perhaps if you describe your use case more fully we can help more.

You haven't asked about performance...

--
73,
Ged.
[clamav-users] ClamAV Server Agent
I need some help understanding the ClamAV usage, in server agent model.

Is there a server-agent model in ClamAV, meaning there is one administration server where admins can manage the ClamAV updates, virus definition updates (freshclam), reporting etc. and then there are ClamAV agents software running on other servers doing the regular scans and/or real time monitoring?

I tried a lot of googling but didn't find much information about this. Didn't find information in official documentation as well, do not know which document to check.

Any help would be highly appreciated.

Regards,
Karmendra
Bangalore, India