Clam Anti-Virus

Definitions

Atomic OSSEC has built in real-time malware protection as well as upload malware protection, and on-demand malware scanning.

Configuring ClamAV

The ClamAV settings can be accessed from the UI at Hub Configuration > Hub Configuration > Clam Anti-Virus

CLAMAV_ENABLED

  • Enable or Disable the ClamAV malware detection engine for the system.

CLAMAV_ENABLE_REALTIME

  • Enable or Disable the ClamAV kernel module. Note this requires the AO kernel, and the official Atomicorp build of clamav.

CLAMAV_PREVENTIONACCESS

  • Enable or Disable blocking malware in the file system.

TCP Server Address

  • Set the IP address for clamd to listen on. Default: localhost

TCP Port

  • Default: 3310

CLAMAV_LocalSocket

  • Path to a local socket file the daemon will listen on.

CLAMAV_TemporaryDirectory

  • Optional path to the global temporary directory.

CLAMAV_DatabaseDirectory

  • Path to the database directory.

CLAMAV_SelfCheck

  • Perform a database check. Default: 600 seconds (10 minutes)

CLAMAV_LogFile

  • Full path to the clamd log file. Default: /var/log/clamav/clamd.log

CLAMAV_LogFileMaxSize

  • Maximum size of the log file. Value of 0 disables the limit.

CLAMAV_LogTime

  • Log time with each message.

CLAMAV_DetectPUA

  • This detects potentially unwanted applications, like packed javascript. These fails may not be malicious, and this signature type is disabled by default for this reason. If you are finding files with signature names like this:

    PUA.Script.Packed-1 FOUND

That means you have enabled this option. If you do not want ClamAV to find files like this you must either:

  1. Disable this option

  2. Specifically whitelist the signatures you no longer with ClamAV to detect. Please see the ‘Disabling Signatures’ section below.

Scan Safebrowing

Note

This will increase memory usage in clamd significantly. Not enabling this will prevent AO from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this.

  • This will increase memory usage in clamd significantly. Not enabling this will prevent AO from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this. Default: no

  • This will increase memory usage in clamd significantly. Not enabling this will prevent AP from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this. Default: no

  • Below is a simple test you can run to see if an URL is on the google safebrowsing list:

    URL=<URL on blocklist>; echo -e "From test\n\n<a href=http://$URL>test</a>" | clamdscan -

    And provided your signatures are up to date, if the URL Is on the list you’ll see output like the following:

    stream: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND

CLAMAV_ScanELF

  • Executable and Linking Format is a standard format for UNIX executables.

CLAMAV_DetectBrokenExecutables

  • With this option clamav will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.

CLAMAV_ScanOLE2

  • This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.

CLAMAV_ScanPDF

  • This option enables scanning within PDF files.

CLAMAV_ScanMail

Note

This requires a third party extension to your mail server to send email to the malware scanning system. This does not install or enable this extension. Please contact your mail vendor or support for assistance.

  • Enable internal e-mail scanner.

CLAMAV_CDB_SIGNATURES

  • With this option enabled ClamAV will try to detect malicious extensions using signatures.

CLAMAV_PhishingSignatures

  • With this option enabled ClamAV will try to detect phishing attempts by using signatures.

CLAMAV_PhishingAlwaysBlockSSLMismatch

  • Always block SSL mismatches in URLs, even if the URL isn’t in the database. This can lead to false positives.

CLAMAV_PhishingAlwaysBlockCloak

  • Always block cloaked URLs, even if URL isn’t in database. This can lead to false positives.

Data Loss Prevention (DLP) Module

Note

This will search files for structured data formats, like SSN and Credit Card numbers. Please see the options below and configure them as appropriate for your system.

  • Minimum credit card count - This option sets the lowest number of numbers, that appear to be Credit Card numbers, found in a file. Default: 3

  • Minimum SSN count - This option sets the lowest number of Social Security Numbers found in a file to generate a detect. Default: 3

  • Structured SSN format - With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxx-yy-zzzz. Default: yes

  • Structured SSN format stripped - With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxxyyzzzz. Default: no

Scan: HTML

  • Perform HTML normalisation and decryption of MS Script Encoder code.

Scan: Archive

  • ClamAV can scan within archives and compressed file.

Scan: Archive Encrypted

  • Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

Real Time Malware Protection

The basic behavior when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and via the AO gui.

Enable: To enable this feature follow the steps below

Step 1: Log into the AP Web Console

Step 2: Navigate to Hub Configuration > Clam Anti-Virus

Step 4: Set Realtime Maleware detection to <yes>

Configuration:

Step 1: Navigate to Asset Management > Agent Management

Step 2: Select the group that you wish to modify

Step 3: Open AV Settings

Step 4: Add the directories you want to protect. For example:

/home

/var/www/vhosts
/tmp
/var/tmp
/home

DO NOT INCLUDE DIRECTORIES THAT CONTAIN LOGS, DEVICES, or MALWARE SIGNATURES such as these:

/var/clamav
/var/lib/clamav
/etc/httpd/modsecurity.d/
/dev
/var/log
/home/user/apache/log

We also recommend for source built systems that you exclude build directories such as these:

/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpanan

Your should also never include system partitions or directories, such as:

/home/virtfs
/proc
/selinux
/sys
/dev
Step 5: Select the Malware Signature Feed

You can choose from the official Clamav.net source, the atomic source or if you are on an airgapped system, you can select hub and your signatures will be downloaded from the OSSEC HUB

  • AO includes upload malware scanners. The HTTP malware scanner works by temporarily saving the file to a temporary directory, and then calling clamd to scan the file. If the file passes the scan, it removes the file, and continues pushing it to the web application. If the realtime antimalware system is configured to protect this directory, the systems load will go up significantly because the system will go through several loops of scanning the same file over and over again. This may also break the upload scanner.

Therefore, if you are using the real time malware scanner, and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.

Option 1: Change the temporary directory modsecurity uses. Modify this setting under the AO WAF MODSEC_TMPDIR

Option 2: Exclude the temporary directory modsecurity uses. By default, this is /tmp.

Option 3: Disable the upload malware scanner. If the realtime antimalware system is protected the directories apache can upload files to, then the upload malware scans may not be necessary. Modify this setting in the AO WAF MODSEC_99_SCANNER.

Option 3: Disable the upload malware scanner. If the realtime antimalware system is protected the directories apache can upload files to, then the upload malware scans may not be necessary. Modify this setting in the AP WAF MODSEC_99_SCANNER.

Step 6: Click Save to apply the new settings

  • Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

Note

It is not recommended you enable malware scanning for the default excluded users.

Testing Your Protection

If you want to test to see if the realtime malware system is working, once you have it configured and are running an appropriate kernel, such as the AO kernel that supports real time malware scanning, you can use the EICAR test file which you can download from the officer EICAR site

Once you have downloaded an EICAR test file, simply place it in a directory you have configured to be protected. If you have configured the system to allow copying of files, but not opening of files, simple try to view the contents of the file, within the protected directory, with a command like the one below:

cat eicar.com.txt

If permission is denied, then you have successfully configured and enabled real time malware protection for your system.

Detecting False Positives

If you detect a false positive with any clamav signatures, you can exclude the signature by adding its name to this file:

/var/clamav/local.ign

For Example, if your system reported this file and this signature:

Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND

You would add “Some Signature Name” to the local.ign file. If the signature has an UNOFFICIAL at the end of the end, do NOT add UNOFFICIAL to the signature name. For example:

somesignature.UNOFFCIAL

In the case above, you would only add “somesignature” to the local.ign* file, and **NOT “somesignature.UNOFFICIAL”