########################################
Clam Anti-Virus
########################################


Definitions
============
Atomic OSSEC has built-in real-time malware protection, upload malware protection, and on-demand malware scanning.


-----------

Configuring ClamAV
=====================================
The ClamAV settings can be accessed from the UI at Hub Configuration > Hub Configuration > Clam Anti-Virus



**CLAMAV_ENABLED**

   * Enable or Disable the ClamAV malware detection engine for the system.


**CLAMAV_ENABLE_REALTIME**


   * Enable or Disable the ClamAV kernel module. Note this requires the AO kernel and the official Atomicorp build of ClamAV.


**CLAMAV_PREVENTIONACCESS**

   * Enable or Disable blocking malware in the file system. 
   

**TCP Server Address**

   * Set the IP address for clamd to listen on. Default: localhost
   
**TCP Port** 

   * Default: 3310

**CLAMAV_LocalSocket**

   * Path to a local socket file the daemon will listen on.
  
  
**CLAMAV_TemporaryDirectory**

   * Optional path to the global temporary directory.
   
   
**CLAMAV_DatabaseDirectory**

   * Path to the database directory.
   
   
**CLAMAV_SelfCheck**

   * Perform a database check. Default: 600 seconds (10 minutes)
   
   
**CLAMAV_LogFile**

   * Full path to the clamd log file. Default: /var/log/clamav/clamd.log
   
   
**CLAMAV_LogFileMaxSize**

   * Maximum size of the log file. Value of 0 disables the limit. 
   
   
**CLAMAV_LogTime**

   * Log time with each message. 
   
   
**CLAMAV_DetectPUA**

   * This detects potentially unwanted applications, like packed JavaScript. These files may not be malicious, and this signature type is disabled by default for this reason. If you are finding files with signature names like this:

      .. code-block:: console

         PUA.Script.Packed-1 FOUND


   \
   
   That means you have enabled this option. If you do not want ClamAV to find files like this you must either:
   
      1) Disable this option

      2) Specifically whitelist the signatures you no longer wish ClamAV to detect. Please see the 'Detecting False Positives' section below.
	  
	  
**Scan Safebrowsing**


   .. note:: This will increase memory usage in clamd significantly. Not enabling this will prevent AO from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this.

   \
   
   * Enable the Google Safebrowsing URL blocklist signatures. Default: no


   \
   
   * Below is a simple test you can run to see if a URL is on the Google Safebrowsing list:
   
      .. code-block:: console

         URL=<URL on blocklist>; echo -e "From test\n\n<a href=http://$URL>test</a>" | clamdscan -


      Provided your signatures are up to date, if the URL is on the list you will see output like the following:

         .. code-block:: console

            stream: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND
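The same check, wrapped as a POSIX shell function that also handles the clamdscan exit code (0 clean, 1 signature matched, 2 scanner error such as clamd not running), so it can be used from a cron job or a health check. This is an added example, not code from the Atomic OSSEC documentation; the function names and the `example.test` placeholder are assumptions, and `clamdscan` must be on the PATH for the live check.

```shell
#!/bin/sh
# Added example, not from the Atomic OSSEC docs: run the Safebrowsing test
# from the section above and classify the result instead of eyeballing it.
# Assumes clamdscan is installed and clamd is running for the live check.

# Build the same minimal mail body the docs use: a header, a blank line and
# an anchor whose href carries the URL under test.
build_test_message() {
    printf 'From test\n\n<a href=http://%s>test</a>\n' "$1"
}

# Classify one line of clamdscan output. Prints: blocked | clean | other
classify_scan_line() {
    case "$1" in
        *Safebrowsing*FOUND) echo blocked ;;
        *": OK")             echo clean ;;
        *)                   echo other ;;
    esac
}

# Live check against clamd. Returns 0 if the URL is flagged, 1 if clean,
# 2 if clamdscan itself failed (for example clamd not running, or the
# Safebrowsing signatures not loaded, in which case nothing can be flagged).
safebrowsing_check() {
    url=$1
    out=$(build_test_message "$url" | clamdscan --no-summary - 2>&1)
    rc=$?
    case $rc in
        0) echo "clean:   $url";                         return 1 ;;
        1) echo "blocked: $url -> $(classify_scan_line "$out")"; return 0 ;;
        *) echo "error:   clamdscan exit $rc: $out" >&2;  return 2 ;;
    esac
}

# Usage (placeholder host, constructed): safebrowsing_check example.test
```

A clean result only means something if the Safebrowsing signatures are actually loaded, which is why the exit-2 branch is kept separate from "clean": a stopped clamd must not look like a passing check.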


**CLAMAV_ScanELF**

   * Executable and Linking Format is a standard format for UNIX executables.  


**CLAMAV_DetectBrokenExecutables**

   * With this option ClamAV will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.


**CLAMAV_ScanOLE2**

   * This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.


**CLAMAV_ScanPDF**

   * This option enables scanning within PDF files.  


**CLAMAV_ScanMail**

   .. note:: This requires a third party extension to your mail server to send email to the malware scanning system. This does not install or enable this extension. Please contact your mail vendor or support for assistance.
   
   \
   
   * Enable internal e-mail scanner.
   
   
**CLAMAV_CDB_SIGNATURES**

   * With this option enabled ClamAV will try to detect malicious extensions using signatures.
   
   
**CLAMAV_PhishingSignatures**

   * With this option enabled ClamAV will try to detect phishing attempts by using signatures.
   
   
**CLAMAV_PhishingAlwaysBlockSSLMismatch**

   * Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.
   
   
**CLAMAV_PhishingAlwaysBlockCloak**

   * Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.
   
   
**Data Loss Prevention (DLP) Module**

   .. note:: This will search files for structured data formats, like SSN and Credit Card numbers. Please see the options below and configure them as appropriate for your system.
   
   
   * Minimum credit card count - The minimum number of strings that appear to be credit card numbers that must be found in a file to generate a detection. Default: 3
   
   \
   
   * Minimum SSN count - The minimum number of strings that appear to be Social Security Numbers that must be found in a file to generate a detection. Default: 3
   
   \
   
   * Structured SSN format - With this option enabled the DLP module will search for strings that appear to be Social Security Numbers in the format xxx-yy-zzzz. Default: yes
   
   \
   
   * Structured SSN format stripped - With this option enabled the DLP module will search for strings that appear to be Social Security Numbers in the stripped format xxxyyzzzz. Default: no
   
 

**Scan: HTML**

   * Perform HTML normalisation and decryption of MS Script Encoder code.


**Scan: Archive**

   * ClamAV can scan within archives and compressed files.
   
   
**Scan: Archive Encrypted**

   * Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).


------------------------

Real Time Malware Protection
============================


The basic behavior when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and the AO GUI.


   **Enable: To enable this feature follow the steps below**
   
      Step 1: Log into the AP Web Console

      Step 2: Navigate to Hub Configuration > Clam Anti-Virus

      Step 3: Set Realtime Malware detection to <yes>

   **Configuration:**

      Step 1: Navigate to Asset Management > Agent Management 

      Step 2: Select the group that you wish to modify

      Step 3: Open AV Settings
      
      Step 4: Add the directories you want to protect. For example:

            .. code-block:: console

               /var/www/vhosts
               /tmp
               /var/tmp
               /home
			   
			   
         **DO NOT INCLUDE DIRECTORIES THAT CONTAIN LOGS, DEVICES, or MALWARE SIGNATURES** such as these:
		 
            .. code-block:: console
			
               /var/clamav
               /var/lib/clamav
               /etc/httpd/modsecurity.d/
               /dev
               /var/log
               /home/user/apache/log
			   
			   
         We also recommend for source built systems that you exclude build directories such as these:

            .. code-block:: console
			
               /home/cpeasyapache
               /home/.cpan
               /home/.cpanm
               /home/.cpanan	


         You should also **never** include system partitions or directories, such as:

            .. code-block:: console
		 
               /home/virtfs
               /proc
               /selinux
               /sys
               /dev	

  

      Step 5: Select the Malware Signature Feed
         You can choose from the official ClamAV.net source, the Atomic source, or, if you are on an air-gapped system, you can select hub and your signatures will be downloaded from the OSSEC HUB.


         * AO includes upload malware scanners. The HTTP malware scanner works by temporarily saving the file to a temporary directory, and then calling clamd to scan the file. If the file passes the scan, it removes the temporary copy and continues pushing the upload to the web application. If the realtime antimalware system is configured to protect this directory, the system's load will go up significantly because the system will loop through scanning the same file over and over again. This may also break the upload scanner.

         Therefore, if you are using the real time malware scanner and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.
   
            **Option 1:** Change the temporary directory modsecurity uses. Modify this setting under the AO WAF **MODSEC_TMPDIR**

            **Option 2:** Exclude the temporary directory modsecurity uses. By default, this is /tmp.

            **Option 3:** Disable the upload malware scanner. If the realtime antimalware system is protecting the directories apache can upload files to, then the upload malware scans may not be necessary. Modify this setting in the AO WAF **MODSEC_99_SCANNER**.


			
			
      Step 6: Click Save to apply the new settings
	  
         * Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

         .. note:: It is not recommended you enable malware scanning for the default excluded users.
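Before saving the directory list from Step 4, it is worth checking it mechanically against the two rules the steps above give: never protect log, device, signature, build or system directories, and never protect the modsecurity upload temporary directory (MODSEC_TMPDIR, default /tmp) that Step 5 warns about. The POSIX shell script below does that check. It is an added example, not part of the Atomic OSSEC documentation: the excluded-directory list is copied from this page, while the function names and the WARN/NOTE wording are assumptions.

```shell
#!/bin/sh
# Added example, not from the Atomic OSSEC docs: sanity-check a proposed
# real-time protection directory list. Paths must not contain whitespace.

# Directories this page says must never be protected or must be excluded.
NEVER_PROTECT="/var/clamav
/var/lib/clamav
/etc/httpd/modsecurity.d
/dev
/var/log
/proc
/selinux
/sys
/home/virtfs
/home/cpeasyapache
/home/.cpan
/home/.cpanm"

# Strip trailing slashes so /home/ and /home compare equal.
norm_path() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    echo "$p"
}

# path_within A B: true when A equals B or lies underneath it.
path_within() {
    a=$(norm_path "$1")
    b=$(norm_path "$2")
    [ "$b" = "/" ] && return 0
    [ "$a" = "$b" ] && return 0
    case "$a" in
        "$b"/*) return 0 ;;
    esac
    return 1
}

# check_protected_dirs "<newline-separated dirs>" [modsec_tmpdir]
# WARN lines are hard errors (function returns 1); NOTE lines mean the
# protected tree contains a directory that needs its own exclusion.
check_protected_dirs() {
    dirs=$1
    tmpdir=${2:-/tmp}   # MODSEC_TMPDIR default per the page
    problems=0
    for d in $dirs; do
        for bad in $NEVER_PROTECT; do
            if path_within "$d" "$bad"; then
                echo "WARN: $d must not be protected (matches excluded $bad)"
                problems=$((problems + 1))
            elif path_within "$bad" "$d"; then
                echo "NOTE: $d contains $bad; add an exclusion for it"
            fi
        done
        if path_within "$tmpdir" "$d"; then
            echo "WARN: $d contains the modsecurity tmpdir $tmpdir; the upload scanner would rescan its own files"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: check_protected_dirs "/var/www/vhosts
# /home" /var/lib/modsec_tmp
```

Note that the example list in Step 4 includes /tmp, which is also the modsecurity default temporary directory; with the default second argument the script flags exactly that conflict, which is the situation Options 1 to 3 above exist to resolve.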
		 

-------------

Testing Your Protection
=======================


If you want to test to see if the realtime malware system is working, once you have it configured and are running an appropriate kernel, such as the AO kernel that supports real time malware scanning, you can use the EICAR test file, which you can download from the official `EICAR site`_


.. _EICAR site: http://www.eicar.org/85-0-Download.html


Once you have downloaded an EICAR test file, simply place it in a directory you have configured to be protected. If you have configured the system to allow copying of files, but not opening of files, simply try to view the contents of the file, within the protected directory, with a command like the one below:

   .. code-block:: console
   
      cat eicar.com.txt
	  
	  
If permission is denied, then you have successfully configured and enabled real time malware protection for your system.


--------------

Detecting False Positives
=========================

If you detect a false positive with any clamav signatures, you can exclude the signature by adding its name to this file:

   .. code-block:: console
   
      /var/clamav/local.ign


For Example, if your system reported this file and this signature:
   
   .. code-block:: console
	  
      Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND

   You would add "Some.Signature.Name" to the **local.ign** file. If the signature name ends in UNOFFICIAL, do **NOT** add UNOFFICIAL to the signature name. For example:
   
      .. code-block:: console

         somesignature.UNOFFICIAL


   In the case above, you would only add "somesignature" to the **local.ign** file, and **NOT** "somesignature.UNOFFICIAL".
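The two rules above (take the signature name from the log line, drop a trailing .UNOFFICIAL) are easy to get wrong by hand, and a duplicate or misspelled entry in local.ign silently does nothing. The POSIX shell helpers below apply both rules and append to the ignore file only when the name is not already there. This is an added example, not code from the Atomic OSSEC documentation; the function names are assumptions, the log line is the one from this page, and the ignore-file path can be overridden so the functions can be tried against a scratch file instead of /var/clamav/local.ign.

```shell
#!/bin/sh
# Added example, not from the Atomic OSSEC docs: derive the local.ign entry
# for one clamd/Clamuko "FOUND" log line and add it exactly once.

# Extract the signature name from a "... : <file>: <sig> FOUND" line.
# Prints nothing if the line is not a FOUND line.
sig_from_log_line() {
    echo "$1" | sed -n 's/.*: \([^ ]*\) FOUND$/\1/p'
}

# Drop a trailing .UNOFFICIAL suffix, as the docs require; other names
# are returned unchanged.
strip_unofficial() {
    echo "${1%.UNOFFICIAL}"
}

# add_ignore <signature> [ignore_file]
# Returns 0 when the name was appended, 1 when it was already present.
add_ignore() {
    sig=$(strip_unofficial "$1")
    ign=${2:-/var/clamav/local.ign}   # page's default path
    [ -n "$sig" ] || return 1
    touch "$ign"
    if grep -qxF "$sig" "$ign"; then
        return 1
    fi
    echo "$sig" >> "$ign"
}

# Usage with the constructed log line from the section above and a scratch
# ignore file:
#   line='Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND'
#   add_ignore "$(sig_from_log_line "$line")" /tmp/local.ign.test
```

Whitelisting is per signature name, so review each FOUND line before adding it: a name that looks like a false positive on one file will be ignored for every file on the system once it is in local.ign.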
