ClamAV

Metadata

• Identifier: clamav
• Maturity: Production

Categories

• Antimalware
• Host Protection

Description

Clam AntiVirus (ClamAV) is a free software, cross-platfom antimalware toolkit able to detect many types of malware, including viruses. ClamAV includes a command-line scanner, automatic database updater, and a scalable multi-threaded daemon running on an anti-virus engine from a shared library. FreshClam is a virus database update tool for ClamAV. ClamAV Daemon checks periodically for virus database definition updates, downloads, installs them, and notifies clamd to refresh it's in-memory virus database cache.

Actions

Identifier	Description	Expected Parameters Keys and Types
start_scan	Starts the scan containing the predifined scan options: Quarantine Location and Scan Log Location. Also, it requires the input of Scan Location.	scan_location (STRING)

Information

Identifier	Description	Type	Properties	Default Value
daily_infected_files_detected	Total number of infected files detected today	INTEGER	METRIC, READ_ONLY
quarantine_location	The location where the infected files will be moved to after the on-demand/crontab scans. Select a directory in which the quarantine will take place if you would like to change.	STRING	MANDATORY, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	/opt/mutablesecurity/clamav/quarantine/
scan_day_of_month	The day (1-31, or * for any) of the month when the crontab scan will take place	STRING	OPTIONAL, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	*
scan_day_of_week	The day (0-6, SUN-SAT, 7 for Sunday or * for any) of the week when the crontab scan will take place	STRING	OPTIONAL, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	MON
scan_hour	The hour (0-23, or * for any) when the crontab scan will take place	STRING	OPTIONAL, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	0
scan_location	The location where the on-demand/crontab scans will take place.Select a different directory if you would like to change.	STRING	MANDATORY, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	/
scan_log_location	The location of the generated logs after the on-demand/crontab scans.Chose a file in which the logs will be stored if you would like to change.	STRING	MANDATORY, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	/opt/mutablesecurity/clamav/logs/logs.txt
scan_minute	The minute (0-59, or * for any) when the crontab scan will take place	STRING	OPTIONAL, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	0
scan_month	The month (1-12, JAN-DEC, or * for any) when the crontab scan will take place	STRING	OPTIONAL, WITH_DEFAULT_VALUE, CONFIGURATION, NON_DEDUCTIBLE, WRITABLE	*
total_infected_files_detected	Total number of infected files detected overall	INTEGER	METRIC, READ_ONLY
version	Installed version	STRING	METRIC, READ_ONLY

Logs

Identifier	Description	Location	Format
clamav_logs	The logs generated by ClamAV	/var/log/clamav/clamav.log	TEXT
freshclam_logs	The logs generated by FreshClam	/var/log/clamav/freshclam.log	TEXT
scan_logs	The logs generated during ClamAV scanning	ScanLogLocation-dependent	TEXT

Tests

Identifier	Description	Type
active_database	Checks if the ClamAV virus database service is active.	OPERATIONAL
eicar_detection	Creates a EICAR-STANDARD-ANTIVIRUS-TEST-FILE and checks if ClamAV is able to detect it.	SECURITY
internet_access	Checks if host has Internet access.	REQUIREMENT
ubuntu	Checks if the operating system is Ubuntu.	REQUIREMENT

References

• https://www.clamav.net/
• https://github.com/Cisco-Talos/clamav
• https://docs.clamav.net/Introduction.html