Mailing List Archive

Clam AV on NAS/Personal Cloud Device?
Hi All,

Grateful for any advice, and apologies in advance for the necessarily
detailed message below.
I recently purchased a Western Digital MyCloud Ex2 Ultra Personal Cloud/NAS
device. The firmware of this device includes an app store of installable
third party products including what they call Anti Virus Essentials. This
turns out after some investigation to be Clam Anti Virus.

The device runs a flavour of Linux, and the configuration I chose has 6TB of
storage, which I have configured as a single volume.
Specifications from the WD website at
https://www.westerndigital.com/en-gb/products/network-attached-storage/wd-my-cloud-expert-series-ex2-ultra#WDBVBZ0060JCH-EESN say:
"Upgraded with the powerful Marvell ARMADA 385 1.3GHz dual-core processor,
you'll get ultra-fast transfer rates for high performance streaming. It also
comes with 1GB of DDR3 memory, so you can multitask with ease."

When I set up the device, I noticed the Anti Virus Essentials app as an
installable option. It hadn't occurred to me that I needed an AV product on
a device of this nature, but once you're aware that it exists, it feels like
tempting providence to ignore it. I therefore installed it. However,
running the configuration as delivered by the firmware to do a full scan
takes several weeks to complete. I gave up when it had been running for 2
weeks and had only reached 29%, most of which appeared to be scanning its
own libraries. A lengthy exchange of email messages between myself and WD
support, suggested turning off other applications such as streaming, while
the scan was running, and eventually yielded the advice that as this is a
third party product, I should engage with the third party supplier.

My questions, with many thanks to anyone still reading this are:
1. Is Clam Anti Virus appropriate and/or necessary for an environment such
as this where most of the data is actually backup files generated by the
Windows10 Backup And Restore application.
2. Is the device under-powered to run Clam AV over this amount of data
(currently approximately 3TB including music files for streaming).
3. As a total Newbie to Clam AV is there anything I can do to optimise
performance on my device?

Regards and thanks,

Tim Pennick

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Clam AV on NAS/Personal Cloud Device? [ In reply to ]
Hi there,

On Thu, 1 Sep 2022, tim.pennick--- via clamav-users wrote:

> Grateful for any advice, and apologies in advance for the necessarily
> detailed message below.

You're welcome in advance, and within reason the more detail the better.
More often there isn't nearly enough. :)

> I recently purchased a Western Digital MyCloud Ex2 Ultra Personal Cloud/NAS

This sort of thing has come up here before, you might want to search the
mailing list archives. See the links in the headers in any list mail.

> device. The firmware of this device includes an app store of installable
> third party products including what they call Anti Virus Essentials. This
> turns out after some investigation to be Clam Anti Virus.

I *wish* people wouldn't do that. They never seem to keep on top of it, seems
to me it's just the marketing department's idea.

> ... the powerful Marvell ARMADA 385 1.3GHz dual-core processor,
> you'll get ultra-fast transfer rates for high performance streaming. ...

Yeah, yeah.

> ... comes with 1GB of DDR3 memory, so you can multitask with ease."

Ah. But *not* so you can use ClamAV. Unfortunately that's nowhere
near enough memory.

> ... running the configuration as delivered by the firmware to do a full scan
> takes several weeks to complete. I gave up when it had been running for 2
> weeks and had only reached 29%, most of which appeared to be scanning its
> own libraries.

Sounds about right. It would probably have been swapping like crazy.

> A lengthy exchange of email messages between myself and WD
> support, suggested turning off other applications such as streaming, while
> the scan was running ...

Well they were on the right track, but it was never really going to fly.

> ... eventually yielded the advice that as this is a third party
> product, I should engage with the third party supplier.

Pity they didn't read the documentation before they stol^H^H^H^H bundled
more bloatware which didn't cost them anything so they could put another
bit of bait on the sales blurb. I used to think WD was a decent company.

https://docs.clamav.net/Introduction.html#recommended-system-requirements

> My questions, with many thanks to anyone still reading this

Still here. :)

> are:
> 1. Is Clam Anti Virus appropriate and/or necessary for an environment such
> as this where most of the data is actually backup files generated by the
> Windows10 Backup And Restore application.

Necessary is a strong word, but it depends on how it's used. As it's
based on a more or less general purpose Linux distribution it suffers
from the potential risks of compromise that any network-connected box
will suffer. When it comes to after-sales service and support some of
the companies pushing this kind of storage have a chequered history so
you're probably best advised to take security matters upon yourself.

NAS devices respond to requests to read and write data which come from
the other devices on the network. For backup, my own feeling is that
I'd much rather have something which makes calls to the devices being
backed up to ask for the data but does *not* respond to devices which
try to command it. Effectively there's a firewall between the devices
being backed up and the backup device. Then if ransomware or similar
manages to compromise any of the devices being backed up, it can't get
to the backup device to do any damage there and you have a much better
situation to recover from.

> 2. Is the device under-powered to run Clam AV over this amount of data
> (currently approximately 3TB including music files for streaming).

To put things into perspective, there are of the order of ten million
signatures in the official signature database and there are third-party
databases available which extend the coverage of the official one, so
memory gets used up pretty quickly when you start scanning for viruses.
The amount of data to be scanned is irrelevant. As things stand now
the device cannot sensibly run ClamAV. Before it can even scan a 68
byte EICAR file, the scanner will use up more than 1GByte RAM just to
load the 'official' signature database - and we haven't talked about
keeping it up to date yet.

> 3. As a total Newbie to Clam AV is there anything I can do to optimise
> performance on my device?

If you can put more memory into it, yes. Otherwise sorry, no, not as
a total newbie. Maybe you could do things if you were very familiar
with the tools. It would be a lot of work to set up and very onerous
to keep up to date, something which is done more or less automatically
with a vanilla installation. You'd basically need a personalized
signature database which was small enough to fit in the available RAM.
The effort would not justify the results. My recommendation would be
don't even think about it.

--

73,
Ged.
Clam AV on NAS/Personal Cloud Device? [ In reply to ]
Hi Ged,

Apologies for the OT follow-up. I attempted to send this off list, but was
rejected.

***

Very many thanks for your extremely helpful response. I wonder if you could
clear up a point you raise as I'm not a security expert, but am concerned
that I might be adding unnecessarily to the risks of a security breach.

You say:

"NAS devices respond to requests to read and write data which come from the
other devices on the network. For backup, my own feeling is that I'd much
rather have something which makes calls to the devices being backed up to
ask for the data but does *not* respond to devices which try to command it.
Effectively there's a firewall between the devices being backed up and the
backup device. Then if ransomware or similar manages to compromise any of
the devices being backed up, it can't get to the backup device to do any
damage there and you have a much better situation to recover from."

Do you have a product or type of product in mind which would satisfy your
criteria? Wouldn't it be just as dangerous to allow a storage device to
command a client device to perform a particular task, as vice versa?

Thanks again,

Tim Pennick


-----Original Message-----
From: G.W. Haywood <clamav@jubileegroup.co.uk>
Sent: 01 September 2022 11:35
To: tim.pennick--- via clamav-users <clamav-users@lists.clamav.net>
Cc: tim.pennick@btinternet.com
Subject: Re: [clamav-users] Clam AV on NAS/Personal Cloud Device?

Re: Clam AV on NAS/Personal Cloud Device? [ In reply to ]
On 01.09.22 10:49, tim.pennick--- via clamav-users wrote:
>Grateful for any advice, and apologies in advance for the necessarily
>detailed message below.
>I recently purchased a Western Digital MyCloud Ex2 Ultra Personal Cloud/NAS
>device.

> The firmware of this device includes an app store of installable
>third party products including what they call Anti Virus Essentials. This
>turns out after some investigation to be Clam Anti Virus.

>The device runs a flavour of Linux, and the configuration I chose has 6TB of
>storage, which I have configured as a single volume.
>Specifications from the WD website at
>https://www.westerndigital.com/en-gb/products/network-attached-storage/wd-my-cloud-expert-series-ex2-ultra#WDBVBZ0060JCH-EESN say:
>"Upgraded with the powerful Marvell ARMADA 385 1.3GHz dual-core processor,
>you'll get ultra-fast transfer rates for high performance streaming. It also
>comes with 1GB of DDR3 memory, so you can multitask with ease."

according to its specification:
https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/wd/product/nas/my_cloud/ex2_ultra/product-overview-my-cloud-expert-series-ex2-ultra.pdf

as this device only has 1GB of RAM, it is not enough to run clamav.
sorry.

there were multiple NAS devices shipped with clamav, however currently
clamav itself requires about 1.3GB of RAM and you need OS too.

so I recommend you at least 2GB for occasional use, 4 and more for standard
use with antivirus
(during database reload, clamav needs twice as much memory, unless you are
willing to suspend any work while DB reload happens).

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
Re: Clam AV on NAS/Personal Cloud Device? [ In reply to ]
Hi there,

On Fri, 2 Sep 2022, tim.pennick--- via clamav-users wrote:

> Apologies for the OT follow-up. I attempted to send this off list, but was
> rejected.

Sorry, my mail system is a bit picky about replies to mailing list posts. :)

> Very many thanks for your extremely helpful response. I wonder if you could
> clear up a point you raise as I'm not a security expert, but am concerned
> that I might be adding unnecessarily to the risks of a security breach.

Concern about these things is good. :)

> You say:
>
> "NAS devices respond to requests to read and write data which come from the
> other devices on the network. For backup, my own feeling is that I'd much
> rather have something which makes calls to the devices being backed up to
> ask for the data but does *not* respond to devices which try to command it.
> Effectively there's a firewall between the devices being backed up and the
> backup device. Then if ransomware or similar manages to compromise any of
> the devices being backed up, it can't get to the backup device to do any
> damage there and you have a much better situation to recover from."
>
> Do you have a product or type of product in mind which would satisfy your
> criteria?

Yes. Something like 'BackupPC'. It won't quite tick all the boxes without
a bit of work on the box on which it runs, but a little bit of firewalling
can go a long way. I'm sure there must be others but that's what I've been
using for many years.

> Wouldn't it be just as dangerous to allow a storage device to
> command a client device to perform a particular task, as vice versa?

No, absolutely not. The ideal would be to harden a backup device so
that, even if the devices it's backing up are compromised, it can't
itself be compromised. The backup device says in effect "Please send
some data." and it doesn't care a hoot what data gets sent because its
one and only job is to accept any amount of random data that anything
on the network cares to send to it *after* receiving such a request.

If a device tries to connect to the backup box to instruct it to do
something, the backup box ignores it - and hopefully writes a warning
in the logs somewhere, or sends mail, or whatever kind of alert the
system administrator prefers.

We're OT for this list so I won't go into more detail but if you do a
bit of reading about firewalls you'll start to get the picture. You
can have a firewall anywhere, it doesn't have to be just at a network
perimeter like in your modem/router. It just seems like common sense
to me to have at least a firewall between the backup and the things it
backs up. An air gap is better, but more effort and less convenient.

--

73,
Ged.
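
The pull-only arrangement described in this thread, sketched as an nftables ruleset for the backup box. This is an added example, not configuration from any poster or from BackupPC. The client subnet 192.0.2.0/24 (a documentation range), SSH as the pull transport, outbound DNS/NTP, and console-only administration are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: host firewall for a backup server that only ever pulls.
# The box initiates connections to its clients; nothing may initiate to it.
# Assumed values (not from the thread): client subnet, SSH transport,
# DNS and NTP egress, administration from the local console only.

flush ruleset

define BACKUP_CLIENTS = 192.0.2.0/24    # constructed placeholder subnet

table inet backup_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Replies to connections this box opened (the "please send data" case).
        ct state established,related accept
        ct state invalid drop

        # IPv6 neighbour discovery, needed for basic connectivity.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Anything that tries to open a connection to the backup box is
        # ignored, and a rate-limited warning goes to the kernel log.
        ct state new limit rate 10/minute log prefix "backup-fw unsolicited: " level warn
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # The only new connections allowed out: pulls from the backup clients.
        ip daddr $BACKUP_CLIENTS tcp dport 22 ct state new accept

        # Name resolution and time sync (assumed requirements).
        udp dport { 53, 123 } accept
        tcp dport 53 accept

        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

        log prefix "backup-fw egress denied: " level warn
        counter drop
    }
}
```

With the input policy at drop and no listening service reachable, a compromised client can answer a pull request but cannot open a session to the backup box; the `backup-fw unsolicited:` log lines are the alert source for any attempt to do so.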