Mailing List Archive

[clamav-users] Calm AV assistance
I am specifically looking for assistance in setting up and configuring Clam
AV in our AWS EC2 environment.

We are specifically looking to create a scanning service using Clam AV that
can be called everywhere a file is uploaded. Make sure that if a file is
flagged as having a virus that we delete the file and return a message to
the user that the file appears to be infected and was not successfully
uploaded.

Any assistance would be greatly appreciated!

--
Michael Pifer
Systems Administrator
Re: [clamav-users] Calm AV assistance
Hi there,

On Fri, 5 Nov 2021, Michael Pifer via clamav-users wrote:

> I am specifically looking for assistance in setting up and configuring Clam
> AV in our AWS EC2 environment.
>
> We are specifically looking to create a scanning service using Clam AV that
> can be called everywhere a file is uploaded. Make sure that if a file is
> flagged as having a virus that we delete the file and return a message to
> the user that the file appears to be infected and was not successfully
> uploaded.
>
> Any assistance would be greatly appreciated!

ClamAV is really just a toolkit. You can learn how to use it to scan
data streams, files, directories and whole filesystems against a set
of signatures and other stuff which is stored - more or less locally -
by you in a sort of database. You decide what to put in the database
(and then you have to maintain it; there are tools in the ClamAV suite
to help you to do that). Other tools in the suite can help you to do
something like what you want to do, but if we are to provide any help
other than generalities and pointers to the documentation you need to
give us sufficient detail about what you intend to do. The online
documentation is at

https://docs.clamav.net/

and if you download ClamAV from one of the archives at

https://www.clamav.net/downloads

you will also find documentation in the archive.

Things like returning messages to users are the sorts of things that
you have to do in your own software, which can use the ClamAV toolkit
and perhaps collect information from ClamAV scan results which can be
returned to your users. These things are not part of ClamAV itself.
The messages provided by ClamAV are at best rather terse; you would
probably want to embellish them in your own software for consumption
by your users.

If ClamAV *does* flag a file, deleting it will not always be the best
choice of the options available to you.

If ClamAV does *not* flag a file, accepting that it is safe will not
always be the best choice of the options available to you. You should
consider carefully the probabilities that ClamAV will detect the kinds
of threats which concern you.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Calm AV assistance
Don't use EC2. You will be paying more. Use a Docker image and run on ECS with
a network load balancer. Use clamdscan to scan files.

clamscan takes 20 seconds to load the virus definitions and it is slow.

If you have to use EC2 you can use the Docker image. That works fine too.

--
Thanks,

Jaspal Sandhu
Re: [clamav-users] Calm AV assistance
Basically, users upload a file to our Windows servers. Now maybe we save
that to S3 and somehow pass the S3 URL or bucket/file to ClamAV to scan. I
don't know what's easiest to do. That or to forward that file from the
Windows server to the ClamAV Linux server for scanning. But somehow, we
need to take that uploaded file, save it somewhere that ClamAV can scan and
let us know if it's bad or not. If it's bad, we can delete it in our
code.

Re: [clamav-users] Calm AV assistance
Hi there,

On Fri, 5 Nov 2021, Michael Pifer via clamav-users wrote:

> ... users upload a file to our Windows servers. Now maybe we save
> that to S3 and somehow pass the S3 URL or bucket/file to ClamAV to
> scan. I don't know what's easiest to do. That or to forward that
> file from the Windows server to the ClamAV Linux server for
> scanning.

If you read the documentation you'll see that ClamAV runs on Windows.
If the upload server is a Windows box I'd suggest that it's simplest
to run ClamAV on the Windows server. Having said that, Windows boxes
are the target of more malicious software than anything else, so you
might want the scanner to be hosted on a less attractive target.

> ... somehow, we need to take that uploaded file, save it somewhere
> that ClamAV can scan ...

If you give the ClamAV process(es) permission to read the uploaded
file then it can scan it in the Windows filesystem after uploading.
If you prefer, it could scan the data stream as it's being uploaded,
before it's even written to the filesystem. Either way you probably
want to use a 'clamd' process (a daemon) to do the scanning.

You need to read the documentation.

> and let us know if it's bad or not. If it's bad, we can delete it
> in our code.

That's up to you, but do please heed my warning about probabilities.
It is not safe to rely entirely on ClamAV to determine whether or not
an uploaded file is malicious. There are services freely available on
the Web which will scan files using a dozen or more different scanning
engines. I use such a service frequently to scan attachments in mail
sent to our servers. None of the scan engines has a 100% success rate
and I have posted some of my observations of the performance of ClamAV
itself here on this list. I think the performance of the best of the
scanners is in the region of 80% on a good day. So even if you were
to use *all* the available scanners to scan *every* uploaded file, you
could probably expect to miss about one in five malicious uploads.

Speaking for myself, those numbers would be enough to make me dismiss
the idea as insane.

--

73,
Ged.
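
The setup discussed in this thread (a clamd daemon scanning the upload data stream before it is written to disk), as an added example that is not part of the original messages or of ClamAV's own code. It speaks clamd's INSTREAM command over TCP; the function names, the verdict labels, the user-facing messages and the 127.0.0.1:3310 address are assumptions and must match your own clamd.conf.

```python
import socket
import struct

def instream_frames(chunks):
    """Yield the bytes of one clamd INSTREAM session for an iterable of byte chunks."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    for chunk in chunks:
        if chunk:  # skip empty chunks: a zero-length frame would end the stream early
            yield struct.pack("!I", len(chunk)) + chunk  # 4-byte big-endian length
    yield struct.pack("!I", 0)  # zero-length frame marks end of stream

def parse_reply(raw):
    """Map clamd's terse reply to (verdict, detail)."""
    text = raw.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text == "stream: OK":
        return ("not_flagged", "")  # no signature matched; not proof the file is safe
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("flagged", text[len("stream: "):-len(" FOUND")])
    return ("error", text)  # ERROR replies, empty or unexpected output

def scan_stream(sock, chunks):
    """Run one INSTREAM scan over a connected socket-like object."""
    try:
        for frame in instream_frames(chunks):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    except OSError as exc:  # connection dropped or timed out mid-upload
        return ("error", str(exc))
    return parse_reply(reply)

def upload_decision(verdict):
    """Return (accept, message for the user); anything but a clean scan is refused."""
    if verdict == "not_flagged":
        return (True, "Upload accepted.")
    if verdict == "flagged":
        return (False, "The file appears to be infected and was not uploaded.")
    return (False, "The file could not be scanned and was not uploaded.")

def scan_upload(chunks, host="127.0.0.1", port=3310):  # address is an assumption
    try:
        with socket.create_connection((host, port), timeout=30) as sock:
            return scan_stream(sock, chunks)
    except OSError as exc:  # clamd unreachable: treated as a scan error
        return ("error", str(exc))
```

A scan error or an unreachable daemon refuses the upload rather than letting it through, and what happens to a flagged file (delete or set aside) is left to the calling application.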
