ClamAV Add-on for PCF v1.3

Troubleshooting ClamAV Add-on for PCF


This topic provides instructions to verify that the ClamAV-based antivirus add-on works with your Pivotal Cloud Foundry (PCF) deployment, and provides general recommendations for troubleshooting and ensuring that the deployment is being protected as you expect.

ClamAV Installation Issues

Ops Manager Fails to Apply Changes

Symptom

Applying changes in Ops Manager fails. The bottom of the changelog contains an error message similar to the following:

...
Started updating job nats > nats/0 (12bfae02-b4af-4104-b2bd-227ff07b2d92) (canary). Done (00:02:31)
  Failed updating job etcd_server > etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11) (canary): 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd (00:05:53)


Error 400007: 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd

Explanation

The ClamAV mirror server was unavailable during initial deployment.

Solution

Review the manifest file and set the database_mirror key to the address of a stable mirror server. If you do not have a stable mirror server for a reliable initial deployment, use the S3-based mirror: pivotal-clamav-mirror.s3.amazonaws.com


ClamAV Runtime Issues

ClamAV Is Not Detecting Malware

Symptom

Malware signature or sample malware is not detected, even though the ClamAV daemon is properly configured.

Explanation

Virus signatures are not up-to-date.

Solution

First, confirm that the configuration checks have been completed, that the mirror server is correctly configured and reachable on the network from within the PCF private subnet, and that at least one hour has elapsed. One hour is the default scan schedule interval.
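The two checks above (mirror reachable from the VM, signatures updated within the last hour) can be scripted. The following is an added example, not part of the ClamAV Add-on or its documentation; it assumes the mirror serves the standard freshclam file layout over HTTP (so that /daily.cvd exists), and the signature directory path you pass in is your own, since the add-on's database location is not stated on this page.

```shell
#!/bin/sh
# Added example (not from the ClamAV Add-on): sanity checks for the
# "ClamAV Is Not Detecting Malware" case.
#
#   mirror_reachable HOST        - HEAD request for /daily.cvd on the mirror
#                                  (assumes the standard freshclam layout)
#   db_is_fresh DIR [MINUTES]    - true if any *.cvd or *.cld signature file
#                                  in DIR changed within MINUTES (default 60,
#                                  the add-on's default schedule interval)
#   check_clamav_updates HOST DIR - runs both and reports; non-zero on failure
#
# DIR is an assumption: substitute the signature directory used on your VMs.

mirror_reachable() {
    host="$1"
    # -f: fail on HTTP errors; -I: HEAD only, so no database is downloaded.
    curl -sSf -I --max-time 10 "http://${host}/daily.cvd" >/dev/null 2>&1
}

db_is_fresh() {
    dir="$1"
    minutes="${2:-60}"
    [ -d "$dir" ] || return 1
    # Succeeds only if at least one signature file was modified less than
    # $minutes ago. main.cvd rarely changes, so the newest file is what matters.
    find "$dir" \( -name '*.cvd' -o -name '*.cld' \) -mmin "-${minutes}" 2>/dev/null \
        | grep -q .
}

check_clamav_updates() {
    host="$1"
    dir="$2"
    status=0
    if mirror_reachable "$host"; then
        echo "OK: mirror ${host} reachable"
    else
        echo "FAIL: mirror ${host} not reachable (check database_mirror and subnet egress)"
        status=1
    fi
    if db_is_fresh "$dir"; then
        echo "OK: a signature file in ${dir} was updated within the last hour"
    else
        echo "FAIL: no signature file in ${dir} updated within the last hour"
        status=1
    fi
    return "$status"
}

# Usage (mirror from this page; directory is a placeholder):
#   check_clamav_updates pivotal-clamav-mirror.s3.amazonaws.com /path/to/clamav/db
```

Run it on a VM inside the PCF private subnet rather than from a workstation, because the point of the mirror check is egress from that subnet specifically. A mirror that is reachable but serves stale files still leaves db_is_fresh failing, which is the case the next paragraph covers.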

If the local mirror is up-to-date and ClamAV is still failing to detect a malware sample, you might have encountered a new threat. Pivotal recommends alerting the community via existing channels and reporting the suspicious file directly to the ClamAV team.

Note: Pivotal does not provide support for ClamAV detection failures, mirror coordination, or threat tracking activity.


ClamAV Reports False Positives

Symptom

ClamAV reports a false positive result; a non-malicious file is reported to be a virus.

Explanation

ClamAV compares files to its database of known malicious patterns. ClamAV may detect a non-malicious file as a virus due to a coincidental similarity to those patterns.

Solution

Submit false positive reports to ClamAV. You can also subscribe to the ClamAV email list to be kept up to date with ClamAV database changes.


Getting CPU Spikes While Using ClamAV

Symptom

ClamAV is taking more CPU resources than assigned in its configuration.

Explanation

ClamAV resource consumption is restricted using CGroups. ClamAV is resource-limited whenever other processes are active. However, CGroups allows ClamAV to occupy more CPU resources when all other processes are idle, because doing so does not impact their performance.

Solution

This is expected behavior from CGroups: the configured limit applies under contention, not when the CPU is otherwise idle.
