LATEST VERSION: 1.3 - CHANGELOG
ClamAV Add-on for PCF v1.3

Troubleshooting ClamAV Add-on for PCF

Page last updated:

This topic provides instructions to verify that the ClamAV-based antivirus add-on works with your Pivotal Cloud Foundry (PCF) deployment, and provides general recommendations for troubleshooting and ensuring that the deployment is being protected as you expect.

There are two common types of issues that can occur with the ClamAV Add-on for PCF:

  • The installation of the add-on is not successful.

  • The installation succeeds, but at runtime a detection is not successful.

Troubleshoot ClamAV

ClamAV Installation Issues

Symptom

Applying changes in Ops Manager fails. The bottom of the changelog contains an error message similiar to the following:

...
Started updating job nats > nats/0 (12bfae02-b4af-4104-b2bd-227ff07b2d92) (canary). Done (00:02:31)
  Failed updating job etcd_server > etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11) (canary): 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd (00:05:53)


Error 400007: 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd

Explanation

The ClamAV mirror server was unavailable during initial deployment.

Solution

Review the manifest file, and replace the database_mirror key with the address of a stable mirror server. If you do not have a stable mirror server for reliable initial deployment, use the S3-based mirror: pivotal-clamav-mirror.s3.amazonaws.com


ClamAV Runtime Issues

Symptom

Malware signature or sample malware is not detected, even though the ClamAV daemon is properly configured.

Explanation

Virus signatures are not up-to-date.

Solution

First, ensure that the configuration checks have been done, that the mirror server is correctly configured and is available on the network from within the PCF private subnet, and that at least one hour has elapsed. One hour is the default scan schedule interval.

If the local mirror is up-to-date and ClamAV is still failing to detect a malware sample, you might have encountered a new threat. Pivotal recommends alerting the community via existing channels and reporting the suspicious file directly to the ClamAV team.

Note: Pivotal does not provide support for ClamAV detection failures, mirror coordination, or threat tracking activity.


Create a pull request or raise an issue on the source for this page in GitHub