Troubleshooting ClamAV Add-on for PCF
Page last updated:
This topic provides instructions to verify that the ClamAV-based antivirus add-on works with your Pivotal Cloud Foundry (PCF) deployment, and provides general recommendations for troubleshooting and ensuring that the deployment is being protected as you expect.
There are two common types of issues that can occur with the ClamAV Add-on for PCF:
The installation of the add-on is not successful.
The installation succeeds, but at runtime a detection is not successful.
Applying changes in Ops Manager fails. The bottom of the changelog contains an error message similiar to the following:
... Started updating job nats > nats/0 (12bfae02-b4af-4104-b2bd-227ff07b2d92) (canary). Done (00:02:31) Failed updating job etcd_server > etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11) (canary): 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd (00:05:53) Error 400007: 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd
The ClamAV mirror server was unavailable during initial deployment.
Review the manifest file, and replace the
database_mirror key with the address of a stable mirror server. If you do not have a stable mirror server for reliable initial deployment, use the S3-based mirror:
Malware signature or sample malware is not detected, even though the ClamAV daemon is properly configured.
Virus signatures are not up-to-date.
First, ensure that the configuration checks have been done, that the mirror server is correctly configured and is available on the network from within the PCF private subnet, and that at least one hour has elapsed. One hour is the default scan schedule interval.
If the local mirror is up-to-date and ClamAV is still failing to detect a malware sample, you might have encountered a new threat. Pivotal recommends alerting the community via existing channels and reporting the suspicious file directly to the ClamAV team.
Note: Pivotal does not provide support for ClamAV detection failures, mirror coordination, or threat tracking activity.