Troubleshooting ClamAV Add-on for PCF
Page last updated:
This topic provides instructions to verify that the ClamAV-based antivirus add-on works with your Pivotal Cloud Foundry (PCF) deployment and provides general recommendations for troubleshooting and ensuring that the deployment is being protected as you expect.
Applying changes in Ops Manager fails. The bottom of the changelog contains an error message similar to the following:
... Started updating job nats > nats/0 (12bfae02-b4af-4104-b2bd-227ff07b2d92) (canary). Done (00:02:31) Failed updating job etcd_server > etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11) (canary): 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd (00:05:53) Error 400007: 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd
The ClamAV mirror server was unavailable during initial deployment.
Review the manifest file, and replace the
database_mirror key with the address of a stable mirror server.
If you do not have a stable mirror server for reliable initial deployment, use the S3-based mirror:
Malware signature or sample malware is not detected, even though the ClamAV daemon is properly configured.
Virus signatures are not up-to-date.
First, ensure that the configuration checks have been done, that the mirror server is correctly configured and is available on the network from within the PCF private subnet, and that at least one hour has elapsed. One hour is the default scan schedule interval.
If the local mirror is up-to-date and ClamAV is still failing to detect a malware sample, you might have encountered a new threat. Pivotal recommends alerting the community via existing channels and reporting the suspicious file directly to the ClamAV team.
Note: Pivotal does not provide support for ClamAV detection failures, mirror coordination, or threat tracking activity.
ClamAV reports a false postive result; a non-malicious file is reported to be a virus.
ClamAV compares files to its database of known malicious patterns. ClavAV may detect a non-malicious file as a virus due to a coincidental similarity to those patterns.
Submit false positive reports to ClamAV. You can also subscribe to the ClamAV email list to be kept up-to-date with ClamAV database changes.
ClamAV is taking more CPU resources than assigned in its configuration.
ClamAV resource consumption is restricted using CGroups. ClamAV is resource-limited whenever other processes are active. However, CGroups allows ClamAV to occupy more CPU resources when all other processes are idle, because it does not impact their performance.
This is expected behavior from CGroups. If a hard limit is required, set the
enforce_cpu_limit Linux property.