Pivotal Anti-Virus


This topic is an overview of Pivotal Anti-Virus.

Note: Pivotal Anti-Virus replaces an earlier product called ClamAV Add-on for Pivotal Cloud Foundry (PCF). To learn how Pivotal Anti-Virus differs from ClamAV Add-on for PCF, see the feature list in Release Notes.

About Anti-Virus

Anti-Virus might be necessary for regulatory purposes if your compliance auditor requires antivirus protection within your Pivotal Platform environment.

For example, auditors sometimes expect that antivirus protection is present in an environment that must comply with standards such as the Payment Card Industry Data Security Standard (PCI DSS) or Health Insurance Portability and Accountability Act (HIPAA).

Product Snapshot for Pivotal Anti-Virus

The following table provides version and version-support information about Pivotal Anti-Virus.

Version: 2.0.13
Release date: September 18, 2019
Software component version: Open Source ClamAV 0.101.4
Compatible Ops Manager versions: 2.2, 2.3, 2.4, 2.5, 2.6, and 2.7
Compatible Pivotal Application Service (PAS) versions: 2.3, 2.4, 2.5, 2.6, and 2.7
Compatible Enterprise Pivotal Container Service (Enterprise PKS) versions: 1.2, 1.3, 1.4, and 1.5
Compatible BOSH stemcells: Ubuntu (Xenial and Trusty) and Windows (2016 and 2012)
IaaS support: vSphere, GCP, AWS, Azure, and OpenStack

Product Snapshot for Pivotal Anti-Virus Mirror

The following table provides version and version-support information about Pivotal Anti-Virus Mirror.

Version: 2.0.13
Release date: September 18, 2019
Compatible Ops Manager versions: 2.2, 2.3, 2.4, 2.5, and 2.6
Compatible Pivotal Application Service (PAS) versions: 2.3, 2.4, 2.5, and 2.6
Compatible Enterprise Pivotal Container Service (Enterprise PKS) versions: 1.2, 1.3, and 1.4
Compatible BOSH stemcells: Ubuntu Xenial and Trusty
IaaS support: vSphere, GCP, AWS, and OpenStack

Features

Pivotal Anti-Virus includes the following features:

  • Open-source ClamAV packaged as part of the tile for installation
  • A private Anti-Virus Mirror tile that deploys a mirror VM to serve virus definitions to the VMs of the foundation:
    • Anti-Virus Mirror serves both air-gapped and non-air-gapped environments.
    • The Anti-Virus Mirror tile authenticates and validates virus definition database files downloaded from the public ClamAV database before serving them, so an unsigned or tampered file never reaches the foundation's VMs.
  • Ability to scan VMs and containers for foundations with PAS and Enterprise PKS
  • Support for scheduled scans to reduce workload during peak operation hours
  • Whitelisting of known signatures
  • Configuration options that let you set CPU and memory usage limits on VMs of the foundation

Anti-Virus Architecture

The following sections provide some information and diagrams to help you understand how Pivotal Anti-Virus works.

How Virus Definitions Propagate to VMs

Virus definitions on the internal Anti-Virus Mirror update automatically or manually, depending on whether your foundation is on an online or an air-gapped network, as described in Update Virus Definitions. Both processes first store new virus definitions in the Anti-Virus Mirror VM's unverified definition database:

  • Automatic update: The freshclam daemon process on the Anti-Virus Mirror VM downloads the virus definitions from the external ClamAV database and stores them in the internal mirror VM's unverified database.
  • Manual update: The operator downloads the virus definitions on a machine with Internet access and runs bosh scp to copy them directly into the internal mirror's unverified database.

From the unverified internal mirror database, virus definitions then propagate to BOSH VMs as follows:

  1. The database verifier process on the Anti-Virus Mirror verifies the date, format, and integrity of the new virus definitions.

    • To verify integrity, the verifier checks the signatures on the new definition files, including bytecode signatures, using the public key of the external ClamAV database.
    • If verification fails, or if the virus definitions are not newer than the ones already in the verified database, the mirror VM generates an error and does not serve the new files. See Virus Database Update Issues.
  2. The internal Anti-Virus Mirror VM saves verified virus definitions to its verified database and serves only that database to the freshclam processes of BOSH VMs.

  3. On each BOSH-managed VM:

    1. The freshclam daemon process regularly queries the internal Anti-Virus Mirror for new virus definitions.
      • You can configure the query frequency in the Pivotal Anti-Virus tile > ClamAV Configuration > Number of database checks per day field.
    2. When freshclam retrieves new definitions, it:
      • Notifies the clamd daemon process that there are new definitions, and
      • Saves the virus definitions in the BOSH VM’s own virus database.
    3. The clamd process loads the new virus definitions into memory, so that scans dispatched to it do not reload the database on each run.

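The verifier step above is easier to reason about with the file format in hand. A ClamAV .cvd file is a 512-byte, space-padded ASCII header of the form ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>, followed by the compressed signature tarball; the <md5> field is the digest of everything after the header, and <dsig> is an RSA signature over that digest that ClamAV checks with its public key. The following is an added example, not Pivotal's verifier or ClamAV's own code, showing the date, format, and integrity checks a verifier applies before promoting a file from the unverified to the verified database. The function names (parse_cvd_header, verify_cvd, check_cvd, make_cvd), the MAX_CLOCK_SKEW allowance, and the placeholder signature check are assumptions for illustration; make_cvd builds a constructed blob in the CVD shape so the example runs offline.

```python
"""Added example: CVD-style date, format and integrity checks (not Pivotal's code).

The real verifier also validates the RSA <dsig> with the ClamAV public key;
here that step is a pluggable callable whose default is a labelled placeholder.
"""
import hashlib
import time

HEADER_LEN = 512
MAX_CLOCK_SKEW = 24 * 3600  # assumed: tolerate build timestamps up to a day ahead


class CvdError(Exception):
    """A definition file failed the date, format or integrity check."""


def parse_cvd_header(blob: bytes) -> dict:
    """Format check: split the header fields, raising CvdError on anything odd."""
    if len(blob) < HEADER_LEN:
        raise CvdError("file shorter than the 512-byte CVD header")
    try:
        header = blob[:HEADER_LEN].decode("ascii").rstrip(" \x00")
    except UnicodeDecodeError as exc:
        raise CvdError("header is not ASCII") from exc
    fields = header.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise CvdError("missing ClamAV-VDB magic or too few header fields")
    try:
        parsed = {
            "build_time": fields[1],
            "version": int(fields[2]),
            "sigs": int(fields[3]),
            "flevel": int(fields[4]),
            "md5": fields[5].lower(),
            "dsig": fields[6],
            "builder": fields[7],
            "stime": int(fields[8]),
        }
    except ValueError as exc:
        raise CvdError("non-numeric version/sigs/flevel/stime field") from exc
    if len(parsed["md5"]) != 32 or any(c not in "0123456789abcdef" for c in parsed["md5"]):
        raise CvdError("md5 field is not 32 hex characters")
    return parsed


def placeholder_signature_check(md5_hex: str, dsig: str) -> bool:
    """Stand-in (assumption) for RSA verification of <dsig> with the ClamAV public key."""
    return bool(dsig)


def verify_cvd(blob: bytes, current_version: int, now=None,
               signature_ok=placeholder_signature_check) -> dict:
    """Reject stale, future-dated, malformed or tampered definitions.

    Returns the parsed header on success so the caller can record which
    version it promoted to the verified database.
    """
    now = int(time.time()) if now is None else now
    header = parse_cvd_header(blob)
    # Date checks: must be newer than what is already served, and not from the future.
    if header["version"] <= current_version:
        raise CvdError(f"version {header['version']} is not newer than {current_version}")
    if header["stime"] > now + MAX_CLOCK_SKEW:
        raise CvdError("build timestamp is in the future")
    # Integrity check: the header digest must match the body that follows it.
    actual = hashlib.md5(blob[HEADER_LEN:]).hexdigest()
    if actual != header["md5"]:
        raise CvdError("body MD5 does not match header")
    if not signature_ok(header["md5"], header["dsig"]):
        raise CvdError("digital signature rejected")
    return header


def check_cvd(blob: bytes, current_version: int, now=None) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        verify_cvd(blob, current_version, now)
    except CvdError as exc:
        return str(exc)
    return "ok"


def make_cvd(version: int, body: bytes, stime: int, sigs: int = 1,
             dsig: str = "constructed-signature") -> bytes:
    """Build a constructed CVD-shaped blob for testing; not a real ClamAV file."""
    build_time = time.strftime("%d %b %Y %H-%M +0000", time.gmtime(stime))
    md5 = hashlib.md5(body).hexdigest()
    head = f"ClamAV-VDB:{build_time}:{version}:{sigs}:63:{md5}:{dsig}:example:{stime}"
    return head.encode("ascii").ljust(HEADER_LEN, b" ") + body


if __name__ == "__main__":
    body = b"constructed stand-in for the compressed signature tarball"
    now = 1_568_851_200                                   # 2019-09-19 00:00 UTC
    fresh = make_cvd(25600, body, stime=1_568_764_800)    # built the day before
    print(check_cvd(fresh, current_version=25599, now=now))
    print(check_cvd(fresh, current_version=25600, now=now))
    tampered = fresh[:HEADER_LEN] + b"X" + fresh[HEADER_LEN + 1:]
    print(check_cvd(tampered, current_version=25599, now=now))
```

The order of checks matters operationally: the cheap format and version checks run first so a replayed or stale file is rejected without hashing it, and the signature check runs last because it is the only step that proves the file came from the ClamAV project rather than from whoever controls the download path. In a real verifier, replace placeholder_signature_check with RSA verification against the ClamAV public key; the MD5 comparison alone only detects corruption, not substitution.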
The diagrams below illustrate how new virus definitions propagate from an external ClamAV database to BOSH VMs, in online and air-gapped Pivotal Platform installations.

Online Network

This diagram illustrates how virus definitions propagate to BOSH VMs in an online network:

Online (non-air-gapped) update process, following the path of new virus data. The external ClamAV database in the cloud serves new virus data to freshclam running on the local Anti-Virus Mirror. The local mirror runs it through the database verifier, also on the Anti-Virus Mirror, and then serves it to freshclam on all BOSH VMs. On each BOSH VM, freshclam notifies clamd that there are new definitions and saves the definitions in the VM's virus database. clamd then loads the new virus definitions from the database into its memory to enable fast scanning.

Air-Gapped Network

This diagram illustrates how virus definitions propagate to BOSH VMs in an air-gapped network:

Air-gapped update process, following the path of new virus data. The operator downloads virus data from the external ClamAV database in the cloud, then runs bosh scp to copy it to the local Anti-Virus Mirror. The local mirror runs it through the database verifier, also on the Anti-Virus Mirror, and then serves it to freshclam on all BOSH VMs. On each BOSH VM, freshclam notifies clamd that there are new definitions and saves the definitions in the VM's virus database. clamd then loads the new virus definitions from the database into its memory to enable fast scanning.