Installing and Configuring Anti-Virus

Note: Pivotal Platform is now part of VMware Tanzu. In v2.2 and later, Pivotal Anti-Virus is named Anti-Virus for VMware Tanzu.

This topic describes how to install and configure Anti-Virus for VMware Tanzu.

Before installing Anti-Virus, VMware recommends that you download and install the Anti-Virus Mirror for VMware Tanzu tile. For more information about the Anti-Virus Mirror tile, see Installing and Configuring Anti-Virus Mirror for VMware Tanzu.

Prerequisites

To install Anti-Virus, you must have:

  • An Ops Manager operator user account with admin rights. For more information, see Pivotal Platform Operators.

  • Operations Manager (Ops Manager). For compatible versions, see the Product Snapshot.

  • At least 1 GB of RAM free for each VM that installs Anti-Virus. Anti-Virus installs itself on each tile VM and runs internally. Anti-Virus takes at least 610 MB of RAM on each VM. On Google Cloud Platform (GCP), the recommended minimum VM size is micro.cpu using 2 CPU and 2 GB RAM.

  • An external mirror. If you do not have an external mirror, VMware recommends that you install the Anti-Virus Mirror. For instructions, see Installing and Configuring Anti-Virus Mirror for VMware Tanzu.

Install Anti-Virus

Install the Anti-Virus tile on the Ops Manager Installation Dashboard:

  1. Download the product file from VMware Tanzu Network.

  2. Navigate to the Ops Manager Installation Dashboard and select Import a Product to upload the product file.

  3. Under the Import a Product button, click + next to the version number of Anti-Virus. This adds the tile to your staging area.

  4. Click the newly added Anti-Virus for VMware Tanzu tile.

Configure Anti-Virus

To configure Anti-Virus:

  1. Select Anti-Virus Configuration.

  2. Configure Mirror for Automatic Database Updates. Select one of the following mirror types and complete its fields.

    Configure Official mirror
    • Official mirror: Select this to have the mirror fetch databases from database.clamav.net.

    Configure Deployed mirror from the Anti-Virus Mirror tile
    • Deployed mirror from the Anti-Virus Mirror for VMware Tanzu Tile: Select this when using the Anti-Virus Mirror for VMware Tanzu tile. For more information, see Installing and Configuring Anti-Virus Mirror for VMware Tanzu.
    • Anti-Virus Mirror Port: Enter the port for Anti-Virus Mirror to use. The default value is 6501.

    Note: Anti-Virus Mirror uses mutual TLS (mTLS). This port must be the same port used in Anti-Virus Mirror Port of the Anti-Virus Mirror for VMware Tanzu tile. If these ports are not the same, Anti-Virus database updates and deployments fail.

    Configure Existing Mirror
    • Existing Mirror: Select this to use an existing mirror without TLS.
    • Comma separated list of mirror hostnames or IPs: Enter one or more mirror hostnames or IP addresses in a comma-separated list.

    Configure Existing Mirror with TLS
    • Existing Mirror with TLS: Select this to enter a hostname, port number, and CA certificate.
    • Mirror hostname without leading https://: Enter the hostname or IP address for your existing mirror. For example: pivotal-anti-virus-mirror.s3.amazonaws.com or 10.0.4.5

    Note: Ensure that your existing mirror server is using the correct certificate for the method you choose (hostname or IP address).

    • Mirror Port: Enter the port used by your existing mirror. For example: 443
    • Mirror CA Certificate: Enter the CA certificate used with your existing mirror. For example:
      -----BEGIN CERTIFICATE-----
      MIIEYzCCA0ugAwIBAgIQAYL4CY6i5ia5GjsnhB+5rzANBgkqhki
      ...
      upcHi9nzBhDFKdT3uhaQqNBU4UtJx5g=
      -----END CERTIFICATE-----
  3. Configure the remaining fields:

    • (Optional) Enable on-access scanning on Linux: Select this option to scan files immediately after they are modified.

    Note: On-Access Scan is not supported on Windows.

    • Memory limit (in bytes): Enter the maximum amount of user memory (including file cache), in bytes, that Anti-Virus can use. The default value is 1610612736.
    • Number of database checks per day: Set how often VMs check the mirror for virus database updates. This is the mirror you selected under Mirror for Automatic Database Updates, above. The default value is 12.
    • Timeout to connect to the database server (in seconds): Set the timeout for downloading virus definitions from the mirror server configured in Mirror for Automatic Database Updates. The default value is 30.
    • CPU limit (percentage): Set the percentage of CPU that the Anti-Virus processes can use. Integers from 1 to 100 are valid. Setting this field to 100 permits the use of one full core.

    Note: CPU limit affects only one core. For example, in a system with four cores, if you set the CPU limit to 100, Anti-Virus uses only one of the four cores.

    • Enforce CPU limit: Set the enforcement policy for the CPU limit:
      • Always: Ensures the CPU limit is always enforced.
      • When other processes are using CPU resources: Permits CPU usage to exceed the limit set by CPU limit if idle CPU cycles are available.

    Warning: If Enforce CPU limit is set to Enable, ensure CPU limit (percentage) is set high enough for Anti-Virus to execute normally. If the limit is too strict, Anti-Virus fails to start.

    • Action to take when a virus is found: Select one of the following options:
      • Notify: (Default) Only send a notification to syslog.
      • Remove: Delete the infected file from the file system.
      • Move: Move the infected file to a specified directory.
      • Copy: Copy the infected file to a specified directory.
      For the Move and Copy options, a Destination for infected files field appears after the option is selected.
    • Destination for infected files: Enter the directory to which infected files are moved or copied. This field appears only if you selected Move or Copy as the Action to take when a virus is found.

    Note: Add this path to the Directories and files that will be ignored (on Windows) list below. If you do not, Anti-Virus:
      • Detects the moved or copied file
      • Logs redundant alerts
      • Creates additional copies of the detected file

    • Directories and files that will be ignored: Enter directories in a comma-separated list for Anti-Virus to not scan on Linux. The default value is “/proc/,/sys/”, which excludes the /proc and /sys directories from Anti-Virus scans. VMware recommends that you ignore the /proc, /sys, and Destination for infected files directories.
    • Directories and files that will be ignored on Windows: Enter directories in a comma-separated list for Anti-Virus to not scan on Windows.
    • List of signature names that will be ignored (Used for false positives): Enter signature names in a comma-separated list for Anti-Virus to add to the allowlist. For example, Eicar-Test-Signature, Clamav.Test.File-7 configures Anti-Virus to ignore the Eicar Test File and ClamAV Test File-7 signatures.
    • List of instance group names that will be excluded from deployment: Enter the instance groups that you do not want Anti-Virus deployed on. Use a comma-separated list.


  4. Click Save.

If a scan reports false positives, report the issue to ClamAV. For more information about false positives, see Anti-Virus Reports False Positives. It takes about a week for ClamAV to verify and publish a new database.

Configure HTTP Proxy

If you require a proxy server for Anti-Virus jobs to connect to the internet to update their virus definitions, you can configure one:

  1. Select HTTP Proxy Configuration for Anti-Virus Jobs.

  2. Set HTTP proxy for Anti-Virus jobs to get database updates to Enabled.

  3. Enter the Host, Port, Username and Password in the fields that appear.

  4. Click Save.

Configure Scheduled Scan

Anti-Virus can be configured to run a scheduled virus scan hourly or daily. The default value is daily. The earliest and latest start times for daily scans must be given in 24-hour HH:MM format.

To change the scheduled scan value:

  1. Select Scheduled Scans.

  2. Set Interval for scheduled scans to run to one of these options:

    • Hourly
    • Daily (default)
    • Disabled
  3. (Optional) If you selected Daily scheduled scans, you can restrict the window in which a scan can start. To do this, set Earliest time that a daily scheduled scan can start and Latest time that a daily scheduled scan can start.

  4. Click Save.

Apply Changes from Your Configuration

Your installation is not complete until you apply your configuration changes. To do this, complete this procedure:

  1. Return to the Ops Manager Installation Dashboard.
  2. Click Review Pending Changes.
  3. Ensure all products are selected and click Apply Changes.



(Optional) Configure Anti-Virus to Exclude Duplicate Logs on Containers

You can use Anti-Virus to scan:

  • Garden containers on the Diego Cell VMs in VMware Tanzu Application Service for VMs (TAS for VMs).
  • Containers on the Kubernetes worker node VMs in Enterprise VMware PKS (Enterprise PKS).

However, duplicate logs about the same file appear under the diff, rootfs, or merged directories as a consequence of the OverlayFS implementation.

To configure Anti-Virus to ignore duplicate logs for these directories, see the optional Exclude Duplicate Logs on Garden Containers or Exclude Duplicate Logs on Containers in Enterprise PKS sections below.

(Optional) Exclude Duplicate Logs on Garden Containers

When Anti-Virus scan results detect potential malware on Garden containers, logs are reported for both the diff and rootfs directories.

This is because the rootfs directory is the projection of the diff directory on top of a base image layer; therefore it is safe to ignore the rootfs directory. GrootFS mounts the underlying volumes using OverlayFS to a point in the images directory. This mount point is the rootfs directory for the container and is read-write.

For more information about GrootFS OverlayFS implementation, see Volumes in the Cloud Foundry documentation.

Procedure

To configure Anti-Virus to ignore duplicate logs for these directories:

  1. Select Anti-Virus Configuration.
  2. Enter the following ignore pattern into the Directories and files that will be ignored field:

    ^/var/vcap/data/grootfs/store/(un)?privileged/images/[\w-]+/rootfs/.*$

    Note: Adding this ignore pattern means that files and directories in the /var/vcap/data/grootfs/store/unprivileged/images/UUID/rootfs directory are ignored by Anti-Virus. UUID is the ID of the container.

  3. Click Save.

  4. To apply the configuration change, follow the instructions in Apply Changes from Your Configuration above.

For an example log entry, see Container Log Messages.

(Optional) Exclude Duplicate Logs on Containers in Enterprise PKS

When Anti-Virus scan results detect potential malware on containers of the Kubernetes worker node VMs in Enterprise PKS, logs are reported for both the diff and merged directories.

This is because the merged directory is the projection of the diff directory on top of a base image layer; therefore it is safe to ignore the merged directory.

For more information about Docker OverlayFS implementation, see Use the OverlayFS storage driver in the Docker documentation.

Procedure

To configure Anti-Virus to ignore duplicate logs for these directories:

  1. Select Anti-Virus Configuration.
  2. Enter the following ignore pattern into the Directories and files that will be ignored field:

    ^/var/vcap/store/docker/docker/overlay2/\w+/merged/.*$

    Note: Adding this ignore pattern means that files and directories in the /var/vcap/store/docker/docker/overlay2/ID/merged directory are ignored by Anti-Virus. ID is the overlay2 directory name matched by \w+.

  3. Click Save.

  4. To apply the configuration change, follow the instructions in Apply Changes from Your Configuration above.

For an example log entry, see Container Log Messages.
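To check which paths a given ignore list actually covers before you save it, here is an added example (not part of this documentation or of the product) that applies the page's default entries and the two container patterns above to constructed sample paths. It assumes that entries are regular expressions matched with search semantics, as clamd's ExcludePath directive does, and it assumes a quarantine directory /var/vcap/data/av-quarantine/ as the Destination for infected files.

```python
import re

# Constructed sample value for the "Directories and files that will be ignored"
# field: the page's default entries, an assumed quarantine directory used as
# "Destination for infected files", and the two container patterns from this page.
IGNORE_FIELD = (
    "/proc/,/sys/,/var/vcap/data/av-quarantine/,"
    r"^/var/vcap/data/grootfs/store/(un)?privileged/images/[\w-]+/rootfs/.*$,"
    r"^/var/vcap/store/docker/docker/overlay2/\w+/merged/.*$"
)


def parse_ignore_list(field: str) -> list[re.Pattern]:
    """Split the comma-separated field into compiled patterns.

    Assumption (not stated on the page): each entry is a regular expression
    applied with search semantics, as clamd's ExcludePath directive does.
    Because the field is comma-separated, a pattern must not itself contain
    a comma (so no {1,3}-style quantifiers).
    """
    return [re.compile(entry.strip()) for entry in field.split(",") if entry.strip()]


def is_ignored(path: str, patterns: list[re.Pattern]) -> bool:
    """True if any ignore entry matches the path, i.e. the scanner skips it."""
    return any(p.search(path) for p in patterns)


def classify(paths: list[str], field: str = IGNORE_FIELD) -> dict[str, bool]:
    """Map each path to whether the configured ignore list would skip it."""
    patterns = parse_ignore_list(field)
    return {path: is_ignored(path, patterns) for path in paths}


# Constructed paths: the same detected file as seen through the writable
# layer (diff, still scanned) and through the overlay mount (rootfs/merged,
# now ignored), the quarantine directory, and an unanchored-entry case.
SAMPLE_PATHS = [
    "/var/vcap/data/grootfs/store/unprivileged/images/3f2a-1b/diff/tmp/eicar.com",
    "/var/vcap/data/grootfs/store/unprivileged/images/3f2a-1b/rootfs/tmp/eicar.com",
    "/var/vcap/data/grootfs/store/privileged/images/3f2a-1b/rootfs/tmp/eicar.com",
    "/var/vcap/store/docker/docker/overlay2/a1b2c3/diff/usr/bin/payload",
    "/var/vcap/store/docker/docker/overlay2/a1b2c3/merged/usr/bin/payload",
    "/var/vcap/data/av-quarantine/eicar.com",
    "/home/vcap/app/notes.txt",
    "/home/vcap/app/proc/notes.txt",  # the unanchored "/proc/" entry matches here too
]

if __name__ == "__main__":
    for path, ignored in classify(SAMPLE_PATHS).items():
        print(f"{'IGNORED' if ignored else 'SCANNED'}  {path}")
```

The last sample path shows why anchoring an entry with ^ matters under the assumed search semantics: the default "/proc/" entry also skips any path that merely contains a /proc/ component.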