ClamAV Wazuh integration


hai

Jul 24, 2024, 10:56:46 PM
to Wazuh | Mailing List
Hello, I see ClamAV support on Wazuh's official website, but I don't use yum to install it. How should I access it? Do I need to write rules myself? My log format is clamav_20240624.log clamav_20240701.log clamav_20240708.log clamav_20240715.log clamav_20240722.log
Is wildcard matching supported?

Farhan Ahmed

Jul 25, 2024, 3:40:04 AM
to Wazuh | Mailing List
Hi,

To install ClamAV you can visit the official page to download and install the desired package. To install on Debian use sudo dpkg -i <clamav-x.x.x.linux.x86_64.deb>, or you can download the tar file from the link.

Link to download this pkg - https://www.clamav.net/downloads

Once it is installed, you need to configure ClamAV and collect its log.

You should go to this path /etc/clamav/clamd.conf and uncomment LogSyslog true (remove # to uncomment).
Basically, uncommenting this statement forwards ClamAV logs to the syslog file /var/log/syslog.

You don’t need further configuration after this because the Wazuh agent reads the /var/log/syslog file by default. Your configuration should be similar to this:

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog true
LogRotate true
...

Wazuh has decoders for ClamAV logs out-of-the-box. Therefore, you don’t need to create any decoders for these logs. Furthermore, we include rules for ClamAV, which you can find at /var/ossec/ruleset/rules/0320-clam_av_rules.xml on the Wazuh server.

You can find these alerts in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files on the Wazuh server when triggered on monitored endpoints.

You can check this link for clear explanation on this - https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/clam-av-logs-collection.html

Please let me know updates on this and happy to help you anytime.

Kind regards,
Farhan

hai

Jul 25, 2024, 4:19:37 AM
to Wazuh | Mailing List
I generated a malicious file and scanned it using ClamAV, but there are no alerts about it on Wazuh; ClamAV restarts and shutdowns are visible on Wazuh. I executed:
# clamscan -r --bell ./1.txt
/root/1.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8696246
Engine version: 0.103.11
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00MB (ratio 0.00:1)
Time: 31.751 sec (0 m 31 s)
Start Date: 2024:07:25 16:10:43
It just displays it on the console and doesn't enter it into the system log.
Thank you very much and I look forward to your reply.

Farhan Ahmed

Aug 1, 2024, 3:39:25 AM
to Wazuh | Mailing List
Hello,

Can you verify if ClamAV is logging detected threats by manually scanning the file and reviewing the log file: cat /var/log/clamav/clamav.log. Also, you can check the /etc/clamav/clamd.conf configuration file if scan logs are not populated in /var/log/syslog.

Please update me on this so we can assist you further.

Regards,
Farhan
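The gap the last two posts circle around is that clamscan writes its report to the console only, while the LogSyslog setting in clamd.conf applies to the clamd daemon (which clamdscan uses), not to standalone clamscan. As an added example, not from the thread or the Wazuh project, here is a POSIX shell wrapper that parses a clamscan report and forwards each FOUND line to syslog with logger(1), so the Wazuh agent reading /var/log/syslog receives it; the syslog tag, the clamscan flags and the sample report are constructed assumptions, and the tag must match whatever decoder you rely on.

```shell
#!/bin/sh
# Added example: forward clamscan detections to syslog for Wazuh log collection.
# clamscan does not read clamd.conf, so LogSyslog never applies to its output.

# Constructed sample, shaped like the report quoted in the thread (assumption)
SAMPLE_REPORT='/root/1.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8696246
Scanned files: 1
Infected files: 1'

# Print only the "<path>: <signature> FOUND" lines of a report, one per line
found_lines() {
  printf '%s\n' "$1" | grep ' FOUND$'
}

# Number of infected files from the SCAN SUMMARY section (0 if the line is absent)
infected_count() {
  n=$(printf '%s\n' "$1" | sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p')
  echo "${n:-0}"
}

# Write every detection line to syslog. The tag "clamscan" is an assumption;
# choose the tag your Wazuh decoder keys on.
forward_to_syslog() {
  found_lines "$1" | while IFS= read -r line; do
    logger -t clamscan -p user.warning "$line"
  done
}

# Scan a path recursively, forward detections, and fail if anything was infected.
# Usage: scan_and_forward /path/to/scan
scan_and_forward() {
  report=$(clamscan -r --infected "$1" 2>&1)
  forward_to_syslog "$report"
  [ "$(infected_count "$report")" -eq 0 ]
}
```

Running scan_and_forward from cron or a systemd timer keeps the detection lines in /var/log/syslog even when scans are done with clamscan rather than through clamd.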