-
Notifications
You must be signed in to change notification settings - Fork 9
/
troubleshooting.html.md.erb
55 lines (35 loc) · 2.59 KB
/
troubleshooting.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
---
title: Troubleshooting ClamAV Add-on for PCF
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This topic provides instructions to verify that the ClamAV-based antivirus add-on works with your Pivotal Cloud Foundry (PCF) deployment, and provides general recommendations for troubleshooting and ensuring that the deployment is being protected as you expect.
There are two common types of issues that can occur with the ClamAV Add-on for PCF:
+ The installation of the add-on is not successful.
+ The installation succeeds, but at runtime a detection is not successful.
## <a id='troubleshoot-clamav'></a>Troubleshoot ClamAV
### <a id="clamav-installation-issues"></a> ClamAV Installation Issues
#### Symptom
Applying changes in Ops Manager fails. The bottom of the changelog contains an error message similiar to the following:
```
...
Started updating job nats > nats/0 (12bfae02-b4af-4104-b2bd-227ff07b2d92) (canary). Done (00:02:31)
Failed updating job etcd_server > etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11) (canary): 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd (00:05:53)
Error 400007: 'etcd_server/0 (f8e492bf-db09-4d38-8a73-5cf69d7b8a11)' is not running after update. Review logs for failed jobs: clamd
```
#### Explanation
The ClamAV mirror server was unavailable during initial deployment.
#### Solution
Review the manifest file, and replace the `database_mirror` key with the address of a stable mirror server. If you do not have a stable mirror server for reliable initial deployment, use the S3-based mirror: `pivotal-clamav-mirror.s3.amazonaws.com`
<hr>
### <a id="clamav-runtime-issues"></a>ClamAV Runtime Issues
#### Symptom
Malware signature or sample malware is not detected, even though the ClamAV daemon is properly configured.
#### Explanation
Virus signatures are not up-to-date.
#### Solution
First, ensure that the [configuration checks](./index.html#verify) have been done, that the mirror server is correctly configured and is available on the network from within the PCF private subnet, and that at least one hour has elapsed. One hour is the default scan schedule interval.
If the local mirror is up-to-date and ClamAV is still failing to detect a malware sample, you might have encountered a new threat.
Pivotal recommends alerting the community via existing channels and reporting the suspicious file directly to the ClamAV team.
<p class="note"><strong>Note</strong>: Pivotal does not provide support for ClamAV detection failures, mirror coordination, or threat tracking activity.</p>
<hr>