ClamAV logs collection

ThreatLockDown detects malicious files through integration with ClamAV, a free and open source antimalware engine for detecting various types of malware, including viruses and trojans.

About ClamAV

ClamAV is an open source antimalware toolkit designed for various use cases like endpoint security, web scanning, and email scanning. ClamAV has the following features:

  • It offers real-time protection for Linux endpoints.

  • It provides automatic updates to the malware database.

  • It supports all standard mail file formats by default.

  • It supports several archive formats like ZIP and RAR.

  • It supports common document files like MS Office and Mac Office files, HTML, RTF, and PDF.

  • It is designed with an advanced database updater that can either leverage scripted updates or digital signatures.

  • It uses a command-line scanner.

  • It has built-in support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE and others.

Configuration

You can configure ClamAV and collect its logs from Linux and Windows endpoints. To collect ClamAV logs from Linux endpoints, remove the # comment tag before the LogSyslog true statement in /etc/clamav/clamd.conf. Uncommenting this statement forwards ClamAV logs to the Syslog file /var/log/syslog. You don’t need further configuration after this because the ThreatLockDown agent reads the /var/log/syslog file by default. Your configuration should be similar to this:

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog true
LogRotate true
...
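The edit described above is a single uncomment, but on a fleet of endpoints it is worth doing idempotently and verifying afterwards. The following Python script is an added example, not code from this page, ThreatLockDown or ClamAV: it works on the text of clamd.conf, so it can be unit-tested without touching a live system, and it handles the three states you meet in practice (directive commented out, directive set to false, directive missing). The function names are this example's own; the default path /etc/clamav/clamd.conf comes from the page, and treating `yes` and `1` as synonyms of `true` is an assumption about clamd's boolean syntax.

```python
"""Added example (not code from the page, ThreatLockDown or ClamAV): make sure
clamd.conf carries an active 'LogSyslog true' so ClamAV events reach
/var/log/syslog, where the agent reads them. The functions work on the file's
text so they can be exercised without touching a real system."""
import re
import sys

# Matches a LogSyslog directive, commented out or not, and captures its value.
_LOGSYSLOG_RE = re.compile(r"^\s*(#\s*)?LogSyslog\s+(\S+)\s*$", re.IGNORECASE)
# Assumption: clamd treats these spellings as boolean true.
_TRUE_VALUES = {"true", "yes", "1"}


def log_syslog_enabled(conf_text):
    """True when an uncommented LogSyslog directive with a true value exists."""
    for line in conf_text.splitlines():
        m = _LOGSYSLOG_RE.match(line)
        if m and not m.group(1) and m.group(2).lower() in _TRUE_VALUES:
            return True
    return False


def ensure_log_syslog(conf_text):
    """Return (updated_text, changed).

    Leaves the text alone if logging to syslog is already active. Otherwise the
    first LogSyslog line (commented out, or set to false) becomes
    'LogSyslog true'; any further uncommented copies are commented out so only
    one directive remains; if there was no such line at all, one is appended.
    """
    if log_syslog_enabled(conf_text):
        return conf_text, False
    lines = conf_text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        m = _LOGSYSLOG_RE.match(line)
        if not m:
            continue
        if not replaced:
            lines[i] = "LogSyslog true"
            replaced = True
        elif not m.group(1):
            lines[i] = "# " + line.strip()
    if not replaced:
        lines.append("LogSyslog true")
    updated = "\n".join(lines)
    if conf_text.endswith("\n") or not conf_text:
        updated += "\n"
    return updated, True


if __name__ == "__main__":
    # Usage: python ensure_log_syslog.py [/etc/clamav/clamd.conf]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/clamav/clamd.conf"
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, changed = ensure_log_syslog(original)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    print(f"{path}: {'updated, restart clamd' if changed else 'LogSyslog already enabled'}")
```

Run it as root against the real file; clamd only picks the directive up after a restart, and the ThreatLockDown agent needs no change because it already reads /var/log/syslog.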

Decoders and rules

ThreatLockDown has decoders for ClamAV logs out-of-the-box. Therefore, you don’t need to create any decoders for these logs. Furthermore, we include rules for ClamAV, which you can find at /var/ossec/ruleset/rules/0320-clam_av_rules.xml on the ThreatLockDown server.

Note

The out-of-the-box decoders only decode ClamAV logs from /var/log/syslog on Linux endpoints.

Alert samples

Below are examples of ClamAV alerts. You can find these alerts in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files on the ThreatLockDown server when triggered on monitored endpoints. The ThreatLockDown dashboard also displays these alerts.

Alert created when ClamAV detects malware:

{
   "timestamp":"2023-01-09T18:10:57.937+0000",
   "rule":{
      "level":8,
      "description":"ClamAV: Virus detected",
      "id":"52502",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "nist_800_53":[
         "SI.3",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC6.1",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673287857.654581",
   "full_log":"Jan  9 18:10:56 ip-172-31-44-227 clamd[5780]: /home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan  9 18:10:56",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "parent":"clamd",
      "name":"clamd"
   },
   "data":{
      "id":"44d88612fea8a8f36de82e1278abb02f",
      "url":"/home/ubuntu/eicar.com",
      "extra_data":"Win.Test.EICAR_HDB-1"
   },
   "location":"/var/log/syslog"
}

Alert created when the Clamd service is stopped:

{
   "timestamp":"2023-01-09T18:06:13.623+0000",
   "rule":{
      "level":6,
      "description":"Clamd stopped",
      "id":"52510",
      "mitre":{
         "id":[
            "T1562.001"
         ],
         "tactic":[
            "Defense Evasion"
         ],
         "technique":[
            "Disable or Modify Tools"
         ]
      },
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.1"
      ],
      "gpg13":[
         "4.14"
      ],
      "nist_800_53":[
         "SI.3"
      ],
      "tsc":[
         "A1.2"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673287573.647539",
   "full_log":"Jan  9 18:06:12 ip-172-31-44-227 clamd[5468]: Mon Jan  9 18:06:12 2023 -> --- Stopped at Mon Jan  9 18:06:12 2023",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan  9 18:06:12",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "name":"clamd"
   },
   "location":"/var/log/syslog"
}

Alert created when ClamAV updates its signature database:

{
   "timestamp":"2023-01-09T17:46:30.473+0000",
   "rule":{
      "level":3,
      "description":"ClamAV database update",
      "id":"52507",
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.2"
      ],
      "gpg13":[
         "4.4"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "nist_800_53":[
         "SI.3"
      ],
      "tsc":[
         "A1.2"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673286390.636389",
   "full_log":"Jan  9 17:46:29 ip-172-31-44-227 freshclam[2718]: Mon Jan  9 17:46:29 2023 -> ClamAV update process started at Mon Jan  9 17:46:29 2023",
   "predecoder":{
      "program_name":"freshclam",
      "timestamp":"Jan  9 17:46:29",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "name":"freshclam"
   },
   "location":"/var/log/syslog"
}

Alert created when the Clamd service is restarted:

{
   "timestamp":"2023-01-09T17:23:49.081+0000",
   "rule":{
      "level":3,
      "description":"Clamd restarted",
      "id":"52505",
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "gpg13":[
         "4.14"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673285029.597542",
   "full_log":"Jan  9 17:23:47 ip-172-31-44-227 clamd[5333]: clamd daemon 0.103.6 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan  9 17:23:47",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "name":"clamd"
   },
   "location":"/var/log/syslog"
}

Alert created when ClamAV detects malware multiple times:

{
   "timestamp":"2023-01-11T19:01:16.719+0000",
   "rule":{
      "level":10,
      "description":"ClamAV: Virus detected multiple times",
      "id":"52511",
      "frequency":8,
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "nist_800_53":[
         "SI.3",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC6.1",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673463676.23800",
   "previous_output":"Jan 11 19:01:14 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:14 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:13 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:13 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:12 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:12 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:10 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:10 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:09 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:09 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:06 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:06 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:01 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:01 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
   "full_log":"Jan 11 19:01:16 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:16 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan 11 19:01:16",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "parent":"clamd",
      "name":"clamd"
   },
   "data":{
      "id":"44d88612fea8a8f36de82e1278abb02f",
      "url":"~/home/ubuntu/eicar.com",
      "extra_data":"Win.Test.EICAR_HDB-1"
   },
   "location":"/var/log/syslog"
}
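To make concrete what the out-of-the-box decoders and rules extract from these syslog lines, here is an added Python example that is not part of ThreatLockDown, Wazuh or ClamAV. It parses the same line shapes shown in the full_log fields above, produces the fields the sample alerts carry under "data" (id = signature hash, url = scanned path, extra_data = signature name), and applies a sliding-window frequency rule that escalates repeated detections the way rule 52511 does. Rule ids, levels and descriptions are copied from the sample alerts; the message patterns, the 120-second timeframe and the decision to reset the counter after escalating are this example's assumptions, and the authoritative definitions remain in /var/ossec/ruleset/rules/0320-clam_av_rules.xml. The sample log lines are constructed from the page's own examples plus a burst of EICAR detections.

```python
"""Added example, not part of ThreatLockDown, Wazuh or ClamAV: a compact
emulation of the clamd/freshclam decoders and rules run over constructed
syslog lines. Rule ids/levels come from the page's sample alerts; message
patterns, the timeframe and the reset-after-escalation are assumptions."""
import json
import re
from collections import deque
from datetime import datetime, timedelta

# Syslog prefix: "Jan  9 18:10:56 host clamd[5780]: <message>"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>clamd|freshclam)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# clamd/freshclam may prefix their own timestamp: "Wed Jan 11 19:01:16 2023 -> "
_OWN_TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} -> ")
# Detection line: "<path>: <signature>(<md5>:<size>) FOUND"; the (md5:size)
# part only appears for hash-based signatures, so it is optional here.
_FOUND_RE = re.compile(
    r"^(?P<path>.+?): (?P<sig>[^\s(]+)(?:\((?P<hash>[0-9a-f]{32}):\d+\))? FOUND$"
)

RULES = {  # kind -> (rule id, level, description), taken from the sample alerts
    "found": ("52502", 8, "ClamAV: Virus detected"),
    "multiple": ("52511", 10, "ClamAV: Virus detected multiple times"),
    "stopped": ("52510", 6, "Clamd stopped"),
    "update": ("52507", 3, "ClamAV database update"),
    "restart": ("52505", 3, "Clamd restarted"),
}
FREQUENCY = 8                       # "frequency": 8 in the rule 52511 sample
TIMEFRAME = timedelta(seconds=120)  # assumption for this example


def decode(line, year=2023):
    """Decode one syslog line into predecoder-style fields plus a 'kind'.
    Returns None for lines not written by clamd or freshclam."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        return None
    prog = m["prog"]
    msg = _OWN_TS_RE.sub("", m["msg"])
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    event = {"program_name": prog, "hostname": m["host"], "timestamp": ts,
             "full_log": line, "kind": None, "data": {}}
    found = _FOUND_RE.match(msg) if prog == "clamd" else None
    if found:
        event["kind"] = "found"
        event["data"] = {"url": found["path"], "extra_data": found["sig"], "id": found["hash"]}
    elif prog == "clamd" and msg.startswith("--- Stopped at"):
        event["kind"] = "stopped"
    elif prog == "clamd" and msg.startswith("clamd daemon"):
        event["kind"] = "restart"
    elif prog == "freshclam" and "update process started" in msg:
        event["kind"] = "update"
    return event


class ClamAVCorrelator:
    """Maps decoded events to rules and escalates repeated detections."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.window = deque()  # timestamps of recent 'found' events

    def process(self, line):
        """Return an alert dict for the line, or None if no rule matches."""
        event = decode(line)
        if event is None or event["kind"] is None:
            return None
        rule_id, level, description = RULES[event["kind"]]
        if event["kind"] == "found":
            now = event["timestamp"]
            self.window.append(now)
            while now - self.window[0] > self.timeframe:  # drop stale entries
                self.window.popleft()
            if len(self.window) >= self.frequency:
                rule_id, level, description = RULES["multiple"]
                self.window.clear()  # simplification: count afresh after escalating
        return {"timestamp": event["timestamp"], "program_name": event["program_name"],
                "rule": {"id": rule_id, "level": level, "description": description},
                "data": event["data"], "full_log": event["full_log"]}


def run(lines):
    """Feed lines through one correlator and return the alerts raised."""
    correlator = ClamAVCorrelator()
    return [alert for alert in map(correlator.process, lines) if alert is not None]


# Constructed sample: the page's own full_log lines plus eight EICAR hits.
SAMPLE_LOG = [
    "Jan  9 17:23:47 ip-172-31-44-227 clamd[5333]: clamd daemon 0.103.6 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)",
    "Jan  9 17:46:29 ip-172-31-44-227 freshclam[2718]: Mon Jan  9 17:46:29 2023 -> ClamAV update process started at Mon Jan  9 17:46:29 2023",
    "Jan  9 18:10:56 ip-172-31-44-227 clamd[5780]: /home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
    "Jan  9 18:06:12 ip-172-31-44-227 clamd[5468]: Mon Jan  9 18:06:12 2023 -> --- Stopped at Mon Jan  9 18:06:12 2023",
] + [
    f"Jan 11 19:01:{s:02d} ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:{s:02d} 2023 -> "
    f"~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND"
    for s in (1, 6, 9, 10, 12, 13, 14, 16)
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(json.dumps(alert, default=str))
```

Fed the sample lines, the correlator raises the restart, database-update, single-detection and stop alerts, then seven more level-8 detections, and turns the eighth detection within the window into the level-10 "multiple times" alert, mirroring the seven previous_output lines plus full_log in the last sample above. The optional hash group matters in practice: only hash-based signatures log the (md5:size) suffix, so a decoder that requires it silently drops detections from other signature types.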