FAQ on RSA Authentication Manager 8.1 AntiVirus ClamAV

Document created by RSA Customer Support Employee on Aug 5, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Number: 000033699
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: VMware
O/S Version: ESXi 5.0
Product Description: RSA SID Access Virtual Appliance
Issue: Need to configure ClamAV, and general information about it
Resolution:
>> ClamAV: RSA Authentication Manager Antivirus
Each RSA Authentication Manager instance includes Clam Antivirus (ClamAV) software. ClamAV is an open-source software toolkit that is intended to reduce the risk of intrusion or malicious system or data access. Apply software updates to ClamAV only as part of RSA-delivered updates.
>> What action does ClamAV take when a virus is found (during a scheduled or manual scan)? Are infected files cleaned, deleted, or moved to quarantine?
ClamAV only detects; it does not clean, delete, or quarantine anything. With the scan command given below, infected files are only reported in /var/log/clamav.log (one "<path>: <signature> FOUND" line per file, followed by a scan summary).
You can change the action with one of the following clamscan options:
-i, --infected : Only print infected files.
--remove[=yes/no(*)] : Remove infected files. Be careful.
--move=DIRECTORY : Move infected files into DIRECTORY. The directory must be writable for the unprivileged user running clamscan.
--copy=DIRECTORY : Copy infected files into DIRECTORY. The directory must be writable for the unprivileged user running clamscan.
On an Authentication Manager instance, keep the default detect-and-log behaviour unless you have confirmed that a hit is not a false positive: --remove or --move applied to a file under /opt/rsa/am or to an operating-system file can leave the instance unable to start. Investigate the logged path first, and prefer --copy over --move if you need a sample of the file.

>> ClamAV on the appliance is not a resident (real-time, on-access) scanner. A scan runs only when it is started manually or by a scheduled job.
To run a scan manually, type the following line:
sudo clamscan -r / --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/opt/rsa/am/rsapgdata --follow-dir-symlinks=0 --follow-file-symlinks=0 --log=/var/log/clamav.log

To schedule automatic virus scans, create a cron job that runs the same command (sudo is not needed when the job is installed in root's crontab). clamscan exits with status 0 when no infected file was found, 1 when at least one infected file was found, and 2 when an error occurred (for example a missing or unreadable signature database); a cron wrapper can use that status to raise an alert instead of relying on someone reading the log.
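The following wrapper is an added example of such a cron job; it is not part of the RSA article or of the ClamAV project. It runs the article's scan command (detection only, same exclusions, same log file), classifies the clamscan exit status, counts the FOUND lines of the run, and writes one syslog line per run so a monitoring system can alert on detections. Assumptions not stated in the article: the script is saved as /usr/local/sbin/am_clamscan.sh and invoked from root's crontab; the sample clamscan output used to exercise the counting function is constructed, not captured from a real instance.

```shell
#!/bin/sh
# am_clamscan.sh - scheduled ClamAV scan for an Authentication Manager instance.
# Added example, not code from the RSA article or the ClamAV project.
# Assumed crontab entry (weekly, Sunday 02:00, in root's crontab):
#   0 2 * * 0 /usr/local/sbin/am_clamscan.sh --run

LOG=/var/log/clamav.log   # same log file as the article's manual command

# The article's scan: recurse from /, skip pseudo filesystems and the
# Authentication Manager database files, never follow symlinks, append to LOG.
# -i prints only infected files on stdout, which we capture per run in $1.
# Detection only: no --remove/--move/--copy on an appliance.
run_scan() {
    clamscan -r -i / \
        --exclude-dir=/proc --exclude-dir=/sys \
        --exclude-dir=/opt/rsa/am/rsapgdata \
        --follow-dir-symlinks=0 --follow-file-symlinks=0 \
        --log="$LOG" > "$1" 2>&1
}

# clamscan exit status, from clamscan(1): 0 clean, 1 infected file(s) found,
# 2 error (e.g. missing signature database, unreadable files).
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Count "<path>: <signature> FOUND" lines in a per-run report. Prints 0 when
# the report is missing or has no detections.
count_found() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    grep -c ' FOUND$' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Constructed sample of clamscan -i output (not from a real instance), using
# the EICAR test signature so no real malware name is invented.
write_sample_report() {
    cat > "$1" <<'EOF'
/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

if [ "${1:-}" = "--run" ]; then
    report=$(mktemp /tmp/am_clamscan.XXXXXX)
    run_scan "$report"
    rc=$?
    status=$(classify_exit "$rc")
    found=$(count_found "$report")
    # One syslog line per run; alert on "infected" or "error" from your SIEM.
    logger -t am_clamscan "scan $status: $found infected file(s), full log in $LOG"
    rm -f "$report"
    exit "$rc"
fi
```

The per-run report is what gets counted, not /var/log/clamav.log itself, because clamscan appends to the file named by --log and the cumulative count would keep rising across runs. Exit status 2 is reported separately from 1 so that a broken or stale signature database is not mistaken for a clean scan.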
>> How to update the signatures?
Signatures are updated by refreshing the definition files. If the Authentication Manager instance has access to the Internet, you can download and apply the latest antivirus definition files automatically by typing the following command:
sudo /usr/bin/freshclam

Schedule this update as well (daily.cvd changes several times a day, and clamscan warns when the database is more than 7 days old). If the Authentication Manager instance does not have access to the Internet, manually download the main.cvd and daily.cvd antivirus definition files from the ClamAV web site:
Notes:
More details on the man page: http://linux.die.net/man/1/clamscan
Additional information: https://help.ubuntu.com/community/ClamAV (ClamAV: infected files reporting)
Set-up procedure: RSA Authentication Manager Administrator's Guide, page 416