Malware Scanning Overview
See Malware Scanning for an overview of the feature and how it works. This section is for configuration of scan behavior.
Customizing the analyzer_config.yaml requires a restart of the analyzer container. The typical process is to mount it externally into /anchore_service/analyzer_config.yaml from a host volume or as a ConfigMap in Kubernetes; all analyzers in the deployment share the same configuration.
Enabling & Disabling Malware Scans
Each analyzer needs to have its analyzer_config.yaml file updated to include:

```yaml
malware:
  clamav:
    enabled: true
    db_update_enabled: true
```
Setting malware.clamav.enabled to true enables the analyzer that runs the scan. If it is not enabled, the analyzer still runs but does not execute a ClamAV scan, so no scan results are reported.
:warning: Malware Scanning currently only supports image sizes up to 4 GB.
Disabling DB Updates for ClamAV
The db_update_enabled property of the malware.clamav object shown above in the analyzer_config.yaml controls whether the analyzer invokes a freshclam call prior to each analysis execution. By default it is enabled and should be left on for up-to-date scan results. The database version is returned in the metadata section of the scan results available from the Anchore Enterprise API.
You can disable the update if you want to mount an external volume that provides the db data in /home/anchore/clamav/db inside the container (it must be read-write for the anchore user). This can be used to cache or share a db across multiple analyzers (e.g. using AWS EFS) or to support air-gapped deployments where the db cannot be automatically updated from the deployment itself.
Advanced Configuration
The path for the db and the db update configuration are also available as environment variables inside the analyzer containers. These should not need to be changed in most cases, but for air-gapped or other installations where the default configuration is not sufficient they are available for customization.

| Name | Description | Default |
|---|---|---|
| ANCHORE_FRESHCLAM_CONFIG_FILE | Location of freshclam.conf to use | /home/anchore/clamav/freshclam.conf |
| ANCHORE_CLAMAV_DB_DIR | Location of the db dir to read/write | /home/anchore/clamav/db |
In most cases, Anchore uses the default values for the clamscan and freshclam invocations.
If you would like to override any of the default values of those commands or replace existing ones, you can add the following to the analyzer_config.yaml:
```yaml
malware:
  clamav:
    clamscan_args:
      - max-filesize=1000m
      - max-scansize=1000m
    freshclam_args:
      - datadir=/tmp/different/datadir
```

Please note that the values above are passed directly to the corresponding commands (each entry is prefixed with `--`), e.g.:

```shell
clamscan --suppress-ok-results --infected --recursive --allmatch --archive-verbose --tempdir={tempdir} --database={database} --max-filesize=1000m --max-scansize=1000m <path_to_tar>
```
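To review what a given analyzer_config.yaml will actually do before mounting it, the following added example (not Anchore's own code) renders the clamscan and freshclam command lines from the malware.clamav settings described above, honouring enabled and db_update_enabled and rejecting malformed extra arguments. The fixed clamscan flags are the ones quoted in the documentation; the freshclam base invocation with --config-file is an assumption, and the config dict is a constructed sample.

```python
import shlex

# Constructed sample: the `malware` section of analyzer_config.yaml as a dict
# (load the real file with any YAML library first).
SAMPLE_CONFIG = {"malware": {"clamav": {
    "enabled": True,
    "db_update_enabled": False,
    "clamscan_args": ["max-filesize=1000m", "max-scansize=1000m"],
    "freshclam_args": ["datadir=/tmp/different/datadir"],
}}}
# Fixed flags from the clamscan invocation quoted in the documentation.
BASE_CLAMSCAN_FLAGS = ["--suppress-ok-results", "--infected", "--recursive",
                       "--allmatch", "--archive-verbose"]

def _extra_flags(args):
    """Map 'max-filesize=1000m' style entries to '--max-filesize=1000m'.
    Entries are passed to the command verbatim, so reject malformed ones here
    rather than letting clamscan/freshclam fail at scan time."""
    flags = []
    for arg in args or []:
        if (not isinstance(arg, str) or not arg or arg.startswith("-")
                or any(c.isspace() for c in arg)):
            raise ValueError(f"malformed ClamAV argument: {arg!r}")
        flags.append(f"--{arg}")
    return flags

def clamscan_command(config, tempdir, database, tar_path):
    """Return the clamscan argv for one image tar, or None when scanning is off."""
    clam = config["malware"]["clamav"]
    if not clam.get("enabled", False):
        return None  # analyzer still runs, but no scan and no results reported
    return ["clamscan", *BASE_CLAMSCAN_FLAGS, f"--tempdir={tempdir}",
            f"--database={database}", *_extra_flags(clam.get("clamscan_args")),
            tar_path]

def freshclam_command(config, config_file):
    """Return the freshclam argv run before each analysis, or None when
    db_update_enabled is false (the db then comes from a mounted volume).
    The --config-file base invocation is assumed, not taken from Anchore."""
    clam = config["malware"]["clamav"]
    if not clam.get("db_update_enabled", True):
        return None
    return ["freshclam", f"--config-file={config_file}",
            *_extra_flags(clam.get("freshclam_args"))]

if __name__ == "__main__":
    for argv in (clamscan_command(SAMPLE_CONFIG, "/tmp/scan", "/home/anchore/clamav/db", "/tmp/image.tar"),
                 freshclam_command(SAMPLE_CONFIG, "/home/anchore/clamav/freshclam.conf")):
        print(shlex.join(argv) if argv else "(skipped: disabled in config)")
```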