Configuring Malware Scans of Images
Malware Scanning Overview
See Malware Scanning for an overview of the feature and how it works. This section is for configuration of scan behavior.
Customizing the analyzer_config.yaml requires a restart of the analyzer container. The typical process is to mount it externally into /anchore_service/analyzer_config.yaml from a host volume or as a ConfigMap in Kubernetes and
all analyzers in the deployment share the same configuration.
Enabling & Disabling Malware Scans
Each analyzer needs to have it’s analyzer_config.yaml file updated to include:
malware:
clamav:
enabled: true
db_update_enabled: true
malware.clamav.enabled = true will enable the analyzer that runs the scan. If not enabled, the analyzer will run but will not execute a ClamAV scan so no scan results will be reported.
:warning: Malware Scanning currently only supports image sizes up to 4gb.
Disabling DB Updates for ClamAV
The db_update_enabled property of the malware.clamav object shown above in the analyzer_config.yaml controls whether the analyzer will invoke a refreshclam call prior to each
analysis execution. By default it is enabled and should be left on for up-to-date scan results. The db version is returned in the metadata section of the scan results available from the engine API.
You can disable the update if you want to mount an external volume to provide the db data in /home/anchore/clamav/db inside the container (must be read-write for the anchore user) This can be used to cache or share a db across multiple analyzers (e.g. using AWS EFS) or to support air-gapped deployments where the db cannot be automatically updated from deployment itself.
Advanced Configuration
The path for the db and db update configuration are also available as environment variables inside the analyzer containers. These should not need to be used in most cases, but for air-gapped or other installation where the default configuration is not sufficient they are available for customization.
| Name | Description | Default |
|---|---|---|
| ANCHORE_FRESHCLAM_CONFIG_FILE | Location of freshclam.conf to use | /home/anchore/clamav/freshclam.conf |
| ANCHORE_CLAMAV_DB_DIR | Location of the db dir to read/write | /home/anchore/clamav/db |
For most cases, anchore uses the default values for the clamscan and freshclam invocations. The parameters that are already specified
can be found in the analyzer source.
If you would like to override any of the default values of those commands or replace existing ones, you can add the following to the analyzer_config.yaml:
malware:
clamav:
clamscan_args:
- max-filesize=1000m
- max-scansize=1000m
freshclam_args:
- datadir=/tmp/different/datadir
Please note that the value above will be passed directly to the corresponding commands, e.g.:
clamscan --suppress-ok-results --infected --recursive --allmatch --archive-verbose --tempdir={tempdir} --database={database} --max-filesize=1000m --max-scansize=1000m <path_to_tar>
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.