Gate: malware
Introduction
The “malware” gate allows users to detect malware in an image SBOM through the use of ClamAV.
ClamAV is an open-source antivirus toolkit that can detect various kinds of malicious threats on a system. Anchore pulls malware data from ClamAV and lets users create policy rules that trigger on malware findings through the “malware” gate.
However, ClamAV limits the size of the files it can scan within a single image SBOM: currently, the maximum file size ClamAV can scan is 4GB. Additionally, using the “malware” gate increases analysis/scanning time, because each analyzer service for the “malware” gate runs a malware signature update before analyzing each image SBOM. The duration of this latency depends on the size and number of files the image SBOM contains.
Note: For detailed information about malware scanning, see the dedicated malware scanning documentation page.
Example Use-case
Scenario 1
Goal: Create a rule that results in a STOP action if malware is detected on an image SBOM.
Example rule set configuration in Anchore Enterprise
Gate: malware
Trigger: scans
Action: STOP
Reference: malware
| Trigger | Description | Parameters |
|---|---|---|
| scans | Triggers if any malware scanner has found any matches in the image. | |
| scan_not_run | Triggers if no scan was found for the image. | |
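To make the two triggers concrete, here is a small added model of how the gate's trigger semantics from the table above combine with rule actions; it is example code written for this page, not Anchore's own evaluator, and the `ScanResult`/`Rule` shapes and the `GO < WARN < STOP` ordering are assumptions. It also shows why Scenario 1 on its own lets an image whose scan never ran pass silently, and how a second `scan_not_run` rule closes that gap.

```python
from dataclasses import dataclass, field

# Constructed, simplified view of an image's malware-scan results.
# Each entry is one scanner's findings for one file path; this shape is an
# assumption for this example, not Anchore's data model.
@dataclass
class ScanResult:
    scanner: str
    path: str
    findings: list = field(default_factory=list)  # matched signature names

@dataclass
class Rule:
    gate: str
    trigger: str
    action: str

def evaluate_malware_gate(rules, scan_results):
    """Return (final_action, fired_triggers) for the malware gate.

    Trigger semantics follow the reference table on this page:
      - 'scans' fires if any scanner found any matches in the image.
      - 'scan_not_run' fires if no scan was found for the image.
    The most severe action among fired rules wins (assumed STOP > WARN > GO).
    """
    any_matches = any(r.findings for r in scan_results)
    no_scan = len(scan_results) == 0
    fired = []
    for rule in rules:
        if rule.gate != "malware":
            continue
        if rule.trigger == "scans" and any_matches:
            fired.append((rule.trigger, rule.action))
        elif rule.trigger == "scan_not_run" and no_scan:
            fired.append((rule.trigger, rule.action))
    severity = {"GO": 0, "WARN": 1, "STOP": 2}
    final = max((a for _, a in fired), key=severity.get, default="GO")
    return final, [t for t, _ in fired]

# Scenario 1 rule from this page, and a hardened set that also STOPs when
# no scan result exists at all, so a skipped scan cannot pass unnoticed.
SCENARIO_1 = [Rule("malware", "scans", "STOP")]
HARDENED = SCENARIO_1 + [Rule("malware", "scan_not_run", "STOP")]

if __name__ == "__main__":
    # Constructed sample findings; the signature name is illustrative only.
    infected = [ScanResult("clamav", "/usr/bin/tool", ["Eicar-Test-Signature"])]
    print(evaluate_malware_gate(SCENARIO_1, infected))  # ('STOP', ['scans'])
    print(evaluate_malware_gate(SCENARIO_1, []))        # ('GO', [])
    print(evaluate_malware_gate(HARDENED, []))          # ('STOP', ['scan_not_run'])
```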