Malware Scans of Images

Malware Scanning Overview

See Malware Scanning for an overview of the feature and how it works. This section is for configuration of scan behavior.

Changes to analyzer_config.yaml take effect only after the analyzer container is restarted. The typical approach is to mount the file externally into /anchore_service/analyzer_config.yaml, either from a host volume or as a ConfigMap in Kubernetes; all analyzers in the deployment share the same configuration.

Limitations and Resource Usage

ClamAV can scan files up to a maximum size of 4GB, so it can scan a container's squashed filesystem only if that filesystem is 4GB or smaller. If you analyze a larger image with malware scanning enabled, you'll see an error in the logs and the analyzer will not register a valid malware scan for the image. This condition can be caught with the policy rule that requires a scan to have been run for an image.

Enabling & Disabling Malware Scans

Each analyzer needs to have its analyzer_config.yaml file updated to include:

malware:
  clamav:
    enabled: true
    db_update_enabled: true

malware.clamav.enabled = true enables the analyzer step that runs the scan. If it is not enabled, the analyzer still runs but does not execute a ClamAV scan, so no scan results are reported.

Warning: Malware Scanning currently only supports image sizes up to 4GB.

Disabling DB Updates for ClamAV

The db_update_enabled property of the malware.clamav object shown above controls whether the analyzer invokes freshclam before each analysis run. It is enabled by default and should be left on for up-to-date scan results. The DB version used is returned in the metadata section of the scan results available from the Anchore Enterprise API.

You can disable the update if you want to mount an external volume that provides the DB data at /home/anchore/clamav/db inside the container (it must be read-write for the anchore user). This can be used to cache or share a DB across multiple analyzers (e.g. using AWS EFS) or to support air-gapped deployments where the DB cannot be updated automatically from within the deployment itself.

Advanced Configuration

The DB path and the DB update configuration are also available as environment variables inside the analyzer containers. These should not be needed in most cases, but they are available for customization in air-gapped or other installations where the default configuration is not sufficient.

Name                           Description                           Default
ANCHORE_FRESHCLAM_CONFIG_FILE  Location of freshclam.conf to use     /home/anchore/clamav/freshclam.conf
ANCHORE_CLAMAV_DB_DIR          Location of the db dir to read/write  /home/anchore/clamav/db

In most cases, Anchore uses the default values for the clamscan and freshclam invocations. If you want to override or replace any of the default options of those commands, add the following to the analyzer_config.yaml:

malware:
  clamav:
    clamscan_args:
      - max-filesize=1000m
      - max-scansize=1000m
    freshclam_args:
      - datadir=/tmp/different/datadir

Please note that the values above are passed directly to the corresponding commands, e.g.:

clamscan --suppress-ok-results --infected --recursive --allmatch --archive-verbose --tempdir={tempdir} --database={database} --max-filesize=1000m --max-scansize=1000m <path_to_tar>
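The following added example (not part of the Anchore documentation or its code) renders the clamscan command line that results from a given malware section and flags configuration mistakes a reviewer would want caught before restarting the analyzers: scanning left disabled, DB updates turned off without a populated DB directory, and args written with their own dashes. The fixed clamscan flags and the default DB directory are taken from this page; that configured args are passed as `--<value>` is inferred from the page's own example and is an assumption about the implementation.

```python
"""Render and sanity-check the malware section of analyzer_config.yaml.
Added example, not Anchore's code: fixed clamscan flags come from the
documented invocation; passing configured args as `--<value>` is inferred
from the page's example. Real files load with PyYAML's yaml.safe_load()."""

# Constructed sample: the parsed form of the analyzer_config.yaml above.
SAMPLE_CONFIG = {
    "malware": {
        "clamav": {
            "enabled": True,
            "db_update_enabled": False,
            "clamscan_args": ["max-filesize=1000m", "max-scansize=1000m"],
            "freshclam_args": ["datadir=/tmp/different/datadir"],
        }
    }
}

DEFAULT_DB_DIR = "/home/anchore/clamav/db"  # documented ANCHORE_CLAMAV_DB_DIR default
FIXED_CLAMSCAN_FLAGS = ["--suppress-ok-results", "--infected", "--recursive",
                        "--allmatch", "--archive-verbose"]

def render_clamscan_cmd(config, tempdir, database, tar_path):
    """Return the argv list clamscan is invoked with for one squashed image tar."""
    clamav = config.get("malware", {}).get("clamav", {})
    user_args = [f"--{a}" for a in clamav.get("clamscan_args", [])]
    return (["clamscan"] + FIXED_CLAMSCAN_FLAGS
            + [f"--tempdir={tempdir}", f"--database={database}"]
            + user_args + [tar_path])

def check_malware_config(config):
    """Return findings worth fixing before the analyzer is restarted."""
    findings = []
    clamav = config.get("malware", {}).get("clamav")
    if not isinstance(clamav, dict):
        return ["malware.clamav section missing: no scan will run"]
    if clamav.get("enabled") is not True:
        findings.append("malware.clamav.enabled is not true: the analyzer "
                        "runs but reports no scan results")
    if clamav.get("db_update_enabled") is False:
        findings.append(f"DB updates disabled: {DEFAULT_DB_DIR} must be "
                        "mounted read-write and pre-populated")
    for key in ("clamscan_args", "freshclam_args"):
        for arg in clamav.get(key, []):
            if arg.startswith("-"):
                findings.append(f"{key} entry {arg!r} already has dashes; "
                                "values are passed as --<value>")
    return findings
```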

Last modified February 16, 2024