Elkeid-Scanner

1. About Scanner Plugin

Current Version: 1.9.X

Scanner is an Elkeid plugin for scanning static files (using the ClamAV engine).

1.1. Supported Platforms

Same as the Elkeid Agent. Pre-compiled binaries are provided for x86_64 and aarch64.

1.2. Agent/DataFlow compatibility

Compatible with Agent/DataFlow 1.7.X and 1.8.X.

2. Build

The Scanner CI workflow can be found in the repository's GitHub Actions configuration.

2.1. Docker Builder

Pre-built packages from the Docker builds, given as plugin config entries (the id_list value is a placeholder):

  • aarch64
    {
        "id_list":[
            "xxxxxxxx"
        ],
        "data":{
            "config":[
                {
                    "name":"scanner",
                    "version":"3.1.9.6",
                    "download_url":[
                        "http://lf3-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-aarch64-3.1.9.6.tar.gz",
                        "http://lf6-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-aarch64-3.1.9.6.tar.gz",
                        "http://lf9-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-aarch64-3.1.9.6.tar.gz",
                        "http://lf26-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-aarch64-3.1.9.6.tar.gz"
                    ],
                    "type": "tar.gz",
                    "sha256": "d75a5c542a2d7c0900ad96401d65833833232fcf539896ac2d2a95619448850b",
                    "signature": "1089b8fdcb69eac690323b0d092d8386901ded2155a057bf4d044679a2b83a9c",
                    "detail":""
                }
            ]
        }
    }
    
  • x86_64
    {
        "id_list":[
            "xxxxxxxx"
        ],
        "data":{
            "config":[
                {
                    "name":"scanner",
                    "version":"3.1.9.6",
                    "download_url":[
                        "http://lf3-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-x86_64-3.1.9.6.tar.gz",
                        "http://lf6-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-x86_64-3.1.9.6.tar.gz",
                        "http://lf9-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-x86_64-3.1.9.6.tar.gz",
                        "http://lf26-elkeid.bytetos.com/obj/elkeid-download/plugin/scanner/scanner-default-x86_64-3.1.9.6.tar.gz"
                    ],
                    "type": "tar.gz",
                    "sha256": "e17e7380233c64172c767aa7587a9e303b11132e97c0d36a42e450469c852fdf",
                    "signature": "527c6ea0caac3b0604021de5aa2d34e4b9fae715e5e6cdd37e8f485869f923c2",
                    "detail":""
                }
            ]
        }
    }
    
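The download_url mirrors above are plain http://, so the sha256 in each entry is what protects the package in transit. The following is an added example, not code from the Elkeid project, of how a consumer of such an entry should behave: try the mirrors in order, accept only a tarball whose SHA-256 matches, and then reject archive members that would escape the install directory before extracting. The mirror URLs are hypothetical and the tarball is constructed in memory, so the block runs offline; the fetch function is a parameter so a real run can pass a urllib-based fetcher. The signature field is not verified here because this page does not say how it is computed.

```python
import hashlib
import hmac
import io
import tarfile
from typing import Callable, Dict, List, Tuple


class IntegrityError(Exception):
    """Raised when no mirror delivers a tarball matching the configured sha256."""


def build_sample_tarball() -> bytes:
    """Constructed stand-in for a scanner tarball (not the real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"#!/bin/sh\necho scanner plugin stub\n"
        info = tarfile.TarInfo(name="scanner/plugin.sh")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE_TARBALL = build_sample_tarball()

# Same shape as the config entries above. URLs are hypothetical; the sha256 is
# computed from the constructed tarball so verification works offline.
SAMPLE_ENTRY: Dict = {
    "name": "scanner",
    "version": "3.1.9.6",
    "download_url": [
        "http://mirror-a.example/scanner-default-x86_64-3.1.9.6.tar.gz",
        "http://mirror-b.example/scanner-default-x86_64-3.1.9.6.tar.gz",
        "http://mirror-c.example/scanner-default-x86_64-3.1.9.6.tar.gz",
    ],
    "type": "tar.gz",
    "sha256": hashlib.sha256(SAMPLE_TARBALL).hexdigest(),
}


def fetch_verified(entry: Dict, fetch: Callable[[str], bytes]) -> Tuple[str, bytes]:
    """Try each mirror in order; return (url, data) for the first whose SHA-256 matches.

    An unreachable mirror or one serving a mismatching file is skipped. If none
    matches, IntegrityError is raised and nothing must be installed.
    """
    expected = entry["sha256"].lower()
    failures: List[str] = []
    for url in entry["download_url"]:
        try:
            data = fetch(url)
        except OSError as exc:
            failures.append(f"{url}: {exc}")
            continue
        digest = hashlib.sha256(data).hexdigest()
        if hmac.compare_digest(digest, expected):
            return url, data
        failures.append(f"{url}: sha256 {digest} != {expected}")
    raise IntegrityError("; ".join(failures) or "no download_url configured")


def unsafe_members(data: bytes) -> List[str]:
    """Member names in the (already verified) tarball that would escape the install dir."""
    bad: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                bad.append(member.name)
    return bad


def install_plan(entry: Dict, fetch: Callable[[str], bytes]) -> Tuple[str, int]:
    """Verify, then refuse unsafe archives; returns (mirror used, size) on success."""
    url, data = fetch_verified(entry, fetch)
    bad = unsafe_members(data)
    if bad:
        raise IntegrityError(f"refusing {url}: unsafe member(s) {bad}")
    return url, len(data)


if __name__ == "__main__":
    # Offline demo: every mirror "serves" the constructed tarball.
    used, size = install_plan(SAMPLE_ENTRY, lambda _url: SAMPLE_TARBALL)
    print(f"verified {size} bytes from {used}")
```

A real installer would pass a fetcher that performs the HTTP request; the point is that the mirror list is only for availability, and the hash comparison decides whether anything gets unpacked.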

2.2. Compile

# x86_64
docker build -t scanner -f docker/Dockerfile.x86_64 ../../ 
docker create --name scanner scanner
docker cp scanner:/Elkeid/plugins/scanner/output/scanner-x86_64.tar.gz ./
docker rm -f scanner

# aarch64
docker build -t scanner -f docker/Dockerfile.aarch64 ../../ 
docker create --name scanner scanner
docker cp scanner:/Elkeid/plugins/scanner/output/scanner-aarch64.tar.gz ./
docker rm -f scanner

3. Config

The following constants live in the config files. To avoid consuming too many system resources, the default values are recommended.

3.1. Scan Path config

  • SCAN_DIR_CONFIG defines the scan directory list and the recursion depth for each entry
  • SCAN_DIR_FILTER defines the directories to skip, matched by path prefix

3.2. Engine config

  • CLAMAV_MAX_FILESIZE defines the maximum size of a file to scan; larger files are skipped
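As an added example (not the plugin's Rust implementation), here is a walker that gives those three constants concrete semantics: each entry of SCAN_DIR_CONFIG is a (directory, depth) pair where depth 0 is the directory itself and a subdirectory is descended into only while it is within that depth; any path under a SCAN_DIR_FILTER prefix is pruned, matched on whole path components so that /tmp/cache does not hide /tmp/cache2; regular files above CLAMAV_MAX_FILESIZE are reported as skipped rather than scanned; symlinks are never followed. The constant values and the sample tree are constructed for the example, and how the real plugin interprets the depth number is not stated on this page and is assumed here.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Hypothetical values in the shape of the plugin's constants: (directory, recursion depth).
SCAN_DIR_CONFIG: List[Tuple[str, int]] = [("/bin", 1), ("/usr/bin", 1), ("/tmp", 3)]
SCAN_DIR_FILTER: List[str] = ["/proc", "/sys", "/dev", "/tmp/cache"]
CLAMAV_MAX_FILESIZE: int = 20 * 1024 * 1024


def is_filtered(path: str, filters: List[str]) -> bool:
    """Prefix match on whole components, so /tmp/cache2 is not hidden by /tmp/cache."""
    for prefix in filters:
        prefix = prefix.rstrip("/")
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def plan_scan(scan_dirs: List[Tuple[str, int]], filters: List[str],
              max_size: int) -> List[Tuple[str, str]]:
    """Return sorted (path, action) pairs; action is "scan", "skip:size" or "skip:symlink".

    Depth 0 is the configured directory; a subdirectory at depth d is entered only
    while d <= max_depth (assumed meaning of the recursion depth constant).
    """
    plan: List[Tuple[str, str]] = []
    for top, max_depth in scan_dirs:
        top = os.path.abspath(top)
        if is_filtered(top, filters) or not os.path.isdir(top):
            continue
        for dirpath, dirnames, filenames in os.walk(top):  # symlinked dirs are not followed
            rel = os.path.relpath(dirpath, top)
            depth = 0 if rel == "." else rel.count(os.sep) + 1
            # Prune in place: filtered directories and anything beyond the depth budget.
            dirnames[:] = [
                d for d in dirnames
                if depth + 1 <= max_depth and not is_filtered(os.path.join(dirpath, d), filters)
            ]
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)  # lstat: classify the link itself, never its target
                if stat.S_ISLNK(st.st_mode):
                    plan.append((path, "skip:symlink"))
                elif not stat.S_ISREG(st.st_mode):
                    continue
                elif st.st_size > max_size:
                    plan.append((path, "skip:size"))
                else:
                    plan.append((path, "scan"))
    return sorted(plan)


def build_sample_tree() -> Tuple[str, Dict[str, str]]:
    """Constructed sample tree under a temp dir (not real system paths)."""
    root = tempfile.mkdtemp(prefix="scanplan-")
    files: Dict[str, str] = {
        "top": os.path.join(root, "top"),
        "skip_dir": os.path.join(root, "top", "skip"),
    }

    def put(label: str, rel: str, size: int) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"x" * size)
        files[label] = path

    put("a", "top/a.txt", 10)
    put("big", "top/big.bin", 200)       # above a 100-byte limit
    put("b", "top/sub/b.txt", 10)        # depth 1: included with depth 1
    put("c", "top/sub/deep/c.txt", 10)   # depth 2: beyond depth 1
    put("d", "top/skip/d.txt", 10)       # under a filtered prefix
    put("e", "top/skip2/e.txt", 10)      # "skip" must not hide "skip2"
    link = os.path.join(root, "top", "link")
    try:
        os.symlink(files["a"], link)
        files["link"] = link
    except (OSError, NotImplementedError):
        pass  # platforms without symlink support just omit the case
    return root, files


if __name__ == "__main__":
    _root, sample = build_sample_tree()
    for path, action in plan_scan([(sample["top"], 1)], [sample["skip_dir"]], 100):
        print(action, path)
```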

3.3. Option 1: ClamAV database config

Download the default database archive (default password: clamav_default_passwd):

wget http://lf26-elkeid.bytetos.com/obj/elkeid-download/18249e0cbe7c6aca231f047cb31d753fa4604434fcb79f484ea477f6009303c3/archive_db_default_20220817.zip

# alternative mirrors
#wget http://lf3-elkeid.bytetos.com/obj/elkeid-download/18249e0cbe7c6aca231f047cb31d753fa4604434fcb79f484ea477f6009303c3/archive_db_default_20220817.zip
#wget http://lf6-elkeid.bytetos.com/obj/elkeid-download/18249e0cbe7c6aca231f047cb31d753fa4604434fcb79f484ea477f6009303c3/archive_db_default_20220817.zip
#wget http://lf9-elkeid.bytetos.com/obj/elkeid-download/18249e0cbe7c6aca231f047cb31d753fa4604434fcb79f484ea477f6009303c3/archive_db_default_20220817.zip

The ClamAV scanner plugin loads the local database from TMP_PATH/archive_db_default.zip, opened with the password ARCHIVE_DB_PWD. It also checks ARCHIVE_DB_VERSION, read from ARCHIVE_DB_VERSION_FILE, together with ARCHIVE_DB_PWD. The archive URLs above are plain http:// and no checksum is listed for the archive, so fetch it over a network path you trust.

More details in src/model/engine/updater.rs.

3.4. Option 2: Rules

The default database includes a cropped ClamAV database and open-source YARA rules.

root@hostname$ ls
main.ldb  main.ndb  online_XXXXXXXX.yar

More details in the ClamAV docs.

  • Notice
    • There are currently a few limitations on using YARA rules within ClamAV.

4. Plugin tasks

Scanner plugin tasks (see the Elkeid Console docs):

  • Dir scan
  • Fulldisk scan
  • Quick scan

5. Scanner Report DataType

DataType 6000 - ScanTaskFinished

  #  field   description
  1  status  task status: failed, succeed
  2  msg     log

DataType 6001 - StaticMalwareFound

  #   field        description
  1   types        FileType
  2   class        MalwareClass
  3   name         MalwareName
  4   exe          target file path
  5   static_file  target file path
  6   exe_size     target file size
  7   exe_hash     target file 32kb xxhash
  8   md5_hash     target file md5 hash
  9   create_at    target file birth time
  10  modify_at    target file last modify time
  11  hit_data     yara hit data (if yara hit)
  12  token        task token (only in 6057 task report)

DataType 6002 - ProcessMalwareFound

  #   field        description
  1   types        FileType
  2   class        MalwareClass
  3   name         MalwareName
  4   exe          exe file path
  5   static_file  exe file path
  6   exe_size     exe file size
  7   exe_hash     exe 32kb xxhash
  8   md5_hash     exe md5 hash
  9   create_at    exe birth time
  10  modify_at    exe last modify time
  11  hit_data     yara hit data (if yara hit)
  12  pid          process id
  13  ppid         parent process id
  14  pgid         process group id
  15  tgid         thread group id
  16  argv         exe cmdline
  17  comm         process comm name
  18  sessionid    session id (from /proc/pid/stat)
  19  uid          user ID
  20  pns          process namespace
  21  token        task token (only in 6057 task report)

DataType 6003 - PathScanTaskResult

  #   field        description
  1   types        target FileType
  2   class        MalwareClass
  3   name         MalwareName
  4   exe          target file path
  5   static_file  target file path
  6   exe_size     target file size
  7   exe_hash     target file 32kb xxhash
  8   md5_hash     target file md5 hash
  9   create_at    target file birth time
  10  modify_at    target file last modify time
  11  hit_data     yara hit data (if yara hit)
  12  token        task token
  13  error        error log

6. Known Errors & issues

  • Creation time / birth time is not available on some filesystems; the error reads:
    "creation time is not available for the filesystem"
  • The default CentOS 7 compile toolchain does not work; a newer toolchain is needed.
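An added example (not the plugin's code) of building one PathScanTaskResult-style record from section 5 for a file, with attention to the first known issue above: the birth time is read with a fallback, and when the filesystem does not provide it the record carries the known-issue message in its error field instead of failing. exe_hash reads only the first 32 KB, which is what keeps that field cheap on large files; the plugin uses xxhash, which the standard library lacks, so blake2b stands in here. The malware class/name values, the string encoding of numbers, and the use of the error field for a missing birth time are assumptions of this example, and the input file is constructed.

```python
import hashlib
import os
import tempfile
from typing import Any, Dict, Optional

HEAD_BYTES = 32 * 1024  # exe_hash covers only the first 32 KB of the file
BIRTH_TIME_ERROR = "creation time is not available for the filesystem"


def digest_head(data: bytes) -> str:
    """Digest of at most the first 32 KB. Stand-in for the plugin's xxhash (assumption)."""
    return hashlib.blake2b(data[:HEAD_BYTES], digest_size=8).hexdigest()


def head_digest(path: str) -> str:
    """Read only HEAD_BYTES from disk, so cost is bounded regardless of file size."""
    with open(path, "rb") as f:
        return digest_head(f.read(HEAD_BYTES))


def full_md5(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def birth_time(st: os.stat_result) -> Optional[int]:
    """Birth time in seconds, or None where the OS/filesystem reports none
    (Python only exposes st_birthtime when the platform provides it)."""
    bt = getattr(st, "st_birthtime", None)
    return int(bt) if bt is not None else None


def path_scan_result(path: str, token: str,
                     hit: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Build a 6003-shaped record. class/name/hit_data come from the engine and are
    passed in; a missing birth time is reported via `error` (assumed handling)."""
    st = os.lstat(path)
    created = birth_time(st)
    hit = hit or {}
    return {
        "types": "file",
        "class": hit.get("class", ""),
        "name": hit.get("name", ""),
        "exe": path,
        "static_file": path,
        "exe_size": str(st.st_size),
        "exe_hash": head_digest(path),
        "md5_hash": full_md5(path),
        "create_at": "" if created is None else str(created),
        "modify_at": str(int(st.st_mtime)),
        "hit_data": hit.get("hit_data", ""),
        "token": token,
        "error": BIRTH_TIME_ERROR if created is None else "",
    }


def build_sample_file() -> str:
    """Constructed input: 40 KB so the head digest sees only the first 32 KB."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"A" * HEAD_BYTES + b"B" * (8 * 1024))
    return path


if __name__ == "__main__":
    sample = build_sample_file()
    record = path_scan_result(sample, "task-0001",
                              {"class": "testing", "name": "Constructed.Sample"})
    for key, value in record.items():
        print(f"{key:12} {value}")
```

Because the head digest ignores everything after 32 KB, two files that differ only in their tail share an exe_hash; md5_hash is the field that distinguishes them, which is why the report carries both.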

7. License

The ClamAV Scanner Plugin is distributed under the GPLv2 license.