Mattermost Discussion Forums

How to connect ClamAv with Mattermost for the Antivirus plugin

I used this repository to deploy a ClamAv server in Kubernetes. Now I need to connect ClamAv with Mattermost to use the Antivirus plugin. I just need to configure the host and port number from ClamAv in Mattermost, but I think I’m doing something wrong here.

I was wondering how I can expose a clamd pod the right way for Mattermost. I created a deployment file for the ClamAv server like this:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: clamav
data:
  clamd.conf: |
    Foreground yes
    Debug no
    LeaveTemporaryFiles no

    LogFile /dev/stdout
    LogFileMaxSize 0
    LogTime yes
    LogClean no

    TCPSocket 3310
    TCPAddr 0.0.0.0

    ExcludePath ^/proc/
    ExcludePath ^/sys/
    ExcludePath ^/host/proc/
    ExcludePath ^/host/sys/

    MaxDirectoryRecursion 64
    FollowDirectorySymlinks no
    FollowFileSymlinks no
    CrossFilesystems no

    AllowAllMatchScan no
    HeuristicAlerts no
    HeuristicScanPrecedence no

    ScanELF yes
    ScanPDF yes
    ScanSWF yes
    ScanXMLDOCS yes
    ScanArchive yes

  freshclam.conf: |
    Foreground yes
    DatabaseDirectory /var/lib/clamav
    UpdateLogFile /dev/stdout
    Debug no

    LogFileMaxSize 0
    LogTime yes

    DatabaseOwner root
    DNSDatabaseInfo current.cvd.clamav.net
    DatabaseMirror database.clamav.net
    MaxAttempts 3

    ScriptedUpdates yes
    CompressLocalDatabase no
    TestDatabases yes
    SafeBrowsing no
    Bytecode no

    Checks 12
    NotifyClamd /etc/clamav/clamd.conf

    ConnectTimeout 30
    ReceiveTimeout 60

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamd
spec:
  selector:
    matchLabels:
      aikido: clamd
  template:
    metadata:
      labels:
        aikido: clamd
    spec:
      volumes:
        - name: host
          hostPath:
            path: /

        - name: clamdb
          emptyDir:

        - name: etc
          configMap:
            name: clamav

      initContainers:
        - name: init
          image: filefrog/clamav:latest
          imagePullPolicy: Always
          command:
            - /clamav
            - seed

          volumeMounts:
            - name: etc
              mountPath: /etc/clamav
              readOnly: yes

            - name: clamdb
              mountPath: /var/lib/clamav
              readOnly: no

      containers:
        - name: clamd
          image: filefrog/clamav:latest
          imagePullPolicy: Always
          command:
            - /clamav
            - clamd

          readinessProbe:
            periodSeconds: 3
            tcpSocket:
              port: 3310

          volumeMounts:
            - name: etc
              mountPath: /etc/clamav
              readOnly: yes

            - name: host
              mountPath: /host
              readOnly: yes

            - name: clamdb
              mountPath: /var/lib/clamav
              readOnly: yes

        - name: freshclam
          image: filefrog/clamav:latest
          imagePullPolicy: Always
          command:
            - /clamav
            - freshclam

          volumeMounts:
            - name: etc
              mountPath: /etc/clamav
              readOnly: yes

            - name: clamdb
              mountPath: /var/lib/clamav
              readOnly: no

To expose the pod locally I ran the command: kubectl -n ind-iv port-forward pod/clamd-2f58r 3310:3310. Afterwards I connected to localhost:3031 with telnet and scanned a file by running the command SCAN /var/lib/eicar/eicar.com.
The fake malware file was detected:

clamd Wed Nov 24 17:07:20 2021 -> /var/lib/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND
clamd Wed Nov 24 17:07:20 2021 -> ~/var/lib/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND

But I think the configuration in Mattermost for the Antivirus plugin is still not right, since I’m getting the error "Unable to upload file fake-malware.txt. Rejected by plugin: File Scanning Server unreachable, contact your Mattermost administrator for assistance." when uploading a fake malware file. In the configuration of Mattermost I filled in localhost:3310, the same I used for telnet. It’s also not possible to reach localhost:3310 from my browser, so am I doing something wrong here?

Does anyone know how to tackle the cause of this issue? :frowning:
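
A scripted version of the telnet check described in the post, added here as an example and not part of the original post: it sends clamd's PING command over the TCP socket and parses a SCAN reply of the form `path: signature FOUND`. Run it from the host or pod where the Mattermost server runs, since the plugin opens its connection from there; the function names and the script name are made up for this example.

```python
import socket
import sys

def clamd_command(host, port, command, timeout=5.0):
    """Send one NUL-terminated ('z'-prefixed) clamd command, return the reply text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"z" + command.encode() + b"\0")
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = sock.recv(4096)
            if not chunk:          # peer closed before sending the terminator
                break
            reply += chunk
    return reply.rstrip(b"\0").decode(errors="replace").strip()

def probe(host, port, timeout=5.0):
    """Return (reachable, detail); reachable only if clamd answers PING with PONG."""
    try:
        reply = clamd_command(host, port, "PING", timeout)
    except OSError as exc:         # refused, timed out, or name did not resolve
        return False, f"{type(exc).__name__}: {exc}"
    return reply == "PONG", reply

def parse_scan_reply(reply):
    """Split a SCAN reply into (path, status, detail)."""
    if reply.endswith(": OK"):
        return reply[:-4], "OK", None
    if reply.endswith(" FOUND"):   # "<path>: <signature> FOUND"
        path, _, signature = reply[:-6].rpartition(": ")
        return path, "FOUND", signature
    if reply.endswith(" ERROR"):   # "<path>: <message> ERROR"
        path, _, message = reply[:-6].partition(": ")
        return path, "ERROR", message
    return None, "UNKNOWN", reply

if __name__ == "__main__":
    # Usage (hypothetical script name): python clamd_probe.py HOST PORT [PATH_ON_CLAMD_HOST]
    host, port = sys.argv[1], int(sys.argv[2])
    ok, detail = probe(host, port)
    print(f"{host}:{port} reachable={ok} ({detail})")
    if ok and len(sys.argv) > 3:
        print(parse_scan_reply(clamd_command(host, port, "SCAN " + sys.argv[3])))
    sys.exit(0 if ok else 1)
```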