{"id":13747,"date":"2022-08-29T09:26:19","date_gmt":"2022-08-29T06:26:19","guid":{"rendered":"https:\/\/kifarunix.com\/?p=13747"},"modified":"2024-03-09T20:55:09","modified_gmt":"2024-03-09T17:55:09","slug":"send-alert-when-clamav-finds-infected-files-on-linux-systems","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/send-alert-when-clamav-finds-infected-files-on-linux-systems\/","title":{"rendered":"Send Alert When ClamAV Finds Infected Files on Linux Systems"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to send alert when ClamAV finds infected files on Linux systems. <a href=\"https:\/\/docs.clamav.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">ClamAV<\/a>&nbsp;is an opensource antivirus engine for detecting trojans, viruses, malware &amp; other malicious threats. It is a good idea to sent alerts whenever a malicious file is detected on the system. This enables you to take actions of analyzing the files and probably removing them from the system based on the results of the analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Send Alert When ClamAV Finds Infected Files on Linux Systems<\/h2>\n\n\n\n<p>In our <a href=\"https:\/\/kifarunix.com\/?s=install+clamav\" target=\"_blank\" rel=\"noreferrer noopener\">previous guides on ClamAV<\/a>, we learnt how to perform only one time scanning of the systems using ClamAV clamscan command line tool.<\/p>\n\n\n\n<p>We have also seen how to <a href=\"https:\/\/kifarunix.com\/visualize-clamav-scan-logs-on-elk-stack-kibana\/\" target=\"_blank\" rel=\"noreferrer noopener\">configure ClamAV to send scan events to ELK Stack Kibana for visualization<\/a>.<\/p>\n\n\n\n<p>In this setup, therefore, we will configure ELK stack to sent alerts using ElastAlert to analysts or system admins via the email whenever it receives events from ClamAV with evidence of infected files found on the systems rather than sending emails directly from the system where ClamAV is installed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Send ClamAV Alerts using ElastAlert<\/h3>\n\n\n\n<p>To proceed with this kind of alerting, you need to have already setup ELK stack and already processing ClamAV events well. Check the guide below on how to configure ClamAV to send scan events to ELK Stack Kibana for visualization.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/visualize-clamav-scan-logs-on-elk-stack-kibana\/\" target=\"_blank\" rel=\"noreferrer noopener\">Visualize ClamAV Scan Logs on ELK Stack Kibana<\/a><\/p>\n\n\n\n<p>Next, install ElastAlert on ELK Stack. You can check our previous guide on how to install ElastAlert.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-elk-stack-alerting-with-elastalert\/#install-elastalert\" target=\"_blank\" rel=\"noreferrer noopener\">Install ElastAlert on Linux<\/a><\/p>\n\n\n\n<p>If you are have Python 3.9, install ElastAlert2;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pip install elastalert2<\/code><\/pre>\n\n\n\n<p>Configure your system to be able to send emails. You can consult our tutorials on using Postfix with Gmail SMTP.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=postfix\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure Postfix Gmail SMTP relay<\/a><\/p>\n\n\n\n<p>Assuming you already installed ElastAlert, it is then time to configure it to send ClamAV alerts whenever an infected file is found on the scan report.<\/p>\n\n\n\n<p>Remember in our guide on how to <a href=\"https:\/\/kifarunix.com\/visualize-clamav-scan-logs-on-elk-stack-kibana\/\" target=\"_blank\" rel=\"noreferrer noopener\">visualize ClamAV alerts on ELK<\/a>, one could filter ClamAV events with infected files using the filter;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>infected_files_num is not 0<\/strong><\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>infected_files:&nbsp;exists<\/strong><\/code><\/pre>\n\n\n\n<p>Details for the infected files found event;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1916\" height=\"2725\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details.png\" alt=\"\" class=\"wp-image-13743\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details.png?v=1661601538 1916w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details-768x1092.png?v=1661601538 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details-1080x1536.png?v=1661601538 1080w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/infected-files-events-details-1440x2048.png?v=1661601538 1440w\" sizes=\"(max-width: 1916px) 100vw, 1916px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Based on the fields available above, we will configure ElastAlert to send an email alert when a match is found.<\/p>\n\n\n\n<p>Make a copy of the ElastAlert configuration file and update it for ClamAV alerts. This is our sample configuration<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/opt\/elastalert\/{config,-clamav}.yaml<\/code><\/pre>\n\n\n\n<p>If you installed via PIP, you can download example configuration file and rules from <a href=\"https:\/\/github.com\/Yelp\/elastalert\" target=\"_blank\" rel=\"noreferrer noopener\">Github repository<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/elastalert\/config-clamav.yaml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>rules_folder: example_rules\nrun_every:\n  minutes: 5\nbuffer_time:\n  minutes: 15\nes_host: 192.168.58.22\nes_port: 9200\nwriteback_index: elastalert_status\nwriteback_alias: elastalert_alerts\nalert_time_limit:\n  days: 2\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code><strong>rules_folder<\/strong><\/code>&nbsp;is where ElastAlert will load rule configuration files from, which in our case is&nbsp;<strong><code>\/opt\/elastalert\/example_rules<\/code><\/strong>.<\/li>\n\n\n\n<li><strong><code>run_every<\/code>&nbsp;<\/strong>is how often ElastAlert will query Elasticsearch index for the events specified in the alert.<\/li>\n\n\n\n<li><code><strong>buffer_time<\/strong><\/code>&nbsp;is the size of the query window, stretching backwards from the time each query is run.<\/li>\n\n\n\n<li><code><strong>es_host<\/strong><\/code>&nbsp;is the address of an Elasticsearch cluster where ElastAlert will store data about its state, queries run, alerts, and errors. Each rule may also use a different Elasticsearch host to query against.<\/li>\n\n\n\n<li><code><strong>es_port<\/strong><\/code>&nbsp;is the port corresponding to&nbsp;<code>es_host<\/code>.<\/li>\n\n\n\n<li><code><strong>writeback_index<\/strong><\/code>&nbsp;is the name of the index in which ElastAlert will store data. We will create this index later.<\/li>\n\n\n\n<li><code><strong>alert_time_limit<\/strong><\/code>&nbsp;is the retry window for failed alerts.<\/li>\n<\/ul>\n\n\n\n<p>ClamAV ElastAlert Rules file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/elastalert\/example_rules\/clamav-alert.yaml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>name: ClamAV Infected Files Report\ntype: frequency\nnum_events: 1\ntimeframe:\n  minutes: 1\nfilter:\n- query:\n    query_string:\n      query: \"infected_files: * AND NOT infected_files_num: 0\"\nindex: \"clamscan-*\"\nrealert:\n  minutes: 5\nquery_key:\n  - host.name\ninclude:\n  - host.name\n  - infected_files\n  - scan_start_time\n  - scan_end_time\n  - scan_time\n  - known_viruses\n  - engine_version\n  - scanned_directories\n  - scanned_files\n  - scanned_data_size\ninclude_match_in_root: true\nalert_subject_args:\n  - host.name\nalert_subject: \"ClamAV Scan Report for {}\"\nalert_text_args:\n  - host.name\n  - infected_files\n  - scan_start_time\n  - scan_end_time\n  - scan_time\n  - known_viruses\n  - engine_version\n  - scanned_directories\n  - scanned_files\n  - scanned_data_size\nalert_text: |-\n  Kindly find the ClamAV Scan report for {}\n\n  Details of the event:\n          - Infected Files: {}\n          - Scan Start Time: {}\n          - Scan End Time: {}\n          - Scan Time: {}\n          - Known Viruses: {}\n          - Scanner Engine Version: {}\n          - Scanned Directories: {}\n          - Scanned Files: {}\n          - Scanned Data Size: {} \nalert:\n  - email:\n     from_addr: \"elk@kifarunix-demo.com\"\n     email: \"mpolekip@gmail.com\"\nalert_text_type: alert_text_only\n<\/code><\/pre>\n\n\n\n<p>Consult <a href=\"https:\/\/elastalert.readthedocs.io\/en\/latest\/elastalert.html\" target=\"_blank\" rel=\"noreferrer noopener\">ElastAlert documentation<\/a> for more information on the configuration options used.<\/p>\n\n\n\n<p>Save and exit your rule.<\/p>\n\n\n\n<p>Run rule test to confirm if all good.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>elastalert-test-rule --config \/opt\/elastalert\/config-clamav.yaml \/opt\/elastalert\/example_rules\/clamav-alert.yaml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.\n            To send them but remain verbose, use --verbose instead.\nGot 421 hits from the last 0 day\n\nAvailable terms in first hit:\n\t@version\n\tdata_read_size\n\tlog.file.path\n\tlog.offset\n\tscanned_directories\n\tprogram\n\ttags\n\tknown_viruses\n\tscanned_files\n\tengine_version\n\tscanned_data_size\n\tscan_start_time\n\thost.ip\n\thost.name\n\thost.architecture\n\thost.os.type\n\thost.os.name\n\thost.os.platform\n\thost.os.kernel\n\thost.os.codename\n\thost.os.version\n\thost.os.family\n\thost.id\n\thost.containerized\n\thost.hostname\n\thost.mac\n\tinfected_files\n\tecs.version\n\tinput.type\n\tscan_end_time\n\t@timestamp\n\tinfected_files_num\n\tscan_time\n\tagent.type\n\tagent.name\n\tagent.id\n\tagent.version\n\tagent.hostname\n\tagent.ephemeral_id\n\nINFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.\n                To send them but remain verbose, use --verbose instead.\nINFO:elastalert:1 rules loaded\nINFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts\nINFO:elastalert:Queried rule ClamAV Infected Files Report from 2022-08-28 08:56 EAT to 2022-08-28 08:57 EAT: 1 \/ 1 hits\nINFO:elastalert:Alert for ClamAV Infected Files Report at 2022-08-28T05:56:55.056Z:\nINFO:elastalert:Kindly find the ClamAV Scan report for debian10\n\nDetails of the event:\n        - Infected Files: \/home\/kifarunix\/Downloads\/eicar_com.zip: Win.Test.EICAR_HDB-1\n\/home\/kifarunix\/Downloads\/wildfire-test-pe-file.exe: Win.Dropper.Bebloh-9954185-0 \n        - Scan Start Time: 2022:08:29 01:56:01\n        - Scan End Time: 2022:08:29 01:56:45\n        - Scan Time: 43.965 sec (0 m 43 s)\n        - Known Viruses: 8630854\n        - Scanner Engine Version: 0.103.6\n        - Scanned Directories: 52\n        - Scanned Files: 80\n        - Scanned Data Size: 1.83 MB \n\n\n\nWould have written the following documents to writeback index (default is elastalert_status):\n\nsilence - {'exponent': 0, 'rule_name': 'ClamAV Infected Files Report.debian10', '@timestamp': datetime.datetime(2022, 8, 29, 5, 57, 1, 990643, tzinfo=tzutc()), 'until': datetime.datetime(2022, 8, 29, 6, 2, 1, 990633, tzinfo=tzutc())}\n\nelastalert_status - {'rule_name': 'ClamAV Infected Files Report', 'endtime': datetime.datetime(2022, 8, 29, 5, 57, 1, 146070, tzinfo=tzutc()), 'starttime': datetime.datetime(2022, 8, 29, 5, 56, 0, 546070, tzinfo=tzutc()), 'matches': 1, 'hits': 1, '@timestamp': datetime.datetime(2022, 8, 29, 5, 57, 1, 991196, tzinfo=tzutc()), 'time_taken': 0.008098840713500977}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running ElastAlert<\/h3>\n\n\n\n<p>Once you have confirmed that your query is working fine, it is time to run ElastAlert.<\/p>\n\n\n\n<p>ElastAlert can be run as a daemon via supervisord or via Python.<\/p>\n\n\n\n<p>You can as well run it on standard output using the elastalert binary,&nbsp;<code><strong>\/usr\/local\/bin\/elastalert<\/strong><\/code>.<\/p>\n\n\n\n<p>For example, you run ElastAlert against all rules defined in the rules directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/local\/bin\/elastalert --verbose --config \/opt\/elastalert\/config.yaml<\/code><\/pre>\n\n\n\n<p>To specify a specific configuration and rules file, for example;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/local\/bin\/elastalert --verbose --config \/opt\/elastalert\/config-clamav.yaml --rule \/opt\/elastalert\/example_rules\/clamav-alert.yaml<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>INFO:elastalert:1 rules loaded\nINFO:elastalert:Starting up\nINFO:elastalert:Disabled rules are: []\nINFO:elastalert:Sleeping for 299.999937 seconds\nINFO:elastalert:Queried rule ClamAV Infected Files Report from 2022-08-28 08:21 EAT to 2022-08-28 08:36 EAT: 1 \/ 1 hits\nINFO:elastalert:Queried rule ClamAV Infected Files Report from 2022-08-28 08:36 EAT to 2022-08-28 08:51 EAT: 0 \/ 0 hits\nINFO:elastalert:Queried rule ClamAV Infected Files Report from 2022-08-28 08:51 EAT to 2022-08-28 08:54 EAT: 0 \/ 0 hits\nINFO:elastalert:Sent email to ['mpolekip@gmail.com']\nINFO:elastalert:Ran ClamAV Infected Files Report from 2022-08-28 08:21 EAT to 2022-08-28 08:54 EAT: 0 query hits (0 already seen), 1 matches, 1 alerts sent\nINFO:elastalert:ClamAV Infected Files Report range 1959\n<\/code><\/pre>\n\n\n\n<p>As you can see, an alert has been sent out.<\/p>\n\n\n\n<p>Sample receipt;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1859\" height=\"713\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-alerting.png\" alt=\"Send Alert When ClamAV Finds Infected Files on Linux Systems\" class=\"wp-image-13792\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-alerting.png?v=1661753659 1859w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-alerting-768x295.png?v=1661753659 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/clamav-elk-alerting-1536x589.png?v=1661753659 1536w\" sizes=\"(max-width: 1859px) 100vw, 1859px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Run ElastAlert as a systemd service<\/h3>\n\n\n\n<p>In our previous guide, you can check how to configure ElastAlert for specific alerting to run as a system service.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-elk-stack-alerting-with-elastalert\/#elastalert-systemd-service\" target=\"_blank\" rel=\"noreferrer noopener\">Run ElastAlert as systemd service<\/a><\/p>\n\n\n\n<p>And that concludes our guide on how to alert when ClamAV finds infected files on Linux Systems.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-prometheus-email-alerting-with-alertmanager\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Prometheus Email Alerting with AlertManager<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-grafana-email-alerting\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Grafana Email Alerting<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to send alert when ClamAV finds infected files on Linux systems. ClamAV&nbsp;is an opensource antivirus engine for detecting<\/p>\n","protected":false},"author":3,"featured_media":13794,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,34],"tags":[5715,5714,5716,5717,913,5713],"class_list":["post-13747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-security","tag-automate-clamav-alerts","tag-clamav-email-alerts","tag-clamav-email-notifications","tag-elastalert-email-notifications","tag-elk","tag-send-alert-when-clamav-finds-infected-files-on-linux-systems","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13747"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=13747"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13747\/revisions"}],"predecessor-version":[{"id":20599,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13747\/revisions\/20599"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/13794"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=13747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=13747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=13747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}