DEV Community

Using Serverless to Scan Files with ClamAV in a Lambda Container

Joseph Sutton on August 19, 2021

In my previous post, I had used a lambda function with a designated lambda layer. The layer's binaries were created within a Docker image based fro...
 
Michael Mc Daid

I have a question, hope you might know more than me on this. Been stumped by this for a few days and only finding this post, which is absolutely awesome btw. You've really saved me here. I am trying to do the same thing minus the serverless stuff. I want to be able to use the API in a TypeScript project like this:

```typescript
import ClamScan from 'clamscan';

class ClamScanGetter {
  static initClamScan() {
    const clamScanOpts: ClamScan.Options = {
      // Use the clamscan binary (it must be installed and on the PATH)
      clamscan: {
        active: true,
      },
      preference: 'clamscan',
    };
    // init() returns a promise that resolves to the configured scanner
    return new ClamScan().init(clamScanOpts);
  }
}

const clamScan = await ClamScanGetter.initClamScan();
const scan = await clamScan.scanDir("/tmp");
```

If I install it this way would you know if this would work?

Joseph Sutton

As long as it's deployed and the binary is accessible, it should work.

AmRf

Thank you for sharing this great article. I am trying this in Java. How does the second stage of the Dockerfile recognize the installed package from layer-image? It just copies files over, but when I try to execute clamscan inside the image it does not see it as an executable. Looks like in multistage Docker we cannot run packages installed in an earlier stage, am I wrong here?

shyjurahim

Have you done this in Java? If so, can you please share the Java code here, if possible?
I'm also trying in Java with a Jenkins pipeline.

Joseph Sutton

This wasn't created in Java, nor are there any plans to do it in Java; however, it shouldn't be too difficult. 🙂

Marc Schleeweiß

Hey Joseph, I was playing around and got it to work almost immediately, huge thanks to you! Now my question is, is it normal that it takes around 30 seconds to scan a small file (image of 60 kb)? Or might there be anything wrong with my setup?

Joseph Sutton • Edited

The reason is that for each file scanned, the ClamAV binary has to boot up and load its virus definitions -- it taking ~30 seconds to do so sounds 100% accurate.

edit: The scans themselves take < 1s. It's always the initial boot.

I have plans to write another Serverless article on having a ClamAV daemon running in a Fargate-configured container sometime either before the end of this year or sometime next year. I've just been rather busy this year, as life tends to take up most of my time. 😁

I do have a Terraform one here, however: dev.to/sutt0n/scanning-files-with-...

Marc Schleeweiß

I was doing a console.log before and after execSync and there was a difference of 25 sec. Cold starting the lambda even took 60 seconds, I guess these extra 35 sec are what you mean by "boot up", but even a warm lambda took so long because (it seems like) the scanning itself takes forever. Appreciate your other post and will take a look, but I really liked the simplicity of this lambda which fits our needs perfectly.

Joseph Sutton • Edited

"Boot up" meaning the ClamAV binary has to first load the virus definitions before it scans the file upon execution, which takes around ~30 seconds. That's normal, funfortunately, ha.

amabrouk-zaizi

Hi Joseph, according to the README this: git clone github.com/sutt0n/serverless-clama...
is asking me for the username and password so I do not have it to clone it.

Joseph Sutton • Edited

The repo in the README wasn't correct. Thanks for letting me know.

kiruba3441

The yumdownloader is unable to find the clamav packages now.

Dude

Mac? Not x86 machine?

Specify the platform: `FROM --platform=linux/amd64 amazonlinux:2`

stackoverflow.com/questions/738262...

Joseph Sutton • Edited

My apologies for not paying attention to this, my notifications seem skewed. I'll update the repo code with this -- thank you!

Edit: This was actually done on a Mac initially. I'm going to assume that since M1 was released, some packages' archs have been modified / changed a bit.

Dude

I updated a working copy to AWS SDK3. github.com/jrobens/serverless-clam.... Change to build.sh.

I also updated to TypeScript/v3 AWS SDK.

Skaria Verghese

This is awesome! So the virus definitions are updated during build?

Joseph Sutton

Sorry for the late response -- yes, IIRC, the virus definitions are only updated when it's built/deployed.
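
Since the definitions in the image only change on build/deploy, as the reply above says, their age grows until the next deploy. The following is an added example, not code from the article or its repository: it parses the one-line banner printed by `clamscan --version` and fails closed when the signature database is missing or older than a threshold. The function names, the sample banners, the sample clock and the 7-day limit are assumptions chosen for illustration.

```javascript
// Added example (not from the article or its repo).
// Input: the banner from `clamscan --version`, of the form
//   ClamAV <engine>/<db version>/<db build date, ctime format>
// Assumption: the date is read as UTC (Lambda's default timezone).
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
const BANNER_RE =
  /^ClamAV ([\w.\-]+)\/(\d+)\/\w{3} (\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4})$/;

function parseClamVersion(line) {
  const m = BANNER_RE.exec(String(line).trim());
  if (!m) return null; // banner carries no database fields
  const month = MONTHS.indexOf(m[3]);
  if (month < 0) return null;
  return {
    engine: m[1],
    dbVersion: Number(m[2]),
    dbDate: new Date(Date.UTC(+m[8], month, +m[4], +m[5], +m[6], +m[7])),
  };
}

// Returns { ok, ageDays, reason }. An unparseable banner or a database
// dated in the future is treated as "do not trust this scanner".
function checkDefinitions(line, now, maxAgeDays) {
  const info = parseClamVersion(line);
  if (!info) {
    return { ok: false, ageDays: null, reason: 'no signature database reported' };
  }
  const ageDays = Math.floor((now - info.dbDate) / 86400000);
  if (ageDays < 0) {
    return { ok: false, ageDays, reason: 'database date is in the future' };
  }
  if (ageDays > maxAgeDays) {
    return { ok: false, ageDays, reason: `definitions are ${ageDays} days old` };
  }
  return { ok: true, ageDays, reason: 'definitions are current' };
}

// Constructed sample inputs (not captured from a real deployment).
const SAMPLE_BANNER = 'ClamAV 0.103.3/26268/Thu Aug 19 10:21:05 2021';
const SAMPLE_NO_DB = 'ClamAV 0.103.3';
const SAMPLE_NOW = new Date(Date.UTC(2021, 8, 30)); // 2021-09-30T00:00:00Z

console.log(checkDefinitions(SAMPLE_BANNER, SAMPLE_NOW, 7));  // stale
console.log(checkDefinitions(SAMPLE_BANNER, SAMPLE_NOW, 60)); // current
console.log(checkDefinitions(SAMPLE_NO_DB, SAMPLE_NOW, 7));   // no database
```

In a handler, the banner would come from running `clamscan --version` once at start-up, and a failed check would reject the upload or raise an alarm rather than report the file as clean.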