cloudina/hawk

Multi Cloud Antivirus Scanning API using YARA and CLAMAV for AWS S3, Azure Blob Storage and GCP Cloud Storage

HAWK

Introduction

Multi Cloud antivirus scanning API based on CLAMAV and YARA for AWS S3, AZURE Blob Storage, GCP Cloud Storage.

Features

• Microservice for scanning stream with YARA and CLAMAV
• Scans S3 Bucket Object
• Moves Clean S3 Objects to another S3 Bucket
• Quarantines Infected S3 Objects to another S3 Bucket
• CLAMAV DB auto is updated to latest
• [TODO] AZURE and GCP support
• [TODO] Merge Various YARA rules to one set
• [TODO] Auto Update YARA rules
• [TODO] Support Yextend
• [TODO] Improve Logging using logrus [https://github.com/antonfisher/nested-logrus-formatter]
• [TODO] Harden Image

API

Available API are

POST /scanstream - scan stream

POST -d '{"bucketname": $S3_BUCKET "key": $S3_OBJECT }' /s3/scanfile - scan s3 file

GET /ruleset/ - list all loaded ruleset

GET /ruleset/{ruleset} - list all rules from a loaded rule

GET /metrics - get metrics
GET /health - get health info 
GET / - get index

Installation

Automated builds of the image are available on Registry and is the recommended method of installation.

docker pull hub.docker.com/cloudina/hawk:(imagetag)

The following image tags are available:

• latest - Most recent release of ClamAV with REST API

Quick Start

Run hawk docker image:

docker run -p 9000:9999 -itd --name hawk cloudina/hawk

Test that service detects common test virus signature:

HTTP

$  curl --data "@./testsamples/request/s3filescan" http://0.0.0.0:9000/s3/scanfile -H 'Content-Type: application/json'

{"filename":"stream","matches":[{"Rule":"Win.Test.EICAR_HDB-1","namespace":"","tags":null}],"status":"INFECTED"}%                                   

$  curl --data "@./testsamples/scanfiles/eicar" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'

{"filename":"stream","matches":[{"Rule":"Win.Test.EICAR_HDB-1","namespace":"","tags":null}],"status":"INFECTED"}                           

$ curl --data "@./testsamples/scanfiles/hello.txt" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'

{"filename":"stream","matches":[],"status":"CLEAN"} 

                                                                                         

Networking

Port	Description
3310	ClamD Listening Port
9999	HAWK Container Port

Debug

For debugging the running container

docker exec -it (whatever your container name is e.g. hawk) /bin/ash

Build

For building

docker build -t (whatever your image name is e.g. hawk) .

Prebuild Image

docker pull cloudina/hawk

Acknowledgements

• yarascanner
• clamscanner

References

• https://www.clamav.net
• https://virustotal.github.io/yara/