# AV/YARA Scan Runbook (AIRGAP-AV-510-011)

Purpose: ensure every offline-kit bundle is scanned pre-publish and post-ingest, with deterministic reports and optional signatures.

## Inputs

- Bundle directory containing `manifest.json` and payload files.
- AV scanner (e.g., ClamAV) and optional YARA rule set available locally (no network).

## Steps (offline)

1. Scan all bundle files. Keep the exit status: clamscan returns 0 when clean, 1 when something was found, 2 on scanner errors, so a redirect alone does not tell you whether the scan succeeded:

```bash
clamscan -r --max-filesize=2G --max-scansize=4G --no-summary bundle/ > reports/av-scan.txt
echo "clamscan exit status: $?"   # 0 clean, 1 findings, 2 error
```

2. Convert the scan log to a structured report. clamscan prints one line per file (`<path>: OK` or `<path>: <Signature> FOUND`); the script maps those results onto the bundle's files, hashes each file, and writes `reports/av-report.json` with artifacts in sorted order so the output is deterministic:

```bash
python - <<'PY'
import hashlib, json, pathlib, re

root = pathlib.Path("bundle")
scan_log = pathlib.Path("reports/av-scan.txt")
out = pathlib.Path("reports/av-report.json")

# Collect detections from the clamscan log: "<path>: <Signature> FOUND"
findings = {}
for line in scan_log.read_text().splitlines():
    m = re.match(r"^(.*): (.+) FOUND$", line)
    if m:
        findings[pathlib.Path(m.group(1)).resolve()] = m.group(2)

report = {
    "scanner": "clamav",
    "scannerVersion": "1.4.1",            # take from `clamscan --version`
    "startedAt": "2025-12-02T00:02:00Z",  # record the actual scan window
    "completedAt": "2025-12-02T00:04:30Z",
    "status": "clean",
    "artifacts": [],
    "errors": []
}
for path in sorted(root.glob("**/*")):    # sorted: deterministic artifact order
    if path.is_file():
        h = hashlib.sha256(path.read_bytes()).hexdigest()
        detected = path.resolve() in findings
        report["artifacts"].append({
            "path": str(path.relative_to(root)),
            "sha256": h,
            "result": "malicious" if detected else "clean",
            "yaraRules": []
        })
if any(a["result"] != "clean" for a in report["artifacts"]):
    report["status"] = "findings"

# sort_keys + fixed indent + trailing newline: same input, same bytes, same hash
out.write_text(json.dumps(report, indent=2, sort_keys=True) + "\n")
PY
```

3. Validate the report against the schema. jq does not implement JSON Schema, so this check confirms the generated report is well-formed JSON and carries every top-level key the schema marks `required` (exit status is non-zero otherwise):

```bash
jq -e --slurpfile schema docs/airgap/av-report.schema.json \
  '(($schema[0].required // []) - keys) | length == 0' reports/av-report.json >/dev/null
```

4. Optionally sign the report (detached signature):

```bash
openssl dgst -sha256 -sign airgap-av-key.pem reports/av-report.json > reports/av-report.sig
```

5. Update `manifest.json`:

- Set `avScan.status` to `clean` or `findings`.
- `avScan.reportPath` and `avScan.reportSha256` must match the generated report (hash the exact bytes written in step 2).

## Acceptance checks

- Report validates against `docs/airgap/av-report.schema.json`.
- `manifest.json` hashes updated and verified via `src/AirGap/scripts/verify-manifest.sh`.
- If any artifact result is `malicious`/`suspicious`, the bundle must be rejected and re-scanned after remediation.
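Steps 3 to 5 and the acceptance checks above can be exercised together in one script. The following is an added example, not part of the runbook or the AirGap project code: it carries a constructed minimal schema (the real `docs/airgap/av-report.schema.json` is not reproduced on this page, so only the fields the runbook names are modelled), a small JSON-Schema-subset validator (`type`, `required`, `properties`, `enum`, `items`), the manifest `avScan` update computed over the report's serialized bytes, and the acceptance decision that rejects hash mismatches and any `malicious`/`suspicious` artifact. The sample reports and the `bundleId` key are constructed for the demonstration.

```python
import hashlib
import json

# Constructed minimal schema (assumption: stands in for docs/airgap/av-report.schema.json).
AV_REPORT_SCHEMA = {
    "type": "object",
    "required": ["scanner", "scannerVersion", "startedAt", "completedAt",
                 "status", "artifacts", "errors"],
    "properties": {
        "status": {"type": "string", "enum": ["clean", "findings"]},
        "artifacts": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["path", "sha256", "result", "yaraRules"],
                "properties": {
                    "result": {"type": "string",
                               "enum": ["clean", "suspicious", "malicious"]},
                    "yaraRules": {"type": "array"},
                },
            },
        },
        "errors": {"type": "array"},
    },
}

_TYPES = {"object": dict, "array": list, "string": str}


def validate(schema, doc, path="$"):
    """Tiny JSON-Schema subset; returns a list of problems (empty list == valid)."""
    t = schema.get("type")
    if t and not isinstance(doc, _TYPES[t]):
        return [f"{path}: expected {t}"]
    problems = []
    if "enum" in schema and doc not in schema["enum"]:
        problems.append(f"{path}: {doc!r} not in {schema['enum']}")
    if isinstance(doc, dict):
        for key in schema.get("required", []):
            if key not in doc:
                problems.append(f"{path}.{key}: missing")
        for key, sub in schema.get("properties", {}).items():
            if key in doc:
                problems += validate(sub, doc[key], f"{path}.{key}")
    if isinstance(doc, list) and "items" in schema:
        for i, item in enumerate(doc):
            problems += validate(schema["items"], item, f"{path}[{i}]")
    return problems


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serialize(report) -> bytes:
    # Deterministic bytes: sorted keys, fixed indent, trailing newline.
    return (json.dumps(report, indent=2, sort_keys=True) + "\n").encode()


def update_manifest(manifest, report_bytes, report_path="reports/av-report.json"):
    """Step 5: fill avScan from the report; the hash covers the exact bytes on disk."""
    report = json.loads(report_bytes)
    updated = dict(manifest)
    updated["avScan"] = {
        "status": report["status"],
        "reportPath": report_path,
        "reportSha256": sha256_hex(report_bytes),
    }
    return updated


def acceptance_check(manifest, report_bytes):
    """Acceptance checks: schema, manifest/report agreement, no malicious/suspicious artifacts."""
    report = json.loads(report_bytes)
    reasons = validate(AV_REPORT_SCHEMA, report)
    av = manifest.get("avScan", {})
    if av.get("reportSha256") != sha256_hex(report_bytes):
        reasons.append("manifest avScan.reportSha256 does not match report")
    if av.get("status") != report.get("status"):
        reasons.append("manifest avScan.status disagrees with report")
    artifacts = report.get("artifacts", [])
    bad = [a.get("path") for a in artifacts
           if isinstance(a, dict) and a.get("result") in ("malicious", "suspicious")]
    if bad:
        reasons.append("reject bundle, findings in: " + ", ".join(map(str, bad)))
    return (not reasons, reasons)


# Constructed sample reports (values are illustrative, not real scan output).
CLEAN_REPORT = {
    "scanner": "clamav", "scannerVersion": "1.4.1",
    "startedAt": "2025-12-02T00:02:00Z", "completedAt": "2025-12-02T00:04:30Z",
    "status": "clean",
    "artifacts": [{"path": "payload/app.tar", "sha256": "a" * 64,
                   "result": "clean", "yaraRules": []}],
    "errors": [],
}
FINDINGS_REPORT = {**CLEAN_REPORT, "status": "findings",
                   "artifacts": [{**CLEAN_REPORT["artifacts"][0], "result": "malicious"}]}

if __name__ == "__main__":
    clean_bytes = serialize(CLEAN_REPORT)
    manifest = update_manifest({"bundleId": "constructed-001"}, clean_bytes)
    print("clean bundle:", acceptance_check(manifest, clean_bytes))
    # Report replaced after the manifest was written: hash mismatch plus findings.
    print("swapped report:", acceptance_check(manifest, serialize(FINDINGS_REPORT)))
```

The manifest hash is taken over the bytes that `serialize` produces, not over a re-parsed dict, which is why the same serializer settings (sorted keys, fixed indent) must be used in step 2 and here; otherwise `reportSha256` verification fails for reports that are semantically identical.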
## References

- Manifest schema: `docs/airgap/manifest.schema.json`
- Sample report: `docs/airgap/samples/av-report.sample.json`
- Manifest verifier: `src/AirGap/scripts/verify-manifest.sh`