clamav scan /home and move infected files

[k-planethost]

how can i schedule a cron for clam av to scan /home in the morning and move the infected files to a specific directory?

[k-planethost]

i found some info on the net is it correct?centos are the boxes
mkdir /tmp/virus
clamscan -ri --move=/tmp/virus /home
on etc/crontab
for 3.11 in the morning should look like this
11 3 * * * root mkdir /tmp/virus ; clamscan -ri --log=var/log/clamscan.log --move=/tmp/virus/
correct?

[anjo2]

11 3 * * * clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus --scan-mail=no

This should work, you may not need to scan mails, so less time to search

[k-planethost]

on etc/crontab i have this command
11 3 * * * clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus
if i check /var/log/clamscan.log the file is empty
if i run the command manually clamscan.log appears ok
what can we wrong you think?

[cPanelTristan]

First of all, determine the path to clamscan:

Code:

whereis clamscan

Then change to that path:

Code:

11 3 * * * /pathto/clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus

Here you would replace /pathto/clamscan with the output from the prior "whereis clamscan" command.

Next, do you have the cron set to email you when it runs? If you do not, then in crontab -e or /var/spool/cron/root where you have the cron set, put the following above the entry:

Code:

MAILTO="email@mydomain.com"

Please replace email@mydomain.com with your email address. This should cause an email to be sent whenever the cron runs. If there are any errors for the cron to process, you should get those via that email.

[cPanelJerrySmith]

Hello,

I would recommend using the following:

11 3 * * * /usr/bin/clamscan -ir /home --exclude-dir='/home/virtfs|/home/.cpan|/home/.cpcpan' -l /var/log/clamscan.log --move=/tmp/virus

This will prevent the virtfs and CPAN directories from being scanned.

If you are using jailshell and do not exclude virtfs, you will get duplicate matches in your scan and some weird results with moving the files.

[k-planethost]

thanks for the update i correct the path and both of the commands appears to work

[k-planethost]

let me ask something else
on cpanel documentation i found this
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&

if i want to store the infections on /tmp/virus the cron command at /var/spool/cron/root should be

11 3 * * * for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus

correct?

[storminternet]

let me ask something else
on cpanel documentation i found this
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&

if i want to store the infections on /tmp/virus the cron command at /var/spool/cron/root should be

11 3 * * * for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus

correct?

In my view it should work but please ensure that /tmp is secured before you store viruses into it.

[k-planethost]

yes it is secured
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus
this command from ssh result me this
-bash: /tmp/virus: Is a directory

also today i recompile from source the new version of clamav Since i use mailscanner i recompile always according to this
Installing ClamAV with MailScanner
well the core box takes ages to scan and i have errors like this
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution

on clamd.conf
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 5000
i try to increase and decrease the BytecodeTimeout 5000 but server still returns the same errors
does anybody has any idea about this?

[cPanelTristan]

/tmp/virus will need to be a file rather than a folder for the command to function.

[k-planethost]

i correct it appears to work now

[storminternet]

i correct it appears to work now

Glad to know

[k-planethost]

LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution

this one i fix it the box is ok now something was wrong with the databases

another one server withClamAV - v0.97.3 i still observe this

LibClamAV Warning: cli_scanbzip: bzip2 support not compiled in
LibClamAV Warning: cli_scanbzip: bzip2 support not compiled in

i think clamscan misses some test files

Package bzip2-1.0.3-6.el5_5.x86_64 is already installed and latest version
do you think i have to recompile with --enable-bzip2 ?

tar -xzf clamav-*
cd clamav*
./configure --disable-zlib-vcheck --enable-bzip2
make
make install

any suggestions should be usefull

[storminternet]

Hi,

Try running freshclam and see if that fixed the error.