Automatic user-based email script for clamavconnector plugin


For our servers I created a simple automation script which uses the ClamAV Connector plug-in available through WHM. The idea is based on the suggestions made by cPanel:
Security and Virus Scanning in WHM

The cronjob mentioned on the above page performs a scan on a per-account basis. I transferred this concept into a per-account email warning sent to the user's contact email and the server administrator. An email will be sent only if an infection is found. This way detecting hacked websites is faster.

For anybody that finds this useful here's a little tutorial:

First make sure the ClamAV plug-in is installed and running. The below script can be created with any user you prefer, but must be executed by the root user.

Go to your preferred custom scripts directory and create the following file:
vi clamscan_daily
Paste the following code in the file and adjust the 3 email params as needed:

#!/bin/bash

# Set default TO email
# This is a fall-back in case the user has no contact email
# (the addresses are obscured in the post; replace all three with your own)
EMAIL_TO="[email protected]"

# Set BCC email
# Use this to get a copy of all sent-out warnings
EMAIL_BCC="[email protected]"

# Set FROM email
# Use this to add a reply address for your customers or use a no-reply address
EMAIL_FROM="[email protected]"

run_scan () {

  # Get the server's hostname
  HOSTNAME=$(hostname)

  # One pass per cPanel account listed in /etc/userdomains
  for i in $(awk '!/nobody/{ print $2 }' /etc/userdomains | sort -u)
  do

    # Create tmp file
    TMPFILE=$(mktemp clamscan-result.XXXXXXXXXX) || continue

    # Get user email. Start from the default on every pass so an account
    # without a contact email never inherits the previous account's address.
    RCPT="$EMAIL_TO"
    if [ -f "/home/$i/.contactemail" ]
    then
      # First line only: the file is written by the account owner
      RCPT=$(head -n 1 "/home/$i/.contactemail")
    fi

    # Prepare email headers
    echo "To: $RCPT" >> "$TMPFILE"
    echo "Bcc: $EMAIL_BCC" >> "$TMPFILE"
    echo "From: $EMAIL_FROM" >> "$TMPFILE"
    echo "Subject: $HOSTNAME: Virus detected on account: $i" >> "$TMPFILE"
    echo "Importance: High" >> "$TMPFILE"
    echo "X-Priority: 1" >> "$TMPFILE"
    # An empty line ends the headers
    echo "" >> "$TMPFILE"

    # Prepare email body
    echo "Attention! Your action is required. Please delete the following infected files:" >> "$TMPFILE"
    echo " " >> "$TMPFILE"

    # Start scanning the user's home directory
    /usr/bin/clamscan -i -r "/home/$i" >> "$TMPFILE"

    # Check the last set of results.
    # If the 'Infected files' count isn't zero, we have a problem.
    # (Matching a leading 1-9 also catches counts such as 10 or 20.)
    if tail -n 12 "$TMPFILE" | grep -q '^Infected files: [1-9]'
    then
      sendmail -t < "$TMPFILE"
    fi

    # clean-up tmp file
    rm -f "$TMPFILE"
  done
}

run_scan


Save the file and make it executable:
chmod +x clamscan_daily
Edit the crontab (crontab -e) and add the following cronjob:
30 5 * * * /path/to/your/clamscan_daily > /dev/null 2>&1
It's advised to configure the execution time of the above script about 10 minutes after your ClamAV update run (/usr/bin/freshclam) to make sure you have the latest definitions. It is also possible to run this more than once per day, but since running ClamAV results in a higher load it's best to run it during off-peak hours.

I hope this will help you a bit in protecting your servers.
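
The script above runs as root, takes the To: address from a file each account owner can write, and decides whether to send mail by matching clamscan's summary text. As an added example (not part of the original post; the function names and sample data are made up here), these two helpers accept only a single plain address from .contactemail and read the infected count as a number:

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make the bracket ranges below byte-exact

# Print the account's contact address if it is one plain address, else the fallback.
# $1 = path to the user's .contactemail, $2 = fallback address
safe_contact_email () {
  file=$1; fallback=$2; addr=
  # The file belongs to the account owner and is read by root:
  # skip symlinks and take the first line only.
  if [ -f "$file" ] && [ ! -L "$file" ]; then
    addr=$(head -n 1 "$file" | tr -d '\r')
  fi
  case $addr in
    *[!A-Za-z0-9._%+@-]*) addr= ;;   # spaces, commas, colons, control bytes
    *@*@*|@*|*@)          addr= ;;   # more than one @, or an empty side
    *@*.*)                ;;         # local@domain.tld shape: accept
    *)                    addr= ;;   # anything else, including empty
  esac
  printf '%s\n' "${addr:-$fallback}"
}

# Print the number from clamscan's "Infected files: N" summary line (0 if absent).
# $1 = report file
infected_count () {
  n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1)
  printf '%s\n' "${n:-0}"
}

# Constructed sample input: a summary with 10 hits and a contact file
# holding more than one line.
demo () {
  d=$(mktemp -d) || return 1
  printf 'Scanned files: 412\nInfected files: 10\n' > "$d/report"
  printf 'user@example.com\nBcc: other@example.net\n' > "$d/contact"
  echo "infected: $(infected_count "$d/report")"
  echo "to: $(safe_contact_email "$d/contact" fallback@example.com)"
  rm -rf "$d"
}
demo
```

The address check is a conservative shape test, not full RFC 5322 validation; anything it rejects goes to the fallback address instead of into the mail headers.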
Last edited:
May 14, 2018
cPanel Access Level
Reseller Owner

Is there any way that our resellers can directly run this script at their end or with a cPanel user directly?

This can help low cost resellers to protect their client accounts from getting infected...Thank you