clamav cpanel plugin notify if infection found

jeffschips

Well-Known Member
Jun 5, 2016
239
30
78
new york
cPanel Access Level
Root Administrator
Hello.

Wondering if it's possible to have the cPanel ClamAV plugin install notify something, anything, whatever when it finishes the scan? Currently it just finishes without any notices whatsoever, which is not very useful. I've installed eicar.com in various locations in my home directory to test it and 1) it doesn't seem to recognize it as found nor 2) do any notifications.

I know the scan is running because ps | grep clam shows the process then it is gone a while later.

Thanks.
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,051
106
118
Houston, TX
cPanel Access Level
Root Administrator
Hello! While there's no innate way within cPanel to have a notification sent every time a scan finishes regardless of results, it should be easy to configure a cronjob that does this. First, the following article should help with the base of the cronjob.


Then, I found a UnixExchange discussion that very usefully discusses how to have notifications sent upon a process completing.


Let me know if you have any questions.
 

jeffschips

Thank you @cPanelAnthony

A script I found that works but only when I manually run from the command line is this one:


I believe that was NOT written for CentOS. Nevertheless it works fine from the command line, changing the directory to scan to /home/domain/public_html in the script and changing the location of the log file. Mail is dispatched and eicar files are reported.

However, issues arise when trying to automate the process with a cron job.

Running crontab -e
and entering the following line does not kick off the script:

minute hour * * * /root/scripts/clamscan.sh > /dev/null 2>&1

I have a feeling there is a setting unique to CentOS that I'm missing here.
 

jeffschips

Almost there:

Made a tweak to the clamscan.sh file changing:

clamscan -ri "$S" >> "$LOGFILE";

to

/usr/local/cpanel/3rdparty/bin/clamscan -ri "$S" >> "$LOGFILE";

and now the process does not fail and proceeds. However, this introduces another problem.

root 10104 1.4 31.7 1589716 1232960 ? Ssl Nov01 37:17 /usr/local/cpanel/3rdparty/bin/clamd -F
root 23330 0.0 0.0 113280 780 ? Ss 19:04 0:00 /bin/sh -c /root/clamscan.sh > /dev/null 2>&1
root 23331 0.0 0.0 113284 936 ? S 19:04 0:00 /bin/bash /root/clamscan.sh
root 23340 98.7 30.7 1303868 1191424 ? R 19:04 0:33 /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/domain/public_html/

There appear to be two instances of clamscan.sh running
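
A cron-safe wrapper for the scan discussed in this thread, as an added example that is not part of any post above and is not the script the poster found. It calls clamscan by the absolute path from the thread (cron runs with a minimal PATH), takes a lock so scheduled runs cannot overlap, and mails the log after every run. The LOGFILE, MAILTO and LOCKFILE values, the "run" argument and the availability of flock and mail on the server are assumptions.

```shell
#!/bin/bash
# Added example: cron-safe ClamAV scan with a notification after every run.
# Assumed values (not from the thread): LOGFILE, MAILTO, LOCKFILE.
CLAMSCAN=/usr/local/cpanel/3rdparty/bin/clamscan   # absolute path, cron's PATH is minimal
SCAN_DIR=${SCAN_DIR:-/home/domain/public_html}
LOGFILE=${LOGFILE:-/var/log/clamscan-cron.log}
MAILTO=${MAILTO:-root}
LOCKFILE=${LOCKFILE:-/var/run/clamscan-cron.lock}

# Map clamscan's exit status to a label: 0 = no virus, 1 = virus found, else error.
scan_status() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        *) echo ERROR ;;
    esac
}

# Print infected paths from "clamscan -ri" output.
# A hit line looks like: /path/to/file: Signature-Name FOUND
infected_files() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

# Build the mail subject from status, hit count and host name.
mail_subject() {
    printf '[clamscan] %s on %s: %s infected file(s)\n' "$1" "$3" "$2"
}

run_scan() {
    # Hold an exclusive lock for the whole scan; a second run exits at once.
    exec 9>"$LOCKFILE"
    flock -n 9 || { echo "previous scan still running" >&2; return 3; }
    "$CLAMSCAN" -ri "$SCAN_DIR" >"$LOGFILE" 2>&1
    rc=$?
    status=$(scan_status "$rc")
    count=$(infected_files "$LOGFILE" | wc -l | tr -d ' ')
    # Mail on every run, clean or not, so a silent finish never happens.
    mail -s "$(mail_subject "$status" "$count" "$(hostname)")" "$MAILTO" <"$LOGFILE"
    return "$rc"
}

# The cron entry passes "run"; without it only the functions are defined.
if [ "${1:-}" = run ]; then run_scan; fi
```

In the crontab the command would be /root/scripts/clamscan.sh run, using the script path from the thread.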