SOLVED Clamav daemon vs Daily Scan

Discussion in 'Security' started by Michaelit, Apr 27, 2018.

  1. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Hello all,
    I would like to hear your opinion about using a cron.daily task which runs
    Code:
    clamscan -r -i --remove /home/$USER
    instead of running the clamav daemon all the time. Will I miss any functionality that the daemon offers while running and that clamscan will not be able to provide?

    The reason I settled on this option is the RAM consumption. Clamd needs up to 2GB of the 4GB total available.

    Thank you.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The main functionality you will lose is the automatic scanning of inbound messages through Exim, and the automatic scanning of files uploaded through the File Manager option in cPanel. In the case of email, an affected message could reach the local email user's inbox before the cron job runs. Note that if you do prefer to set up a cron job instead, we document an example of a specific command you can use at:

    Configure ClamAV Scanner - Version 70 Documentation - cPanel Documentation

    Thanks!
     
  3. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Thank you a lot @cPanelMichael,
    Although clamd automatically scanned inbound messages through Exim, and the uploaded files through File Manager, it never informed me by email or automatically deleted them. I had to scan them manually, find the infected files and remove them or send them to quarantine.

    I added the cronjob as you suggested. Can you please help me change the output:
    to the one quoted below. I just want to know which domain the scan summary below points to.
    Thank you!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    If ClamAV detects a virus during a File Manager upload attempt, then the upload attempt will fail. Additionally, incoming emails in which ClamAV detects a virus should be rejected. If you are manually scanning the accounts and finding viruses, it's likely the files were uploaded through another method (e.g. FTP, PHP scripts).

    The ClamAV scanner won't separate the output on a per-account basis with the command referenced in our documentation. Instead, you'd need to review the /root/infections.txt file to see the file paths of the infected files.

    Thank you.
     
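    The documented command writes one combined report, so reviewing it per account means grouping the FOUND lines yourself. The helper below is an added example (not from the thread or cPanel's documentation): it reads a clamscan -i report such as /root/infections.txt on stdin and prints one line per cPanel account, working from the report (report-only scan) rather than deleting files, so findings can be reviewed before anything is removed. The account names, paths and the sample report are constructed.

```shell
#!/bin/sh
# Added example: group the FOUND lines of a "clamscan -r -i" report by
# cPanel account (the second path component under /home/), so each
# account's infected files can be reviewed and handled separately.

# Constructed sample in the format clamscan -i prints; paths and
# signature names are illustrative only.
SAMPLE_REPORT='/home/alice/public_html/up.php: Win.Dropper.Generic-6518763-0 FOUND
/home/alice/mail/example.tld/info/cur/1513714881.M967064P4072.SRV,S=2739480,W=2775118:2,S: Win.Dropper.Generic-6518763-0 FOUND
/home/bob/public_html/shell.php: Php.Malware.Agent-1234567-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3'

# Read a clamscan report on stdin and print "account<TAB>count", counting
# only lines that end in FOUND and whose path lives under /home/<account>/.
# The separator ": " is what clamscan puts between path and signature, so
# Maildir file names containing ":2,S" are still kept whole.
summarize_by_account() {
    awk -F': ' '
        / FOUND$/ && $1 ~ /^\/home\// {
            split($1, p, "/")        # p[3] is the account name
            count[p[3]]++
        }
        END { for (a in count) printf "%s\t%d\n", a, count[a] }
    ' | sort
}

# Print only the infected paths that belong to the account given as $1.
paths_for_account() {
    awk -F': ' -v acct="$1" '
        / FOUND$/ && index($1, "/home/" acct "/") == 1 { print $1 }
    '
}

# Usage: summarize_by_account < /root/infections.txt
printf '%s\n' "$SAMPLE_REPORT" | summarize_by_account
printf '%s\n' "$SAMPLE_REPORT" | paths_for_account alice
```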
  5. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Thank you @cPanelMichael for your complete answers.

    I performed a test today in order to prove the opposite. Please check that clamd service is up and running.
    clamd_service.png

    While I was completing the scan process manually through the cPanel interface, I found a virus in the inbox of info[at]mydomain[dot]com.
    file_email.png
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Michaelit,

    Could you search for that message in /var/log/exim_mainlog and let us know the output? Here's a command to use:

    Code:
    exigrep "$SUBJECT" /var/log/exim_mainlog*
    Replace $SUBJECT with the subject of the affected message with the virus that's noted in your screenshot.

    Thank you.
     
  7. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Can you please help me with how to retrieve the subject from the infected file, e.g.:
    mail/DOMAIN.TLD/info/cur/1513714881.M967064P4072.SERVERINFO,S=2739480,W=2775118:2,S
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    If the message still exists, you can view the message from the command line to obtain information such as the message subject. EX:

    Code:
    cat /home/username/mail/DOMAIN.TLD/info/cur/1513714881*
    Thank you.
     
  9. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Yes, the message exists. I ran the command and it returned a very long message like this (I quote a part of it):

    [Removed]

    What is it?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    That's the data associated with the attachment. Try using a command like this to see the first 10 lines:

    Code:
    head -10 /home/username/mail/DOMAIN.TLD/info/cur/1513714881*
    Thank you.
     
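    head -10 works when the header you need is near the top, but a message can have many headers, and a long Subject may be folded over two lines. The helper below is an added example (not from the thread or cPanel's documentation): it reads one header by name from a Maildir message file, stops at the blank line that ends the header block, and re-joins folded continuation lines, so none of the attachment data is printed. The sample message, its addresses and its Date are constructed.

```shell
#!/bin/sh
# Added example: read a single header (Subject, Date, ...) from a Maildir
# message file. Stops at the end of the header block and unfolds
# continuation lines, so the value comes back whole and the (possibly
# huge) attachment body is never shown.

# Constructed sample message; addresses, date and body are illustrative only.
SAMPLE_MSG=$(mktemp)
cat > "$SAMPLE_MSG" <<'EOF'
Return-path: <sender@example.invalid>
Date: Tue, 19 Dec 2017 19:41:21 +0000
From: "Accounts" <sender@example.invalid>
To: info@example.tld
Subject: confirm payment
 slip
Content-Type: application/octet-stream; name="slip.exe"
Content-Transfer-Encoding: base64

Subject: this line is body text, not a header
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF

# mail_header FILE NAME: print the unfolded value of header NAME
# (case-insensitive) from FILE, or nothing if the header is absent.
mail_header() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^$/ { exit }                      # blank line: end of header block
        /^[ \t]/ {                         # folded continuation of previous header
            if (found) { c = $0; sub(/^[ \t]+/, "", c); val = val " " c }
            next
        }
        {
            if (found) exit                # a new header started after our match
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == want) {
                found = 1
                val = substr($0, i + 1)
                sub(/^[ \t]+/, "", val)
            }
        }
        END { if (found) print val }
    ' "$1"
}

# Usage, as in the thread: get the Subject and Date to search exim_mainlog with.
mail_header "$SAMPLE_MSG" Subject    # prints: confirm payment slip
mail_header "$SAMPLE_MSG" Date
```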
  11. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Thank you @cPanelMichael,
    I finally figured it out. The subject was: confirm payment slip.
    subject.png

    I ran the command:
    Code:
    exigrep "confirm payment slip" /var/log/exim_mainlog*
    however I haven't received anything.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Michaelit,

    The date of the message shows 12-19-2017, so it's likely your Exim log has been rotated since that time. You can check to see if any of your older Exim logs exist with a command such as this:

    Code:
    ls -al /var/log/exim_mainlog*
    If you see an archived Exim log from December, then you could extract the archived log and then search it for the message using a similar command. EX:

    Code:
    exigrep "confirm payment slip" /path/to/extracted_exim_mainlog
    Thank you.
     
  13. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Unfortunately the oldest Exim log dates from April 15.
    exim_log.png
    This is weird, as I have scanned manually for infected files since December 2017 and have removed them all. Could it have been sent with a different date/time?

    On the subject:
    I looked for another infected file in this account and the exim log returned results. Can I send you the results in a personal message?
    This is a Win.Dropper.Generic-6518763-0 virus.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Michaelit,

    Keep in mind it's also possible your manual scan detected a virus that was not yet included in the ClamAV virus database at the time the message was received.

    Yes, please feel free to do so.

    Thank you.
     
  15. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    That's true.
    I sent the results through PM.

    Thank you.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,961
    Likes Received:
    1,821
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Michaelit,

    To summarize the conversation, it looks like clamscan detected the Win.Dropper.Generic-6518763-0 virus on that email. This particular virus definition was added to the ClamAV database on 05-02-2018:

    Mailing List Archive: Signatures Published daily - 24535

    Thus, since the email was sent on 04-23-2018, it wasn't detected by ClamAV at that time because the virus definition was not yet included in the ClamAV database.

    Thank you.
     
  17. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Thank you @cPanelMichael for your support.
    As it seems, it's urgent to set up a cron.daily job that scans all the accounts with a fully updated virus definition database.
     