SOLVED Clamav daemon vs Daily Scan

Michaelit

Well-Known Member
Aug 5, 2015
71
9
58
Greece
cPanel Access Level
Root Administrator
Hello all,
I would like to read your opinion about using a cron.daily task that runs
clamscan -r -i --remove /home/$USER
instead of running the clamav daemon all the time. Will I miss any functionality that the daemon offers while running which clamscan will not be able to provide?

The reason I settled on this option is RAM consumption. Clamd needs up to 2 GB of the 4 GB total available.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,216
363
instead of running the clamav daemon all the time. Will I miss any functionality that the daemon offers while running which clamscan will not be able to provide?
Hello,

The main functionality you will lose is the automatic scanning of inbound messages through Exim, and the automatic scanning of files uploaded through the File Manager option in cPanel. In the case of email, an affected message could reach the local email user's inbox before the cron job runs. Note that if you do prefer to set up a cron job instead, we document an example of a specific command you can use at:

Configure ClamAV Scanner - Version 70 Documentation - cPanel Documentation

Thanks!
 

Michaelit
Thank you very much @cPanelMichael,
Although clamd automatically scanned inbound messages through Exim, and the uploaded files through File Manager, it never informed me by email or automatically deleted them. I had to scan manually, find the infected files and remove them or send them to quarantine.

I added the cron job as you suggested. Can you please help me change the output:
----------- SCAN SUMMARY -----------
Known viruses: 11072145
Engine version: 0.99.2
Scanned directories: 559
Scanned files: 6801
Infected files: 0
Data scanned: 2020.70 MB
Data read: 662.09 MB (ratio 3.05:1)
Time: 372.212 sec (6 m 12 s)

----------- SCAN SUMMARY -----------
Known viruses: 11072145
Engine version: 0.99.2
Scanned directories: 868
Scanned files: 7985
Infected files: 0
Data scanned: 859.52 MB
Data read: 379.70 MB (ratio 2.26:1)
Time: 643.993 sec (10 m 43 s)
to the one quoted below. I just want to know which domain each scan summary refers to.
Domain: test1.com
----------- SCAN SUMMARY -----------
Known viruses: 11072145
Engine version: 0.99.2
Scanned directories: 559
Scanned files: 6801
Infected files: 0
Data scanned: 2020.70 MB
Data read: 662.09 MB (ratio 3.05:1)
Time: 372.212 sec (6 m 12 s)

Domain: test2.com
----------- SCAN SUMMARY -----------
Known viruses: 11072145
Engine version: 0.99.2
Scanned directories: 868
Scanned files: 7985
Infected files: 0
Data scanned: 859.52 MB
Data read: 379.70 MB (ratio 2.26:1)
Time: 643.993 sec (10 m 43 s)
Thank you!
 

cPanelMichael
Although clamd automatically scanned inbound messages through Exim, and the uploaded files through File Manager, it never informed me by email or automatically deleted them. I had to scan manually, find the infected files and remove them or send them to quarantine.
If ClamAV detects a virus during a File Manager upload attempt, then the upload attempt will fail. Additionally, incoming emails in which ClamAV detects a virus should be rejected. If you are manually scanning the accounts and finding viruses, it's likely the files were uploaded through another method (e.g. FTP, PHP scripts).

to the one quoted below. I just want to know which domain each scan summary refers to.
The ClamAV scanner won't separate the output on a per-account basis with the command referenced in our documentation. Instead, you'd need to review the /root/infections.txt file to see the file paths of the infected files.

Thank you.
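One way to get the per-domain view asked for above without changing the clamscan command: read the infections file cPanelMichael mentions and join the /home/<user>/ path prefix with cPanel's /etc/userdomains ("domain: user" lines). This is an added example, not cPanel's own tooling; the FOUND lines and userdomains entries below are constructed samples.

```python
# Added example: group clamscan FOUND lines by cPanel account and its domains.
# Assumes the cron job writes clamscan output to /root/infections.txt (per the
# thread) and that /etc/userdomains holds "domain: user" lines as cPanel writes it.
import re
from collections import defaultdict

# Constructed sample of the FOUND lines clamscan writes (one per hit).
SAMPLE_INFECTIONS = """\
/home/user1/mail/test1.com/info/cur/1513714881.M967064P4072.SERVER,S=2739480,W=2775118:2,S: Win.Dropper.Generic-6518763-0 FOUND
/home/user2/public_html/uploads/x.php: Php.Malware.Agent-1 FOUND
/home/user1/public_html/a.txt: Eicar-Test-Signature FOUND
"""

# Constructed sample of /etc/userdomains ("domain: user").
SAMPLE_USERDOMAINS = """\
test1.com: user1
test2.com: user2
*: nobody
"""

# Maildir file names contain ':' and ',', so anchor on the trailing ': <sig> FOUND'.
FOUND_RE = re.compile(r"^(?P<path>/home/(?P<user>[^/]+)/.*): (?P<sig>\S+) FOUND$")

def load_userdomains(text):
    """Map cPanel user -> list of domains, skipping the '*' catch-all entry."""
    domains = defaultdict(list)
    for line in text.splitlines():
        domain, sep, user = (s.strip() for s in line.partition(":"))
        if sep and domain != "*":
            domains[user].append(domain)
    return domains

def group_infections(infections_text, userdomains_text):
    """Return {user: {"domains": [...], "hits": [(path, signature), ...]}}."""
    domains = load_userdomains(userdomains_text)
    report = {}
    for line in infections_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue  # summary lines, 'Removed.' lines, paths outside /home
        entry = report.setdefault(m["user"], {"domains": domains.get(m["user"], []), "hits": []})
        entry["hits"].append((m["path"], m["sig"]))
    return report

def render(report):
    """Format the report as one 'Account / Domains' block per cPanel account."""
    lines = []
    for user in sorted(report):
        lines.append(f"Account: {user}  Domains: {', '.join(report[user]['domains']) or '-'}")
        lines.extend(f"  {sig}  {path}" for path, sig in report[user]["hits"])
    return "\n".join(lines)
```

On a live server, read /root/infections.txt and /etc/userdomains into the two arguments of group_infections and print render() of the result.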
 

Michaelit
Thank you @cPanelMichael for your complete answers.

Additionally, incoming emails in which ClamAV detects a virus should be rejected. If you are manually scanning the accounts and finding viruses, it's likely the files were uploaded through another method (e.g. FTP, PHP scripts).
I performed a test today in order to prove the opposite. Please see that the clamd service is up and running.
[screenshot: clamd_service.png]

When I completed the scan manually through the cPanel interface, I found a virus in the inbox of info[at]mydomain[dot]com.
[screenshot: file_email.png]
 

cPanelMichael
Hello @Michaelit,

Could you search for that message in /var/log/exim_mainlog and let us know the output? Here's a command to use:

Code:
exigrep "$SUBJECT" /var/log/exim_mainlog*
Replace $SUBJECT with the subject of the affected message with the virus that's noted in your screenshot.

Thank you.
 

Michaelit
Can you please help me retrieve the subject from the infected file, e.g.:
mail/DOMAIN.TLD/info/cur/1513714881.M967064P4072.SERVERINFO,S=2739480,W=2775118:2,S
 

cPanelMichael
Hello,

If the message still exists, you can view the message from the command line to obtain information such as the message subject. EX:

Code:
cat /home/username/mail/DOMAIN.TLD/info/cur/1513714881*
Thank you.
 

cPanelMichael
Hello,

That's the data associated with the attachment. Try using a command like this to see the first 10 lines:

Code:
head -10 /home/username/mail/DOMAIN.TLD/info/cur/1513714881*
Thank you.
 

cPanelMichael
Hello @Michaelit,

The date of the message shows 12-19-2017, so it's likely your Exim log has been rotated since that time. You can check to see if any of your older Exim logs exist with a command such as this:

Code:
ls -al /var/log/exim_mainlog*
If you see an archived Exim log from December, then you could extract the archived log and then search it for the message using a similar command. EX:

Code:
exigrep "confirm payment slip" /path/to/extracted_exim_mainlog
Thank you.
 

Michaelit
Unfortunately the oldest Exim log available is from April 15.
[screenshot: exim_log.png]
This is weird, as I have scanned manually for infected files since December 2017 and have removed them all. Could it have been sent with a different date/time?

On the subject:
I looked for another infected file in this account and the Exim log returned results. Can I send you the results in a personal message?
This is a Win.Dropper.Generic-6518763-0 virus.
 

cPanelMichael
Hello @Michaelit,

Keep in mind it's also possible your manual scan detected a virus that was not yet included in the ClamAV virus database at the time the message was received.

I looked for another infected file in this account and the Exim log returned results. Can I send you the results in a personal message?
Yes, please feel free to do so.

Thank you.
 

cPanelMichael
Hello @Michaelit,

To summarize the conversation, it looks like clamscan detected the Win.Dropper.Generic-6518763-0 virus on that email. This particular virus definition was added to the ClamAV database on 05-02-2018:

Mailing List Archive: Signatures Published daily - 24535

Thus, since the email was sent on 04-23-2018, it wasn't detected by ClamAV at that time because the virus definition was not yet included in the ClamAV database.

Thank you.
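The two steps the thread walks through by hand, pulling the Subject out of a Maildir file (where cat and head show raw, possibly RFC 2047 encoded headers) to feed exigrep, and then checking whether the message arrived before the signature that later flagged it was published, as one added example. It is not a cPanel or ClamAV tool; the message, addresses and the 2018-05-02 publication date below are constructed from the values quoted in the thread.

```python
# Added example: extract exigrep search keys from a Maildir message and test
# whether delivery predates the signature's publication. Assumes the file under
# ~/mail/<domain>/<mailbox>/cur/ is a plain RFC 5322 message (sample constructed).
import email
import shlex
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample: RFC 2047 encoded Subject (shown raw by `head`) followed by
# a base64 attachment body, which is the bulk of what `cat` prints.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.invalid by server.example.invalid; Mon, 23 Apr 2018 09:15:02 +0300
Date: Mon, 23 Apr 2018 09:14:40 +0300
From: sender@example.invalid
To: info@example.invalid
Subject: =?UTF-8?B?Y29uZmlybSBwYXltZW50IHNsaXA=?=
Message-ID: <constructed-001@example.invalid>
Content-Type: application/octet-stream; name="slip.bin"
Content-Transfer-Encoding: base64

QUJD
"""

# Publication date of Win.Dropper.Generic-6518763-0 as stated in the thread.
SIGNATURE_PUBLISHED = datetime(2018, 5, 2, tzinfo=timezone.utc)

def message_headers(raw):
    """Return the decoded Subject, Message-ID and Date (aware datetime) of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "subject": str(msg["Subject"] or ""),
        "message_id": str(msg["Message-ID"] or ""),
        "date": parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None,
    }

def exigrep_command(headers, logs="/var/log/exim_mainlog*"):
    """Build the exigrep call from the thread, with the subject shell-quoted."""
    return f"exigrep {shlex.quote(headers['subject'])} {logs}"

def received_before_signature(headers, published=SIGNATURE_PUBLISHED):
    """True if the message arrived before the signature existed, i.e. clamd could
    not have flagged it at delivery time (the thread's conclusion)."""
    return headers["date"].astimezone(timezone.utc) < published
```

Searching on the Message-ID instead of the subject avoids false matches in exigrep when many messages share a subject.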