The Community Forums

Interact with an entire community of cPanel & WHM users!

clamav database directory path

Discussion in 'General Discussion' started by manokiss, Oct 26, 2016.

  1. manokiss

    manokiss Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    574
    Likes Received:
    0
    Trophy Points:
    316
    Hi, I'm trying to create a sigs exception and I'm not finding the clamav dbase path; it looks like it is not the default /var/lib/clamav. Can someone please provide me this information?

    Thanks in advance!
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    542
    Likes Received:
    39
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    You can check the /usr/local/cpanel/3rdparty/share/clamav/ directory for the clamav database.
     
  3. manokiss

    manokiss Well-Known Member

    Thanks very much!
     
  4. SysSachin

    SysSachin Well-Known Member

    Hello Manokiss,

    You are welcome.
    Please update here if you have any issue with this process.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,029
    Likes Received:
    1,277
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You can create the following file in order to whitelist virus definitions with ClamAV:

    Code:
    /usr/local/cpanel/3rdparty/share/clamav/local.ign2

    For example, if ClamAV detected a virus on a test.swf file like this:

    Code:
    # /usr/local/cpanel/3rdparty/bin/clamscan /home/123
    /home/123/test.swf: Swf.Exploit.CVE_2016_0968-1 FOUND

    You would run the following commands to whitelist that definition:

    Code:
    echo Swf.Exploit.CVE_2016_0968-1 >> /usr/local/cpanel/3rdparty/share/clamav/local.ign2
    /scripts/restartsrv_clamd

    Thank you.
     
  6. dcusimano

    dcusimano Member

    Joined:
    Feb 24, 2008
    Messages:
    10
    Likes Received:
    4
    Trophy Points:
    53
    Location:
    Toronto, Ontario, Canada
    I tried creating a local.ign2 file as indicated above to whitelist a particular signature but clamscan still detects it.

    [root@server ~]# /usr/local/cpanel/3rdparty/bin/clamscan --version
    ClamAV 0.99.2/23499/Thu Jun 22 21:12:26 2017
    [root@server ~]# echo "BC.Pdf.Exploit.CVE_2017_3033" >> /usr/local/cpanel/3rdparty/share/clamav/local.ign2
    [root@server ~]# /scripts/restartsrv_clamd
    [root@server ~]# /usr/local/cpanel/3rdparty/bin/clamscan MYFILE.pdf

    clamd says it restarted successfully.
    clamscan shows the same results with or without the local.ign2 file.
    local.ign2 contains only the one line as created above.

    Even though clamav is not from cPanel, any suggestions?
     
  7. dcusimano

    dcusimano Member

    clamscan debug information shows the following:

    [root@server ~]# /usr/local/cpanel/3rdparty/bin/clamscan --debug MYFILE.pdf 2>&1 | grep -e 'local.ign2' -e 'CVE_2017_3033'
    LibClamAV debug: /usr/local/cpanel/3rdparty/share/clamav/local.ign2 loaded
    LibClamAV debug: Bytecode 6311970.cbc(60) has logical signature: BC.Pdf.Exploit.CVE_2017_3033-6311970-3.{};Engine:76-255,Target:10;0;2f4a50584465636f6465
    LibClamAV debug: Bytecode 6316401.cbc(61) has logical signature: BC.Pdf.Exploit.CVE_2017_3033.{};Engine:76-255,Target:10;0;2f4a50584465636f6465
    LibClamAV debug: Bytecode found virus: BC.Pdf.Exploit.CVE_2017_3033
    LibClamAV debug: BC.Pdf.Exploit.CVE_2017_3033 found
    LibClamAV debug: FP SIGNATURE: a32e841105b6f53a6d85c9d8e57e2cb5:2626574:BC.Pdf.Exploit.CVE_2017_3033
    MYFILE.pdf: BC.Pdf.Exploit.CVE_2017_3033 FOUND

    So the ignore file local.ign2 is loaded but the signature is still being searched for and found.
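
One way to check an ignore list against scan results, covering both the whitelisting steps and the "listed but still detected" situation in the posts above. This is an added example, not part of the original thread and not cPanel or ClamAV tooling; the function names and the temporary file are hypothetical, and it assumes one bare signature name per line as in the `echo` command shown earlier.

```shell
#!/bin/sh
# Added example: helper names and the temp file are hypothetical.

# Extract unique signature names from clamscan result lines
# of the form "<path>: <name> FOUND".
detected_sigs() {
    sed -n 's/^.*: \([^ ][^ ]*\) FOUND$/\1/p' | sort -u
}

# Append a name to the ignore file only if that exact line is absent,
# so repeated runs do not pile up duplicate entries.
ignore_sig() {    # $1 = ignore file, $2 = signature name
    grep -Fxq -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# For each detection on stdin, report whether the ignore file lists it.
# "listed" = the signature fired even though it has an exact entry.
audit_ign2() {    # $1 = ignore file
    detected_sigs | while IFS= read -r sig; do
        if grep -Fxq -- "$sig" "$1" 2>/dev/null; then
            echo "listed $sig"
        else
            echo "unlisted $sig"
        fi
    done
}

# Constructed sample: result lines in the format quoted in the thread.
sample_scan() {
    printf '%s\n' \
        '/home/123/test.swf: Swf.Exploit.CVE_2016_0968-1 FOUND' \
        'MYFILE.pdf: BC.Pdf.Exploit.CVE_2017_3033 FOUND' \
        '/home/123/index.html: OK'
}

demo() {
    ign=$(mktemp) || return 1    # stands in for the real local.ign2
    ignore_sig "$ign" 'BC.Pdf.Exploit.CVE_2017_3033'
    ignore_sig "$ign" 'BC.Pdf.Exploit.CVE_2017_3033'   # no-op the second time
    sample_scan | audit_ign2 "$ign"
    rm -f "$ign"
}
demo
```

On a server like the one in the thread, `audit_ign2` would take clamscan's output on stdin and the local.ign2 path as its argument; a "listed" line narrows the problem to how the entry is applied rather than a typo in the name.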
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look.

    Thank you.
     