ClamAV not working as expected

keat63, Well-Known Member (joined Nov 20, 2014), cPanel Access Level: Root Administrator
Just of late, I've had a number of Word macro viruses being delivered to a user's mailbox.

I have ClamAV installed, but for whatever reason, this rarely detects viruses.

Last week, I conducted a few EICAR tests; these were picked up, so I guess ClamAV is working, but not working effectively.

Any suggestions or alternatives to ClamAV?
 

ES - George, Well-Known Member, PartnerNOC (joined Jun 12, 2011), UK, cPanel Access Level: DataCenter Provider
I'd recommend ensuring that your ClamAV definitions are updating properly. You can do this by running the following command via an SSH session:

/usr/local/cpanel/3rdparty/bin/freshclam

Also, have a look at Linux Malware Detect (commonly known as "Maldet"). It integrates nicely with ClamAV, and can actually use ClamAV's definitions alongside.

Outside of those two products, the good people at CloudLinux recently released a new, on-demand malware scanner called ImunifyAV, which you may like to research. Just note, though, that it's in Beta right now and so if you find rough edges using it, that might explain why.
 

keat63, Well-Known Member (joined Nov 20, 2014), cPanel Access Level: Root Administrator
I'm not sure the problem is down to scanning functionality, as ClamAV will detect the EICAR test; this leads me to believe that it's scanning.
I think the issue is it not detecting, either because the definitions are not any good or not up to date quickly enough.

I installed Maldet as suggested.
Is this primarily command-line initiated, or does it run in the background and do live scanning?

rpvw, Well-Known Member (joined Jul 18, 2013), UK, cPanel Access Level: Root Administrator
Whilst I am a big fan of ClamAV, it is apparent from using tools like VirusTotal to analyse files that ClamAV is consistently one of the last to include new (as in zero-day) definitions in its lists, especially when the malware targets Microsoft™ software.

I recommend that all users apply a second AV scanner on their own device (yes.... even if it is Scottish or an iSomething), and periodically rescan any mail that is stored on the server in order to benefit from definitions that have been released since the files were originally scanned.

In reality, my users never bother to scan their mailboxes on the server .... ever :( and are quite convinced that their devices, of whatever sort, are immune to getting infected or compromised, because someone in the pub told them so, and it was absolutely what they preferred to hear!

Perhaps the answer is to configure a cron job to run scans daily, as recommended in Configure ClamAV Scanner - Version 74 Documentation - cPanel Documentation, but this can significantly add to your server's memory and CPU overhead during the run, and since I am seeing the most ridiculously underpowered servers being deployed on VMs these days, one would have to experiment very carefully to establish whether a particular server could cope.

I have high expectations of CloudLinux's new ImunifyAV becoming an indispensable tool. ImunifyAV: The Free, Powerful, Malware Scanner (now in Beta for cPanel and DirectAdmin). Although this is still in Beta, it definitely is worth watching. (Full disclosure: I have NOT tried it, as I rarely deploy Beta software on a production server, so proceed at your own risk.)

If you can afford it (I can't, so again, I haven't tried it), the full-featured Imunify360 product, Imunify360 - Keeps Your Linux Web Servers Safe, would seem to be the way to go.
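Two of the suggestions in this thread, checking that the ClamAV definitions are actually current and rescanning stored mail from a cron job without overloading a small VM, can be combined in one script. The following is an added example written for this thread; it is not code from any poster, from cPanel or from the ClamAV project. It assumes the cPanel ClamAV binary at /usr/local/cpanel/3rdparty/bin/clamscan, GNU date/find/xargs and util-linux ionice (standard on cPanel hosts), and Maildir-style mail storage (cur/ and new/ directories) under the paths you pass to it. The log path and the thresholds are constructed defaults, not anything cPanel ships.

```shell
#!/bin/sh
# Added example for this thread, not from any poster or from cPanel/ClamAV:
# (1) check that ClamAV's signature database is actually fresh, and
# (2) rescan only recently written mail files under a Maildir at low priority,
#     so a daily cron run does not hammer an underpowered VM.
# Assumptions: GNU date/find/xargs, util-linux ionice, and the cPanel ClamAV
# binary under /usr/local/cpanel/3rdparty/bin (all can be overridden below).

CLAMSCAN=${CLAMSCAN:-/usr/local/cpanel/3rdparty/bin/clamscan}
MAX_DB_AGE_DAYS=${MAX_DB_AGE_DAYS:-2}   # warn if definitions are older than this
RESCAN_DAYS=${RESCAN_DAYS:-7}           # rescan only mail written in the last N days
LOG=${LOG:-/var/log/mail-rescan.log}    # constructed path, choose your own

# "clamscan --version" prints "ClamAV <engine>/<db version>/<db date>", e.g.
# "ClamAV 0.103.6/26665/Tue Aug  9 08:03:19 2022". Given that string as $1,
# print the database age in whole days. $2 optionally overrides "now" (epoch
# seconds) so the function can be tested without ClamAV installed. The date is
# parsed as UTC while clamscan prints local time, so the result can be off by
# the timezone offset, which does not matter at day granularity.
db_age_days() {
    db_date=$(printf '%s\n' "$1" | cut -s -d/ -f3)
    [ -n "$db_date" ] || return 1          # no database loaded at all
    db_epoch=$(TZ=UTC date -d "$db_date" +%s) || return 1
    now_epoch=${2:-$(date +%s)}
    echo $(( (now_epoch - db_epoch) / 86400 ))
}

# Succeed only if the definitions are no older than MAX_DB_AGE_DAYS.
definitions_fresh() {
    age=$(db_age_days "$1" "$2") || return 1
    [ "$age" -le "$MAX_DB_AGE_DAYS" ]
}

# Print mail files under a Maildir (cur/ and new/, not tmp/) modified within
# the last RESCAN_DAYS days, NUL-separated, so a daily run touches only new
# mail rather than the whole mail store.
recent_mail_files() {
    find "$1" -type f \( -path '*/cur/*' -o -path '*/new/*' \) \
        -mtime -"$RESCAN_DAYS" -print0
}

# Scan the recent files at the lowest CPU and I/O priority and append any
# detections to the log. clamscan exits 1 when something is found.
scan_recent() {
    recent_mail_files "$1" \
        | nice -n 19 ionice -c 3 xargs -0 -r "$CLAMSCAN" --infected --no-summary \
        >>"$LOG" 2>&1
}

# Entry point for cron, e.g.:  0 3 * * * /root/mail-rescan.sh /home/*/mail
# Nothing runs unless at least one Maildir path is given on the command line.
if [ $# -ge 1 ]; then
    version=$("$CLAMSCAN" --version) || exit 1
    if ! definitions_fresh "$version"; then
        echo "$(date): WARNING: ClamAV definitions are stale ($version); run freshclam" >>"$LOG"
    fi
    for maildir in "$@"; do
        echo "$(date): rescanning recent mail under $maildir" >>"$LOG"
        scan_recent "$maildir"
    done
fi
```

Restricting the rescan to files newer than RESCAN_DAYS is what keeps the nightly run cheap: older mail was already scanned on arrival, and the point of a periodic rescan is only to catch attachments that have since gained a signature, so a week's window with a lower threshold on busy hosts is usually enough. The freshness check reads the same database date that freshclam updates, so a stale warning in the log is the first thing to look at when detections are poor.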
 

keat63, Well-Known Member (joined Nov 20, 2014), cPanel Access Level: Root Administrator
I'm not sure a cron job would suffice, as I'm talking about POP3 mailboxes.
The mail is downloaded, and the damage could already be done before any cron job ran.

The issue I'm concerned with is idiot end users unable to spot a fake file etc.

I've ClamAV on our server and I've a WatchGuard firewall, neither of which is particularly good at detecting a virus.
If then, for whatever reason, Norton doesn't spot it, I can be certain that an end user won't either.

Two weeks ago, a Word macro got through all 4 lines of defence (server, firewall, Norton, end user); fortunately, Word has macros set at the highest security level, so nothing came of it.

If the MD can't spot these, God forbid anyone else.
 

rpvw, Well-Known Member (joined Jul 18, 2013), UK, cPanel Access Level: Root Administrator
> The mail is downloaded, and the damage could already be done before any cron job ran.

I absolutely agree.

I have spent much of the past 20 years attempting to solve PEBCAK issues (as have many others, all vastly better qualified than I am), and I regret to have to tell you that if a solution does exist, it is being kept a carefully guarded secret by either a 3- or 4-letter agency, or by (insert your favourite conspiracy theory organisation here).

I also regret to have to confess that so far, I have been unable to find a 100% reliable AV software solution for either the server, or indeed, for the end user device, so you have my sympathy.

Now if we could just somehow get rid of end users ....... there would be no problems :-D
 

cPanelLauren, Product Owner, Staff member (joined Nov 14, 2017), Houston

Hi @keat63

Maldet is primarily command-line based, yes. I just finished up a 30-day trial of Imunify360 and, while it is still a fairly new project (which means some hiccups could be present along the way), it was really a robust plugin with a nice UI in WHM, if that's something you're looking for as well as a malware scanning solution: Imunify360 - Keeps Your Linux Web Servers Safe
 

keat63, Well-Known Member (joined Nov 20, 2014), cPanel Access Level: Root Administrator

I guess Maldet will complement RKHunter, and sit there in the background if I ever need them.
Not much use in finding email viruses though.
 

cPanelLauren, Product Owner, Staff member (joined Nov 14, 2017), Houston

> I guess Maldet will complement RKHunter, and sit there in the background if I ever need them.
> Not much use in finding email viruses though.

You can set Maldet to run at specific times, run manual scans, and set it to scan specific directories, but if you're looking for something proactive you might want to look more in-depth at Imunify.
 

rpvw, Well-Known Member (joined Jul 18, 2013), UK, cPanel Access Level: Root Administrator
I spent some time looking at what Imunify360 / ImunifyAV was offering, and whilst it looks very promising, it doesn't explicitly make any claims about scanning incoming email files in real time, nor regarding admin/user-triggered or cron-triggered scans.

The ImunifyAV documentation is still rather rudimentary, but the product is still in Beta, so one shouldn't make judgements based on that alone.

As the product nears final release, I would hope that CloudLinux address these shortcomings in the publicity, product descriptions and documentation, and we shall be able to better assess its suitability for inclusion on our servers and whether it will enhance our users' experience.
 

cPanelLauren, Product Owner, Staff member (joined Nov 14, 2017), Houston

@Infopro I don't think you need to give up one for the other. Though admittedly there is some redundancy, they are separate tools with different general purposes. I used them in tandem for an entire month last month.

As far as malware/viruses in mail go, another option might be to look at a more preventative approach: advanced spam filtering. While SpamAssassin can do this, it would take configuration/customization; if you don't have the time or the knowledge for that, there are services that do this already.
 

Jean Boudreau, Member (joined Mar 31, 2017), Caraquet, NB, Canada, cPanel Access Level: Root Administrator

I'm a bit late, but I've added Imunify360 and still use CSF. They work together, and both should be enabled in my opinion. Each of them has powerful features.

Now back to the main topic: ClamAV... It just doesn't work to find macro-infected documents. Imunify360 doesn't scan email either. No option is available to scan live incoming emails with Imunify360. So my server is bombarded with .doc attachments with macro malware. No way to stop them.

I'm surely not going to use an external service like SpamExperts. After a while, we need to keep costs down. Already with CloudLinux, Imunify360, LiteSpeed & LiteSpeed Cache, and KernelCare, now I just need an antivirus that works!
 

jndawson, Well-Known Member (joined Aug 27, 2014), Western US, cPanel Access Level: DataCenter Provider

We've been using CSF/CXS/mod_sec for years with no issues. All our email flows through SpamTitan boxes with ClamAV and Bitdefender, and works well.

Somebody tell me why we would need ImunifyAV or ImunifyAV+ or Imunify360.
 

keat63, Well-Known Member (joined Nov 20, 2014), cPanel Access Level: Root Administrator
You probably don't, but not all of us have a $1250 budget to spend on SpamTitan.

:(

Incidentally, I blocked Word macros on our internal WatchGuard UTM.