The Community Forums


clamav scan /home and move infected files

Discussion in 'Security' started by k-planethost, Mar 14, 2011.

  1. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    How can I schedule a cron job for ClamAV to scan /home in the morning and move the infected files to a specific directory?
     
  2. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    I found some info on the net, is it correct? The boxes are CentOS.
    mkdir /tmp/virus
    clamscan -ri --move=/tmp/virus /home
    In /etc/crontab, for 3:11 in the morning it should look like this:
    11 3 * * * root mkdir /tmp/virus ; clamscan -ri --log=/var/log/clamscan.log --move=/tmp/virus/ /home
    Correct?
     
  3. anjo2

    anjo2 Member

    Joined:
    May 1, 2006
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    11 3 * * * clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus --scan-mail=no

    This should work; you may not need to scan mail, so it takes less time to search.
     
  4. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    In /etc/crontab I have this command:
    11 3 * * * clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus
    If I check /var/log/clamscan.log, the file is empty.
    If I run the command manually, clamscan.log appears OK.
    What do you think could be wrong?
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    First of all, determine the path to clamscan:

    Code:
    whereis clamscan
    Then change to that path:

    Code:
    11 3 * * * /pathto/clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus
    Here you would replace /pathto/clamscan with the output from the prior "whereis clamscan" command.

    Next, do you have the cron set to email you when it runs? If you do not, then in crontab -e or /var/spool/cron/root where you have the cron set, put the following above the entry:

    Code:
    MAILTO="email@mydomain.com"
    Please replace email@mydomain.com with your email address. This should cause an email to be sent whenever the cron runs. If there are any errors for the cron to process, you should get those via that email.
     
  6. JerrySmith

    JerrySmith Active Member

    Joined:
    Apr 21, 2011
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    I would recommend using the following:

    11 3 * * * /usr/bin/clamscan -ir /home --exclude-dir='/home/virtfs|/home/.cpan|/home/.cpcpan' -l /var/log/clamscan.log --move=/tmp/virus

    This will prevent the virtfs and CPAN directories from being scanned.

    If you are using jailshell and do not exclude virtfs, you will get duplicate matches in your scan and some weird results with moving the files.
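A complete cron-driven version of the recipe worked out in the posts above, as an added example; it is not code from the thread, from cPanel or from ClamAV. It assumes clamscan at /usr/bin/clamscan (confirm with whereis clamscan, as said above), a quarantine directory under /root rather than /tmp, the virtfs/CPAN exclusions Jerry suggested, and that --exclude-dir takes an extended regex as the alternation in his example implies. The function names, the /root/quarantine path and the --run convention are my own.

```shell
#!/bin/sh
# Nightly ClamAV scan of /home on a cPanel box (added example, not from the thread).
# Hypothetical defaults, override via environment:
#   CLAMSCAN   path to clamscan (whereis clamscan)
#   QUARANTINE where --move puts infected files; under /root so web users cannot reach it
#   LOGFILE    clamscan -l target
set -u

CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"
QUARANTINE="${QUARANTINE:-/root/quarantine}"
LOGFILE="${LOGFILE:-/var/log/clamscan.log}"

# Extended regex for --exclude-dir: jailshell mounts (/home/virtfs) and the CPAN
# caches. Anchored so that /home/USER/public_html/virtfs is still scanned.
exclude_regex() {
    printf '%s' '^/home/(virtfs|\.cpan|\.cpcpan)(/|$)'
}

# Make sure the quarantine directory is ours before clamscan moves files into it:
# refuse a symlink (a local user could pre-create /tmp/virus pointing elsewhere),
# refuse a pre-existing directory writable by group or others, create a fresh one
# with mode 0700. Prints the directory on success, returns 1 otherwise.
prepare_quarantine() {
    dir="$1"
    if [ -L "$dir" ]; then
        echo "refusing symlinked quarantine: $dir" >&2
        return 1
    fi
    if [ -d "$dir" ]; then
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "refusing group/world-writable quarantine: $dir" >&2
            return 1
        fi
    else
        mkdir -p -m 0700 "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# The command line as one string, for logging or a dry run before it is executed.
scan_command() {
    target="$1"; quarantine="$2"; log="$3"
    printf '%s -ir %s --exclude-dir=%s --move=%s -l %s --scan-mail=no\n' \
        "$CLAMSCAN" "$target" "$(exclude_regex)" "$quarantine" "$log"
}

# Run the scan. clamscan exits 0 = clean, 1 = infected files found, 2 = error;
# the message goes to stdout so the cron MAILTO mail carries the outcome.
run_scan() {
    target="$1"; quarantine="$2"; log="$3"
    "$CLAMSCAN" -ir "$target" --exclude-dir="$(exclude_regex)" \
        --move="$quarantine" -l "$log" --scan-mail=no
    rc=$?
    case "$rc" in
        0) echo "clamscan: $target clean" ;;
        1) echo "clamscan: infected files moved to $quarantine, details in $log" ;;
        *) echo "clamscan: exited with error code $rc" >&2 ;;
    esac
    return "$rc"
}

main() {
    q=$(prepare_quarantine "$QUARANTINE") || exit 2
    [ -x "$CLAMSCAN" ] || { echo "clamscan not found at $CLAMSCAN" >&2; exit 2; }
    run_scan /home "$q" "$LOGFILE"
}

# Only scan when invoked with --run, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Save it as /root/bin/nightly_clamscan.sh with mode 0700 and put `11 3 * * * /root/bin/nightly_clamscan.sh --run` under a `MAILTO=` line in root's crontab. The symlink and permission checks are the reason for keeping the quarantine out of /tmp: --move preserves the file content, so a quarantine that another local user can reach or pre-create lets them read or redirect what was pulled out of /home.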
     
  7. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Thanks for the update, I corrected the path and both commands appear to work.
     
    #7 k-planethost, May 18, 2011
    Last edited: May 18, 2011
  8. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Let me ask something else.
    In the cPanel documentation I found this:
    for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&

    If I want to store the infections in /tmp/virus, the cron command in /var/spool/cron/root should be:

    11 3 * * * for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus

    Correct?
     
  9. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    In my view it should work, but please ensure that /tmp is secured before you store viruses in it.
     
  10. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Yes, it is secured.
    for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus
    This command from SSH gives me this:
    -bash: /tmp/virus: Is a directory

    Also, today I recompiled the new version of ClamAV from source. Since I use MailScanner I always recompile according to this:
    Installing ClamAV with MailScanner
    Well, the core box takes ages to scan and I have errors like this:
    LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
    LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution
    LibClamAV Warning: [Bytecode JIT]: recovered from error
    LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
    LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
    LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
    LibClamAV Warning: [Bytecode JIT]: recovered from error
    LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
    LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution

    In clamd.conf:
    Bytecode yes
    BytecodeSecurity TrustSigned
    BytecodeTimeout 5000
    I tried increasing and decreasing BytecodeTimeout 5000 but the server still returns the same errors.
    Does anybody have any idea about this?
     
  11. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    /tmp/virus will need to be a file rather than a folder for the command to function.
     
  12. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    I corrected it, it appears to work now.
     
  13. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Glad to know :)
     
  14. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
    LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution
    LibClamAV Warning: [Bytecode JIT]: recovered from error
    LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
    LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
    LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
    LibClamAV Warning: [Bytecode JIT]: recovered from error
    LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
    LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution

    This one I fixed; the box is OK now, something was wrong with the databases.

    On another server with ClamAV v0.97.3 I still observe this:

    LibClamAV Warning: cli_scanbzip: bzip2 support not compiled in
    LibClamAV Warning: cli_scanbzip: bzip2 support not compiled in

    I think clamscan is missing some test files.

    Package bzip2-1.0.3-6.el5_5.x86_64 is already installed and latest version
    Do you think I have to recompile with --enable-bzip2?

    tar -xzf clamav-*
    cd clamav*
    ./configure --disable-zlib-vcheck --enable-bzip2
    make
    make install

    Any suggestions would be useful.
     
  15. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi,

    Try running freshclam and see if that fixes the error.
     
  16. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Well, I investigated and found that some libraries were missing from the CentOS box:

    yum install bzip2

    yum install bzip2-devel

    yum install libbz2

    yum install libbz2-devel

    Remove ClamAV:


    killall clamd

    /bin/rm -Rfv /usr/bin/clam*
    /bin/rm -Rfv /usr/sbin/clam*
    /bin/rm -Rfv /usr/lib/libclam*
    /bin/rm -Rfv /usr/share/clam*
    /bin/rm -Rfv /usr/include/clam*
    /bin/rm -Rfv /usr/bin/freshclam*
    /bin/rm -Rfv /usr/etc/clamav*
    /bin/rm -Rfv /var/clamd

    /bin/rm -Rfv /usr/local/bin/clam*
    /bin/rm -Rfv /usr/local/sbin/clam*
    /bin/rm -Rfv /usr/local/lib/libclam*
    /bin/rm -Rfv /usr/local/share/clam*
    /bin/rm -Rfv /usr/local/include/clam*
    /bin/rm -Rfv /usr/local/bin/freshclam*
    /bin/rm -Rfv /usr/local/etc/clamav*
    /bin/rm -fv /etc/init.d/clamd
    /bin/rm -fv /etc/cron.daily/freshclam
    /bin/rm -fv /etc/cron.hourly/freshclam
    /bin/rm -fv /etc/cron.d/freshclam

    Then recompile and install following:
    Installing ClamAV with MailScanner

    That guide only applies to people who compile ClamAV from source and not through cPanel.
     
  17. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Does anybody have the regex I can use to exclude all mail directories from a full scan of /home?

    Thanks.
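An added example that is not cPanel's documented loop, nothing posted in the thread, and not ClamAV's own code: it covers the per-account loop from post 8, the "Is a directory" error from posts 10 and 11 (the output must be redirected to a file, not a directory), and the mail-directory exclusion asked for in the last post. It assumes /etc/userdomains consists of "domain: user" lines with a "*: nobody" entry, that each account's mail lives under /home/USER/mail, that clamscan is at /usr/bin/clamscan and that --exclude-dir takes an extended regex; the sample userdomains content is constructed and the function names and /root/infections.txt path are my own.

```shell
#!/bin/sh
# Per-account ClamAV scan driven by /etc/userdomains (added example, not from the thread).
# Hypothetical assumptions: userdomains lines are "domain.tld: username", mail is
# under /home/USER/mail, clamscan is at /usr/bin/clamscan, results go to a FILE.
set -u

CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"

# Constructed sample of /etc/userdomains for trying cpanel_users() offline.
SAMPLE_USERDOMAINS='example.com: alice
shop.example.com: alice
*: nobody
example.org: bob'

# Unique usernames from a userdomains-style file, skipping the "nobody" entry.
# $1 is the domain (with its trailing colon), $2 the account name.
cpanel_users() {
    awk 'NF >= 2 && $2 != "nobody" { print $2 }' "$1" | sort -u
}

# Extended regex for --exclude-dir that skips every account's mail directory.
# Anchored so /home/USER/public_html/mail is still scanned.
mail_exclude_regex() {
    printf '%s' '^/home/[^/]+/mail(/|$)'
}

# The report must be a regular file: redirecting ">> dir" is what produced
# "-bash: /tmp/virus: Is a directory". Creates it 0600 and prints the path.
report_file() {
    f="$1"
    if [ -d "$f" ]; then
        echo "report path is a directory, need a file: $f" >&2
        return 1
    fi
    : >> "$f" || return 1
    chmod 0600 "$f" || return 1
    printf '%s\n' "$f"
}

# Scan one account's home, appending only the infected-file lines to the report;
# stderr is left alone so cron mail shows scanner errors.
scan_user() {
    user="$1"; report="$2"
    if [ ! -d "/home/$user" ]; then
        echo "no home directory for $user, skipping" >&2
        return 0
    fi
    "$CLAMSCAN" -ir "/home/$user" --exclude-dir="$(mail_exclude_regex)" \
        --scan-mail=no --no-summary >> "$report"
}

main() {
    report=$(report_file "${1:-/root/infections.txt}") || exit 2
    [ -x "$CLAMSCAN" ] || { echo "clamscan not found at $CLAMSCAN" >&2; exit 2; }
    cpanel_users /etc/userdomains | while read -r u; do
        scan_user "$u" "$report"
    done
}

# Only scan when invoked with --run [report-file]; otherwise just define functions.
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Cron it as `11 3 * * * /root/bin/scan_accounts.sh --run /root/infections.txt`. Scanning account by account and skipping mail keeps the run short, and the report lists each infected path prefixed by the account it belongs to, which is what you need when deciding whom to notify.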
     