clamav scan /home and move infected files

k-planethost

Well-Known Member
Sep 22, 2009
199
10
68
Athens Greece
I found some info on the net; is it correct? CentOS are the boxes.
mkdir /tmp/virus
clamscan -ri --move=/tmp/virus /home
On /etc/crontab
for 3:11 in the morning it should look like this:
11 3 * * * root mkdir /tmp/virus ; clamscan -ri --log=var/log/clamscan.log --move=/tmp/virus/
correct?
 

anjo2

Member
May 1, 2006
8
0
151
11 3 * * * clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus --scan-mail=no

This should work. You may not need to scan mail, so it takes less time to search.
 

k-planethost

Well-Known Member
Sep 22, 2009
199
10
68
Athens Greece
On /etc/crontab I have this command:
11 3 * * * clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus
If I check /var/log/clamscan.log, the file is empty.
If I run the command manually, clamscan.log appears OK.
What do you think can be wrong?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
First of all, determine the path to clamscan:

Code:
whereis clamscan
Then change to that path:

Code:
11 3 * * * /pathto/clamscan -ir /home -l /var/log/clamscan.log --move=/tmp/virus
Here you would replace /pathto/clamscan with the output from the prior "whereis clamscan" command.

Next, do you have the cron set to email you when it runs? If you do not, then in crontab -e or /var/spool/cron/root where you have the cron set, put the following above the entry:

Code:
Please replace [email protected] with your email address. This should cause an email to be sent whenever the cron runs. If there are any errors for the cron to process, you should get those via that email.
 

JerrySmith

Active Member
Apr 21, 2011
35
0
56
Hello,

I would recommend using the following:

11 3 * * * /usr/bin/clamscan -ir /home --exclude-dir='/home/virtfs|/home/.cpan|/home/.cpcpan' -l /var/log/clamscan.log --move=/tmp/virus

This will prevent the virtfs and CPAN directories from being scanned.

If you are using jailshell and do not exclude virtfs, you will get duplicate matches in your scan and some weird results with moving the files.
 

k-planethost

Well-Known Member
Sep 22, 2009
199
10
68
Athens Greece
Let me ask something else.
In the cPanel documentation I found this:
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&

If I want to store the infections in /tmp/virus, the cron command in /var/spool/cron/root should be

11 3 * * * for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus

correct?
 

storminternet

Well-Known Member
Nov 2, 2011
460
0
66
cPanel Access Level
Root Administrator
Let me ask something else.
In the cPanel documentation I found this:
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&

If I want to store the infections in /tmp/virus, the cron command in /var/spool/cron/root should be

11 3 * * * for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus

correct?
In my view it should work, but please ensure that /tmp is secured before you store viruses in it.
 

k-planethost

Well-Known Member
Sep 22, 2009
199
10
68
Athens Greece
Yes, it is secured.
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /tmp/virus
This command from SSH gives me this:
</gml_replace>
<gr_replace lines="145-147" cat="clarify" orig="also today i">
Also, today I recompiled the new version of ClamAV from source. Since I use MailScanner, I always recompile according to this:
Installing ClamAV with MailScanner
Well, the core box takes ages to scan and I have errors like this:
-bash: /tmp/virus: Is a directory

also today i recompile from source the new version of clamav Since i use mailscanner i recompile always according to this
Installing ClamAV with MailScanner
well the core box takes ages to scan and i have errors like this
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution

In clamd.conf:
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 5000
I tried increasing and decreasing BytecodeTimeout 5000, but the server still returns the same errors.
Does anybody have any idea about this?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
/tmp/virus will need to be a file rather than a folder for the command to function.
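As an added example (editorial, not code from the thread, cPanel or ClamAV): a cron-ready wrapper script that combines the points made so far: an absolute path to clamscan because cron's PATH is minimal, the per-user loop over /etc/userdomains from the cPanel documentation, the --exclude-dir list suggested above, a log FILE for the report and a separate, owner-only DIRECTORY for --move, so the two never collide the way ">> /tmp/virus" did. All paths are hypothetical defaults and can be overridden through the environment; the userdomains format assumed is "domain: user" per line.

```shell
#!/bin/sh
# Added example (not from the thread): scan every cPanel account home
# with clamscan, appending the report to $REPORT and moving infected
# files into $QUARANTINE. Defaults below are assumptions; override via env.
CLAMSCAN=${CLAMSCAN:-/usr/bin/clamscan}     # absolute path: cron has a minimal PATH
USERDOMAINS=${USERDOMAINS:-/etc/userdomains} # "domain: user" per line
HOME_ROOT=${HOME_ROOT:-/home}
QUARANTINE=${QUARANTINE:-/tmp/virus}         # must be a directory (--move target)
REPORT=${REPORT:-/var/log/clamscan.log}      # must be a file (scan report)
# Directories recommended earlier in the thread to skip (virtfs, CPAN caches).
EXCLUDE_DIRS='/home/virtfs|/home/.cpan|/home/.cpcpan'

# Print each account user once, skipping the "nobody" placeholder line.
# Same result as the awk | sort | uniq pipeline quoted from the cPanel
# docs, but matching the user field exactly rather than the whole line.
cpanel_users() {
    awk '$2 != "nobody" { print $2 }' "$1" | sort -u
}

# Create the quarantine directory with owner-only permissions.
# Refuses to continue if the path exists but is not a directory
# (for example because a report was appended there by mistake).
prepare_quarantine() {
    if [ -e "$1" ] && [ ! -d "$1" ]; then
        echo "quarantine path $1 exists and is not a directory" >&2
        return 1
    fi
    mkdir -p "$1" && chmod 700 "$1"
}

# Scan every existing account home. Returns the worst clamscan exit
# status seen: 0 clean, 1 something was found, 2 a scan error occurred.
scan_user_homes() {
    prepare_quarantine "$QUARANTINE" || return 1
    status=0
    for u in $(cpanel_users "$USERDOMAINS"); do
        home="$HOME_ROOT/$u"
        [ -d "$home" ] || continue
        echo "=== $(date) scanning $home ===" >> "$REPORT"
        if "$CLAMSCAN" -ri --exclude-dir="$EXCLUDE_DIRS" \
                --move="$QUARANTINE" "$home" >> "$REPORT" 2>&1; then
            rc=0
        else
            rc=$?
        fi
        [ "$rc" -gt "$status" ] && status=$rc
    done
    return "$status"
}

# From cron, call the script with --run, e.g.
#   11 3 * * * root /usr/local/sbin/scan-home.sh --run
# With MAILTO set in the crontab, cron mails anything the script prints.
case "${1:-}" in
    --run) scan_user_homes ;;
esac
```

The script exits non-zero whenever clamscan reported a detection or an error, so cron's own MAILTO handling (or a monitoring wrapper) can alert on it, and the report file never ends up as the --move target.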
 

k-planethost

Well-Known Member
Sep 22, 2009
199
10
68
Athens Greece
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 37 failed to run: Error during bytecode execution

This one I fixed; the box is OK now, something was wrong with the databases.

On another server with ClamAV v0.97.3 I still observe this:

LibClamAV Warning: cli_scanbzip: bzip2 support not compiled in
LibClamAV Warning: cli_scanbzip: bzip2 support not compiled in

I think clamscan misses some test files.

Package bzip2-1.0.3-6.el5_5.x86_64 is already installed and latest version
Do you think I have to recompile with --enable-bzip2?

tar -xzf clamav-*
cd clamav*
./configure --disable-zlib-vcheck --enable-bzip2
make
make install

Any suggestions would be useful.
 

k-planethost

Well-Known Member
Sep 22, 2009
199
10
68
Athens Greece
Well, I investigated and found that some libraries were missing from the CentOS box:

yum install bzip2

yum install bzip2-devel

yum install libbz2

yum install libbz2-devel

Remove ClamAV:


killall clamd

/bin/rm -Rfv /usr/bin/clam*
/bin/rm -Rfv /usr/sbin/clam*
/bin/rm -Rfv /usr/lib/libclam*
/bin/rm -Rfv /usr/share/clam*
/bin/rm -Rfv /usr/include/clam*
/bin/rm -Rfv /usr/bin/freshclam*
/bin/rm -Rfv /usr/etc/clamav*
/bin/rm -Rfv /var/clamd

/bin/rm -Rfv /usr/local/bin/clam*
/bin/rm -Rfv /usr/local/sbin/clam*
/bin/rm -Rfv /usr/local/lib/libclam*
/bin/rm -Rfv /usr/local/share/clam*
/bin/rm -Rfv /usr/local/include/clam*
/bin/rm -Rfv /usr/local/bin/freshclam*
/bin/rm -Rfv /usr/local/etc/clamav*
/bin/rm -fv /etc/init.d/clamd
/bin/rm -fv /etc/cron.daily/freshclam
/bin/rm -fv /etc/cron.hourly/freshclam
/bin/rm -fv /etc/cron.d/freshclam

Recompile and install afterwards:
Installing ClamAV with MailScanner

That guide only applies to people who recompile ClamAV from source and not through cPanel.
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
Hello,

I would recommend using the following:

11 3 * * * /usr/bin/clamscan -ir /home --exclude-dir='/home/virtfs|/home/.cpan|/home/.cpcpan' -l /var/log/clamscan.log --move=/tmp/virus

This will prevent the virtfs and CPAN directories from being scanned.

If you are using jailshell and do not exclude virtfs, you will get duplicate matches in your scan and some weird results with moving the files.
Does anybody have the regex I can use to exclude all mail directories from a full scan of /home?

Thanks.