Clamd / ClamScan setup and configuration

PeteS

Well-Known Member
Jun 8, 2017
223
48
28
Oregon
cPanel Access Level
Root Administrator
Re: Configure ClamAV Scanner - Version 78 Documentation - cPanel Documentation

Please tell me if I have a correct and complete understanding of ClamAV.

Once plugin is installed in WHM (w/o cron job):
  • clamd daemon is active and used for the following
  • incoming mail is scanned
  • outgoing mail is scanned, if configured in Exim settings
  • uploads in file manager are scanned
  • users can scan manually (using clamd or clamscan?)
After adding a cron job:
  • clamscan is used for the following
  • all home directories (if using the code supplied) are scanned per the cron entry
Additionally...
  • Is there an advantage of one over the other in the cron:
    • while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
    • for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&
  • I have read discussions about clamd vs clamscan regarding the impact on RAM and CPU usage (about signatures being loaded, I believe). Can you provide details on this?
  • What is the default behavior regarding infected files, and notification of found threats found, during cron scans? I have seen variations of cron jobs but would like docs on that.
-Pete
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
Hi @PeteS

Is there an advantage of one over the other in the cron:
This is the recommended one:
Code:
while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
As far as the other one goes it just looks like it's doing a similar action one outputs to /root/infections the other to /dev/null

I have read discussions about clamd vs clamscan regarding the impact on RAM and CPU usage (about signatures being loaded, I believe). Can you provide details on this?
The clamd signature db is pretty large and when it needs to be loaded or updated during that time it can cause relatively high CPU/RAM usage - this isn't a constant though and shouldn't last an excessive amount of time nor should it continue to be resource intensive due to that reason while it's scanning, I should note though that all virus/malware scanners are going to use resources when scanning.

What is the default behavior regarding infected files, and notification of found threats found, during cron scans? I have seen variations of cron jobs but would like docs on that.

I don't really think there is any it's dependent on the configuration you might want to look at ClamAV's site though ClamavNet
 

PeteS

Well-Known Member
Jun 8, 2017
223
48
28
Oregon
cPanel Access Level
Root Administrator
Thanks, @cPanelLauren

But, just to be clean, is my understanding on the first part of my post complete and correct? (Regarding the plugin installing the daemon, and making clamscan available to users, and the necessity and use of the cron job to automate scanning of the user folders.)
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
The first part is correct though the user can initiate the scan through cPanel so shell isn't needed.

You can configure users to have specific scan settings by managing the settings at WHM>>Plugins>>Configure ClamAV Scanner

If you want automated scans you'd need to enable a cron job otherwise it'd be necessary to manually scan.
 

PeteS

Well-Known Member
Jun 8, 2017
223
48
28
Oregon
cPanel Access Level
Root Administrator
Thank you @cPanelLauren. Allow me to revisit this topic for a couple followup questions.

1- I believe I have had a faulty assumption, that running the cron job
Code:
while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
took action on positives, but it appears from the docs I found (clamscan(1): scan files/directories for viruses - Linux man page) that it is only reporting, and thus if the reports aren't looked at... what's the point? Am I correct?

2- In working on a method to have scan reports sent to me I tested this cron job /usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
Code:
/usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
which works well, I think. I also noticed that it takes less than 1/2 the time to scan the same /home directory. I assume this is because it is running it as one large scan, rather than per home user. The difference being the scan setup time of checking signatures, etc., correct? So if I don't need/want a separate report on each user then why not reduce the load by running a single scan?

3- Short of adding the -remove flag (not going to do that!) is there any approach to managing infected files beyond passively logging them as found? I'm thinking not, but want to use the best strategies I can.

Thanks, Pete
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
1- I believe I have had a faulty assumption, that running the cron job
Code:
while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
took action on positives, but it appears from the docs I found (clamscan(1): scan files/directories for viruses - Linux man page) that it is only reporting, and thus if the reports aren't looked at... what's the point? Am I correct?
clamscan running this way does indeed just report the issues - it will show up in the UI as well if there are infected files but, yes if you're not looking at the reports it's making it's not doing you any good

2- In working on a method to have scan reports sent to me I tested this cron job /usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
Code:
/usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
which works well, I think. I also noticed that it takes less than 1/2 the time to scan the same /home directory. I assume this is because it is running it as one large scan, rather than per home user. The difference being the scan setup time of checking signatures, etc., correct? So if I don't need/want a separate report on each user then why not reduce the load by running a single scan?
The default cron is scanning per user per domain, what you're running is just scanning the homedir - it's not initializing after each account which I would assume is causing it to complete faster and if that works for you giving you the data you need, yea no reason not to do it.
3- Short of adding the -remove flag (not going to do that!) is there any approach to managing infected files beyond passively logging them as found? I'm thinking not, but want to use the best strategies I can.
Not with clamscan there isn't really - you can move files - but the way you're scanning it might be difficult to tell where they came from as well. Some other malware scanning softwares like imunify360 will change permissions/ownership on infected files or LMD will quarantine them if you enable the setting.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
Actually, you're right, the results don't show in the UI. It's just the configuration that you can manage there. I'd meant to double-check that yesterday and made an assumption that it was reported there. My apologies!