Clamd / ClamScan setup and configuration

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
Re: Configure ClamAV Scanner - Version 78 Documentation - cPanel Documentation

Please tell me if I have a correct and complete understanding of ClamAV.

Once the plugin is installed in WHM (w/o cron job):
  • clamd daemon is active and used for the following:
    • incoming mail is scanned
    • outgoing mail is scanned, if configured in Exim settings
    • uploads in file manager are scanned
    • users can scan manually (using clamd or clamscan?)
After adding a cron job:
  • clamscan is used for the following:
    • all home directories (if using the code supplied) are scanned per the cron entry
Additionally...
  • Is there an advantage of one over the other in the cron:
    • while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
    • for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&
  • I have read discussions about clamd vs clamscan regarding the impact on RAM and CPU usage (about signatures being loaded, I believe). Can you provide details on this?
  • What is the default behavior regarding infected files, and notification of threats found, during cron scans? I have seen variations of cron jobs but would like docs on that.
-Pete
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @PeteS

Is there an advantage of one over the other in the cron:
This is the recommended one:
Code:
while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
As far as the other one goes, it just looks like it's doing a similar action; one outputs to /root/infections, the other to /dev/null.

I have read discussions about clamd vs clamscan regarding the impact on RAM and CPU usage (about signatures being loaded, I believe). Can you provide details on this?
The clamd signature db is pretty large, and when it needs to be loaded or updated, that can cause relatively high CPU/RAM usage. This isn't constant though, and shouldn't last an excessive amount of time, nor should it continue to be resource intensive for that reason while it's scanning. I should note, though, that all virus/malware scanners are going to use resources when scanning.

What is the default behavior regarding infected files, and notification of found threats found, during cron scans? I have seen variations of cron jobs but would like docs on that.

I don't really think there is any; it's dependent on the configuration. You might want to look at ClamAV's site though: ClamavNet
 

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
Thanks, @cPanelLauren

But, just to be clear, is my understanding on the first part of my post complete and correct? (Regarding the plugin installing the daemon, making clamscan available to users, and the necessity and use of the cron job to automate scanning of the user folders.)
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
The first part is correct, though the user can initiate the scan through cPanel, so shell isn't needed.

You can configure users to have specific scan settings by managing the settings at WHM>>Plugins>>Configure ClamAV Scanner

If you want automated scans you'd need to enable a cron job otherwise it'd be necessary to manually scan.
 

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
Thank you @cPanelLauren. Allow me to revisit this topic for a couple of followup questions.

1- I believe I have had a faulty assumption, that running the cron job
Code:
while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
took action on positives, but it appears from the docs I found (clamscan(1): scan files/directories for viruses - Linux man page) that it is only reporting, and thus if the reports aren't looked at... what's the point? Am I correct?

2- In working on a method to have scan reports sent to me I tested this cron job /usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
Code:
/usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
which works well, I think. I also noticed that it takes less than 1/2 the time to scan the same /home directory. I assume this is because it is running it as one large scan, rather than per home user. The difference being the scan setup time of checking signatures, etc., correct? So if I don't need/want a separate report on each user then why not reduce the load by running a single scan?

3- Short of adding the -remove flag (not going to do that!) is there any approach to managing infected files beyond passively logging them as found? I'm thinking not, but want to use the best strategies I can.

Thanks, Pete
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
1- I believe I have had a faulty assumption, that running the cron job
Code:
while read domain user; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1; done </etc/trueuserdomains >>/root/infections.txt
took action on positives, but it appears from the docs I found (clamscan(1): scan files/directories for viruses - Linux man page) that it is only reporting, and thus if the reports aren't looked at... what's the point? Am I correct?
clamscan running this way does indeed just report the issues. It will show up in the UI as well if there are infected files, but yes, if you're not looking at the reports it's making, it's not doing you any good.

2- In working on a method to have scan reports sent to me I tested this cron job /usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
Code:
/usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root
which works well, I think. I also noticed that it takes less than 1/2 the time to scan the same /home directory. I assume this is because it is running it as one large scan, rather than per home user. The difference being the scan setup time of checking signatures, etc., correct? So if I don't need/want a separate report on each user then why not reduce the load by running a single scan?
The default cron is scanning per user per domain; what you're running is just scanning the homedir. It's not initializing after each account, which I would assume is causing it to complete faster, and if that works for you, giving you the data you need, yeah, no reason not to do it.
3- Short of adding the -remove flag (not going to do that!) is there any approach to managing infected files beyond passively logging them as found? I'm thinking not, but want to use the best strategies I can.
Not with clamscan there isn't, really. You can move files, but the way you're scanning it might be difficult to tell where they came from as well. Some other malware scanning software like imunify360 will change permissions/ownership on infected files, or LMD will quarantine them if you enable the setting.
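As an added example (not from the thread, cPanel or ClamAV), the following shell functions turn clamscan's report-only output into a per-account summary and quarantine each hit while recording where it came from, which is the "move the files but keep track of their origin" approach discussed above. The sample clamscan output, the account names and the quarantine directory are constructed assumptions; only the clamscan path is the one used in the thread.

```shell
#!/bin/sh
# Added example: post-process `clamscan -i -r` output (report-only) into an
# account summary and a quarantine tree that preserves the original path.

# Constructed sample of what `clamscan -i -r /home` prints (not a real scan).
SAMPLE_REPORT='/home/alice/public_html/up.php: Eicar-Test-Signature FOUND
/home/bob/mail/cur/123: Win.Test.EICAR_HDB-1 FOUND
/home/alice/tmp/x.bin: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 3'

# parse_findings: read clamscan output on stdin and print one
# "account<TAB>path<TAB>signature" line per "... FOUND" hit. The account is
# taken from the path component after /home/ (paths containing ": " would
# confuse the split; clamscan prints "path: Signature FOUND").
parse_findings() {
    grep ' FOUND$' | sed 's/ FOUND$//' | while IFS= read -r line; do
        path=${line%: *}
        sig=${line##*: }
        case $path in
            /home/*) rest=${path#/home/}; acct=${rest%%/*} ;;
            *) acct=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$acct" "$path" "$sig"
    done
}

# count_per_account: summarise findings on stdin as "account count" lines.
count_per_account() {
    parse_findings | cut -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# quarantine_file ORIGINAL QUARANTINE_DIR: move the file under QUARANTINE_DIR
# keeping its full original path, strip all permissions, and append an audit
# line (timestamp, origin, new location) so the origin is never lost.
quarantine_file() {
    src=$1; qdir=$2
    dest="$qdir$src"
    mkdir -p "$(dirname "$dest")"
    mv -- "$src" "$dest" && chmod 000 "$dest"
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dest" \
        >> "$qdir/manifest.tsv"
}

# scan_and_report: the cron line from the thread, feeding the summary above.
# Needs clamscan installed, so it is not exercised by the constructed sample.
scan_and_report() {
    /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home 2>&1 \
        | tee -a /root/infections.txt | count_per_account
}
```

Piping `scan_and_report` into `mail -s "clamscan summary" root` gives a per-account digest instead of the raw listing, and the manifest in the quarantine directory answers the "where did it come from" question when a file is later reviewed or restored.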
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Actually, you're right, the results don't show in the UI. It's just the configuration that you can manage there. I'd meant to double-check that yesterday and made an assumption that it was reported there. My apologies!