Hey guys,
First post here, but have been playing the cpanel/whm game for a while as a hosting security admin.
We recently had an issue that I can't for the life of me figure out where to correct/change...
Let me describe the issue first:
-Stock CentOS 7 server running "release" WHM.
-Enable ClamAV plugin for cPanel Version: 0.99.2-1.cp1164
-Try to upload a known malicious file using cpanel file manager to an account's public_html.
It will block with something like:
"The file you uploaded, index.php, contains a virus so the upload was canceled: {HEX}base64.inject.unclassed.6.UNOFFICIAL FOUND"
I have checked the file, and can confirm that this is a false positive.
But this leaves me with a question... Where are the configuration options for this? Specifically the option to disable the on-demand stream scanning of an upload, for the host, a user, directory, or file. It seems like this would be configurable somewhere, or at least should be something that can be disabled via a config change.
Upon installation of the module, I see that the following packages are downloaded and added:
Code:
http://httpupdate.cpanel.net/RPM/11.62/centos/6/x86_64/cpanel-perl-524-File-Scan-ClamAV-1.95-1.cp1162.x86_64.rpm
http://httpupdate.cpanel.net/RPM/11.64/centos/6/x86_64/cpanel-clamav-0.99.2-1.cp1164.x86_64.rpm
These seem to add the following files:
Code:
[root@host ~]# rpm -qlp http://httpupdate.cpanel.net/RPM/11.62/centos/6/x86_64/cpanel-perl-524-File-Scan-ClamAV-1.95-1.cp1162.x86_64.rpm
/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/File/Scan/ClamAV.pm
[root@host ~]# rpm -qlp http://httpupdate.cpanel.net/RPM/11.64/centos/6/x86_64/cpanel-clamav-0.99.2-1.cp1164.x86_64.rpm
/etc/chkserv.d/clamd
/usr/local/cpanel/3rdparty/bin/clamav-config
/usr/local/cpanel/3rdparty/bin/clamav_setupcrontab
/usr/local/cpanel/3rdparty/bin/clambc
/usr/local/cpanel/3rdparty/bin/clamconf
/usr/local/cpanel/3rdparty/bin/clamd
/usr/local/cpanel/3rdparty/bin/clamdscan
/usr/local/cpanel/3rdparty/bin/clamdtop
/usr/local/cpanel/3rdparty/bin/clamscan
/usr/local/cpanel/3rdparty/bin/clamsubmit
/usr/local/cpanel/3rdparty/bin/freshclam
/usr/local/cpanel/3rdparty/bin/sigtool
/usr/local/cpanel/3rdparty/etc/clamd.conf
/usr/local/cpanel/3rdparty/etc/cpclamav.conf
/usr/local/cpanel/3rdparty/etc/freshclam.conf
/usr/local/cpanel/3rdparty/include/clamav.h
/usr/local/cpanel/3rdparty/lib64/libclamav.la
/usr/local/cpanel/3rdparty/lib64/libclamav.so
/usr/local/cpanel/3rdparty/lib64/libclamav.so.7
/usr/local/cpanel/3rdparty/lib64/libclamav.so.7.1.1
/usr/local/cpanel/3rdparty/lib64/libclamunrar.la
/usr/local/cpanel/3rdparty/lib64/libclamunrar.so
/usr/local/cpanel/3rdparty/lib64/libclamunrar.so.7
/usr/local/cpanel/3rdparty/lib64/libclamunrar.so.7.1.1
/usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.la
/usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.so
/usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.so.7
/usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.so.7.1.1
/usr/local/cpanel/3rdparty/lib64/pkgconfig/libclamav.pc
/usr/local/cpanel/3rdparty/share/clamav/copyright
/usr/local/cpanel/3rdparty/share/man/man1/clambc.1
/usr/local/cpanel/3rdparty/share/man/man1/clamconf.1
/usr/local/cpanel/3rdparty/share/man/man1/clamdscan.1
/usr/local/cpanel/3rdparty/share/man/man1/clamdtop.1
/usr/local/cpanel/3rdparty/share/man/man1/clamscan.1
/usr/local/cpanel/3rdparty/share/man/man1/clamsubmit.1
/usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
/usr/local/cpanel/3rdparty/share/man/man1/sigtool.1
/usr/local/cpanel/3rdparty/share/man/man5/clamav-milter.conf.5
/usr/local/cpanel/3rdparty/share/man/man5/clamd.conf.5
/usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
/usr/local/cpanel/3rdparty/share/man/man8/clamav-milter.8
/usr/local/cpanel/3rdparty/share/man/man8/clamd.8
/usr/local/cpanel/whostmgr/addonfeatures/clamavconnector
/usr/local/cpanel/whostmgr/docroot/cgi/addon_clamavconnector.cgi
/var/cpanel/dynamicui/clamav
/var/log/clam-update.log
Nowhere in these can I see anything that defines whether a file uploaded through File Manager gets scanned or not, and I am unable to find any hooks that have been added to File Manager after the install either.
Anybody know where this would be, or have any insight here?
Thanks and best regards,
~Ian
Liquidweb Security.
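
Added example, not part of the original post and not cPanel's or ClamAV's own code: the `.UNOFFICIAL` suffix in the quoted error marks a detection from a signature database other than ClamAV's official signed ones, and ClamAV skips any signature whose name is listed in a `.ign2` file in its database directory, which is a narrower response to a confirmed false positive than disabling upload scanning. The sketch below parses the quoted message and prints what such an entry would be; the `local.ign2` file name and the sample `DatabaseDirectory` value are assumptions.

```shell
#!/bin/sh
# Constructed sample: the File Manager error text quoted in the post.
SAMPLE_MSG='The file you uploaded, index.php, contains a virus so the upload was canceled: {HEX}base64.inject.unclassed.6.UNOFFICIAL FOUND'

# Raw detection name: the text after the last ": ", minus the trailing " FOUND".
detection_name() {
    printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND[[:space:]]*$/\1/p'
}

# ClamAV appends .UNOFFICIAL to hits from databases that are not its
# official signed ones (for example third-party or locally added files).
signature_source() {
    case "$1" in
        *.UNOFFICIAL) echo "third-party" ;;
        *)            echo "official" ;;
    esac
}

# Name as it is written in a .ign2 ignore file: suffix removed.
ign2_entry() {
    printf '%s\n' "${1%.UNOFFICIAL}"
}

# Read the DatabaseDirectory option from a clamd.conf-style file.
database_dir() {
    awk '$1 == "DatabaseDirectory" { print $2; exit }' "$1"
}

# $1 = error message, $2 = path to clamd.conf
triage() {
    name=$(detection_name "$1")
    [ -n "$name" ] || { echo "no detection found in message" >&2; return 1; }
    dbdir=$(database_dir "$2")
    echo "signature: $name"
    echo "source:    $(signature_source "$name")"
    echo "ign2 line: $(ign2_entry "$name")"
    # local.ign2 is a hypothetical file name; any *.ign2 in the directory works.
    echo "ign2 file: ${dbdir:-<DatabaseDirectory not set>}/local.ign2"
}

# Demo on constructed input (the directory below is a placeholder).
conf=$(mktemp)
echo 'DatabaseDirectory /example/clamav/db' > "$conf"
triage "$SAMPLE_MSG" "$conf"
rm -f "$conf"
```

On the host from the post, the second argument would be `/usr/local/cpanel/3rdparty/etc/clamd.conf` from the package listing, and clamd has to reload its databases before a new `.ign2` entry applies.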