Disable automatic scanning and blocking of file manager

Discussion in 'Security' started by cyphixia, Jun 18, 2017.

  1. cyphixia

    cyphixia Registered

    Hey guys,

    First post here, but have been playing the cpanel/whm game for a while as a hosting security admin.

    We recently had an issue that I can't for the life of me figure out where to correct/change...

    Let me describe the issue first:
    -Stock centos7 server running "release" whm.
    -Enable clamAV plugin for cpanel Version: 0.99.2-1.cp1164
    -Try to upload a known malicious file using cpanel file manager to an account's public_html.

    It will block with something like:
    "The file you uploaded, index.php, contains a virus so the upload was canceled: {HEX}base64.inject.unclassed.6.UNOFFICIAL FOUND"

    I have checked the file, and can confirm that this is a false positive.

    But, this leaves me with a question... Where are the configuration options for this? Specifically the option to disable the on demand stream scanning of an upload, for the host, a user, directory, or file. It seems like this would be configurable somewhere, or at least should be something that can be disabled via a config change.

    Upon installation of the module, I see that the following packages are downloaded and added:

    Code:
    http://httpupdate.cpanel.net/RPM/11.62/centos/6/x86_64/cpanel-perl-524-File-Scan-ClamAV-1.95-1.cp1162.x86_64.rpm
    
    http://httpupdate.cpanel.net/RPM/11.64/centos/6/x86_64/cpanel-clamav-0.99.2-1.cp1164.x86_64.rpm
    These seem to add the following files:

    -----
    Code:
    [root@host ~]# rpm -qlp http://httpupdate.cpanel.net/RPM/11.62/centos/6/x86_64/cpanel-perl-524-File-Scan-ClamAV-1.95-1.cp1162.x86_64.rpm
    /usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/File/Scan/ClamAV.pm
    
    [root@host ~]# rpm -qlp http://httpupdate.cpanel.net/RPM/11.64/centos/6/x86_64/cpanel-clamav-0.99.2-1.cp1164.x86_64.rpm
    /etc/chkserv.d/clamd
    /usr/local/cpanel/3rdparty/bin/clamav-config
    /usr/local/cpanel/3rdparty/bin/clamav_setupcrontab
    /usr/local/cpanel/3rdparty/bin/clambc
    /usr/local/cpanel/3rdparty/bin/clamconf
    /usr/local/cpanel/3rdparty/bin/clamd
    /usr/local/cpanel/3rdparty/bin/clamdscan
    /usr/local/cpanel/3rdparty/bin/clamdtop
    /usr/local/cpanel/3rdparty/bin/clamscan
    /usr/local/cpanel/3rdparty/bin/clamsubmit
    /usr/local/cpanel/3rdparty/bin/freshclam
    /usr/local/cpanel/3rdparty/bin/sigtool
    /usr/local/cpanel/3rdparty/etc/clamd.conf
    /usr/local/cpanel/3rdparty/etc/cpclamav.conf
    /usr/local/cpanel/3rdparty/etc/freshclam.conf
    /usr/local/cpanel/3rdparty/include/clamav.h
    /usr/local/cpanel/3rdparty/lib64/libclamav.la
    /usr/local/cpanel/3rdparty/lib64/libclamav.so
    /usr/local/cpanel/3rdparty/lib64/libclamav.so.7
    /usr/local/cpanel/3rdparty/lib64/libclamav.so.7.1.1
    /usr/local/cpanel/3rdparty/lib64/libclamunrar.la
    /usr/local/cpanel/3rdparty/lib64/libclamunrar.so
    /usr/local/cpanel/3rdparty/lib64/libclamunrar.so.7
    /usr/local/cpanel/3rdparty/lib64/libclamunrar.so.7.1.1
    /usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.la
    /usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.so
    /usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.so.7
    /usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.so.7.1.1
    /usr/local/cpanel/3rdparty/lib64/pkgconfig/libclamav.pc
    /usr/local/cpanel/3rdparty/share/clamav/copyright
    /usr/local/cpanel/3rdparty/share/man/man1/clambc.1
    /usr/local/cpanel/3rdparty/share/man/man1/clamconf.1
    /usr/local/cpanel/3rdparty/share/man/man1/clamdscan.1
    /usr/local/cpanel/3rdparty/share/man/man1/clamdtop.1
    /usr/local/cpanel/3rdparty/share/man/man1/clamscan.1
    /usr/local/cpanel/3rdparty/share/man/man1/clamsubmit.1
    /usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
    /usr/local/cpanel/3rdparty/share/man/man1/sigtool.1
    /usr/local/cpanel/3rdparty/share/man/man5/clamav-milter.conf.5
    /usr/local/cpanel/3rdparty/share/man/man5/clamd.conf.5
    /usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
    /usr/local/cpanel/3rdparty/share/man/man8/clamav-milter.8
    /usr/local/cpanel/3rdparty/share/man/man8/clamd.8
    /usr/local/cpanel/whostmgr/addonfeatures/clamavconnector
    /usr/local/cpanel/whostmgr/docroot/cgi/addon_clamavconnector.cgi
    /var/cpanel/dynamicui/clamav
    /var/log/clam-update.log
    
    -----

    Nowhere in these can I see anything that defines whether file manager uploaded files get scanned or not, and I am unable to find any hooks that have been added to file manager after the install as well.

    Anybody know where this would be, or have any insight here?

    Thanks and best regards,
    ~Ian
    Liquidweb Security.
     
    #1 cyphixia, Jun 18, 2017
    Last edited by a moderator: Jun 18, 2017
    irmawan likes this.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello Ian,

    It's not possible to disable virus scanning for files uploaded through File Manager without uninstalling ClamAV. I encourage you to open a feature request if you'd like to see that functionality added to the product:

    Submit A Feature Request

    The best approach in the meantime is to manually add false positives to the global whitelist using the instructions on the following thread:

    ClamAV signatures database

    Thank you.
     
  3. irmawan

    irmawan Registered

    Hello Ian, have you found a solution?
    Conversely, on my server, I try to upload a suspect (malicious) file, but there is no warning. How do I set up/add a warning, so that dangerous files can be rejected?
    I have installed ClamAV and also OWASP mod_security.

    Does anybody know? I need help.
    Thanks
    Irmaone
     
    #3 irmawan, Feb 15, 2018
    Last edited: Feb 15, 2018
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @irmawan,

    It's possible that ClamAV does not detect that file as malicious. Try scanning the file you uploaded via File Manager using the "clamscan" utility to verify that ClamAV actually detects it as a virus:

    Code:
    /usr/local/cpanel/3rdparty/bin/clamscan /path/to/filename
    Thank you.
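
Added example (not part of the thread and not cPanel's code): shell functions for the two steps the staff replies describe, reading a `clamscan` result line to confirm a detection and recording a confirmed false positive in a local ClamAV allow list. The database directory, the `local.ign2` / `local.sfp` file names and the sample path are assumptions; confirm the real directory with `clamconf` before using it.

```shell
#!/bin/sh
# Assumed database directory for cPanel's ClamAV build; verify with:
#   /usr/local/cpanel/3rdparty/bin/clamconf | grep DatabaseDirectory
CLAM_DB_DIR="${CLAM_DB_DIR:-/usr/local/cpanel/3rdparty/share/clamav}"

# Constructed clamscan result line using the signature name quoted in the thread.
SAMPLE_LINE='/home/user/public_html/index.php: {HEX}base64.inject.unclassed.6.UNOFFICIAL FOUND'

# Print the signature name from a "path: NAME FOUND" line; return 1 for
# "OK" lines (file not detected). The ".UNOFFICIAL" suffix is added by
# ClamAV on output for third-party signatures and is not part of the name.
sig_from_scan_line() {
    case "$1" in
        *": "*" FOUND") ;;
        *) return 1 ;;
    esac
    name="${1##*: }"
    name="${name% FOUND}"
    printf '%s\n' "${name%.UNOFFICIAL}"
}

# Append a line to a file only if that exact line is not already there.
append_once() {
    touch "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >>"$1"
}

# Broad option: ignore the signature for every file (one name per line in .ign2).
ignore_signature() {
    sig=$(sig_from_scan_line "$1") || return 1
    append_once "$CLAM_DB_DIR/local.ign2" "$sig"
}

# Narrow option: allow only this exact file content, as SHA256:size:label
# in a .sfp database (the same line format `sigtool --sha256 FILE` prints).
allow_file_hash() {
    [ -f "$1" ] || return 1
    hash=$(sha256sum "$1" | cut -d' ' -f1)
    size=$(wc -c <"$1" | tr -d ' ')
    append_once "$CLAM_DB_DIR/local.sfp" "$hash:$size:fp-$(basename "$1")"
}

# Usage, after manually confirming the file is a false positive:
#   ignore_signature "$(/usr/local/cpanel/3rdparty/bin/clamscan --no-summary /path/to/filename)"
#   allow_file_hash /path/to/filename
```

The entries take effect once clamd reloads its databases. The hash entry stops matching as soon as the file content changes, which makes it the narrower of the two options.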
     