
What to do About ClamAV False Positives

Discussion in 'Security' started by Steve Kessler, May 27, 2017.

  1. Steve Kessler

    Steve Kessler Active Member

    Joined:
    Feb 22, 2015
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Denver, Colorado, United State
    cPanel Access Level:
    Root Administrator
    I am using ClamAV together with ConfigServer CXS. I get emails when viruses are detected by Clam and all of them are false positives. It is to the point that I think I would miss a serious issue because I get the same emails over and over.

    Yes, I could add each file to the ignore file but that is a major pain because this is happening all the time.

    For example, fck_gecko.js is included in the FCKEditor package. This was one of the several files flagged in an install of this editor, so I looked into it. It turns out that Clam thinks it is Txt.Malware.Agent-6162558-0. Looking at the analysis, that does not appear to be the case.

    I am trying to find a better tool than Clam that will integrate with cPanel/WHM. Any thoughts on this or how to make Clam run better are much appreciated.

    Thanks,
    Steve
     
    #1 Steve Kessler, May 27, 2017
    Last edited by a moderator: May 27, 2017
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,745
    Likes Received:
    310
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    What is happening all the time? You only give one example.
    You probably shouldn't be using it any longer. This post is from 2005:
    drupal.org/project/fckeditor

     
  3. Steve Kessler

    Right now the only files that are being identified as viruses are from FCKEditor. However, the age of the editor should not mean that a virus detection program will see the files as viruses. That is an absurd statement. It is being used on a legacy site that is not going to be updated until that company closes.

    This has happened before with other JS and PHP files from reputable, up-to-date sources like Drupal and CiviCRM. It has also happened with DOC/X and XLS/X files that were uploaded to the server.

    I am just trying to find an option with fewer false positives if possible because this becomes the software that cried wolf.

    Thanks,
    Steve
     
  4. Infopro

    Absurd? You might re-read the link I posted. The statement is what it is.

    Good luck with that.

    In the meantime, you might need to whitelist that file to stop the alerts.
     
  5. Erika Rangel

    Erika Rangel Registered

    Joined:
    May 28, 2017
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Those entries seem to be false positives, not infected files. Now, I can't tell why it appears so slow.
     
  6. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    326
    Likes Received:
    94
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I wonder if your ClamAV is actually detecting these files as Potentially Unwanted Applications (PUA).

    You might want to read their documentation, and decide if you are going to block what might be good detections just because it is irritating, or if you are going to choose another A/V solution that doesn't warn you about potentially vulnerable scripts with known and published exploits.
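
Added example, not part of the thread or any poster's code: a shell sketch for triaging the repeated alerts discussed above by grouping detections per signature and marking which ones carry ClamAV's `PUA.` name prefix. It assumes scanner output in clamscan's `path: Signature FOUND` line format; the sample log, its paths and the `PUA.Example.Placeholder-1` name are constructed, and only `Txt.Malware.Agent-6162558-0` and `fck_gecko.js` come from the thread.

```shell
#!/bin/sh
# Constructed sample of clamscan-style output (paths and the PUA name are made up).
sample_log() {
cat <<'EOF'
/home/legacy/public_html/fckeditor/js/fck_gecko.js: Txt.Malware.Agent-6162558-0 FOUND
/home/legacy/public_html/fckeditor/js/fck_sample.js: Txt.Malware.Agent-6162558-0 FOUND
/home/legacy/public_html/tools/helper.php: PUA.Example.Placeholder-1 FOUND
/home/legacy/public_html/index.php: OK
EOF
}

# Read a scan log on stdin; print "count class signature", most frequent first.
# class is PUA when the signature name starts with "PUA.", otherwise SIG.
summarize() {
  awk '
    / FOUND$/ {
      sig = $0
      sub(/ FOUND$/, "", sig)   # drop the trailing status word
      sub(/^.*: /, "", sig)     # keep only the text after the last ": "
      count[sig]++
    }
    END {
      for (s in count) {
        class = (s ~ /^PUA\./) ? "PUA" : "SIG"
        printf "%d %s %s\n", count[s], class, s
      }
    }' | sort -k1,1nr -k3,3
}

# Read a scan log on stdin; print every file flagged with signature $1,
# so each hit can be reviewed before anything is added to an ignore list.
files_for() {
  awk -v sig="$1" '
    / FOUND$/ {
      line = $0
      sub(/ FOUND$/, "", line)
      n = length(line) - length(sig)
      # exact match on the signature name, preceded by the ": " separator
      if (n > 2 && substr(line, n + 1) == sig && substr(line, n - 1, 2) == ": ")
        print substr(line, 1, n - 2)
    }'
}

sample_log | summarize
```

Once the files behind a signature have been reviewed, ClamAV can ignore that one signature by name through a file with the `.ign2` extension in its database directory, which avoids listing every affected file individually.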
     