Solved

configure clamav to automatically move files to a quarantine folder

Posted on 2014-03-06
4,866 Views
Last Modified: 2014-03-09
I inherited a system with clamav on ubuntu 12.04 and I am trying to get it to scan whenever a file is uploaded and move the infected file to a quarantine folder. I am researching online for a php plugin for clamav, but I still thought clamav should be working in the background.

Please share any examples on how to configure clamav to automatically move files to a quarantine folder.
clamd.txt
0
Question by:cesemj
6 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 39912325
The moving part has to be part of your script's logic.
Assign the status of running clamdscan filename to a variable. Then check the status and, on this basis, change the location where the file goes.
Have not used clam recently, but do not believe it has an option, i.e. "clamdscan filename good_folder quarantine", which is what would be needed. Note also that automatic handling by the scanner will not provide feedback to the user.
0
 
LVL 64

Accepted Solution

by:
btan earned 350 total points
ID: 39912332
Ref - http://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav/

Check to find if Clamscan is running
https://help.ubuntu.com/community/ClamAV#Check_to_find_if_Clamscan_is_running

To check files in the USER home directory and move infected files to another folder:
clamscan -r --move=/home/USER/VIRUS /home/USER

There is also ClamTk, which is a frontend for ClamAV. For quarantine see below, but do note the on-demand scan:
http://clamtk.sourceforge.net/help/quarantine-clamtk.html

Why isn't there on-access virus scanning?
Several reasons:
First, it would rely on the Dazuko program, and there are no widely available binary packages for it. Second, if there were packages available, such a functionality is probably not needed in Linux and would serve mostly as a memory hog if you were watching the entire system. A workaround would be to only watch each user's home directory while they were logged in. Third, you would have to run clamd as root in this kind of situation, and that is a security risk.
The good news is that there is a Perl interface for Dazuko, so if things did change and this became a desirable functionality, it could probably be implemented.

you may want to see the add-on for on access filesystem scan
http://www.clamav.net/lang/en/download/third-party-tools/3rdparty-fs/

Avfs, a true on-access anti-virus file system that incrementally scans files and prevents infected data from being committed to disk. Avfs is a stackable file system and therefore can add virus detection to any other file system: Ext3, NFS, etc. Avfs supports forensic modes that can prevent a virus from reaching the disk or automatically create versions of potentially infected files to allow safe recovery. Avfs can also quarantine infected files on disk and isolate them from user processes.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 150 total points
ID: 39912336
Rechecked the man pages, which you ....

It has the --remove option; caution is advised.
It also has the --move=/path/to/directory option.
0
Author Comment

by:cesemj
ID: 39912911
Thanks for your input: I found the following article and am testing the following cron command I entered as root:

( crontab -l 2>/dev/null; echo "*/5 * * * * /usr/bin/find /var/www/testbuild.tv/site/fileuploads -mmin -7 -type f -exec /usr/bin/clamdscan --remove --log=/var/log/clamav/removedfiles.log {} \; > /dev/null 2>&1" ) | crontab -

I restarted the cron service and did crontab -l but do not see the cronjob. I did not receive an error when I typed the command.

The goal of the cronjob syntax is to run clamdscan every 5 mins against a specific directory tree and remove all infected files and log the results.
Please tell me what you think.
0
 
LVL 64

Expert Comment

by:btan
ID: 39913936
Can also check out this script as reference for a scheduled task via cron: grep infected and pipe to your desired quarantine folder using --move=DIRECTORY, where this option will move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.

https://code.google.com/p/clamav-cron/
https://hacking.im/automated-clam-antivirus-scanning-for-centos-servers
man - http://linux.die.net/man/1/clamscan
0
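The following script is an added example and is not code from any poster in this thread or from the ClamAV project. It combines arnold's suggestion (check the scanner's exit status and decide where the file goes) with btan's scheduled-scan approach: files changed in the last few minutes under an upload directory are scanned with clamdscan (or clamscan when no daemon client is installed), flagged files are moved into a quarantine directory with restrictive permissions, and every decision is logged. Exit codes 0 (clean), 1 (infected) and 2 (error) are the documented clamscan/clamdscan return codes; the directory paths, the environment variable names and the script name in the cron line are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: scan recently uploaded files, quarantine anything flagged, log the outcome.
# Assumed install location: /usr/local/sbin/scan-uploads.sh, run from root's crontab as
#   */5 * * * * UPLOAD_DIR=/var/www/testbuild.tv/site/fileuploads /usr/local/sbin/scan-uploads.sh
# (install with `crontab -e` so cron actually picks it up; QUARANTINE_DIR, SCAN_LOG and
# SCAN_MINUTES may be set the same way and default to the values at the bottom).
set -u

# Map a ClamAV exit status to an action: 0 = clean, 1 = infected, 2 = scanner error.
# Infected files are moved into the quarantine directory under a timestamped name so that
# repeated uploads of the same file name do not overwrite each other, and are made
# unreadable to anyone but the owner so the web server cannot serve them from there.
# Returns 0 when the file was handled, 2 on an error (the file is left where it is).
handle_scan_status() {
    status=$1; file=$2; qdir=$3; logfile=$4
    stamp=$(date +%Y%m%dT%H%M%S)
    case "$status" in
        0)
            printf '%s CLEAN %s\n' "$stamp" "$file" >> "$logfile"
            return 0 ;;
        1)
            mkdir -p "$qdir"
            dest="$qdir/${stamp}_$(basename "$file")"
            if mv -- "$file" "$dest"; then
                chmod 0600 "$dest"
                printf '%s QUARANTINED %s -> %s\n' "$stamp" "$file" "$dest" >> "$logfile"
                return 0
            fi
            printf '%s ERROR could not move %s\n' "$stamp" "$file" >> "$logfile"
            return 2 ;;
        *)
            printf '%s ERROR scanner returned %s for %s\n' "$stamp" "$status" "$file" >> "$logfile"
            return 2 ;;
    esac
}

# Scan every regular file modified within the last N minutes below the upload directory.
# clamdscan is preferred (it uses the running daemon; --fdpass hands clamd an open file
# descriptor so the daemon need not have read permission on the upload tree itself).
# Returns 0 if every file was handled, 2 if any scan or move failed.
scan_recent_uploads() {
    updir=$1; qdir=$2; logfile=$3; minutes=${4:-7}
    rc=0
    if command -v clamdscan >/dev/null 2>&1; then
        scanner="clamdscan --fdpass --no-summary"
    elif command -v clamscan >/dev/null 2>&1; then
        scanner="clamscan --no-summary"
    else
        printf '%s ERROR no clamdscan/clamscan binary found\n' "$(date +%Y%m%dT%H%M%S)" >> "$logfile"
        return 2
    fi
    # Collect the file list first so the loop runs in the current shell and keeps $rc.
    list=$(mktemp) || return 2
    find "$updir" -mmin "-$minutes" -type f > "$list"
    while IFS= read -r f; do
        $scanner "$f" >/dev/null 2>&1
        handle_scan_status $? "$f" "$qdir" "$logfile" || rc=2
    done < "$list"
    rm -f "$list"
    return $rc
}

# Only run a scan when an upload directory was given, so the functions can be sourced.
if [ -n "${UPLOAD_DIR:-}" ]; then
    scan_recent_uploads "$UPLOAD_DIR" "${QUARANTINE_DIR:-/var/quarantine}" \
        "${SCAN_LOG:-/var/log/clamav/quarantine.log}" "${SCAN_MINUTES:-7}"
fi
```

Because cron runs the job every 5 minutes but the window is 7 minutes, a file can be scanned twice; that is harmless here since a clean file is only logged and an infected one is gone after the first pass. Keep the quarantine directory outside the web root and writable by the user cron runs the script as.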
 

Author Comment

by:cesemj
ID: 39915844
thanks for the update
0
