  • Status: Solved
configure clamav to automatically move files to a quarantine folder

I inherited a system with clamav on ubuntu 12.04 and I am trying to get it to scan whenever a file is uploaded and move the infected file to a quarantine folder.  I am researching online for a php plugin for clamav but I still thought clamav should be working in the background.

Please share any examples on how to configure clamav to automatically move files to a quarantine folder.

Attachment: clamd.txt

Asked by: cesemj
2 Solutions
arnold commented:
The moving part has to be part of your scripts logic.
Assign the status of running clamdscan filename to a variable.  Then check the status and on this basis, you change the location where the file goes.
Have not used clam recently, but do not believe it has an option, i.e. "clamdscan filename good_folder quarantine", which is what would be needed.  Note also that automatic handling by the scanner will not provide feedback to the user.

btan (Exec Consultant) commented:
Ref - http://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav/

Check to find if Clamscan is running
https://help.ubuntu.com/community/ClamAV#Check_to_find_if_Clamscan_is_running

To check files in the USER home directory and move infected files to another folder:
clamscan -r --move=/home/USER/VIRUS /home/USER

There is also ClamTk, which is a frontend for ClamAV. For quarantine, see below, but do note the on-demand scan:
http://clamtk.sourceforge.net/help/quarantine-clamtk.html

Why isn't there on-access virus scanning?
Several reasons:
First, it would rely on the Dazuko program, and there are no widely available binary packages for it. Second, if there were packages available, such a functionality is probably not needed in Linux and would serve mostly as a memory hog if you were watching the entire system. A workaround would be to only watch each user's home directory while they were logged in. Third, you would have to run clamd as root in this kind of situation, and that is a security risk.
The good news is that there is a Perl interface for Dazuko, so if things did change and this became a desirable functionality, it could probably be implemented.

You may want to see the add-on for on-access filesystem scanning:
http://www.clamav.net/lang/en/download/third-party-tools/3rdparty-fs/

Avfs, a true on-access anti-virus file system that incrementally scans files and prevents infected data from being committed to disk. Avfs is a stackable file system and therefore can add virus detection to any other file system: Ext3, NFS, etc. Avfs supports forensic modes that can prevent a virus from reaching the disk or automatically create versions of potentially infected files to allow safe recovery. Avfs can also quarantine infected files on disk and isolate them from user processes.

arnold commented:
Rechecked the man pages, which you ....

It has the --remove option; caution is advised.
It also has the --move=/path/to/directory option.

cesemj (Author) commented:
Thanks for your input: I found the following article and am testing the following cron command I entered as root:

echo "*/5 * * * * /usr/bin/find /var/www/testbuild.tv/site/fileuploads/* -mmin -7 -type f -exec /usr/bin/clamdscan --remove --log=/var/log/clamav/removedfiles.log {} \; > /dev/null 2>&1" >> /var/spool/cron/root

I restarted the cron service and did crontab -l but do not see the cronjob.  I did not receive an error when I typed the command.

The goal of the cronjob syntax is to run clamdscan every 5 mins against a specific directory tree and remove all infected files and log the results.
Please tell me what you think.

btan (Exec Consultant) commented:
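As an added example (not code from the thread or from ClamAV), the script below puts arnold's suggestion and the cron goal above into one POSIX shell script: it scans each file with clamdscan, branches on the scanner's exit status (0 clean, 1 infected, anything else a scanner error), moves infected files into a quarantine directory without overwriting earlier entries, and appends a log line. The scanner, quarantine and log paths are assumptions taken from environment variables so the functions can be exercised with a stub scanner; the upload directory is whatever you pass to scan_recent. It is meant to be called from cron, e.g. `*/5 * * * * /usr/local/bin/scan_uploads.sh /var/www/.../fileuploads 7`.

```shell
#!/bin/sh
# Added example: quarantine files based on the clamdscan exit status.
# Exit codes per the clamdscan man page: 0 = no virus, 1 = virus found, 2 = error.
# Paths are assumptions; override them via the environment or edit to taste.

SCANNER="${SCANNER:-/usr/bin/clamdscan}"          # point at a stub for offline testing
QUARANTINE="${QUARANTINE:-/var/quarantine}"       # must be writable by the user running this
LOGFILE="${LOGFILE:-/var/log/clamav/quarantine.log}"

# scan_and_sort FILE -> prints "clean", "quarantined" or "error"
scan_and_sort() {
    f="$1"
    # Run inside `if` so a non-zero exit does not abort the script under `set -e`.
    if "$SCANNER" "$f" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    case "$status" in
        0)
            echo clean ;;
        1)
            mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
            # Keep the original name, but never overwrite a previously quarantined file.
            dest="$QUARANTINE/$(basename "$f").$(date +%s).$$"
            mv -- "$f" "$dest"
            printf '%s INFECTED %s -> %s\n' "$(date -u +%FT%TZ)" "$f" "$dest" >> "$LOGFILE"
            echo quarantined ;;
        *)
            # Scanner error (e.g. clamd not running): leave the file alone, but record it.
            printf '%s ERROR status=%s %s\n' "$(date -u +%FT%TZ)" "$status" "$f" >> "$LOGFILE"
            echo error ;;
    esac
}

# scan_recent DIR MINUTES -> scans every file under DIR modified in the last MINUTES minutes
scan_recent() {
    find "$1" -type f -mmin "-$2" -print | while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(scan_and_sort "$f")"
    done
}

# Command-line entry point: scan_uploads.sh DIR [MINUTES]
if [ -n "$1" ]; then
    scan_recent "$1" "${2:-7}"
fi
```

Two points worth noting for a cron deployment: clamdscan talks to the running clamd daemon, so the file must be readable by the clamd user (or pass --fdpass), and the window given to -mmin should be a little longer than the cron interval so that a file uploaded right at the boundary is not missed.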
You can also check out this script as a reference for a scheduled task via cron: grep for infected files and pipe them to your desired quarantine folder using --move=DIRECTORY, where this option will move infected files into DIRECTORY. The directory must be writable for the '' user or the unprivileged user running clamscan.

https://code.google.com/p/clamav-cron/
https://hacking.im/automated-clam-antivirus-scanning-for-centos-servers
man - http://linux.die.net/man/1/clamscan

cesemj (Author) commented:
thanks for the update