Solved

configure clamav to automatically move files to a quarantine folder

Posted on 2014-03-06
3,907 Views
Last Modified: 2014-03-09
I inherited a system with clamav on ubuntu 12.04 and I am trying to get it to scan whenever a file is uploaded and move the infected file to a quarantine folder.  I am researching online for a php plugin for clamav, but I still thought clamav should be working in the background.

Please share any examples on how to configure clamav to automatically move files to a quarantine folder.
clamd.txt
Question by:cesemj
6 Comments
 

Expert Comment

by:arnold
ID: 39912325
The moving part has to be part of your script's logic.
Assign the status of running clamdscan filename to a variable.  Then check the status and, on that basis, change the location where the file goes.
Have not used clam recently, but do not believe it has an option, i.e. "clamdscan filename good_folder quarantine", which is what would be needed.  Note also that automatic handling by the scanner will not provide feedback to the user.
 

Accepted Solution

by:
btan earned 350 total points
ID: 39912332
Ref - http://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav/

Check to find if Clamscan is running
https://help.ubuntu.com/community/ClamAV#Check_to_find_if_Clamscan_is_running

To check files in the USER home directory and move infected files to another folder:
clamscan -r --move=/home/USER/VIRUS /home/USER

there is also ClamTk which is a frontend for ClamAV. for quarantine can see below but do note the on-demand scan
http://clamtk.sourceforge.net/help/quarantine-clamtk.html

Why isn't there on-access virus scanning?
Several reasons:
First, it would rely on the Dazuko program, and there are no widely available binary packages for it. Second, if there were packages available, such a functionality is probably not needed in Linux and would serve mostly as a memory hog if you were watching the entire system. A workaround would be to only watch each user's home directory while they were logged in. Third, you would have to run clamd as root in this kind of situation, and that is a security risk.
The good news is that there is a Perl interface for Dazuko, so if things did change and this became a desirable functionality, it could probably be implemented.

you may want to see the add-on for on-access filesystem scanning
http://www.clamav.net/lang/en/download/third-party-tools/3rdparty-fs/

Avfs, a true on-access anti-virus file system that incrementally scans files and prevents infected data from being committed to disk. Avfs is a stackable file system and therefore can add virus detection to any other file system: Ext3, NFS, etc. Avfs supports forensic modes that can prevent a virus from reaching the disk or automatically create versions of potentially infected files to allow safe recovery. Avfs can also quarantine infected files on disk and isolate them from user processes.
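As an added example (not code from this thread, from ClamAV, or from the ClamTk project), the following POSIX sh script does what arnold's comment describes and what the --move option in the accepted answer automates: run clamdscan on one uploaded file, branch on its exit status, and move a detection into a quarantine directory with a log entry. The exit statuses 0 (clean), 1 (virus found) and 2 (error) are the ones documented in the clamscan and clamdscan man pages. The quarantine and log paths are placeholders, and the SCANNER, QUARANTINE_DIR and SCAN_LOG variables are assumptions of this example so that the paths and the scanner binary can be overridden.

```shell
#!/bin/sh
# scan_upload.sh: scan one uploaded file and quarantine it if clamdscan reports a detection.
# Added example for this thread, not ClamAV project code. The directory and log paths are
# placeholders; SCANNER is an assumption that lets another scanner (or a test double)
# stand in for clamdscan.

# Exit statuses documented for clamscan/clamdscan:
#   0 = no virus found, 1 = virus found, 2 = error (clamd down, file unreadable, ...)
scan_and_quarantine() {
    file="$1"
    qdir="${QUARANTINE_DIR:-/var/quarantine}"
    log="${SCAN_LOG:-/var/log/clamav/quarantine.log}"
    scanner="${SCANNER:-clamdscan}"

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    mkdir -p "$qdir" || return 2

    # Capture the scanner's report and its exit status without letting 'set -e' abort us
    status=0
    report=$("$scanner" --no-summary "$file" 2>&1) || status=$?

    case "$status" in
        0)
            return 0 ;;
        1)
            # Timestamp + PID make the name unique, so repeated uploads of the same
            # filename do not overwrite an earlier quarantined copy
            dest="$qdir/$(basename "$file").$(date +%Y%m%d%H%M%S).$$"
            mv -- "$file" "$dest" || return 2
            chmod 0600 "$dest"
            printf '%s QUARANTINED %s -> %s [%s]\n' "$(date '+%F %T')" "$file" "$dest" "$report" >> "$log"
            return 1 ;;
        *)
            # Scanner error: fail closed. The file is left in place unscanned, so the caller
            # must treat status 2 as "reject the upload", never as "clean".
            printf '%s ERROR scanning %s [%s]\n' "$(date '+%F %T')" "$file" "$report" >> "$log"
            return 2 ;;
    esac
}

# Run directly: scan every path on the command line; exit status is the worst result seen
if [ $# -gt 0 ]; then
    worst=0
    for f in "$@"; do
        rc=0; scan_and_quarantine "$f" || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    exit "$worst"
fi
```

Two practical notes. First, clamdscan hands the path to the clamd daemon, which on Ubuntu runs as the clamav user; if that user cannot read the upload directory the scan returns status 2, and clamdscan's --fdpass option (which passes an open file descriptor instead of a path) avoids that without loosening directory permissions. Second, to hook this into a PHP upload handler, call it from PHP with exec() on the temporary upload path (using escapeshellarg on the path) and only accept the upload when the returned status is 0; anything else, including the error status, should reject the upload, which is the feedback to the user that a purely background sweep cannot give.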
 

Assisted Solution

by:arnold
arnold earned 150 total points
ID: 39912336
Rechecked the man pages, which you ....

It has the --remove option; caution is advised.
It also has the --move=/path/to/directory option.

Author Comment

by:cesemj
ID: 39912911
Thanks for your input: I found the following article and am testing the following cron command, which I entered as root:

echo "*/5 * * * * /usr/bin/find /var/www/testbuild.tv/site/fileuploads/ -mmin -7 -type f -exec /usr/bin/clamdscan --remove --log=/var/log/clamav/removedfiles.log {} \; > /dev/null 2>&1" >> /var/spool/cron/root

I restarted the cron service and did crontab -l but do not see the cron job.  I did not receive an error when I typed the command.

The goal of the cronjob syntax is to run clamdscan every 5 mins against a specific directory tree and remove all infected files and log the results.
Please tell me what you think.
 

Expert Comment

by:btan
ID: 39913936
can also check out this script as reference for a scheduled task via cron: grep for infected files and pipe them to your desired quarantine folder using --move=DIRECTORY, where this option will move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.

https://code.google.com/p/clamav-cron/
https://hacking.im/automated-clam-antivirus-scanning-for-centos-servers
man - http://linux.die.net/man/1/clamscan
 

Author Comment

by:cesemj
ID: 39915844
thanks for the update