Solved

configure clamav to automatically move files to an quarantine folder

Posted on 2014-03-06
6
4,611 Views
Last Modified: 2014-03-09
I inherited a system with clamav on ubuntu 12.04 and I am trying to get it to scan whenever a file is uploaded and move the infected file to a quarantine folder.  I am researching on line for a php plugin for clamav but I still thought clamav should be working in the background.

Please share any examples on how to configure clamav to automatically move files to an quarantine folder
clamd.txt
0
Comment
Question by:cesemj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39912325
The moving part has to be part of your scripts logic.
Assign the status of running clamdscan filename to a variable.  Then check the status and on this basis, you change the location where the file goes.
Have not used clam recently, but do not believe it has an option I.e "clamdscan filename good_folder quarantine" which is what would be needed.  Note also that an automatic handling by the scanner, will not provide feedback to the user.
0
 
LVL 63

Accepted Solution

by:
btan earned 350 total points
ID: 39912332
Ref - http://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav/

Check to find if Clamscan is running
https://help.ubuntu.com/community/ClamAV#Check_to_find_if_Clamscan_is_running

To check files in the USER home directory and move infected files to another folder:
clamscan -r --move=/home/USER/VIRUS /home/USER

there is also ClamTk which is a frontend for ClamAV. for quarantine can see below but do ntoe the on demand scan
http://clamtk.sourceforge.net/help/quarantine-clamtk.html

Why isn't there on-access virus scanning?
Several reasons:
First, it would rely on the Dazuko program, and there are no widely available binary packages for it. Second, if there were packages available, such a functionality is probably not needed in Linux and would serve mostly as a memory hog if you were watching the entire system. A workaround would be to only watch each user's home directory while they were logged in. Third, you would have to run clamd as root in this kind of situation, and that is a security risk.
The good news is that there is a Perl interface for Dazuko, so if things did change and this became a desirable functionality, it could probably be implemented.

you may want to see the add-on for on access filesystem scan
http://www.clamav.net/lang/en/download/third-party-tools/3rdparty-fs/

Avfs, a true on-access anti-virus file system that incrementally scans files and prevents infected data from being committed to disk. Avfs is a stackable file system and therefore can add virus detection to any other file system: Ext3, NFS, etc. Avfs supports forensic modes that can prevent a virus from reaching the disk or automatically create versions of potentially infected files to allow safe recovery. Avfs can also quarantine infected files on disk and isolate them from user processes.
0
 
LVL 78

Assisted Solution

by:arnold
arnold earned 150 total points
ID: 39912336
Rechecked the man pages, which you ....

 It has the ---remove option caution is advised
It also have the --move=/path/to/directory
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 

Author Comment

by:cesemj
ID: 39912911
Thanks for your input: I found the following article and are testing the following cron command I entered as root:

echo "*/5 * * * * /usr/bin/find /var/www/testbuild.tv/site/fileuploads/* -mmin -7 -type f -exec /usr/bin/clamdscan --remove {} \ --log=/var/log/clamav/removedfiles.log;  > /dev/null 2>&1" >> /var/spool/cron/root

I restarted the cron service and did crontab -l but do not see the cronjob.  I did not receive an error when I typed the command..

The goal of the cronjob syntax is to run clamdscan every 5 mins against a specific directory tree and remove all infected files and log the results.
Please tell me what you think.
0
 
LVL 63

Expert Comment

by:btan
ID: 39913936
can also check out this script as reference for scheduled task via cron, grep infected and piped to your desired quarantine folde using --move=DIRECTORY where this option will move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.

https://code.google.com/p/clamav-cron/
https://hacking.im/automated-clam-antivirus-scanning-for-centos-servers
man - http://linux.die.net/man/1/clamscan
0
 

Author Comment

by:cesemj
ID: 39915844
thanks for the update
0

Featured Post

Windows running painfully slow? Try these tips..

Stay away from Speed Up Computer Programs that do more harm than good.
Try these tips instead.
Step by step instructions in trouble shooting Windows Performance issues.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question