Linux – Scan whole system or just user dirs with clamav

clamavlinuxmalwareweb-server

I'm in doubt about how to scan my Linux system with Clamav: do I just scan the places where users can upload files (homedirs, their webroots) or do I scan the whole system?

The various sites I've read vary in opinion, some say you needn't scan the Linux-only parts, some say to not scan at all. The latter I've already discarded as I think it sensible to at least scan webroots for hosted viruses, but scanning the whole system is still something I am in doubt about.

Best Answer

ClamAV doesn't do well in many tests of antivirus (percentage detected) - better to find a commercial antivirus with Linux version that has good ratings on independent tests. See http://www.av-comparatives.org/en/comparativesreviews - however http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusYearlyStats shows it's in about the middle of the pack.

ClamAV won't find the most common sort of malware present on Linux web servers, namely web-based malware that compromises the website, rather than the web server itself. You can use LMD to find such malware typically: http://www.rfxn.com/projects/linux-malware-detect/

Since viruses affecting the Linux OS are rare to non-existent I would focus antivirus scans (ClamAV or other) on areas where Mac/Windows files could be uploaded, and run LMD over all web roots.

You might want to also set rkhunter to scan the whole system for known rootkits. (chkrootkit project appears to be dormant since 2009)

Related Solutions

Linux – How to find out what sites are using too much RAM on the linux web hosting box

Drop the PHP memory limit to a lower value (memory_limit config var in php.ini); the script that's consuming all the memory will error out and that'll identify the problem. If the problem still happens without visible error, keep dropping the memory limit. If everything starts erroring out, you dropped it too far. If you can't find a happy medium between "everything dies" and "nothing dies", consider the possibility that it's not actually a PHP script hogging all your memory, and start looking at other possibilities (cron jobs, background processing jobs, that sort of thing).

How to scan only last 24 hours files with clamav

I stumbled onto this page, when I was looking for a clamscan script. I followed above advice and got it working with:

#!/usr/bin/bash
# Create Hourly Cron Job With Clamscan

# Directories to scan
scan_dir="/home"

# Temporary file
list_file=$(mktemp -t clamscan.XXXXXX) || exit 1

# Location of log file
log_file="/var/log/clamav/hourly_clamscan.log"

# Make list of new files
if [ -f  "$log_file" ]
then
        # use newer files then logfile
        find "$scan_dir" -type f -cnewer "$log_file" -fprint "$list_file"
else
        # scan last 60 minutes
        find "$scan_dir" -type f -cmin -60 -fprint "$list_file"
fi

if [ -s "$list_file" ]
then
        # Scan files and remove (--remove) infected
        clamscan -i -f "$list_file" --remove=yes > "$log_file"

        # If there were infected files detected, send email alert
        if [ `cat $log_file | grep Infected | grep -v 0 | wc -l` != 0 ]
        then
                HOSTNAME=`hostname`
                echo "$(egrep "FOUND" $log_file)" | mail -s "VIRUS PROBLEM on $HOSTNAME" -r     clam@nas.local you@yourhost.com
        fi
else
        # remove the empty file, contains no info
        rm -f "$list_file"
fi
exit

It was an hourly script in my case, but should work for daily (modify the second find).

Best Answer

Related Solutions

Linux – How to find out what sites are using too much RAM on the linux web hosting box

How to scan only last 24 hours files with clamav

Related Topic