ClamAV Detected virus not getting quarantined

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

ClamAV Detected virus not getting quarantined

Post by peterelsner »

This may be a bug...

Noticed over the past week that several viruses that are detected by ClamAV as being
PHP Shell Exploits are NOT getting quarantined...

Here is my default cxs config.

/usr/sbin/cxs --allusers --clamdsock /var/clamd --doptions Mv --exploitscan --filemax 10000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root@server.tld --MD5 --options mMOLfSGchexdnwZDR --qoptions Mhv --quarantine /backups/quarantined_by_cxs --report /var/log/cxs.scan --sizemax 500000 --summary --throttle 4 --timemax 30 --virusscan --voptions mfhexT --xtra /etc/cxs/cxs.xtra

And here is the output I got from the email:

cxswatch Scanning /home/USERNAME/public_html/wp-content/themes/twentyeleven/search.php:
# ClamAV detected virus = [PHP.ShellExec] (md5sum:83897c09b14292a9b799dd31823715e2):
'/home/USERNAME/public_html/wp-content/themes/twentyeleven/search.php'


The search.php file (which I looked at and it is indeed a shell exploit) was never quarantined and still in the users directory.

The qurantine options (see above) clearly show "Mhv" (v being virus). It used to quarantine those, but doesn't seem to anymore.

Peter

peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Re: ClamAV Detected virus not getting quarantined

Post by peterelsner »

Here's another one...

----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --block --clamdsock /var/clamd --doptions Mv --exploitscan --filemax 50000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root@xxxxx.xxx --MD5 --options mMOLfSGchexdnwZDR --qoptions Mhv --quarantine --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --template cxs.template --throttle 4 --timemax 30 --virusscan --voptions mfhexT --Wloglevel 0 --Wmaxchild 3 --Wrateignore 0 --Wrefresh 7 --Wsleep 3 --Wstart --www --xtra /etc/cxs/cxs.xtra)

cxswatch Scanning /home/username/public_html/wthm1762g.php:
# Suspicious image file (hidden script file) (md5sum:3101137950288eac4eab9bc78addbf90):
'/home/username/public_html/wthm1762g.php'
# ClamAV detected virus = [PHP.Hide-1]:
'/home/username/public_html/wthm1762g.php'

----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious matches: 2
Viruses found: 1
Fingerprint matches: 0
Data scanned: 0.00 MB
Scan Time: 0.085 sec (including 70 throttle sleeps)

Found a suspicious match first (didn't quarantine and that's ok because I don't have 'f' option set in qoptions).
But I do have 'v' options (Virus) defined (--qoptions Mhv) and so it should have quarantined this file when it was
detected by ClamAV.

Yet it didn't quarantine it.

Why not??? what am I missing?

Sarah
Moderator
Posts: 817
Joined: 09 Dec 2006, 22:49

Re: ClamAV Detected virus not getting quarantined

Post by Sarah »

You have not configured a quarantine directory in your cxs command. You have "--quarantine " with no setting. It needs to be "--quarantine /home/quarantine" or wherever you have set up your quarantine directory.

Regards,
Sarah

peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Re: ClamAV Detected virus not getting quarantined

Post by peterelsner »

Hi Sarah,

Thanks. The first one reported on May 10th did have a quarantine directory defined. The second instance above did not (not yet sure why) and I will look into that to make sure that all my servers have that defined.

peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Re: ClamAV Detected virus not getting quarantined

Post by peterelsner »

Update on this. I made sure all the following have a quarantine directory defined...

/etc/cxs/cxs.defaults
/etc/cxs/cxsftp.sh
/etc/cxs/cxscgi.sh
/etc/cxs/cxswatch.sh

Yet still... This is the most recent scan:

----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --block --clamdsock /var/clamd --doptions Mv --exploitscan --filemax 50000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail cpadmin@gkg.net --MD5 --options mMOLfSGchexdnwZDR --qoptions Mhv --quarantine --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --template cxs.template --throttle 4 --timemax 30 --virusscan --voptions mfhexT --Wloglevel 0 --Wmaxchild 3 --Wrateignore 0 --Wrefresh 7 --Wsleep 3 --Wstart --www --xtra /etc/cxs/cxs.xtra)

cxswatch Scanning /home/username/public_html/wp-content/uploads/2013/06/502.php:
# Regular expression match = [decode regex: 1] (md5sum:83c64de7a4df4fd114f31f08aadd405f):
'/home/username/public_html/wp-content/uploads/2013/06/502.php'
# (decoded file [depth: 1]) ClamAV detected virus = [PHP.Shell-38]:
'/home/username/public_html/wp-content/uploads/2013/06/502.php'

----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious matches: 2
Viruses found: 1
Fingerprint matches: 0
Data scanned: 0.08 MB
Scan Time: 0.261 sec (including 680 throttle sleeps)

It detected the virus, but didn't quarantine it. Where else is the quarantine directory supposed to be defined other than those 4 files??? This is only happening on one server (that I know of). Other servers (which are all defined the same way) are working fine and have the quarantine directory defined.

What's strange, this is only happening on automated scans. If I run the scan manually through CXS in WHM, it will find and quarantine the virus correctly.

Sarah
Moderator
Posts: 817
Joined: 09 Dec 2006, 22:49

Re: ClamAV Detected virus not getting quarantined

Post by Sarah »

There must be a problem with your cxswatch.sh file. Please log a ticket on our helpdesk and attach the full contents of this file.

Regards,
Sarah

Post Reply