ClamAV Detected virus not getting quarantined

Posted: 10 May 2013, 14:10
by peterelsner
This may be a bug...

Noticed over the past week that several viruses that are detected by ClamAV as being
PHP Shell Exploits are NOT getting quarantined...

Here is my default cxs config.

/usr/sbin/cxs --allusers --clamdsock /var/clamd --doptions Mv --exploitscan --filemax 10000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root@server.tld --MD5 --options mMOLfSGchexdnwZDR --qoptions Mhv --quarantine /backups/quarantined_by_cxs --report /var/log/cxs.scan --sizemax 500000 --summary --throttle 4 --timemax 30 --virusscan --voptions mfhexT --xtra /etc/cxs/cxs.xtra

And here is the output I got from the email:

cxswatch Scanning /home/USERNAME/public_html/wp-content/themes/twentyeleven/search.php:
# ClamAV detected virus = [PHP.ShellExec] (md5sum:83897c09b14292a9b799dd31823715e2):
'/home/USERNAME/public_html/wp-content/themes/twentyeleven/search.php'


The search.php file (which I looked at and it is indeed a shell exploit) was never quarantined and is still in the user's directory.

The quarantine options (see above) clearly show "Mhv" (v being virus). It used to quarantine those, but doesn't seem to anymore.

Peter

Re: ClamAV Detected virus not getting quarantined

Posted: 31 May 2013, 16:18
by peterelsner
Here's another one...

----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --block --clamdsock /var/clamd --doptions Mv --exploitscan --filemax 50000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root@xxxxx.xxx --MD5 --options mMOLfSGchexdnwZDR --qoptions Mhv --quarantine --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --template cxs.template --throttle 4 --timemax 30 --virusscan --voptions mfhexT --Wloglevel 0 --Wmaxchild 3 --Wrateignore 0 --Wrefresh 7 --Wsleep 3 --Wstart --www --xtra /etc/cxs/cxs.xtra)

cxswatch Scanning /home/username/public_html/wthm1762g.php:
# Suspicious image file (hidden script file) (md5sum:3101137950288eac4eab9bc78addbf90):
'/home/username/public_html/wthm1762g.php'
# ClamAV detected virus = [PHP.Hide-1]:
'/home/username/public_html/wthm1762g.php'

----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious matches: 2
Viruses found: 1
Fingerprint matches: 0
Data scanned: 0.00 MB
Scan Time: 0.085 sec (including 70 throttle sleeps)

Found a suspicious match first (didn't quarantine and that's ok because I don't have 'f' option set in qoptions).
But I do have 'v' options (Virus) defined (--qoptions Mhv) and so it should have quarantined this file when it was
detected by ClamAV.

Yet it didn't quarantine it.

Why not??? What am I missing?

Re: ClamAV Detected virus not getting quarantined

Posted: 31 May 2013, 16:45
by Sarah
You have not configured a quarantine directory in your cxs command. You have "--quarantine " with no setting. It needs to be "--quarantine /home/quarantine" or wherever you have set up your quarantine directory.

Regards,
Sarah

Re: ClamAV Detected virus not getting quarantined

Posted: 20 Jun 2013, 15:09
by peterelsner
Hi Sarah,

Thanks. The first one reported on May 10th did have a quarantine directory defined. The second instance above did not (not yet sure why) and I will look into that to make sure that all my servers have that defined.

Re: ClamAV Detected virus not getting quarantined

Posted: 25 Jun 2013, 15:26
by peterelsner
Update on this. I made sure all the following have a quarantine directory defined...

/etc/cxs/cxs.defaults
/etc/cxs/cxsftp.sh
/etc/cxs/cxscgi.sh
/etc/cxs/cxswatch.sh

Yet still... This is the most recent scan:

----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --block --clamdsock /var/clamd --doptions Mv --exploitscan --filemax 50000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail cpadmin@gkg.net --MD5 --options mMOLfSGchexdnwZDR --qoptions Mhv --quarantine --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --template cxs.template --throttle 4 --timemax 30 --virusscan --voptions mfhexT --Wloglevel 0 --Wmaxchild 3 --Wrateignore 0 --Wrefresh 7 --Wsleep 3 --Wstart --www --xtra /etc/cxs/cxs.xtra)

cxswatch Scanning /home/username/public_html/wp-content/uploads/2013/06/502.php:
# Regular expression match = [decode regex: 1] (md5sum:83c64de7a4df4fd114f31f08aadd405f):
'/home/username/public_html/wp-content/uploads/2013/06/502.php'
# (decoded file [depth: 1]) ClamAV detected virus = [PHP.Shell-38]:
'/home/username/public_html/wp-content/uploads/2013/06/502.php'

----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious matches: 2
Viruses found: 1
Fingerprint matches: 0
Data scanned: 0.08 MB
Scan Time: 0.261 sec (including 680 throttle sleeps)

It detected the virus, but didn't quarantine it. Where else is the quarantine directory supposed to be defined other than those 4 files??? This is only happening on one server (that I know of). Other servers (which are all defined the same way) are working fine and have the quarantine directory defined.

What's strange is that this is only happening on automated scans. If I run the scan manually through CXS in WHM, it will find and quarantine the virus correctly.
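A small check for the failure mode Sarah pointed out (a --quarantine flag with no directory behind it), added here as an example and not part of this thread or of cxs itself: it parses a cxs command line like the ones printed in the scan reports above (abbreviated to the relevant options in the constants below) and lists the reasons a ClamAV hit would be reported but never moved. The same function can be run over the command lines kept in the four files listed in the post above.

```python
import shlex

# Command lines from the thread's two scan reports, abbreviated to the
# options that decide whether a virus hit is quarantined.
MAY10_CMD = ("/usr/sbin/cxs --allusers --clamdsock /var/clamd --doptions Mv "
             "--exploitscan --qoptions Mhv --quarantine /backups/quarantined_by_cxs "
             "--virusscan --voptions mfhexT")
MAY31_CMD = ("(/usr/sbin/cxs --allusers --block --clamdsock /var/clamd --doptions Mv "
             "--exploitscan --qoptions Mhv --quarantine --quiet --report /var/log/cxs.scan "
             "--virusscan --voptions mfhexT --Wstart --www)")


def option_value(args, opt):
    """Return (present, value). value is None when the option is the last token
    or is followed directly by another --option, which is exactly how
    '--quarantine --quiet' silently loses its directory."""
    if opt not in args:
        return False, None
    i = args.index(opt)
    if i + 1 < len(args) and not args[i + 1].startswith("--"):
        return True, args[i + 1]
    return True, None


def check_cxs_cmdline(cmdline):
    """List the reasons a cxs run with this command line would report a
    ClamAV hit but not move the file into quarantine (empty list = fine)."""
    args = shlex.split(cmdline.strip().strip("()"))
    problems = []
    present, qdir = option_value(args, "--quarantine")
    if not present:
        problems.append("--quarantine not set: hits are reported only, nothing is moved")
    elif qdir is None:
        problems.append("--quarantine has no directory (next token is another option)")
    elif not qdir.startswith("/"):
        problems.append("--quarantine directory is not an absolute path: " + qdir)
    present, qopts = option_value(args, "--qoptions")
    if "--virusscan" in args and not (present and qopts and "v" in qopts):
        problems.append("--virusscan set but --qoptions lacks 'v': virus hits not quarantined")
    return problems


if __name__ == "__main__":
    for name, cmd in (("10 May", MAY10_CMD), ("31 May", MAY31_CMD)):
        print(name, "->", check_cxs_cmdline(cmd) or ["ok"])
```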

Re: ClamAV Detected virus not getting quarantined

Posted: 25 Jun 2013, 16:09
by Sarah
There must be a problem with your cxswatch.sh file. Please log a ticket on our helpdesk and attach the full contents of this file.

Regards,
Sarah