How to set AV just for server wide but not email?

Post #1, Jul 14 2008, 09:36 AM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

Hi Pairote,

Is there a way to install just the AntiVirus to check the data on a server but not for email?

Regards,
Sergio
Post #2, Jul 14 2008, 11:22 AM
Administrator (Group: Admin, Posts: 4,252, Joined: 13-June 03, Member No.: 1)

You can scan your files using clamdscan. Try this command to scan the whole /home.

CODE
locate -i -r '^/home/' | xargs -I '{}' clamdscan --no-summary '{}'

It will take 15 - 30 minutes. You should test it by replacing /home with one of your client folders to see its result.
Post #3, Jul 14 2008, 12:43 PM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

QUOTE
You can scan your files using clamdscan. Try this command to scan the whole /home.
locate -i -r '^/home/' | xargs -I '{}' clamdscan --no-summary '{}'
It will take 15 - 30 minutes. You should test it by replacing /home with one of your client folders to see its result.

Thank you Pairote. This is a really nice command; it could even be set in a cron on the server. Why is this not a regular practice on all servers? Or is it only me?

Regards,
Sergio
Post #4, Jul 14 2008, 12:56 PM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

QUOTE
Thank you Pairote. This is a really nice command; it could even be set in a cron on the server. Why is this not a regular practice on all servers? Or is it only me?

Working on your

CODE
locate -i -r '^/home/' | xargs -I '{}' clamdscan --no-summary '{}'

I have tweaked it a little bit and found that:

CODE
find /home/*/public_html -name '*.php' | xargs -I '{}' clamdscan --no-summary '{}'

runs a lot faster, as it will only check php files and not image files. A few seconds compared to a few minutes in the same account.

Regards,
Sergio
Post #5, Jul 14 2008, 01:32 PM
Administrator (Group: Admin, Posts: 4,252, Joined: 13-June 03, Member No.: 1)

Not sure about the find command. I used to try it, but it ran slower and was resource intensive.

PS: find has -exec, which can execute clamdscan without a pipe (|). I believe that it consumes fewer resources than using a pipe.
Post #6, Jul 22 2008, 12:21 AM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

QUOTE
Not sure about the find command. I used to try it, but it ran slower and was resource intensive. PS: find has -exec, which can execute clamdscan without a pipe (|). I believe that it consumes fewer resources than using a pipe.

Hi Pairote,

Looking around for xargs and exec, I found the following article:

QUOTE
xargs is the preferred method. It's a lot faster than -exec. Also, with a large number of files, it's possible to overflow the command line buffer. See this link: http://www.unixreview.com/documents/s=8274...0306g/0306g.htm

I have read a lot of different places and all of them recommend xargs over exec in find. I have used xargs and it is really fast. I have checked my home directory with thousands of index.php files and it is done in less than 10 minutes on a double quad server. I like it.
Post #7, Jul 22 2008, 10:24 AM
Administrator (Group: Admin, Posts: 4,252, Joined: 13-June 03, Member No.: 1)

Sorry, I am wrong. I thought find -exec was faster. I trust you; now xargs is my choice.

If your runtime is not too long, I would suggest you remove public_html and also scan .html, .htm.

CODE
find /home/* -name '*.php' | xargs -I '{}' clamdscan --no-summary '{}'
find /home/* -name '*.htm' | xargs -I '{}' clamdscan --no-summary '{}'
Post #8, Jul 22 2008, 11:33 AM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

QUOTE
Sorry, I am wrong. I thought find -exec was faster. I trust you; now xargs is my choice. If your runtime is not too long, I would suggest you remove public_html and also scan .html, .htm.
find /home/* -name '*.php' | xargs -I '{}' clamdscan --no-summary '{}'
find /home/* -name '*.htm' | xargs -I '{}' clamdscan --no-summary '{}'

Just elaborating a little bit more...

CODE
find /home/* -name '*.php' -o -name '*.htm' | xargs -I '{}' clamdscan --no-summary '{}'

This gives us a one-line command checking for php or htm files. What do you think?

Now... how can I set this in a cron?
Post #9, Jul 22 2008, 12:27 PM
Administrator (Group: Admin, Posts: 4,252, Joined: 13-June 03, Member No.: 1)

Not sure about the -o option. If you want to run it as a cron, do it with caution. It might overload and take your server down. Here is a simple script you can write if you want to test it.

CODE
#!/usr/bin/perl -w
# cPanel keeps its Perl helpers under /scripts; make them loadable.
BEGIN { push( @INC, '/scripts' ); }
use strict;
use cPScript::OSSys ();

# Lowest CPU priority, so the scan yields to the web and mail services.
cPScript::OSSys::nice(19);

my ( $runTime, $startTime );
$startTime = time();

# Scan every .php and .htm file under /home and keep only clamdscan's FOUND lines.
system("find /home/* -name '*.php' -o -name '*.htm' | xargs -I '{}' clamdscan --no-summary '{}' | grep FOUND");

$runTime = ( time() - $startTime ) / 60;
print "Total runtime: $runTime minutes. \n\n";
Post #10, Jul 25 2008, 01:42 AM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

I am not happy with CLAMAV; it didn't find trojans in a web page.

After playing with the find command I did a test with a trojan code that could be injected in a web page, like the one listed here: http://www.webtalkforums.com/showthread.php?p=204106 but CLAMAV didn't find it.

I wanted to create a cron like the one that you kindly wrote, but it seems that it will not work for what I am intending to do, that is, to check the server for this type of malicious code.

Any idea of what other AV could be used instead of CLAMAV?
Post #11, Jul 25 2008, 10:19 AM
Administrator (Group: Admin, Posts: 4,252, Joined: 13-June 03, Member No.: 1)

Other AV engines will not find it either. Such code, by itself alone, is not a trojan. But if you call that page, it will call another website which is not on your server and download the trojan.
Post #12, Jul 26 2008, 02:32 PM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

Now I understand why CLAMAV didn't find it.

The weird thing is that I copied all the code into a TXT file on my computer and my AntiVirus deleted the file because it says it is indeed a trojan horse virus.

Anyway, I am now using the following find command:

CODE
find /home/ -name '*.htm?' -exec grep "C7D36720260A79BEECF3B8D6D" '{}' \; -print

Regards,
Sergio
Post #13, Apr 25 2010, 10:55 PM
Advanced Member (Group: Members, Posts: 45, Joined: 8-March 04, Member No.: 152)

What does 'C7D36720260A79BEECF3B8D6D' mean?
Post #14, Apr 26 2010, 08:04 PM
Advanced Member (Group: Members, Posts: 274, Joined: 12-March 06, Member No.: 946)

QUOTE
What does 'C7D36720260A79BEECF3B8D6D' mean?

That was part of a virus in the form of base64 eval code. With that search you can check if any of your pages is infected with that script.

Regards,
Sergio
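As an added example, not code from the thread or from any of its participants, the following POSIX shell script brings together the two techniques discussed above: the find/xargs file listing from posts #2 to #9, made safe for file names with spaces and wrapped in a lock so a cron job cannot overlap itself (the overload risk raised in post #9), and the grep for a known injection marker from posts #12 and #14, extended beyond the single hex fragment to the generic eval(base64_decode(...)) construct such fragments sit in. The function names, the MARKER_PATTERN regex, the lock path and the sample tree it builds are this example's own assumptions; the only value taken from the thread is the hex string from post #12.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, MARKER_PATTERN and the
# lock/demo paths are this example's own assumptions.

# Extended regex: the hex fragment quoted in post #12, plus the generic
# eval(base64_decode(...)) / gzinflate / str_rot13 construct (an assumption
# about the usual shape of such injected code, not something the thread shows).
MARKER_PATTERN='C7D36720260A79BEECF3B8D6D|eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)'

# NUL-separated list of web files under $1. The globs are quoted so the shell
# cannot expand them before find sees them, and -print0 keeps names containing
# spaces or newlines from being split further down the pipeline.
list_web_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) -print0
}

# One flagged path per line. Always returns 0: grep exiting 1 means "nothing
# found", which is the normal result on a clean tree, not an error.
scan_for_markers() {
    list_web_files "$1" | xargs -0 grep -l -E "$MARKER_PATTERN" 2>/dev/null || true
}

# Number of flagged files, for a one-line cron summary.
count_flagged() {
    scan_for_markers "$1" | wc -l | tr -d ' '
}

# Run "$@" only if the mkdir lock $1 can be taken. mkdir is atomic, so two
# overlapping cron runs cannot both start a full scan. Returns 75
# (EX_TEMPFAIL) when the lock is already held; otherwise the command's status.
run_locked() {
    lockdir=$1; shift
    if ! mkdir "$lockdir" 2>/dev/null; then
        echo "scan already running, lock held: $lockdir" >&2
        return 75
    fi
    rc=0
    "$@" || rc=$?
    rmdir "$lockdir"
    return $rc
}

# Constructed sample tree (not real client data): a clean page, a page with the
# generic pattern (its payload decodes only to "hello"), a page carrying the hex
# fragment, and a .txt that must be skipped. The directory name carries a space
# on purpose to exercise the NUL-separated listing.
make_demo_tree() {
    root=$(mktemp -d)
    site="$root/site one/public_html"
    mkdir -p "$site"
    printf '<?php echo "clean"; ?>\n'                                > "$site/index.php"
    printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n'             > "$site/footer.php"
    printf '<!-- C7D36720260A79BEECF3B8D6D -->\n'                    > "$site/old.htm"
    printf 'eval(base64_decode("x")) in a text file, not scanned\n'  > "$site/notes.txt"
    echo "$root"
}

# Usage: sh scan_markers.sh /home   (real tree; put nice -n 19 in the crontab line)
#        sh scan_markers.sh demo    (scan the constructed tree, then remove it)
case "${1:-}" in
    "")   ;;
    demo) root=$(make_demo_tree)
          run_locked "$root/.lock" scan_for_markers "$root"
          echo "flagged: $(count_flagged "$root")"
          rm -rf "$root" ;;
    *)    run_locked "${TMPDIR:-/tmp}/scan_markers.lock" scan_for_markers "$1" ;;
esac
```

Run `sh scan_markers.sh demo` to see the constructed tree scanned (two files are flagged, footer.php and old.htm; index.php and notes.txt are not), or schedule `30 3 * * * nice -n 19 sh /root/scan_markers.sh /home` from cron: the priority drop belongs in the crontab line because `nice` is an external command and cannot invoke a shell function. The same NUL-separated listing feeds clamdscan as well, as `list_web_files /home | xargs -0 clamdscan --no-summary`, and the POSIX form `find ... -exec clamdscan --no-summary {} +` batches file names into one invocation the way xargs does, which removes the per-file process spawn behind the speed difference post #6 describes.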