ClamAV for e-mail and FTP?

I

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
1,094
ClamAV for e-mail and FTP?

- I just noticed a pattern while scanning the servers. Some e-mail accounts have viruses and some don't. The common denominator is the ones with viruses are accounts linked to contact forms, and the ones without are not. From that, I gather that not every message that makes it into the mailbox has been scanned. Am I missing something here, or is this the basis of a feature request?

- Do we have any FTP protection or is the basis for another feature request?

Thanks!
 
Last edited:
chatwizrd said:
Yes its possible to use clamav on ftp. Search the forums.
Click to expand...
I did search the forums and found that, but I was wondering if it was part of the DA install yet. Both of these items are big because it is common to have php contact forms and ftp sites, yet neither pass through ClamAV by default.
 
I'm not sure I'd want to by default run all uploaded ftp files through ClamAv; though it could keep your users from inadvertently uploading virus-laden files, it could put a huge load on a server.

As far as using ClamAV on php form data, shouldn't that be done at the point where the email is received? In cases where the email created by the form is received on the same server, I believe that if the email is injected through port 127.0.0.1 instead of by a direct call to the sendmail interface, that the standard email install of ClamAV will be invoked.

My recollection (correct me if I'm wrong) is that ClamAV isn't part of a default DirectAdmin install at all; not even for email, so I'm not sure if it should be for FTP and separately at the forms level.

Your mileage may vary; discussin invited and encouraged.

This thread makes more sense as a feature request.

Moved.

Jeff
 
You can install Clamav via custombuild, but that's only for e-mail as far as I know.
It would be nice to have an option to install it for FTP too (like update.script has).
 
nobaloney said:
I'm not sure I'd want to by default run all uploaded ftp files through ClamAv; though it could keep your users from inadvertently uploading virus-laden files.
Click to expand...
What generally happens is they get hacked by a robot.
nobaloney said:
it could put a huge load on a server.
Click to expand...
I wrote a couple of scripts. One executes at 2 AM, and the other one executes every hour. The one that happens every hour, I use find to round up a list of file in the user areas that changed in the past hour, and scan only those. The find takes 2/3rds of the time. ClamAV only takes 20 to 40 seconds. I haven't seen the load issues yet, but I've only had them running for day in a row. I could check Zabbix to see if I can notice a change in load. It's difficult to detect much change while running Top.
nobaloney said:
As far as using ClamAV on php form data, shouldn't that be done at the point where the email is received? In cases where the email created by the form is received on the same server, I believe that if the email is injected through port 127.0.0.1 instead of by a direct call to the sendmail interface, that the standard email install of ClamAV will be invoked.
Click to expand...
I haven't gotten that sorted out yet. I noticed that in every case users had e-mail accounts for their web sites instead of forwarder. I sent out a message how that isn't necessary and explained. The next day I went to scan, and 668 viruses vanished because they dropped the accounts. Fortunately I saved off a sample.
nobaloney said:
My recollection (correct me if I'm wrong) is that ClamAV isn't part of a default DirectAdmin install at all; not even for email, so I'm not sure if it should be for FTP and separately at the forms level.
Click to expand...
They have scripts for it is all I know. I can't imagine rolling out a server without it. It's very good at what it does. However, being cross-platform brings some feature limitations with it.
 
IT_Architect said:
I wrote a couple of scripts. One executes at 2 AM, and the other one executes every hour. The one that happens every hour, I use find to round up a list of file in the user areas that changed in the past hour, and scan only those.
Click to expand...

That is what Linux Malware Detect (http://www.rfxn.com/) does. And if it detects installed ClamAv it uses clamscan as well for scanning files. Of course you can run it every hour, but whan scanning recently modified file, the minimum interval is 1 day. But it finds very well PHP-shells and Trojans uploaded through web-forms and vulnerabilities of different public CMS. Here is a How-To http://forum.directadmin.com/showthread.php?t=45851&p=234807#post234807

I see it from here http://forum.directadmin.com/showthread.php?t=45616&highlight=maldet you've been using it, right? Did you stop using it?
 
OK, I'm not trying to persuade you to use the software. Though it might find not all malware, but it helps a lot to find PHP shells, just before an attacker (hacker) starts to use them actively. If to a miss such a malware we get a spamming account. And yes, they seem to not approve comments, but still I believe they update malware signatures base.
 
We were using ClamAV on FTP about two years ago, but we don't do this anymore because of very high loads caused by clamav. And a short comment @Alex:

> Though it might find not all malware, but it helps
> a lot to find PHP shells, just before an attacker
> (hacker) starts to use them actively.

I think the load generated by this is not worth it. Most shells/backdors are (IMO) uploaded via HTTP (outdated Joomla/whatever with 777 directories) and not FTP, at least I noticed this. Hacked FTP accounts - i think CSF is good at reporting these (distributed logins/etc).
 
I was reviewing feature-request forums and found this thread. ClamAV FTP/email/PHP uploads scanning is already available in CustomBuild 2.0.
 
You must log in or register to reply here.
Back
Top