HOWTO: ProFTPD Antivirus using CLAMAV

Hello. Where can I find:

Command: STOR eicar_com.zip
Response: 150 Opening BINARY mode data connection for eicar_com.zip
Response: 550 Virus Detected and Removed: Eicar-Test-Signature
Status: Retrieving directory listing...

I can't find anything like this after uploading that file, in these files:
/var/log/proftpd/access.log
/var/log/proftpd/auth.log
/var/log/messages

These lines are from the FTP client's connection log window.
What do you want to do? If you tell us, we can help.
 
What about mod_clamav?
Does it work, and is it useful with this installation?
 
Has anyone tested it?

I have now written a script that carries out the steps required to set up scanning of FTP uploads via ClamAV.

This is supported for CentOS and Directadmin currently.

Code:
wget http://src.brightlayer.net/secureftp.sh
chmod +x secureftp.sh
./secureftp.sh do CLAMAV
./secureftp.sh do PROFTPD

Please note that I do not officially support this script; I've just written the steps into a bash script and it has been proven to work on my servers. Please use with care: I do not accept liability for any damage done to your servers by running this script.
 
Great how-to, thanks!
One question: are emails with virus attachments blocked?
 
Thanks for your reply, floyd.

I think it would be good to have the email protection here too, in a single post, so:

Add at the beginning of /etc/exim.conf:

Code:
av_scanner = clamd:127.0.0.1 3310

and after check_message:

Code:
  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = *

  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs

  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
 
Nice job sHuKKo! :)

I'll have a go and try it.
Btw, does this include handling files uploaded via DA's file manager?
 
I tried it and everything apparently looks fine (after spending time fixing some errors)... However, when I uploaded the test virus file, it's not removed! :(

When running proftpd in debug mode, I found the lines below...

Code:
session.xfer.path is '/eicar.com'.
ClamMinSize=0 ClamMaxSize=5242880 Filesize=68
Going to virus scan absolute filename = '/home/demouser/eicar.com' with relative filename = '/eicar.com'.
mod_clamav/0.11rc: Connecting to remote Clamd host 'localhost' on port 3310
ROOT PRIVS at mod_clamav.c:227
ROOT PRIVS: ID switching disabled
PRIVS_RELINQUISH: ID switching disabled
mod_clamav/0.11rc: error: Cannot resolve hostname 'localhost'
mod_clamav/0.11rc: error: Cannot re-connect to Clamd (0): Success
No virus detected in filename = '/home/demouser/eicar.com'.

From the last line it looks like it scanned the file and found no virus.. but how can that be? :confused: And for the 2 lines below..

Code:
mod_clamav/0.11rc: error: Cannot resolve hostname 'localhost'
mod_clamav/0.11rc: error: Cannot re-connect to Clamd (0): Success

It seems there are problems? Is this the error that makes it not clean up properly? Please kindly help! :confused::confused::confused:
 
GREAT! I got it working after using the following in /etc/proftpd.conf instead...

Code:
<IfModule mod_clamav.c>
   ClamAV on
   ClamServer 127.0.0.1
   ClamPort 3310
   ClamMaxSize 5 Mb
</IfModule>

:D:D:D


 
echo "127.0.0.1 localhost localhost" >> /etc/hosts
 
Hello,

Has anybody tried to configure CLAMAV on a remote server? Locally everything works fine for me, but when I specify a remote host in the ProFTPd configuration, on the remote host I receive an error after uploading a file:

-> WARNING: lstat () failed on: <file name>

I suspect that the problem may be linked to user permissions; maybe somebody has faced it?

ProFTPd configuration:

Code:
<IfModule mod_clamav.c>
   ClamAV on
   ClamServer remote.hostname
   ClamPort 3310
   ClamMaxSize 5 Mb
</IfModule>

CLAMAV configuration at remote.hostname:

Code:
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
FixStaleSocket yes
TCPSocket 3310
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User root
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no

As I understand it, ProFTPd connects to the remote server but for some reason cannot check the file for viruses.
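The two problem reports above (the debug log where a failed clamd connection is followed by "No virus detected", and the lstat() error from a remote clamd) both come down to how the clamd protocol is used. The following is an added example, written for this thread in Python rather than taken from mod_clamav or any poster: a minimal clamd TCP client. It shows that a path-based request (zSCAN, what a local mod_clamav sends) only works when clamd can open that path on its own filesystem, so a remote clamd answers with an lstat() ERROR; that zINSTREAM sends the file bytes themselves and therefore works across hosts; and that a connection failure or unparseable reply is classified as an error, not as "clean". The host and port defaults are the ones used in the thread; the protocol framing is clamd's documented one.

```python
"""Minimal clamd TCP client (added example, not from mod_clamav or the thread).

Two points from the debug logs above:
1. zSCAN <path> makes clamd open the path itself, so the file must be visible
   on clamd's own filesystem; a remote clamd replies "... lstat() failed ... ERROR".
   zINSTREAM ships the bytes instead and works against a remote scanner.
2. "cannot connect" is never "no virus": only an explicit "... OK" reply is clean.
"""
import socket
import struct
from typing import Optional, Tuple

CHUNK_SIZE = 64 * 1024   # chunk size for INSTREAM framing (constructed choice)


def build_scan_command(path: str) -> bytes:
    """Path-based request: clamd opens and lstat()s the path on its own host."""
    return b"zSCAN " + path.encode() + b"\0"


def build_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Frame file content for zINSTREAM: each chunk is a 4-byte big-endian
    length followed by the bytes; a zero-length chunk terminates the stream.
    No path is involved, so the scanner may live on another machine."""
    out = bytearray(b"zINSTREAM\0")
    for start in range(0, len(data), chunk_size):
        piece = data[start:start + chunk_size]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_response(raw: bytes) -> Tuple[str, Optional[str]]:
    """Classify a NUL-terminated clamd reply.

    'stream: Eicar-Test-Signature FOUND'                   -> ('infected', 'Eicar-Test-Signature')
    'stream: OK'                                           -> ('clean', None)
    '/x: lstat() failed: No such file or directory. ERROR' -> ('error', <text>)
    Anything unexpected, including an empty reply, is an error, never 'clean'.
    """
    text = raw.rstrip(b"\0\n").decode("utf-8", errors="replace")
    if text.endswith(" FOUND"):
        body = text[: -len(" FOUND")]
        return "infected", body.rsplit(": ", 1)[-1]
    if text.endswith(" OK"):
        return "clean", None
    return "error", text


def accept_upload(result: Tuple[str, Optional[str]]) -> bool:
    """Fail closed: keep an upload only when clamd explicitly said OK."""
    return result[0] == "clean"


def _roundtrip(request: bytes, host: str, port: int,
               timeout: float) -> Tuple[str, Optional[str]]:
    """Send one request and read the reply up to its terminating NUL."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = b""
            while not reply.endswith(b"\0"):
                part = sock.recv(4096)
                if not part:
                    break
                reply += part
    except OSError as exc:   # refused, unresolvable host, timeout ...
        return "error", f"clamd unreachable at {host}:{port}: {exc}"
    return parse_response(reply)


def scan_bytes(data: bytes, host: str = "127.0.0.1", port: int = 3310,
               timeout: float = 10.0) -> Tuple[str, Optional[str]]:
    """Scan in-memory content via INSTREAM; works against a remote clamd."""
    return _roundtrip(build_instream(data), host, port, timeout)


def scan_path(path: str, host: str = "127.0.0.1", port: int = 3310,
              timeout: float = 10.0) -> Tuple[str, Optional[str]]:
    """Scan by path; only meaningful when clamd shares the filesystem."""
    return _roundtrip(build_scan_command(path), host, port, timeout)


if __name__ == "__main__":
    # Constructed sample content; point this at a real clamd to see FOUND/OK replies.
    result = scan_bytes(b"harmless constructed sample bytes")
    print(result, "-> accept" if accept_upload(result) else "-> reject")
```

Run against the configurations quoted above, `scan_path("/home/demouser/eicar.com", host="remote.hostname")` reproduces the lstat() ERROR, because the path exists on the FTP server and not on remote.hostname, while `scan_bytes(open(path, "rb").read(), host="remote.hostname")` is the shape of request that a remote scanner can actually serve. Whatever the transport, `accept_upload` treats the unresolvable-hostname case from the debug log as a rejection rather than a clean result.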
 
This is horrible! (just kidding of course :D:D ).

However, I do have a problem with the clam_mod.

I have had my fair share of iframe injections, and I have a sanitize script that helps clean already-infected files recursively.
However, I just tested the following scenario:


I have a valid index.php file on the server - clean with no virus.
I then uploaded a new INFECTED copy of the index.php file to the same location, so that it overwrites the clean file.
I was alerted by proftpd that ClamAV found the virus and deleted the file.
Well.. guess what: it left me with NO files at all.

While previously I was able to run a cleaning script, now I have no files to clean; it simply erases the entire file.
That is not good for me!
In an EMAIL scenario that is perfect, but in FTP it will erase existing files with no way to fix them.
Is there any way to NOT erase the file, but instead - clean it?

Thanks,

-Sup.
 

Well then, ask the clamav developers about this.
This is how clamav is programmed.
Here is a quote from their FAQ, which you can find at http://www.clamav.net/support/faq/faq-misc/ :

* Can ClamAV disinfect files?

* No, it can’t. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it?
 

Thanks for pinpointing the answer.

I have a specific server that is being hit by numerous iframe injection attacks from multiple IPs.
This is obviously a bot attack that runs recursively all over the account that is being hit.
I'm thinking that I might look into mod_wrap to deny all IPs in proftpd.conf; then, if you visit a specific page on the server, it will capture your IP and enter it as approved for 24 hours to access the FTP login.
That way, unless your IP is in the mod_wrap Allow list, you won't be able to log in to proftpd.
This will not prevent a virus from being uploaded to the server, but it will effectively deny access to random attackers that try to brute-force their way in via FTP, and even if they have the FTP username and password, unless they visit that webpage they will not be able to log in. Not a perfect solution, but I'm thinking it is an effective blocking mechanism, reminiscent of the "change your ssh port number" solution, and possibly even more effective.

-Sup.
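The mechanism sketched in the post above (visit a page, get your address admitted to the FTP allow list for 24 hours) is easy to get wrong in two places: entries that never expire, and a half-written access file being read mid-update. The following is an added example, not code from the thread or from mod_wrap: a Python class that keeps the time-limited list and renders it in the TCP wrappers syntax that mod_wrap consumes, plus an atomic file writer. It assumes mod_wrap is pointed at the rendered files via its TCPAccessFiles directive and that the wrappers service name is "proftpd"; both the paths and the sample addresses (from the RFC 5737 documentation ranges) are constructed for the example. IPv4 only, since the libwrap syntax for IPv6 addresses depends on the build.

```python
"""Time-limited FTP allow list in TCP wrappers format (added example, not from
the thread).  A web handler would call grant() with the visiting client's
address; a periodic job would call write_access_files() to refresh the files
that mod_wrap reads (paths and service name are assumptions)."""
import ipaddress
import os
import tempfile
from typing import Dict, List

TTL_SECONDS = 24 * 3600          # the 24-hour window proposed in the thread
SERVICE = "proftpd"              # assumed TCP wrappers daemon name for mod_wrap


class TimedAllowList:
    def __init__(self, ttl: int = TTL_SECONDS) -> None:
        self.ttl = ttl
        self._expiry: Dict[str, float] = {}   # normalised address -> expiry epoch

    def grant(self, ip: str, now: float) -> bool:
        """Admit a client for ttl seconds.  Anything that is not a plain IPv4
        address (hostnames, 'ALL', wildcards, IPv6) is rejected so that a bad
        input can never widen the list."""
        try:
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            return False
        if addr.version != 4 or addr.is_multicast or addr.is_unspecified:
            return False
        self._expiry[str(addr)] = now + self.ttl
        return True

    def prune(self, now: float) -> int:
        """Drop expired entries; return how many remain."""
        self._expiry = {ip: exp for ip, exp in self._expiry.items() if exp > now}
        return len(self._expiry)

    def is_allowed(self, ip: str, now: float) -> bool:
        try:
            key = str(ipaddress.ip_address(ip.strip()))
        except ValueError:
            return False
        return self._expiry.get(key, 0.0) > now

    def active(self, now: float) -> List[str]:
        """Unexpired addresses in numeric order (stable output for diffing)."""
        self.prune(now)
        return sorted(self._expiry, key=lambda s: int(ipaddress.ip_address(s)))

    def render_hosts_allow(self, now: float, service: str = SERVICE) -> str:
        ips = self.active(now)
        header = "# generated: time-limited FTP allow list\n"
        if not ips:
            return header              # empty allow file: hosts.deny decides
        return header + f"{service}: {' '.join(ips)}\n"

    @staticmethod
    def render_hosts_deny(service: str = SERVICE) -> str:
        """Everyone not listed in hosts.allow is refused."""
        return f"{service}: ALL\n"


def write_atomic(path: str, content: str) -> None:
    """Write via temp file + rename so a reader never sees a partial list."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hosts.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def write_access_files(allow_list: TimedAllowList, now: float,
                       allow_path: str = "/etc/hosts.allow",
                       deny_path: str = "/etc/hosts.deny") -> None:
    """Refresh both wrappers files from the current list (paths assumed)."""
    write_atomic(allow_path, allow_list.render_hosts_allow(now))
    write_atomic(deny_path, allow_list.render_hosts_deny())


if __name__ == "__main__":
    import time
    al = TimedAllowList()
    al.grant("203.0.113.5", time.time())          # constructed sample address
    print(al.render_hosts_allow(time.time()), end="")
    print(al.render_hosts_deny(), end="")
```

Because TCP wrappers re-read the access files on each check, refreshing them from a cron job every few minutes is enough for the 24-hour expiry to take effect without restarting proftpd; the atomic rename is what keeps a login attempt that coincides with the refresh from seeing an empty or truncated file.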
 
clamav+proftpd on freebsd?

Hello,

Does anyone have an idea how to install proftpd+clamav on FreeBSD without the update script?

Thanks
 
Why not just look at the code so you know what it's doing, and do it manually?
 