have clamscan be able to scan user home folders

I would like to be able to enable user folder scanning using clamscan from inside of Virtualmin, as well as the ability to schedule the scans and also actions to be taken upon detection (warn, rename, delete).

Status: Active

Comments

Howdy -- thanks for contacting us!

We've experimented a bit with using clamscan for scanning web files, but it seems to be more designed for detecting email-based viruses more so than the kind of malware that would be infecting web content.

It hasn't been able to detect any of the recent infections I've tested it with.

Some years ago, we did find maldet to be useful:

https://www.rfxn.com/projects/linux-malware-detect/

However, its detection rate seems to have gone down, and the updates aren't quite as frequent.

So can Virtualmin include a filesystem-based virus scanner at some point? I'm not sure, it's a discussion we can have. However, if we add it, we'd want it to work reasonably well, and I'm not sure that's something we can say for existing free solutions at the moment.

We'll re-evaluate them at some point though and see if that's something we feel we'd be able to add.

This is my solution.

At the beginning we need to download the appropriate virus database. You can do this with a simple script. Tested on a Debian system.

----
#!/bin/sh
# Download the rfxn.com and malware.expert signature databases and
# install them into ClamAV's database directory.
set -e    # stop at the first failed download or move
cd /tmp

# rfxn.com signatures (.hdb = hash signatures, .ndb = pattern signatures)
wget http://cdn.rfxn.com/downloads/rfxn.hdb
wget http://cdn.rfxn.com/downloads/rfxn.ndb
mv rfxn.ndb /var/lib/clamav/rfxn.ndb
mv rfxn.hdb /var/lib/clamav/rfxn.hdb
chown clamav:clamav /var/lib/clamav/rfxn.ndb
chown clamav:clamav /var/lib/clamav/rfxn.hdb

# malware.expert signatures
wget http://cdn.malware.expert/malware.expert.ndb
wget http://cdn.malware.expert/malware.expert.hdb
mv malware.expert.ndb /var/lib/clamav/malware.expert.ndb
mv malware.expert.hdb /var/lib/clamav/malware.expert.hdb
chown clamav:clamav /var/lib/clamav/malware.expert.ndb
chown clamav:clamav /var/lib/clamav/malware.expert.hdb
echo "done"
------------

Once we have the right virus database, we can fire clamscan. Normally clamscan is quite slow. It scans all files using all available virus databases.

In order for clamscan to do it quickly, we launch it in the following way:

clamscan -ir --include='\.(php)$' --database=/var/lib/clamav/rfxn.hdb --database=/var/lib/clamav/rfxn.ndb --database=/var/lib/clamav/malware.expert.hdb --database=/var/lib/clamav/malware.expert.ndb --max-filesize=200000 --exclude-dir='drush-backups' /home

In this way, we scan what we are interested in with appropriate virus databases.

Quickly and efficiently.
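
Added example, not part of the original thread: a shell wrapper that makes the scan command above usable from cron by telling clamscan's exit statuses apart (0 clean, 1 detections, anything else an error) and listing the detected files. The function names, `QUARANTINE_DIR` and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cron-friendly wrapper for the clamscan command in the post above.
# Function names, QUARANTINE_DIR and SAMPLE are assumptions for illustration.
DB_DIR=/var/lib/clamav

# Constructed clamscan output (not from a real scan), for trying parse_found.
SAMPLE="/home/alice/public_html/x.php: Constructed.Sig-1.UNOFFICIAL FOUND
/home/bob/public_html/a: b.php: Constructed.Sig-2.UNOFFICIAL FOUND
/home/bob/public_html/a: b.php: moved to '/var/quarantine/b.php'
/home/carol/public_html/index.php: OK"

# Print infected paths from clamscan output on stdin ("<path>: <signature> FOUND").
# The greedy match keeps paths that themselves contain ": " intact.
parse_found() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p'
}

# clamscan exit status: 0 = nothing found, 1 = detections, anything else = error.
classify_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan a directory (default /home) with the options and databases from the post.
# Warn-only unless QUARANTINE_DIR is set, in which case detections are moved there.
run_scan() {
    target=${1:-/home}
    set -- -ir --no-summary --include='\.(php)$' --max-filesize=200000 \
        --database="$DB_DIR/rfxn.hdb" --database="$DB_DIR/rfxn.ndb" \
        --database="$DB_DIR/malware.expert.hdb" \
        --database="$DB_DIR/malware.expert.ndb" --exclude-dir='drush-backups'
    if [ -n "${QUARANTINE_DIR:-}" ]; then
        set -- "$@" --move="$QUARANTINE_DIR"
    fi
    status=0
    output=$(clamscan "$@" "$target") || status=$?
    case "$(classify_status "$status")" in
        infected)
            printf '%s\n' "$output" | parse_found |
                while IFS= read -r f; do echo "WARN infected: $f"; done ;;
        error)
            echo "clamscan failed (status $status); scan result unknown" >&2 ;;
    esac
    return "$status"
}
```

Calling `run_scan /home` at the end of the script from a cron job lets cron mail the `WARN` lines. An error status (for example a missing database file) is reported on stderr rather than being read as a clean scan.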