Clam Anti-Virus Enable or disable the ClamAV malware detection engine for the system.
Realtime Malware Detection Enable or disable the ClamAV kernel module.
Note: this requires the official Atomicorp build of clamav.
Realtime Malware Prevention: Block Access Enable or disable blocking of access to detected malware in the file system.
Note: this requires the official Atomicorp build of clamav.
TCP Server Address Set the IP address for clamd to listen on. Default: localhost
TCP Port The TCP port clamd listens on.
Local Socket Path to a local socket file the daemon will listen on.
Temporary Directory Optional path to the global temporary directory.
Database Directory Path to the signature database directory.
Database Self Check Interval, in seconds, at which clamd checks the signature database for changes. Default: 600 seconds (10 minutes)
Log File Full path to the clamd log file. Default: /var/log/clamav/clamd.log
Log: Maximum Log File Size Maximum size of the log file. A value of 0 disables the limit.
Log: Log Time Log the time with each message.
Scan Safebrowsing Enable Google Safe Browsing URL detection.
Note: this will increase memory usage in clamd significantly. Not enabling it will prevent AP from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this.
Below is a simple test you can run to see if a URL is on the Google Safe Browsing list (the leading "From" line makes clamdscan treat the input as a mail message; replace the placeholder with a URL you expect to be listed):
URL=<URL on blocklist>; printf 'From test\n\n<a href=http://%s>test</a>\n' "$URL" | clamdscan -
Provided your signatures are up to date, if the URL is on the list you'll see output like the following:
stream: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND
Detect PUA This detects potentially unwanted applications, like packed JavaScript. These files may not be malicious, and this signature type is disabled by default for this reason. If you are finding files with signature names like this:
PUA.Script.Packed-1 FOUND
that means you have enabled this option. If you do not want ClamAV to find files like this you must either:
- Disable this option, or
- Specifically whitelist the signatures you no longer wish ClamAV to detect. Please see the ‘Disabling Signatures’ section below.
Detect ELF Enable scanning of ELF files. ELF (Executable and Linkable Format) is the standard format for UNIX executables.
Detect Broken Executables With this option clamav will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.
Scan OLE2 This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.
Scan PDF This option enables scanning within PDF files.
Scan Mail Enable the internal e-mail scanner. Note: this requires a third-party extension to your mail server that hands mail to the malware scanning system. This option does not install or enable that extension. Please contact your mail vendor or support for assistance.
Detect Bad Extensions With this option enabled ClamAV will try to detect malicious extensions using signatures.
Detect Phishing With this option enabled ClamAV will try to detect phishing attempts by using signatures.
Phishing Always Block SSL Mismatch Always block SSL mismatches in URLs, even if the URL isn’t in the database. This can lead to false positives.
Phishing Always Block Cloak Always block cloaked URLs, even if URL isn’t in database. This can lead to false positives.
Data Loss Prevention (DLP) Enable the (Data Loss Prevention) DLP module.
DLP: Minimum Credit Card Count This option sets the lowest number of strings that look like credit card numbers that must be found in a file before a detection is generated. Default: 3
DLP: Minimum SSN Count This option sets the lowest number of Social Security Numbers found in a file to generate a detect. Default: 3
Structured SSN Format With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxx-yy-zzzz. Default: yes
Structured SSN Format Stripped - With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxxyyzzzz. Default: no.
Scan: HTML Perform HTML normalization and decryption of MS Script Encoder code.
Scan: Archive ClamAV can scan within archives and compressed files.
Scan: Archive Encrypted Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Max Pending Connections Maximum length the queue of pending connections may grow to.
Max Threads Maximum number of threads running at the same time.
Read Timeout Waiting for data from a client socket will time out after this many seconds. A value of 0 disables the timeout.
Max Number of Queued Items Maximum number of queued items (including those being processed by MaxThreads threads). It is recommended to set this to at least twice MaxThreads if possible. WARNING: do not increase this too much or clamd may run out of file descriptors; the following condition should hold: MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6 < RLIMIT_NOFILE (the usual maximum is 1024).
Scan Partial Messages Scan RFC 1341 messages split over many emails. You will need to periodically clean up the $TemporaryDirectory/clamav-partial directory. WARNING: this option may open your system to a DoS attack. Never use it on loaded servers.
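To check the descriptor condition above against a real configuration rather than by hand, here is an added shell example written for this page (it is not Atomicorp's or ClamAV's code). It reads MaxThreads, MaxRecursion and MaxQueue from clamd.conf-style text, falls back to assumed defaults when an option is absent, and compares the peak descriptor count with an RLIMIT_NOFILE value; the sample configuration and the fallback defaults are constructed for the example.

```shell
#!/bin/sh
# Added example (editor's, not Atomicorp's or ClamAV's): check the clamd.conf
# file-descriptor rule
#   MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6 < RLIMIT_NOFILE
# against values read from clamd.conf-style text and a descriptor limit.

# Print the value of option $2 from the config text in $1, or $3 if the option
# is absent. Commented-out lines ("#MaxThreads 10") do not match because awk
# compares the whole first field.
clamd_opt() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Print the peak number of descriptors clamd may hold open for
# MaxThreads=$1 MaxRecursion=$2 MaxQueue=$3.
clamd_fd_need() {
    echo $(( $1 * $2 + ($3 - $1) + 6 ))
}

# Return 0 when the rule holds for MaxThreads=$1 MaxRecursion=$2 MaxQueue=$3
# under an RLIMIT_NOFILE of $4, 1 otherwise.
clamd_fd_check() {
    [ "$(clamd_fd_need "$1" "$2" "$3")" -lt "$4" ]
}

# Constructed sample config for the demonstration (not a real system's file).
SAMPLE_CONF='# clamd.conf excerpt
#MaxThreads 10
MaxThreads 60
MaxRecursion 17
MaxQueue 200'

# The fallback values are assumptions for this example; take the real defaults
# from your build's clamd.conf.sample.
threads=$(clamd_opt "$SAMPLE_CONF" MaxThreads 10)
recursion=$(clamd_opt "$SAMPLE_CONF" MaxRecursion 17)
queue=$(clamd_opt "$SAMPLE_CONF" MaxQueue 100)

# The limit that matters is the one applied to the clamd process (for example
# LimitNOFILE= in its systemd unit); this shell's ulimit is only a stand-in.
nofile=$(ulimit -n)
[ "$nofile" = unlimited ] && nofile=1048576

need=$(clamd_fd_need "$threads" "$recursion" "$queue")
if clamd_fd_check "$threads" "$recursion" "$queue" "$nofile"; then
    echo "ok: clamd may need $need descriptors, limit is $nofile"
else
    echo "WARNING: clamd may need $need descriptors but the limit is $nofile;"
    echo "lower MaxQueue or MaxThreads, or raise RLIMIT_NOFILE for clamd"
fi
```

With the sample values the check fails (60*17 + (200-60) + 6 = 1166, above the usual 1024), which is exactly the situation the warning on this page describes; the stock 10/17/100 needs 266 and passes. Run the check with the limit clamd actually starts under, not the interactive shell's.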
Max Scan Size This option sets the maximum amount of data to be scanned for each input file. Value of 0 disables the limit. Note: disabling this limit or setting it too high may result in severe damage to the system.
Max File Size Files larger than this limit won't be scanned. Note: disabling this limit or setting it too high may result in severe damage to the system. Value of 0 disables the limit.
Max Recursion Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This option specifies how deeply the process should continue. Note: disabling this limit or setting it too high may result in severe damage to the system. A value of 0 disables the limit.
Max Archive Files Number of files to be scanned within an archive, a document, or any other container file. Value of 0 disables the limit. Note: disabling this limit or setting it too high may result in severe damage to the system.
Real Time Malware Protection
The basic behavior when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and via the AP gui.
Atomic Protector:
Enable: To enable this feature follow the steps below
Step 1: You will need a modern kernel to do real time malware protection. On EL5 or EL6 you can use the current AP kernel; if you are using a system with a modern kernel, such as EL7, you can use either the native kernel or the AP secure kernel. Very old versions of the Linux kernel, such as 2.6.32, have no support for real time malware protection built in and therefore cannot support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.
If you are using either the current AP kernel, or a modern 3.x kernel please follow the steps below:
Step 2: Log into the AP Web Console
Step 3: Click on the ‘Scan’ tab
Step 4: Click on ‘Malware Scan’
Step 5: Click on ‘Realtime’
Step 6: Make sure ‘Realtime Malware Detection’ is checked
Step 7: Please continue to the configuration steps below. Enabling the protection will NOT tell AP what to protect, so the component must be configured.
Configuration:
Step 1: Ensure that your AP kernel is 3.2.52 or above.
Step 2: Click on the ‘Scan’ tab, then select the ‘Malware Scan’ menu option.
Step 3: Open the ‘Realtime’ tab.
Step 4: If not already enabled, select the checkbox next to “Realtime Malware detection”.
Step 5: Select the directories you want to be scanned in realtime.
Add the directories you want to protect, for example:
/home
AP will then ask for any directories in /home you do not want to protect, for example /home/cpanel.
Other common choices are:
/var/www/vhosts
/tmp
/var/tmp
/home
DO NOT INCLUDE DIRECTORIES THAT CONTAIN LOGS, DEVICES, or MALWARE SIGNATURES, such as these:
/var/clamav
/var/lib/clamav
/etc/httpd/modsecurity.d/
/dev
/var/log
/home/user/apache/log
We also recommend for source-built systems that you exclude build directories such as these:
/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpanan
You should also never include system partitions or directories, such as:
/home/virtfs
/proc
/selinux
/sys
/dev
Step 6: Configure the Upload Malware Scanner
AP includes upload malware scanners. The HTTP upload scanner works by saving the uploaded file to a temporary directory and then calling clamd to scan it. If the file passes the scan, the scanner removes the temporary copy and passes the upload on to the web application. If the realtime antimalware system is configured to protect that temporary directory, the system's load will rise significantly because the same file is scanned over and over again in a loop. This may also break the upload scanner.
Therefore, if you are using both the real time malware scanner and the upload scanner for HTTP, you must make sure that the real time malware scanner is not configured to protect the temporary directory that ModSecurity is configured to use. You have three options:
Option 1: Change the temporary directory ModSecurity uses. Modify this setting under the AP WAF option MODSEC_TMPDIR.
Option 2: Exclude the temporary directory ModSecurity uses from realtime protection. By default, this is /tmp.
Option 3: Disable the upload malware scanner. If the realtime antimalware system is protecting the directories Apache can upload files to, the upload malware scans may not be necessary. Modify this setting under the AP WAF option MODSEC_99_SCANNER.
Step 7: Click Update to apply the new settings
Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.
Note
It is not recommended you enable malware scanning for the default excluded users.
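Because a bad entry in the protected-directory list either makes the system unstable (logs, devices, the signature directory) or sends the upload scanner into the rescanning loop described in step 6, it is worth checking a proposed list before clicking Update. The following shell script is an added example written for this page, not Atomicorp's code: it takes the never-protect trees from steps 5 and 6 above, reports for each candidate directory whether it must be rejected, whether it swallows the ModSecurity temporary directory (so MODSEC_TMPDIR must move or the directory be excluded), or whether it merely needs exclusions added; the candidate list and the alternative MODSEC_TMPDIR path /var/lib/modsec-tmp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (editor's, not Atomicorp's): pre-flight a proposed list of
# realtime-protected directories against the rules in steps 5 and 6.
#   REJECT   the directory lies inside a tree the text says never to protect
#   CONFLICT the ModSecurity upload-scanner temp dir lies inside it (scan loop)
#   EXCLUDE  it contains never-protect trees that must go on the exclusion list
#   OK       nothing to do
# The tree list is taken from the text (trailing slash dropped).
NEVER_PROTECT='/var/clamav /var/lib/clamav /etc/httpd/modsecurity.d /dev /var/log /proc /selinux /sys /home/virtfs'

# Return 0 when $1 equals $2 or lies beneath it ("/" contains everything).
path_under() {
    [ "$2" = / ] && return 0
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# Print the verdict for directory $2 given the ModSecurity temporary
# directory $1; exit status is 1 for REJECT and CONFLICT, 0 otherwise.
verdict_for() {
    tmpdir=$1; d=$2
    for bad in $NEVER_PROTECT; do
        if path_under "$d" "$bad"; then echo REJECT; return 1; fi
    done
    if path_under "$tmpdir" "$d"; then echo CONFLICT; return 1; fi
    ex=''
    for bad in $NEVER_PROTECT; do
        if path_under "$bad" "$d"; then ex="$ex $bad"; fi
    done
    if [ -n "$ex" ]; then echo "EXCLUDE:$ex"; else echo OK; fi
    return 0
}

# Print a verdict line per directory in $2..; return 1 if any directory is
# rejected or conflicting.
check_protect_list() {
    tmpdir=$1; shift
    rc=0
    for d in "$@"; do
        v=$(verdict_for "$tmpdir" "$d") || rc=1
        printf '%-20s %s\n' "$d" "$v"
    done
    return $rc
}

# Constructed candidate list for the demonstration.
echo "MODSEC_TMPDIR=/tmp (the default):"
check_protect_list /tmp /home /var/www/vhosts /tmp /var/tmp /var/log/httpd \
    || echo "-> fix the list, exclude the temp dir, or move MODSEC_TMPDIR"
echo
echo "MODSEC_TMPDIR=/var/lib/modsec-tmp (assumed path, option 1 above):"
check_protect_list /var/lib/modsec-tmp /home /var/www/vhosts /tmp /var/tmp \
    || echo "-> still needs attention"
```

The first run flags /var/log/httpd as REJECT, /tmp as CONFLICT and /home as needing /home/virtfs excluded; moving MODSEC_TMPDIR out of the protected trees clears the conflict while /tmp and /var/tmp remain protected. Extend NEVER_PROTECT with your own signature, log and build directories before relying on it.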
Rebooting the System
If you are not already using the AP Kernel, you will need to reboot the system into the AP Kernel by running the following command:
reboot
If you are using the AP Kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.
Testing Your Protection
If you want to test whether the realtime malware system is working, once you have configured it and are running an appropriate kernel (such as the AP kernel, which supports real time malware scanning), you can use the EICAR test file, which you can download from the official EICAR site.
Once you have downloaded an EICAR test file, place it in a directory you have configured to be protected. If you have configured the system to allow copying of files but not opening them, simply try to view the contents of the file within the protected directory with a command like the one below:
cat eicar.com.txt
If permission is denied, then you have successfully configured and enabled real time malware protection for your system.
Detecting False Positives
If you encounter a false positive with any ClamAV signature, you can exclude the signature by adding its name to this file:
/var/clamav/local.ign
For example, if your system reported this file and this signature:
Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND
you would add “Some.Signature.Name” to local.ign, one signature name per line. If the signature name ends in .UNOFFICIAL, do NOT include the .UNOFFICIAL suffix. For example, for:
somesignature.UNOFFICIAL
you would add only “somesignature” to the local.ign file, and NOT “somesignature.UNOFFICIAL”.
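Picking the name out of the log line by hand is error-prone (the path and the signature both sit after a colon, and the .UNOFFICIAL suffix is easy to leave in). The script below is an added shell example written for this page, not Atomicorp's or ClamAV's code: it extracts the signature name from a Clamuko/clamd "FOUND" line, strips .UNOFFICIAL as the text requires, and appends the name to an ignore file only if it is not already listed. The log lines are constructed for the demonstration and the script writes to a scratch file rather than /var/clamav/local.ign.

```shell
#!/bin/sh
# Added example (editor's, not Atomicorp's): turn a clamd/Clamuko "FOUND" log
# line into the name to put in local.ign, stripping a trailing .UNOFFICIAL as
# the text above requires, and append it only once.

# Print the signature name from one log line, or nothing if the line is not a
# detection. The pattern anchors on the last ": <name> FOUND" on the line, so a
# file path that itself contains colons does not confuse it.
sig_from_log() {
    printf '%s\n' "$1" \
      | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' \
      | sed 's/\.UNOFFICIAL$//'
}

# Append $2 to the ignore file $1 unless it is already listed.
# Returns 0 when added, 1 when already present, 2 for an empty name.
ignore_signature() {
    f=$1; sig=$2
    [ -n "$sig" ] || return 2
    if [ -f "$f" ] && grep -qxF -- "$sig" "$f"; then
        return 1
    fi
    printf '%s\n' "$sig" >> "$f"
}

# Constructed log lines for the demonstration (not from a real system).
LOG='Fri Jan  4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND
Fri Jan  4 00:06:10 2013 -> Clamuko: /home/user/public_html/x.js: PUA.Script.Packed-1.UNOFFICIAL FOUND
Fri Jan  4 00:06:11 2013 -> Clamuko: /home/user/public_html/y.js: PUA.Script.Packed-1.UNOFFICIAL FOUND
Fri Jan  4 00:07:00 2013 -> SelfCheck: Database status OK.'

# Work on a scratch copy; on an AP system the file is /var/clamav/local.ign.
IGN=$(mktemp)
printf '%s\n' "$LOG" | while IFS= read -r line; do
    sig=$(sig_from_log "$line")
    [ -n "$sig" ] || continue
    if ignore_signature "$IGN" "$sig"; then
        echo "added   $sig"
    else
        echo "skipped $sig (already listed)"
    fi
done
echo "--- contents of $IGN ---"
cat "$IGN"
rm -f "$IGN"
```

Review each name before it lands in the real file: an ignore entry silences the signature for every file on the system, so add only signatures you have confirmed as false positives, and restart clamd (or wait for the self-check) for the change to take effect.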