
Antimalware File Scan

The Antimalware File Scan app provides a quick way to check for viruses on your file shares. The scanner check:

Installation

If your system does not have this app available, you can install it via the Marketplace.

You can find this feature in the menu system at the following location:

Server|File|Antimalware File Scanner

Configuration

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_antimalware_file_scanner.png

Before you can scan your file system, you must select folders to scan. Click on the Scanner button and enter *Edit* mode.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_antimalware_file_scanner_settings1.png

On this form, you'll be able to make several configuration changes as described in the sections below.

If you enable scanning of Flexshares, websites will also be scanned (if the websites were created in the webconfig). If you also enable Web scanning, the websites will get scanned twice, slowing the scan down.

Schedule

To configure automated, daily settings, select an hour of the day to start a file system scan.

Actions

Select whether you want the scanner to automatically quarantine the files.

Email Notifications

Once a scan has successfully run (either automated or manual), you'll want to be alerted in the event there were errors or infected files discovered during the scan. Enabling email alerts and providing an address to send to is a convenient way to stay informed of scans running on the server.

Alert on Virus

Sends alerts any time an infected file is discovered.

Alerts on Error

Sends alerts any time there were errors or warnings during a scan.

Notify Email

The email address to send notifications to. Antimalware file scanning uses the Mail Notification app to send notifications out in the event a mail server is not running on your server. Make sure you have configured it and tested that you receive email alerts.

Directories

Directories to include in your scan. Preset folders are defined in the table below but depend on which apps you have installed:

Name             Folder
Home             /home
Flexshare        /var/flexshare
Web              /var/www
FTP              /var/ftp
Web Proxy Cache  /var/spool/squid
E-mail           /var/spool/imap

Custom Directories

If you want to include folders not on the default list (e.g. mount points, root etc.) or if you want to be more selective (e.g. some users' home directories, but not all), you can do this by editing the /etc/avscan.conf configuration file using your favourite editor or shell scripts.

For example, if you had a mount point named /backup and wanted it included, you could run:

echo "/backup" >> /etc/avscan.conf


If you want to exclude certain file types from the scan, in /usr/sbin/file_scan around line 195 change:

$clam_scan_options = '';

to something like:

$clam_scan_options = '--exclude="\.(jpg|jpeg|mkv)$"';

The exclude parameter is a regex of the file names to exclude.
There is a similar parameter "--exclude-dir" which can contain a regex of folders to exclude. Both parameters can be repeated multiple times. For more information check out the man page for clamscan.

Antimalware Signatures and Updates

ClamAV Community Updates

The Antimalware File Scan app uses the ClamAV engine to scan for viruses. The ClamAV engine is used in multiple apps available for ClearOS - Content Filter Scanning, Mail Antimalware and the File Scan app to name a few. The engine is set to update itself with community signatures once per hour, by default.

These updates come from the ClamAV community. If this is a valuable service to you, please consider donating to the ClamAV Signature Update Team.

ClearCenter Antimalware Updates

ClearCenter provides a value-added service for a fee to increase the number of signatures available to the ClamAV engine. For information on this app/service, click here.

Summary Data

When at least one successful scan has been run, the main scanner form will auto-populate with additional fields showing a collection of statistics and interesting summary data. Most of the data fields (shown in the screenshot to the right) are self-evident.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_antimalware_file_scanner_scanner.png

One frequently asked question is “What is the difference between Total Data Scanned and Total Data Read?” Often, these totals will be exactly or nearly the same. However, if you have large files on your server or archive files (.tar, .tgz etc.) comprised of many individual files that when combined total more than 25MB, you may see these numbers differ.

If your total data scanned is significantly lower than the total data read, the difference in bytes is what is *not* being scanned through the filter. While unlikely, viruses could be missed in these cases.

ClamAV's scanner uses two default settings that control the way the scanner iterates and scans through folders and files.

MaxScanSize

Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. The system default is 100MB.

This option protects your system against DoS attacks (default: 100 MB, max: <4 GB)

Modifying this parameter for the ClearOS scanner can be done by adding a line in /etc/clearos/file_scan.conf, e.g.:

max-scansize=80M

MaxFileSize

Files larger than this limit won’t be scanned. It affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). The system default is 25MB.

This option protects your system against DoS attacks (default: 25 MB, max: <4 GB)

Modifying this parameter for the ClearOS scanner can be done by adding a line in /etc/clearos/file_scan.conf, e.g.:

max-filesize=30M
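
To see which files the MaxFileSize limit leaves unscanned, the following added example (not part of the ClearOS tooling) lists every file above the configured limit in the scan directories. It assumes /etc/avscan.conf holds one directory per line, as the echo command above suggests, and it only checks the size of the file itself, not of members inside archives.

```shell
#!/bin/sh
# Added example: list files larger than max-filesize, which the scanner skips.
# Assumption: avscan.conf lists one directory per line (inferred from this page).
CONF="${CONF:-/etc/clearos/file_scan.conf}"
DIRS="${DIRS:-/etc/avscan.conf}"

# Convert a ClamAV-style size (e.g. 30M, 512K, 1000) to bytes.
to_bytes() {
    num=${1%[KkMm]}
    case "$1" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Read max-filesize from the config file, falling back to the 25M default.
max_filesize() {
    v=$(sed -n 's/^max-filesize=//p' "$1" 2>/dev/null | tail -n 1)
    echo "${v:-25M}"
}

# Print every regular file under the listed directories that exceeds the limit.
# $1 = size limit, $2 = file listing one directory per line
oversized_files() {
    limit=$(to_bytes "$1")
    while IFS= read -r dir || [ -n "$dir" ]; do
        [ -d "$dir" ] || continue          # skip entries that are not directories
        find "$dir" -type f -size +"${limit}c" 2>/dev/null
    done < "$2"
}

# Report only when the directory list exists on this machine.
if [ -r "$DIRS" ]; then
    oversized_files "$(max_filesize "$CONF")" "$DIRS"
fi
```

Any path it prints is a candidate for a separate scan with a higher limit, or for raising max-filesize.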

Excluding Files and Folders from scanning

There are a couple of hidden options which you can use to exclude files and folders from being scanned. You can add these parameters with a couple of lines in /etc/clearos/file_scan.conf:

exclude=
exclude-dir=

These take a regex of what you want to exclude. As an example:

exclude="\.(jpg|jpeg)$"

will exclude all files with the jpg and jpeg file extensions from the scan. Similarly:

exclude-dir="(\/shares\/(foscam|docker|shared\/Photos)\/|\/home\/foscam\/)"

will exclude the following folders and their sub-folders:

/shares/foscam/
/shares/docker/
/shares/shared/Photos/
/home/foscam/

Please consult “man clamscan” for more information.

The man pages say that multiple occurrences of the parameters are allowed. This is correct at the command line, but not for the webconfig, where each parameter must only occur once in the file.
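
Every exclusion is a place the scanner never looks, so it is worth previewing what a pattern matches before saving it. This added example (not part of ClearOS or ClamAV) applies to both the file_scan.conf parameters here and the $clam_scan_options edit described earlier: it runs the page's patterns over constructed sample paths and joins several patterns into the single line the webconfig requires. grep -E stands in for clamscan's regex matching, which is an approximation.

```shell
#!/bin/sh
# Added example: preview which paths an exclude / exclude-dir regex would skip.
# grep -E stands in for clamscan's regex matching (an approximation).

# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS='/shares/foscam/cam1/0001.jpg
/shares/shared/Photos/2019/trip.jpeg
/shares/shared/Documents/invoice.jpg.exe
/home/foscam/upload.bin
/home/alice/foscam-notes.txt
/var/flexshare/shares/docker/image.tar'

# Patterns copied from this page.
DIR_RE='(\/shares\/(foscam|docker|shared\/Photos)\/|\/home\/foscam\/)'
FILE_RE='\.(jpg|jpeg)$'

# Join several patterns into one alternation, because the webconfig accepts
# each parameter only once in /etc/clearos/file_scan.conf.
combine_patterns() {
    out=""
    for p in "$@"; do
        out="${out:+$out|}($p)"
    done
    printf '%s\n' "$out"
}

# List the sample paths a pattern matches, i.e. what would go unscanned.
# stderr is dropped because newer GNU grep warns about the page's "\/".
list_excluded() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -e "$1" 2>/dev/null || true
}

# Count them, so two versions of a pattern can be compared.
count_excluded() {
    list_excluded "$1" | grep -c . || true
}

# The unanchored exclude-dir pattern also matches /var/flexshare/shares/docker/.
printf '%s\n' "exclude-dir skips:";        list_excluded "$DIR_RE"
printf '%s\n' "exclude (anchored) skips:"; list_excluded "$FILE_RE"
# Without the trailing $ the pattern also skips invoice.jpg.exe.
printf 'exclude without $ skips %s files\n' "$(count_excluded '\.(jpg|jpeg)')"
printf 'single line: exclude="%s"\n' "$(combine_patterns "$FILE_RE" '\.mkv$')"
```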

Help

content/en_us/7_ug_file_scan.txt · Last modified: 2019/11/27 08:28 by nickh
