
Thread: Clamav hourly updates

  1. #1
    Join Date
    Feb 2012
    Beans
    11

    Question Clamav hourly scan of modified files

    Hi Guys,

    I'm running Ubuntu server. I have just installed ClamAV and would like to scan the web directory /var/www/* hourly, but I would like to scan only the files created/modified within the hour.

    How would I set up ClamAV to do that? Scan web directories' modified files hourly.
    Last edited by TheHippy; December 18th, 2012 at 03:01 PM.

  2. #2
    dino99's Avatar
    dino99 is offline Ubuntu addict and loving it
    Join Date
    Jun 2006
    Location
    Nux Jam
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Clamav hourly updates

    Set clamav-daemon into a cronjob.

    https://help.ubuntu.com/community/ClamAV

  3. #3
    Join Date
    Feb 2012
    Beans
    11

    Re: Clamav hourly updates

    Hi dino99, thanks for your reply.

    Sorry for the misleading topic, I actually want to scan files every hour, but only scan files which are modified within that hour.

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    11,253
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Clamav hourly updates

    You could write a command that uses the "find" command, but why bother? ClamAV is pretty quick. Unless you have thousands of files in /var/www it should scan the whole directory in just a few seconds. Have you tried installing ClamAV and running "clamscan /var/www"? What kind of performance do you see?

    You can restrict it to particular types of files with commands like "clamscan /var/www/*.exe" or "clamscan /var/www/*.zip".

    Just curious, but why would you let anyone post executable files to /var/www? That's a big security hole, and not one you can fix just by running hourly scans. If you want to let people post files, put them into a quarantine directory outside the web directories, then run a script periodically that scans each file with clamscan and moves clean ones into /var/www. Another alternative is to write a PHP script that handles the uploading task and scans each file as it is received. I'd also add some code to send you an email if someone submits an infected file.
    Last edited by SeijiSensei; December 18th, 2012 at 05:58 PM.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
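One way to implement the quarantine workflow described in the post above, as an added example that is not part of the original post. It relies on clamscan's exit codes (0 clean, 1 virus found, 2 error); the function name `release_clean`, the `SCANNER` override and the directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: release uploads from a quarantine directory outside the web
# root only after a clean scan. SCANNER can be overridden for testing.
SCANNER="${SCANNER:-clamscan}"

# release_clean QUARANTINE_DIR WEB_DIR
# Prints one line per file: "released", "infected" or "error", then the path.
release_clean() {
    qdir=$1
    webdir=$2
    for f in "$qdir"/*; do
        [ -f "$f" ] || continue      # skip subdirectories and the empty-glob case
        rc=0
        "$SCANNER" --no-summary "$f" >/dev/null 2>&1 || rc=$?
        case $rc in
            0) mv -- "$f" "$webdir"/ && echo "released $f" ;;
            1) echo "infected $f" ;;  # virus found: file stays in quarantine
            *) echo "error $f" ;;     # scan failed: treat as not clean
        esac
    done
}

# When run as a script with two arguments, process the quarantine directory once.
if [ "$#" -eq 2 ]; then
    release_clean "$1" "$2"
fi
```

Filtering the output for "infected" lines and piping them to mail gives the notification suggested in the post.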

  5. #5
    Join Date
    Feb 2012
    Beans
    11

    Re: Clamav hourly updates

    Originally posted by SeijiSensei:
    You could write a command that uses the "find" command, but why bother? ClamAV is pretty quick. Unless you have thousands of files in /var/www it should scan the whole directory in just a few seconds. Have you tried installing ClamAV and running "clamscan /var/www"? What kind of performance do you see?

    You can restrict it to particular types of files with commands like "clamscan /var/www/*.exe" or "clamscan /var/www/*.zip".

    Just curious, but why would you let anyone post executable files to /var/www? That's a big security hole, and not one you can fix just by running hourly scans. If you want to let people post files, put them into a quarantine directory outside the web directories, then run a script periodically that scans each file with clamscan and moves clean ones into /var/www. Another alternative is to write a PHP script that handles the uploading task and scans each file as it is received. I'd also add some code to send you an email if someone submits an infected file.

    Thanks for your advice - I am happy that what I develop is secure & there's no way I'd allow executable files to be uploaded unless there was a reason for it, but we have a client who is requesting some space on one of our servers, and if we grant it I cannot guarantee that what he puts up there will be secure, and so I wanted to have something running which will notify me & purge anything bad, i.e. if he writes an upload facility that someone exploits etc.

    At the moment:

    Code:
    root@:/var/www# find . -type f | wc -l
    56253

    I will do what you said - let it scan and see how quickly it goes through them.

    Ok that was quick!

    Code:
    ----------- SCAN SUMMARY -----------
    Known viruses: 1395503
    Engine version: 0.97.6
    Scanned directories: 6921
    Scanned files: 56170
    Infected files: 0
    Data scanned: 1415.58 MB
    Data read: 2081.22 MB (ratio 0.68:1)
    Time: 171.586 sec (2 m 51 s)

    I guess it might as well just do that.

    Thanks for your help!

    Just for reference, could you tell me how I would apply a find to the clamscan?
    Last edited by TheHippy; December 18th, 2012 at 06:49 PM. Reason: Results

  6. #6
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    11,253
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Clamav hourly updates

    I find "find" to be a difficult command, but you can use things like the -ctime and -mtime switches to identify files changed within a particular period. There's a way to pipe the list to another process like clamscan. I suggest studying the man page for find.

  7. #7
    Join Date
    Feb 2012
    Beans
    11

    Re: Clamav hourly updates

    SeijiSensei, thanks a lot for your direction.

    This morning I have done the following:

    Modified two files, then done

    Code:
    find . -mmin -60 -type f -print0 | xargs -0 -r clamscan

    Code:
    ----------- SCAN SUMMARY -----------
    Known viruses: 1400628
    Engine version: 0.97.6
    Scanned directories: 0
    Scanned files: 2
    Infected files: 0
    Data scanned: 0.01 MB
    Data read: 0.00 MB (ratio 2.00:1)
    Time: 2.966 sec (0 m 2 s)

    Works a treat!

    I ended up using -mmin as it appears to be specifically for grabbing files modified between now and -x minutes ago.

  8. #8
    Join Date
    Feb 2012
    Beans
    11

    Re: Clamav hourly updates

    So I added it into a file like this

    Code:
    find /var/www/ -mmin -60 -type f -print0 | xargs -0 -r clamscan | mail -s "xxx.xxx.xxx.xxx (SVR5) Scan Results for `date +%T` - `date +%D`" me@myemail.com

    named it hourlyscan

    and added it to crontab -e

    Code:
    0 * * * * /home/www/mycron/hourlyscan

    but it doesn't appear to be running?

    Could you please point me in the right direction again?

  9. #9
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    11,253
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Clamav hourly updates

    Did you start the script with a "hash-bang"?

    Code:
    #!/bin/bash
    
    [stuff]

    Is the script marked executable? Is it in root's crontab (/var/spool/cron/root)? If it is in /etc/crontab, you need to include the username like this:

    Code:
    1 * * * * root /path/to/your/script

  10. #10
    Join Date
    Feb 2012
    Beans
    11

    Re: Clamav hourly updates

    I didn't add the hash bang!

    I kept getting an error when I added root to the script like in your example

    Code:
    /bin/sh: root: command not found

    So I took it out and it works perfectly now.

    Thanks a lot for your help SeijiSensei!
    Last edited by TheHippy; December 21st, 2012 at 02:32 PM.
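A variant of the hourly script worked out in this thread, as an added example that is not code from any of the posts. Instead of `-mmin -60` it compares against a stamp file left by the previous run, so a late or skipped cron run leaves no unscanned window, and it reports only when something is found; the function name `scan_changed`, the `SCANNER` override and the stamp path are hypothetical, and the stamp must live outside the scanned tree.

```shell
#!/bin/bash
# Added example: scan only files modified since the previous run.
# SCANNER can be overridden for testing; it must be an executable on disk
# because xargs cannot call shell functions.
SCANNER="${SCANNER:-clamscan}"

# scan_changed ROOT STAMP
# Scans regular files under ROOT newer than STAMP (all files on the first run).
# Prints the scanner's "FOUND" lines. Returns 0 clean, 1 infected, 2 scan error.
scan_changed() {
    root=$1
    stamp=$2
    next="$2.next"
    : > "$next"                  # reference time for the NEXT run, taken before scanning
    if [ -f "$stamp" ]; then
        set -- -newer "$stamp"
    else
        set --                   # no stamp yet: scan everything
    fi
    rc=0
    report=$(find "$root" -type f "$@" -print0 |
        xargs -0 -r "$SCANNER" --no-summary --infected) || rc=$?
    # GNU xargs exits 123 when any invocation exits 1-125, so clamscan's
    # 1 (virus) and 2 (error) look alike here; the FOUND lines tell them apart.
    case "$rc:$report" in
        0:*)         mv "$next" "$stamp"; return 0 ;;
        123:*FOUND*) mv "$next" "$stamp"; printf '%s\n' "$report"; return 1 ;;
        *)           rm -f "$next"; return 2 ;;  # keep the old stamp so nothing is skipped
    esac
}

# When run from cron with two arguments: ROOT and STAMP (paths are the caller's choice).
if [ "$#" -eq 2 ]; then
    scan_changed "$1" "$2"
fi
```

Called from the crontab entry shown in the thread, the output can be piped to mail only when the return status is non-zero, which avoids an hourly "0 infected" message.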
