    Solved ClamAV not showing infected files in logs

    IT Discussion
    clamav
    IRJ

      So I ran clamscan on my test server and found two infections, both of which are rules for Suricata, so they are false positives. Either way, this is perfect for my testing, as I want to integrate notifications of infections found. The documentation is extremely sparse.

      Here are my settings in /etc/clamav/clam/freshclam.conf

      # Automatically created by the clamav-freshclam postinst
      # Comments will get lost when you reconfigure the clamav-freshclam package
      
      DatabaseOwner clamav
      UpdateLogFile /var/log/clamav/freshclam.log
      LogVerbose false
      LogSyslog false
      LogFacility LOG_LOCAL6
      LogFileMaxSize 0
      LogRotate true
      LogTime true
      Foreground false
      Debug false
      MaxAttempts 5
      DatabaseDirectory /var/lib/clamav
      DNSDatabaseInfo current.cvd.clamav.net
      ConnectTimeout 30
      ReceiveTimeout 30
      TestDatabases yes
      ScriptedUpdates yes
      CompressLocalDatabase no
      SafeBrowsing false
      Bytecode true
      NotifyClamd /etc/clamav/clamd.conf
      # Check for new database 24 times a day
      Checks 24
      DatabaseMirror db.local.clamav.net
      DatabaseMirror database.clamav.net
      

      You'll notice NotifyClamd is pointing towards /etc/clamav/clamd.conf. That file does not exist.

      There is also nothing of interest in /var/lib/clamav. It only contains the database files and the whitelist file which I created to exclude one infection. The whitelist is working as expected, but I still should be getting some type of notification for the other infection.

        DustinB3403

        I found this

        Which says specifically:

        Infected files reporting

        In case you are recursively scanning the whole /home folder (or even the whole system) from a terminal emulator on your GUI, possibly there will be lots of files. In that case, as the output you will get is not infinite, it probably will help to generate a report containing the paths to all infected files. In that case you can do the following:

        sudo clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

        Be patient if you run that command and it doesn't seem to be working because even if you don't see the complete output it is really scanning the files. When you see the prompt again, that will mean the scan is finished and that you can open the file it has created to check any infected file detected in your system.

        As ClamAV doesn't disinfect the files, sometimes it will be better to just know which files are infected before putting them in quarantine or removing them. For example, you could be using Wine, and by deleting an infected file you could break a program without having saved some data.

          IRJ @DustinB3403

          @DustinB3403 said in ClamAV not showing infected files in logs:

          I found this

          Which says specifically:

          Infected files reporting

          In case you are recursively scanning the whole /home folder (or even the whole system) from a terminal emulator on your GUI, possibly there will be lots of files. In that case, as the output you will get is not infinite, it probably will help to generate a report containing the paths to all infected files. In that case you can do the following:

          sudo clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

          Be patient if you run that command and it doesn't seem to be working because even if you don't see the complete output it is really scanning the files. When you see the prompt again, that will mean the scan is finished and that you can open the file it has created to check any infected file detected in your system.

          As ClamAV doesn't disinfect the files, sometimes it will be better to just know which files are infected before putting them in quarantine or removing them. For example, you could be using Wine, and by deleting an infected file you could break a program without having saved some data.

          Got this, so I just need to only include "FOUND" with grep:

          /usr/lib/python2.7/dist-packages/libcloud/test/dns/fixtures/digitalocean/_v2_domains_testdomain_records_1$
          /usr/lib/python2.7/dist-packages/libcloud/test/dns/fixtures/digitalocean/_v2_domains_testdomain_NOT_FOUND$
          /etc/suricata/rules/emerging-deleted.rules: Html.Trojan.Blackhole-65 FOUND
          
            IRJ @DustinB3403

            @DustinB3403 said in ClamAV not showing infected files in logs:

            sudo clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

            The command above also grabs NOT_FOUND

            Exact command to find just FOUND should be:

            sudo clamscan -r /folder/to/scan/ | grep " FOUND" >> /path/to/save/report/file.txt

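As an added example (not code from the thread), the filtering above written so that only genuine detections are kept and reduced to a path/signature report, which is what a notification hook would consume. The sample scan output is constructed; the paths and signature names are illustrative only.

```shell
#!/bin/sh
# Added example, not from the thread: pick out real detections from clamscan
# output. clamscan prints one line per file:
#   <path>: <signature> FOUND   (detection)
#   <path>: OK                  (clean)
# A bare `grep FOUND` also matches paths containing "NOT_FOUND" (as shown in
# the thread), so anchor on the " FOUND" suffix at end of line instead.

# Constructed sample clamscan output; one path deliberately contains ": ".
SAMPLE_SCAN='/usr/lib/python2.7/dist-packages/libcloud/test/dns/fixtures/digitalocean/_v2_domains_testdomain_NOT_FOUND: OK
/etc/suricata/rules/emerging-deleted.rules: Html.Trojan.Blackhole-65 FOUND
/home/irj/notes: draft.doc: Win.Test.EICAR_HDB-1 FOUND
/home/irj/readme.txt: OK'

# Keep only detection lines from clamscan output read on stdin.
found_lines() {
    grep -E ' FOUND$'
}

# Turn detection lines into "path<TAB>signature". The split is on the LAST
# ": " (no colon may follow it), so a path that itself contains ": " stays
# intact instead of being cut at its first colon.
found_report() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^:]*$/)
        print substr($0, 1, i - 1) "\t" substr($0, i + 2)
    }'
}

# Number of detections in clamscan output read on stdin (0 prints "0").
found_count() {
    found_lines | grep -c ''
}

# Typical use from cron (real clamscan flags: -r recurse, -i print only
# infected files, --no-summary drop the trailing statistics block):
#   clamscan -r -i --no-summary /srv | found_report >> /var/log/clamav/found.tsv
```

The report lines are tab-separated so a later step can split them safely even when a path contains spaces.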