ClamAV not showing infected files in logs



  • So I ran clamscan on my test server and found two infections, both of which are rules for Suricata, so they are false positives. Either way, this is perfect for my testing as I want to integrate notifications of infections found. The documentation is extremely sparse.

    Here are my settings in /etc/clamav/clam/freshclam.conf

    # Automatically created by the clamav-freshclam postinst
    # Comments will get lost when you reconfigure the clamav-freshclam package
    
    DatabaseOwner clamav
    UpdateLogFile /var/log/clamav/freshclam.log
    LogVerbose false
    LogSyslog false
    LogFacility LOG_LOCAL6
    LogFileMaxSize 0
    LogRotate true
    LogTime true
    Foreground false
    Debug false
    MaxAttempts 5
    DatabaseDirectory /var/lib/clamav
    DNSDatabaseInfo current.cvd.clamav.net
    ConnectTimeout 30
    ReceiveTimeout 30
    TestDatabases yes
    ScriptedUpdates yes
    CompressLocalDatabase no
    SafeBrowsing false
    Bytecode true
    NotifyClamd /etc/clamav/clamd.conf
    # Check for new database 24 times a day
    Checks 24
    DatabaseMirror db.local.clamav.net
    DatabaseMirror database.clamav.net
    

    You'll notice NotifyClamd is pointing towards /etc/clamav/clamd.conf. That file does not exist.

    There is also nothing of interest in /var/lib/clamav. It only contains the database files and the whitelist file which I created to exclude one infection. The whitelist is working as expected, but I still should be getting some type of notification for the other infection.



  • I found this

    Which says specifically:

    Infected files reporting

    In case you are recursively scanning the whole /home folder (or even the whole system) from a terminal emulator on your GUI, possibly there will be lots of files. In that case, as the output you will get is not infinite, it probably will help to generate a report containing the paths to all infected files. In that case you can do the following:

    sudo clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

    Be patient if you run that command and it doesn't seem to be working because even if you don't see the complete output it is really scanning the files. When you see the prompt again, that will mean the scan is finished and that you can open the file it has created to check any infected file detected in your system.

    As ClamAV doesn't disinfect the files, sometimes it will be better to just know which files are infected before putting them in quarantine or removing them. For example, you could be using Wine and by deleting an infected file you could break a program without having saved some data.



  • @DustinB3403 said in ClamAV not showing infected files in logs:

    I found this

    Which says specifically:

    Infected files reporting

    In case you are recursively scanning the whole /home folder (or even the whole system) from a terminal emulator on your GUI, possibly there will be lots of files. In that case, as the output you will get is not infinite, it probably will help to generate a report containing the paths to all infected files. In that case you can do the following:

    sudo clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

    Be patient if you run that command and it doesn't seem to be working because even if you don't see the complete output it is really scanning the files. When you see the prompt again, that will mean the scan is finished and that you can open the file it has created to check any infected file detected in your system.

    As ClamAV doesn't disinfect the files, sometimes it will be better to just know which files are infected before putting them in quarantine or removing them. For example, you could be using Wine and by deleting an infected file you could break a program without having saved some data.

    Got this, so I just need to include "FOUND" with grep:

    /usr/lib/python2.7/dist-packages/libcloud/test/dns/fixtures/digitalocean/_v2_domains_testdomain_records_1$
    /usr/lib/python2.7/dist-packages/libcloud/test/dns/fixtures/digitalocean/_v2_domains_testdomain_NOT_FOUND$
    /etc/suricata/rules/emerging-deleted.rules: Html.Trojan.Blackhole-65 FOUND
    


  • @DustinB3403 said in ClamAV not showing infected files in logs:

    sudo clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

    The command above also grabs NOT_FOUND

    Exact command to find just FOUND should be:

    sudo clamscan -r /folder/to/scan/ | grep " FOUND" >> /path/to/save/report/file.txt
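    The filtering discussed in this thread, written out as a small added shell example (not code posted by anyone in the thread). It anchors on the shape of a clamscan detection line, "<path>: <signature> FOUND", so that a path that merely contains the word (such as the ..._NOT_FOUND fixture above) is not mistaken for a hit. The sample output is constructed from the lines posted above plus a clean file and a summary block; the function names are my own.

```shell
#!/bin/sh
# Added example: keep only real clamscan detections from its output.
# Constructed sample of clamscan-style output, modelled on the lines in this thread.
SAMPLE_OUTPUT='/usr/lib/python2.7/dist-packages/libcloud/test/dns/fixtures/digitalocean/_v2_domains_testdomain_records_1
/usr/lib/python2.7/dist-packages/libcloud/test/dns/fixtures/digitalocean/_v2_domains_testdomain_NOT_FOUND
/etc/suricata/rules/emerging-deleted.rules: Html.Trojan.Blackhole-65 FOUND
/home/user/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 1'

# A detection is reported as "<path>: <signature> FOUND". Requiring ": " somewhere
# on the line and a space-separated FOUND at end of line drops NOT_FOUND paths
# (underscore, not space, before FOUND) and plain paths with no status.
filter_found() {
    grep -E ': .* FOUND$'
}

# Number of detections in the stream (trailing tr handles wc padding on some systems).
count_found() {
    filter_found | wc -l | tr -d ' '
}

# Just the file paths, for a review list before anything is quarantined or removed.
found_paths() {
    filter_found | sed -E 's/: [^:]* FOUND$//'
}

# Against a real scan this would be:
#   sudo clamscan -r /folder/to/scan/ | filter_found >> /path/to/save/report/file.txt
printf '%s\n' "$SAMPLE_OUTPUT" | filter_found
printf 'detections: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | count_found)"
```

    clamscan also has its own options for this: -i (--infected) prints only infected files, and -l FILE (--log=FILE) writes the scan output to a log file, so the grep is mainly useful when the full output is already being captured for other reasons.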

