Bolstering Malware Defences On cPanel Servers With ClamAV

When administering shared servers with lots of accounts, dealing with malware is almost an inevitability. With platforms such as WordPress and Joomla being exploited constantly, it’s increasingly important to know how to deal with malware.

Here are some useful tips to improve your defences against malicious activity on a typical cPanel server using ClamAV. The guide could apply equally to other types of servers but we’ve focused on cPanel here.

ClamAV

ClamAV is an open source, high-performance virus and malware scanner suitable for a range of applications such as email scanning, webpage scanning and endpoint security. It features an intuitive GUI as well as powerful command-line tools, so it is easy to use as well as flexible.

Installation

First of all, install ClamAV if it is not already present. These commands check whether the package is installed and install it if it is not.

/scripts/update_local_rpm_versions --edit target_settings.clamav installed
/scripts/check_cpanel_rpms --fix --targets=clamav

Security-Enhanced Linux (SELinux) should be disabled on cPanel servers, but just in case it isn't, run the following command to allow ClamAV to scan the whole system under SELinux.

setsebool -P antivirus_can_scan_system true

Signatures

The default signatures that ClamAV ships with aren't always sufficient: they detect only a fraction of the malware out there. So our next step is to install additional signatures. We recommend the excellent ClamAV Unofficial Signatures Updater, which can be installed as follows.

mkdir -p /etc/clamav-unofficial-sigs/
mkdir -p /var/log/clamav-unofficial-sigs/
git clone https://github.com/extremeshok/clamav-unofficial-sigs.git
mv clamav-unofficial-sigs/config/* /etc/clamav-unofficial-sigs/
# The unit files belong in /etc/systemd/system/; moving the whole directory into
# /etc/systemd/ would only create /etc/systemd/systemd/, which systemd ignores.
mv clamav-unofficial-sigs/systemd/* /etc/systemd/system/

The next part of the installation depends on which operating system you are running, so let's find that out first by using cat to view the release files.

cat /etc/*-release

Most cPanel servers will be running CentOS or a variant, but you still need to know the major OS version (e.g. 6 or 7) and copy the matching configuration file. The following commands put the configuration file in the correct place.

For CentOS 6 with cPanel:

mv /etc/clamav-unofficial-sigs/os.centos6-cpanel.conf /etc/clamav-unofficial-sigs/os.conf

For CentOS 7 with cPanel:

mv /etc/clamav-unofficial-sigs/os.centos7.conf /etc/clamav-unofficial-sigs/os.conf

On our systems, ClamAV runs as the user/group "clamav" rather than "clam", so the file needs amending to reflect that. The following sed command does this.

sed -i 's|"clam"|"clamav"|' /etc/clamav-unofficial-sigs/os.conf
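The version check, template selection and user/group fix above can be collapsed into one re-runnable script. The following is an added example and is not part of the original post or of the clamav-unofficial-sigs project: it reads the release text, picks the matching template, installs it as os.conf and rewrites the user/group. The configuration directory is a parameter so the logic can be tried against a scratch copy; the clam_user/clam_group keys in the constructed sample are an assumption about the template's contents.

```shell
#!/bin/bash
# Added example (not from the post or the clamav-unofficial-sigs project).
# Mirrors the manual steps: detect the CentOS major version, install the
# matching os.conf template, and switch the ClamAV user/group to "clamav".

# Print the first "release N" major number found in release-file text
# (pass the output of: cat /etc/*-release).
centos_major() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map the major version to the template name used in the post.
pick_os_conf() {
    case "$(centos_major "$1")" in
        6) echo "os.centos6-cpanel.conf" ;;
        7) echo "os.centos7.conf" ;;
        *) echo "unsupported release: $1" >&2; return 1 ;;
    esac
}

# Install the chosen template as os.conf and fix the user/group.
# $1 = release text, $2 = config directory (defaults to the post's path).
# cp rather than mv keeps the template available for a later re-run.
install_os_conf() {
    local release="$1" dir="${2:-/etc/clamav-unofficial-sigs}" src
    src="$(pick_os_conf "$release")" || return 1
    [ -f "$dir/$src" ] || { echo "missing template $dir/$src" >&2; return 1; }
    cp "$dir/$src" "$dir/os.conf"
    # /g so every quoted "clam" on a line is rewritten, not only the first.
    sed -i 's|"clam"|"clamav"|g' "$dir/os.conf"
}

# Usage on a real server (not run here):
#   install_os_conf "$(cat /etc/*-release)"
```

Run it with a throwaway directory holding a copy of the templates first; `grep clamav /tmp/test/os.conf` then shows exactly which lines the sed rewrote before you touch /etc.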

Updating

Now that the configuration file is in place, let's install the updater script with its cron and logrotate options. This keeps the signatures up to date and stops the logs growing too large by rotating them. We must first copy the script to the correct directory and then set its permissions to 755 so that it can be executed.

cp clamav-unofficial-sigs/clamav-unofficial-sigs.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh

We can then run the installer:

/usr/local/sbin/clamav-unofficial-sigs.sh --install-cron --install-logrotate

If it completes without error, we can safely set user_configuration_complete to "yes" in user.conf. This can be done with sed once more.

sed -i 's|^#user_configuration_complete="yes"|user_configuration_complete="yes"|' /etc/clamav-unofficial-sigs/user.conf

To update ClamAV with the newly added signatures, run freshclam.

/usr/local/cpanel/3rdparty/bin/freshclam

Scanning

If you want to scan a particular folder, use the following command (-r recurses into subdirectories and -i prints only infected files):

/usr/local/cpanel/3rdparty/bin/clamscan -ir /home/username/public_html/

Adding --remove=yes automatically deletes any hits found, but take a backup and inspect the flagged files first: false positives aren't unheard of.

/usr/local/cpanel/3rdparty/bin/clamscan -ir /home/username/public_html/ --remove=yes
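Because --remove=yes deletes hits outright, a safer routine is to move each reported file into a quarantine directory, keep a log of what was moved and why, and restore anything that turns out to be a false positive. The following is an added example, not code from the original post or from ClamAV: it parses clamscan's "path: Signature FOUND" output lines (the format produced by the -i scan above), quarantines each hit preserving its original path, and provides a restore step. The quarantine location is an assumption; the scan output used in the usage note is constructed.

```shell
#!/bin/bash
# Added example (not from the post or ClamAV): quarantine instead of delete.
# Works on clamscan output so it can be reviewed before anything is moved.

# Quarantine root; assumed location, override by exporting QUARANTINE.
QUARANTINE="${QUARANTINE:-/var/quarantine/clamav}"

# Turn clamscan output on stdin into "path<TAB>signature" lines.
# Only "...: Sig FOUND" lines are kept; OK lines and the scan summary are
# ignored. The signature is taken after the last ": " so paths containing
# ": " still parse correctly.
parse_hits() {
    local line
    while IFS= read -r line; do
        case "$line" in
            *" FOUND")
                line="${line% FOUND}"
                printf '%s\t%s\n' "${line%: *}" "${line##*: }"
                ;;
        esac
    done
}

# Move one hit under $QUARANTINE keeping its original path, and record
# timestamp, signature and original path in quarantine.log for later review.
quarantine_file() {
    local path="$1" sig="$2" dest
    dest="$QUARANTINE/${path#/}"
    mkdir -p "$(dirname "$dest")"
    mv -- "$path" "$dest"
    printf '%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$sig" "$path" \
        >> "$QUARANTINE/quarantine.log"
}

# Quarantine every hit listed in a saved scan log ($1); prints the count.
quarantine_hits() {
    local n=0 path sig tmp
    tmp="$(mktemp)"
    parse_hits < "$1" > "$tmp"
    while IFS="$(printf '\t')" read -r path sig; do
        [ -f "$path" ] || continue   # already gone or not a regular file
        quarantine_file "$path" "$sig"
        n=$((n + 1))
    done < "$tmp"
    rm -f "$tmp"
    echo "$n"
}

# Put a quarantined file back after inspection showed it was a false positive.
restore_file() {
    local path="$1" src
    src="$QUARANTINE/${path#/}"
    [ -f "$src" ] || { echo "not quarantined: $path" >&2; return 1; }
    mkdir -p "$(dirname "$path")"
    mv -- "$src" "$path"
}

# Typical use on a real server (clamscan is not run in this example):
#   /usr/local/cpanel/3rdparty/bin/clamscan -ir /home/username/public_html/ > /tmp/scan.log
#   quarantine_hits /tmp/scan.log
#   restore_file /home/username/public_html/wp-content/uploads/legit.php
```

The scan log doubles as the review checklist: each hit can be diffed against a known-good copy of the CMS before deciding whether to restore it or leave it quarantined.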