Nethserver-clamscan think tank

I’m working on a rpm to scan the filesystem of a NS based on a cron (daily/weekly) with clamav. Basically I have something workable but without GUI yet.

The command launched is

/usr/bin/clamscan --recursive --infected --stdout --log /var/log/clamav/clamscan.log --exclude=/proc --exclude=/sys --exclude=/usr/share/doc --exclude=/var/spool/clamav/quarantine --official-db-only=yes /

some options are disabled, the default cron job is ‘daily’ at 00h


But I’m sure that we can even add more things, even disabled by default if needed…so I need your skills :slight_smile:

the documentation of clamscan

and clamd.conf


cc/ @asavinok @medworthy @m.traeumner @GG_jr @craaaft @Krajczar_Jeno @Juan_Fernandez @shodanki @WillZen

1 Like


Thank you for let it me know. Unfortunately I have no skills to greate a GUI and no time either.

I hope I can find the time and have a look at Ver 7 in the next days.


Great job. I like the idea and super work. I will test it soon.


1 Like

Nethserver-clamscan teaser :slight_smile:


Like the screenshot but am wondering if it is possible to have user defined times for the daily / weekly scans (ie. predefine time and days for the scans – hh:mm-day).

This should be a simple task if used with a crontab styled interface.

Also, why the ‘yes, I am really sure’ tick box?


yep it could be added, indeed it is a cron job, so we can change it

clamav can produce some false positive and if you set the move, you can have some headaches to put back the files in the good folders :slight_smile:

Yes, I have had similar problems with previous usage of clamscan (it might be a good idea to restrict the virus checks to the ibay, email spool / attachments, /var/www and any other user specific directories).

Just out of interest, can you provide a full list of the syntaxes you have used with clamscan? (as an example, have you included the various --phishing modules, the --algorithmic-detection, --scan-mail or the --log switches?)

/usr/bin/clamscan --recursive --infected --stdout --log /var/log/clamav/clamscan.log --max-files=10000 --max-filesize=30M --max-scansize=100M --max-recursion=16 --max-dir-recursion=15 --exclude=/boot --exclude=/proc --exclude=/sys --exclude=/usr/share/doc --exclude=/var/spool/clamav/quarantine --bytecode=yes --bytecode-timeout=120000 --detect-pua=yes --scan-html=yes --scan-mail=yes --scan-archive=yes --scan-pdf=yes --scan-ole2=yes --scan-elf=yes --scan-pe=yes --detect-broken=yes --block-encrypted=yes /

this is the full command, but some are optional

in the full command you don’t see --official-db-only=yes so the unofficial signatures are used.

you don’t find also --move=/var/spool/clamav/quarantine

I would be tempted to increase the max-files max-scansize, recursions and max-filesize (users may have multimedia files larger then 30mb, I also store a number of iso files / optical disc images on a NAS, some of these files could be 4gb or above).

Also, I probably would include --algorithmic-detection, --detect-broken, --scan-xmldocs, --scan-swf, --scan-hwp3 and maybe --detect-structured plus --partition-intersection

I refer to the man clamscan and some of the options you gave are not there ?


I examined various online documents but mainly used the --help page provided by clamscan
(for reference, I am using ClamAV version 0.99.1)

1 Like
          Use the DLP (Data Loss Prevention) module to detect SSN and Credit Card numbers inside documents/text files.

why not

              In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be  used  to  control
              the algorithmic detection.

why not

          Detect partition intersections in raw disk images using heuristics.

don’t know :slight_smile:

–scan-hwp3 and --scan-xmldocs are not known by clamav.

My concern is that if you offer to much settings you can loose you end user :slight_smile:

done, day and hour for the job is an option

1 Like

I would suggest that these extra switches could be included by default (and maybe don’t include them as user choices)

Also the --scan-hwp3 and --scan-xmldocs are recognised by v0.99.1

pointers please ?

I am also thinking that the scan-ole2 syntax may not include the scanning of the later MS office 2003 (and above) xml / docx formats, therefore it may be wise to include the --scan-xmldocs syntax

The following includes the help page from v0.99.1

       Clam AntiVirus Scanner 0.99.1
       By The ClamAV Team:
       (C) 2007-2015 Cisco Systems, Inc.

--help                -h             Print this help screen
--version             -V             Print version number
--verbose             -v             Be verbose
--archive-verbose     -a             Show filenames inside scanned archives
--debug                              Enable libclamav's debug messages
--quiet                              Only output error messages
--stdout                             Write to stdout instead of stderr
--no-summary                         Disable summary at end of scanning
--infected            -i             Only print infected files
--suppress-ok-results -o             Skip printing OK files
--bell                               Sound bell on virus detection

--tempdir=DIRECTORY                  Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)]            Do not remove temporary files
--database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load
                                     all supported db files from DIR
--official-db-only[=yes/no(*)]       Only load official signatures
--log=FILE            -l FILE        Save scan report to FILE
--recursive[=yes/no(*)]  -r          Scan subdirectories recursively
--allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
--cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE      -f FILE        Scan files from FILE
--remove[=yes/no(*)]                 Remove infected files. Be careful!
--move=DIRECTORY                     Move infected files into DIRECTORY
--copy=DIRECTORY                     Copy infected files into DIRECTORY
--exclude=REGEX                      Don't scan file names matching REGEX
--exclude-dir=REGEX                  Don't scan directories matching REGEX
--include=REGEX                      Only scan file names matching REGEX
--include-dir=REGEX                  Only scan directories matching REGEX

--bytecode[=yes(*)/no]               Load bytecode from the database
--bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
--bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
--detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
--exclude-pua=CAT                    Skip PUA sigs of category CAT
--include-pua=CAT                    Load PUA sigs of category CAT
--detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
--structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N             Min SSN count to generate a detect
--structured-cc-count=N              Min CC count to generate a detect
--scan-mail[=yes(*)/no]              Scan mail files
--phishing-sigs[=yes(*)/no]          Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--phishing-ssl[=yes/no(*)]           Always block SSL mismatches in URLs (phishing module)
--phishing-cloak[=yes/no(*)]         Always block cloaked URLs (phishing module)
--partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics.
--algorithmic-detection[=yes(*)/no]  Algorithmic detection
--scan-pe[=yes(*)/no]                Scan PE files
--scan-elf[=yes(*)/no]               Scan ELF files
--scan-ole2[=yes(*)/no]              Scan OLE2 containers
--scan-pdf[=yes(*)/no]               Scan PDF files
--scan-swf[=yes(*)/no]               Scan SWF files
--scan-html[=yes(*)/no]              Scan HTML files
--scan-xmldocs[=yes(*)/no]           Scan xml-based document files
--scan-hwp3[=yes(*)/no]              Scan HWP3 files
--scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
--detect-broken[=yes/no(*)]          Try to detect broken executable files
--block-encrypted[=yes/no(*)]        Block encrypted archives
--nocerts                            Disable authenticode certificate chain verification in PE files
--dumpcerts                          Dump authenticode certificate chain in PE files

--max-filesize=#n                    Files larger than this will be skipped and assumed clean
--max-scansize=#n                    The maximum amount of data to scan for each container file (**)
--max-files=#n                       The maximum number of files to scan for each container file (**)
--max-recursion=#n                   Maximum archive recursion level for container file (**)
--max-dir-recursion=#n               Maximum directory recursion level
--max-embeddedpe=#n                  Maximum size file to check for embedded PE
--max-htmlnormalize=#n               Maximum size of HTML file to normalize
--max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n             Maximum size of script file to normalize
--max-ziptypercg=#n                  Maximum size zip to type reanalyze
--max-partitions=#n                  Maximum number of partitions in disk image to be scanned
--max-iconspe=#n                     Maximum number of icons in PE file to be scanned
--max-rechwp3=#n                     Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n                Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matching.
--enable-stats                       Enable statistical reporting of malware
--disable-pe-stats                   Disable submission of individual PE sections in stats submissions
--stats-timeout=#n                   Number of seconds to wait for waiting a response back from the stats server
--stats-host-id=UUID                 Set the Host ID used when submitting statistical info.
--disable-cache                      Disable caching and cache checks for hash sums of scanned files.

(*) Default scan settings

1 Like

ok got it…my human error, but it is still in development and I need feedbacks like yours :slight_smile:

Now I’m coding for NS6 and even if it is the version 0.99, you have less options than with NS7 and the version 0.99.2

Possibly, but I’m a big fan to make settings being optional, available to the end user…but like I said, it is the coding time and the right time to modify stuffs, please stay tuned.

In the same manner, if you see non English sentences, please shout…I’m French

1 Like