Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
beez
Junior Member
Posts: 2 Joined: 06 Mar 2025, 09:34
by beez » 06 Mar 2025, 10:13
Hello all,
I'm currently trying to figure out why the cxs scan doesn't quarantine the virus it found:
Code:
# /usr/sbin/cxs --clamdsock /var/clamd --dbreport --deep --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --mail root --options mMOLfuSGchexdnwZRrD --paction veryhigh --preport medium --probability --quarantine /home/cxs_quarantine --sizemax 1000000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --user cpaneluser --virusscan --vmrssmax 2000000 --waitscan 0 --www --xtra /etc/cxs/cxs.xtra --debug
debug: Virus Scan - [PING]
debug: Virus Scan - [PONG]
Scanning /home/cpaneluser/public_html:
debug: Exploit Scan - [/home/cpaneluser/public_html]
debug: Exploit Scan - [/home/cpaneluser/public_html/.htaccess]
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/.htaccess]
debug: Virus Scan - [/home/cpaneluser/public_html/.htaccess: OK]
...
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/eicar.com]
debug: Virus Scan - [/home/cpaneluser/public_html/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
debug: Exploit Scan - [/home/cpaneluser/public_html/eicar.com-2]
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/eicar.com-2]
debug: Virus Scan - [/home/cpaneluser/public_html/eicar.com-2: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
debug: Exploit Scan - [/home/cpaneluser/public_html/eicar.com-3]
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/eicar.com-3]
debug: Virus Scan - [/home/cpaneluser/public_html/eicar.com-3: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
debug: Exploit Scan - [/home/cpaneluser/public_html/eicar.com-4]
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/eicar.com-4]
debug: Virus Scan - [/home/cpaneluser/public_html/eicar.com-4: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
debug: Exploit Scan - [/home/cpaneluser/public_html/error_log]
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/error_log]
...
----------- SCAN SUMMARY -----------
Scanned directories: 8
Scanned files: 79
Ignored items: 1
Suspicious matches: 0
Probability medium: 0
Probability high: 0
Probability veryhigh: 0
Viruses found: 0
Fingerprint matches: 0
Data scanned: 0.46 MB
Scan peak memory: 200772 kB
Scan time/item: 0.029 sec
Scan time: 2.491 sec
Before that, it worked, but it seems like the signature was different:
Code:
'/home/cpaneluser/public_html/eicar.com'
# (quarantined to /home/cxs_quarantine/cxsuser/cpaneluser/eicar.com.1740503979_1) ClamAV detected virus = [Win.Test.EICAR_HDB-1]
Sarah
Moderator
Posts: 944 Joined: 09 Dec 2006, 22:49
by Sarah » 06 Mar 2025, 16:03
It looks like an unofficial eicar test. Try it using the official eicar file. Also, you do not appear to have --qoptions set in your cxs command line. I'm not sure how you've done that since it should be set to --qoptions Mv if the --quarantine option is set.
beez
Junior Member
Posts: 2 Joined: 06 Mar 2025, 09:34
by beez » 07 Mar 2025, 06:18
The eicar file is the official one downloaded from eicar.org, but somehow clamav reports it as that.
I'm using the clamav for cpanel, with no customization of the configuration file.
Here is the scan result using --qoptions Mv:
Code:
# cxs --user cpaneluser --www --quarantine /home/cxs_quarantine --qoptions Mv --debug
debug: Virus Scan - [PING]
debug: Virus Scan - [PONG]
Scanning /home/cpaneluser/public_html:
...
debug: Exploit Scan - [/home/cpaneluser/public_html/eicar.com]
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/eicar.com]
debug: Virus Scan - [/home/cpaneluser/public_html/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
...
----------- SCAN REPORT -----------
TimeStamp: Fri, 7 Mar 2025 13:07:39 +0700
(/usr/sbin/cxs --clamdsock /var/clamd --dbreport --debug --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --ignore /etc/cxs/cxs.ignore --options mMOLfSGchexdnwZDRru --noprobability --qoptions Mv --quarantine /home/cxs_quarantine --sizemax 1000000 --ssl --summary --sversionscan --timemax 30 --nounofficial --user cpaneluser --virusscan --vmrssmax 2000000 --waitscan 0 --www --xtra /etc/cxs/cxs.xtra)
Scanning /home/cpaneluser/public_html:
----------- SCAN SUMMARY -----------
Scanned directories: 8
Scanned files: 76
Ignored items: 1
Suspicious matches: 0
Viruses found: 0
Fingerprint matches: 0
Data scanned: 0.46 MB
Scan peak memory: 79784 kB
Scan time/item: 0.024 sec
Scan time: 2.024 sec
VmPeak: 79784 kB
VmSize: 79784 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 71484 kB
VmRSS: 71484 kB
VmData: 59736 kB
VmStk: 132 kB
VmExe: 4 kB
VmLib: 9340 kB
VmPTE: 192 kB
VmSwap: 0 kB
Scan Report saved to database
And here is the clamscan result directly on the file:
Code:
# clamscan /home/cpaneluser/public_html/eicar.com
Loading: 16s, ETA: 0s [========================>] 8.72M/8.72M sigs
Compiling: 4s, ETA: 0s [========================>] 42/42 tasks
/home/cpaneluser/public_html/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8720787
Engine version: 1.0.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 21.429 sec (0 m 21 s)
Start Date: 2025:03:07 13:09:34
End Date: 2025:03:07 13:09:56
Code:
# which clamscan
/usr/local/bin/clamscan
# ll /usr/local/bin/clamscan
lrwxrwxrwx 1 root root 39 Mar 6 17:14 /usr/local/bin/clamscan -> /usr/local/cpanel/3rdparty/bin/clamscan
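
One way to triage the mismatch shown in this thread, where the clamd debug lines say FOUND but the summary says "Viruses found: 0" (an added example, not code from the posters or from cxs). The `triage` helper and the sample text are constructed here, and the idea that `--nounofficial` is why `.UNOFFICIAL` matches go unreported is an assumption to verify against the cxs documentation.

```python
import re

# Constructed sample in the debug/summary format shown in the thread (abridged).
SAMPLE = """\
(/usr/sbin/cxs --clamdsock /var/clamd --debug --qoptions Mv --quarantine /home/cxs_quarantine --nounofficial --user cpaneluser --virusscan --www)
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/.htaccess]
debug: Virus Scan - [/home/cpaneluser/public_html/.htaccess: OK]
debug: Virus Scan - [SCAN /home/cpaneluser/public_html/eicar.com]
debug: Virus Scan - [/home/cpaneluser/public_html/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
----------- SCAN SUMMARY -----------
Scanned files: 76
Viruses found: 0
"""

FOUND_RE = re.compile(r"^debug: Virus Scan - \[(.+): (\S+) FOUND\]$")
SUMMARY_RE = re.compile(r"^Viruses found:\s*(\d+)$")
CMDLINE_RE = re.compile(r"^(?:#\s*|\()(?:\S*/)?cxs\s")


def triage(text):
    """Compare clamd FOUND lines with the cxs summary count (hypothetical helper)."""
    hits, reported, flags = [], None, set()
    for line in (raw.strip() for raw in text.splitlines()):
        found = FOUND_RE.match(line)
        summary = SUMMARY_RE.match(line)
        if found:
            hits.append((found.group(1), found.group(2)))  # (path, signature)
        elif summary:
            reported = int(summary.group(1))
        elif CMDLINE_RE.match(line):
            flags.update(re.findall(r"--[A-Za-z]+", line))
    unofficial = [h for h in hits if h[1].endswith(".UNOFFICIAL")]
    unreported = None if reported is None else len(hits) - reported
    return {
        "clamd_hits": hits,
        "reported": reported,
        "unreported": unreported,
        "unofficial_hits": unofficial,
        "nounofficial_set": "--nounofficial" in flags,
        "qoptions_set": "--qoptions" in flags,
        # Assumption to verify in the cxs documentation: --nounofficial makes
        # cxs disregard signatures whose name ends in .UNOFFICIAL.
        "check_nounofficial": unreported is not None
        and 0 < unreported <= len(unofficial)
        and "--nounofficial" in flags,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
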