ANS Documentation


ClamAV¶

ClamAV Virus detected multiple times¶

What does this rule mean?

Potentially indicating an outbreak, this rule is triggered when multiple anti-virus warning messages are generated in a short period. This could mean that multiple pieces of malware have been discovered, and further action may be needed. It’s common to see other rules trigger in addition to this one that elaborate on the nature of the malware. Nevertheless, we always recommend manually checking your anti-virus logs and status for information, and acting accordingly.

Many attackers follow an attack with malware. Installing a trojan, backdoor, rootkit or RAT on your server is high on an attacker’s priority list. Should the intrusion be discovered and the exploited weakness patched, this malware could allow the attacker to regain access to your server, potentially bypassing authentication and auditing controls.

Outbreaks are common with more sophisticated malware. It will often replicate itself, creating different signatures and changing its code in the process in an attempt to become undetectable. This is called polymorphic malware and it’s incredibly difficult to discover and remove.

What triggers this rule?

One of the most common triggers for this rule is unwanted software that is installed along with third-party applications, ranging from toolbars to trojans like the infamous PCOptimiserPro. This rule can also trigger when legitimate software is flagged, which can happen when the operating system doesn’t recognise an application.

Additionally, malware may have infected the system from other sources, such as following a successful attack, through a malicious email or a suspicious file. After the initial malware event has been dealt with, the Threat Monitoring team is on hand to provide support when investigating further into the origins of the malware.

What action do I need to take?

As a first responder, you should log into the server in question to determine whether the file in question was deleted by the anti-virus software. If it was successfully removed, we recommend manually running a system scan to check for any remnants of the malware. Should the malware still be present on the system, it should be removed, either through the anti-virus program’s quarantine feature or manually. Once this has been done, another system scan should be run.

For good measure, we also recommend running a fresh ClamAV scan.

First, you have to update the virus definitions with:

`sudo freshclam`

Then you can scan for viruses.

`clamscan OPTIONS File/Folder`

If necessary, start with root permissions: `sudo clamscan`.

Examples:

To check all files on the computer, displaying the name of each file:

`clamscan -r /`

To check all files on the computer, but only display infected files and ring a bell when one is found:

`clamscan -r --bell -i /`

To scan all files on the computer but only display infected files when found and have this run in the background:

`clamscan -r -i / &`

Note - Display background process status by running the `jobs` command.

To check files in all users’ home directories:

`clamscan -r /home`

To check files in the USER home directory and move infected files to another folder:

`clamscan -r --move=/home/USER/VIRUS /home/USER`

To check files in the USER home directory and remove infected files (WARNING: Files are gone.):

`clamscan -r --remove /home/USER`

To see more options:

`clamscan --help`

Source: https://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav
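The steps above (update definitions, scan recursively, quarantine what is found, then review) combined into one script, as an added example that is not part of the ANS documentation; it also serves as the rescan recommended after restarting clamd in the next section. It turns clamscan's documented exit status (0 nothing found, 1 infected files, 2 error) and its report into a verdict and a list of detections for the follow-up investigation. The quarantine directory and report path are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the ANS documentation): run the manual ClamAV scan
# described above and triage the result. The quarantine and report paths are
# assumptions; change them to suit the server.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"   # keep this outside the scanned tree
REPORT_FILE="${REPORT_FILE:-/var/log/clamscan-manual.txt}"

# clamscan's exit status: 0 = nothing found, 1 = infected file(s), 2 = error.
verdict_for_exit_code() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "infected" ;;
    *) echo "error" ;;
  esac
}

# Print each "path: Signature FOUND" line of a report as "path<TAB>signature",
# splitting on the last ": " so paths that contain colons are handled.
list_detections() {
  awk '/ FOUND$/ {
    sub(/ FOUND$/, "")
    i = match($0, /: [^:]*$/)
    print substr($0, 1, i - 1) "\t" substr($0, i + 2)
  }' "$1"
}

# Read the "Infected files:" counter from the SCAN SUMMARY block of a report.
infected_count() {
  sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1"
}

# Update signatures, scan TARGET recursively, quarantine hits, and report.
run_scan() {
  target="$1"
  mkdir -p "$QUARANTINE_DIR"
  chmod 700 "$QUARANTINE_DIR"
  if ! freshclam; then
    echo "warning: signature update failed, scanning with existing definitions" >&2
  fi
  # -r recurse, -i report infected files only, --move quarantine what is found
  clamscan -r -i --move="$QUARANTINE_DIR" "$target" > "$REPORT_FILE"
  rc=$?
  echo "verdict: $(verdict_for_exit_code "$rc"), infected files: $(infected_count "$REPORT_FILE")"
  list_detections "$REPORT_FILE"
  return "$rc"
}

# Uncomment to run for real (needs root, clamscan and freshclam installed):
# run_scan /home
```

Keep the report file: together with the quarantined copies it is what the Threat Monitoring team will ask for when investigating where the malware came from.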

Clamd Error¶

What does this mean?

As an informational rule, this will trigger when the ClamAV service hits an error. Pending further investigation, this error could mean that the ClamAV watchdog/service has crashed or that a scan has failed before it could complete.

Unfortunately, ClamAV does not pass much information about the root cause of the error to Threat Monitoring through its log file. In response to this rule, a quick investigation into the cause of the issue is recommended, along with whatever remediation is needed to bring the service back up.

How can I fix this?

We recommend looking directly at the raw ClamAV log; it may contain more verbose information indicating why the service entered an error state.

The clamd service can be restarted easily with:

`service clamd restart`

or on a cPanel installation:

`/scripts/restartsrv_clamd`

For good measure, we also recommend running a fresh ClamAV scan, following the steps given under "ClamAV Virus detected multiple times" above.

