Hi there,

On Sat, 6 Apr 2019, Robert F. Poe wrote:

> I need clarification for the proper action to take after finding viruses and malware.

I'll try not to be misled by your questions.

> I use ClamAV Virus Scanner (or Clamscan) to scan my server on a weekly basis. I have the Virus Scanner via my cPanel control panel. I have always taken the action to Destroy the files, but others will return over a period of time.

Later, I'll ask you to provide more information.

> My Question is "What is the difference between the choices Disinfect and Quarantine?"

This question is inappropriate, so I'll skip some and explain later.

> I have been Destroying all infected files, both malware and email,

It's not clear to me what these infected files are.

> but I'm not sure if that is my best option.
I'm quite sure it isn't. You should stop whatever you're doing and, before you start doing it again, take some time to think about it.

As I said earlier, more information is needed. You haven't said what operating system or systems you're using on your server. You haven't said who provides your "control panel", nor what it actually does when you "scan my server". You haven't said what these files are that you have always destroyed nor what you think was wrong with them. Without much more information (and I'm fairly sure that you don't yet have it, so you will need to direct questions to your supplier) we can't help much more than give general advice. So this is general advice - back to thinking about it.

If the server we're talking about is for example a Linux box, then it will definitely not be normal to find malware and viruses on it - at least for most definitions of 'normal'. There are (and here I take a few liberties) two exceptions to this, and I'm going to distinguish between those cases and the rest (the vast majority) of more or less any server. The exceptions are when the server provides space for unknown data to be stored, and when the server handles email; similar, but not quite the same thing. Both are effectively handling unknown data from unknown sources. In one case you store it and maybe serve it back to clients, in the other you usually pass it on. This isn't something that I'd recommend to anyone, and if you're not strong on security I'd strongly recommend against doing it, because you will just become part of the problem and you might even be blamed for it. Drink deep, or taste not.

Apart from handling mail and unknown data, using something like ClamAV to scan a server should be contemplated only after a great deal of work has been done to make yourself as sure as is possible that there will never be anything for ClamAV to find.
That means at least making an inventory of all the software (and that includes firmware) on the machine, and putting in place procedures to keep informed of security issues as they appear and to deal with them promptly and effectively. You will shut down all but essential services, set up defences against attacks on any services which are available over the network, make sure that you control access to the server by any other means, and of course set up a monitoring system to keep an eye on it all and record for posterity - or at least the Courts - that you've been doing the job conscientiously. Recently, even some processors (CPUs) have been found to be vulnerable to some kinds of attack, and you'll need to understand the implications of that in your situation.

Security issues pop up more than daily in a population of software packages which on most machines will number at least in the hundreds, usually in the thousands and quite possibly in the tens of thousands. So it's quite a task; nobody else can really do it for you unless you can pay them to do it. Not doing it (or not having it done for you) is at best irresponsible. Doing the job well will probably mean that scanning the server with ClamAV uses resources which could be more profitably employed in other ways. Trawling the system's logs springs to mind; when did you last look at yours?

Having put in place the proper mechanisms for keeping yourself well-informed and your server software patched up to date, and very possibly taking steps to be able to replace the server hardware if it becomes necessary, then you can breathe a little more easily. This doesn't mean that your server won't be successfully attacked, but it means it won't be hanging amongst the low fruit, which is where you seem to be telling us that it IS hanging at the moment. The low-hanging fruit is routinely attacked, by automated means. Its compromise is a foregone conclusion, and is just a matter of time.
You've said that you always destroy "all infected files" but you haven't said what they've been infected with, nor what you did to prevent a repetition, nor even what steps you've taken to ensure that they were, in fact, infected. Don't make the mistake of thinking that if ClamAV says it has found that a file is infected, you have to believe it. Like any other scanning engine ClamAV is prone to what we call 'false positives'.

One way that scanners use to decide if a file contains something malicious is to compare it against a bunch of data 'patterns'. These patterns are produced by humans in response to new threats as they arise, and then propagated around the world by an automated system. Since new threats appear by the minute, patterns are being produced all the time, and sometimes under less than ideal conditions - inadequate information, not enough time, not enough coffee/pizza/sleep, and so on. Very often the result is a pattern which not only matches some malicious bit of code, but also happens to match some vital bit of code which has lived on a server and worked perfectly properly for the past several years. Suddenly the scanner says it's infected. If you delete, disinfect, or quarantine it, something might break. The server might well go down, and/or become unbootable.

Earlier I said a question was inappropriate. It assumed that (a) the file's infection is a proven fact, and (b) that there are perhaps two alternatives for action to be taken after an infection is found. Both are wrong. The first question should be "Do I believe what this is telling me?". There is only one action to be taken if you do. There are ways of verifying a claim that a file is infected. If you don't do that, but just jump in with both feet and delete (or move) a file or files, then you're playing Russian roulette with the system (and you aren't solving the problem - you're just hiding a symptom). So first verify that what you think has happened has in fact happened.
If there really is some infection, and especially if it "will return over a period of time", then the next question must wait a little. It must wait until you've disconnected the system from all networks, and shut it down, hopefully in as forensic a manner as possible so that any evidence is preserved. If it's a remote system that might present a few issues, but it's still feasible. I'll leave aside the question of the backup system which you have ready for such an occasion.

The next question is then "What is it?" and a more important one is "How did it get there?" Finally, "What did I do wrong, and how am I going to stop this from happening again?" Getting rid of it will come later; that usually means blowing away the whole system, and starting again from scratch. These days, as long as you took the right precautions, that's not necessarily quite as big a deal as it might sound.

Over to you.

--
73, Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
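The reply above says a ClamAV hit should be verified before anything is deleted, but does not say how. The script below is an added example, written for this page; it is not from the mail, from ClamAV or from cPanel. It turns `clamscan` output into a triage report instead of a deletion: every flagged path is checked against the OS package manager (a package-owned file that still matches its package is a false positive by the mail's own reasoning), then against a local allowlist of SHA-256 hashes of files you have vetted by hand, and anything else is left in place and marked for manual analysis. Assumed: clamscan's default `<path>: <signature> FOUND` line format, `sha256sum` (coreutils) or `shasum` (BSD/macOS) on the PATH, and `rpm` or `dpkg` if the host has them. The allowlist path `/root/known-good.sha256`, the verdict names and the sample clamscan lines are made up for the example.

```shell
#!/bin/sh
# Added example (not from the mail or from ClamAV): triage clamscan hits
# instead of deleting them. Each hit is checked against the OS package
# manager (rpm/dpkg, if present) and a local allowlist of known-good SHA-256
# hashes; anything else is left in place and marked for manual analysis.
# Assumed: clamscan's default "<path>: <signature> FOUND" output lines, and
# sha256sum (coreutils) or shasum (BSD/macOS) on the PATH.

# Print "<path>|<signature>" for every FOUND line read on stdin.
# Summary lines ("Infected files: 1") and "...: OK" lines are ignored.
parse_clam_hits() {
    awk '$NF == "FOUND" {
        sig = $(NF - 1)
        # drop the trailing ": <sig> FOUND" (2 + length(sig) + 6 characters)
        print substr($0, 1, length($0) - length(sig) - 8) "|" sig
    }'
}

# SHA-256 of a file, with whichever hashing tool this host has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# If the file is owned by an OS package, ask the package manager whether it
# still matches the package: prints PKG_CLEAN or PKG_CHANGED. Prints nothing
# for files no package owns (web content, uploads, mail spools).
package_status() {
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$1" >/dev/null 2>&1; then
        # rpm -V lists only the files that differ from the package database
        if rpm -Vf "$1" 2>/dev/null | grep -q " $1$"; then
            echo PKG_CHANGED
        else
            echo PKG_CLEAN
        fi
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            # dpkg -V likewise lists only files whose md5sum no longer matches
            if dpkg -V "$pkg" 2>/dev/null | grep -q " $1$"; then
                echo PKG_CHANGED
            else
                echo PKG_CLEAN
            fi
        fi
    fi
    return 0
}

# Verdict for one flagged path. $2 is an allowlist in "sha256  path" format
# (the output of sha256sum run over files you have vetted by hand).
#   MISSING      the file is already gone
#   PKG_CLEAN    package-owned and unmodified: a false positive, not an infection
#   PKG_CHANGED  package-owned but altered on disk: treat as a compromise
#   ALLOWLISTED  hash is on the vetted list: a false positive, not an infection
#   INVESTIGATE  unknown file: preserve it and look at it before deciding
triage_hit() {
    path=$1
    allowlist=$2
    [ -e "$path" ] || { echo MISSING; return 0; }
    st=$(package_status "$path")
    if [ -n "$st" ]; then
        echo "$st"
        return 0
    fi
    sum=$(file_sha256 "$path")
    if [ -f "$allowlist" ] && grep -q "^$sum " "$allowlist"; then
        echo ALLOWLISTED
    else
        echo INVESTIGATE
    fi
}

# Read clamscan output on stdin; print "verdict<TAB>signature<TAB>path" per hit.
# A path containing "|" would confuse the split. Nothing is deleted or moved.
triage_report() {
    allowlist=$1
    parse_clam_hits | while IFS='|' read -r path sig; do
        printf '%s\t%s\t%s\n' "$(triage_hit "$path" "$allowlist")" "$sig" "$path"
    done
}

# Demo on constructed clamscan output: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' \
        '/var/www/html/upload/x.php: Php.Malware.Example-1 FOUND' \
        '/usr/bin/ls: OK' \
        'Infected files: 1' | triage_report /root/known-good.sha256
fi
```

In use, source the file and pipe a real scan through it, for example `clamscan -r --infected /var/www | { . ./triage.sh; triage_report /root/known-good.sha256; }`, and act only on `PKG_CHANGED` and `INVESTIGATE` lines, and even then by preserving the file (a copy with its metadata, or a disk image) before anything is removed, since the file and its timestamps are the evidence for the "how did it get there?" question. Two caveats: `dpkg -V` only compares md5sums, so it proves a file is unmodified, not that the package itself is trustworthy; and a signature hit on an unowned, unlisted file says nothing either way until someone looks at it.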