Koozali.org: home of the SME Server

Does ClamAV on SME remove viruses it finds ?

Offline Amir Inbar

Does ClamAV on SME remove viruses it finds ?
« on: January 24, 2009, 01:13:41 AM »
I couldn't find any direct answer to that question.

Using SME as a file server, can the daily anti-virus scan remove the infected files after it finds them, or do I HAVE TO set up "Quarantine infected files" on the server panel?

If I do set up "Quarantine infected files", what happens to the quarantined files? Does the server delete them? If it does, when?
« Last Edit: January 24, 2009, 01:15:53 AM by amir »

Offline dgs

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #1 on: January 24, 2009, 09:26:48 AM »
If you set the option "Quarantine infected files", the anti-virus will move infected files to a quarantine directory. If you do not set it, the virus scanner will only report the location, requiring you to take action manually.

Quarantined files are moved to /var/spool/clamav/quarantine/ which will only be accessible with administrator access.

An email report is sent to the admin account after each run of the virus scanner. You can set the frequency that the scanner runs.

eg:

----------- SCAN SUMMARY -----------
Known viruses: 936566
Engine version: 0.94.2
Scanned directories: 3599
Scanned files: 58227
Infected files: 0
Data scanned: 34875.64 MB
Time: 11193.436 sec (186 m 33 s)

An identified virus is reported similar to the example shown below.

/home/e-smith/files/users/bob/home/Store/Olddocs/australia.exe: Joke.Flipped-2 FOUND
/home/e-smith/files/users/bob/home/Store/Olddocs/australia.exe: moved to '/var/spool/clamav/quarantine//australia.exe'

« Last Edit: January 24, 2009, 09:28:42 AM by dgs »
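The report format described in this reply, parsed as an added example (this is not code from the thread or from SME Server): it reads a constructed ClamAV report modelled on the two snippets above, pulls out the "Infected files" count and the FOUND lines, and flags any detection that has no matching "moved to" line, which is exactly the case an admin running without "Quarantine infected files" would otherwise have to notice by eye in the daily mail. The sample report, the function names and the status-line wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not SME Server's code: summarise a ClamAV report of the kind
# SME mails to admin after each scheduled scan.
# The report text below is constructed, modelled on the snippets in Reply #1.

sample_report() {
    cat <<'EOF'
/home/e-smith/files/users/bob/home/Store/Olddocs/australia.exe: Joke.Flipped-2 FOUND
/home/e-smith/files/users/bob/home/Store/Olddocs/australia.exe: moved to '/var/spool/clamav/quarantine//australia.exe'
/home/e-smith/files/users/alice/home/Store/report.doc: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 936566
Engine version: 0.94.2
Scanned directories: 3599
Scanned files: 58227
Infected files: 2
Data scanned: 34875.64 MB
Time: 11193.436 sec (186 m 33 s)
EOF
}

# Value of the "Infected files:" summary line (0 when the line is absent).
infected_count() {
    n=$(awk -F': ' '/^Infected files:/ { print $2 }')
    echo "${n:-0}"
}

# Every detection as "<path><TAB><signature>".
found_lines() {
    awk -F': ' '/ FOUND$/ { sig = $2; sub(/ FOUND$/, "", sig); print $1 "\t" sig }'
}

# Detected paths with no matching "moved to" line: the file is still in place,
# which is the normal state when "Quarantine infected files" is switched off.
unquarantined() {
    awk -F': ' '
        / FOUND$/    { found[$1] = 1 }
        / moved to / { moved[$1] = 1 }
        END { for (p in found) if (!(p in moved)) print p }
    '
}

# One-line verdict for the admin mailbox; exit status 1 when action is needed,
# so a cron wrapper can mail a distinct subject instead of the routine summary.
report_status() {
    report=$(cat)
    n=$(printf '%s\n' "$report" | infected_count)
    if [ "$n" -eq 0 ]; then
        echo "OK: no infected files reported"
        return 0
    fi
    pending=$(printf '%s\n' "$report" | unquarantined | wc -l | tr -d ' ')
    echo "ATTENTION: $n infected file(s), $pending still in place (not quarantined)"
    return 1
}

# Stand-alone demo on the constructed report.
sample_report | found_lines
sample_report | report_status || echo "exit status $? tells the wrapper to escalate"
```

Feed the real report into `report_status` from whatever wraps the scan (the mail body, or clamscan's own output) and key an alert on the non-zero exit status; the full report can still go to admin as before.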

Offline Amir Inbar

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #2 on: January 24, 2009, 09:32:58 AM »
That means that if I did NOT mark "Quarantine infected files" at the server panel, the anti-virus is only preventing infected emails from entering the server, and the anti-virus scan does nothing but report.
It is very important to let administrators know (I think), and that they need to actively keep an eye on the virus scanner log.

Is there any pre-written script to automatically delete the quarantined files, or should I create a cron job manually?

Offline dgs

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #3 on: January 24, 2009, 09:42:45 AM »
That means that if I did NOT mark "Quarantine infected files" at the server panel, the anti-virus is only preventing infected emails from entering the server, and the anti-virus scan does nothing but report.

It is very important to let administrators know (I think), and that they need to actively keep an eye on the virus scanner log.

It is very important for administrators to keep an eye on the reports and logs even when the quarantine option is selected.

The SME server antiviral does not remove the need to maintain active and up to date virus scanner software on any connected workstations.

Offline Amir Inbar

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #4 on: January 24, 2009, 10:15:18 AM »
The SME server antiviral does not remove the need to maintain active and up to date virus scanner software on any connected workstations.

It is obvious that workstations need an active anti-virus solution, but I am trying to emphasize a point here: SME acts as a file server and, as such, it contains files stored by users.

Neither the server panel nor the documentation says that clearly!
One can understand that as long as there is a virus scan running daily or weekly on the server, the files stored on it are protected and cleaned.

This is NOT the case! And I think that, as I have made the mistake of believing it is, more administrators can misunderstand that point...

Offline Stefano

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #5 on: January 24, 2009, 03:15:11 PM »
It is obvious that workstations need an active anti-virus solution, but I am trying to emphasize a point here: SME acts as a file server and, as such, it contains files stored by users.

Neither the server panel nor the documentation says that clearly!
One can understand that as long as there is a virus scan running daily or weekly on the server, the files stored on it are protected and cleaned.

This is NOT the case! And I think that, as I have made the mistake of believing it is, more administrators can misunderstand that point...

Just my point of view: if clients have AV, files on SME should be clean. If not, SME, as a FILE SERVER, should not delete files, but only report to the admin that:
- probably an AV on a client failed/is failing (trojan, malware, false negative?)
- probably ClamAV is failing (false positive?)

Anyway, I, as an admin, don't want my server to delete files.

Ciao
Stefano

Offline Amir Inbar

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #6 on: January 24, 2009, 09:54:36 PM »
if clients have AV, files on SME should be clean..

That is only theoretically correct!
I can tell you that there are a lot of bad things a USER can do, even if he has excellent, working anti-virus software installed...
Besides, SME does not, by default, scan inside compressed files, so any user can receive a compressed infected file...
As you know, users do things they shouldn't, and yes, I know I can prevent them from having rights to do stuff...

Offline Amir Inbar

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #7 on: January 24, 2009, 11:21:19 PM »
I've re-read your post and again: the problem is not whether the anti-virus SHOULD delete or not; the problem I'm pointing at here is that it should be written explicitly that when you do not use "Quarantine infected files" at the server manager, the scan will only produce a log and that's all.

Offline dgs

Re: Does ClamAV on SME remove viruses it finds ?
« Reply #8 on: January 25, 2009, 12:39:54 AM »
Neither the server panel nor the documentation says that clearly!
One can understand that as long as there is a virus scan running daily or weekly on the server, the files stored on it are protected and cleaned.

This is NOT the case! And I think that, as I have made the mistake of believing it is, more administrators can misunderstand that point...

Yes it appears there are some holes in the documentation regarding the SME implementation of Clam AV, but we should all be well aware of the limited resources available for completing these tasks. As administrators the onus is on us to know how our servers are behaving and configure them to our own satisfaction. Any antivirus measure is only a helpful tool, none are an absolute guarantee.

Just my point of view: if clients have AV, files on SME should be clean. If not, SME, as a FILE SERVER, should not delete files, but only report to the admin that:
- probably an AV on a client failed/is failing (trojan, malware, false negative?)
- probably ClamAV is failing (false positive?)

Anyway, I, as an admin, don't want my server to delete files.

Ciao
Stefano

The SME server DOES NOT delete files it suspects as infected! It quarantines them: the file is moved, not destroyed, even if to the end user it may appear to have disappeared. This gives the admin some (but far from perfect) measures to halt the spread of a virus.

It's up to the individual admin whether the benefit of quarantining a file exceeds the disadvantage of having false positives quarantined. Thankfully we have the option to select our personal preference.

For my two bobs' worth, I prefer to have suspect files quarantined so I can check and then delete or reinstate as appropriate. Generally I find that the occasional false positives are no longer detected as such.

There is plenty of scope for transfer of infected files between SME AV scans, but like all things antivirus it's a trade-off between functionality and safety.

This may be a good opportunity for us all to collect our thoughts and to help contribute with the missing documentation.