ClamAV is a free, open-source antivirus engine for detecting trojans, viruses, malware and other malicious threats. In this article we set up ClamAV on an Ubuntu 14.04 LTS server, integrate it with the Apache ModSecurity web application firewall, and use it to scan files uploaded through a web application.
Install ClamAV
Install clamav and clamav-daemon from the Ubuntu repositories:
$ sudo apt-get install clamav clamav-daemon -y
Update the ClamAV signature database:
$ sudo freshclam
Start clamav-daemon:
$ sudo /etc/init.d/clamav-daemon start
Add Anti-virus scanning rules in the ModSecurity
Create a symbolic link to the optional anti-virus rule file, modsecurity_crs_46_av_scanning.conf, inside the activated rules directory:
# cd /usr/share/modsecurity-crs/activated_rules
# ln -s ../optional_rules/modsecurity_crs_46_av_scanning.conf
Edit the configuration in the rule file modsecurity_crs_46_av_scanning.conf:
# nano modsecurity_crs_46_av_scanning.conf
Here, set the path of the scanner script in the "@inspectFile" operator so that it points at the runav.pl shipped with the CRS. The trailing $ on the second line below is nano's marker that the line continues beyond the screen width; the rest of the rule is left unchanged.
SecRule FILES_TMPNAMES "@inspectFile /usr/share/modsecurity-crs/util/av-scanning/runav.pl" \
"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity$
Restart Apache2:
# service apache2 restart
Test the configuration by uploading a test file through the upload function of a web application hosted on the server. Use the EICAR test file if you don't want to take the risk of handling real malicious files.
If ModSecurity is in DetectionOnly mode, check the ModSecurity log for the rule match; in active mode ModSecurity instead applies the rule's default action, i.e. the upload is rejected with a 403 Forbidden error.
Note: the file upload service may become a little sluggish because ClamAV scans every upload during request processing.
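The scan step above relies on the @inspectFile protocol: ModSecurity runs the script with the temporary path of the uploaded file as its only argument and reads a single line of output, where a leading 1 accepts the file and a leading 0 makes the rule match (the rest of the line becomes the log message). The POSIX sh script below is an added example, not the CRS runav.pl and not part of the original post; it mirrors the way runav.pl maps clamscan output to that verdict line and, purely as an assumption for testing, lets the scanner command be overridden through a CLAMSCAN environment variable. A script that exits without printing anything (not executable by the Apache user, missing interpreter, scanner not on PATH) makes ModSecurity log "Execution failed while reading output ... (End of file found)" and abort rule processing, which is why the wrapper always prints exactly one verdict line and fails closed.

```shell
#!/bin/sh
# Added example, not the CRS runav.pl: a minimal @inspectFile scanner wrapper.
# ModSecurity calls it as  <script> <path-to-uploaded-temp-file>  and reads one
# line: "1 <msg>" accepts the file, "0 <msg>" makes the rule match (block/log).
#
# Assumption for testing (not in the original post): the scanner command can be
# overridden with the CLAMSCAN environment variable.
CLAMSCAN="${CLAMSCAN:-clamscan}"

# Turn the first line of clamscan output into the verdict line ModSecurity
# expects, mirroring the cases handled by the CRS runav.pl script.
classify_clamscan_line() {
    line="$1"
    case "$line" in
        *": Empty file"|*": Empty file.")
            echo "1 empty file" ;;
        *" FOUND")
            sig="${line##*: }"; echo "0 clamscan: ${sig% FOUND}" ;;
        *" ERROR")
            err="${line##*: }"; echo "0 clamscan: ${err% ERROR}" ;;
        *": OK")
            echo "1 clamscan: OK" ;;
        *)
            # Unknown output: fail closed, as runav.pl does.
            echo "0 Unable to parse clamscan output [$line]" ;;
    esac
}

# Scan one file and always emit exactly one verdict line. Printing nothing is
# the failure mode behind "Execution failed while reading output ... (End of
# file found)": ModSecurity then aborts rule processing instead of blocking.
inspect_file() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "0 inspect: cannot read $file"
        return 0
    fi
    first=$("$CLAMSCAN" --stdout --no-summary "$file" 2>/dev/null | head -n 1)
    if [ -z "$first" ]; then
        echo "0 inspect: no output from $CLAMSCAN"
        return 0
    fi
    classify_clamscan_line "$first"
}

# When run by ModSecurity the uploaded file's path is the only argument.
if [ $# -eq 1 ]; then
    inspect_file "$1"
fi
```

To use it, save it under a path of your choice (for example /usr/local/bin/inspect-upload.sh, a hypothetical name), make it executable by the user Apache runs as, and point the @inspectFile operator at that path. Because clamscan loads the full signature database on every invocation, busy upload endpoints are better served by clamdscan, which hands the file to the clamav-daemon started earlier and prints output in the same "file: OK" / "file: Signature FOUND" form.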
4 comments:
Hi,
Could you please post the content of /usr/share/modsecurity-crs/util/av-scanning/runav.pl so that I can configure the same on our server.
Hi Jibin,
We don't have to make any changes in the runav.pl script; by default it has been written for ClamAV. But if you want to configure it for a different antivirus solution, you can check https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runav.pl
regards,
Hello,
I have configured the script on our server but it results in the following error:
================
[Thu Jan 14 06:30:34 2016] [error] [client 184.168.193.120] ModSecurity: Exec: Execution failed while reading output: /usr/local/bin/filescan.sh (End of file found) [hostname "domain.com"] [uri "/modules/dashboard/dashboard.api.php"] [unique_id "VpeU5sxdo3wADZrzp1sAAAAC"]
[Thu Jan 14 06:30:34 2016] [error] [client 184.168.193.120] ModSecurity: Rule processing failed. [hostname "domain.com"] [uri "/modules/dashboard/dashboard.api.php"] [unique_id "VpeU5sxdo3wADZrzp1sAAAAC"]
=================
What could be the reason for this error? I have set up root:nobody ownership for the inspect script, but I am still getting the error.
I'm not sure about this. Can you elaborate how you came into this error? Your error seems to point to a different location than normal.