[clamav-users] Procedure for Correct Action
Thank you for considering my request. I need clarification for the proper
action to take after finding viruses and malware.

I use ClamAV Virus Scanner (or Clamscan) to scan my server on a weekly
basis. I have the Virus Scanner via my cPanel control panel. I have always
taken the action to Destroy the files, but others will return over a period
of time.

My Question is "What is the difference between the choices Disinfect and
Quarantine?"

For example, I can understand that Ignore means to take no action and
Destroy means to delete the file.

I think Quarantine would mean to keep the infected file on the server, but
isolate it from the other files.

What does Disinfect do?

I have been Destroying all infected files, both malware and email, but I'm
not sure if that is my best option.

I appreciate your advice and help on this technicality,

Robert F

Webmaster
817-861-0985
https://www.Inphasehosting.com

Re: [clamav-users] Procedure for Correct Action
> I use ClamAV Virus Scanner (or Clamscan) to scan my server on a weekly
> basis. I have the Virus Scanner via my cPanel control panel. I have always
> taken the action to Destroy the files, but others will return over a period
> of time.
>
> My Question is "What is the difference between the choices Disinfect and
> Quarantine?"

As far as I know, ClamAV does NOT have the ability to disinfect
files... You would probably be better off asking whoever maintains
that plug-in for cPanel what is going on behind the scenes...

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Procedure for Correct Action
Hi there,

On Sat, 6 Apr 2019, Robert F. Poe wrote:

> I need clarification for the proper action to take after finding
> viruses and malware.

I'll try not to be misled by your questions.

> I use ClamAV Virus Scanner (or Clamscan) to scan my server on a
> weekly basis. I have the Virus Scanner via my cPanel control
> panel. I have always taken the action to Destroy the files, but
> others will return over a period of time.

Later, I'll ask you to provide more information.

> My Question is "What is the difference between the choices Disinfect
> and Quarantine?"

This question is inappropriate, so I'll skip some and explain later.

> I have been Destroying all infected files, both malware and email,

It's not clear to me what these infected files are.

> but I'm not sure if that is my best option.

I'm quite sure it isn't. You should stop whatever you're doing and,
before you start doing it again, take some time to think about it.

As I said earlier, more information is needed. You haven't said what
operating system or systems you're using on your server. You haven't
said who provides your "control panel", nor what it actually does when
you "scan my server". You haven't said what these files are that you
have always destroyed nor what you think was wrong with them. Without
much more information (and I'm fairly sure that you don't yet have it,
so you will need to direct questions to your supplier) we can't help
much more than give general advice.

So this is general advice - back to thinking about it.

If the server we're talking about is for example a Linux box, then it
will definitely not be normal to find malware and viruses on it - at
least for most definitions of 'normal'. There are (and here I take a
few liberties) two exceptions to this, and I'm going to distinguish
between those cases and the rest (the vast majority) of more or less
any server. The exceptions are when the server provides space for
unknown data to be stored, and when the server handles email; similar,
but not quite the same thing. Both are effectively handling unknown
data from unknown sources. In one case you store it and maybe serve
it back to clients, in the other you usually pass it on. This isn't
something that I'd recommend to anyone, and if you're not strong on
security I'd strongly recommend against doing it, because you will
just become part of the problem and you might even be blamed for it.
Drink deep, or taste not.

Apart from handling mail and unknown data, using something like ClamAV
to scan a server should be contemplated only after a great deal of
work has been done to make yourself as sure as is possible that there
will never be anything for ClamAV to find. That means at least making
an inventory of all the software (and that includes firmware) on the
machine, and putting in place procedures to keep informed of security
issues as they appear and to deal with them promptly and effectively.
You will shut down all but essential services, set up defences against
attacks on any services which are available over the network, make
sure that you control access to the server by any other means, and of
course set up a monitoring system to keep an eye on it all and record
for posterity - or at least the Courts - that you've been doing the
job conscientiously. Recently, even some processors (CPUs) have been
found to be vulnerable to some kinds of attack, and you'll need to
understand the implications of that in your situation. Security
issues pop up more than daily in a population of software packages
which on most machines will number at least in the hundreds, usually
in the thousands and quite possibly in the tens of thousands. So it's
quite a task; nobody else can really do it for you unless you can pay
them to do it. Not doing it (or not having it done for you) is at
best irresponsible. Doing the job well will probably mean that
scanning the server with ClamAV uses resources which could be more
profitably employed in other ways. Trawling the system's logs springs
to mind; when did you last look at yours?

Having put in place the proper mechanisms for keeping yourself well-
informed and your server software patched up to date and very possibly
taking steps to be able to replace the server hardware if it becomes
necessary, then you can breathe a little more easily. This doesn't
mean that your server won't be successfully attacked, but it means it
won't be hanging amongst the low fruit, which is where you seem to be
telling us that it IS hanging at the moment. The low-hanging fruit is
routinely attacked, by automated means. Its compromise is a foregone
conclusion, and is just a matter of time. You've said that you always
destroy "all infected files" but you haven't said what they've been
infected with, nor what you did to prevent a repetition, nor even what
steps you've taken to ensure that they were, in fact, infected. Don't
make the mistake of thinking that if ClamAV says it has found a file
is infected, that you have to believe it. Like any other scanning
engine ClamAV is prone to what we call 'false positives'. One way
that scanners use to decide if a file contains something malicious is
to compare it against a bunch of data 'patterns'. These patterns are
produced by humans in response to new threats as they arise, and then
propagated around the world by an automated system. Since new threats
appear by the minute, patterns are being produced all the time, and
sometimes under less than ideal conditions - inadequate information,
not enough time, not enough coffee/pizza/sleep, and so on. Very often
the result is a pattern which not only matches some malicious bit of
code, but also happens to match some vital bit of code which has lived
on a server and worked perfectly properly for the past several years.
Suddenly the scanner says it's infected. If you delete, disinfect, or
quarantine it, something might break. The server might well go down,
and/or become unbootable.

Earlier I said a question was inappropriate. It assumed that (a) the
file's infection is a proven fact, and (b) that there are perhaps two
alternatives for action to be taken after an infection is found. Both
are wrong. The first question should be "Do I believe what this is
telling me?". There is only one action to be taken if you do.

There are ways of verifying a claim that a file is infected. If you
don't do that, but just jump in with both feet and delete (or move) a
file or files, then you're playing Russian roulette with the system
(and you aren't solving the problem - you're just hiding a symptom).

So first verify that what you think has happened has in fact happened.

If there really is some infection, and especially if it "will return
over a period of time", then the next question must wait a little. It
must wait until you've disconnected the system from all networks, and
shut it down hopefully in as forensic a manner as possible so that any
evidence is preserved. If it's a remote system that might present a
few issues, but it's still feasible. I'll leave aside the question of
the backup system which you have ready for such an occasion. The next
question is then "What is it?" and a more important one is "How did it
get there?" Finally, "What did I do wrong, and how am I going to stop
this from happening again?" Getting rid of it will come later, that
usually means blowing away the whole system, and starting again from
scratch. These days, as long as you took the right precautions, that's
not necessarily quite as big a deal as it might sound.

Over to you.

--

73,
Ged.
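The reply above says to verify a claim of infection before deleting, moving or quarantining anything, and warns that a signature can match a legitimate file that has lived on the server for years. The POSIX shell script below is an added example of that verification step; it is not code from the thread, from ClamAV or from the cPanel plug-in. It parses a clamscan report in the "path: Signature FOUND" format (the report here is constructed sample data, with made-up paths and signature names), records each flagged file's SHA-256, asks the package manager (dpkg or rpm, where one is present) whether the file is shipped by a package and still matches that package's recorded checksum, and labels each detection with the triage outcome. All function names are the example's own.

```shell
#!/bin/sh
# Triage helper for a clamscan report: record evidence and classify each
# detection before deciding to delete, quarantine or ignore anything.
# Added example for this thread, not code from ClamAV or the cPanel plug-in.
# Assumes clamscan's "path: Signature FOUND" report format; the report
# below is constructed sample data, not output from a real scan.

SAMPLE_REPORT='/var/www/html/uploads/cache.php: Php.Trojan.Generic-1 FOUND
/usr/lib/libz.so.1: Unix.Malware.Agent-2 FOUND
/home/robert/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 2'

# parse_findings REPORT: print one "path<TAB>signature" line per FOUND entry.
# Signature names contain no spaces, so the next-to-last field is the name;
# the path is everything before the trailing ": <signature> FOUND".
parse_findings() {
  printf '%s\n' "$1" | awk '/ FOUND$/ {
    sig = $(NF - 1)
    path = $0
    sub(/: [^ ]* FOUND$/, "", path)
    print path "\t" sig
  }'
}

# owner_of PATH: name of the package that ships PATH, or "unpackaged".
owner_of() {
  if command -v dpkg >/dev/null 2>&1; then
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$pkg" ] && echo "$pkg" || echo unpackaged
  elif command -v rpm >/dev/null 2>&1; then
    if pkg=$(rpm -qf "$1" 2>/dev/null); then echo "$pkg"; else echo unpackaged; fi
  else
    echo unpackaged
  fi
}

# verify_file PKG PATH: "modified" if the package manager reports PATH as
# differing from the checksum recorded at install time, "clean" otherwise,
# "unknown" when no package tool is available. Both dpkg -V and rpm -V end
# each report line with the file path, which is all we match on.
verify_file() {
  if command -v dpkg >/dev/null 2>&1; then
    out=$(dpkg -V "$1" 2>/dev/null || true)
  elif command -v rpm >/dev/null 2>&1; then
    out=$(rpm -V "$1" 2>/dev/null || true)
  else
    echo unknown; return
  fi
  if printf '%s\n' "$out" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'; then
    echo modified
  else
    echo clean
  fi
}

# classify OWNER STATUS: the triage label for one detection.
classify() {
  case "$1:$2" in
    *:missing)    echo "missing: file is not present, nothing to act on (already destroyed?)" ;;
    unpackaged:*) echo "unverified: not shipped by any package; compare against a known-good backup or the vendor's published hash" ;;
    *:clean)      echo "probable false positive: packaged and unmodified; report the signature before touching the file" ;;
    *:modified)   echo "suspect: packaged file no longer matches its package; treat as a possible compromise and preserve evidence" ;;
    *)            echo "unverified: no package tool available" ;;
  esac
}

# triage_report REPORT: one evidence line per detection (hash, owner, verdict).
triage_report() {
  tab=$(printf '\t')
  parse_findings "$1" | while IFS="$tab" read -r path sig; do
    if [ -f "$path" ]; then
      hash=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
      owner=$(owner_of "$path")
      if [ "$owner" = unpackaged ]; then status=unknown; else status=$(verify_file "$owner" "$path"); fi
    else
      hash=missing; owner=unpackaged; status=missing
    fi
    printf '%s\t%s\tsha256=%s\towner=%s\t%s\n' \
      "$path" "$sig" "${hash:-unavailable}" "$owner" "$(classify "$owner" "$status")"
  done
}

triage_report "$SAMPLE_REPORT"
```

Run it against a saved report (for example the output of `clamscan -r` on the tree in question) before taking any action, and keep the evidence lines with the report. A packaged, unmodified file that a signature matches is the false-positive case described above; a packaged file whose checksum no longer matches its package is the case that calls for disconnecting and preserving the system rather than a quick delete. Note that `dpkg -V` and `rpm -V` also flag configuration files that were legitimately edited, so a "modified" verdict on a file under /etc still needs a human look.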
