Run ClamAV scan from command line on cPanel server

One of our client server’s was affected by virus and he can’t control it. And he is aks me to look into the issues. I have verified on server and found that one account got affected severely and run the below steps to remove it.

Note : If you installed the clamav from WHM Plugin, your clamav installation location is follow. If you installed manually find the exact path and use it according that.

1) How to run clamscan to particular user account in cpanel server ?

Use the below method to run the clamscan to particular user account. Change your username according that. I’m going to run the scan to iconbuil account because i have found that few infected files this account. You will be got the output smiler like below. After completing the scan

# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/iconbuil/public_html

LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/main.cvd and /usr/local/cpanel/3rdparty/share/clamav/main.cld. The /usr/local/cpanel/3rdparty/share/clamav/main.cvd database is older and will not be loaded, you should manually remove it from the database directory.
/home/iconbuil/public_html/wp-content/plugins/tinymce-advanced/css/index2CDEN.php: PHP.Trojan.Spambot FOUND
/home/iconbuil/public_html/wp-content/themes/twentyeleven/images/infocf5D.php: PHP.Trojan.Spambot FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3914119
Engine version: 0.98.1
Scanned directories: 257
Scanned files: 2066
Infected files: 2
Data scanned: 61.04 MB
Data read: 43.68 MB (ratio 1.40:1)
Time: 17.003 sec (0 m 17 s)

Verify the infected files and remove it.

The major common options for clamav command.

-r: To check files Recursively.
-i: To show only Infected files.

2) How to run clamscan to all account in cpanel server ?

Use the below method to run the clamscan to all user account. I’m going to run the scan to all user account on server. You will be got the output smiler like below. After completing the scan

# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home

LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
/home/wwwrival/mail/rivalcloth.com/rajkumar/cur/1369241351.H225665P9618.pulzar.websitedns.in,S=13655:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1361984937.H541722P30696.iaaxin.in,S=9982: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1369690920.H24514P2643.pulzar.websitedns.in,S=9844: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1362076650.H603724P3839.iaaxin.in,S=9944: Heuristics.Phishing.Email.SpoofedDomain FOUND
LibClamAV Warning: SWF: Invalid tag length.

----------- SCAN SUMMARY -----------
Known viruses: 3914119
Engine version: 0.98.1
Scanned directories: 70469
Scanned files: 1688827
Infected files: 32
Data scanned: 23658.66 MB
Data read: 44894.86 MB (ratio 0.53:1)
Time: 7090.407 sec (118 m 10 s)

Verify the infected files and remove it.

3) How to run clamscan to public_html directory for all account in cpanel server ?

Use the below method to run the clamscan to public_html directory for all account in cpanel server

# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/*/public_html

4) How to remove infected file while scanning itself ?

Use the below method to run the clamscan to remove infected file while scanning itself.

# /usr/local/cpanel/3rdparty/bin/clamscan -ri --remove /home/*/public_html

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

6 Comments on “Run ClamAV scan from command line on cPanel server”

      1. Just for updated clarity – the correct syntax should be:

        /usr/local/cpanel/3rdparty/bin/clamscan -ir –remove /home/*/public_html

        This will scan all website files in user home directories and remove them with output.

Leave a Reply to Shiv Singh Cancel reply

Your email address will not be published. Required fields are marked *