Scan every uploaded file with the ClamAV antivirus scanner and ModSecurity

ClamAV® is an open source antivirus engine for detecting Trojans, viruses, malware & other malicious threats.

We scan every file that is uploaded to the server with clamdscan, which hands the file to the clamd daemon.

ModSecurity – USAGE:

SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.pl" \
"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'399999'"

Example clamdscan path on a cPanel server:

$CLAMDSCAN = "/usr/local/cpanel/3rdparty/bin/clamdscan";

runav.pl – Perl script (remember to chmod 755):

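#!/usr/bin/perl
#
# runav.pl
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV

use strict;
use warnings;

# Set this to the correct clamdscan path for your server!
my $CLAMDSCAN = "/usr/local/bin/clamdscan";

if ($#ARGV != 0) {
    print "Usage: runav.pl <filename>\n";
    exit;
}

my ($FILE) = shift @ARGV;

# Run clamdscan with an argument list so the file name never passes through a shell.
my $input;
if (open(my $scan, "-|", $CLAMDSCAN, "--stdout", "--no-summary", $FILE)) {
    local $/;
    $input = <$scan>;
    close($scan);
}
$input = "" unless defined $input;

# Only the first line of the scanner output is examined.
my ($error_message) = $input =~ m/^(.+)/;
$error_message = "" unless defined $error_message;

# ModSecurity treats the file as clean only when the output starts with "1",
# so anything that cannot be parsed is reported as a failure.
my $output = "0 Unable to parse clamscan output [$error_message]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

print "$output\n";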
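
The SecRule above only stops an upload when the surrounding ModSecurity configuration lets it see the file and gives "block" a disruptive action. A surrounding configuration, added here as an example and not part of the original post (the directory paths, the 403 status and the 0640 mode are assumptions to adapt to your server):

```apache
# Rules are only enforced with the engine on, and FILES_TMPNAMES is only
# populated when request bodies are inspected.
SecRuleEngine On
SecRequestBodyAccess On

# "block" applies the disruptive action inherited from SecDefaultAction.
# The built-in default is "phase:2,log,auditlog,pass", which would log the
# detection and still let the upload through.
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# Where multipart uploads are written before inspection (assumed paths).
SecTmpDir /var/cache/modsecurity/tmp
SecUploadDir /var/cache/modsecurity/upload

# Upload temp files are created 0600 by default. If clamd runs under a
# different account it cannot open them, clamdscan reports an error, and
# runav.pl then rejects every upload. 0640 assumes the clamd account is in
# the web server's group; clamdscan's --fdpass option is an alternative
# when clamd is reached over a local UNIX socket.
SecUploadFileMode 0640

SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.pl" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'399999'"
```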