Skip to main content

ClamAV disabled in WHM, but still running hourly scans

Answered

Comments

19 comments

  • cPRex Jurassic Moderator

    Hey there!  That's an interesting one - if you look inside /var/log/cron do you see it being fired additional times outside of your one scheduled run?  If not, is it possible it's just running for a long time and you're seeing the process reappear?

    1
  • msklut

    /var/log/cron shows the 'clamscan' job only running during its scheduled time at 01:00. However, it shows LMD ('maldetect') running precisely every 5 minutes! 

    Aug 14 14:10:01 server CROND[14287]: (root) CMD (/usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1)
    Aug 14 14:15:01 server CROND[14870]: (root) CMD (/usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1)
    Aug 14 14:20:02 server CROND[15390]: (root) CMD (/usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1)
    Aug 14 14:25:01 server CROND[16047]: (root) CMD (/usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1)
    0
  • msklut

    I looked inside /etc/cron.d/maldet_pub and the following cron job was there:

    */5 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1
    0
  • cPRex Jurassic Moderator

    Well there you go - so someone configured maldet to run a bit too often to be useful it would seem.

    0
  • msklut

    I just glanced at the maldet readme file and it seems intentional. The odd thing is the scan_user_access setting is disabled in the conf file.

    Given that the maldetect installation path is owned by user root, we either need to set a pub
    path world writable (777) or populate the pub path with user owned paths. It was undesirable
    to set any path world writable and as such a feature to populate path data was created. This
    feature is controlled with the --mkpubpaths flag and is executed from cron every 10 minutes,
    it will only execute if the scan_user_access variable is enabled in conf.maldet. As such, it is
    important to make sure the scan_user_access variable is set to enabled (1) in conf.maldet and it is
    advised to run 'maldet --mkpubpaths' manually to prepopulate the user paths. There after, the
    cron will ensure new users have paths created no later than 10 minutes after creation.
    
    0
  • msklut

    Solved by commenting out the cron job in /etc/cron.d/maldet_pub! Thanks cPRex!

    0
  • cPRex Jurassic Moderator

    I'm glad that thought got you pointed in the right direction!

    0
  • msklut

    I may have spoken too soon... I just looked at the process log and it shows that same one as before even though the cron that ran every 5 min is now disabled... Any other ideas?

    ps aux | grep maldet

    root     21994  104 28.2 1415140 1097880 ?     RN   15:14   0:14 /usr/local/cpanel/3rdparty/bin/clamscan --max-filesize=6947618 --max-scansize=13895236 -d /usr/local/maldetect/tmp/.runtime.user.5653.hdb -d /usr/local/maldetect/tmp/.runtime.user.5653.ndb -d /var/clamav/ -r --infected --no-summary -f /usr/local/maldetect/tmp/.monitor.scan.139802460
    0
  • cPRex Jurassic Moderator

    Did you restart cron after you made that adjustment to ensure the new changes are loaded?

    0
  • msklut

    Yes

    0
  • cPRex Jurassic Moderator

    Well that's just odd then, as that should be all that needs to happen to in order to stop that from running.  Could you create a ticket so this can be examined?

    0
  • msklut

    Are there any other logs you would suggest looking at to make sure it's not a fluke?

    0
  • cPRex Jurassic Moderator

    You said you looked at the process log - is the PID changing every 5 minutes in that log?  If you check /var/log/cron again and don't see any new crons firing, it could be that it is just taking some time to run and that is why it's showing up in the process log.

    0
  • msklut

    yes, the PID is changing with each instance when it runs. /var/log/cron stopped showing the maldet cron after commenting it out in the .conf file earlier. 

    0
  • cPRex Jurassic Moderator

    The only random thought I have would be to try this command

    pstree PID

    and see if another process is calling that tool.  At least we know it isn't cron, though.

    0
  • msklut

    this was the result:

    pstree 28901
    clamscan
    0
  • cPRex Jurassic Moderator

    That's good info - so that confirms that the parent clamscan process called maldet, and it's not maldet itself being called from the cron.  That would seem like expected behavior according to the server's configuration, correct?

    0
  • msklut

     That would seem like expected behavior according to the server's configuration, correct?

    What is triggering it to run that process every 5 minutes if clamscan is only set to run a 1:00am as a cron?

    0
  • cPRex Jurassic Moderator

    That's the part we don't know.  I'd still think a ticket would be the best option if you're not seeing anything that is obviously calling clamscan at a specific interval.

    1

Please sign in to leave a comment.