- --help
-
Displays this help page
- --clamdsock [sock]
-
This should be the full path to the ClamAV Daemon socket if running. cxs will by default look for the socket at /tmp/clamd and /var/clamd unless specified with this option.
Note: The cPanel Clamavsocket locates the socket at /var/clamd and is automatically detected. Our MailScanner installation locates the socket at /tmp/clamd and is automatically detected.
- --quiet
-
Does not display the progress of the requested scan. The progress indicator uses symbols to indicate particular file matches or a dot (.) for every 50 files scanned:
m = regex pattern match
M = fingerprint match
v = virus
O = socket
L = symlink
f = suspicious file name/type
F = skipped directory with too many entries
S = SUID file
G = GUID file
c = core dump file
C = core dump file deleted
h = suspected exploit file
e = Linux binary or executable file
x = Windows binary or executable file
d = suspicious directory name
n = hidden directory owned by nobody user
w = world writable directory
T = script file
[Zzzzzzz] = sleeping for 60 seconds as load average is > --throttle [num]
- --ignore [file]
-
[file] points to a file containing resources that the scanning engine should ignore. Each entry in [file] should be on its own line and prefixed with one of the following (no spaces after the : separator):
user: - ignore user
file: - ignore file
dir: - ignore directory
match: - ignore regex pattern match
puser: - regex of users to ignore
pfile: - regex of files to ignore
pdir: - regex of directories to ignore
hfile: - file relative to the user's homedir to ignore
(Only works with --all and --user)
hdir: - directory relative to the user's homedir to ignore
(Only works with --all and --user)
script: - web script to ignore
See /etc/cxs/cxs.ignore.example for examples.
[file] needs to have world read access (644) to allow Web script file upload scanning.
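As an added example (not part of cxs or its documentation), the following shell function lints an --ignore file against the prefix rules above before it is handed to cxs: it flags unknown prefixes, empty values, and whitespace after the ':' separator, which is the mistake the note above warns about. It assumes lines beginning with '#' are comments, as in /etc/cxs/cxs.ignore.example; the function names and the sample entries are this example's own.

```shell
#!/bin/sh
# check_cxs_ignore FILE -- lint a cxs --ignore file (example helper, not part of cxs).
# Prints one "line N: reason: text" per malformed line; returns 0 when clean, 1 otherwise.
check_cxs_ignore() {
    f=$1
    n=0
    bad=0
    tab=$(printf '\t')
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;          # blank or comment (assumed, as in cxs.ignore.example)
        esac
        case $line in
            user:*|file:*|dir:*|match:*|puser:*|pfile:*|pdir:*|hfile:*|hdir:*|script:*)
                value=${line#*:}
                case $value in
                    '')
                        echo "line $n: empty value: $line"; bad=$((bad + 1)) ;;
                    ' '*|"$tab"*)
                        echo "line $n: whitespace after ':' separator: $line"; bad=$((bad + 1)) ;;
                esac
                ;;
            *)
                echo "line $n: unknown prefix: $line"; bad=$((bad + 1)) ;;
        esac
    done < "$f"
    [ "$bad" -eq 0 ]
}

# Constructed samples: a clean file, then one with the common mistakes.
write_sample_ignore() {
    printf '%s\n' \
        '# constructed example entries' \
        'user:nobody' \
        'dir:/home/bob/public_html/cache' \
        'pdir:^/home/[^/]+/mail/' \
        'hfile:.bashrc' \
        'script:/home/bob/public_html/wp-admin/upload.php' > "$1"
}

write_bad_ignore() {
    printf '%s\n' \
        'file: /home/bob/public_html/ok.php' \
        'ignore:/home/bob/tmp' \
        'pfile:' > "$1"
}

good=$(mktemp); bad=$(mktemp)
write_sample_ignore "$good"; write_bad_ignore "$bad"
check_cxs_ignore "$good" && echo "$good: clean"
check_cxs_ignore "$bad" || echo "$bad: fix the lines listed above before using it with --ignore"
rm -f "$good" "$bad"
```

Run it against the real file with `check_cxs_ignore /etc/cxs/cxs.ignore` before a scan; a non-zero exit is the signal that cxs would silently fail to match some entries.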
- --xtra [file]
-
[file] points to a file containing a list of regular expression matches and filenames that cxs will additionally scan for:
regall: - regular expression match for all script files
regphp: - regular expression match for only php script files
regperl: - regular expression match for only perl script files
file: - file or directory name match (not a regex)
See /etc/cxs/cxs.xtra.example for examples.
[file] needs to have world read access (644) to allow Web script file upload scanning.
- --logfile [file]
-
This will append scan results per item found to [file]
If [file] is intended to log web script file uploads it must have world writable permissions.
It would be best to create [file] in advance with:
# touch [file]
# chmod 666 [file]
# chattr +a [file]
This will then only allow appending to [file]. You will have to remove the a attribute to empty/delete/rotate [file].
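The three commands above as a pair of reusable shell helpers (an added example, not part of cxs): one creates the logfile with the permissions and append-only attribute described, the other rotates it, which is the step that has to drop the attribute first because rename and unlink fail on an append-only file. Function names are this example's own; chattr needs root and a filesystem that supports attributes, so its failure is reported rather than treated as fatal.

```shell
#!/bin/sh
# cxs_log_init FILE    -- create FILE mode 0666 (so upload hooks running as the web or
#                         FTP user can append) and mark it append-only with chattr +a.
# cxs_log_rotate FILE  -- move FILE aside as FILE.YYYYmmddHHMMSS and recreate it. The
#                         'a' attribute is cleared first, otherwise mv fails. Prints the
#                         archived name.
# Example helpers, not part of cxs. chattr needs root on ext*/xfs; elsewhere it only warns.

cxs_log_init() {
    f=$1
    if [ ! -e "$f" ]; then
        : > "$f"
        chmod 666 "$f"
    fi
    chattr +a "$f" 2>/dev/null ||
        echo "warning: could not set append-only on $f (root and ext*/xfs required)" >&2
}

cxs_log_rotate() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "no such logfile: $f" >&2
        return 1
    fi
    archived="$f.$(date +%Y%m%d%H%M%S)"
    chattr -a "$f" 2>/dev/null || true      # no-op if the attribute was never set
    mv "$f" "$archived"
    chmod 600 "$archived"                   # the archive need not stay world-writable
    cxs_log_init "$f"                       # fresh file with the same protections
    echo "$archived"
}

# Demonstration in a temporary directory (constructed; no cxs needed):
d=$(mktemp -d)
cxs_log_init "$d/cxs.log"
printf 'example entry\n' >> "$d/cxs.log"
old=$(cxs_log_rotate "$d/cxs.log")
echo "archived to $old; new $d/cxs.log is $(wc -c < "$d/cxs.log") bytes"
chattr -a "$d/cxs.log" 2>/dev/null || true
rm -rf "$d"
```

Because the archived copy is chmod 600 and not append-only, it can be compressed or deleted by normal logrotate rules; only the live file keeps the +a attribute.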
- --report [file]
-
This will (re)create [file] and write the full scan report to it
If [file] is intended to log web script file uploads it must have world writable permissions.
- --voptions [mMfhexT]
-
By default --virusscan will scan all files. If --voptions [mMfhexT] is also used then only the selected file types will be scanned, from a choice of:
m = regex pattern match
M = fingerprint match
f = suspicious file name/type
h = suspected exploit file
e = Linux binary or executable file
x = Windows binary or executable file
T = script file
(See the Exploit Scanning Reference for a detailed description for each option)
This option will only work with --virusscan enabled.
This option is disabled when scanning uploaded Web script or FTP files as all uploads are virus scanned if --virusscan is enabled.
- --options [mMOLfSGcChexdnwT]
-
By default --exploitscan will scan for all of the following, except C and T which need to be specified explicitly using this option.
If --options [mMOLfSGcChexdnwT] is also used then only the selected scanning options will be performed:
m = regex pattern match
M = fingerprint match
O = socket
L = symlink
f = suspicious file name/type
S = SUID file
G = GUID file
c = core dump file
C = core dump file deleted
h = suspected exploit file
e = Linux binary or executable file
x = Windows binary or executable file
d = suspicious directory name
n = hidden directory owned by nobody user
w = world writable directory
T = script file - identifies PHP, Perl, and other shebang (#!) script files
(See the Exploit Scanning Reference for a detailed description for each option)
This option will only work with --exploitscan enabled.
- --delete
-
This option will delete an uploaded Web script or FTP file that matches a suspected exploit or virus. Caution should be exercised when using this option as it could cause confusion, or damage to user data. In such circumstances it would be better to consider using --quarantine instead.
This option has no effect on manual or scheduled scans.
Do not use --delete with --quarantine, the former takes precedence.
- --generate
-
This is a special option that requires the options --report [file] and --ignore [file], where --report [file] is taken as input and cxs will append ignore rules to --ignore [file]
When a cxs report is first run it is likely to show some false-positives. If you do not want to see those same files in subsequent reports, you can ignore them by adding appropriate records to an ignore file and using the --ignore [file] option with that file.
To help create such an ignore file from a report containing a large number of false-positives, you can use this --generate option which takes the report file as input and cxs will append correctly specified ignore rules to the ignore file listed. Subsequent scans using that ignore file will then ignore those listed files.
- --quarantine [dir]
-
This option will move an uploaded Web script or FTP file that matches an exploit or virus to [dir]. FTP files can be restored from quarantine through the UI.
If the file move fails, the file will be deleted.
FTP files are moved to /[dir]/ftp/{username}/{file}.{timestamp}
Web script files are moved to /[dir]/{username}/{file}.{timestamp}
A restore file is also created in the same directory as the quarantined file for use through the UI as {file}.{timestamp}.restore
[dir] should always be chmod 1777
This option has no effect on manual or scheduled scans.
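The quarantine layout above, checked and listed by an added shell example (not cxs's own tooling): it warns if [dir] is not mode 1777, then walks the ftp/ and web subtrees and reports each quarantined file with its account, original name, timestamp and whether a .restore companion is present. The function names and the constructed directory tree are this example's own.

```shell
#!/bin/sh
# cxs_quarantine_report DIR -- list a cxs --quarantine directory using the documented
# layout DIR/ftp/{user}/{file}.{ts} and DIR/{user}/{file}.{ts}, each optionally with a
# {file}.{ts}.restore beside it. Output, tab-separated and sorted:
#   kind  user  file  timestamp  restorable|no-restore
# Example helper, not part of cxs.
cxs_quarantine_report() {
    q=${1%/}
    mode=$(stat -c %a "$q" 2>/dev/null || stat -f %Lp "$q")
    [ "$mode" = "1777" ] || echo "WARNING: $q is mode $mode, manual says chmod 1777" >&2
    find "$q" -type f ! -name '*.restore' | while IFS= read -r f; do
        rel=${f#"$q"/}
        case $rel in
            ftp/*) kind=ftp; rest=${rel#ftp/} ;;
            *)     kind=web; rest=$rel ;;
        esac
        case $rest in
            */*) ;;
            *) continue ;;                # stray file directly under DIR, not in the layout
        esac
        user=${rest%%/*}
        name=${rest#*/}                   # {file}.{timestamp}
        stamp=${name##*.}
        orig=${name%.*}
        if [ -f "$f.restore" ]; then status=restorable; else status=no-restore; fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$kind" "$user" "$orig" "$stamp" "$status"
    done | sort
}

# Constructed quarantine tree for demonstration.
make_sample_quarantine() {
    q=$(mktemp -d)
    chmod 1777 "$q"
    mkdir -p "$q/ftp/bob" "$q/alice"
    : > "$q/ftp/bob/shell.php.1700000000"
    : > "$q/ftp/bob/shell.php.1700000000.restore"
    : > "$q/ftp/bob/c99.php.1700000500"            # no .restore beside it
    : > "$q/alice/phpOjxQ2b.1700001000"            # web upload temp file, no .restore
    echo "$q"
}

q=$(make_sample_quarantine)
cxs_quarantine_report "$q"
rm -rf "$q"
```

The web entry shows only the PHP temporary upload name, not the destination the calling script would have chosen; that is the limitation described under Performance and Restrictions.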
- --deep
-
This option will scan all text files for all regex and fingerprint matches which will obviously take longer. The default, without --deep, checks for php and perl file extensions and file types (using file magic) and scans each appropriately. A deep scan is always performed on web script and FTP text file uploads.
- --decode [file] (experimental)
-
This option will attempt to recursively decode PHP [file] which contains base64 encoded data and display the results.
This is not a foolproof option and it may not produce meaningful results.
An additional option --depth [num] is included so that the final result can be stopped at a specific depth level rather than recursing to the end.
Once decoding is complete cxs will run a deep scan against the result.
- --block
-
This option will enable cxs to block FTP connections uploading suspicious files.
Careful consideration should be made before using this option in cxsftp.sh as there is a significant risk of false-positives with using this option for two reasons:
1. It's relatively easy for an innocent user to upload a file that could trigger one of the scan results
2. The FTP IP address isn't completely reliable (see FTP IP addresses)
If you want to block web script upload IP addresses, use the appropriate option in the csf configuration: LF_MODSEC, LF_SUHOSIN
- --throttle [num]
-
This option will force cxs to sleep for 60 seconds if the one minute load average is greater than [num]. cxs performs the load check every 60 seconds.
If the load average on the server is continuously high when cxs is running the process will take much longer to complete, so care should be taken when specifying this option.
- --sizemax [bytes]
-
This option will prevent scanning for regex matches in text files > [bytes] in size. This does not apply to virus scanning.
- --filemax [num]
-
This option will prevent scanning of a directory and all its subdirectories if there are more than [num] resources contained within this directory level.
- --[no]summary
-
If you want to disable summary statistics then use --nosummary. Doing so will also force cxs to only report accounts with suspicious files when using the --all and --mail [email] options. However, --report [file] will still display a full report.
- /etc/cxs/install.txt
-
The installation document for this application.
- /etc/cxs/reference.txt - Exploit Scanning Reference
-
The Exploit Scanning Reference document that explains the different exploit scanning options reported by cxs.
- /etc/cxs/cxs.fp
-
The database of exploit fingerprints.
The file needs to have world read access (644) to allow Web script file upload scanning.
- /etc/cxs/cxs.defaults
-
If you create this file you can add default options for cxs. For example, you might want cxs to always use --clamdsock /some/other/path/to/socket
The file is a simple list of option=value statements, e.g.:
clamdsock=/some/other/path/to/clamd.socket
ignore=/etc/cxs/cxs.ignore
virusscan=0
The file needs to have world read access (644) to allow Web script file upload scanning.
Note: Options used on the command line will override the default settings.
- FTP IP addresses
-
FTP IP addresses are determined by scanning /var/log/messages for the IP address: first by trying to find an account and file match; if that is not found, the last successful login via pure-ftpd for the affected account is used. This could lead to false-positives, so care should be taken before blocking the IP addresses reported by cxs.
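To make the two-step lookup concrete, here is an added shell example (not cxs's own code) that applies the same rule to a constructed /var/log/messages extract: first look for an upload line naming both the account and the file, otherwise fall back to the account's most recent successful pure-ftpd login. The pure-ftpd syslog line layout and the function name are assumptions of this example. The sample is built so that the fallback answer is a different address from the one that actually uploaded the file, which is exactly the ambiguity the caution above refers to.

```shell
#!/bin/sh
# cxs_ftp_ip USER FILE LOGFILE -- guess the client IP behind an FTP upload the way the
# manual describes: (1) an upload line carrying both the account and the file name,
# else (2) the account's most recent successful login. Prints "IP exact" or
# "IP fallback"; returns 1 if neither is found. Example code, not part of cxs; the
# pure-ftpd syslog layout in the sample below is assumed.
cxs_ftp_ip() {
    user=$1 file=$2 lf=$3
    base=${file##*/}
    ip=$(awk -v u="$user" -v b="$base" '
        /pure-ftpd: / && index($0, "(" u "@") && index($0, "/" b " uploaded") {
            # the "(user@ip)" token is the first parenthesised group containing "@"
            if (match($0, /\([^@)]*@[^)]*\)/)) {
                s = substr($0, RSTART + 1, RLENGTH - 2); sub(/.*@/, "", s); ip = s
            }
        }
        END { print ip }' "$lf")
    if [ -n "$ip" ]; then
        echo "$ip exact"
        return 0
    fi
    ip=$(awk -v u="$user" '
        /pure-ftpd: \(\?@/ && index($0, " " u " is now logged in") {
            if (match($0, /\(\?@[^)]*\)/)) { ip = substr($0, RSTART + 3, RLENGTH - 4) }
        }
        END { print ip }' "$lf")
    if [ -n "$ip" ]; then
        echo "$ip fallback"      # last login, not necessarily the session that uploaded
        return 0
    fi
    return 1
}

# Constructed log extract: bob uploads from 203.0.113.5, then logs in again from
# 198.51.100.9, so a file with no upload line of its own is attributed to the latter.
make_sample_log() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
Mar  3 10:01:02 web1 pure-ftpd: (?@203.0.113.5) [INFO] bob is now logged in
Mar  3 10:01:10 web1 pure-ftpd: (bob@203.0.113.5) [NOTICE] /home/bob//public_html/shell.php uploaded  (1234 bytes, 12.34KB/sec)
Mar  3 10:05:00 web1 pure-ftpd: (?@198.51.100.9) [INFO] bob is now logged in
Mar  3 10:06:00 web1 pure-ftpd: (?@192.0.2.77) [INFO] alice is now logged in
EOF
    echo "$t"
}

log=$(make_sample_log)
cxs_ftp_ip bob /home/bob/public_html/shell.php "$log"   # 203.0.113.5 exact
cxs_ftp_ip bob /home/bob/public_html/other.php "$log"   # 198.51.100.9 fallback
cxs_ftp_ip carol /home/carol/x.php "$log" || echo "carol: no IP found"
rm -f "$log"
```

Anything reported as "fallback" is only the last address the account logged in from, so it is the case where blocking on the reported IP is most likely to hit an innocent client.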
- --options [T]
-
If you do not want to allow any script uploading via web scripts include this option which will identify: PHP, Perl, C and other scripts that use a shebang (#!)
Note: This could cause problems for people using a CMS to manage their site
You could also use this option when scanning vulnerable directories such as /tmp or /dev/shm
- Performance and Restrictions
-
We would recommend using --virusscan for the PHP, CGI and FTP uploads. There can be a performance overhead using ClamAV for multiple files which means that the scan will run for longer using more resources when performing user and large directory scans. For this reason it might be sensible to use --voptions for such scans. On systems where users store large amounts of email, it might also be sensible to use the example mail ignore regex provided in /etc/cxs/cxs.ignore.example for user scans.
PHP and Perl CGI script scanning is performed on the temporary file created before the data is passed back to the initiating web script. This means that cxs cannot determine what the destination file will be as it is up to the calling script to determine that. This means that you will not be notified of the actual file that a web script creates with the data from the uploaded file. For this reason it would be sensible to enable the --delete or --quarantine option in /etc/cxs/cxscgi.sh. It is also for this reason it isn't possible to restore such files from quarantine.
The pure-ftpd file scanner scans files after they have been uploaded via FTP. This means that if the --delete option is used, the end user will not know that the uploaded file has been removed during the FTP session. It also means that cxs is deleting a file within the users account and so great care should be used when considering use of the --delete option here. Since in this case the destination file is known it may not be sensible to enable --delete in /etc/cxs/cxsftp.sh, though using --quarantine may be a good idea. You can restore such files from quarantine through the UI.
Redhat/CentOS Linux, or FreeBSD v7.2 (not all UI options are available)
Perl modules:
LWP::UserAgent
File::Basename
File::Copy
File::Find
File::stat
IO::Socket
Getopt::Long
Time::HiRes
Pod::Usage
IPC::Open3
Digest::MD5
ClamAV daemon process for virus scanning
mod_security for web upload script scanning (suhosin can be used instead for PHP script only scanning)
Pure-ftpd compiled with --with-uploadscript for ftp upload scanning
Note: web upload scanning can only be performed on files uploaded via the HTML ENCTYPE multipart/form-data
1. Create a report file; do not virus scan; use the ignore file; only do selected scan options; scan all users:
# cxs -r /root/scan.log --novir -i /etc/cxs/cxs.ignore -o OLmMfSGChexd -a
2. Create a report file; use the ignore file; only do selected scan options; only virus scan selected file types; scan all users:
# cxs -r /root/scan.log -i /etc/cxs/cxs.ignore -o mMfhexd --vir --vop mMfhexT -a
3. Email scan report to root; use all scan options including "no scripts"; scan directory /tmp:
# cxs -m root -o mMOLfSGcChexdnwT /tmp
4. Process /root/scan.log and append to ignore file /etc/cxs/cxs.ignore
# cxs --gen --rep /root/scan.log --ign /etc/cxs/cxs.ignore
5. Daily cron job to check for cxs updates:
0 4 * * * /usr/sbin/cxs --upgrade --quiet