Run ClamAV scan from command line on cPanel server

One of our client server’s was affected by virus and he can’t control it. And he is aks me to look into the issues. I have verified on server and found that one account got affected severely and run the below steps to remove it.

Note : If you installed the clamav from WHM Plugin, your clamav installation location is follow. If you installed manually find the exact path and use it according that.

1) How to run clamscan to particular user account in cpanel server ?

Use the below method to run the clamscan to particular user account. Change your username according that. I’m going to run the scan to iconbuil account because i have found that few infected files this account. You will be got the output smiler like below. After completing the scan

# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/iconbuil/public_html

LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/main.cvd and /usr/local/cpanel/3rdparty/share/clamav/main.cld. The /usr/local/cpanel/3rdparty/share/clamav/main.cvd database is older and will not be loaded, you should manually remove it from the database directory.
/home/iconbuil/public_html/wp-content/plugins/tinymce-advanced/css/index2CDEN.php: PHP.Trojan.Spambot FOUND
/home/iconbuil/public_html/wp-content/themes/twentyeleven/images/infocf5D.php: PHP.Trojan.Spambot FOUND

Known viruses: 3914119
Engine version: 0.98.1
Scanned directories: 257
Scanned files: 2066
Infected files: 2
Data scanned: 61.04 MB
Data read: 43.68 MB (ratio 1.40:1)
Time: 17.003 sec (0 m 17 s)

Verify the infected files and remove it.

The major common options for clamav command.

-r: To check files Recursively.
-i: To show only Infected files.

2) How to run clamscan to all account in cpanel server ?

Use the below method to run the clamscan to all user account. I’m going to run the scan to all user account on server. You will be got the output smiler like below. After completing the scan

# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home

LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
/home/wwwrival/mail/rivalcloth.com/rajkumar/cur/1369241351.H225665P9618.pulzar.websitedns.in,S=13655:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1361984937.H541722P30696.iaaxin.in,S=9982: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1369690920.H24514P2643.pulzar.websitedns.in,S=9844: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1362076650.H603724P3839.iaaxin.in,S=9944: Heuristics.Phishing.Email.SpoofedDomain FOUND
LibClamAV Warning: SWF: Invalid tag length.

Known viruses: 3914119
Engine version: 0.98.1
Scanned directories: 70469
Scanned files: 1688827
Infected files: 32
Data scanned: 23658.66 MB
Data read: 44894.86 MB (ratio 0.53:1)
Time: 7090.407 sec (118 m 10 s)

Verify the infected files and remove it.

3) How to run clamscan to public_html directory for all account in cpanel server ?

Use the below method to run the clamscan to public_html directory for all account in cpanel server

# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/*/public_html

4) How to remove infected file while scanning itself ?

Use the below method to run the clamscan to remove infected file while scanning itself.

# /usr/local/cpanel/3rdparty/bin/clamscan -ri --remove /home/*/public_html