• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Which is the best Antivirus for Plesk with a minimal impact on server resources

M

MicheleB

Regular Pleskian
Hello,
I'm searching an antivirus (better if is available from the Plesk's extension manager) to scan automatically a cloud server only one time a day (scheduled at night time) or to scan manually when needed.
I need to avoid to update the current specifications of the server (Debian 9, 2 Core, 5GB RAM) for economic reasons, so I need an antivirus with a minimal impact on its resources.
Any suggestions?
Thanks.
 
MicheleB said:
Hello,
I'm searching an antivirus (better if is available from the Plesk's extension manager) to scan automatically a cloud server only one time a day (scheduled at night time) or to scan manually when needed.
I need to avoid to update the current specifications of the server (Debian 9, 2 Core, 5GB RAM) for economic reasons, so I need an antivirus with a minimal impact on its resources.
Any suggestions?
Thanks.
Click to expand...

Hello MicheleB,

You have tried Plesk Premium Antivirus or Kaspersky Antivirus?
Software antivirus
 
My hosting provider has already installed ClamAV (and RKHunter... either I think from Debian repository) on the server (Debian 9.6, Plesk 17.8.11... with "managed server" service) but I need to have a control panel where is possible to monitoring the activity.
Now I receive every morning an automatically email with a report activity but if (for example) ClamAV found a virus, I need every time to ask to my hosting provider where is it and how to remove it (with obviously an extra cost).

I've found these solutions from Plesk's extensions:

Kaspersky Antivirus for Servers
Kaspersky Antivirus for Servers extension - Plesk
€ 36,59 monthly (included taxes)

Premium Antivirus for Servers
Premium Antivirus for Servers extension - Plesk
€ 36,59 monthly (included taxes)

Warden Anti-spam and Virus Protection
Warden Anti-spam and Virus Protection - Plesk Extension
$24 monthly

Sentinel Anti-malware
Sentinel Anti-malware extension - Plesk
$12 monthly

Which could be the best solution (as I said previously, I've already ClamAV and RKHunter installed on the server)?
Which solution uses less server resources (CPU, RAM, etc.)?
Thanks!
 
MicheleB said:
My hosting provider has already installed ClamAV (and RKHunter... either I think from Debian repository) on the server (Debian 9.6, Plesk 17.8.11... with "managed server" service) but I need to have a control panel where is possible to monitoring the activity.
Now I receive every morning an automatically email with a report activity but if (for example) ClamAV found a virus, I need every time to ask to my hosting provider where is it and how to remove it (with obviously an extra cost).

I've found these solutions from Plesk's extensions:

Kaspersky Antivirus for Servers
Kaspersky Antivirus for Servers extension - Plesk
€ 36,59 monthly (included taxes)

Premium Antivirus for Servers
Premium Antivirus for Servers extension - Plesk
€ 36,59 monthly (included taxes)

Warden Anti-spam and Virus Protection
Warden Anti-spam and Virus Protection - Plesk Extension
$24 monthly

Sentinel Anti-malware
Sentinel Anti-malware extension - Plesk
$12 monthly

Which could be the best solution (as I said previously, I've already ClamAV and RKHunter installed on the server)?
Which solution uses less server resources (CPU, RAM, etc.)?
Thanks!
Click to expand...

Hello,
have you tried the extension revisium Antivirus published by Plesk ? It provide a free antivirus to scan your websites and you can manage it from the Plesk interface.
However, all antivirus will use your server resources during files processing, you can only limit resources usage.
But have you been attacked of infected on your server ? Because if your sites are up-to-date and your server secured (ssh keys, firewall, fail2ban), the probability to be infected on Debian are very low, this is not Windows.
 
No, never tried Revisium extension but it seems good (the price is very cheaper, € 4,90 monthly).
On the server I've activated all the security features (plesk firewall, fall2ban, modsecurity) but every morning in the last four days I receive this message from ClamAV and I don't know how to fix it (my server provider said me that it could be a "false positive" but I'd like to have more details about it):
--------
[VIRUS!] - ClamAV scan report
----------- SCAN SUMMARY -----------
Known viruses: 6727319
Engine version: 0.100.2
Scanned directories: 13154
Scanned files: 156120
Infected files: 1
Data scanned: 12637.89 MB
Data read: 10106.04 MB (ratio 1.25:1)
Time: 2505.496 sec (41 m 45 s)
--------
 
I'm scanning manually (ssh) with ClamAV but if I try to update the virus definitions ("freshclam -v"), the system send me this error message:
---------
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
[Exit 62]
---------

Another question, if I want to scan only the email accounts, which is the correct path on a Debian server? For the websites the path is "/var/www/vhosts/" but I don't know that one for the emails.
Thanks
 
MicheleB said:
I'm scanning manually (ssh) with ClamAV but if I try to update the virus definitions ("freshclam -v"), the system send me this error message:
---------
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
[Exit 62]
---------

Another question, if I want to scan only the email accounts, which is the correct path on a Debian server? For the websites the path is "/var/www/vhosts/" but I don't know that one for the emails.
Thanks
Click to expand...

Hello,
about freshclam, try to do :
Code: 
/etc/init.d/clamav-freshclam stop

freshclam

/etc/init.d/clamav-freshclam start

To scan your emails, run clamscan on the directory /var/qmail
 
Thanks, now I can update manually ClamAV.
After several hours, this is the result of the scanning process ("clamscan -r --bell -i /"):

----------- SCAN SUMMARY -----------
Known viruses: 6727830
Engine version: 0.100.2
Scanned directories: 50144
Scanned files: 326024
Infected files: 24
Total errors: 7792
Data scanned: 48229.48 MB
Data read: 31788.90 MB (ratio 1.52:1)
Time: 13493.572 sec (224 m 53 s)
------------------------

So... 24 files infected founded (in the last four days the email received from ClamAV indicated only 1 file infected):
--------
15 logs file:
/var/log/modsec_audit.log.6.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/modsec_audit.log: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/fail2ban.log.2.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/modsec_audit.log.7.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/fail2ban.log.6.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/modsec_audit.log.2.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/fail2ban.log.3.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/modsec_audit.log.3.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/modsec_audit.log.1.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/modsec_audit.log.4.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/fail2ban.log.7.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/fail2ban.log.1.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/fail2ban.log.4.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/fail2ban.log.5.gz: Win.Exploit.Unicode_Mixed-1 FOUND
/var/log/modsec_audit.log.5.gz: Win.Exploit.Unicode_Mixed-1 FOUND
--------
13 emails in the "/var/qmail/mailnames/" folders, with these labels:
(6) Heuristics.Phishing.Email.SpoofedDomain FOUND
(1) Doc.Downloader.00536d-6756524-0 FOUND
(2) Java.Malware.Agent-5752771-0 FOUND
(2) Doc.Dropper.Agent-5774863-0 FOUND
(2) Xls.Dropper.Generic-6595971-0 FOUND
--------
Over 1000+ of these "LibClamAV warnings":
LibClamAV Warning: cli_tnef: file truncated, returning CLEAN
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Error: fmap_readpage: pread error: Input/output error
--------
This single warning:
WARNING: Can't open file /sys/module/jbd2/uevent: Permission denied
--------
--------

Which is the best procedure to fix them?
  1. Can I delete the logs file ("modsec_audit.log.6.gz", "fail2ban.log.5.gz", etc) or I need to wait that the system automatically rotate them in the next days?
  2. "LibClamAV" warnings (and the permission denied on the "uevent" file) are important or can I ignore them?
  3. For the emails, I've the name of the single account but I don't know how to find the single email in the list because is identificated with numbers (e.g. /var/qmail/mailnames/domain.com/info/Maildir/cur/1485766957.M998109P22046.domain.com,S=349058,W=353674:2,Sb: Java.Malware.Agent-5744403-0 FOUND)
  4. "Premium Antivirus" or "Kaspersky Antivirus" could they help me (e.g. scanning the email accounts and moving the infected files in the quarantine zone)?
 
Last edited:
@MicheleB

In your (recent) posts, you talk about ClamAV and also (implicitly) provide a reason to NOT use ClamAV.

Of the 24 files allegedly to be infected, 15 files are (logrotated) log files!

These genuine log files are not malicious and/or do not contain malicious code, they only contain (harmless) patterns that ClamAV is acting upon (and creating false positives).

In short, do NOT delete them, just ignore them!

That answers questions 1 and 2, as formulated by you in the last post.

The notifications created by ClamAV with respect to mail related directories can be a bit more severe: it is indicating that you do not have a proper virus scanner in place.

Again, ClamAV has proven itself to be not the right tool for the purpose of blocking and neutralizing bad mail before entering your systems.

In essence, virus scanners for mail related purposes and virus scanners for files and directories are a completely different thing.

The golden rule should be that virus scanners for mail related purposes should intercept malicious mail before entering the system, whereas virus scanners for files and directories should detect malicious code that is on the system.

Another golden rule is that a virus scanner for files and directories is a bit "odd": you should have everything in place to prevent that bad code enters the system and for that purposes, the combination of ModSecurity, Fail2Ban, a (properly configured and strict) firewall AND a virus scanner for mail purposes should at least be present!

Stated differently: when having configured your system properly, there should be no need for a virus scanner for files and directories.

Now, let's return to some (concrete) answers for your questions 3 and 4.

Plesk Premium Antivirus (which is actually drWeb + some other goodies, nicely integrated into Plesk) is highly recommended: it might be costly, but it works like a charm.

Plesk Premium Antivirus will, certainly when combined with proper DNSBL like zen.spamhause.org, be a proper solution that

- prevents specific mails from entering the system: malicious mail is being rejected, primarily due to zen.spamhause.org based blocking
- quarantines malicious mail, if it passes all security measures taken: the mail is rendered effectively harmless and is being put in a quarantaine dock

and that solution will give you a decent automated protection against bad mails, with that protection including the required neutralization of malicious code in mails.

However, you should always keep in mind that the before mentioned solution is a solution "in the case that something happens", while the golden rule is that one should try to "prevent that any bad case scenario will occur": you should always keep track of mail and other logs and simply ban offending IPs permanently via a firewall.

In conclusion: yes! Plesk Premium Antivirus can help, but always keep in mind that you have to update the firewall to disallow offending traffic completely.

Hope the above helps a bit.

Regards........
 
trialotto said:
@MicheleB

The notifications created by ClamAV with respect to mail related directories can be a bit more severe: it is indicating that you do not have a proper virus scanner in place.

In conclusion: yes! Plesk Premium Antivirus can help, but always keep in mind that you have to update the firewall to disallow offending traffic completely.

Regards........
Click to expand...

Thanks... actually I have a virus scanner for checking incoming emails that use an external server to scan them before to coming on my server, directly supplied from my hosting provider but obviously it doesn't work as it should... so, yes, you're right it's time for me to activate an antivirus directly on the server.
 
A last question, is there a way to find an email with object/title, sender, date, etc from this code:
/var/qmail/mailnames/domain.com/info/Maildir/cur/1485766957.M998109P22046.domainserver.com,S=349058,W=353674:2,Sb: Java.Malware.Agent-5744403-0 FOUND

I'd like to check (and in case remove) these emails using the webmail but I can't found them from the above code.
I can only see the account "[email protected]" and the sub-folder (in the code above I think that "cur" is not a subfolder but the root, the main folder "incoming mail").
 
MicheleB said:
Thanks... actually I have a virus scanner for checking incoming emails that use an external server to scan them before to coming on my server, directly supplied from my hosting provider but obviously it doesn't work as it should... so, yes, you're right it's time for me to activate an antivirus directly on the server.
Click to expand...

@MicheleB

You could also consider to make use of expert external services, aimed at preventing spam and viruses via mail: think of SpamExperts!

In my experience, putting SpamExperts mail services (i.e. mail relays) in front of your mail server helps a lot........ but it should not be necessary, when having a mail system and the server properly configured (read: most malicious mail traffic is originating from not-so-smart scripts and origin servers that can be easily blocked).

Regards......
 
MicheleB said:
A last question, is there a way to find an email with object/title, sender, date, etc from this code:
/var/qmail/mailnames/domain.com/info/Maildir/cur/1485766957.M998109P22046.domainserver.com,S=349058,W=353674:2,Sb: Java.Malware.Agent-5744403-0 FOUND

I'd like to check (and in case remove) these emails using the webmail but I can't found them from the above code.
I can only see the account "[email protected]" and the sub-folder (in the code above I think that "cur" is not a subfolder but the root, the main folder "incoming mail").
Click to expand...

@MicheleB

If you gain access via SSH, you should be able to find the string

/var/qmail/mailnames/domain.com/info/Maildir/cur/1485766957.M998109P22046.domainserver.com,S=349058,W=353674:2

and the remainder, in particular the Java.Malware part, should not be present in the file name.

Otherwise, if you cannot find it, just run the command: find /var/qmail -name 1485766957.M998109P22046* (do not forget the wildcard!)

Regards.........
 
You must log in or register to reply here.

Similar threads

afuego
Question Best linux for Plesk?
Replies
2
Views
1K
afuego
afuego
B
Issue Assistance Required: Correct DNS Settings for Mail Servers in Plesk
Replies
0
Views
865
BHK
B
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
3
Views
276
BjornTheBassist
B
DigitalWeb
Issue Need help with some questions I have about Web Hosting Server
Replies
2
Views
2K
gulshan212
gulshan212
G
Question WP installs are quarantined daily.
Replies
4
Views
1K
Bobbbb
B
Back
Top