How to virus scan FTP uploads

Posted by: Chris  :  Category: Linux Tips

To help protect your server, you may want to scan your users FTP uploads.  Here is a great way of doing this, if you are using Pure-FTP and ClamAV.  Pure-FTP has an option to run a file after an upload, called the pure-uploadscript.  What you do, is tie the virus scanner into this script, so that when a file gets uploaded, it will get scanned.  As long as you have your virus scanner up to date, this will pick up most of the main stream virii, as well as the dreaded php shell scripts.

Here is how we do it.  We first need to ssh into our server, and then switch user to root.  Now, execute the following from the command line:

echo \#\!/bin/sh > /etc/pure-ftpd/

This command will create a file called, and place an interpreter call on the first line.  Next, we add the action line to the file, by executing this command:

echo /usr/bin/clamdscan –move=/root/badfiles/ –quiet –no-summary –log=/var/log/clamscan.log “\$1” >> /etc/pure-ftpd/

This will insert the second line in the upload-check script.  This line calls the virus scanner, clamdscan, and passes some information to it.  The first one, tells the scanner to move the file, if it has found a problem with it.  I always find it usefull to see what people are trying to upload, instead of just deleting the file as soon as its scanned.  The other important parameter here, is the log value.  We are telling the scanner to log all activity to the clamscan.log file, which is usefull to view every so often, to see if anyone was trying to upload something nasty.  Now, chmod the script:

chmod 700 /etc/pure-ftpd/

The next step, is to ensure that when your server starts up, that the pure-uploadscript binary is running, using the newly created script:

echo /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/ >> /etc/rc.d/rc.local

This places a line at the bottom of your rc.local file, telling it to run the pure-uploadscript, with the parameters you have assigned to it.

Next, we tell pure-ftpd to use the upload scanner, use what ever editor you prefer:

vi /etc/pure-ftpd.conf

Search for – CallUploadScript, and uncomment the line.  Save your changes, and exit.

Now, all we need to do, is start the pure-uploadscript daemon, and restart pure-ftpd:

/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/

service pure-ftpd restart

Once done, you should now be scanning all files uploaded through ftp.  To check if you have found any virii, you can check the log file, running this command only displays the lines that have reported a virus:

tail -n 1000 /var/log/clamscan.log | grep FOUND

The files found to have virii’s, will also have been moved to /root/badfiles, so that you can take a look at them, and if it is a false positive, move the file back to the users directory.

18 Responses to “How to virus scan FTP uploads”

  1. » Blog Archive » How to install ClamAV in cPanel Says:

    […] was reading through my post on how to virus scan ftp uploads, and I realized, I never mentioned how to setup ClamAV, the antivirus software.  So, here we go:1. […]

  2. KattyBlackyard Says:

    Hi, gr8 post thanks for posting. Information is useful!

  3. Ed Says:

    Can’t seem to get this working.
    Any additional tips?

  4. Ed Says:

    Okay got it working.
    Works with FTP and FTPS but not SFTP.
    Any thoughts about that?

  5. Ed Says:

    One other thing that would be nice is if an email could be sent when a file is moved from a user account.

  6. Chris Says:

    It will not work through SFTP because it is not using the ftp server, it is using the ssh protocol. Are you looking for an email alert once a virus has been found/removed?

  7. Ed Says:

    Thanks Chris.
    Yes on the email question.

  8. Don Says:

    My FTP service as gone down. When I disabled CallUploadScript in ftp conf it started again. Any idea?

  9. Chris Says:

    Hi there, can you tell me what OS you are using and what version of pure-ftp you have?

  10. Don Says:

    Hello Chris, sorry for the late reply. I am using CentOS release 5.2. and pure-ftpd v1.0.21 cpanel control panel is installed in the server. When I enable CallUploadScript, FTP service is going down.

  11. Chris Says:

    Hi Don,

    Are you making sure that you are starting the upload check script prior to restarting the ftp server? Also, if you have made changes to the upload script, you will have to kill all processes of it currently running, and then re-run the start up script:

    /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/

  12. How to virus scan FTP uploads | Kroko Says:

    […] text from […]

  13. Renaldo Parda Says:

    Really Good Articles/posts that you have on this site. Thanks

  14. Topsoil Says:

    Here’s a comment. Great advice =) Thanks

  15. Tyson Oregel Says:

    Great article! I bet a lot of work went into this post.

  16. Casino Gambling Says:

    Being a complete newbie, all I can say is thanks for sharing this.

  17. online banking Says:

    Thanks for sharing this helpful info!

  18. Mark Vice Says:

    I love it!

Leave a Reply