ConfigServer Community Forum

I've recently added quarantine form cxsftp and enabled the service, but it seems that any PHP script that gets uploaded I'm notified.

Scanning FTP file...
Time : Thu, 15 Jun 2017 14:10:32 -0300
FTP user : webmaster@*******.***
FTP file : /home/*******/public_html/*******/page.php
FTP owner : ******* (882)
FTP file md5sum : *******
Remote IP : *******
Blocked : No
Deleted : No
Quarantined : No

----------- SCAN REPORT -----------
TimeStamp: Thu, 15 Jun 2017 14:10:32 -0300
(/usr/sbin/cxs --nobayes --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --ftp --html --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root --options mMOLfSGchexdnwWETDZ --qoptions Mv --quarantine /home/malware --quiet --sizemax 500000 --smtp --ssl --summary --timemax 30 --nounofficial --virusscan --voptions mfhexT /home/*******/public_html/*******/page.php)

'/home/*******/public_html/*******/page.php'
Script file [application/x-php]

All the ******* are for censored information about usernames and stuff.
On the CXSFTP file I only have these options:
I don't know where all the other options are added or which one I should remove so that I'm only warned via e-mail when something gets blocked / quarantined / deleted

Crap, just noticed that I've created this on the wrong forum, could someone move it to "General Discussion (cxs)" ?

Hello,

You must have put a list of options in your defaults file at some point. It is the "--options T" that is reporting every php script. Check the file /etc/cxs/cxs.defaults and remove that to stop cxs ftp scanning from reporting every script being uploaded.

As for your other question about configuring cxs to only send an email when something is quarantined, cxs has two primary actions as we recommend configuring it:

1) To automatically quarantine files that match as known viruses or exploits. We configure cxs to do this by default when we install it (unless requested to not do so).

2) To alert you to files or directories that are suspicious for one reason or another, but do not match as already known viruses or exploits. Some of the matches in this category are probably exploits and therefore you should examine the file reported to determine whether or not it is an exploit.

If you are getting repeated reports for files that you know are not exploits, you can configure cxs to ignore them. Please see the cxs documentation for the "--ignore [file]" option as well as the file /etc/cxs/cxs.ignore or /etc/cxs/cxs.ignore.example.

It is not possible to configure cxs to scan for certain file types but not send an email if it detects them, as that would be pointless. If you do not want cxs to even scan for certain types of files or matches, then you can change the "--options" setting in your cxs command or script file (cxswatch.sh, cxsftp.sh, etc.). Please see the documentation for the various file types and how to configure the "--options" setting.

Regards,
Sarah