Is there a static, server-side vulnerability/virus/malware/BadThings™ scanner?

Solution 1:

In addition to ClamAV, consider using Maldet for additional malware detection. According to the docs, it has the ability to integrate with ClamAV, though I haven't personally set this up.

Solution 2:

Snort can detect malware while it is being uploaded. Also, use Cloud Linux or SELinux, etc. This prevents many worms from compromising the site, if configured to do so. You can run Kaspersky Scan on the web server too; it detects some things, but does not always disinfect them properly. Above all, you can implement a policy such that anything uploaded has restricted access. You can also prevent files from being overwritten, except in special folders that cannot be linked externally. This is possible and there are many ways of doing it: ACLs, SELinux, SUEXEC, etc.

Solution 3:

Clam AntiVirus is the tool you want. It sees common duty in mail systems, but there's no reason you couldn't monitor the uploads that come in through your web application.

Just remember that you'll probably need changes to application code to use this effectively. It will need to deal with the fact that ClamAV will scan, detect, and possibly remove/obstruct files independently of your application. The best option would be to call ClamAV from your application for each upload, but that may be more development time than you'd like to invest.
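
One way to call ClamAV from the application for each upload is to stream the bytes to a running clamd daemon with its INSTREAM command and store the file only on a clean verdict. This is an added example, not code from the original answers; the function names are hypothetical and the sample reply is constructed.

```python
import socket
import struct

def frame_instream(data, chunk=8192):
    """Frame bytes for clamd INSTREAM: command, length-prefixed chunks, zero chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))                     # zero length ends the stream
    return b"".join(out)

def parse_reply(raw):
    """Map a clamd reply to (verdict, detail); verdict is clean, infected or error."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    status = text.partition(": ")[2]
    if status == "OK":
        return ("clean", None)
    if status.endswith(" FOUND"):
        return ("infected", status[:-len(" FOUND")])
    return ("error", text)  # includes empty or truncated replies

def scan_upload(data, sock):
    """Send one upload over a connected clamd socket and return the parsed verdict."""
    sock.sendall(frame_instream(data))
    raw = b""
    while not raw.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:  # peer closed before a full reply arrived
            break
        raw += part
    return parse_reply(raw)

def accept_upload(data, sock):
    """Fail closed: keep the upload only on an explicit clean verdict."""
    return scan_upload(data, sock)[0] == "clean"

if __name__ == "__main__":
    # Offline demo: a socketpair stands in for clamd, with a constructed reply.
    # In production, connect to your clamd socket instead (path is site-specific).
    app, fake_clamd = socket.socketpair()
    fake_clamd.sendall(b"stream: Example.Signature FOUND\0")
    print(scan_upload(b"constructed upload bytes", app))
```

Uploads larger than clamd's StreamMaxLength setting produce an error reply rather than a verdict, which accept_upload treats as a rejection.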

Solution 4:

I recommend trying Linux Malware Detect (http://www.rfxn.com/projects/linux-malware-detect/). Put it in cron to run periodic scans:

0 * * * * /usr/local/sbin/maldet -r ~ >output