Script I wrote to scan completed torrents for viruses

EDIT: I've had a chance to test this now and it works properly. I've added a reply below which explains how it works a little better.

This is a simple script I wrote which is used to automatically scan a completed torrent for viruses on Linux. Obviously if you're using Linux you don't need to worry too much about viruses; this is more for if the files are accessed by Windows PCs and you want to make sure they're clean before storing them.

The script should work (I haven't actually been able to test it with a torrent client yet) with torrent clients which allow you to run an external program on completion, for example qbittorrent. You set it to run '/path/to/ %n' where %n is the parameter for the torrent name.

The script will move the completed torrent to a temporary scanning directory and then either move it back if it's clean or move it to an infected directory and send an e-mail notification if it's infected. The reason for moving it to a temporary directory and then returning it is so that you can still use the torrent client to remove the torrent data and so that the user can tell that a file hasn't finished scanning yet if they try to access it early.


#This script is used to scan completed torrent downloads with clamav and notify via e-mail if there are infected files. It will also move infected files to a new directory

EMAIL="you@example.com"            #E-mail address that notifications will be sent to (placeholder address)
DOWNLOAD_PATH="Downloads"          #Path to download directory
SCAN_PATH="Downloads/scanning"     #Path to temporary scanning directory. File will be moved back when the scan completes, this allows for deleting data from within torrent client while also allowing user to see that a file is currently being scanned.
INFECTED_PATH="Downloads/infected" #Path to move infected files
OUTPUT_PATH="/tmp"                 #Temporary storage of output

#Internal variables
FILE="$1"                                #Name of torrent files passed from torrent client
OUTPUT="$OUTPUT_PATH/clamscan.$FILE.out" #File which output text will be stored in

echo "Scanning $FILE"

#Move completed torrent download to scanning directory
mv "$DOWNLOAD_PATH/$FILE" "$SCAN_PATH/"

#Scan files with clamav (-i: only report infected files, -r: recurse into directories)
clamscan -ir "$SCAN_PATH/$FILE" >> "$OUTPUT"

#Check output and store number of infected files in $INFECTED
INFECTED=$(sed -n -e 's/^Infected files: //p' "$OUTPUT")
echo "Scan complete, $INFECTED infected files found"

#Check whether there are infected files, if so move and notify. If not move back to download directory.
if (( INFECTED > 0 )); then
    echo "Moving infected files"
    mv "$SCAN_PATH/$FILE" "$INFECTED_PATH/"
    echo "Sending E-mail to $EMAIL"
    mail -s "Virus detected in torrent file" "$EMAIL" < "$OUTPUT"
    echo "Copying E-Mail to infected directory"
    cp "$OUTPUT" "$INFECTED_PATH/"
else
    echo "Returning file to download directory"
    mv "$SCAN_PATH/$FILE" "$DOWNLOAD_PATH/"
fi

echo "Removing temporary files"
rm "$OUTPUT"

Anyway, like I said I haven't actually been able to test it yet but I thought I'd share it anyway, I'll update it when I do get a chance to test it and find any problems.

I am interested in hearing what people think of this script. I won't really be able to test it out myself, but am still curious nonetheless.

I ran into two problems, one with your script.

"mv: cannot move ‘Downloads/’ to a subdirectory of itself, ‘Downloads/scanning’"

I added a ../scanning directory and it gave me the same sort of problem. Should be easy to fix - just change the SCAN_PATH variable to "Documents/scanning" or something.

"LibClamAV Error: cli_loaddbdir(): No supported database files found in /var/lib/clamav"

I got it because I only just installed clamav without researching anything first. You have to initialize the database with # freshclam -v (as root) in order for clamav to work. I figured I'd mention it since someone won't feel like googling it.

Once I fixed those small issues, it seems to work fine - then again, I wouldn't know unless I actually had viruses, I suppose.

It's not supposed to move the downloads directory but the downloaded file or folder within that directory. You pass the name of the file to the script as an argument so that when used with a torrent client the torrent client can give the script that file name and allow it to run automatically for each torrent downloaded, rather than scanning the whole directory each time a torrent finishes.

Try running it like ''

I should also have mentioned that you will need to make the scanning and infected directories, I didn't think to have the script make them.

The thing I'm yet to test is what qbittorrent actually outputs with the %n parameter, I'm hoping it's the same name as what is given to the file when saved to the disk.

I still haven't had a chance to test this, but I think the correct way of running this script with a torrent client (at least with qbittorrent) is to add it like this to the option to run external program on completion:

/bin/bash "path/to/" "%n"

I think that's why I couldn't get it to work when I tried it with utorrent server, you need to run bash and give the script as an argument. %n is an argument for the script which needs to be the parameter the torrent client gives as the name of the torrent, not sure if this is the correct syntax yet but I think it's close. When I get back to my laptop I'll try it out.

Can't really test this script, but from what I understand, most cracks are detected as a virus at first (usually a false positive). Does the script implement anything to sort that?

Not really, it just notifies you if it finds something and then lets you decide what to do with it. It doesn't remove or quarantine anything pretty much for that exact reason.

using clam... hmm clean and neat. You don't have to push it to tmp you can push it straight to null ~> this way you can remove cleanup part. Also it'd be better to add some log file instead of email (not everyone has it set up + if you're setting up box like that last thing you want are emails from it).

That's good to know.

Yeah, I set it up with email as that's what works with me but a log file would be easy enough to do instead. It also copies the output of clam to the infected folder with the name of the torrent in the file name, so really you don't NEED any kind of notification as if the torrent isn't in the download folder you can look in the infected folder and find it there with a copy of the clam output. I suppose to make it more obvious you could have the output file saved to the download folder in place of the torrent so that it's more obvious what's happened.

Okay, so I've had a chance to test this and got it working with utorrent server, but it should work in a similar way with any client which has the ability to run an external program upon completion of the torrent download.
As I mentioned above the correct syntax for running the script is:

/bin/bash "/path/to/" "%N"

where %N is whatever parameter is used by the torrent client to give the name of the torrent (in utorrent it is %N, in qbittorrent it is %n, etc.)

This is my setting page in utorrent.

As @Jeol mentioned above, if you haven't installed clamav before you need to run freshclam as root first in order to download the definition files.

Also I made the script to notify me via e-mail, so for that to work you'll need to make sure you can send e-mails using the mail command (for me I installed sendmail and mailutils and it worked, but I have a local mail server and I'm not sure if there's anything else you have to do to get it to send mail to an external mail server, i.e. gmail). If you don't want e-mail notifications just remove or comment out the line which runs the mail command, or change it to something else like writing the output to a log file or whatever else you'd like. In fact I'll probably add logging just so it's easy to tell if it's working.

but how about this? Make a menu in php where it will show viruses found, or it could create new element with nasty bug or something ~ and when you click it, it shows you log?

Nice idea, but I wouldn't know where to begin with something like that.

you are already running it on apache right?

I'm not really sure how the webui is served, I assume utorrent has a built in Web server for it. I don't know how much control I can get over it. I do have Apache running but only as a proxy.

meh, then it's most likely using java apache ~ if you find its web files there wouldn't be a problem changing/adding new stuff there.

Haha, I feel stupid. I completely overlooked that $1 at least three times when looking through the script.

I'll test it again soon. Looks good, though.
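
Added example, not part of any post in this thread: a variant of the scan step that branches on clamscan's exit status (0 = no virus found, 1 = virus found, 2 = error) instead of parsing the "Infected files:" line, and that rejects an empty or path-like torrent name, which is the case that produced the "cannot move 'Downloads/'" error discussed above. The directory defaults, the SCANNER override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread author's script. Directory names are assumptions.
DOWNLOAD_PATH="${DOWNLOAD_PATH:-Downloads}"
SCAN_PATH="${SCAN_PATH:-Downloads/scanning}"
INFECTED_PATH="${INFECTED_PATH:-Downloads/infected}"
SCANNER="${SCANNER:-clamscan}"   # overridable so the logic can be exercised without ClamAV

# The name comes from torrent metadata, so accept a single path component only:
# not empty, not "." or "..", no "/", no leading "-" (would be read as an option).
valid_name() {
    case "$1" in
        ''|.|..|*/*|-*) return 1 ;;
    esac
    return 0
}

# clamscan exit status: 0 = no virus found, 1 = virus(es) found, anything else = error.
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Prints rejected, missing, clean, infected or error. The body runs in a subshell.
scan_torrent() (
    name=$1
    valid_name "$name" || { echo rejected; exit 1; }
    [ -e "$DOWNLOAD_PATH/$name" ] || { echo missing; exit 1; }
    mkdir -p "$SCAN_PATH" "$INFECTED_PATH"
    log="$SCAN_PATH/$name.clamscan.log"
    mv "$DOWNLOAD_PATH/$name" "$SCAN_PATH/" || { echo error; exit 1; }
    rc=0
    "$SCANNER" -ir "$SCAN_PATH/$name" > "$log" 2>&1 || rc=$?
    result=$(verdict "$rc")
    case "$result" in
        clean)    mv "$SCAN_PATH/$name" "$DOWNLOAD_PATH/" && rm -f "$log" ;;
        infected) mv "$SCAN_PATH/$name" "$log" "$INFECTED_PATH/" ;;
        error)    : ;;   # fail closed: item and log stay in the scanning directory
    esac
    echo "$result"
)

# Torrent client hook: /bin/sh /path/to/script "%N"
if [ "$#" -gt 0 ]; then scan_torrent "$1"; fi
```

If the scanner cannot run at all (for example, no signature database yet), the download stays in the scanning directory with its log rather than being returned as clean.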