linux-malware-detect
Option to quarantine only new files
Hi Ryan, congratulations on LMD, it's a great project and the community loves it.
We would like to have a configuration option to only quarantine new files.
We host a lot of Magento webshops, and sometimes extension vendors use eval(base64_decode to try to protect their licence-check PHP code.
At the moment we cannot enable quarantine because it may break an existing shop because of such a false positive. If new files are uploaded, we would like to quarantine. Then it's not a big problem to quarantine a false positive, because the developer uploading the files will notice that his new change does not work.
My suggestion would be a setting like quarantine_hits_below_age="60" (in seconds), set by default to 0, which means always quarantine if quarantine_hits is enabled.
Is it possible to realise this feature request?
This is a great idea and shouldn't be terribly hard to put into place. I will scope this out for inclusion into the next release update.
Thanks
Our sysadmin, @Rolandwalraven, reminded me that the file creation date of harmful files is often manipulated, so it may not be reliable. The kind of event from Inotify is reliable, however: an attacker may "touch" the file first, and put data in it a few seconds later.
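As an added illustration of the proposed quarantine_hits_below_age semantics and of the timestamp caveat raised above (example code, not LMD's own), the check below measures age from the inode change time (ctime), which a plain `touch` cannot back-date, instead of the modification time. It assumes GNU coreutils `stat` and `touch`; the function and threshold names are hypothetical.

```shell
#!/bin/sh
# Example only, not part of linux-malware-detect. Requires GNU stat/touch.

# file_age_seconds FILE mtime|ctime
# Prints how many seconds ago the chosen timestamp was set.
# mtime (%Y) can be set to any value by the file owner with touch -d;
# ctime (%Z) is rewritten to "now" by the kernel on any inode change,
# including that very touch, so it is the harder clock to forge.
file_age_seconds() {
    case $2 in
        mtime) fmt=%Y ;;
        ctime) fmt=%Z ;;
        *) echo "unknown clock: $2" >&2; return 2 ;;
    esac
    ts=$(stat -c "$fmt" "$1") || return 1
    echo $(( $(date +%s) - ts ))
}

# should_quarantine FILE THRESHOLD
# Returns 0 (quarantine) or 1 (leave in place), following the proposal:
#   THRESHOLD=0  -> always quarantine (today's behaviour when quarantine_hits=1)
#   THRESHOLD>0  -> quarantine only if the file is younger than THRESHOLD seconds
should_quarantine() {
    threshold=${2:-0}
    [ "$threshold" -eq 0 ] && return 0
    age=$(file_age_seconds "$1" ctime) || return 1
    [ "$age" -lt "$threshold" ]
}

# Demo with a constructed file whose mtime is back-dated to look old.
demo_file=$(mktemp)
printf '<?php /* constructed sample */\n' > "$demo_file"
touch -d '2000-01-01 00:00:00' "$demo_file"
echo "mtime age: $(file_age_seconds "$demo_file" mtime)s (forged, looks old)"
echo "ctime age: $(file_age_seconds "$demo_file" ctime)s (real, just created)"
if should_quarantine "$demo_file" 60; then
    echo "decision: quarantine (new file despite back-dated mtime)"
else
    echo "decision: keep"
fi
rm -f "$demo_file"
```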