
Request: Differ between normal scan and upload

Open lassos opened this issue 7 years ago • 6 comments

Maybe a consideration. I use maldetect with hookscan/mod_security to prove uploads. But my upload restrictions are much stricter than for normal scans. But both use the same sigs. That's my problem.

An example. So my custom hex dat includes hex data for tar.gz, zip, pdf, php files and so on. Because I don't want these file types uploaded. Generally for server upload security I prefer just images .-)

If I set up my own custom hex data for these file types, uploads are recognized properly.

But the main problem is, if my customer uploads files via FTP (this is allowed), the daily cron script removes these files because of the restriction of the same custom hex dat being used. Maybe there is a chance to separate these sigs for normal scan and hookscan .-)

greetz lars

By the way, great job. Just because, and not because of this request, I did a small donation .-)

lassos avatar Jul 14 '17 20:07 lassos

This is a great idea @lassos. To be clear, you are proposing the ability to have separate custom signature files for hook scans and normal scan operations?

I will see about getting this into the next release, it should be fairly trivial to include.

Thanks for the donation!

rfxn avatar Aug 25 '17 16:08 rfxn

Yes. Just distinguish between normal scan and hookscan (mod_security). With this separation I would be able to forbid any eval, hexadecimal codes and so on for file uploads. I think this will clean 99% of customers' content hacks via file uploads with hidden PHP code like gzinflate, base64, hex codes ...

I have tested it and had no new content hack for more than 4 weeks. The only problem is if a customer installs files via FTP or file_get_contents, all these files will be deleted too.

So main thing:

Uploads -> no trust -> go restrictive with your own custom and kill all hex, base64, eval data

Normal scan -> go with not so restrictive own custom hex data

lassos avatar Aug 30 '17 12:08 lassos

Any news?

lassos avatar Nov 06 '18 14:11 lassos

I think this feature would be the most important step for any hosting service provider. With this setting you could avoid any malware due to uploads via web, e.g. insecure WordPress plugins and so on.

lassos avatar Nov 06 '18 15:11 lassos

This is made difficult at the moment since the hookscan functionality heavily relies upon ClamAV running the clamd service for performant upload scans. In this setup, you can not easily define separate rule sets to scan with through clamd.

It is an incredibly good idea and I am seriously looking at ways to make it happen.

rfxn avatar Dec 28 '18 02:12 rfxn

So I don't know what makes it so difficult, but you are the expert. I have sent a version to you. The main thing is in the function. I have been using this version for 10 weeks on 18 servers and have never had any infected uploaded file yet, really, believe me .-)

```sh
#echo "func scan hscan $hscan sig_user_hex_file before $sig_user_hex_file sig_hscan_user_hex_file $sig_hscan_user_hex_file";
# hook scan (hscan=1) with a non-empty hscan custom hex file: swap in the restrictive upload signature set
if [ "$hscan" = "1" ] && [ -s "$sig_hscan_user_hex_file" ]; then
    #echo "file is not empty"
    sig_user_hex_file=$sig_hscan_user_hex_file
fi
#echo "stefla func scan hscan $hscan sig_user_hex_file after $sig_user_hex_file sig_hscan_user_hex_file $sig_hscan_user_hex_file";
```

And my hscan.custom.hex.dat config file.

```
7f454c46020101000000000000000000:{HEX}ELFStefla.32bit
7f454c46010101000000000000000000:{HEX}ELFStefla.64bit
2f6574632f7073612f:{HEX}EtcPsaStefla.inject
2f6574632f736861646f77:{HEX}EtcShadowStefla.inject
6576616c286261736536345f6465636f646528:{HEX}EvalBase64DecodeStefla.inject
7837335c3136345c7837325c3136325c7836355c313636:{HEX}EvalDecodedStefla.inject
6261736536345F6465636F64652866696C655F6765745F636F6E74656E747328245F504F5354:{HEX}BaseDecodeFileGetContentPOSTStefla.inject
6576616c28677a696e666c617465:{HEX}EvalGzinflateStefla.inject
3c3f706870:{HEX}PhpTagStefla.inject
23212f7573722f62696e2f7065726c:{HEX}ShebangUsrBinPerlTagStefla.inject
41646448616e646c6572:{HEX}AddHandlerStefla.inject
41646454797065:{HEX}AddTypeStefla.inject
```

lassos avatar Dec 28 '18 09:12 lassos
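An added example, not maldet's own code and not the patch posted above: a small POSIX shell sketch of the requested behaviour, choosing the hook-scan signature file when the scan mode is `hscan` (and the file is non-empty), otherwise the normal custom file, then matching a file's bytes against `hex:{HEX}name` entries. The `$SIGDIR` directory and both signature files are constructed here for the example; the pattern is lowercased so mixed-case entries like the posted one still match.

```shell
#!/bin/sh
# Constructed signature sets (example only): the hook-scan set is stricter.
SIGDIR=$(mktemp -d)
printf '%s\n' \
  '6576616c286261736536345f6465636f646528:{HEX}EvalBase64Decode.inject' \
  > "$SIGDIR/custom.hex.dat"
printf '%s\n' \
  '6576616c286261736536345f6465636f646528:{HEX}EvalBase64Decode.inject' \
  '3C3F706870:{HEX}PhpTag.inject' \
  > "$SIGDIR/hscan.custom.hex.dat"

# select_sigs MODE -> prints the signature file to use for this scan mode.
# Mirrors the requested logic: hook scans get their own file when it exists and is non-empty.
select_sigs() {
  if [ "$1" = "hscan" ] && [ -s "$SIGDIR/hscan.custom.hex.dat" ]; then
    echo "$SIGDIR/hscan.custom.hex.dat"
  else
    echo "$SIGDIR/custom.hex.dat"
  fi
}

# to_hex FILE -> lowercase hex of the file's bytes with no separators (od is POSIX).
to_hex() { od -An -tx1 -v "$1" | tr -d ' \n'; }

# scan_file MODE FILE -> prints each matching signature name; exit 0 on any hit, 1 if clean.
scan_file() {
  sigs=$(select_sigs "$1"); hex=$(to_hex "$2"); hit=1
  while IFS=: read -r pattern name; do
    case "$pattern" in ''|'#'*) continue ;; esac      # skip blank/comment lines
    pattern=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
    case "$hex" in *"$pattern"*) echo "$name"; hit=0 ;; esac  # quoted: no glob expansion
  done < "$sigs"
  return $hit
}
```

The same file is flagged in `hscan` mode but passes a normal scan, which is the FTP-versus-upload split described in the thread.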