rfxn / linux-malware-detect

Linux Malware Detection (LMD)
http://www.rfxn.com/projects/linux-malware-detect/
GNU General Public License v2.0

ignore_file_ext and ignore_sigs files not working when scan_clamscan=1 #31

Closed Gazoo closed 9 years ago

Gazoo commented 9 years ago

Entries added to either ignore_file_ext or ignore_sigs are not being ignored.

cat /usr/local/maldetect/ignore_file_ext

.txt

cat /usr/local/maldetect/ignore_sigs

{CAV}Eicar-Test-Signature

Command run:

maldet -b --scan-all /var/www/vhosts/?/httpdocs

maldet --report 150107-1249.29105

HOST:      example.com
SCAN ID:   150107-1249.29105
STARTED:   Jan  7 2015 12:49:34 -0700
COMPLETED: Jan  7 2015 12:49:34 -0700
ELAPSED:   0s [find: 0s]

PATH:          /var/www/vhosts/*/httpdocs
TOTAL FILES:   154
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 150107-1249.29105

FILE HIT LIST:
{CAV}Eicar-Test-Signature  :  /var/www/vhosts/example.com/httpdocs/eicar.txt
===============================================
Linux Malware Detect v1.5 < proj@rfxn.com >

Gazoo commented 9 years ago

Also note that I tried setting the signature with and without the {CAV} prefix and it's still not ignored, e.g.

Eicar-Test-Signature

or

{CAV}Eicar-Test-Signature

Gazoo commented 9 years ago

Further testing revealed that the ignore_file_ext and ignore_sigs files don't work when scan_clamscan=1 (currently the default).

dhardison commented 9 years ago

In my testing using version 1.4.2, ignore_file_ext is not being processed no matter what the clamscan setting is. I am trying to disable scanning of image files (jpg/gif/etc.) due to errors processing these types of files using modsec.sh.

ignore_sigs is being honored, and I can see that the log output shows as such:

Apr 28 10:12:39 web05cp maldet(31517): {glob} processed 1 signature ignore entries
Apr 28 10:12:39 web05cp maldet(31517): {scan} signatures loaded: 10748 (8838 MD5 / 1910 HEX)
Apr 28 10:12:39 web05cp maldet(31517): {scan} building file list for /tmp, this might take awhile...
Apr 28 10:12:39 web05cp maldet(31517): {scan} file list completed, found 213 files...
Apr 28 10:12:39 web05cp maldet(31517): {scan} found ClamAV clamscan binary, using as scanner engine...
Apr 28 10:12:39 web05cp maldet(31517): {scan} scan of /tmp (213 files) in progress...
Apr 28 10:12:39 web05cp maldet(31517): {scan} scan completed on /tmp: files 213, malware hits 0, cleaned hits 0
Apr 28 10:12:39 web05cp maldet(31517): {scan} scan report saved, to view run: maldet --report 042815-1012.31517

Gazoo commented 9 years ago

@dhardison The logs you submitted show that maldet is still trying to use the clamav scanner.

dhardison commented 9 years ago

@Gazoo Apologies, too many terminals open. I've tried every combination, extensions just aren't skipped.

I've configured ignore_file_ext to skip .com files, but eicar.com is still scanned and stopped.

cat ignore_file_ext

.com

--9d27ea1d-A--
[28/Apr/2015:11:40:31 --0400] VT@p75gB420AAHJfB64AAAAB 152.7.148.134 37033 152.1.227.109 80

--9d27ea1d-B--
POST /wrd/wp-admin/update.php?action=upload-theme HTTP/1.1
Host: woody
Connection: keep-alive
Content-Length: 627
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://woody
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6vlfLgwbwDcTo0YY
Referer: http://woody/wrd/wp-admin/theme-install.php?upload
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_37697072787136fbe1ad01e236858611=woody%7C1431021854%7CF8yc5uiROuv8wCgGP5mUS8Z2WSoNmNfGuVSYhElC92h%7C24fdff70ae5f9b13dcf14edffad707d18d509d4d3b45186cc22ffd670342dcd0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_37697072787136fbe1ad01e236858611=woody%7C1431021854%7CF8yc5uiROuv8wCgGP5mUS8Z2WSoNmNfGuVSYhElC92h%7C3d0a7dab0ee1c316b59495d64ce74214589a819f6ed63ed85335acc18af62340; wp-settings-1=libraryContent%3Dupload; wp-settings-time-1=1430235251; hsfirstvisit=http%3A%2F%2F%2Fmba%2F||1426860635744; hstc=232213632.47906c38e0585bc603a7661d34487ca5.1426860635746.1426860635746.1426882655096.2; hssrc=1; hubspotutk=47906c38e0585bc603a7661d34487ca5; WRAP_REFERER=https://here/cpanel-inventory; WRAP16=ZpD+ST79twJqN/QA/c0+QJmsSD6jJIBfFPHVbz7Mf9mvBXPkesO4mv/y4HLNo/CmgO6VcQxCjegteVQZ3YO+wDZ1ZFyfBBx//sAcYjFUaXYhCW9Hs9h+/EgWB6yeA8FQ; utma=1.1966845203.1421957202.1429534220.1429538338.4; utmc=1; __utmz=1.1423680460.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1966845203.1421957202

--9d27ea1d-C--
------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="_wpnonce"

3d3b7f174a
------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="_wp_http_referer"

/wrd/wp-admin/theme-install.php
------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="themezip"; filename="eicar.com"
Content-Type: application/octet-stream

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="install-theme-submit"

Install Now
------WebKitFormBoundary6vlfLgwbwDcTo0YY--

--9d27ea1d-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

--9d27ea1d-H--
Message: Access denied with code 403 (phase 2). File "/tmp//20150428-114031-VT@p75gB420AAHJfB64AAAAB-file-uRX2xE" rejected by the approver script "/usr/local/maldetect/modsec.sh": maldet(32246): {scan} setting nice scheduler priorities for all operations: cpunice 10 , ionice 6 [file "/usr/local/apache/conf/userdata/std/2_2/woody/modsec.conf"] [line "3"] [id "999999"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: default-handler
Stopwatch: 1430235631589732 203705 (- - -)
Stopwatch2: 1430235631589732 203705; combined=202043, p1=47, p2=201991, p3=0, p4=0, p5=5, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_perl/2.0.8 Perl/v5.10.1
Engine-Mode: "ENABLED"

--9d27ea1d-Z--

paulie51 commented 9 years ago

Hi,

That's maldet 1.5, isn't it? 1.4.2 (which you mentioned originally) doesn't have cpunice and ionice settings as I recall.

Anyway, the file that is being scanned is not eicar.com, it's got a different name:

Message: Access denied with code 403 (phase 2). File "/tmp//20150428-114031-VT@p75gB420AAHJfB64AAAAB-file-uRX2xE" rejected by the approver script "/usr/local/maldetect/modsec.sh": maldet(32246

mod_security passes the temporary file to modsec.sh before it's been parsed by PHP, so it doesn't have its final name.

Hope this helps

Paul.

paulie51 commented 9 years ago

Also regarding the original issue, currently ignore_sigs is only programmed to ignore maldet sigs not clamav sigs. Looking at the code ignoring sigs works by creating a temporary sig file for the run, which of course won't have much effect for clamscan (or in my case clamdscan).

I'm not a programmer, but an alternative approach would be to filter out the ignore_sigs after a hit is made (in record_hit or just before), which would work to filter out clamav signatures.

I'm still working on the ignore_file_ext to ascertain why that's not working. I don't believe it should work in the case of specifying a specific file (i.e. maldet -a eicar.txt), but it's not working for me when I scan a directory with eicar.txt in it.

Paul.
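
The post-hit filtering idea above, and the temp-file naming point from the earlier comment, as an added example (not LMD's own code): a small POSIX sh filter that drops "sig : path" hit lines against constructed ignore_sigs and ignore_file_ext contents. Because it compares signature names with the engine tag stripped, an entry listed with or without the {CAV} prefix matches a ClamAV hit the same way, and a ModSecurity temp file with no extension (as in the audit log) is correctly not skipped by extension. The config strings, helper names and sample hit lines are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical post-hit ignore filter for maldet-style "SIG  :  PATH" lines.
# Not part of LMD; demonstrates filtering after a hit is recorded so it works
# whether the hit came from the native scanner or from clamscan/clamdscan.

# Constructed stand-ins for /usr/local/maldetect/ignore_sigs and ignore_file_ext.
IGNORE_SIGS='{CAV}Eicar-Test-Signature
Some.Native.Sig'
IGNORE_EXTS='.txt
.com'

# strip_prefix SIG -> signature name without a leading {CAV}/{HEX}/{MD5} engine tag.
strip_prefix() {
    printf '%s\n' "$1" | sed 's/^{[A-Za-z0-9]*}//'
}

# ext_of PATH -> extension of the basename including the dot, or empty if none.
ext_of() {
    name="${1##*/}"
    case "$name" in
        *.*) printf '.%s\n' "${name##*.}" ;;
        *)   printf '\n' ;;
    esac
}

# is_ignored "SIG  :  PATH" -> exit 0 if the hit matches an ignore entry, 1 otherwise.
is_ignored() {
    sig=$(printf '%s\n' "$1" | sed 's/[[:space:]]*:.*$//')
    path=$(printf '%s\n' "$1" | sed 's/^[^:]*:[[:space:]]*//')
    bare=$(strip_prefix "$sig")
    # Signature match with the engine tag removed on both sides.
    if printf '%s\n' "$IGNORE_SIGS" | sed 's/^{[A-Za-z0-9]*}//' | grep -qFx -- "$bare"; then
        return 0
    fi
    # Extension match; a temp file without an extension never matches here.
    ext=$(ext_of "$path")
    if [ -n "$ext" ] && printf '%s\n' "$IGNORE_EXTS" | grep -qFx -- "$ext"; then
        return 0
    fi
    return 1
}

# filter_hits: read hit lines on stdin, print only the ones that are not ignored.
filter_hits() {
    while IFS= read -r line; do
        is_ignored "$line" || printf '%s\n' "$line"
    done
}
```

Running `printf '%s\n' '{CAV}Eicar-Test-Signature  :  /tmp/eicar.txt' | filter_hits` prints nothing, while a hit on a ModSecurity temp file with an unlisted signature passes through.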

rfxn commented 9 years ago

Ignore rules are now respected in monitor mode as well as between clam and native scan modes.