| Current Path : /proc/3/task/3/cwd/usr/local/maldetect.bk15949/ |
| Current File : //proc/3/task/3/cwd/usr/local/maldetect.bk15949/CHANGELOG |
v1.6.4 | Mar 18 2019:
[New] add quarantine_on_error variable to control quarantine behavior when scanner engines such as ClamAV encounter an error
[New] add support for slack alerts; pr #240 mostafahussein
[New] add ability to disable cron via conf.maldet; issue #260 / pr #300 , #304 sporks5000
[New] add cleaner rule for php.malware.magentocore_ccskim and an alias of as php_malware_hexinject for associated yara rule
[Change] update cron.daily for ispmanager5; pr #305 yogsottot
[Change] normalize variable naming of pr #300 , #304
[Change] validate cron_daily_scan is set; otherwise default to 1
[Change] update importconf for cron_daily_scan block
[Change] don't need "find" if given a file list; pr# 303 sporks5000
[Change] rename ambiguous internal variables related to user signatures
[Change] removed clamscan_return code capture from piped logic of clam(d)scan execution; now always capture return code, even on good exits
[Change] scan results now explicitly exclude any occurrences of files related to 'no reply from clamd' errors
[Change] add backward compatibility for renamed internals.conf variables
[Change] removed legacy $verbose tagging at the end of eout() calls
[Change] modified cleaner rules to set their own PATH scoping
[Change] file_stat() has been renamed get_filestat to match associated quar_get_filestat function naming
[Change] get_file_stat() will now grab md5 hash of files to avoid superfluous md5sum calls
[Change] added inotify elapsed run time to scan report output
[Change] adjust '-e|--report' output for etime value and spacing
[Change] force email_ignore_clean=1 to stop the most common email requested issue
[Fix] hitname not logging to quarantine.hist on manual quarantine run against scanid; issue #319
[Fix] typo in PR #300; missing '; then' on elif
[Fix] set default_monitor_mode to resolve issue #311 systemd service passing $default_monitor_mode as a literal string to the service
[Fix] sad mail/sendmail validation logic, fix issue #316
[Fix] normalized scan start time output in scan reports when inotify monitoring is used
[Fix] scan report list summary to always display an etime value, even if null
[Fix] ad-hoc clean calls from clean_hitlist() was not executing sigignore and gensigs functions causing clean tasks to fail due to missing variables; issue #203
[Fix] adjust semantics of comma and spaced variables being passed to '-co|--config-option'; pr #298 sporks5000
[Fix] modified quarantine_hits to force disable if clamdscan explicitly encounters a 'no reply from clamd' fatal error
[Fix] modified install.sh 'ps' execution to be BSD compliant
[Fix] clean function was not properly stripping {CAV} and {YARA} prefixes from signature names when executing cleaner rules
[Fix] clean function was not properly handling signature names with both underscores and periods
[Fix] refactored clean_hitlist() & clean() functions to resolve pathing errors when cleaning previous session hits; issue #203
[Fix] ignore_inotify file exist/empty file negative match; issue #330
[Fix] operator issue cron.daily #331
[Fix] install.sh $ver required major numbering; renamed to ver_major so that session preservation semantics continue to work
v1.6.3 | Sep 01 2018:
[Fix] ensure clamscan_max_filesize is always set; pr #296
[Fix] remove escaping from inotifywait exclude regexp; pr #246 issue #205
[Fix] always set a value for monitor mode systemd unit; pr #257
[Fix] quar_get_filestat variable collisions during restore operations
[Fix] quarantine files could be prematurely deleted, during 'cron.daily/maldet', on distributions where the 'mv' command
preserves origin file mtime; call 'touch' on quarantined files to set current mtime post-move to quarantine path; issue #294
[Fix] update tlog inotify tracking file before trimming to prevent rescan loop; pr #292
[Fix] revert pruning empty lines from signature files to 1.6.1 behavior
[Fix] usage semantics of cd'ing to a wildcard path on newer versions of Bash were causing version updates to fail; we now explicitly
'cd' to maldetect-${upstreamver}
[Fix] spelling corrections; pr# 269
[Change] update importconf text to reflect monitor mode on systemd behavior
[Change] on restore actions, reset restored files to original mtime value
[Change] increase default remote_uri timeout from 10s to 30s
[Change] increase default remote_uri tries from 3 to 4
[Change] added base_domain variable to internals.conf
[Change] cleanup .tgz/.md5 files on version updates mid-flight to prevent potential 'cd: too many arguments' errors
[Change] trim inotify log from beginning instead of end of file; pr #292
[Change] user mode scanning no longer scans system temporary paths; issue #283
[Change] improve regexp of scan start time values for '-e|--list' output
[Change] added '--beta' flag to '-d|--update-ver' to support pulling down beta release of LMD
[Change] stage v1.6.3 release; update version and date stamps
[Kudos] Thank you to those that contributed pull requests and issues during this release cycle. PR contributions from:
sporks5000
jsoref
Joshua-Snapp
mkubenka
jkronza
AnnopAlias
v1.6.2 | Jul 13 2017:
[Fix] signature updates using get_remote_file() would incorrect write temporary update files into /; issue #242
[Fix] added 'which curl' and 'which wget' for variable scoping of binary locations into internals.conf; issue #237
[New] added support to send email through 'sendmail' binary as alternative to 'mail'; pr #241 & issue #238
v1.6.1 | May 28 2017:
[New] added conf.maldet option cron_prune_days to configure cron.daily pruning max age of quar/sess/tmp data; issue #197
[New] added curl support, as new default, into get_remote_file; wget support is preserved secondary to curl; issue #200
[New] added --force option on -u|--update-sigs
[New] added --force option on -d|--update-ver
[New] added empty lines cleaner for runtime signatures and sorting of hdb for better performance; pr #223
[Change] modified default prune interval of quarantine/sess/tmp data from older than 7d to 21d
[Change] set email alerts to disabled when -z $mail / issue verbose warning on CLI; issue #220
[Change] scan_export_filelist feature had no real need to be limited to just cron runs;
modified so when set, it will export find results for all '-r|--recent' scans
[Change] updated help and README to reflect '--force' option on '-u|--update-sigs' and '-d|--update-ver'
[Change] post-change to get_remote_file(); signature version file was truncating with tmp file for maldet-clean
[Change] replaced all calls of wget with get_remote_file()
[Change] refactored get_remote_file() to be more generic / not depend on wget
[Change] increased default values for wget --timeout from 5 to 10 seconds
[Change] replace egrep with posix 'grep -E'; direct invocation of egrep/fgrep is deprecated; pr #214
[Fix] modified sourcing of conf files and order of precedence in mald…et.sh init script to properly
treat default_monitor_mode being defined in conf.maldet; issue #224
[Fix] escape quotes within eval md5sum command as fix for issues #230 and #216
[Fix] test condition for systemd was generating unary errors on older versions of bash; pr #36
[Fix] systemd based systems were skipping addition of sysconfig entry; pr #36
[Fix] install.sh find operation to prune old install backups was generating error when no previous installs existed
[Fix] wgetopt was single quoted making the variables inside of it strings, set double quotes
[Fix] potential out of memory issue while scanning a large set of files on native LMD scanner; pr #223
[Fix] -f option issue with relative path message; pr #223
[Fix] issue with checkout of relative file path for non root user; pr #223
v1.6 | Mar 17 2017:
[New] added curated set of YARA webshell & malware signatures for use with ClamAV >= 0.99b
[New] added cleaner rule 'VisitorTracker.Mob'
[New] added cleaner rule 'js.inject.fakejquery02'
[New] added support for 'froxlor' to cron.daily execution
[New] added support for 'vestacp' to cron.daily execution
[New] added support for 'ispconfig3' to cron.daily execution
[New] added support for 'DTC' to cron.daily execution
[New] added '$confpath', '$varlibpath' and '$libpath' for FHS separation
[New] moved compatibility (legacy) variables out of internals.conf into compat.conf
[New] added support to pull configuration variables for cron executions from 'sysconfig/maldet'
[New] added Debian derivatives sysconfig and initd compatibility for function sourcing and subsys locking
[New] added LSB tags to init script
[New] added capability of moving public scan path with $userbasedir variable
[New] manpage added and setup default with install.sh execution
[New] added support for clamd running as an unprivileged user through clamdscan w/ --fdpass options
[New] added --wget-proxy CLI option for http(s) proxy support
[New] added clam(d)scan_extraopts variables to internals.conf for appending extra CLI options on clam(d)scan;
these values can also be defined in sysconfig or cron/exec based config files and on CLI
[New] sysconfig support through '/etc/sysconfig/maldet' or '/etc/default/maldet', system dependant, to
allow easier configuration overrides; all conf.maldet and internals.conf variables supported
[Change] file stat calls replaced with function file_stat
[Change] stat calls are now (Free|Net)BSD compatible through file_stat function
[Change] report listing, '-e|--report list', now displays scan run time
[Change] scan reports and cli outputs once again display simplified path definitions instead of expanded paths
[Change] unified all clamav selection logic for data paths, running clamd processes, clam(d)scan CLI options etc...
into a single function, clamselector(); this will make clam behavior more predictable across all functions
[Change] added subdomains path for ISPConfig to cron.daily
[Change] corrected variable naming semantics for import_*_(md5|hex)_url parameters
[Change] monitor mode now identifies inotifywait processes based on a string pattern unique to maldet
to avoid conflicts with any other inotifywait processes
[Change] added wget_proxy variable for us in sysconfig and conf.maldet options
[Change] YARA-LMD curated signature set will now be included with signature updates
[Change] differentiate signature hits for YARA with '{YARA}' signame prefix
[Change] inotify_docroot now accepts comma or white spaced list of paths under user root to monitor
[Change] removed absolute path usage from 'pidof'
[Change] drop unneeded usage of shebang from sourced configuration files
[Change] modified shebang usage with 'env' prefix for portability
[Change] temporary path usage now consistently using $tmpdir value
[Change] scan paths must now be absolute paths
[Change] modified init script stop function for Debian derivatives
[Change] improved history tracking with proper date stamps, more verbose quarantine history logging and storing
into more explicitly named files '$sessdir/hits.hist' and '$sessdir/quarantine.hist'
[Change] added scan_days value to cron.daily allowing customization of the date range scanned by daily cron
[Change] replaced remaining absolute calls to sigdirs with '$sigdir'
[Change] added Debian derivatives support for MONITOR_MODE checks
[Change] updated cron.daily to provide for a custom execution file and modified custom config file into
'cron/conf.maldet.cron' and 'cron/custom.cron'
[Change] install.sh cased variable on find execution
[Change] symlink hookscan.sh to modsec.sh for pre-v1.5 compat
[Change] added '^/tmp/clamav-.*' to ignored paths where ownership matches clamd process
[Change] preserve custom cron configuration files on upgrade
[Change] hookscan.sh was calling LMD using legacy, deprecated, '--config-option' options
[Change] normalize installation path variable between LMD proper and installation scripts
[Change] reduced redundant path definitions
[Change] added test for main.cvd and main.cld in determining clamav signature paths
[Change] README changes to reflect new cron customization setup
[Change] added attempting passive ftp when active fails for malware checkout uploads
[Change] .ca.def configuration template renamed importconf and now copied over during installation to
'internals/importconf'
[Change] new versions of 'chown' don't support use of . (dot) to separate user and group
[Change] find option regextype is now dropped on FreeBSD for compatibility
[Change] scan.tpl reporting template handles column spacing on filenames with spaces better
[Change] CLI usage semantics of --include-regex and --exclude-regex now consistently passing to 'find' command
[Change] moved all internal field separator line break modifications to lbreakifs()
[Change] quarantine .info file is now field separated with colon symbol (:)
[Change] quarantine .info file value ordering has been modified
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
[Change] record_hits() now writes file mode and file times (a|m|c) into hits history file
[Change] 'eval' is now used as a prefix on the 'find' command to better handle the complex set of options passed to 'find'
and avoid globbing, splitting and other bash'esque semantic issues
[Change] modified mkpubpaths cronjob to execute every 5 minutes instead of 10
[Change] public mode scanning errors are now more verbose
[Change] updated README to reflect required modsec >=2.9 variable 'SecTmpSaveUploadedFiles'
for upload scanning
[Change] hookscan.sh (modsec.sh) now checks for variable override file at conf.maldet.hookscan
[Change] added use of sed flag -E for FreeBSD compatibility with GNU sed usage
[Change] clamscan will now respect scan_max_filesize value instead of hardcoded 5M
[Change] default scan_max_filesize increased from 768k to 2048k
[Change] clamscan max-scansize for archive depth set as scan_max_filesize*2
[Fix] improved special character argument escaping for -a|-r options that could have caused arbitrary command
executions in environments where LMD was allowed to be called by non-root users and/or set-uid/gid wrappers
[Fix] FreeBSD calls to 'md5 -q' were being incorrectly escaped causing file names to never pass and return valid
md5 hash string; corrected by preprending 'eval' to the md5 command callouts.
[Fix] corrected typo with import_* variables causing configuration imports to fail
[Fix] suppress eout() output for certain import_*() and get_remote_file() calls; this was causing
false-positive hits for modsec integration
[Fix] install.sh may not have preserved certain variables on upgrade
[Fix] clamdscan was running as a non-root user, would generate lstat errors for all file find results
leading to potential false positive hit/quarantine
[Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on
startup due as a result of lstat errors on the custom user signature files stored under $tmpdir
[Fix] clamd.conf configurations containing Follow(File|Directory)Symlinks set to false results in
the rfxn.*/lmd.user.* links causing clamd startup failures
[Fix] suppress error output to cli for customer user signature files when they do not exist
[Fix] uninstall.sh now cleans up signature files from clamav data paths
[Fix] corrected invalid matching against clamdscan binary when clamd was running as non-root user
[Fix] inotifywait on Ubuntu12 doesn't support the '-o' and '-d' option; modified to send stdout to logfile
for better compatibility
[Fix] conditionally test for vz container and disable use of ionice which is not support in vz containers
[Fix] '-k|--kill-monitor' would under certain circumstances leave zombie processes
[Fix] monitor_cycle() could lead to memory depletion due to infinite loop cycle calls
[Fix] uninstall.sh was not shutting off monitor mode on uninstall
[Fix] legacy variable suppress_cleanhit references updated to email_ignore_clean
[Fix] email alerting broke during an iterative update due to order of precedence change of how configuration
files were loaded and compatibility (legacy) variables being set before main conf.maldet was loaded;
caused by FHS refactoring
[Fix] installation upgrade configuration importer was not properly executing after FHS refactoring during an
iterative update
[Fix] issue #167 certain variables not being preserved on importconf execution, updated 'compat.conf'
[Fix] custom signature runtime files could grow exponentially in monitor mode
[Fix] make '--mkpubpaths' option cross-platform compatible (debian, rh, bsd)
[Fix] replaced usage of 'awk' on file name sensitive variables with 'cut' and/or better scoped field separator for awk
[Fix] double quote wrapped file name variables properly on restore*() functions
[Fix] quarantine .info files were not properly recording source file atime,mtime,ctime values manual quarantine calls
[Fix] user supplied paths to CLI are now better handled if they contain special characters
[Fix] multiple user supplied paths to CLI would generate an error if the first path contained a space and
subsequent paths did not
[Fix] commit c8a1279 introduced bug where clamav could be fed zero sized signature files resulting in fatal exit
[Fix] public mode scanning will now properly error if mkpubpaths paths do not exist
[Fix] hookscan.sh (modsec.sh) will now default to not using clamav if clamd is not running
[Fix] though functional, public mode scanning would result in permission errors on console due to pathing issues with
history tracking files
[Fix] clam(d)scan was not respecting values in 'ignore_sigs' file, this has been corrected for both CLI and monitor mode
[Fix] addition of prefixing eval to find command required certain values to be escaped differently for proper function
of '-r|--recent'
[Fix] util-linux 2.23 supports 'column' command with '-o' but earlier versions do not, resulting in scan reports
generating empty hit lists
[Fix] importconf was setting invalid vars for custom signature imports; correct variables are import_custsigs_md5_url
and import_custsigs_hex_url
[Fix] multiplying maldet monitor processes due to 'ps' command expansion under parent bash process on CentOS6
[Fix] added default installation path to ignore_inotify to prevent monitor looping when '/' is scoped into
monitoring mode; results in notify log filling disk space
[Fix] importconf was not importing the value for import_config_url
v1.5 | Sep 19 2015:
[New] added -f|--file-list CLI option to allow user supplied run-time file list for scanning
[New] added -i|--include-regex CLI option for run-time path/file inclusion based on posix-egrep regular expressions
[New] added -x|--exclude-regex CLI option for run-time path/file exclusion based on posix-egrep regular expressions
[New] added support for custom md5/hex signatures with preservation across signature and version updates, files located at:
sigs/custom.md5.dat
sigs/custom.hex.dat
[New] custom signatures perform run-time conversion into clamscan compatible format on systems that use clamscan engine
[New] new md5 signature format (md5v2) now includes file size that an md5 hash was derived from in format of:
hash:filesize:signame
[New] added support for custom cleaner rules to be executed on clean events, file name format of
"clean/custom.signame"; rules are preserved across signature and version updates
[New] added support for clam(d) engine when running in inotify monitoring mode
[New] added URL import feature for global configuration overrides using import_config_url variable in conf.maldet
[New] added URL import feature for user custom signatures using import_custsigs_md5_url & import_custsigs_hex_url variables in conf.maldet
[New] added set of defined exit codes for errored exits(1), successful runs with hits(2), successful runs with no hits(0)
[New] added uninstall.sh script to maldetect installation path
[New] added md5 hash verification of signature and version update downloads
[New] added scan_cpunice option to control CPU priority value of all scan operations such as find, clamscan etc.. (default 19)
[New] added scan_ionice option to control IO priority value of all scan operations such as find, clamscan etc.. (default 6)
[New] added autoupdate_signatures/autoupdate_version options to control daily cron based signature/version updates
[New] added autoupdate_version_hashed option to control validating hash of maldet executable against upstream version
[New] added support for virtualmin to cron.daily scans
[New] added support for ispmanager to cron.daily scans
[New] added support/detection of clamdscan to leverage memory preloaded signatures and multi-threaded scanning
[New] added scan_find_timeout option which controls the maximum execution time, in seconds, for the find command to generate a file list
[New] added scan_ignore_root option to exclude root owned files from scans
[New] added scan_ignore_user and scan_ignore_group options which allow for the exclusion of specified user and group names from scans
[New] added scan_export_filelist option allowing for daily scan of recent added/modified files to be exported to a static path
[New] added sourcing of of conf.maldet.cron into the cron.daily task which allows for cron specific configurations
[New] added inotify_reloadtime which controls the time at which inotify watcher will reload LMD configuration data
[New] added support for comma space (,) path list on CLI
[New] added reload option for monitor mode to invoke forced configuration reload (-m|--monitor reload)
[New] added maldet init script for monitor mode with $default_monitor_mode conf.maldet variable
[New] added usage of /etc/sysconfig/maldet for configuration of monitor mode init/systemd options, overrides conf.maldet
[New] added support for 'cpulimit' usage, when installed, through scan_cpulimit and inotify_cpulimit configuration variables
[Change] increased randomness of quarantine temporary file names
[Change] added atime,mtime,ctime since epoch values into quarantine info files
[Change] monitor mode now supports all existing ignore options as well as enforcing minimum/maximum file sizes
[Change] monitor mode now supports hot configuration reloads by touching reload_monitor under installation path (e.g: touch /usr/local/maldetect/monitor_reload)
[Change] modsec.sh has been renamed to hookscan.sh and more generic hook based scanning conventions set
[Change] hookscan.sh will now autodetect if clamdscan is running and perform scans through clamd when appropriate
[Change] hookscan.sh will now provide more verbose output on malware hit events
[Change] hookscan.sh now explicitly disables scanning of temporary paths, ensuring only requested file/paths are scanned
[Change] install.sh now gracefully handles upgrades when monitoring mode is enabled by restarting monitor mode
[Change] improved handling of single file scans which should now behave as expected
[Change] explicitly removed the inclusion of tmpdir paths during single file scans
[Change] automagically remove empty lines from ignore files
[Change] reordered configuration file, expanded on variable descriptions, overall attempt to simplify/streamline conf.maldet
[Change] installer symlinks LMD signatures into known/existing ClamAV paths to ensure signatures are loaded into memory by clamd
[Change] installer issues SIGUSR2 to any running clamd processes to force reload of signature databases
[Change] cron.daily signature updates issue SIGUSR2 to any running clamd processes to force reload of signature databases
[Change] cron.daily signature/version updates sleep random interval 1-999 secs before contacting upstream rfxn.com servers to reduce cdn load
[Change] modified clamscan database path checks to support cPanel >=11.40 RPM clamAV connector RPM's
[Change] modified location of statistical data files from tmpdir to sessdir making tmpdir a stateless path that can be purged at anytime
[Change] when clamscan engine is enabled scan_max_filesize value is now set dynamically based on the largest known file in the md5v2 signature set
[Change] modified e-mail based alerts to source from an e-mail template file at .email.template
[Change] clamscan execution command logged to logs/clamscan_log to make debugging clamscan errors easier
[Change] clamscan stderr/stdout output now pipes to logs/clamscan_log and if clamscan returns an error code (2), flag with an appropriate
error message to check the clamscan_log file for more details
[Change] ambiguous variables renamed for better consistency and more logical naming conventions, documented in CHANGELOG.VARIABLES
[Change] modified sessionid values to derive from YYMMDD instead of MMDDYY and adjusted human readable report START/END date to include year value
[Change] modified view_report output to sort output on unix time of scan start times
[Change] signature updates now download as a single file tgz to reduce bandwidth usage and request load on upstream cdn
[Change] modified signature update function for additional error checking and better handling of zero sized signature downloads
[Change] modified version update function for additional error checking and better handling of zero sized file downloads
[Change] modified '-e|--report list' output include total files scanned, hits and cleaned results, reversed output order and
consistent column spacing (column -t)
[Change] moved tlog executable out of inotify/ path, changed inotify_log path to logs/, removed inotify directory
[Change] created logs/ path, moved event_log path to logs/
[Change] modified previous wget timeout values of 3s timeout & 3 retries to 5s timeout & 3 retries
[Change] wget timeout and retry attempts are now configurable through internals.conf wget_timeout & wget_retries variables
[Change] removed file type check on native LMD stage2 hex scanner which was part of legacy code and no longer needed
[Change] removed verbose progressive scan output for native LMD scanner as performance penalty was unreasonable
[Change] replaced usage of tmpwatch with find in cron.daily for temporary path pruning
[Change] removed internals.conf from version check hashing for installation version updates (-d|--update-ver)
[Change] cron.daily now tests for directadmin and scans appropriate user domain paths
[Change] directory checkout uploads limited to maximum of 50 files
[Change] added tmpdir_paths option to explicitly scan known temporary (world-write) paths on all scan types
[Change] updated example ModSecurity rule in README file for compatibility with ModSec 2.7 which now requires
every rule, even hooks, to have a rule ID
[Change] -r|--recent scan now uses mtime and ctime, instead of just mtime, to find recently changed/modified files
[Change] LMD v1.4.2+ will now use the new md5 v2 signature format and make direct requests on signature
updates to the appropriate upstream file (md5v2.dat); old format, md5 v1, preserved in signature
releases for compatibility of pre-1.4.2 releases
[Change] modified hexfifo.pl & hexstring.pl to accept user supplied value for path to hex signature file
[Change] install.sh now deletes LMD backup installation copies older than 30days
[Change] references to www.rfxn.com for remote signature and version updates now query cdn.rfxn.com
[Change] cleaner rules are now executable scripts in which infected files are passed as an argument ($1)
allowing for a diverse set of cleaner rule options apart from the previous sed only setup
[Change] converted current cleaner rules to new executable scripts format
[Change] checkout uploads now store malware in the filename format of (hostid is an anonymous md5 identifier):
$hostid.$RANDOM.$filename.[ascii|bin]
[Change] inotifywait from inotify-tools is no longer packaged with LMD, it should be downloaded in binary or
source form from:
https://github.com/rvoicilas/inotify-tools/wiki/
binary versions are also available from dag repo at:
http://pkgs.repoforge.org/inotify-tools/
[Change] internals.conf will now attempt to detect the path to inotifywait from $PATH
[Change] inotify max_user_watches was static set to 128, now configurable with inotify_user_watches
[Change] inotify values for max_user_instances|watches will first be checked and only modified if the existing
values are lower than what maldet requires
[Change] modified error output for missing inotifywait to display URL to inotify-tools github page
[Change] modified default scan_hexdepth value to 65k as a result of improved scan efficiency in native scanner engine
[Change] added backwards compatibility for all pre-v1.5 configuration options however they should be considered deprecated and will be removed in the future
[Change] expanded on EICAR test signature support for native LMD scanner engine to better facilitate testing of functional installed signature set
[Change] added scan/find elapsed execution time values to scan report and cli output
[Change] relocated internal files into $inspath/internals/
[Change] created generic clean_exit() function to handle file cleanups on all fatal exist and replaced many random rm -f calls with it
[Change] moved all pre/post actions into a prerun() and postrun() functions
[Change] moved statistical logging to record_hits() function
[Change] quarantine() function borrows stat file data from record_hits to reduce calls to stat
[Change] more extensible cleaner rules with additional input arguments:
$1 file path, $2 signame, $3 owner.group, $4 file_chmod, $5 file_size, $6 file_md5
[Change] added additional fields file_size and file_md5 to quarantine info file
[Change] added caching support for import_config_url with import_config_expire to control expiry interval
[Change] stricter handling of variable definitions which contain dynamic variable values
[Change] modified daily cron recent range from 2 to 1 as mtime/ctime values are n*24h, as such value of 1 is equal to two days
[Change] modified daily cron to use comma spaced path lists instead of multiple maldet executions
[Change] changed quarantine malware cleaning default value to 0
[Change] use of clamav engine output statement now more verbose
[Change] previously LMD only linked clamav signatures into clamav data paths on install, this is now done after each signature update
[Change] maldet.sh init script exites code 1 on status check when maldet monitor mode is not found running
[Change] monitor mode now invokes every 15 seconds, legacy installations will preserve 30 second cycle timing
[Change] modified shebang to use env bash for portability
[Fix] when clamdscan was running as a non-root user, would generate lstat errors for all file find results leading
to potential false positive hits/quarantines
[Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on startup due
as a result of lstat errors on the custom user signature files stored under $tmpdir
[Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the
rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy
signatures into clamav data paths instead of linking them
[Fix] inotify monitor execution now properly passes ionice configuration value
[Fix] monitor_paths was not being preserved on version updates
[Fix] record_hit() was not being invoked outside of clamscan based events
[Fix] monitor.pid file would potentially have an incorrect pid written to it on each execution of monitor_check()
[Fix] quote syntax error in scan.etpl
[Fix] help output for -k|--kill-monitor incorrectly referred to --kill instead of --kill-monitor
[Fix] inotify_user_instances was defined in internals.conf incorrectly as inotify_user_watches
[Fix] tlog executable was not being set +x during installation
[Fix] install.sh was attempt to create default event_log while the parent directory did not yet exist
[Fix] invalid find expression was causing find to return directory paths on recent scans
[Fix] OSTYPE env checking was not properly matching on all FreeBSD versions
[Fix] renamed alert() to genalert() to avoid builtin function conflict on Ubuntu
[Fix] corrected -r|--recent scan mode trap on SIGINT (CTRL+C) not calling trap_exit() for cleanup actions
[Fix] modified native LMD scanner to better leverage bash internal field separator for handling of paths with spaces
[Fix] modified all calls to system executables to use paths derived from $PATH
[Fix] suppressed ignore signature count being displayed when calling with --modsec
[Fix] set modsec.sh to use /bin/bash as interpreter instead of /bin/sh for compatibility
[Fix] removed MAILTO & SHELL variables from crons which were causing crond 'bad minute' errors on some systems
[Fix] quoted extension values from ignore_file_ext input to provide consistent behavior
[Fix] added trailing slash '/' to all cron.daily scan (find) paths to properly handle symlinked paths
[Fix] install.sh now links LMD clamav signatures into all clamav data paths it finds instead of just the first
[Fix] clean() function was improperly exiting after first file hit clean attempt and ignoring all other hits
[Fix] set interpreter in uninstall.sh to /bin/bash instead of /bin/sh for better compatibility
[Fix] modified psa scan paths to pull in top level and sub domain content
[Fix] corrected invalid matching against clamdscan binary when clamd was not available
v1.4.2 | Feb 25th 2013:
[New] detection and alerting of libkeyutils root compromised libraries
[Change] cron.daily now tests for directadmin and scans appropriate user domain paths
[Change] removed temporary paths /var/tmp, /tmp, and /dev/shm from cron.daily which are
now added explicitly to all scanning paths / modes
v1.4.1 | Nov 20th 2011:
[Change] rfxn.com ftp server moved and anonymous FTP checkout uploads changed
[Change] modsec.sh force sets clamav_scan=0 as native LMD scanner engine is faster on
single / small file sets
[Fix] correct plesk if statement added to to daily scan cronjob
[New] added -U|--user to force execution under defined user, ideal for restoring user
quarantined data or viewing user reports
e.g: maldet --user nobody --report
e.g: maldet --user nobody --restore 050910-1534.21135
[New] added public_scan variable to conf.maldet to control enabling of public mode
scanning, disabled by default
[New] added cron.d/maldet_pub cronjob to populate public user paths when public mode
scanning is enabled; does nothing when disabled
[Change] README file updated, had fallen behind on CLI usage help details
[New] added -co|--config-option for defining conf.maldet options on the CLI
[Fix] README, COPYING.GPL and CHANGELOG are now properly copied into the installation path
[Fix] version header in config import template was incorrect
[Fix] value of email_ignore_clean is now properly preserved on version upgrades
[New] added modsec.sh to allow for easy calls from mod_security2 inspectFile hook
[Change] autodetect executing uid and define public mode scanning variables
[New] added public mode scanning which redefines tmpdir, sessdir, quardir to pub/username/
directory tree for user initiated (non-root) scans
[Change] installation permissions changed to 644/755 for public mode support
[Change] revised (gz)base64 rules to be more specific thus reducing false positives
[Fix] tlog was set to use /bin/sh which breaks usage on systems with default shells other
than bash
v1.4.0 | Apr 17th 2011:
[Change] default editor now inherited from $EDITOR
[New] clamav signatures update through sigup(), -u|--update
[New] cleaner rules update through sigup(), -u|--update
[Change] added error checking for missing or corrupted signature files
[Fix] monitor_cycle() now properly trims inotify_log
[Fix] version dates in CHANGELOG for 1.3.8 -> current had 2010 instead of 2012
[New] added -b|--background flag to execute scans in background
[Change] cron.daily now uses the -b flag for background scanning
[Change] wget calls now use the --referer option to broadcast local LMD version
[Fix] replaced stray references of absolute install path with the install path variable
[New] stage2 (HEX) scanner now supports use of named pipe (FIFO) for passing file hex contents,
enabled by default, provides better performance with larger depth analysis of files
[New] added hex_fifo_scan & hex_fifo_depth variables to conf.maldet for fifo hex scanning
[Change] -c|--checkout now supports directory paths
[Change] -r|--scan-recent and -a|--scan-all now supports single file scans
[Fix] replaced absolute path to nice on inotifywait exec to which located variable value
[Change] added error checking for all internally required binaries e.g: wget, find, od etc...
[New] detection of ClamAV clamscan binary and usage as default scanner engine; when detected,
clamscan is executed on scan file lists using rfxn.com LMD clamav-compat sigs
[Change] added OSTYPE check for differentiating md5 sum binaries on linux and FreeBSD
[Change] added OSTYPE check on monitor mode to disable on FreeBSD, pending kqueue alternative
to inotifywait
[Fix] revised od flags for FreeBSD support
[Fix] ignore_inotify now properly interprets extended posix regexp as ignore parameters
[Change] added sample ignore values into ignore_inotify along with sane defaults to
ignore common noisy files
[New] added statistical analysis for string length to identify threats based on the longest
uninterrupted string within files, common of obfuscated code (e.g: base64, gzip etc...)
[New] added string_length_scan & string_length variables to conf.maldet for strlength scanning
[Fix] ignore_file_ext has been readded and now correctly ignores files based on extension
[Fix] replaced absolute path to mail with which located variable value
[Fix] lmdup() now properly errors out when rfxn.com web server is offline
[New] added clamav_scan variable to conf.maldet to toggle clamscan detection
[New] Full compatibility under the following distros has been verified :)
- FreeBSD 9.0-CURRENT
- RHEL/CentOS 5.6
- RHEL 6
- Fedora Core 14
- OpenSuse 11.4
- Suse Linux Enterprise Server 11 SP1
- Ubuntu Desktop/Server 10.10
- Debian 6.0.1a
[Change] updated README file for new features & vars, sample ignore usage, revised features
and updated cymru hash statistics
[Fix] relaxed grep for inotify sysfunctions to just inotify_ on System.map file
[New] can now pass list to -e|--report to view all available scan reports
e.g: maldet --report list
[New] can now pass an e-mail address to -e|--report to email a specific report
e.g: maldet --report SCANID user@domain.com
[New] added email_ignore_clean variable to suppress alerts where all hits are cleaned
v1.3.9 | Mar 16th 2011:
[Fix] ignore files are now properly imported on version updates
[Change] cron.daily now checks for version updates
[Fix] hexdepth greater than 65Kb caused an 'argument list too long' error with hexstring.pl
which would fail-clean any malware on hex checks
[Change] default hex depth increased to 61440 as there was an increasing margin of error on
missing threats due to them falling outside the default hexdepth; will add offset
option to signatures in the near future
[Change] updated cymru hash statistics in README file
v1.3.8 | Jan 30th 2011:
[Fix] revised inotify tracking log file to properly rotate instead of growing indefinitely
v1.3.7 | Nov 27th 2010:
[Fix] package ownership at some point got set to uid 501 instead of root
[Fix] daily cronjob now checks ps output for inotifywait proc instead of pidof
[Fix] monitor mode users would exit prematurely if a user home path did not exist
[Fix] a file hijacking race condition existed with quarantine mode restore function
[Fix] inotify max_user_instances value was being set to a value that would cause inotifywait
to fail
v1.3.6 | May 21st 2010:
[Fix] restore option will now handle session based restores for quarantines that
were manually invoked with -q|--quar SCANID
[Fix] session data gets recreated if it disappears during scan
v1.3.5 | May 18th 2010:
[Fix] tlog now handles data that logged between 0bytes and first wake cycle
[Fix] monitor_check now properly handles CREATE,ISDIR events
[Change] --alert-daily|weekly alerts have been changed similar to manual alerts
[Fix] cleaner was not properly running on monitor_check calls to scan files
[Fix] quar_suspend was not properly running on monitor_check calls to quar()
[Change] monitor tracker files now pass through trim_log to avoid oversizing
[Fix] monitor_check now properly handles path names with spaces
[Fix] monitor_check was throwing nx file/directory error for monitor.pid
[Fix] older bash versions were having trouble with the [[ =~ ]] regexp search
[Change] set all script files from shebang/bin/sh to shebang/bin/bash
[Change] --alert-daily|weekly will now only send alerts if hits were found
[New] -d|--update-ver now compares file hashes to determine update status
[Fix] suspend events were not properly being added to monitor alerts
[Change] all alerts have had spacing changes to make them more readable
[Fix] signature names now properly list for daily|weekly alerts hit list
[Fix] monitor_check will now recursive monitor newly created directories
[New] monitor daily|weekly alerts now save as a pseudo scan report with SCANID
[Fix] monitor reports now generate properly when quar_hits=0
v1.3.4 | May 16th 2010:
[Fix] cleaner function was not properly executing under certain conditions
[Change] additional error checking/output added to the cleaner function
[Change] default status output of scans changed for better performance
[New] added ignore_inotify for ignoring paths from the monitor service
[Change] updated ignore section of README
[Fix] backreference errors kicking from scan_stage1 function
[New] -d|--update-ver option added to update installed version from rfxn.com
[Change] updated short and long usage output for update-ver usage
[Fix] -k|--kill-monitor now properly kills only the inotifywait/monitor pid's
[Fix] monitor_cycle function now correctly stores its pid in the pidfile
[Fix] files with multiple events in the same waking cycle are only scanned once
[Change] install.sh now symlinks maldet executable to /usr/local/sbin/lmd
v1.3.3 | May 15th 2010:
[Fix] quarantined files were not properly dropping owner
[New] signature based, rule driven, cleaner component added
[New] base64.inject cleaner rule
[New] gzbase64.inject cleaner rule
[New] -n|--clean SCANID option added to batch clean scan all files from a scan
[Fix] made default install file/path permissions more strict (750/640)
[New] install.sh now preserves conf.maldet settings
[New] install.sh now links backups of old installation to INSTALL_PATH.last
[Fix] install.sh now properly imports session data from previous install
[New] -s|--restore can now take a SCANID to batch restore all files from a scan
[Change] improved the layout of conf.maldet; more scan options and commenting
[New] added quar_susp_minuid option for suspend user minimum user id
[Fix] inotify monitor now properly acts on MODIFY,MOVE_TO,MOVE_FROM states
[Change] inotify monitor now can take a list of paths or file for path input
[Change] inotify monitor now has no default use, must specify USER|FILE|PATHS
[Change] revised short and long usage output for new options/usage changes
[Change] inotify monitor now spawns only one process for all monitored paths
[Change] inotify monitor sets max_user_instances to processors*2
[Change] inotify monitor sets max_user_watches to inotify_base_watches*users
[Change] migrated all inotify options from internals.conf to conf.maldet
[New] added inotify_base_watches to conf.maldet for max file watches multiplier
[New] added inotify_nice to conf.maldet for run-time prio of inotifywait
[New] added inotify_webdir to conf.maldet for html/web root only monitoring
[Change] extensive format change to README
[Change] rewrote inotify section of README to reflect the many changes
[New] added cleaner section to README
[Change] -q|--quarantine now calls cleaner if quar_clean=1
[Change] -n|--clean can now do in place cleaning without quarantine
[Fix] cleaner function was not properly executing under certain conditions
v1.3.2 | May 13th 2010:
[New] added ignore files: ignore_paths , ignore_sigs
[Change] ignore_sigs is processed as a pre-scan component before all scans
[Change] revised README file to include details on new ignore options
[Change] signature counts now displayed pre-scan and post-update
[Change] install.sh now runs --update after installation
[Fix] -p|--purge now properly clears session state data
[New] added [ SIGNATURE UPDATES ] section to README file
[Fix] some functions were referencing full paths instead of the variable equivs
v1.3.1 | May 12th 2010:
[Fix] typo in report command eout()
[Fix] cron.daily tmpwatch on invalid path
[Change] redirect stdout to /dev/null on tmpwatch calls in cron.daily
[Change] better commented cron.daily actions
[Change] cron.daily scans will now hit /home*/*/public_html on non-ensim systems
[Change] inotify monitor now properly handles any user homedir paths
[Fix] sigup will now download full signature set when no sigs are found local
[Fix] rewrote 17 signatures that would never match due to hexdepth restrictions
[Fix] removed some HEX signatures derived from ClamAV that would never hit
[Change] files must now be >32bytes to be included in search results
[Change] search results default to a max directory depth of 15
[New] added vars for minfilesize and maxdepth scan options
[Change] updated inotifywait to v1.3.6, statically linked binary
[Info] signature RSS and XML data sources added, see:
http://www.rfxn.com/signature-updates-rss-feed/
[Info] LMD now has a homepage on rfxn.com:
http://www.rfxn.com/projects/linux-malware-detect/
[New] adopted new versioning scheme
[MAJOR].[MINOR].[REV]
1 3 1
v1.3 | May 11th 2010:
- First public release
v1.1 - v1.2 | Mar. 2010 - May 2010:
- Internal releases
v0.5 - v1.0 | Nov. 2009 - Feb. 2010:
- Closed beta
v0.4< | Oct. 2009:
- Internal releases
Copyright 2K16 - 2K18 Indonesian Hacker Rulez
;?>)