Join the community today
Become a Member

Security Extending Maldet Malware Detect Linux & ClamAV Signatures

Discussion in 'System Administration' started by eva2000, Jul 9, 2018.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:03 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod addons/maldet.sh auto installs Maldet (Malware Detect Linux) and ClamAV malware and anti-virus scanners for linux. Full details and particular note on quarantine option can be found at Maldet - Linux Malware Detect Addon (discussion). For specific instructions to install addons/maldet.sh here.

    The Maldet has it's own signature database but can use ClamAV's scanning engine instead of it's own to dramatically speed up scanning. Hence, why addons/maldet.sh installs and sets up both Maldet and ClamAV.

    This thread outlines how to extend ClamAV's own signature databases it uses to check for viruses and malware. I will show examples for both scanning using Maldet and ClamAV.

    Install addons/maldet.sh



    First install addons/maldet.sh as per instructions here. Edit addons/maldet.sh, and you'd need to fill in ALERTEMAIL='your@emailaddress.com' to get email alerts. The maldet.sh script should detect if ALERTEMAIL is empty and abort install until you fill in ALERTEMAIL variable.

    If you have a pushover.net account, you can also get mobile device push notifications for maldet detected malware hits/alerts by setting your pushover.net email i.e. youruserkey+devicename+p1@api.pushover.net and also configuring ALERT_POEMAIL='' variable in maldet.sh.
    Code (Text):
    # enter email address you want alerts sent to
    # i.e. your@domain.com
    ALERTEMAIL=''
    
    # enter your pushover.net email you want alerts sent to
    # i.e. youruserkey+devicename+p1@api.pushover.net
    ALERT_POEMAIL=''
    

    To install maldet.sh

    change into addons directory
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./maldet.sh
    


    Running maldet & clamav scans



    To run maldet scan and recursively check directories and subdirectories at /home/nginx/domains/
    Code (Text):
    time maldet -u; time maldet -a /home/nginx/domains/;
    

    To run clamav scan via clamscan
    Code (Text):
    time freshclam; time clamscan -ri /home/nginx/domains/;
    


    example output for maldet
    Code (Text):
    Linux Malware Detect v1.6.2
               (C) 2002-2017, R-fx Networks <proj@rfxn.com>
               (C) 2017, Ryan MacDonald <ryan@rfxn.com>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(13726): {sigup} performing signature update check...
    maldet(13726): {sigup} local signature set is version 2018070518685
    maldet(13726): {sigup} latest signature set already installed
    real    0m0.574s
    user    0m0.093s
    sys     0m0.109s
    
    Linux Malware Detect v1.6.2
               (C) 2002-2017, R-fx Networks <proj@rfxn.com>
               (C) 2017, Ryan MacDonald <ryan@rfxn.com>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(13835): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    maldet(13835): {scan} building file list for /home/nginx/domains/, this might take awhile...
    maldet(13835): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(13835): {scan} file list completed in 0s, found 12122 files...
    maldet(13835): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
    maldet(13835): {scan} scan of /home/nginx/domains/ (12122 files) in progress...
    
    maldet(13835): {scan} scan completed on /home/nginx/domains/: files 12122, malware hits 0, cleaned hits 0, time 91s
    maldet(13835): {scan} scan report saved, to view run: maldet --report 180708-1803.13835
    
    real    1m31.469s
    user    1m16.321s
    sys     0m11.502s
    

    example output for clamscan
    Code (Text):
    ClamAV update process started at Sun Jul  8 18:03:19 2018
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cld is up to date (version: 24734, sigs: 2007489, f-level: 63, builder: neo)
    bytecode.cld is up to date (version: 322, sigs: 90, f-level: 63, builder: neo)
    
    real    0m0.008s
    user    0m0.003s
    sys     0m0.004s
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 6583036
    Engine version: 0.100.0
    Scanned directories: 2086
    Scanned files: 12283
    Infected files: 0
    Data scanned: 201.21 MB
    Data read: 194.84 MB (ratio 1.03:1)
    Time: 120.241 sec (2 m 0 s)
    
    real    2m0.248s
    user    1m47.283s
    sys     0m11.967s
    


    Extending ClamAV Signatures



    You can use 3rd party compiled malware/virus signature databases to extend ClamAV's signature database collection. Some additional sources are from
    Add the following database lines into /etc/freshclam.conf at very bottom of file
    Code (Text):
    DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
    DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
    DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
    DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp
    DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
    DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb
    DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.yara
    DatabaseCustomURL https://rbldata.interserver.net/interserver256.hdb
    DatabaseCustomURL https://rbldata.interserver.net/interservertopline.db
    DatabaseCustomURL https://rbldata.interserver.net/shellb.db
    DatabaseCustomURL https://rbldata.interserver.net/shell.hdb
    DatabaseCustomURL https://rbldata.interserver.net/whitelist.fp
    


    Updated: April 6th, 2021 also added Interserver.net curated signatures as well.

    Interserver.net
    malware expert outlines what those databases contain:
    Pay attention to malware.expert.ndb database it may contain false positive alert/alarms due to normal PHP code having legit use for specific PHP patterns i.e. eval/base64 so you will need to bare that in mind and inspect manually the files it reports as malware.

    example scan with extended ClamAV signature databases
    Code (Text):
    time freshclam; time clamscan -ri /home/nginx/domains/;
    ClamAV update process started at Sun Jul  8 18:20:04 2018
    malware.expert.ndb is up to date (version: custom database)
    malware.expert.hdb is up to date (version: custom database)
    malware.expert.ldb is up to date (version: custom database)
    malware.expert.fp is up to date (version: custom database)
    rfxn.ndb is up to date (version: custom database)
    rfxn.hdb is up to date (version: custom database)
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cld is up to date (version: 24734, sigs: 2007489, f-level: 63, builder: neo)
    bytecode.cld is up to date (version: 322, sigs: 90, f-level: 63, builder: neo)
    
    real    0m0.442s
    user    0m0.009s
    sys     0m0.012s
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 6584398
    Engine version: 0.100.0
    Scanned directories: 2086
    Scanned files: 12283
    Infected files: 0
    Data scanned: 201.21 MB
    Data read: 194.84 MB (ratio 1.03:1)
    Time: 125.575 sec (2 m 5 s)
    
    real    2m5.583s
    user    1m51.515s
    sys     0m13.688s
    

     
    Last edited: Apr 6, 2021
  2. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:03 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Notes


    • vBulletin forum users should not use Maldet as vB code has alot of evals in it that can cause Maldet to report and quarantine false positive malware explained here. Some Xenforo/Wordpress addons/plugins may also have false positives. Or if you do want to run on vBulletin forum installed servers, you want to disable maldet auto quarantine option in maldet config file /usr/local/maldetect/conf.maldet - which is enabled by default for CentOS 6, setting is quar_hits=0 and CentOS 7 setting is quarantine_hits="0" to disable
    • maldet automatically runs nightly via cronjob so if you are unsure if you have php scripts that cause false positives, you'd want to disable maldet auto quarantine option in maldet config file /usr/local/maldetect/conf.maldet - which is enabled by default for CentOS 6, setting is quar_hits=0 and CentOS 7 setting is quarantine_hits="0" to disable
    • Pay attention to malware.expert.ndb database it may contain false positive alert/alarms due to normal PHP code having legit use for specific PHP patterns i.e. eval/base64 so you will need to bare that in mind and inspect manually the files it reports as malware.
     
  3. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:03 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Clamscan help


    Code (Text):
    clamscan --help
    
                           Clam AntiVirus: Scanner 0.100.0
               By The ClamAV Team: https://www.clamav.net/about.html#credits
               (C) 2007-2018 Cisco Systems, Inc.
    
        clamscan [options] [file/directory/-]
    
        --help                -h             Show this help
        --version             -V             Print version number
        --verbose             -v             Be verbose
        --archive-verbose     -a             Show filenames inside scanned archives
        --debug                              Enable libclamav's debug messages
        --quiet                              Only output error messages
        --stdout                             Write to stdout instead of stderr
        --no-summary                         Disable summary at end of scanning
        --infected            -i             Only print infected files
        --suppress-ok-results -o             Skip printing OK files
        --bell                               Sound bell on virus detection
    
        --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
        --leave-temps[=yes/no(*)]            Do not remove temporary files
        --gen-json[=yes/no(*)]               Generate JSON description of scanned file(s). JSON will be printed and also-
                                             dropped to the temp directory if --leave-temps is enabled.
        --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load all supported db files from DIR
        --official-db-only[=yes/no(*)]       Only load official signatures
        --log=FILE            -l FILE        Save scan report to FILE
        --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
        --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
        --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
        --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
        --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
        --file-list=FILE      -f FILE        Scan files from FILE
        --remove[=yes/no(*)]                 Remove infected files. Be careful!
        --move=DIRECTORY                     Move infected files into DIRECTORY
        --copy=DIRECTORY                     Copy infected files into DIRECTORY
        --exclude=REGEX                      Don't scan file names matching REGEX
        --exclude-dir=REGEX                  Don't scan directories matching REGEX
        --include=REGEX                      Only scan file names matching REGEX
        --include-dir=REGEX                  Only scan directories matching REGEX
    
        --bytecode[=yes(*)/no]               Load bytecode from the database
        --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
        --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
        --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
        --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
        --exclude-pua=CAT                    Skip PUA sigs of category CAT
        --include-pua=CAT                    Load PUA sigs of category CAT
        --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
        --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
        --structured-ssn-count=N             Min SSN count to generate a detect
        --structured-cc-count=N              Min CC count to generate a detect
        --scan-mail[=yes(*)/no]              Scan mail files
        --phishing-sigs[=yes(*)/no]          Signature-based phishing detection
        --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
        --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
        --phishing-ssl[=yes/no(*)]           Always block (flag) SSL mismatches in URLs (phishing module)
        --phishing-cloak[=yes/no(*)]         Always block (flag) cloaked URLs (phishing module)
        --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics
        --algorithmic-detection[=yes(*)/no]  Algorithmic detection
        --normalize[=yes(*)/no]              Normalize html, script, and text files. Use normalize=no for yara compatibility
        --scan-pe[=yes(*)/no]                Scan PE files
        --scan-elf[=yes(*)/no]               Scan ELF files
        --scan-ole2[=yes(*)/no]              Scan OLE2 containers
        --scan-pdf[=yes(*)/no]               Scan PDF files
        --scan-swf[=yes(*)/no]               Scan SWF files
        --scan-html[=yes(*)/no]              Scan HTML files
        --scan-xmldocs[=yes(*)/no]           Scan xml-based document files
        --scan-hwp3[=yes(*)/no]              Scan HWP3 files
        --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
        --detect-broken[=yes/no(*)]          Try to detect broken executable files
        --block-encrypted[=yes/no(*)]        Block (flag) encrypted archives
        --block-macros[=yes/no(*)]           Block (flag) OLE2 files with VBA macros
        --block-max[=yes/no(*)]              Block (flag) files that exceed max file size, max scan size, or max recursion limit
        --nocerts                            Disable authenticode certificate chain verification in PE files
        --dumpcerts                          Dump authenticode certificate chain in PE files
    
        --max-filesize=#n                    Files larger than this will be skipped and assumed clean
        --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
        --max-files=#n                       The maximum number of files to scan for each container file (**)
        --max-recursion=#n                   Maximum archive recursion level for container file (**)
        --max-dir-recursion=#n               Maximum directory recursion level
        --max-embeddedpe=#n                  Maximum size file to check for embedded PE
        --max-htmlnormalize=#n               Maximum size of HTML file to normalize
        --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
        --max-scriptnormalize=#n             Maximum size of script file to normalize
        --max-ziptypercg=#n                  Maximum size zip to type reanalyze
        --max-partitions=#n                  Maximum number of partitions in disk image to be scanned
        --max-iconspe=#n                     Maximum number of icons in PE file to be scanned
        --max-rechwp3=#n                     Maximum recursive calls to HWP3 parsing function
        --pcre-match-limit=#n                Maximum calls to the PCRE match function.
        --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.
        --pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matching.
        --disable-cache                      Disable caching and cache checks for hash sums of scanned files.
    
    Pass in - as the filename for stdin.
    
    (*) Default scan settings
    (**) Certain files (e.g. documents, archives, etc.) may in turn contain other
       files inside. The above options ensure safe processing of this kind of data.
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:03 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    maldet help


    Code (Text):
    maldet --help
    Linux Malware Detect v1.6.2
                (C) 2002-2017, R-fx Networks <proj@rfxn.com>
                (C) 2017, Ryan MacDonald <ryan@rfxn.com>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    signature set: 2018070518685
    usage /usr/local/sbin/maldet [ OPTION ]
        -b, --background
          Execute operations in the background, ideal for large scans
          e.g: maldet -b -r /home/?/public_html 7
    
        -u, --update-sigs [--force]
           Update malware detection signatures from rfxn.com
    
        -d, --update-ver [--force]
           Update the installed version from rfxn.com
    
        -f, --file-list
           Scan files or paths defined in line spaced file
           e.g: maldet -f /root/scan_file_list
    
        -r, --scan-recent PATH DAYS
           Scan files created/modified in the last X days (default: 7d, wildcard: ?)
           e.g: maldet -r /home/?/public_html 2
    
        -a, --scan-all PATH
           Scan all files in path (default: /home, wildcard: ?)
           e.g: maldet -a /home/?/public_html
    
        -i, --include-regex REGEX
           Include paths/files from file list based on supplied posix-egrep regular
           expression.
           e.g: To include only paths named wp-content and files ending in .php:
           --include-regex ".*/wp-content/.*|.*.php$"
    
        -x, --exclude-regex REGEX
           Exclude paths/files from file list based on supplied posix-egrep regular
           expression.
           e.g: To exclude paths containing 'wp-content/w3tc/' and core files:
           --exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"
    
        -m, --monitor USERS|PATHS|FILE|RELOAD
           Run maldet with inotify kernel level file create/modify monitoring
           If USERS is specified, monitor user homedirs for UID's > 500
           If FILE is specified, paths will be extracted from file, line spaced
           If PATHS are specified, must be comma spaced list, NO WILDCARDS!
           e.g: maldet --monitor users
           e.g: maldet --monitor /root/monitor_paths
           e.g: maldet --monitor /home/mike,/home/ashton
    
        -k, --kill-monitor
           Terminate inotify monitoring service
    
        -c, --checkout FILE
           Upload suspected malware to rfxn.com for review & hashing into signatures
    
        -l, --log
           View maldet log file events
    
        -e, --report SCANID email
           View scan report of most recent scan or of a specific SCANID and optionally
           e-mail the report to a supplied e-mail address
           e.g: maldet --report
           e.g: maldet --report list
           e.g: maldet --report 050910-1534.21135
           e.g: maldet --report SCANID user@domain.com
    
        -s, --restore FILE|SCANID
           Restore file from quarantine queue to orginal path or restore all items from
           a specific SCANID
           e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
           e.g: maldet --restore 050910-1534.21135
    
        -q, --quarantine SCANID
           Quarantine all malware from report SCANID
           e.g: maldet --quarantine 050910-1534.21135
    
        -n, --clean SCANID
           Try to clean & restore malware hits from report SCANID
           e.g: maldet --clean 050910-1534.21135
    
        -U, --user USER
           Set execution under specified user, ideal for restoring from user quarantine or
           to view user reports.
           e.g: maldet --user nobody --report
           e.g: maldet --user nobody --restore 050910-1534.21135
    
        -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
           Set or redefine the value of conf.maldet config options
           e.g: maldet --config-option email_addr=you@domain.com,quarantine_hits=1
    
        -p, --purge
           Clear logs, quarantine queue, session and temporary data.
    
        --web-proxy IP:PORT
           Enable use of HTTP/HTTPS proxy for all remote URL calls.
    
     
Thread Status:
Not open for further replies.