forked from rfxn/linux-malware-detect
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGELOG.RELEASE
134 lines (134 loc) · 12.6 KB
/
CHANGELOG.RELEASE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
v1.5 | ? ? 2015
[New] added -f|--file-list CLI option to allow user supplied run-time file list for scanning
[New] added -i|--include-regex CLI option for run-time path/file inclusion based on posix-egrep regular expressions
[New] added -x|--exclude-regex CLI option for run-time path/file exclusion based on posix-egrep regular expressions
[New] added support for custom md5/hex signatures with preservation across signature and version updates, files located at:
sigs/custom.md5.dat
sigs/custom.hex.dat
[New] custom signatures perform run-time conversion into clamscan compatible format on systems that use clamscan engine
[New] new md5 signature format (md5v2) now includes file size that an md5 hash was derived from in format of:
hash:filesize:signame
[New] added support for custom cleaner rules to be executed on clean events, file name format of
"clean/custom.signame"; rules are preserved across signature and version updates
[New] added URL import feature for global configuration overrides using import_config_url variable in conf.maldet
[New] added URL import feature for user custom signatures using import_sigs_md5_url & import_sigs_hex_url variables in conf.maldet
[New] added set of defined exit codes for errored exits(1), successful runs with hits(2), successful runs with no hits(0)
[New] added uninstall.sh script to maldetect installation path
[New] added md5 hash verification of signature and version update downloads
[New] added scan_cpunice option to control CPU priorty value of all scan operations such as find, clamscan etc.. (default 19)
[New] added scan_ionice option to control IO priority value of all scan operations such as find, clamscan etc.. (default 6)
[New] added autoupdate_signatures/autoupdate_version options to control daily cron based signature/version updates
[New] added autoupdate_version_hashed option to control validating hash of maldet executable against upstream version
[New] added support for virtualmin to cron.daily scans
[New] added support for ispmanager to cron.daily scans
[New] added support/detection of clamdscan to leverage memory preloaded signatures and multi-threaded scanning
[New] added scan_find_timeout option which controls the maximum execution time, in seconds, for the find command to generate a file list
[New] added scan_ignore_root option to exclude root owned files from scans
[New] added scan_ignore_user and scan_ignore_group options which allow for the exclusion of specified user and group names from scans
[New] added scan_export_filelist option allowing for daily scan of recent added/modified files to be exported to a static path
[New] added sourcing of of conf.maldet.cron into the cron.daily task which allows for cron specific configurations
[New] added inotify_reloadtime which controls the time at which inotify watcher will reload LMD configuration data
[New] added support for comma space (,) path list on CLI
[New] added reload option for monitor mode to invoke forced configuration reload (-m|--monitor reload)
[Change] modsec.sh has been renamed to hookscan.sh and more generic hook based scanning conventions set
[Change] hookscan.sh will now autodetect if clamdscan is running and perform scans through clamd when appropriate
[Change] hookscan.sh will now provide more verbose output on malware hit events
[Change] hookscan.sh now explicitly disables scanning of temporary paths, ensuring only requested file/paths are scanned
[Change] install.sh now gracefully handles upgrades when monitoring mode is enabled by restarting monitor mode
[Change] improved handling of single file scans which should now behave as expected
[Change] explicitly removed the inclusion of tmpdir paths during single file scans
[Change] automagically remove empty lines from ignore files
[Change] reordered configuration file, expanded on variable descriptions, overall attempt to simplify/streamline conf.maldet
[Change] installer symlinks LMD signatures into known/existing ClamAV paths to ensure signatures are loaded into memory by clamd
[Change] installer issues SIGUSR2 to any running clamd processes to force reload of signature databases
[Change] cron.daily signature updates issue SIGUSR2 to any running clamd processes to force reload of siganture databases
[Change] cron.daily signature/version updates sleep random interval 1-999 secs before contacting upstream rfxn.com servers to reduce cdn load
[Change] modified clamscan database path checks to support cPanel >=11.40 RPM clamAV connector RPM's
[Change] modified location of statistical data files from tmpdir to sessdir making tmpdir a stateless path that can be purged at anytime
[Change] when clamscan engine is enabled scan_max_filesize value is now set dynamically based on the largest known file in the md5v2 signature set
[Change] modified e-mail based alerts to source from an e-mail template file at .email.template
[Change] clamscan execution command logged to logs/clamscan_log to make debugging clamscan errors easier
[Change] clamscan stderr/stdout output now pipes to logs/clamscan_log and if clamscan returns an error code (2), flag with an appropriate
error message to check the clamscan_log file for more details
[Change] ambiguous variables renamed for better consistency and more logical naming conventions, documented in CHANGELOG.VARIABLES
[Change] modified sessionid values to derive from YYMMDD instead of MMDDYY and adjusted human readable report START/END date to include year value
[Change] modified view_report output to sort output on unix time of scan start times
[Change] signature updates now download as a single file tgz to reduce bandwidth usage and request load on upstream cdn
[Change] modified signature update function for additional error checking and better handling of zero sized signature downloads
[Change] modified version update function for additional error checking and better handling of zero sized file downloads
[Change] modified '-e|--report list' output include total files scanned, hits and cleaned results, reversed output order and
consistent column spacing (column -t)
[Change] moved tlog executable out of inotify/ path, changed inotify_log path to logs/, removed inotify directory
[Change] created logs/ path, moved event_log path to logs/
[Change] modified previous wget timeout values of 3s timeout & 3 retries to 5s timeout & 3 retries
[Change] wget timeout and retry attempts are now configurable through internals.conf wget_timeout & wget_retries variables
[Change] removed file type check on native LMD stage2 hex scanner which was part of legacy code and no longer needed
[Change] removed verbose progressive scan output for native LMD scanner as performance penalty was unreasonable
[Change] replaced usage of tmpwatch with find in cron.daily for temporary path pruning
[Change] removed internals.conf from version check hashing for installation version updates (-d|--update-ver)
[Change] cron.daily now tests for directadmin and scans appropriate user domain paths
[Change] directory checkout uploads limited to maximum of 50 files
[Change] added tmpdir_paths option to explicitly scan known temporary (world-write) paths on all scan types
[Change] updated example ModSecurity rule in README file for compatibility with ModSec 2.7 which now requires
every rule, even hooks, to have a rule ID
[Change] -r|--recent scan now uses mtime and ctime, instead of just mtime, to find recently changed/modified files
[Change] LMD v1.4.2+ will now use the new md5 v2 signature format and make direct requests on signature
updates to the appropriate upstream file (md5v2.dat); old format, md5 v1, preserved in signature
releases for compatibility of pre-1.4.2 releases
[Change] modified hexfifo.pl & hexstring.pl to accept user supplied value for path to hex signature file
[Change] install.sh now deletes LMD backup installation copies older than 30days
[Change] references to www.rfxn.com for remote signature and version updates now query cdn.rfxn.com
[Change] cleaner rules are now executable scripts in which infected files are passed as an argument ($1)
allowing for a diverse set of cleaner rule options apart from the previous sed only setup
[Change] converted current cleaner rules to new executable scripts format
[Change] checkout uploads now store malware in the filename format of (hostid is an anonymous md5 identifier):
$hostid.$RANDOM.$filename.[ascii|bin]
[Change] inotifywait from inotify-tools is no longer packaged with LMD, it should be downloaded in binary or
source form from:
https://github.com/rvoicilas/inotify-tools/wiki/
binary versions are also available from dag repo at:
http://pkgs.repoforge.org/inotify-tools/
[Change] internals.conf will now attempt to detect the path to inotifywait from $PATH
[Change] inotify max_user_watches was static set to 128, now configurable with inotify_user_watches
[Change] inotify values for max_user_instances|watches will first be checked and only modified if the existing
values are lower than what maldet requires
[Change] modified error output for missing inotifywait to display URL to inotify-tools github page
[Change] modified default scan_hexdepth value to 65k as a result of improved scan efficiency in native scanner engine
[Change] added backwards compatibility for all pre-v1.5 configuration options however they should be considered deprecated and will be removed in the future
[Change] expanded on EICAR test signature support for native LMD scanner engine to better facilitate testing of functional installed signature set
[Change] added scan/find elapsed execution time values to scan report and cli output
[Change] relocated internal files into $inspath/internals/
[Change] created generic clean_exit() function to handle file cleanups on all fatal exist and replaced many random rm -f calls with it
[Change] moved all pre/post actions into a prerun() and postrun() functions
[Change] moved statistical logging to record_hits() function
[Change] quarantine() function borrows stat file data from record_hits to reduce calls to stat
[Change] more extensible cleaner rules with additional input arguments:
$1 file path, $2 signame, $3 owner.group, $4 file_chmod, $5 file_size, $6 file_md5
[Change] added additional fields file_size and file_md5 to quarantine info file
[Change] added caching support for import_config_url with import_config_expire to control expiry interval
[Change] stricter handling of variable definitions which contain dynamic variable values
[Change] modified daily cron recent range from 2 to 1 as mtime/ctime values are n*24h, as such value of 1 is equal to two days
[Change] modified daily cron to use comma spaced path lists instead of multiple maldet executions
[Change] changed quarantine malware cleaning default value to 0
[Change] use of clamav engine output statement now more verbose
[Change] previously LMD only linked clamav signatures into clamav data paths on install, this is now done after each signature update
[Fix] quote syntax error in scan.etpl
[Fix] help output for -k|--kill-monitor incorrectly referred to --kill instead of --kill-monitor
[Fix] inotify_user_instances was defined in internals.conf incorrectly as inotify_user_watches
[Fix] tlog executable was not being set +x during installation
[Fix] install.sh was attempt to create default event_log while the parent directory did not yet exist
[Fix] invalid find expression was causing find to return directory paths on recent scans
[Fix] OSTYPE env checking was not properly matching on all FreeBSD versions
[Fix] renamed alert() to genalert() to avoid builtin function conflict on Ubuntu
[Fix] corrected -r|--recent scan mode trap on SIGINT (CTRL+C) not calling trap_exit() for cleanup actions
[Fix] modified native LMD scanner to better leverage bash internal field separator for handling of paths with spaces
[Fix] modified all calls to system executables to use paths derived from $PATH
[Fix] suppressed ignore signature count being displayed when calling with --modsec
[Fix] set modsec.sh to use /bin/bash as interpreter instead of /bin/sh for compatibility
[Fix] removed MAILTO & SHELL variables from crons which were causing crond 'bad minute' errors on some systems
[Fix] quoted extension values from ignore_file_ext input to provide consistent behavior
[Fix] added trailing slash '/' to all cron.daily scan (find) paths to properly handle symlinked paths
[Fix] install.sh now links LMD clamav signatures into all clamav data paths it finds instead of just the first
[Fix] clean() function was improperly exiting after first file hit clean attempt and ignoring all other hits
[Fix] set interpreter in uninstall.sh to /bin/bash instead of /bin/sh for better compatibility
[Fix] modified psa scan paths to pull in top level and sub domain content