Anti virus
= Description =

[[ASL]] has built in kernel level real time malware protection as well as upload malware protection, and on demand malware scanning.

= Configuration =

== General Options ==

See this article for instructions about where to access these options in the ASL web console:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#Post_Installation_Configuration

==== CLAMAV_ENABLED ====

Enable or Disable the ClamAV malware detection engine for the system.

==== Realtime Malware detection ====

Enable or Disable the ClamAV kernel module. Note this requires the ASL kernel, and the official Atomicorp build of clamav.

Alternate name: CLAMAV_ENABLE_REALTIME

==== Realtime Malware Prevention: Block Access ====

Alternate name: CLAMAV_PREVENTONACCESS

Enable or Disable blocking malware in the file system. Note this requires the ASL kernel, and the official Atomicorp build of clamav.

==== TCP Server Address ====

Set the IP address for clamd to listen on. Default: localhost

==== Local Socket ====

CLAMAV_LocalSocket: Path to a local socket file the daemon will listen on.

==== Temporary Directory ====

CLAMAV_TemporaryDirectory: Optional path to the global temporary directory.

==== Database directory ====

CLAMAV_DatabaseDirectory: Path to the database directory.

==== Database Self check ====

CLAMAV_SelfCheck: Interval between database self checks. Default: 600 seconds (10 min)

==== Log File ====

CLAMAV_LogFile: Full path to the clamd log file. Default: /var/log/clamav/clamd.log

==== Log: Maximum log file size ====

CLAMAV_LogFileMaxSize: Maximum size of the log file. A value of 0 disables the limit.

==== Log: Log time ====

CLAMAV_LogTime: Log the time with each message.

==== Detect PUA ====

CLAMAV_DetectPUA: Detect Possibly Unwanted Applications.

Default: Off

This detects potentially unwanted applications, like packed javascript. These files may not be malicious, and this signature type is disabled by default for this reason. If you are finding files with signature names like this:

<pre>
PUA.Script.Packed-1 FOUND
</pre>

That means you have enabled this option. If you do not want clamav to find files like this you must either:

1) Disable this option

2) Specifically whitelist the signatures you no longer wish clamav to detect. See the article below to do this:

https://www.atomicorp.com/wiki/index.php/Atomic_CLAMAV_Signatures_FAQ#Disabling_signatures

==== Scan Safebrowsing ====

Set to "yes" to enable the Google Safe Browsing database. Set to "no" to disable the Google Safe Browsing database.

'''Note: This will increase memory usage in clamd significantly. Not enabling this will prevent ASL from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this.'''

Default: no

The Safebrowsing database is designed by the clamav project to detect URLs from compromised sites in email messages; it is not designed to find these in other file types. Therefore, this database is only useful for screening incoming email messages, and not as a general antimalware signature set.

Here's a simple test you can run to see if a URL is on the google safebrowsing list (replace <URL on blocklist> with the URL to check; clamdscan reads the constructed message from standard input):

<pre>
URL=<URL on blocklist>; echo -e "From test\n\n<a href=http://$URL>test</a>" | clamdscan -
</pre>

And provided your signatures are up to date, if the URL is on the list you'll see this:

<pre>
stream: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND
</pre>

==== Detect PE ====

PE stands for Portable Executable; it's an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX, FSG, and Petite.

==== Detect ELF ====

CLAMAV_ScanELF: Executable and Linking Format is a standard format for UN*X executables.

==== Detect Broken executables ====

CLAMAV_DetectBrokenExecutables: With this option clamav will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.

==== Scan OLE2 ====

CLAMAV_ScanOLE2: This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.

==== Scan PDF ====

CLAMAV_ScanPDF: This option enables scanning within PDF files.

==== Scan Email ====

Note: This requires a third party extension to your mail server to send email to the malware scanning system. This option does not install or enable that extension. Please contact your mail vendor or support for assistance.

CLAMAV_ScanMail: Enable the internal e-mail scanner.

==== Detect Bad Extensions ====

CLAMAV_CDB_SIGNATURES: With this option enabled ClamAV will try to detect malicious extensions using signatures.

==== Detect Phishing ====

CLAMAV_PhishingSignatures: With this option enabled ClamAV will try to detect phishing attempts by using signatures.

==== Detect Phishing URLs ====

CLAMAV_PhishingScanURLs: Scan URLs found in mails for phishing attempts using heuristics.

==== Phishing Always block ssl mismatch ====

CLAMAV_PhishingAlwaysBlockSSLMismatch: Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.

==== Phishing Always block cloak ====

CLAMAV_PhishingAlwaysBlockCloak: Always block cloaked URLs, even if the URL isn't in the database. This can lead to false positives.

==== Data Loss Prevention (DLP) ====

Enable the Data Loss Prevention (DLP) module.

Default: no

WARNING: This will search files for structured data formats, like SSN and Credit Card numbers. Please see the options below and configure them as appropriate for your system.

===== DLP: Minimum credit card count =====

This option sets the lowest number of strings that appear to be Credit Card numbers that must be found in a file to generate a detection.

Default: 3

===== DLP: Minimum SSN count =====

This option sets the lowest number of Social Security Numbers that must be found in a file to generate a detection.

Default: 3

===== DLP: Structured SSN format =====

With this option enabled the DLP module will search for strings that appear to be Social Security Numbers; the format searched for is xxx-yy-zzzz.

Default: yes

===== DLP: Structured SSN format stripped =====

With this option enabled the DLP module will search for strings that appear to be Social Security Numbers without separators; the format searched for is xxxyyzzzz.

Default: no

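To show what the two SSN format options and the minimum count do together, here is an added example (not from the original page or from ASL/ClamAV) that approximates the DLP matching with plain regexes on a constructed sample file; ClamAV's own matcher also validates the number ranges, so treat the regexes as an assumption, not its exact algorithm.

```shell
#!/bin/sh
# Added example: approximates the DLP SSN options with plain regexes.
# Assumption: ClamAV's real matcher also validates the area/group/serial
# ranges, so real counts can be lower than these.
MIN_SSN_COUNT=3   # "DLP: Minimum SSN count" default from the page

# count_ssn FILE MODE -> number of SSN-like strings found in FILE.
#   MODE "normal"   = structured format xxx-yy-zzzz (page default: yes)
#   MODE "stripped" = stripped format xxxyyzzzz     (page default: no)
count_ssn() {
    case $2 in
        normal)   pat='[0-9]{3}-[0-9]{2}-[0-9]{4}' ;;
        stripped) pat='[0-9]{9}' ;;
        *) echo "count_ssn: unknown mode $2" >&2; return 2 ;;
    esac
    # grep exits 1 when nothing matches; wc still prints 0
    grep -oE "$pat" "$1" | wc -l | tr -d ' '
}

# dlp_ssn_verdict FILE MODE -> "detect" when the count reaches
# MIN_SSN_COUNT, else "clean". MODE is normal, stripped or both
# (both = the two formats enabled together, counts combined).
dlp_ssn_verdict() {
    case $2 in
        both) n=$(( $(count_ssn "$1" normal) + $(count_ssn "$1" stripped) )) ;;
        *)    n=$(count_ssn "$1" "$2") || return 2 ;;
    esac
    if [ "$n" -ge "$MIN_SSN_COUNT" ]; then echo detect; else echo clean; fi
}

# Constructed sample: two SSN-shaped strings plus a phone number and an
# order id that only the stripped format mistakes for SSNs.
sample=$(mktemp)
printf 'SSN 123-45-6789\nSSN 987-65-4320\nphone 5551234567\norder ORD-000123456\n' > "$sample"
echo "structured only: $(count_ssn "$sample" normal) hits -> $(dlp_ssn_verdict "$sample" normal)"
echo "structured + stripped: $(( $(count_ssn "$sample" normal) + $(count_ssn "$sample" stripped) )) hits -> $(dlp_ssn_verdict "$sample" both)"
rm -f "$sample"
```

With the structured format alone the sample stays below the threshold of 3; enabling the stripped format adds two false matches and turns the same file into a detection, which is why that option defaults to no.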
==== Scan: HTML ====

Perform HTML normalisation and decryption of MS Script Encoder code.

==== Scan: Archive ====

ClamAV can scan within archives and compressed files.

==== Archive Encrypted ====

Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

== Real Time Malware Protection ==

The basic behaviour when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and the ASL gui.

=== ASL V ===

==== Enable ====

To enable this feature follow the steps below:

Step 1)

You will need a modern kernel to do real time malware protection. On EL5 or EL6 you can use the current [[ASL]] kernel or, if you are using a system with a modern kernel, such as EL7, you can use either the native kernel or the [[ASL]] secure kernel.

Very old versions of the Linux kernel, such as 2.6.32, do not have any support for real time malware protection built in, and therefore can not support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.

Step 2) If you are using either the current ASL kernel, or a modern 3.x kernel, log into the ASL web console.

Step 3) Click on the Scan tab

Step 4) Click on Malware Scan

Step 5) Click on Realtime

Step 6) Make sure Realtime Malware Detection is checked

Step 7) Please continue with the Configure steps below. Enabling this will not tell ASL what to protect, so you must configure this in the step below or it won't do anything.

==== Configure ====

'''Step 1) ASL kernel 3.2.52 and above required.'''

Ensure you are using the ASL kernel.

'''Step 2) Open the malware scan window'''

Click the Scan tab, then select the Malware Scan menu option.

'''Step 3) Open the real time tab'''

Select the "Realtime" tab.

'''Step 4) If not already enabled, select the check box next to "Realtime Malware detection"'''

'''Step 5) Select the directories you want to be scanned in realtime'''

Add in the directories you want to protect. For example:

<pre>
/home
</pre>

ASL will then ask for any directories in /home you do not want to protect, for example /home/cpanel. We recommend you configure ASL to protect directories your users can write to, for example:

<pre>
/var/www/vhosts
/tmp
/var/tmp
/home
</pre>

'''DO NOT INCLUDE DIRECTORIES THAT CONTAIN LOGS, DEVICES OR MALWARE SIGNATURES''' such as these:

<pre>
/var/clamav
/var/lib/clamav
/etc/httpd/modsecurity.d/
/dev
/var/log
/home/user/apache/log
</pre>

We also recommend for source built systems that you exclude build directories such as these:

<pre>
/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpanan
</pre>

You should also '''never''' include system partitions or directories, such as:

<pre>
/home/virtfs
/proc
/selinux
/sys
/dev
/
</pre>

'''Step 6) Configure Upload malware scanner'''

ASL includes upload malware scanners. The HTTP malware scanner works by temporarily saving the file to a temporary directory, and then calling clamd to scan the file. If the file passes the scan, it removes the file, and continues pushing it to the web application. If the realtime antimalware system is configured to protect this directory, the system's load will go up significantly because the system will go through several loops of scanning the same file over and over again. This may also break the upload scanner.

Therefore, if you are using the real time malware scanner, and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.

Option 1)

Change the temporary directory modsecurity uses. Documentation is provided at the link below:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 2)

Exclude the temporary directory modsecurity uses. By default, this is /tmp.

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 3)

Disable the upload malware scanner. If the realtime antimalware system is protecting the directories apache can upload files to, then the upload malware scans may not be necessary. Please see the documentation at the link below to disable the HTTP upload scanner:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_SCANNER

'''Step 7) Click update to apply the new settings.'''

Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

Note: It is not recommended you enable malware scanning for the default excluded users.

=== ASL 4 ===

==== Enable ====

To enable this feature follow the steps below:

Step 1)

You will need a modern kernel to do real time malware protection. On EL5 or EL6 you can use the current [[ASL]] kernel or, if you are using a system with a modern kernel, such as EL7, you can use either the native kernel or the [[ASL]] secure kernel.

Very old versions of the Linux kernel, such as 2.6.32, do not have any support for real time malware protection built in, and therefore can not support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.

Step 2) If you are using either the current ASL kernel, or a modern 3.x kernel, log into the ASL web console.

Step 3) Click on the Scan tab

Step 4) Click on Malware Scan

Step 5) Click on Realtime

Step 6) Make sure Realtime Malware Detection is checked

Step 7) Please continue with the Configure steps below. Enabling this will not tell ASL what to protect, so you must configure this in the step below or it won't do anything.

==== Configure ====

'''Step 1) ASL kernel 3.2.52 and above required.'''

Ensure you are using the ASL kernel.

'''Step 2) Open the malware scan window'''

Click the Scan tab, then select the Malware Scan menu option.

'''Step 3) Open the real time tab'''

Select the "Realtime" tab.

'''Step 4) If not already enabled, select the check box next to "Realtime Malware detection"'''

'''Step 5) Select the directories you want to be scanned in realtime'''

Add in the directories you want to protect. For example:

<pre>
/home
</pre>

ASL will then ask for any directories in /home you do not want to protect, for example /home/cpanel. We recommend you configure ASL to protect directories your users can write to, for example:

<pre>
/var/www/vhosts
/tmp
/var/tmp
/home
</pre>

'''DO NOT INCLUDE DIRECTORIES THAT CONTAIN MALWARE SIGNATURES''' such as these signature directories:

<pre>
/var/clamav
/var/lib/clamav
/etc/httpd/modsecurity.d/
</pre>

We also recommend you exclude log directories, as this can add unnecessary load to the system: it is typically unnecessary to scan logs, and because they may change constantly, they will be rescanned each time they change. For example:

<pre>
/home/user/apache/log
/var/log
</pre>

We also recommend for source built systems that you exclude build directories such as these:

<pre>
/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpanan
</pre>

You should also '''never''' include system partitions or directories, such as:

<pre>
/home/virtfs
/proc
/selinux
/sys
/dev
</pre>

'''Step 6) Configure Upload malware scanner'''

ASL includes upload malware scanners. The HTTP malware scanner works by temporarily saving the file to a temporary directory, and then calling clamd to scan the file. If the file passes the scan, it removes the file, and continues pushing it to the web application. If the realtime antimalware system is configured to protect this directory, the system's load will go up significantly because the system will go through several loops of scanning the same file over and over again. This may also break the upload scanner.

Therefore, if you are using the real time malware scanner, and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.

Option 1)

Change the temporary directory modsecurity uses. Documentation is provided at the link below:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 2)

Exclude the temporary directory modsecurity uses. By default, this is /tmp.

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 3)

Disable the upload malware scanner. If the realtime antimalware system is protecting the directories apache can upload files to, then the upload malware scans may not be necessary. Please see the documentation at the link below to disable the HTTP upload scanner:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_SCANNER

'''Step 7) Click update to apply the new settings.'''

Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

Note: It is not recommended you enable malware scanning for the default excluded users.

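The directory rules in Step 5 and Step 6 of the ASL V and ASL 4 sections above can be checked before you click update; this added shell check (not ASL's own code) applies the page's never-protect, signature and log directory lists to a planned protect list and exclude list, and assumes the modsecurity temporary directory is the page's default /tmp unless MODSEC_TMPDIR is set in the environment.

```shell
#!/bin/sh
# Added example (not ASL's own code): sanity-check a planned real-time
# protect list against the directory guidance on this page.

# Lists taken from the page. Assumption: entries are plain paths without
# wildcards, as ASL itself requires.
NEVER_PROTECT="/proc /sys /dev /selinux /home/virtfs"          # system dirs
SIGNATURE_DIRS="/var/clamav /var/lib/clamav /etc/httpd/modsecurity.d"
LOG_DIRS="/var/log"
MODSEC_TMPDIR="${MODSEC_TMPDIR:-/tmp}"   # page: modsecurity defaults to /tmp

# strip_slash PATH -> PATH without trailing slashes ("/" stays "/")
strip_slash() {
    p=$(printf '%s' "$1" | sed 's:/*$::')
    [ -n "$p" ] && printf '%s' "$p" || printf '/'
}

# is_under CHILD PARENT -> exit 0 if CHILD equals PARENT or lies beneath it
is_under() {
    c=$(strip_slash "$1"); p=$(strip_slash "$2")
    [ "$p" = / ] && return 0
    [ "$c" = "$p" ] && return 0
    case "$c" in "$p"/*) return 0 ;; esac
    return 1
}

# excluded PATH "ex1 ex2 ..." -> exit 0 if PATH is covered by an exclude entry
excluded() {
    for e in $2; do is_under "$1" "$e" && return 0; done
    return 1
}

# check_realtime_config "protect1 protect2 ..." "exclude1 exclude2 ..."
# Prints one ERROR/WARN line per problem; prints nothing for a clean config.
check_realtime_config() {
    for d in $1; do
        d=$(strip_slash "$d")
        if [ "$d" = / ]; then
            echo "ERROR: $d: never protect the whole root filesystem"
            continue
        fi
        for f in $NEVER_PROTECT $SIGNATURE_DIRS $LOG_DIRS; do
            if is_under "$d" "$f"; then
                echo "ERROR: $d: lies inside $f, which must never be protected"
            elif is_under "$f" "$d" && ! excluded "$f" "$2"; then
                echo "WARN: $d: contains $f; add it to the exclude list"
            fi
        done
        # Step 6: the upload scanner's temp dir must not be protected, or the
        # same upload gets rescanned in a loop.
        if is_under "$MODSEC_TMPDIR" "$d" && ! excluded "$MODSEC_TMPDIR" "$2"; then
            echo "WARN: $d: covers modsecurity temp dir $MODSEC_TMPDIR; exclude it, change MODSEC_TMPDIR, or disable the upload scanner"
        fi
    done
}

# Demo: a list following the page's advice (prints nothing), then a bad one.
echo "--- recommended list ---"
check_realtime_config "/var/www/vhosts /var/tmp /home" "/home/virtfs"
echo "--- bad list ---"
check_realtime_config "/ /home /var /proc/sys" ""
```

Run it with your own two lists; any ERROR line means an entry the page says to remove, and any WARN line names a subdirectory to add to the exclude list.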
=== ASL 3 ===

==== Enable ====

Enable the appropriate settings in the ASL GUI for your needs. Please see the [https://www.atomicorp.com/wiki/index.php/ASL_Configuration#ClamAV_configuration ASL AntiMalware Configuration documentation].

These are the recommended settings:

{| class="wikitable"
|-
! Option !! Recommended Setting
|-
| CLAMAV_ENABLED || yes
|-
| CLAMAV_ENABLE_DAZUKO || yes
|-
| CLAMAV_TCPADDRESS || 127.0.0.1
|-
| CLAMAV_SCANONOPEN || yes
|-
| CLAMAV_SCANONCLOSE || yes
|-
| CLAMAV_SCANONEXEC || yes
|-
| CLAMAV_CLAMUKO_MAXFILESIZE || 10m
|}

==== Set directories to exclude ====

Set directories to exclude in /etc/asl/dazuko-exclude. (Note this file may not exist; this is normal.) One line per entry:

<pre>
/path/to/directory/exclude1
/path/to/directory/exclude2
</pre>

==== Plesk notes ====

If you are running a control panel, such as Plesk, that puts apache configuration files in /var/www, and if you have included /var/www in dazuko's include paths (a good idea for web servers), and those configuration files and directories can only be modified by root (which is the case with Plesk), then you should exclude those directories. They contain dozens of files each, and a failure to exclude them will cause long startup times for Apache, as the antimalware system will be forced to scan every configuration file, which is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

<pre>
/var/www/vhosts/www.example.com/statistics/
/var/www/vhosts/www.example.com/conf/
/var/www/vhosts/www.example.com/pd/
</pre>

Replace www.example.com with your domain names. You can not use wildcards. If you are using a system that puts your virtual hosts in /var/www/vhosts you can use this command to get a list of directories to ignore:

<pre>
find /var/www/vhosts/ -type d | egrep "/(statistics|conf|pd)$"
</pre>

A future version of [[ASL]] will configure this automatically.

==== CPanel Notes ====

If you are running a control panel, such as CPanel, that puts its build directory and apache log files in /home, and if you have included /home in dazuko's include paths (a good idea for CPanel web servers), and those build and log files and directories can only be modified by root (which is the default case with Cpanel), then you should exclude those directories. They contain thousands of files, and a failure to exclude them will cause long startup times for Apache, as the antimalware system will be forced to scan every one of those files, which is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

<pre>
/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpcpan
/home/cptmp
/home/installd
</pre>

If /home is mounted as its own filesystem, you will also want to exclude this directory:

<pre>
/home/lost+found
</pre>

You can not use wildcards.

A future version of [[ASL]] will configure this automatically.

==== Other control panels ====

For other control panels, such as Interworx, you will want to exclude any configuration, log, and build (if any) directories as per the examples above (your directories will vary). In particular you will want to exclude any locally generated Apache logs. For example, with Interworx you will also want to exclude directories such as:

<pre>
/home/example/var/example.com/logs
</pre>

=== Reboot ===

If you are not already using the ASL kernel, you will need to reboot the system into the ASL kernel:

<pre>
reboot
</pre>

If you are using the ASL kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.

=== Testing ===

If you want to test to see if the realtime malware system is working, once you have it configured and are running an appropriate kernel, such as the [[ASL]] kernel that supports real time malware scanning, you can use the EICAR test file, which you can download from the official EICAR site:

http://www.eicar.org/85-0-Download.html

Once you have downloaded an EICAR test file, simply place it in a directory you have configured to be protected. If you have configured the system to allow copying of files, but not opening of files, simply try to view the contents of the file, within the protected directory, with a command like the one below:

<pre>
cat eicar.com.txt
</pre>

If permission is denied, then you have successfully configured and enabled real time malware protection for your system.

= False Positives =

If you detect a false positive with any clamav signatures, you can exclude the signature by adding its name to this file:

<pre>
/var/clamav/local.ign
</pre>

For example, if your system reported this file and this signature:

<pre>
Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND
</pre>

You would add "Some.Signature.Name" to the local.ign file. If the signature has UNOFFICIAL at the end, do not add UNOFFICIAL to the signature name. For example:

<pre>
somesignature.UNOFFICIAL
</pre>

In that case, you would only add "somesignature" to the local.ign file, and not "somesignature.UNOFFICIAL".
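As an added example rather than ASL's own tooling, this shell helper turns a Clamuko log line like the one above into a local.ign entry, dropping the .UNOFFICIAL suffix and skipping signatures already listed; the log line format and the /var/clamav/local.ign path are taken from this section, and the demo writes to a temporary file rather than the real one.

```shell
#!/bin/sh
# Added example (not ASL's own tooling): take a clamd/Clamuko "FOUND" log
# line, pull out the signature name, drop the .UNOFFICIAL suffix as the page
# instructs, and append it to local.ign only if it is not already listed.
LOCAL_IGN="${LOCAL_IGN:-/var/clamav/local.ign}"   # path from the page

# signature_from_log LINE -> prints the bare signature name, or fails if the
# line is not a "...: <signature> FOUND" report.
signature_from_log() {
    sig=$(printf '%s\n' "$1" | sed -n 's/.*: \([^ ]*\) FOUND$/\1/p')
    [ -n "$sig" ] || return 1
    printf '%s\n' "${sig%.UNOFFICIAL}"
}

# add_to_local_ign SIGNATURE [FILE] -> appends SIGNATURE to FILE (default
# $LOCAL_IGN) and prints "added", or prints "exists" if already present.
add_to_local_ign() {
    f=${2:-$LOCAL_IGN}
    [ -f "$f" ] || : > "$f"
    if grep -qxF -- "$1" "$f"; then
        echo exists
    else
        printf '%s\n' "$1" >> "$f"
        echo added
    fi
}

# Demo against a temporary file so the real local.ign is left alone.
# The log lines are constructed from the page's example format.
demo=$(mktemp)
for line in \
  'Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND' \
  'Fri Jan 4 00:06:10 2013 -> Clamuko: /some/other.php: somesignature.UNOFFICIAL FOUND' \
  'Fri Jan 4 00:06:11 2013 -> Clamuko: /some/other.php: somesignature.UNOFFICIAL FOUND'
do
    sig=$(signature_from_log "$line") || { echo "not a FOUND line: $line" >&2; continue; }
    echo "$sig: $(add_to_local_ign "$sig" "$demo")"
done
cat "$demo"; rm -f "$demo"
```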
Latest revision as of 18:04, 4 May 2020
[edit] Description
ASL has built in kernel level real time malware protection as well as upload malware protection, and on demand malware scanning.
[edit] Configuration
[edit] General Options
See this article for instructions about where to access these options in the ASL web console:
https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#Post_Installation_Configuration
[edit] CLAMAV_ENABLED
Enable or Disable the ClamAV malware detection engine for the system.
[edit] Realtime Malware detection
Enable or Disable the ClamAV kernel module. Note this requires the ASL kernel, and the official Atomicorp build of clamav.
Alternate name: CLAMAV_ENABLE_REALTIME:
[edit] Realtime Malware Prevention: Block Access
Realtime Malware Prevention: Block Access
Alternate name: CLAMAV_PREVENTONACCESS
Enable or Disable blocking malware in the file system. Note this requires the ASL kernel, and the official Atomicorp build of clamav.
[edit] TCP Server Address
Set the IP address for clamd to listen on. Default: localhost
[edit] Local Socket
CLAMAV_LocalSocket: Path to a local socket file the daemon will listen on.
[edit] Temporary Directory
CLAMAV_TemporaryDirectory: Optional path to the global temporary directory.
[edit] Database directory
CLAMAV_DatabaseDirectory: Path to the database directory.
[edit] Database Self check
CLAMAV_SelfCheck: Perform a database check. Default: 600 (10 min)
[edit] Log File
CLAMAV_LogFile: Full path to the clamd log file. Default: /var/log/clamav/clamd.log
[edit] Log: Maximum log file size
CLAMAV_LogFileMaxSize: Maximum size of the log file. Value of 0 disables the limit.
[edit] Log: Log time
CLAMAV_LogTime: Log time with each message.
[edit] Detect PUA
CLAMAV_DetectPUA: Detect Possibly Unwanted Applications.
Default: Off
This detects potentially unwanted applications, like packed javascript. These fails may not be malicious, and this signature type is disabled by default for this reason. If you are finding files with signature names like this:
PUA.Script.Packed-1 FOUND
That means you have enabled this option. If you do not want clamav to find files like this you must either:
1) Disable this option
2) Specifically whitelist the signatures no longer wish clamav to detect. See the article below to do this:
https://www.atomicorp.com/wiki/index.php/Atomic_CLAMAV_Signatures_FAQ#Disabling_signatures
[edit] Scan Safebrowsing
Set to "yes" to enable the Google Safe Browsing database. Set to "no" to disable the Google Safe Browsing database.
Note: This will increase memory usage in clamd significantly. Not enabling this will prevent ASL from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this.
Default: no
The Safebrowsing database is designed by the clamav project to detect URLs from compromised sites in email messages, its not designed to find these in other file types. Therefore, this database is only useful for screening incoming email messages, and not as a general antimalware signature set.
Heres a simple test you can run to see if an URL is on the google safebrowsing list:
URL=<URL on blocklist>; echo -e "From test\n\n<a href=http://$URL>test</a>" | clamdscan -
And provided your signatures are up to date, if the URL is on the list you'll see this:
stream: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND
[edit] Detect PE
PE stands for Portable Executable - it's an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX, FSG, and Petite.
[edit] Detect ELF
CLAMAV_ScanELF: Executable and Linking Format is a standard format for UN*X executables.
[edit] Detect Broken executables
CLAMAV_DetectBrokenExecutables: With this option clamav will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.
[edit] Scan OLE2
CLAMAV_ScanOLE2: This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.
[edit] Scan PDF
CLAMAV_ScanPDF: This option enables scanning within PDF files.
[edit] Scan Email
Note: This requires a third party extension to your mail server to send email to the malware scanning system. This does not install or enable this extension. Please contact your mail vendor or support for assistance.
CLAMAV_ScanMail: Enable internal e-mail scanner
[edit] Detect Bad Extensions
CLAMAV_CDB_SIGNATURES: With this option enabled ClamAV will try to detect malicious extensions using signatures.
[edit] Detect Phishing
CLAMAV_PhishingSignatures: With this option enabled ClamAV will try to detect phishing attempts by using signatures.
[edit] Detect Phishing URLs
CLAMAV_PhishingScanURLs: Scan URLs found in mails for phishing attempts using heuristics.
[edit] Phishing Always block ssl mismatch
CLAMAV_PhishingAlwaysBlockSSLMismatch: Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.
[edit] Phishing Always block cloak
CLAMAV_PhishingAlwaysBlockCloak: Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.
[edit] Data Loss Prevention (DLP)
Enable the (Data Loss Prevention) DLP module.
Default: no
WARNING: This will search files for structured data formats, like SSN and Credit Card numbers. Please see the options below and configure them as appropriate for your system.
[edit] DLP: Minimum credit card count
This option sets the lowest number of numbers, that appear to be Credit Card numbers, found in a file.
Default: 3
[edit] DLP: Minimum SSN count
This option sets the lowest number of Social Security Numbers found in a file to generate a detect.
Default: 3
[edit] DLP: Structured SSN format
With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxx-yy-zzzz
Default: yes
[edit] DLP: Structured SSN format stripped
With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxxyyzzzz
Default: no
[edit] Scan: HTML
Perform HTML normalisation and decryption of MS Script Encoder code.
[edit] Scan: Archive
ClamAV can scan within archives and compressed files.
[edit] Archive Encrypted
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
[edit] Real Time Malware Protection
The basic behaviour when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and via the ASL gui.
ASL V
Enable
To enable this feature follow the steps below:
Step 1) Use a kernel that supports real time malware protection.
On EL5 or EL6 you can use the current ASL kernel. If you are on a system with a modern kernel, such as EL7, you can use either the native kernel or the ASL secure kernel.
Very old versions of the Linux kernel, such as 2.6.32, have no support for real time malware protection built in and therefore cannot support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.
Step 2) Once you are running either the current ASL kernel or a modern 3.x (or later) kernel, log into the ASL web console.
Step 3) Click on the Scan tab.
Step 4) Click on Malware Scan.
Step 5) Click on Realtime.
Step 6) Make sure Realtime Malware Detection is checked.
Step 7) Continue with the Configure steps below. Enabling this does not tell ASL what to protect; you must configure the protected directories in the next section or it won't do anything.
Configure
Step 1) ASL kernel 3.2.52 or later is required.
Ensure you are running the ASL kernel (or a supported modern native kernel, as described under Enable).
Step 2) Open the malware scan window.
Click the Scan tab, then select the Malware Scan menu option.
Step 3) Open the real time tab.
Select the "Realtime" tab.
Step 4) If not already enabled, select the check box next to "Realtime Malware detection".
Step 5) Select the directories you want to be scanned in realtime.
Add the directories you want to protect. For example:
/home
ASL will then ask for any directories in /home you do not want to protect, for example /home/cpanel. We recommend you configure ASL to protect directories your users can write to, for example:
/var/www/vhosts /tmp /var/tmp /home
DO NOT INCLUDE DIRECTORIES THAT CONTAIN LOGS, DEVICES OR MALWARE SIGNATURES, such as:
/var/clamav /var/lib/clamav /etc/httpd/modsecurity.d/ /dev /var/log /home/user/apache/log
For source-built systems we also recommend you exclude build directories such as:
/home/cpeasyapache /home/.cpan /home/.cpanm /home/.cpanan
You should also never include system partitions or directories such as:
/home/virtfs /proc /selinux /sys /dev /
Step 6) Configure the upload malware scanner.
ASL includes upload malware scanners. The HTTP upload scanner works by saving the uploaded file to a temporary directory and calling clamd to scan it. If the file passes the scan, the scanner removes the temporary copy and passes the upload on to the web application. If the realtime antimalware system is also configured to protect that temporary directory, system load goes up significantly because the same file is scanned over and over again in a loop, and the upload scanner may break.
Therefore, if you are using both the real time malware scanner and the HTTP upload scanner, make sure the real time scanner is not configured to protect the temporary directory that ModSecurity is configured to use. You have three options:
Option 1)
Change the temporary directory ModSecurity uses. Documentation is provided at the link below:
https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR
Option 2)
Exclude the temporary directory ModSecurity uses from realtime protection. By default, this is /tmp.
https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR
Option 3)
Disable the upload malware scanner. If the realtime antimalware system is protecting the directories Apache can upload files to, the upload malware scans may not be necessary. Please see the documentation at the link below to disable the HTTP upload scanner:
https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_SCANNER
Step 7) Click Update to apply the new settings.
Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.
Note: It is not recommended that you enable malware scanning for the default excluded users.
ASL 4
Enable
To enable this feature follow the steps below:
Step 1) Use a kernel that supports real time malware protection.
On EL5 or EL6 you can use the current ASL kernel. If you are on a system with a modern kernel, such as EL7, you can use either the native kernel or the ASL secure kernel.
Very old versions of the Linux kernel, such as 2.6.32, have no support for real time malware protection built in and therefore cannot support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.
Step 2) Once you are running either the current ASL kernel or a modern 3.x (or later) kernel, log into the ASL web console.
Step 3) Click on the Scan tab.
Step 4) Click on Malware Scan.
Step 5) Click on Realtime.
Step 6) Make sure Realtime Malware Detection is checked.
Step 7) Continue with the Configure steps below. Enabling this does not tell ASL what to protect; you must configure the protected directories in the next section or it won't do anything.
Configure
Step 1) ASL kernel 3.2.52 or later is required.
Ensure you are running the ASL kernel (or a supported modern native kernel, as described under Enable).
Step 2) Open the malware scan window.
Click the Scan tab, then select the Malware Scan menu option.
Step 3) Open the real time tab.
Select the "Realtime" tab.
Step 4) If not already enabled, select the check box next to "Realtime Malware detection".
Step 5) Select the directories you want to be scanned in realtime.
Add the directories you want to protect. For example:
/home
ASL will then ask for any directories in /home you do not want to protect, for example /home/cpanel. We recommend you configure ASL to protect directories your users can write to, for example:
/var/www/vhosts /tmp /var/tmp /home
DO NOT INCLUDE DIRECTORIES THAT CONTAIN MALWARE SIGNATURES, such as:
Signature directories:
/var/clamav /var/lib/clamav /etc/httpd/modsecurity.d/
We also recommend you exclude log directories. Scanning logs is typically unnecessary, and because they change constantly they would be rescanned on every change, adding needless load. For example:
/home/user/apache/log /var/log
For source-built systems we also recommend you exclude build directories such as:
/home/cpeasyapache /home/.cpan /home/.cpanm /home/.cpanan
You should also never include system partitions or directories such as:
/home/virtfs /proc /selinux /sys /dev
Step 6) Configure the upload malware scanner.
ASL includes upload malware scanners. The HTTP upload scanner works by saving the uploaded file to a temporary directory and calling clamd to scan it. If the file passes the scan, the scanner removes the temporary copy and passes the upload on to the web application. If the realtime antimalware system is also configured to protect that temporary directory, system load goes up significantly because the same file is scanned over and over again in a loop, and the upload scanner may break.
Therefore, if you are using both the real time malware scanner and the HTTP upload scanner, make sure the real time scanner is not configured to protect the temporary directory that ModSecurity is configured to use. You have three options:
Option 1)
Change the temporary directory ModSecurity uses. Documentation is provided at the link below:
https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR
Option 2)
Exclude the temporary directory ModSecurity uses from realtime protection. By default, this is /tmp.
https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR
Option 3)
Disable the upload malware scanner. If the realtime antimalware system is protecting the directories Apache can upload files to, the upload malware scans may not be necessary. Please see the documentation at the link below to disable the HTTP upload scanner:
https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_SCANNER
Step 7) Click Update to apply the new settings.
Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.
Note: It is not recommended that you enable malware scanning for the default excluded users.
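As an added example (not part of ASL or of this page), the following shell script applies the directory rules of Step 5 and the ModSecurity temp-directory rule of Step 6 to a proposed include/exclude list before you enter it in the console. The same rules apply to the ASL V procedure above. The forbidden-path list is taken from this page; paths are assumed to contain no spaces, and the /var/lib/modsec-tmp value in the usage line is an assumed MODSEC_TMPDIR, not a default documented here.

```shell
#!/bin/bash
# Added example, not ASL code: sanity-check a proposed realtime include/exclude
# list against the rules in Step 5 and Step 6 before entering it in the console.
# Paths are given as space-separated lists (assumption: no spaces in paths).

# Trees this page says must never be protected: signature stores, devices,
# logs, pseudo-filesystems, build trees and the root filesystem itself.
NEVER_INCLUDE="/ /proc /sys /dev /selinux /var/log /var/clamav /var/lib/clamav /etc/httpd/modsecurity.d /home/virtfs /home/cpeasyapache /home/.cpan /home/.cpanm"

# covered PATH PREFIX: true if PATH is PREFIX or lies beneath it
covered() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# is_excluded PATH "EXCLUDES": true if some exclude entry covers PATH
is_excluded() {
    local p="$1" e
    for e in $2; do
        covered "$p" "$e" && return 0
    done
    return 1
}

# check_realtime_paths "INCLUDES" "EXCLUDES" MODSEC_TMPDIR
# Prints one line per problem; returns 0 if the lists are sane, 1 otherwise.
check_realtime_paths() {
    local includes="$1" excludes="$2" tmpdir="$3" rc=0 inc bad
    for inc in $includes; do
        for bad in $NEVER_INCLUDE; do
            # Rule 1: an include may not be, or sit inside, a forbidden tree.
            if covered "$inc" "$bad"; then
                echo "ERROR: include $inc is inside forbidden path $bad"
                rc=1
            # Rule 2: a forbidden tree beneath an include needs an explicit exclude
            # (these are the exclusions ASL prompts for after you add the include).
            elif [ "$bad" != / ] && covered "$bad" "$inc" && ! is_excluded "$bad" "$excludes"; then
                echo "ERROR: $inc covers $bad; add $bad to the exclude list"
                rc=1
            fi
        done
        # Rule 3 (Step 6): the ModSecurity upload temp dir must not be protected,
        # or every upload is scanned in a loop.
        if covered "$tmpdir" "$inc" && ! is_excluded "$tmpdir" "$excludes"; then
            echo "ERROR: $inc covers the ModSecurity temp dir $tmpdir; exclude it or change MODSEC_TMPDIR"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: include/exclude list passes the checks"
    fi
    return "$rc"
}

# Usage (lists from Step 5; /var/lib/modsec-tmp is an assumed MODSEC_TMPDIR value):
# check_realtime_paths "/var/www/vhosts /tmp /var/tmp /home" \
#     "/home/cpanel /home/virtfs /home/cpeasyapache /home/.cpan /home/.cpanm" /var/lib/modsec-tmp
```

Run the check each time you change the lists: a default MODSEC_TMPDIR of /tmp combined with /tmp in the include list is exactly the loop Step 6 warns about, and the script reports it.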
ASL 3
Enable
Enable the appropriate settings in the ASL GUI for your needs. Please see the ASL AntiMalware Configuration documentation.
These are the recommended settings:
Option | Recommended Setting
---|---
CLAMAV_ENABLED | yes
CLAMAV_ENABLE_DAZUKO | yes
CLAMAV_TCPADDRESS | 127.0.0.1
CLAMAV_SCANONOPEN | yes
CLAMAV_SCANONCLOSE | yes
CLAMAV_SCANONEXEC | yes
CLAMAV_CLAMUKO_MAXFILESIZE | 10m
Set directories to exclude
Set the directories to exclude in /etc/asl/dazuko-exclude. (This file may not exist yet; that is normal.) One entry per line, for example:
/path/to/directory/exclude1
/path/to/directory/exclude2
Plesk notes
If you are running a control panel such as Plesk, which puts Apache configuration files in /var/www, and you have included /var/www in dazuko's include paths (a good idea for web servers), then you should exclude those configuration directories, which on Plesk can only be modified by root. They contain dozens of files each, and failing to exclude them causes long Apache startup times, because the antimalware system is forced to scan every configuration file (which is not necessary); this can take several minutes. At minimum, exclude these directories:
/var/www/vhosts/www.example.com/statistics/
/var/www/vhosts/www.example.com/conf/
/var/www/vhosts/www.example.com/pd/
Replace www.example.com with your domain names. You cannot use wildcards. If you are using a system that puts your virtual hosts in /var/www/vhosts you can use this command to get a list of directories to exclude:
find /var/www/vhosts/ -type d | egrep "/(statistics|conf|pd)$"
A future version of ASL will configure this automatically.
cPanel notes
If you are running a control panel such as cPanel, which puts its build directory and Apache log files in /home, and you have included /home in dazuko's include paths (a good idea for cPanel web servers), then you should exclude those build and log directories, which by default can only be modified by root. They contain thousands of files, and failing to exclude them causes long Apache startup times because the antimalware system is forced to scan every file in them (which is not necessary); this can take several minutes. At minimum, exclude these directories:
/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpcpan
/home/cptmp
/home/installd
If /home is mounted as its own filesystem, you will also want to exclude this directory:
/home/lost+found
You cannot use wildcards.
A future version of ASL will configure this automatically.
Other control panels
For other control panels, such as Interworx, exclude any configuration, log and build directories (if any) as in the examples above; your directories will vary. In particular, exclude any locally generated Apache logs. For example, with Interworx you will also want to exclude directories such as:
/home/example/var/example.com/logs
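The Plesk, cPanel and lost+found notes above all amount to one task: build the dazuko-exclude list from what is actually on the host. The script below is an added example (not ASL's own automation, which the page says is still to come) that does this and merges the result into the exclude file without duplicates. It takes the vhost root, the home directory and the output file as arguments so it can be tried on a scratch tree first; on a real host the arguments are /var/www/vhosts, /home and /etc/asl/dazuko-exclude. The mount-point test uses df -P and is an assumption about the host's layout, not something the page prescribes.

```shell
#!/bin/bash
# Added example, not ASL code: generate the /etc/asl/dazuko-exclude entries the
# Plesk, cPanel and lost+found notes call for, from what exists on this host,
# and merge them into the exclude file (one path per line, no duplicates).

# is_mountpoint DIR: true if DIR is the mount point of its own filesystem
is_mountpoint() {
    [ "$(df -P "$1" | awk 'NR==2 {print $NF}')" = "$1" ]
}

# build_dazuko_exclude VHOSTS HOME OUTFILE
build_dazuko_exclude() {
    local vhosts="$1" home="$2" out="$3" d
    {
        # Plesk: per-domain statistics/conf/pd trees (the find from the Plesk notes)
        if [ -d "$vhosts" ]; then
            find "$vhosts" -type d | grep -E '/(statistics|conf|pd)$'
        fi
        # cPanel: build and temp trees, only the ones present on this host
        for d in cpeasyapache .cpan .cpanm .cpcpan cptmp installd; do
            [ -d "$home/$d" ] && printf '%s\n' "$home/$d"
        done
        # lost+found only when HOME is its own filesystem
        if is_mountpoint "$home" && [ -d "$home/lost+found" ]; then
            printf '%s\n' "$home/lost+found"
        fi
        # keep whatever is already in the exclude file
        [ -f "$out" ] && cat "$out"
    } | sort -u > "$out.tmp" && mv "$out.tmp" "$out"
}

# Usage on a real host (then restart the service or reboot as described below):
# build_dazuko_exclude /var/www/vhosts /home /etc/asl/dazuko-exclude
```

Because existing entries are read back in and the result is sorted uniquely, the script is safe to re-run whenever domains are added; hand-added exclusions survive.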
Reboot
If you are not already running the ASL kernel, reboot the system into it:
reboot
If you are already running the ASL kernel and have not changed the CLAMAV* defaults, you should not need to reboot.
Testing
To test that the realtime malware system is working, once you have configured it and are running a kernel that supports real time malware scanning (such as the ASL kernel), use the EICAR test file, which you can download from the official EICAR site:
http://www.eicar.org/85-0-Download.html
Once you have downloaded an EICAR test file, place it in a directory you have configured to be protected. If you have configured the system to allow copying of files but not opening them, simply try to view the contents of the file within the protected directory, with a command like:
cat eicar.com.txt
If permission is denied, you have successfully configured and enabled real time malware protection for your system.
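As an added example (not from the EICAR site or from ASL), the script below assembles the 68-byte EICAR test string locally instead of downloading it, drops it into a directory you name, and reports which of the two outcomes described above occurred: the write itself blocked, or the write allowed and the read denied. It also cleans up the test file. Splitting the string into parts is only so that the script is not itself flagged by a scanner reading it.

```shell
#!/bin/bash
# Added example, not EICAR or ASL code: exercise a realtime-protected directory
# with the EICAR test string and report how (or whether) access was blocked.

# The standard 68-byte EICAR test string, assembled from parts so this script
# is not itself detected when scanned.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE' '!$H+H*'
}

# test_realtime DIR: write the test file into DIR, then try to read it back.
# Returns 0 if realtime protection blocked the write or the read (PASS),
# 1 if the file was written and read back unhindered (DIR is not protected).
test_realtime() {
    local dir="$1" f="$1/eicar.com.txt"
    if ! eicar_string > "$f" 2>/dev/null; then
        echo "PASS: writing $f was blocked (scan on write/close)"
        rm -f "$f" 2>/dev/null
        return 0
    fi
    if ! cat "$f" >/dev/null 2>&1; then
        echo "PASS: reading $f was denied (scan on open)"
        rm -f "$f" 2>/dev/null
        return 0
    fi
    echo "FAIL: $f was written and read back; $dir is not protected"
    rm -f "$f"
    return 1
}

# Usage: test_realtime /home/someuser/public_html   (a directory you configured as protected)
```

Run it as an unprivileged user that is not on the excluded-users list (root is excluded by default, so a test as root proves nothing), and check that the alert also appeared in the logs and the ASL GUI.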
False Positives
If you find a false positive from any ClamAV signature, you can exclude the signature by adding its name to this file:
/var/clamav/local.ign
For example, if your system reported this file and this signature:
Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND
you would add "Some.Signature.Name" to local.ign. If the signature name ends in .UNOFFICIAL, do not include the .UNOFFICIAL suffix. For example, for the signature
somesignature.UNOFFICIAL
you would add only "somesignature" to local.ign, not "somesignature.UNOFFICIAL".
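As an added example (not ASL code), the functions below take a Clamuko "FOUND" log line like the one quoted above, extract the signature name, strip a trailing .UNOFFICIAL as instructed, and append it to the ignore file only if it is not already there. The ignore file defaults to the /var/clamav/local.ign path from this page; a second argument overrides it so the functions can be tried against a scratch file.

```shell
#!/bin/bash
# Added example, not ASL code: whitelist a false-positive signature from a
# Clamuko/clamd "FOUND" log line, dropping any .UNOFFICIAL suffix.

# sig_from_log LINE: print the signature name from "<path>: <Signature> FOUND"
# with a trailing .UNOFFICIAL removed. Prints nothing if LINE is not a FOUND line.
sig_from_log() {
    printf '%s\n' "$1" | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | sed 's/\.UNOFFICIAL$//'
}

# whitelist_sig SIG [IGNFILE]: append SIG to IGNFILE once.
# Returns 0 if added, 1 if it was already listed, 2 if SIG is empty.
whitelist_sig() {
    local sig="$1" ign="${2:-/var/clamav/local.ign}"
    [ -n "$sig" ] || { echo "no signature name given" >&2; return 2; }
    [ -f "$ign" ] || : > "$ign"
    if grep -qxF -- "$sig" "$ign"; then
        echo "$sig is already in $ign"
        return 1
    fi
    printf '%s\n' "$sig" >> "$ign"
    echo "added $sig to $ign"
}

# whitelist_from_log LINE [IGNFILE]: the two steps together.
whitelist_from_log() {
    whitelist_sig "$(sig_from_log "$1")" "$2"
}

# Usage, with the log line quoted on this page:
# whitelist_from_log 'Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND'
```

Only whitelist a signature after confirming the detection really is a false positive on that file; an ignore entry silences the signature for every file on the system, not just the one reported.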