Difference between revisions of "Anti virus"

From Atomicorp Wiki
Jump to: navigation, search
m (ASL 4)
m (Reboot)
Line 380: Line 380:
  
 
If you are using the ASL kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.
 
If you are using the ASL kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.
 +
 +
=== Testing ===
 +
 +
If you want to test to see if the realtime malware system is working, once you have it configured and are running an appropriate kernel, such as the [[ASL]] kernel that supports real time malware scanning, you can use the EICAR test file which you can download from the officer EICAR site:
 +
 +
http://www.eicar.org/85-0-Download.html
 +
 +
 +
Once you have downloaded an EICAR test file, simply place it in a directory you have configured to be protected.  If you have configured the system to allow copying of files, but not opening of files, simple try to view the contents of the file, within the protected directory, with a command like the one below:
 +
 +
cat eicar.com.txt
 +
 +
If permission is denied, then you have successfully configured and enabled real time malware protection for your system.
  
 
= False Positives =
 
= False Positives =

Revision as of 14:03, 20 June 2016

Contents

Description

ASL has built in kernel level real time malware protection as well as upload malware protection, and on demand malware scanning.

Configuration

General Options

See this article for instructions about where to access these options in the ASL web console:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#Post_Installation_Configuration

CLAMAV_ENABLED

Enable or Disable the ClamAV malware detection engine for the system.

Realtime Malware detection

Enable or Disable the ClamAV kernel module. Note this requires the ASL kernel, and the official Atomicorp build of clamav.

Alternate name: CLAMAV_ENABLE_REALTIME:

Realtime Malware Prevention: Block Access

Realtime Malware Prevention: Block Access

Alternate name: CLAMAV_PREVENTONACCESS

Enable or Disable blocking malware in the file system. Note this requires the ASL kernel, and the official Atomicorp build of clamav.

TCP Server Address

Set the IP address for clamd to listen on. Default: localhost

Local Socket

CLAMAV_LocalSocket: Path to a local socket file the daemon will listen on.

Temporary Directory

CLAMAV_TemporaryDirectory: Optional path to the global temporary directory.

Database directory

CLAMAV_DatabaseDirectory: Path to the database directory.

Database Self check

CLAMAV_SelfCheck: Perform a database check. Default: 600 (10 min)

Log File

CLAMAV_LogFile: Full path to the clamd log file. Default: /var/log/clamav/clamd.log

Log: Maximum log file size

CLAMAV_LogFileMaxSize: Maximum size of the log file. Value of 0 disables the limit.

Log: Log time

CLAMAV_LogTime: Log time with each message.

Detect PUA

CLAMAV_DetectPUA: Detect Possibly Unwanted Applications.

Default: Off

This detects potentially unwanted applications, like packed javascript. These fails may not be malicious, and this signature type is disabled by default for this reason. If you are finding files with signature names like this:

PUA.Script.Packed-1 FOUND

That means you have enabled this option. If you do not want clamav to find files like this you must either:

1) Disable this option

2) Specifically whitelist the signatures no longer wish clamav to detect. See the article below to do this:

https://www.atomicorp.com/wiki/index.php/Atomic_CLAMAV_Signatures_FAQ#Disabling_signatures

Scan Safebrowsing

Set to "yes" to enable the Google Safe Browsing database. Set to "no" to disable the Google Safe Browsing database.

Note: This will increase memory usage in clamd significantly. Not enabling this will prevent ASL from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this.

Default: no

The Safebrowsing database is designed by the clamav project to detect URLs from compromised sites in email messages, its not designed to find these in other file types. Therefore, this database is only useful for screening incoming email messages, and not as a general antimalware signature set.

Heres a simple test you can run to see if an URL is on the google safebrowsing list:

URL=<URL on blocklist>; echo -e "From test\n\n<a href=http://$URL>test</a>" | clamdscan -

And provided your signatures are up to date, if the URL is on the list you'll see this:

stream: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND

Detect PE

PE stands for Portable Executable - it's an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX, FSG, and Petite.


Detect ELF

CLAMAV_ScanELF: Executable and Linking Format is a standard format for UN*X executables.

Detect Broken executables

CLAMAV_DetectBrokenExecutables: With this option clamav will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.

Scan OLE2

CLAMAV_ScanOLE2: This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.

Scan PDF

CLAMAV_ScanPDF: This option enables scanning within PDF files.

Scan Email

Note: This requires a third party extension to your mail server to send email to the malware scanning system. This does not install or enable this extension. Please contact your mail vendor or support for assistance.

CLAMAV_ScanMail: Enable internal e-mail scanner

Detect Bad Extensions

CLAMAV_CDB_SIGNATURES: With this option enabled ClamAV will try to detect malicious extensions using signatures.

Detect Phishing

CLAMAV_PhishingSignatures: With this option enabled ClamAV will try to detect phishing attempts by using signatures.

Detect Phishing URLs

CLAMAV_PhishingScanURLs: Scan URLs found in mails for phishing attempts using heuristics.

Phishing Always block ssl mismatch

CLAMAV_PhishingAlwaysBlockSSLMismatch: Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.

Phishing Always block cloak

CLAMAV_PhishingAlwaysBlockCloak: Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.

Data Loss Prevention (DLP)

Enable the (Data Loss Prevention) DLP module.

Default: no

WARNING: This will search files for structured data formats, like SSN and Credit Card numbers. Please see the options below and configure them as appropriate for your system.

DLP: Minimum credit card count

This option sets the lowest number of numbers, that appear to be Credit Card numbers, found in a file.

Default: 3

DLP: Minimum SSN count

This option sets the lowest number of Social Security Numbers found in a file to generate a detect.

Default: 3

DLP: Structured SSN format

With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxx-yy-zzzz

Default: yes

DLP: Structured SSN format stripped

With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxxyyzzzz

Default: no

Scan: HTML

Perform HTML normalisation and decryption of MS Script Encoder code.

Scan: Archive

ClamAV can scan within archives and compressed files.	

Archive Encrypted

Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).


Real Time Malware Protection

The basic behaviour when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and via the ASL gui.

ASL 4

Enable

To enable this feature follow the steps below:

Step 1)

You will need a modern kernel to do real time malware protection. On EL5 or EL6 you can use the current ASL kernel or, if you are using a system with a modern kernel, such as EL7, you can use either the native kernel or the ASL secure kernel.

Very old versions of the Linux kernel, such as 2.6.32, do not have any support for real time malware protection built in, and therefore can not support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.

Step 2) If you are using either the current ASL kernel, or a modern 3.x kernel

Log into the ASL web console

Step 3) Click on the Scan tab

Step 4) Click on Malware Scan

Step 5) Click on Realtime

Step 6) Make sure Realtime Malware Detection is checked

Step 7) Please continue with the Configure steps below. Enabling this will not tell ASL what to protect, so you must configure this in the step below or it wont do anything.

Configure

Step 1) ASL kernel 3.2.52 and above required.

Ensure you are using the ASL kernel.

Step 2) Open the malware scan window

Click the Scan tab, then select the Malware Scan menu option.

Step 3) Open the real time tab

Select the "Realtime" tab.

Step 4) If not already enabled, select the check box next to "Realtime Malware detection"

Step 5) Select the partitions you want to be scanned in realtime

Add in the directories you want to protect. For example:

/home

ASL will then ask for any directories in /home you do not want to protect, for example /home/cpanel.

Add in directories in the box at the bottom left of the window one at a time.

DO NOT INCLUDE DIRECTORIES THAT CONTAIN MALWARE SIGNATURES such as these:

Signature directories:

 /var/clamav
 /var/lib/clamav
 /etc/httpd/modsecurity.d/

We also recommend you exclude log directories, as this can add unnecessary load to the system. For example:

 /home/user/apache/log
 /var/log

We also recommend for source built systems that you exclude build directories such as these:

 /home/cpeasyapache
 /home/.cpan
 /home/.cpanm
 /home/.cpanan

Your should also never include system partition's or directories, such as /proc, /selinux, /sys and /dev.

Step 6) Configure Upload malware scanner

ASL includes upload malware scanners. The HTTP malware scanner works by temporarily saving the file to a temporary directory, and then calling clamd to scan the file. If the file passes the scan, it removes the file, and continues pushing it to the web application. If the realtime antimalware system is configured to protect this directory, the systems load will go up significantly because the system will go through several loops of scanning the same file over and over again. This may also break the upload scanner.

Therefore, if you are using the real time malware scanner, and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.

Option 1)

Change the temporary directory modsecurity uses. Documentation is provided at the link below:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 2)

Exclude the temporary directory modsecurity uses. By default, this is /tmp.

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 3)

Disable the upload malware scanner. If the realtime antimalware system is protected the directories apache can upload files to, then the upload malware scans may not be necessary. Please see the documentation at the link below to disable the HTTP upload scanner:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_SCANNER

Step 7) Click update to apply the new settings.

Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

Note: It is not recommended you enable malware scanning for the default excluded users.

ASL 3

Enable

Enable the appropriate settings in the ASL GUI for your needs. Please see the ASL AntiMalware Configuration documentation.

These are the recommended settings:

Option Recommended Setting
CLAMAV_ENABLED yes
CLAMAV_ENABLE_DAZUKO yes
CLAMAV_TCPADDRESS 127.0.0.1
CLAMAV_SCANONOPEN yes
CLAMAV_SCANONCLOSE yes
CLAMAV_SCANONEXEC yes
CLAMAV_CLAMUKO_MAXFILESIZE 10m

Set directories to exclude

Set directories to exclude in /etc/asl/dazuko-exclude. (Note this file may not exist, this is normal). One line per entry

 /path/to/directory/exclude1
 /path/to/directory/exclude2

Plesk notes

If you are running a control panel, such as Plesk, that puts apache configuration files in /var/www and if you have included /var/www in dazukos include paths (a good idea for web servers), and those configuration files and directories can only be modified by root (which is the case with Plesk), then you should exclude those directories. They contains dozens of files each, and a failure to exclude them will cause long startup times for Apache as the antimalware system will be forced to scan every configuration file (which is not necessary). This is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

 /var/www/vhosts/www.example.com/statistics/
 /var/www/vhosts/www.example.com/conf/
 /var/www/vhosts/www.example.com/pd/

Replace www.example.com with your domain names. You can not use wildcards. If you are using a system that puts your virtual hosts in /var/www/vhosts you can use this command to get a list of directories to ignore:

 find /var/www/vhosts/ -type d  | egrep "/(statistics|conf|pd)$"

A future version of ASL will configure this automatically.

CPanel Notes

If you are running a control panel, such as CPanel, that puts its build direcory and apache logs files in /home and if you have included /home in dazukos include paths (a good idea for CPanel web servers), and those build and logs files and directories can only be modified by root (which is the default case with Cpanel), then you should exclude those directories. They contains thousands of files and a failure to exclude them will cause long startup times for Apache as the antimalware system will be forced to scan every configuration file (which is not necessary). This is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

 /home/cpeasyapache
 /home/.cpan
 /home/.cpanm
 /home/.cpcpan
 /home/cptmp
 /home/installd

If /home is mounted as its own filesystem, you will also want to exclude this directory:

 /home/lost+found

You can not use wildcards.

A future version of ASL will configure this automatically.

Other control panels

For other controls, such as Interworx, etc. you will want to exclude any configuration, log, and build (if any) directories as per the examples above (your directories will vary). In particular you will want to exclude any locally generated Apache logs. For example, with Interworx you will also want to exclude directories such as:

 /home/example/var/example.com/logs

Reboot

If you are not already using the ASL kernel, you will need to reboot the system into the ASL kernel.

 reboot

If you are using the ASL kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.

Testing

If you want to test to see if the realtime malware system is working, once you have it configured and are running an appropriate kernel, such as the ASL kernel that supports real time malware scanning, you can use the EICAR test file which you can download from the officer EICAR site:

http://www.eicar.org/85-0-Download.html


Once you have downloaded an EICAR test file, simply place it in a directory you have configured to be protected. If you have configured the system to allow copying of files, but not opening of files, simple try to view the contents of the file, within the protected directory, with a command like the one below:

cat eicar.com.txt

If permission is denied, then you have successfully configured and enabled real time malware protection for your system.

False Positives

If you detect a false positive with any clamav signatures, you can exclude the signature by adding its name to this file:

/var/clamav/local.ign

For example, if your system reported this file and this signature:

Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND

You would add "Some.Signature.Name" to the local.ign file. If the signature has an UNOFFICAL at the end of the end, do not add UNOFFICIAL to the signature name. For example.

somesignature.UNOFFICIAL

In that case, you would only add "somesignature" to the local.ign file, and not "somesignature.UNOFFICIAL".

Personal tools