Anti virus

From Atomicorp Wiki
Revision as of 15:37, 3 May 2014 by Mshinn (Talk | contribs)


Description

ASL has a kernel space anti-virus/anti-malware module. This module is not activated by default. The basic behaviour when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and the ASL GUI.


Configuration

ASL 4

Enable

Step 1)

You must be running an ASL 3.x kernel to use the real time malware system.

Step 2) Once you are running an ASL 3.x kernel

Log into the ASL web console

Step 3) Click on the Scan tab

Step 4) Click on Malware Scan

Step 5) Click on Realtime

Step 6) Make sure Realtime Malware Detection is checked

Configure

Step 1) ASL kernel 3.2.52 or later is required.

Ensure you are using the ASL kernel.

Step 2) Open the malware scan window

Click the Scan tab, then select the Malware Scan menu option.

Step 3) Open the real time tab

Select the "Realtime" tab.

Step 4) If not already enabled, select the check box next to "Realtime Malware detection"

Step 5) Select the partitions you want to be scanned in realtime

Add the partition you want to protect. The new system is partition based, not directory based. For example, if you have the following partitions:

/home

/var

/opt

And you want to protect /var/www, then you must add the /var partition. ASL will then ask for any directories in /var you do not want to protect, for example /var/log.

Add partitions in the box at the bottom left of the window one at a time.

ALWAYS EXCLUDE DIRECTORIES THAT CONTAIN MALWARE SIGNATURES such as these:

Signature directories:

 /var/clamav
 /var/lib/clamav
 /etc/httpd/modsecurity.d/

We also recommend you exclude log directories, as this can add unnecessary load to the system:

 /home/user/apache/log
 /var/log

We also recommend for source built systems that you exclude build directories such as these:

 /home/cpeasyapache
 /home/.cpan
 /home/.cpanm
 /home/.cpanan

You should also never include system partitions or directories, such as /proc, /selinux, /sys and /dev.

Step 6) Configure Upload malware scanner

ASL includes upload malware scanners. The HTTP malware scanner works by saving the file to a temporary directory and then calling clamd to scan it. If the file passes the scan, the scanner removes the temporary copy and continues pushing the file to the web application. If the realtime antimalware system is configured to protect that temporary directory, the system's load will go up significantly because the same file will be scanned over and over again in several loops. This may also break the upload scanner.

Therefore, if you are using the real time malware scanner, and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.

Option 1)

Change the temporary directory modsecurity uses. Documentation is provided at the link below:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 2)

Exclude the temporary directory modsecurity uses. By default, this is /tmp.

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_TMPDIR

Option 3)

Disable the upload malware scanner. If the realtime antimalware system is protecting the directories apache can upload files to, then the upload malware scans may not be necessary. Please see the documentation at the link below to disable the HTTP upload scanner:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_SCANNER

Step 7) Click update to apply the new settings.
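The partition rule in Step 5 and the temporary-directory conflict in Step 6 are easy to get wrong by hand, so here is an added worked example (not ASL's own code or tooling) that resolves a directory to the partition the realtime scanner would need, lists which of the page's mandatory exclusions fall on that partition, refuses the system trees the page says never to include, and checks whether a given directory such as the ModSecurity temporary directory would end up scanned in real time. The mount table, the exclusion list and the function names are constructed for the example; on a real host you would set MOUNT_TABLE from /proc/mounts.

```shell
#!/bin/sh
# Added example, not ASL's own code. MOUNT_TABLE defaults to a constructed
# /proc/mounts sample (mount point is field 2); on a real host run
#   MOUNT_TABLE="$(cat /proc/mounts)" before sourcing this file.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw 0 0
/dev/sda2 /home ext4 rw 0 0
/dev/sda3 /var ext4 rw 0 0
/dev/sda4 /opt ext4 rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
devtmpfs /dev devtmpfs rw 0 0
selinuxfs /selinux selinuxfs rw 0 0'
MOUNT_TABLE=${MOUNT_TABLE:-$SAMPLE_MOUNTS}

# Directories the page says to exclude: the signature directories (always)
# and /var/log (recommended). Constructed from the page's own list.
MUST_EXCLUDE='/var/clamav
/var/lib/clamav
/etc/httpd/modsecurity.d
/var/log'

# Print the mount point holding PATH: the longest mount point that equals
# PATH or is a prefix of it on a path-component boundary (/var, not /variant).
partition_for_path() {
    printf '%s\n' "$MOUNT_TABLE" | awk -v p="$1" '
        { m = $2
          if (m == "/" || p == m || index(p, m "/") == 1)
              if (length(m) > length(best)) best = m }
        END { print best }'
}

# True for the system trees the page says must never be included.
is_system_mount() {
    case $1 in
        /proc|/sys|/dev|/selinux) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the MUST_EXCLUDE entries that live on partition PART, i.e. the
# directories ASL will need to be told not to protect once PART is added.
required_exclusions_for() {
    printf '%s\n' "$MUST_EXCLUDE" | while read -r d; do
        if [ "$(partition_for_path "$d")" = "$1" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Print "scanned" if DIR would be covered by realtime scanning given the
# newline-separated lists of protected partitions and excluded directories,
# otherwise "not scanned". Run this on the ModSecurity temporary directory
# (/tmp by default, per the page) before enabling both scanners.
realtime_covers() {
    dir=$1; protected=$2; excluded=$3
    part=$(partition_for_path "$dir")
    if ! printf '%s\n' "$protected" | grep -Fxq -- "$part"; then
        echo "not scanned"; return 0
    fi
    printf '%s\n' "$excluded" | awk -v d="$dir" '
        NF && ($0 == d || index(d, $0 "/") == 1) { hit = 1 }
        END { print (hit ? "not scanned" : "scanned") }'
}

# Demo: protect /var/www as the page describes.
want=/var/www
part=$(partition_for_path "$want")
if is_system_mount "$part"; then
    echo "refusing to protect $want: $part is a system tree"
else
    echo "to protect $want add partition $part and exclude:"
    required_exclusions_for "$part"
fi
echo "/tmp with only $part protected: $(realtime_covers /tmp "$part" "$(required_exclusions_for "$part")")"
```

With the sample table, /var/www resolves to /var, and adding /var means excluding /var/clamav, /var/lib/clamav and /var/log. The last line shows the Step 6 check: with /tmp on the root partition and only /var protected, the default ModSecurity temporary directory is not scanned, but if MODSEC_TMPDIR were moved under /var it would be, and you would have to exclude it.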

Options

Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

Note: It is not recommended you enable malware scanning for the default excluded users.

ASL 3

Enable

Enable the appropriate settings in the ASL GUI for your needs. Please see the ASL AntiMalware Configuration documentation.

These are the recommended settings:

 Option                       Recommended Setting
 CLAMAV_ENABLED               yes
 CLAMAV_ENABLE_DAZUKO         yes
 CLAMAV_TCPADDRESS            127.0.0.1
 CLAMAV_SCANONOPEN            yes
 CLAMAV_SCANONCLOSE           yes
 CLAMAV_SCANONEXEC            yes
 CLAMAV_CLAMUKO_MAXFILESIZE   10m

Set directories to exclude

Set directories to exclude in /etc/asl/dazuko-exclude. (Note: this file may not exist yet; that is normal.) One line per entry:

 /path/to/directory/exclude1
 /path/to/directory/exclude2

Plesk notes

If you are running a control panel, such as Plesk, that puts apache configuration files in /var/www, and you have included /var/www in Dazuko's include paths (a good idea for web servers), and those configuration files and directories can only be modified by root (which is the case with Plesk), then you should exclude those directories. They contain dozens of files each, and a failure to exclude them will cause long startup times for Apache, as the antimalware system will be forced to scan every configuration file. This is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

 /var/www/vhosts/www.example.com/statistics/
 /var/www/vhosts/www.example.com/conf/
 /var/www/vhosts/www.example.com/pd/

Replace www.example.com with your domain names. You cannot use wildcards. If you are using a system that puts your virtual hosts in /var/www/vhosts, you can use this command to get a list of directories to ignore:

 find /var/www/vhosts/ -type d  | egrep "/(statistics|conf|pd)$"

A future version of ASL will configure this automatically.

CPanel Notes

If you are running a control panel, such as CPanel, that puts its build directory and apache log files in /home, and you have included /home in Dazuko's include paths (a good idea for CPanel web servers), and those build and log files and directories can only be modified by root (which is the default case with CPanel), then you should exclude those directories. They contain thousands of files, and a failure to exclude them will cause long startup times for Apache, as the antimalware system will be forced to scan every configuration file. This is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

 /home/cpeasyapache
 /home/.cpan
 /home/.cpanm
 /home/.cpcpan
 /home/cptmp
 /home/installd

If /home is mounted as its own filesystem, you will also want to exclude this directory:

 /home/lost+found

You cannot use wildcards.

A future version of ASL will configure this automatically.

Other control panels

For other control panels, such as Interworx, you will want to exclude any configuration, log, and build (if any) directories as per the examples above (your directories will vary). In particular you will want to exclude any locally generated Apache logs. For example, with Interworx you will also want to exclude directories such as:

 /home/example/var/example.com/logs
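Because dazuko-exclude takes one literal path per line and no wildcards, the exclusion list for a control panel host is best generated rather than typed. The following added example (not ASL's own tooling, and not the page's) combines the two sources described above: the page's find | egrep pipeline over a Plesk-style vhost tree, and a fixed list such as the CPanel directories. It merges both into an exclude file, skipping entries already present so it can be re-run after adding domains. The vhost tree is constructed under a temporary directory and the function names are invented for the example; on a real host ROOT would be /var/www/vhosts and the target file /etc/asl/dazuko-exclude.

```shell
#!/bin/sh
# Added example, not ASL's own tooling. Generates Dazuko exclude entries
# from a vhost tree and a fixed list, and merges them into an exclude file
# one literal path per line, without duplicates.

# Print the statistics/, conf/ and pd/ directories below ROOT, sorted.
# Same pipeline as the page, with grep -E in place of egrep.
plesk_exclude_dirs() {
    find "$1" -type d | grep -E '/(statistics|conf|pd)$' | sort
}

# Fixed CPanel exclusions taken from the page; a constructed list for the demo.
CPANEL_EXCLUDES='/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpcpan
/home/cptmp
/home/installd'

# Read paths on stdin and append each to FILE unless it is already listed.
# Prints the number of entries added, so a re-run reports 0.
merge_into_exclude_file() {
    file=$1
    added=0
    [ -f "$file" ] || : > "$file"
    while read -r dir; do
        [ -n "$dir" ] || continue
        if ! grep -Fxq -- "$dir" "$file"; then
            printf '%s\n' "$dir" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Build a throwaway tree that mimics the Plesk layout shown on the page
# (constructed test data; httpdocs is there to show it is NOT excluded).
make_sample_vhosts() {
    root=$(mktemp -d)
    for dom in www.example.com www.example.net; do
        mkdir -p "$root/vhosts/$dom/statistics" "$root/vhosts/$dom/conf" \
                 "$root/vhosts/$dom/pd" "$root/vhosts/$dom/httpdocs"
    done
    echo "$root"
}

# Demo: generate, merge both sources, show the result, then clean up.
# On a real host EXCLUDE_FILE would be /etc/asl/dazuko-exclude.
ROOT=$(make_sample_vhosts)
EXCLUDE_FILE=$ROOT/dazuko-exclude
plesk_exclude_dirs "$ROOT/vhosts" | merge_into_exclude_file "$EXCLUDE_FILE"
printf '%s\n' "$CPANEL_EXCLUDES" | merge_into_exclude_file "$EXCLUDE_FILE"
cat "$EXCLUDE_FILE"
rm -rf "$ROOT"
```

Merging through grep -Fx rather than blindly appending matters for the re-run case: the exclude file is read as literal lines, so a duplicated or partially matching entry adds nothing useful and a typo such as a trailing slash makes a new, different entry.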

Reboot

If you are not already using the ASL kernel, you will need to reboot the system into the ASL kernel.

 reboot

If you are using the ASL kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.

False Positives

If you detect a false positive with any clamav signatures, you can exclude the signature by adding its name to this file:

/var/clamav/local.ign

For example, if your system reported this file and this signature:

Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND

You would add "Some.Signature.Name" to the local.ign file. If the signature name ends in UNOFFICIAL, do not include UNOFFICIAL in the name you add. For example:

somesignature.UNOFFICIAL

In that case, you would only add "somesignature" to the local.ign file, and not "somesignature.UNOFFICIAL".
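To make the two rules above mechanical (take the signature name from the Clamuko log line, and drop a trailing .UNOFFICIAL before adding it), here is an added example, not part of the ASL wiki or ASL's own tooling. It parses the log line shown on the page, derives the local.ign entry, and appends it without creating duplicates. The log lines are constructed from the page's format, the function names are invented, and the target file is passed in so the example runs against a scratch file rather than /var/clamav/local.ign.

```shell
#!/bin/sh
# Added example, not ASL's own code. Turns a Clamuko FOUND line into a
# local.ign entry and appends it to the given file without duplicates.

# Print the signature name from a "Clamuko: <file>: <signature> FOUND" line.
# The file name may itself contain ": ", so anchor on the last ": " before
# the trailing " FOUND" (signature names never contain spaces). Prints
# nothing for lines that are not Clamuko FOUND alerts.
signature_from_log() {
    printf '%s\n' "$1" | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p'
}

# Strip the ".UNOFFICIAL" suffix clamav adds to third-party signatures;
# local.ign wants the bare name, as the page says.
ign_name() {
    printf '%s\n' "${1%.UNOFFICIAL}"
}

# Append NAME to FILE (the local.ign stand-in) unless it is already listed.
# Returns 0 when added, 1 when it was already there.
add_to_local_ign() {
    file=$1; name=$2
    [ -f "$file" ] || : > "$file"
    if grep -Fxq -- "$name" "$file"; then
        return 1
    fi
    printf '%s\n' "$name" >> "$file"
}

# Full pipeline: FILE LOGLINE -> ignore entry written. Returns 2 if the
# line is not a Clamuko FOUND alert, 1 if the entry already existed.
ignore_from_log_line() {
    sig=$(signature_from_log "$2")
    [ -n "$sig" ] || return 2
    add_to_local_ign "$1" "$(ign_name "$sig")"
}

# Demo on a scratch file; on a real ASL host FILE would be /var/clamav/local.ign.
# Both log lines are constructed in the format the page shows.
SCRATCH=$(mktemp)
ignore_from_log_line "$SCRATCH" \
    'Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND'
ignore_from_log_line "$SCRATCH" \
    'Fri Jan 4 00:06:10 2013 -> Clamuko: /some/other.php: somesignature.UNOFFICIAL FOUND'
cat "$SCRATCH"
rm -f "$SCRATCH"
```

The second demo line is the page's UNOFFICIAL case: the file ends up containing "somesignature", not "somesignature.UNOFFICIAL". Keep the scope of what you ignore narrow; an entry in local.ign silences that signature for every file on the host, so confirm the detection really is a false positive on the flagged file before adding it.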
