Improve the detection rate of the ClamAV scanner with additional signature databases
Open /etc/freshclam.conf
and add the following at the end of the file:
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb
If cPanel is installed on the server, the file is located at: /usr/local/cpanel/3rdparty/etc/freshclam.conf
Update the ClamAV databases:
freshclam
On cPanel:
/usr/local/cpanel/3rdparty/bin/freshclam
ClamAV is now enriched with the MalDetect and MalwareExpert databases, and malware will have a harder time slipping past it.
More information:
malware.expert.ndb contains generic hex-pattern signatures for PHP malware. Because they include generic eval, base64 and other hex patterns, they can raise false positive alarms (the false positive rate is very low). The intent is to scan all .php files and check the false positives manually for malware. If a signature causes you problems, you can whitelist it.
malware.expert.hdb contains static MD5 signatures for files, so there are no false positives.
malware.expert.ldb contains LDB (logical) signatures, which use multi-word search for malware in files.
malware.expert.fp is a whitelist of files that were found to cause false positives.
Recommendation:
Install maldetect and enable realtime monitoring with inotify. Here is how:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
sh ./install.sh
Open /usr/local/maldetect/conf.maldet
Set email_alert to 1
Set email_addr to the email address where you want to receive notifications.
Set email_ignore_clean to 0
Set quarantine_hits and quarantine_clean to 1
Remove the # comment marker in front of default_monitor_mode="users"
Save the file.
(If you do not have epel-release, you will need to install it.)
yum install epel-release -y
Install inotify-tools:
yum install inotify-tools -y
Start the maldetect monitoring service:
For CentOS >= 7
systemctl start maldet.service
systemctl enable maldet.service
For CentOS < 7
service maldet start
chkconfig maldet on
Maldetect will now use ClamAV and all of its databases to monitor every newly created file of all your users and delete each piece of malware at the moment it appears, and you will be notified by email. You can also configure MalDetect to suspend the user on whose account malware is found.