Linux Malware Detect v1.3.3: Making good things better

This morning I put out LMD v1.3.3. It comes on the back of two other releases in recent days that improved LMD in many areas and corrected bugs graciously reported by those helping to break in the project. I have also listened to feedback and revised a number of features, and completely redone how the inotify monitoring operates, to provide a much more robust model for real-time file monitoring.

I am also happy to say that people are embracing the -c|--checkout option to send me malware that is not currently detected; submissions are processed daily as part of my regular signature maintenance. Today I added 24 new signatures, all of them created from user submissions.

There are a few big changes in this release…

First and foremost, the configuration file conf.maldet has been completely revised, with more granular options for quarantine, scanning and monitoring, along with better commenting. Adding to the convenience, install.sh will now import config settings from a previous install and migrate session data.

Next up, and something I am excited about, is a rule-driven, signature-based cleaner function that can remove string-based malware injections from files. The cleaner ships with two default rules, written by me, that very accurately clean files of base64 and gzinflate injected strings. Over the next couple of days/weeks I will be adding more cleaner rules so that files can be cleaned for a much broader set of signatures.

Finally, inotify monitoring got some loving with a top-down review, and I came up with a less invasive way of spawning the inotifywait processes that no longer requires one process per monitored path/user. There is now a single master process that monitors all configured paths, with better dynamic scaling of the inotify sysctl settings based on system resources. In addition, the monitor service can now be given, from the command line, a comma-separated list of paths or a file containing one path per line. This is in addition to the user monitoring feature, which has also been improved but is no longer the default: you must now call -m|--monitor with one of the USERS|FILE|PATHS options; see --help or the README file for more details.
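As an added example of the monitor model described above (not LMD's own code), the sketch below expands the PATHS or FILE argument, scales the two inotify sysctls the same way the changelog describes, and launches a single inotifywait for every path. It assumes inotify-tools is installed, that sysctl writes are done as root, and that the number of monitored paths stands in for "users" in the watches multiplier; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not LMD's own code: a minimal sketch of the v1.3.3 monitor model.
# Assumptions: inotify-tools (inotifywait) is installed, sysctl values are written
# as root, and every function name here is hypothetical.

# Expand the -m argument into one path per line.  Accepts either the FILE form
# (a file with one path per line; blank and '#' lines ignored) or the PATHS form
# (a comma-separated list).
expand_monitor_paths() {
    if [ -f "$1" ]; then
        grep -Ev '^[[:space:]]*(#|$)' "$1"
    else
        printf '%s\n' "$1" | tr ',' '\n' | grep -Ev '^[[:space:]]*$'
    fi
}

count_monitor_paths() { expand_monitor_paths "$1" | grep -c .; }

# Scale the inotify sysctl limits the way the changelog describes:
#   max_user_instances = processors * 2
#   max_user_watches   = inotify_base_watches * users
# (assumption: the number of monitored paths stands in for "users")
calc_max_user_instances() { echo $(( $1 * 2 )); }
calc_max_user_watches()   { echo $(( $1 * $2 )); }

# Write a sysctl only when it would raise the current value, so a limit an
# administrator already set higher is never lowered.
raise_sysctl() {
    cur=$(cat "/proc/sys/$1" 2>/dev/null || echo 0)
    if [ "$2" -gt "$cur" ]; then
        echo "$2" > "/proc/sys/$1"
    fi
}

# One master inotifywait for every path, instead of one process per path/user.
start_monitor() {
    paths="$1"; base_watches="$2"; nice_level="$3"
    nprocs=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    n=$(count_monitor_paths "$paths")
    raise_sysctl fs/inotify/max_user_instances "$(calc_max_user_instances "$nprocs")"
    raise_sysctl fs/inotify/max_user_watches "$(calc_max_user_watches "$base_watches" "$n")"
    # MODIFY / MOVED_TO / MOVED_FROM are the events v1.3.3 acts on
    expand_monitor_paths "$paths" | xargs nice -n "$nice_level" \
        inotifywait -m -r -e modify,moved_to,moved_from --format '%w%f %e'
}

# Constructed sample input: two monitored web roots, base watches 16384, nice 10.
# start_monitor '/home/alice/public_html,/home/bob/public_html' 16384 10
```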

Please be mindful that although LMD is considered stable, it is still a relatively new project and your mileage may be a little bumpy. If you run into any issues, please post comments on the project page or in this post, or send me an email at ryan rfxn.com.

Home: http://www.rfxn.com/projects/linux-malware-detect/
Current Release:
http://www.rfxn.com/downloads/maldetect-current.tar.gz
http://www.rfxn.com/appdocs/README.maldetect
http://www.rfxn.com/appdocs/CHANGELOG.maldetect

v1.3.3 | May 15th 2010:
[Fix] quarantined files were not properly dropping owner
[New] signature based, rule driven, cleaner component added
[New] base64.inject cleaner rule
[New] gzbase64.inject cleaner rule
[New] -n|--clean SCANID option added to batch clean scan all files from a scan
[Fix] made default install file/path permissions more strict (750/640)
[New] install.sh now preserves conf.maldet settings
[New] install.sh now links backups of old installation to INSTALL_PATH.last
[Fix] install.sh now properly imports session data from previous install
[New] -s|--restore can now take a SCANID to batch restore all files from a scan
[Change] improved the layout of conf.maldet; more scan options and commenting
[New] added quar_susp_minuid option for the minimum user id eligible for user suspension
[Fix] inotify monitor now properly acts on MODIFY,MOVE_TO,MOVE_FROM states
[Change] inotify monitor now can take a list of paths or file for path input
[Change] inotify monitor now has no default use, must specify USER|FILE|PATHS
[Change] revised short and long usage output for new options/usage changes
[Change] inotify monitor now spawns only one process for all monitored paths
[Change] inotify monitor sets max_user_instances to processors*2
[Change] inotify monitor sets max_user_watches to inotify_base_watches*users
[Change] migrated all inotify options from internals.conf to conf.maldet
[New] added inotify_base_watches to conf.maldet for max file watches multiplier
[New] added inotify_nice to conf.maldet for run-time prio of inotifywait
[New] added inotify_webdir to conf.maldet for html/web root only monitoring
[Change] extensive format change to README
[Change] rewrote inotify section of README to reflect the many changes
[Change] -q|--quarantine now calls cleaner if quar_clean=1
[Change] -n|--clean can now do in place cleaning without quarantine