Adjustments required for malware detection #8

Open
marwenius opened this issue Nov 25, 2024 · 0 comments

Comments


marwenius commented Nov 25, 2024

I had to adjust a few things to make the malware detection work.

I had the following problems:

  • manual scanning was not possible
  • scanning of files/folders with the user/group permission root:root was not possible
  • the directory /shareboxx/files was not scanned

To be able to scan manually, I had to change the value of scan_user_access from 0 to 1 in the file /usr/local/maldetect/conf.maldet.

To be able to scan files/folders with root:root permissions I had to change the value of scan_ignore_root from 1 to 0 in the file /usr/local/maldetect/conf.maldet.

After installing the clamav-testfiles package, I was then able to scan the test files manually:

sudo maldet -a /usr/share/clamav-testfiles
sudo maldet --report

Regarding the last problem, I had to edit the service.

This is what it looked like before editing:

pi@shareboxx:~ $ sudo systemctl cat maldet.service
# /lib/systemd/system/maldet.service
[Unit]
Description=Linux Malware Detect monitoring - maldet
After=network.target

[Service]
EnvironmentFile=/usr/local/maldetect/conf.maldet
ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode
ExecStop=/usr/local/maldetect/maldet --kill-monitor
Type=forking
PIDFile=/usr/local/maldetect/tmp/inotifywait.pid
[Install]
WantedBy=multi-user.target

It is about the line that starts with ExecStart.

According to this output, the folders /dev/shm, /var/tmp and /tmp were monitored:

pi@shareboxx:~ $ sudo systemctl status maldet.service
● maldet.service - Linux Malware Detect monitoring - maldet
     Loaded: loaded (/lib/systemd/system/maldet.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-11-25 19:29:23 CET; 24s ago
    Process: 14924 ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode (code=exited, status=0/SUCCESS)
   Main PID: 15344 (inotifywait)
      Tasks: 3 (limit: 8738)
        CPU: 10.772s
     CGroup: /system.slice/maldet.service
             ├─15344 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.14924 --exclude "(^/var/tmp/mysql.sock>
             ├─15357 bash /usr/local/maldetect/maldet --monitor users
             └─15428 /usr/bin/clamscan --max-filesize=6947618 --max-scansize=13895236 -d /usr/local/maldetect/tmp/.runtime.user.14924.>

Nov 25 19:29:21 shareboxx maldet[14924]:             (C) 2002-2023, R-fx Networks <[email protected]>
Nov 25 19:29:21 shareboxx maldet[14924]:             (C) 2023, Ryan MacDonald <[email protected]>
Nov 25 19:29:21 shareboxx maldet[14924]: This program may be freely redistributed under the terms of the GNU GPL v2
Nov 25 19:29:21 shareboxx maldet[14924]: maldet(14924): {mon} added /dev/shm to inotify monitoring array
Nov 25 19:29:21 shareboxx maldet[14924]: maldet(14924): {mon} added /var/tmp to inotify monitoring array
Nov 25 19:29:21 shareboxx maldet[14924]: maldet(14924): {mon} added /tmp to inotify monitoring array
Nov 25 19:29:21 shareboxx maldet[14924]: maldet(14924): {mon} starting inotify process on 3 paths, this might take awhile...
Nov 25 19:29:23 shareboxx maldet[14924]: maldet(14924): {mon} inotify startup successful (pid: 15344)
Nov 25 19:29:23 shareboxx maldet[14924]: maldet(14924): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Nov 25 19:29:23 shareboxx systemd[1]: Started maldet.service - Linux Malware Detect monitoring - maldet.

I customized the line that starts with ExecStart (with sudo nano /usr/local/maldetect/conf.maldet):

pi@shareboxx:~ $ sudo systemctl cat maldet.service
# /lib/systemd/system/maldet.service
[Unit]
Description=Linux Malware Detect monitoring - maldet
After=network.target

[Service]
EnvironmentFile=/usr/local/maldetect/conf.maldet
ExecStart=/usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
ExecStop=/usr/local/maldetect/maldet --kill-monitor
Type=forking
PIDFile=/usr/local/maldetect/tmp/inotifywait.pid
[Install]
WantedBy=multi-user.target

The /shareboxx/files folder is now monitored:

pi@shareboxx:~ $ sudo systemctl status maldet.service
● maldet.service - Linux Malware Detect monitoring - maldet
     Loaded: loaded (/lib/systemd/system/maldet.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-11-25 19:31:09 CET; 5s ago
    Process: 15668 ExecStart=/usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths (code=exited, status=0/SUCCESS)
   Main PID: 15772 (inotifywait)
      Tasks: 3 (limit: 8738)
        CPU: 377ms
     CGroup: /system.slice/maldet.service
             ├─15772 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.15668 --exclude "(^/var/tmp/mysql.sock>
             ├─15785 bash /usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
             └─15792 sleep 15

Nov 25 19:31:07 shareboxx systemd[1]: Starting maldet.service - Linux Malware Detect monitoring - maldet...
Nov 25 19:31:07 shareboxx maldet[15668]: Linux Malware Detect v1.6.5
Nov 25 19:31:07 shareboxx maldet[15668]:             (C) 2002-2023, R-fx Networks <[email protected]>
Nov 25 19:31:07 shareboxx maldet[15668]:             (C) 2023, Ryan MacDonald <[email protected]>
Nov 25 19:31:07 shareboxx maldet[15668]: This program may be freely redistributed under the terms of the GNU GPL v2
Nov 25 19:31:07 shareboxx maldet[15668]: maldet(15668): {mon} added /shareboxx/files to inotify monitoring array
Nov 25 19:31:07 shareboxx maldet[15668]: maldet(15668): {mon} starting inotify process on 1 paths, this might take awhile...
Nov 25 19:31:09 shareboxx maldet[15668]: maldet(15668): {mon} inotify startup successful (pid: 15772)
Nov 25 19:31:09 shareboxx maldet[15668]: maldet(15668): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Nov 25 19:31:09 shareboxx systemd[1]: Started maldet.service - Linux Malware Detect monitoring - maldet.

Before the adjustment, uploaded test files were not recognized, but after the adjustment they were.

And don't forget to restart everything after the changes:

sudo systemctl daemon-reload
sudo systemctl restart maldet.service

Further reading:
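An added example, not from the issue or the maldet project: a small POSIX shell check for the three changes described above (scan_user_access, scan_ignore_root, and an ExecStart that monitors from a path list containing /shareboxx/files). The file paths are arguments, and the run below uses constructed sample files rather than the real conf.maldet and unit file; the key names and the `KEY="value"` layout are taken from the report.

```shell
#!/bin/sh
# Added example (not from the issue or the maldet project): verify the
# settings the report above changed. Paths are arguments so it runs on samples.

# conf_value FILE KEY -> value of KEY="value" (quotes optional), last one wins
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# unit_monitor_arg UNITFILE -> the argument after "--monitor" in ExecStart=
unit_monitor_arg() {
    sed -n 's/^ExecStart=.*--monitor[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# check_maldet CONF UNITFILE PATHSFILE WANTED_PATH -> 0 only if all four hold
check_maldet() {
    conf=$1; unit=$2; paths=$3; wanted=$4; rc=0
    [ "$(conf_value "$conf" scan_user_access)" = "1" ] ||
        { echo "scan_user_access != 1: manual scans rejected"; rc=1; }
    [ "$(conf_value "$conf" scan_ignore_root)" = "0" ] ||
        { echo "scan_ignore_root != 0: root:root files skipped"; rc=1; }
    [ "$(unit_monitor_arg "$unit")" = "$paths" ] ||
        { echo "ExecStart does not monitor from $paths"; rc=1; }
    grep -qxF "$wanted" "$paths" 2>/dev/null ||
        { echo "$wanted not listed in $paths"; rc=1; }
    return $rc
}

# Constructed sample files standing in for the real ones (removed on exit).
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
printf 'scan_user_access="0"\nscan_ignore_root="1"\n' > "$tmpd/conf.before"
printf 'scan_user_access="1"\nscan_ignore_root="0"\n' > "$tmpd/conf.after"
printf 'ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode\n' > "$tmpd/unit.before"
printf 'ExecStart=/usr/local/maldetect/maldet --monitor %s\n' "$tmpd/monitor_paths" > "$tmpd/unit.after"
printf '/shareboxx/files\n' > "$tmpd/monitor_paths"

echo "before:"; check_maldet "$tmpd/conf.before" "$tmpd/unit.before" "$tmpd/monitor_paths" /shareboxx/files
echo "after:";  check_maldet "$tmpd/conf.after"  "$tmpd/unit.after"  "$tmpd/monitor_paths" /shareboxx/files && echo "ok"
```

To check a live system, call check_maldet with /usr/local/maldetect/conf.maldet, the unit file shown by `systemctl cat maldet.service`, and the monitor path list named in its ExecStart line.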
