##
# Linux Malware Detect v1.5
# (C) 2002-2016, R-fx Networks <proj@r-fx.org>
# (C) 2016, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##
# Enable or disable e-mail alerts; this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID user@domain.com'.
# [0 = disabled, 1 = enabled]
email_alert="0"
# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses separated by commas (,) ]
email_addr=""
# Suppress e-mail alerts for scan reports in which every malware hit
# was automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"
# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled, as new signatures are released multiple times per week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"
# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure that the latest version, features and bug
# fixes are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"
# This controls validating the LMD executable MD5 hash against the known
# good upstream hash value. This allows LMD to replace the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"
# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed first, followed by the imported configuration file. As such, only
# variables defined in the imported configuration file are overridden, and a
# full set of configuration options is not required in the imported file.
import_config_url=""
# The expiry interval for refreshing the locally cached copy of the imported
# configuration file. The default is every 12h (43200 sec), which should be
# suitable for most setups.
import_config_expire="43200"
# When defined, the import_sigs_*_url options allow the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! For large-scale deployments it is recommended to define these
# variables within an import_config_url file.
import_sigs_md5_url=""
import_sigs_hex_url=""
##
# [ SCAN OPTIONS ]
##
# The maximum directory depth that the scanner will search; a value
# of 10-15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="1"
# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="24"
# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be set dynamically based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="20M"
# The maximum byte depth that the scanner will search into a file's content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"
# Use a named pipe (FIFO) for passing file contents hex data instead of the
# stdin default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="1"
# The maximum byte depth that the scanner will search into a file's content
# when using a named pipe (FIFO). Improved performance allows for greater
# scan depth over the default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"
# If installed, use the ClamAV clamscan binary as the default scan engine, which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures, providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"
# Include the scanning of known temporary world-writable paths for
# -a|--all and -r|--recent scan types.
scan_tmpdir_paths="/data/av/scan"
# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="0"
# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio, 19 = low prio, default = 19 ]
scan_cpunice="-17"
# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="0"
# Set a hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, a 12 core server 0 - 1200, etc.
scan_cpulimit="0"
# As a design and common use case, LMD typically only scans user-space paths
# and as such it makes sense to ignore files that are root-owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="1"
# This allows specific users or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=""
scan_ignore_group=""
# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect that the find operation may take
# a long time to complete, and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="0"
# The daily cron 'find' operation performed by LMD detects recently created/modified
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="0"
##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="1"
# Try to clean string-based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="0"
# The default suspend action for users with hits
# cPanel suspend, or set the shell to /bin/false on non-cPanel systems
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="0"
# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="500"
##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or the path to a
# line-separated file containing local paths to monitor. This option is used for
# the init based startup script. This value is ignored when '/etc/sysconfig/maldet'
# or '/etc/default/maldet' is present with a defined value for $MONITOR_MODE.
# default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
# The base number of files that can be watched under a path,
# this ends up being a relative value per-user in user mode.
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"
# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved.
inotify_sleep="15"
# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports and user signatures.
inotify_reloadtime="3600"
# The minimum userid that will be added to path monitoring when
# the USERS option is specified.
inotify_minuid="500"
# This is the html/web root for users relative to homedir; when
# this option is set, users will only have the webdir monitored
# [ clear this option to monitor the entire user homedir by default ]
inotify_docroot="public_html"
# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio, 19 = low prio, default = 19 ]
inotify_cpunice="18"
# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="6"
# Set a hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 core system would accept 0 - 1200, etc.
inotify_cpulimit="0"
# Log every file scanned by inotify monitoring mode; this is not recommended,
# as it will drown out your 'event_log' file, and is intended only for debugging.
inotify_verbose="0"
##
# [ STATISTICAL ANALYSIS ]
# This is an EXPERIMENTAL feature and should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g. base64).
# [ string length in characters, default = 150000 ]
string_length_scan="0" # [ 0 = disabled, 1 = enabled ]
string_length="150000" # [ max string length ]