
Comments (9)

Gazoo commented on August 17, 2024

Also note that I tried setting the signature with and without the {CAV} prefix and it's still not ignored.
e.g.

Eicar-Test-Signature

or

{CAV}Eicar-Test-Signature

from linux-malware-detect.

Gazoo commented on August 17, 2024

Further testing revealed that the ignore_file_ext and ignore_sigs files don't work when scan_clamscan=1 (currently the default).


dhardison commented on August 17, 2024

In my testing using version 1.4.2, ignore_file_ext is not being processed no matter what the clamscan setting is.
I am trying to disable scanning of image files (jpg/gif/etc.) due to errors processing these types of files using modsec.sh.

ignore_sigs is being honored, and I can see that the log output shows as such:

Apr 28 10:12:39 web05cp maldet(31517): {glob} processed 1 signature ignore entries
Apr 28 10:12:39 web05cp maldet(31517): {scan} signatures loaded: 10748 (8838 MD5 / 1910 HEX)
Apr 28 10:12:39 web05cp maldet(31517): {scan} building file list for /tmp, this might take awhile...
Apr 28 10:12:39 web05cp maldet(31517): {scan} file list completed, found 213 files...
Apr 28 10:12:39 web05cp maldet(31517): {scan} found ClamAV clamscan binary, using as scanner engine...
Apr 28 10:12:39 web05cp maldet(31517): {scan} scan of /tmp (213 files) in progress...
Apr 28 10:12:39 web05cp maldet(31517): {scan} scan completed on /tmp: files 213, malware hits 0, cleaned hits 0
Apr 28 10:12:39 web05cp maldet(31517): {scan} scan report saved, to view run: maldet --report 042815-1012.31517


Gazoo commented on August 17, 2024

@dhardison The logs you submitted show that maldet is still trying to use the clamav scanner.


dhardison commented on August 17, 2024

@Gazoo Apologies, too many terminals open. I've tried every combination, extensions just aren't skipped.

I've configured ignore_file_ext to skip .com files, but eicar.com is still scanned and stopped.

cat ignore_file_ext

.com

--9d27ea1d-A--
[28/Apr/2015:11:40:31 --0400] VT@p75gB420AAHJfB64AAAAB 152.7.148.134 37033 152.1.227.109 80
--9d27ea1d-B--
POST /wrd/wp-admin/update.php?action=upload-theme HTTP/1.1
Host: woody
Connection: keep-alive
Content-Length: 627
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://woody
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6vlfLgwbwDcTo0YY
Referer: http://woody/wrd/wp-admin/theme-install.php?upload
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_37697072787136fbe1ad01e236858611=woody%7C1431021854%7CF8yc5uiROuv8wCgGP5mUS8Z2WSoNmNfGuVSYhElC92h%7C24fdff70ae5f9b13dcf14edffad707d18d509d4d3b45186cc22ffd670342dcd0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_37697072787136fbe1ad01e236858611=woody%7C1431021854%7CF8yc5uiROuv8wCgGP5mUS8Z2WSoNmNfGuVSYhElC92h%7C3d0a7dab0ee1c316b59495d64ce74214589a819f6ed63ed85335acc18af62340; wp-settings-1=libraryContent%3Dupload; wp-settings-time-1=1430235251; hsfirstvisit=http%3A%2F%2F%2Fmba%2F||1426860635744; __hstc=232213632.47906c38e0585bc603a7661d34487ca5.1426860635746.1426860635746.1426882655096.2; __hssrc=1; hubspotutk=47906c38e0585bc603a7661d34487ca5; WRAP_REFERER=https://here/cpanel-inventory; WRAP16=ZpD+ST79twJqN/QA/c0+QJmsSD6jJIBfFPHVbz7Mf9mvBXPkesO4mv/y4HLNo/CmgO6VcQxCjegteVQZ3YO+wDZ1ZFyfBBx//sAcYjFUaXYhCW9Hs9h+/EgWB6yeA8FQ; __utma=1.1966845203.1421957202.1429534220.1429538338.4; __utmc=1; __utmz=1.1423680460.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1966845203.1421957202

--9d27ea1d-C--
------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="_wpnonce"

3d3b7f174a
------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="_wp_http_referer"

/wrd/wp-admin/theme-install.php
------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="themezip"; filename="eicar.com"
Content-Type: application/octet-stream

X5O!P%@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

------WebKitFormBoundary6vlfLgwbwDcTo0YY
Content-Disposition: form-data; name="install-theme-submit"

Install Now
------WebKitFormBoundary6vlfLgwbwDcTo0YY--

--9d27ea1d-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

--9d27ea1d-H--
Message: Access denied with code 403 (phase 2). File "/tmp//20150428-114031-VT@p75gB420AAHJfB64AAAAB-file-uRX2xE" rejected by the approver script "/usr/local/maldetect/modsec.sh": maldet(32246): {scan} setting nice scheduler priorities for all operations: cpunice 10 , ionice 6 [file "/usr/local/apache/conf/userdata/std/2_2/woody/modsec.conf"] [line "3"] [id "999999"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: default-handler
Stopwatch: 1430235631589732 203705 (- - -)
Stopwatch2: 1430235631589732 203705; combined=202043, p1=47, p2=201991, p3=0, p4=0, p5=5, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_perl/2.0.8 Perl/v5.10.1
Engine-Mode: "ENABLED"

--9d27ea1d-Z--


paulie51 commented on August 17, 2024

Hi,

That's maldet 1.5, isn't it? 1.4.2 (which you mentioned originally) doesn't have cpunice and ionice settings, as I recall.

Anyway, the file that is being scanned is not eicar.com, it's got a different name:

Message: Access denied with code 403 (phase 2). File "/tmp//20150428-114031-VT@p75gB420AAHJfB64AAAAB-file-uRX2xE" rejected by the approver script "/usr/local/maldetect/modsec.sh": maldet(32246

mod_security passes the temporary file to modsec.sh before it's been parsed by PHP, so it doesn't have its end name.

Hope this helps

Paul.

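
To make the point in the comment above concrete, here is an added shell example; it is not code from maldet or from modsec.sh. It assumes a hypothetical ignore_file_ext list and a constructed multipart body (the file contents are left out on purpose); the temporary path is the one from the audit log quoted above. The same extension check is run against the path ModSecurity hands to the approver script and against the filename= field inside the multipart body: the first can never match, the second does.

```shell
#!/bin/sh
# Added example, not code from maldet or modsec.sh.
# ModSecurity hands the approver script a temporary file whose name carries no
# extension; the name the user chose only exists inside the multipart body.

# Hypothetical ignore_file_ext contents, one extension per line.
IGNORE_EXT='.com
.jpg
.gif'

# Path from the audit log above: what modsec.sh is actually called with.
TMP_UPLOAD='/tmp//20150428-114031-VT@p75gB420AAHJfB64AAAAB-file-uRX2xE'

# Constructed multipart body (file contents omitted on purpose).
BODY='------WebKitFormBoundaryX
Content-Disposition: form-data; name="themezip"; filename="eicar.com"
Content-Type: application/octet-stream

(file contents omitted)
------WebKitFormBoundaryX--'

# Return 0 if the basename of $1 ends in one of the listed extensions
# (case-insensitive), 1 otherwise.
ext_ignored() {
    name=$(basename "$1" | tr '[:upper:]' '[:lower:]')
    for ext in $IGNORE_EXT; do          # entries contain no whitespace
        ext=$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')
        case "$name" in
            *"$ext") return 0 ;;
        esac
    done
    return 1
}

# Print the first filename="..." from a multipart body read on stdin.
upload_filename() {
    sed -n 's/^Content-Disposition: form-data;.*filename="\([^"]*\)".*/\1/p' | head -n 1
}

# Report the verdict the extension check gives for one path.
verdict() {
    if ext_ignored "$1"; then
        echo "$1 -> skipped by ignore_file_ext"
    else
        echo "$1 -> scanned"
    fi
}

# Both views of the same upload: the temp file is scanned, the user-chosen
# name would have been skipped.
verdict "$TMP_UPLOAD"
verdict "$(printf '%s\n' "$BODY" | upload_filename)"
```

The practical consequence: an approver script that only sees the ModSecurity temp file cannot honour an extension list at all; if extension-based skipping is wanted at that stage, the script would have to parse the multipart body (or receive the original filename some other way) before deciding.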

paulie51 commented on August 17, 2024

Also regarding the original issue, currently ignore_sigs is only programmed to ignore maldet sigs, not clamav sigs. Looking at the code, ignoring sigs works by creating a temporary sig file for the run, which of course won't have much effect for clamscan (or in my case clamdscan).

I'm not a programmer, but an alternative approach would be to filter out the ignore_sigs after a hit is made (in record_hit or just before), which would work to filter out clamav signatures.

I'm still working on the ignore_file_ext to ascertain why that's not working. I don't believe it should work in the case of specifying a specific file (i.e. maldet -a eicar.txt), but it's not working for me when I scan a directory with eicar.txt in it.

Paul.


rfxn commented on August 17, 2024

Ignore rules are now respected in monitor mode as well as between clam and native scan modes.


w3llr00t3d commented on August 17, 2024

Not sure if this will reopen this issue or not, but here goes.

[root@hipchat maldetect]# head /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m


[root@hipchat maldetect]# clamscan --version
ClamAV 0.99/21374/Mon Feb 15 12:59:30 2016


[root@hipchat maldetect]# yum list clamav
Installed Packages
clamav.x86_64 0.99-3.el6 @epel


[root@hipchat maldetect]# maldet --version
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2
signature set: 201602065489


[root@hipchat maldet_test]# cat /usr/local/maldetect/conf.maldet | grep clamscan | grep -v '^#'
scan_clamscan="1"


[root@hipchat maldet_test]# cat /usr/local/maldetect/ignore_sigs
{HEX}gzbase64.inject.unclassed.15
{HEX}php.exe.globals.406
php.exe.globals.406
php.exe.globals.407


[root@hipchat maldet_test]# cat test_file.txt
drush_shell_exec('rm -rf ' . $dirname);


Example 1:


[root@hipchat maldet_test]# maldet -a $(pwd)

Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(21115): {glob} processed 4 signature ignore entries
maldet(21115): {scan} signatures loaded: 10822 (8909 MD5 / 1913 HEX / 0 USER)
maldet(21115): {scan} building file list for /home/jwoodard/maldet_test, this might take awhile...
maldet(21115): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(21115): {scan} file list completed in 0s, found 3 files...
maldet(21115): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(21115): {scan} scan of /home/jwoodard/maldet_test (3 files) in progress...
maldet(21115): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(21115): {scan} scan completed on /home/jwoodard/maldet_test: files 3, malware hits 1, cleaned hits 0, time 1s
maldet(21115): {scan} scan report saved, to view run: maldet --report 160216-0051.21115
maldet(21115): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 160216-0051.21115
maldet(21115): {alert} sent scan report to


[root@hipchat maldet_test]# maldet --report 160216-0051.21115

HOST: hipchat
SCAN ID: 160216-0051.21115
STARTED: Feb 16 2016 00:51:39 -0500
COMPLETED: Feb 16 2016 00:51:40 -0500
ELAPSED: 1s [find: 0s]

PATH: /home/jwoodard/maldet_test
TOTAL FILES: 3
TOTAL HITS: 1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 160216-0051.21115

FILE HIT LIST:
{HEX}php.exe.globals.406 : /home/jwoodard/maldet_test/test_file.txt

Linux Malware Detect v1.5 < [email protected] >

Example 2:


[root@hipchat maldet_test]# cat /usr/local/maldetect/conf.maldet | grep clamscan | grep -v '^#'
scan_clamscan="0"


[root@hipchat maldet_test]# maldet -a $(pwd)
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(22632): {glob} processed 4 signature ignore entries
maldet(22632): {scan} signatures loaded: 10821 (8909 MD5 / 1912 HEX / 0 USER)
maldet(22632): {scan} building file list for /home/jwoodard/maldet_test, this might take awhile...
maldet(22632): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(22632): {scan} file list completed in 0s, found 3 files...
maldet(22632): {scan} scan of /home/jwoodard/maldet_test (3 files) in progress...
maldet(22632): {scan} 3/3 files scanned: 0 hits 0 cleaned
maldet(22632): {scan} scan completed on /home/jwoodard/maldet_test: files 3, malware hits 0, cleaned hits 0, time 0s
maldet(22632): {scan} scan report saved, to view run: maldet --report 160216-0059.22632

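
Pulling together Gazoo's observation that an entry is not honoured with or without the {CAV} prefix, paulie51's suggestion to apply ignore_sigs after a hit is made, and w3llr00t3d's Example 1 (where {HEX}php.exe.globals.406 is still reported under scan_clamscan=1), here is an added shell sketch of that post-hit filter. It is not code from linux-malware-detect. The ignore list mirrors the one posted above plus one unprefixed ClamAV name; the hit lines, the third signature name and the {CAV} prefix on ClamAV hits are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from linux-malware-detect.
# Apply ignore_sigs to the hit list after the engine has run instead of
# removing entries from the signature file the native scanner loads; this way
# the list also covers hits the ClamAV engine produced.

# Constructed ignore list: the poster's entries plus one unprefixed ClamAV name.
IGNORE_SIGS='{HEX}gzbase64.inject.unclassed.15
{HEX}php.exe.globals.406
php.exe.globals.406
php.exe.globals.407
Eicar-Test-Signature'

# Constructed hit lines in the "SIGNATURE : PATH" form of a report's FILE HIT LIST.
# The {CAV} prefix on ClamAV hits and the php.shell.demo.1 name are assumptions.
HITS='{HEX}php.exe.globals.406 : /home/jwoodard/maldet_test/test_file.txt
{CAV}Eicar-Test-Signature : /tmp/eicar.com
{HEX}php.shell.demo.1 : /var/www/html/shell.php'

# Drop a leading {HEX}, {MD5}, {CAV}, {USER}, ... so entries written either
# way in ignore_sigs compare equal.
strip_prefix() {
    printf '%s\n' "$1" | sed 's/^{[A-Za-z0-9]*}//'
}

# Return 0 if signature $1 is listed in IGNORE_SIGS, prefix or not.
sig_ignored() {
    want=$(strip_prefix "$1")
    for entry in $IGNORE_SIGS; do        # signature names contain no whitespace
        [ "$(strip_prefix "$entry")" = "$want" ] && return 0
    done
    return 1
}

# Read hit lines on stdin; print survivors on stdout, ignored ones on stderr.
filter_hits() {
    while IFS= read -r line; do
        sig=${line%% : *}
        if sig_ignored "$sig"; then
            echo "ignored by ignore_sigs: $line" >&2
        else
            printf '%s\n' "$line"
        fi
    done
}

# Number of hits that would still reach record_hit (and quarantine).
surviving_hits() {
    printf '%s\n' "$HITS" | filter_hits 2>/dev/null | wc -l | tr -d ' '
}

# Demo run: two of the three constructed hits are dropped.
printf '%s\n' "$HITS" | filter_hits
```

Two things to keep in mind with this approach: the file is still handed to the engine, so the cost of scanning it is paid even when the hit is later discarded, and the filter has to run before anything acts on the hit (quarantine, cleaning, the alert e-mail), not just before the report is written. The comparison strips the engine prefix on both sides, which is what makes the entry match whether the user wrote it as Eicar-Test-Signature or {CAV}Eicar-Test-Signature.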
