  1. [root@server maldetect]# cat conf.maldet
  2. ##
  3. # Linux Malware Detect v1.5
  4. # (C) 2002-2015, R-fx Networks <proj@r-fx.org>
  5. # (C) 2015, Ryan MacDonald <ryan@r-fx.org>
  6. # This program may be freely redistributed under the terms of the GNU GPL v2
  7. ##
  8. #
  9. ##
  10. # [ General Options ]
  11. ##
  12.  
  13. # Enable or disable e-mail alerts, this includes application version
  14. # alerts as well as automated/manual scan reports. On-demand reports
  15. # can still be sent using '--report SCANID user@domain.com'.
  16. # [0 = disabled, 1 = enabled]
  17. email_alert="1"
  18.  
  19. # The destination e-mail addresses for automated/manual scan reports
  20. # and application version alerts.
  21. # [ multiple addresses comma (,) spaced ]
  22. email_addr="removed"
  23.  
  24. # Ignore e-mail alerts for scan reports in which all malware hits
  25. # have been automatically and successfully cleaned.
  26. # [0 = disabled, 1 = enabled]
  27. email_ignore_clean="1"
  28.  
  29. # This controls the daily automatic updates of LMD signature files
  30. # and cleaner rules. The signature update process preserves any
  31. # custom signature or cleaner files. It is highly recommended that this
  32. # be enabled as new signatures a released multiple times per-week.
  33. # [0 = disabled, 1 = enabled]
  34. autoupdate_signatures="1"
  35.  
  36. # This controls the daily automatic updates of the LMD installation.
  37. # The installation update process preserves all configuration options
  38. # along with custom signature and cleaner files. It is recommended that
  39. # this be enabled to ensure the latest version, features and bug fixes
  40. # are always available.
  41. # [0 = disabled, 1 = enabled]
  42. autoupdate_version="1"
  43.  
  44. # This controls validating the LMD executable MD5 hash with known
  45. # good upstream hash value. This allows LMD to replace the the
  46. # executable / force a reinstalltion in the event the LMD executable
  47. # is tampered with or corrupted. If you intend to make customizations
  48. # to the LMD executable, you should disable this feature.
  49. # [0 = disabled, 1 = enabled]
  50. autoupdate_version_hashed="1"
  51.  
  52. # When defined, the import_config_url option allows a configuration file to be
  53. # downloaded from a remote URL. The local conf.maldet and internals.conf are
  54. # parsed followed by the imported configuration file. As such, only variables
  55. # defined in the imported configuration file are overridden and a full set of
  56. # configuration options is not explicitly required in the imported file.
  57. import_config_url=""
  58.  
  59. # The expiry interval for refreshing the local cached version of the imported
  60. # configuration file. The default is every 12h (43200 sec) which should be ok
  61. # for most setups.
  62. import_config_expire="43200"
  63.  
  64. # When defined, the import_sigs_*_url options allow for the custom signature
  65. # files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
  66. # SIGNATURE FILES! It is recommended for large-scale deployments to define these
  67. # variables within a import_config_url file.
  68. import_sigs_md5_url=""
  69. import_sigs_hex_url=""
  70.  
  71. ##
  72. # [ SCAN OPTIONS ]
  73. ##
  74.  
  75. # The maximum directory depth that the scanner will search, a value
  76. # of 10-15 is recommended.
  77. # [ changing this may have an impact on scan performance ]
  78. scan_max_depth="15"
  79.  
  80. # The minimum file size in bytes for a file to be included in LMD scans.
  81. # [ changing this may have an impact on scan performance ]
  82. scan_min_filesize="24"
  83.  
  84. # The maximum file size for a file to be included in LMD scans. Accepted
  85. # value formats are b, k, M. When using the clamscan engine, the max_filesize
  86. # will be dynamically set based on the largest known filesize from the MD5
  87. # hash signature file.
  88. # [ changing this may have an impact on scan performance ]
  89. scan_max_filesize="768k"
  90.  
  91. # The maximum byte depth that the scanner will search into a files content.
  92. # The default signature rules expect a depth size of at least 65536 bytes.
  93. # [ changing this may have an impact on scan performance ]
  94. scan_hexdepth="65536"
  95.  
  96. # Use named pipe (FIFO) for passing file contents hex data instead of stdin
  97. # default; improved performance and greater scanning depth. This is highly
  98. # recommended and works on most systems. The hexfifo will be disabled
  99. # automatically if for any reason it can not be successfully utilized.
  100. # [ 0 = disabled, 1 = enabled ]
  101. scan_hexfifo="1"
  102.  
  103. # The maximum byte depth that the scanner will search into a files content
  104. #s when using named pipe (FIFO). Improved performance allows for greater
  105. # scan depth over default scan_hexdepth value.
  106. # [ changing this may have an impact on scan performance ]
  107. scan_hexfifo_depth="524288"
  108.  
  109. # If installed, use ClamAV clamscan binary as default scan engine which
  110. # provides improved scan performance on large file sets. The clamscan
  111. # engine is used in conjunction with native ClamAV signatures updated
  112. # through freshclam along with LMD signatures providing additional
  113. # detection capabilities.
  114. # [ 0 = disabled, 1 = enabled ]
  115. scan_clamscan="1"
  116.  
  117. # Include the scanning of known temporary world-writable paths for
  118. # -a|--al and -r|--recent scan types.
  119. scan_tmpdir_paths="/tmp /var/tmp /dev/shm /var/fcgi_ipc"
  120.  
  121. # Allows non-root users to perform scans. This must be enabled when
  122. # using mod_security2 upload scanning or if you want to allow users
  123. # to perform scans. When enabled, this will populate 'pub/' with user
  124. # owned quarantine, session and temporary paths to faciliate scans.
  125. # [ 0 = disabled, 1 = enabled, disabled by default ]
  126. scan_user_access="0"
  127.  
  128. # Process CPU scheduling (nice) priority level for scan operations.
  129. # [ -19 = high prio , 19 = low prio, default = 19 ]
  130. scan_cpunice="19"
  131.  
  132. # Process IO scheduling (ionice) priority levels for scan operations.
  133. # (uses cbq best-effort scheduling class [-c2])
  134. # [ 0 = most favorable IO, 7 = least favorable IO ]
  135. scan_ionice="6"
  136.  
  137. # Set hard limit on CPU usage for find and clam(d)scan processes. This
  138. # requires the 'cpulimit' binary to be available on the server. The values
  139. # are expressed as relative percentage * N cores on system. An 8 CPU core
  140. # server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
  141. scan_cpulimit="0"
  142.  
  143. # As a design and common use case, LMD typically only scans user space paths
  144. # and as such it makes sense to ignore files that are root owned. It is
  145. # recommended to leave this enabled for best performance.
  146. # [ 0 = disabled, 1 = enabled ]
  147. scan_ignore_root="1"
  148.  
  149. # This allows for specific user or groups to be ignored entirely from scan
  150. # file lists. This option should be used with care and is not ideal for
  151. # ignoring false positives. Instead, you should use one of the ignore files,
  152. # such as ignore_paths, to exclude a specific file name or path from scans.
  153. # [ comma or white spaced list of user and group names ]
  154. scan_ignore_user=""
  155. scan_ignore_group=""
  156.  
  157. # The maximum amount of time, in seconds, that the 'find' file list generation
  158. # will run before it is terminated. All 'find' results up to the point of
  159. # termination will be fully scanned. If performing a full scan of all user paths
  160. # on a large server, it is reasonable to expect the find operation may take a
  161. # long time to complete and as such this feature may interfere. In such cases,
  162. # this feature can be disabled/modified on a per-scan basis using the
  163. # '-co|--config-option' CLI option, such as:
  164. # "maldet -co scan_find_timeout=0 -a /home/?/public_html".
  165. # [ 0 = disabled, 14400 = 4hr recommended timeout ]
  166. scan_find_timeout="0"
  167.  
  168. # The daily cron 'find' operation performed by LMD detects recently created/modifed
  169. # user files. This 'find' operation can be especially resource intensive and it may
  170. # be desirable to persist the file list results so that other applications/tasks
  171. # may make use of the results. When scan_export_filelist is set enabled, the most
  172. # recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
  173. # [ 0 = disabled, 1 = enabled ]
  174. scan_export_filelist="0"
  175.  
  176. ##
  177. # [ QUARANTINE OPTIONS ]
  178. ##
  179. # The default quarantine action for malware hits
  180. # [0 = alert only, 1 = move to quarantine & alert]
  181. quarantine_hits="1"
  182.  
  183. # Try to clean string based malware injections
  184. # [NOTE: quarantine_hits=1 required]
  185. # [0 = disabled, 1 = clean]
  186. quarantine_clean="1"
  187.  
  188. # The default suspend action for users wih hits
  189. # Cpanel suspend or set shell /bin/false on non-Cpanel
  190. # [NOTE: quarantine_hits=1 required]
  191. # [0 = disabled, 1 = suspend account]
  192. quarantine_suspend_user="0"
  193.  
  194. # The minimum userid value that can be suspended
  195. # [ default = 500 ]
  196. quarantine_suspend_user_minuid="500"
  197.  
  198. ##
  199. # [ MONITORING OPTIONS ]
  200. ##
  201. # The default startup option for monitor mode, either 'users' or path to line
  202. # spaced file containing local paths to monitor. This option is used for the
  203. # init based startup script. This value is ignored when '/etc/sysconfig/maldet'
  204. # is present with a defined value for $MONITOR_MODE.
  205. # default_monitor_mode="users"
  206. # default_monitor_mode="/usr/local/maldetect/monitor_paths"
  207.  
  208. # The base number of files that can be watched under a path,
  209. # this ends up being a relative value per-user in user mode.
  210. # [ maximum file watches = inotify_base_watches*users ]
  211. inotify_base_watches="16384"
  212.  
  213. # The sleep time in seconds between monitor runs to scan files
  214. # that have been created/modified/moved.
  215. inotify_sleep="15"
  216.  
  217. # The interval in seconds that inotify will reload configuration
  218. # data, including remote configuration imports and user signatures.
  219. inotify_reloadtime="3600"
  220.  
  221. # The minimum userid that will be added to path monitoring when
  222. # the USERS option is specified.
  223. inotify_minuid="500"
  224.  
  225. # This is the html/web root for users relative to homedir, when
  226. # this option is set, users will only have the webdir monitored
  227. # [ clear option to default monitor entire user homedir ]
  228. inotify_docroot="public_html"
  229.  
  230. # Process CPU scheduling (nice) priority level for scan operations.
  231. # [ -19 = high prio , 19 = low prio, default = 19 ]
  232. inotify_cpunice="18"
  233.  
  234. # Process IO scheduling (ionice) priority levels for scan operations.
  235. # (uses cbq best-effort scheduling class [-c2])
  236. # [ 0 = most favorable IO, 7 = least favorable IO ]
  237. inotify_ionice="6"
  238.  
  239. # Set hard limit on CPU usage for inotify monitoring processes. This requires
  240. # the 'cpulimit' binary to be available on the server. The values are expressed
  241. # as relative percentage * N cores on system. An 8 CPU core system would accept
  242. # values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
  243. inotify_cpulimit="0"
  244.  
  245. # Log every file scanned by inotify monitoring mode; this is not recommended
  246. # and will drown out your 'event_log' file, intended only for debugging purposes.
  247. inotify_verbose="0"
  248.  
  249. ##
  250. # [ STATISTICAL ANALYSIS ]
  251. # This is an EXPERIMENTAL feature and should be used with caution.
  252. # Currently, this feature can have a substantially negative impact
  253. # on scan performance, especially with large file sets.
  254. ##
  255. # The string length test is used to identify threats based on the
  256. # length of the longest uninterrupted string within a file. This is
  257. # useful as obfuscated code is often stored using encoding methods
  258. # that produce very long strings without spaces (e.g: base64)
  259. # [ string length in characters, default = 150000 ]
  260. string_length_scan="0" # [ 0 = disabled, 1 = enabled ]
  261. string_length="150000" # [ max string length ]