[root@server maldetect]# cat conf.maldet
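##
# Linux Malware Detect v1.5
# (C) 2002-2015, R-fx Networks <proj@r-fx.org>
# (C) 2015, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
# This file is a set of shell variable assignments read by the maldet
# script; every value is a quoted string and there are no sections.
# Comments start with '#' on their own line.
##
# [ General Options ]
##
# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID user@domain.com'.
# [0 = disabled, 1 = enabled]
email_alert="1"
# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
# (the real address was redacted in this copy of the file)
email_addr="removed"
# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"
# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures are released multiple times per week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"
# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"
# This controls validating the LMD executable MD5 hash with a known
# good upstream hash value. This allows LMD to replace the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"
# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
# Because the imported file overrides local settings, it should come from a
# host you control and be fetched over https:// so it cannot be altered in
# transit.
import_config_url=""
# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
# [ seconds ]
import_config_expire="43200"
# When defined, the import_sigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within an import_config_url file. The same trust and https://
# considerations as import_config_url apply.
import_sigs_md5_url=""
import_sigs_hex_url=""
##
# [ SCAN OPTIONS ]
##
# The maximum directory depth that the scanner will search, a value
# of 10-15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="15"
# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="24"
# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="768k"
# The maximum byte depth that the scanner will search into a file's content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"
# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="1"
# The maximum byte depth that the scanner will search into a file's content
# when using named pipe (FIFO). Improved performance allows for greater
# scan depth over the default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"
# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"
# Include the scanning of known temporary world-writable paths for
# -a|--al and -r|--recent scan types.
# [ white spaced list of paths ]
scan_tmpdir_paths="/tmp /var/tmp /dev/shm /var/fcgi_ipc"
# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="0"
# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio, 19 = low prio, default = 19 ]
scan_cpunice="19"
# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="6"
# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
# [ 0 = no limit ]
scan_cpulimit="0"
# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance. Note that with this
# enabled, root-owned files are never examined by the scanner.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="1"
# This allows for specific users or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=""
scan_ignore_group=""
# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="0"
# The daily cron 'find' operation performed by LMD detects recently created/modified
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="0"
##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="1"
# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="1"
# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="0"
# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="500"
##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or path to line
# spaced file containing local paths to monitor. This option is used for the
# init based startup script. This value is ignored when '/etc/sysconfig/maldet'
# is present with a defined value for $MONITOR_MODE.
# Both examples below are intentionally left commented out.
# default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
# The base number of files that can be watched under a path,
# this ends up being a relative value per-user in user mode.
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"
# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved.
inotify_sleep="15"
# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports and user signatures.
inotify_reloadtime="3600"
# The minimum userid that will be added to path monitoring when
# the USERS option is specified.
inotify_minuid="500"
# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ clear option to default monitor entire user homedir ]
inotify_docroot="public_html"
# Process CPU scheduling (nice) priority level for monitor operations.
# [ -19 = high prio, 19 = low prio, default = 19 ]
inotify_cpunice="18"
# Process IO scheduling (ionice) priority levels for monitor operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="6"
# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 core system would accept 0 - 1200 etc...
# [ 0 = no limit ]
inotify_cpulimit="0"
# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your 'event_log' file, intended only for debugging purposes.
# [ 0 = disabled, 1 = enabled ]
inotify_verbose="0"
##
# [ STATISTICAL ANALYSIS ]
# This is an EXPERIMENTAL feature and should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ 0 = disabled, 1 = enabled ]
string_length_scan="0"
# [ max string length in characters, default = 150000 ]
string_length="150000"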