ABSAhmad

Untitled

Dec 18th, 2015
8
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. [root@server maldetect]# cat conf.maldet
  2. ##
  3. # Linux Malware Detect v1.5
  4. # (C) 2002-2015, R-fx Networks <proj@r-fx.org>
  5. # (C) 2015, Ryan MacDonald <ryan@r-fx.org>
  6. # This program may be freely redistributed under the terms of the GNU GPL v2
  7. ##
  8. #
  9. ##
  10. # [ General Options ]
  11. ##
  12.  
  13. # Enable or disable e-mail alerts, this includes application version
  14. # alerts as well as automated/manual scan reports. On-demand reports
  15. # can still be sent using '--report SCANID user@domain.com'.
  16. # [0 = disabled, 1 = enabled]
  17. email_alert="1"
  18.  
  19. # The destination e-mail addresses for automated/manual scan reports
  20. # and application version alerts.
  21. # [ multiple addresses comma (,) spaced ]
  22. email_addr="removed"
  23.  
  24. # Ignore e-mail alerts for scan reports in which all malware hits
  25. # have been automatically and successfully cleaned.
  26. # [0 = disabled, 1 = enabled]
  27. email_ignore_clean="1"
  28.  
  29. # This controls the daily automatic updates of LMD signature files
  30. # and cleaner rules. The signature update process preserves any
  31. # custom signature or cleaner files. It is highly recommended that this
  32. # be enabled as new signatures a released multiple times per-week.
  33. # [0 = disabled, 1 = enabled]
  34. autoupdate_signatures="1"
  35.  
  36. # This controls the daily automatic updates of the LMD installation.
  37. # The installation update process preserves all configuration options
  38. # along with custom signature and cleaner files. It is recommended that
  39. # this be enabled to ensure the latest version, features and bug fixes
  40. # are always available.
  41. # [0 = disabled, 1 = enabled]
  42. autoupdate_version="1"
  43.  
  44. # This controls validating the LMD executable MD5 hash with known
  45. # good upstream hash value. This allows LMD to replace the the
  46. # executable / force a reinstalltion in the event the LMD executable
  47. # is tampered with or corrupted. If you intend to make customizations
  48. # to the LMD executable, you should disable this feature.
  49. # [0 = disabled, 1 = enabled]
  50. autoupdate_version_hashed="1"
  51.  
  52. # When defined, the import_config_url option allows a configuration file to be
  53. # downloaded from a remote URL. The local conf.maldet and internals.conf are
  54. # parsed followed by the imported configuration file. As such, only variables
  55. # defined in the imported configuration file are overridden and a full set of
  56. # configuration options is not explicitly required in the imported file.
  57. import_config_url=""
  58.  
  59. # The expiry interval for refreshing the local cached version of the imported
  60. # configuration file. The default is every 12h (43200 sec) which should be ok
  61. # for most setups.
  62. import_config_expire="43200"
  63.  
  64. # When defined, the import_sigs_*_url options allow for the custom signature
  65. # files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
  66. # SIGNATURE FILES! It is recommended for large-scale deployments to define these
  67. # variables within a import_config_url file.
  68. import_sigs_md5_url=""
  69. import_sigs_hex_url=""
  70.  
  71. ##
  72. # [ SCAN OPTIONS ]
  73. ##
  74.  
  75. # The maximum directory depth that the scanner will search, a value
  76. # of 10-15 is recommended.
  77. # [ changing this may have an impact on scan performance ]
  78. scan_max_depth="15"
  79.  
  80. # The minimum file size in bytes for a file to be included in LMD scans.
  81. # [ changing this may have an impact on scan performance ]
  82. scan_min_filesize="24"
  83.  
  84. # The maximum file size for a file to be included in LMD scans. Accepted
  85. # value formats are b, k, M. When using the clamscan engine, the max_filesize
  86. # will be dynamically set based on the largest known filesize from the MD5
  87. # hash signature file.
  88. # [ changing this may have an impact on scan performance ]
  89. scan_max_filesize="768k"
  90.  
  91. # The maximum byte depth that the scanner will search into a files content.
  92. # The default signature rules expect a depth size of at least 65536 bytes.
  93. # [ changing this may have an impact on scan performance ]
  94. scan_hexdepth="65536"
  95.  
  96. # Use named pipe (FIFO) for passing file contents hex data instead of stdin
  97. # default; improved performance and greater scanning depth. This is highly
  98. # recommended and works on most systems. The hexfifo will be disabled
  99. # automatically if for any reason it can not be successfully utilized.
  100. # [ 0 = disabled, 1 = enabled ]
  101. scan_hexfifo="1"
  102.  
  103. # The maximum byte depth that the scanner will search into a files content
  104. #s when using named pipe (FIFO). Improved performance allows for greater
  105. # scan depth over default scan_hexdepth value.
  106. # [ changing this may have an impact on scan performance ]
  107. scan_hexfifo_depth="524288"
  108.  
  109. # If installed, use ClamAV clamscan binary as default scan engine which
  110. # provides improved scan performance on large file sets. The clamscan
  111. # engine is used in conjunction with native ClamAV signatures updated
  112. # through freshclam along with LMD signatures providing additional
  113. # detection capabilities.
  114. # [ 0 = disabled, 1 = enabled ]
  115. scan_clamscan="1"
  116.  
  117. # Include the scanning of known temporary world-writable paths for
  118. # -a|--al and -r|--recent scan types.
  119. scan_tmpdir_paths="/tmp /var/tmp /dev/shm /var/fcgi_ipc"
  120.  
  121. # Allows non-root users to perform scans. This must be enabled when
  122. # using mod_security2 upload scanning or if you want to allow users
  123. # to perform scans. When enabled, this will populate 'pub/' with user
  124. # owned quarantine, session and temporary paths to faciliate scans.
  125. # [ 0 = disabled, 1 = enabled, disabled by default ]
  126. scan_user_access="0"
  127.  
  128. # Process CPU scheduling (nice) priority level for scan operations.
  129. # [ -19 = high prio , 19 = low prio, default = 19 ]
  130. scan_cpunice="19"
  131.  
  132. # Process IO scheduling (ionice) priority levels for scan operations.
  133. # (uses cbq best-effort scheduling class [-c2])
  134. # [ 0 = most favorable IO, 7 = least favorable IO ]
  135. scan_ionice="6"
  136.  
  137. # Set hard limit on CPU usage for find and clam(d)scan processes. This
  138. # requires the 'cpulimit' binary to be available on the server. The values
  139. # are expressed as relative percentage * N cores on system. An 8 CPU core
  140. # server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
  141. scan_cpulimit="0"
  142.  
  143. # As a design and common use case, LMD typically only scans user space paths
  144. # and as such it makes sense to ignore files that are root owned. It is
  145. # recommended to leave this enabled for best performance.
  146. # [ 0 = disabled, 1 = enabled ]
  147. scan_ignore_root="1"
  148.  
  149. # This allows for specific user or groups to be ignored entirely from scan
  150. # file lists. This option should be used with care and is not ideal for
  151. # ignoring false positives. Instead, you should use one of the ignore files,
  152. # such as ignore_paths, to exclude a specific file name or path from scans.
  153. # [ comma or white spaced list of user and group names ]
  154. scan_ignore_user=""
  155. scan_ignore_group=""
  156.  
  157. # The maximum amount of time, in seconds, that the 'find' file list generation
  158. # will run before it is terminated. All 'find' results up to the point of
  159. # termination will be fully scanned. If performing a full scan of all user paths
  160. # on a large server, it is reasonable to expect the find operation may take a
  161. # long time to complete and as such this feature may interfere. In such cases,
  162. # this feature can be disabled/modified on a per-scan basis using the
  163. # '-co|--config-option' CLI option, such as:
  164. # "maldet -co scan_find_timeout=0 -a /home/?/public_html".
  165. # [ 0 = disabled, 14400 = 4hr recommended timeout ]
  166. scan_find_timeout="0"
  167.  
  168. # The daily cron 'find' operation performed by LMD detects recently created/modifed
  169. # user files. This 'find' operation can be especially resource intensive and it may
  170. # be desirable to persist the file list results so that other applications/tasks
  171. # may make use of the results. When scan_export_filelist is set enabled, the most
  172. # recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
  173. # [ 0 = disabled, 1 = enabled ]
  174. scan_export_filelist="0"
  175.  
  176. ##
  177. # [ QUARANTINE OPTIONS ]
  178. ##
  179. # The default quarantine action for malware hits
  180. # [0 = alert only, 1 = move to quarantine & alert]
  181. quarantine_hits="1"
  182.  
  183. # Try to clean string based malware injections
  184. # [NOTE: quarantine_hits=1 required]
  185. # [0 = disabled, 1 = clean]
  186. quarantine_clean="1"
  187.  
  188. # The default suspend action for users wih hits
  189. # Cpanel suspend or set shell /bin/false on non-Cpanel
  190. # [NOTE: quarantine_hits=1 required]
  191. # [0 = disabled, 1 = suspend account]
  192. quarantine_suspend_user="0"
  193.  
  194. # The minimum userid value that can be suspended
  195. # [ default = 500 ]
  196. quarantine_suspend_user_minuid="500"
  197.  
  198. ##
  199. # [ MONITORING OPTIONS ]
  200. ##
  201. # The default startup option for monitor mode, either 'users' or path to line
  202. # spaced file containing local paths to monitor. This option is used for the
  203. # init based startup script. This value is ignored when '/etc/sysconfig/maldet'
  204. # is present with a defined value for $MONITOR_MODE.
  205. # default_monitor_mode="users"
  206. # default_monitor_mode="/usr/local/maldetect/monitor_paths"
  207.  
  208. # The base number of files that can be watched under a path,
  209. # this ends up being a relative value per-user in user mode.
  210. # [ maximum file watches = inotify_base_watches*users ]
  211. inotify_base_watches="16384"
  212.  
  213. # The sleep time in seconds between monitor runs to scan files
  214. # that have been created/modified/moved.
  215. inotify_sleep="15"
  216.  
  217. # The interval in seconds that inotify will reload configuration
  218. # data, including remote configuration imports and user signatures.
  219. inotify_reloadtime="3600"
  220.  
  221. # The minimum userid that will be added to path monitoring when
  222. # the USERS option is specified.
  223. inotify_minuid="500"
  224.  
  225. # This is the html/web root for users relative to homedir, when
  226. # this option is set, users will only have the webdir monitored
  227. # [ clear option to default monitor entire user homedir ]
  228. inotify_docroot="public_html"
  229.  
  230. # Process CPU scheduling (nice) priority level for scan operations.
  231. # [ -19 = high prio , 19 = low prio, default = 19 ]
  232. inotify_cpunice="18"
  233.  
  234. # Process IO scheduling (ionice) priority levels for scan operations.
  235. # (uses cbq best-effort scheduling class [-c2])
  236. # [ 0 = most favorable IO, 7 = least favorable IO ]
  237. inotify_ionice="6"
  238.  
  239. # Set hard limit on CPU usage for inotify monitoring processes. This requires
  240. # the 'cpulimit' binary to be available on the server. The values are expressed
  241. # as relative percentage * N cores on system. An 8 CPU core system would accept
  242. # values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
  243. inotify_cpulimit="0"
  244.  
  245. # Log every file scanned by inotify monitoring mode; this is not recommended
  246. # and will drown out your 'event_log' file, intended only for debugging purposes.
  247. inotify_verbose="0"
  248.  
  249. ##
  250. # [ STATISTICAL ANALYSIS ]
  251. # This is an EXPERIMENTAL feature and should be used with caution.
  252. # Currently, this feature can have a substantially negative impact
  253. # on scan performance, especially with large file sets.
  254. ##
  255. # The string length test is used to identify threats based on the
  256. # length of the longest uninterrupted string within a file. This is
  257. # useful as obfuscated code is often stored using encoding methods
  258. # that produce very long strings without spaces (e.g: base64)
  259. # [ string length in characters, default = 150000 ]
  260. string_length_scan="0" # [ 0 = disabled, 1 = enabled ]
  261. string_length="150000" # [ max string length ]
RAW Paste Data