1+ v1.6 | Feb 00 2017:
2+ [New] added curated set of YARA webshell & malware signatures for use with ClamAV >= 0.99b
3+ [New] added cleaner rule 'VistorTracker.Mob'
4+ [New] added cleaner rule 'js.inject.fakejquery02'
5+ [New] added support for 'froxlor' to cron.daily execution
6+ [New] added support for 'vestacp' to cron.daily execution
7+ [New] added support for 'ispconfig3' to cron.daily execution
8+ [New] added support for 'DTC' to cron.daily execution
9+ [New] added '$confpath', '$varlibpath' and '$libpath' for FHS separation
10+ [New] moved compatibility (legacy) variables out of internals.conf into compat.conf
11+ [New] added support to pull configuration variables for cron executions from 'sysconfig/maldet'
12+ [New] added Debian derivatives sysconfig and initd compatibility for function sourcing and subsys locking
13+ [New] added LSB tags to init script
14+ [New] added capability of moving public scan path with $userbasedir variable
15+ [New] manpage added and setup default with install.sh execution
16+ [New] added support for clamd running as an unprivileged user through clamdscan w/ --fdpass options
17+ [New] added --wget-proxy CLI option for http(s) proxy support
18+ [New] added clam(d)scan_extraopts variables to internals.conf for appending extra CLI options on clam(d)scan;
19+ these values can also be defined in sysconfig or cron/exec based config files and on CLI
20+ [New] sysconfig support through '/etc/sysconfig/maldet' or '/etc/default/maldet', system dependant, to
21+ allow easier configuration overrides; all conf.maldet and internals.conf variables supported
22+ [Change] file stat calls replaced with function file_stat
23+ [Change] stat calls are now (Free|Net)BSD compatible through file_stat function
24+ [Change] report listing, '-e|--report list', now displays scan run time
25+ [Change] scan reports and cli outputs once again display simplified path definitions instead of expanded paths
26+ [Change] unified all clamav selection logic for data paths, running clamd processes, clam(d)scan CLI options etc...
27+ into a single function, clamselector(); this will make clam behavior more predictable across all functions
28+ [Change] added subdomains path for ISPConfig to cron.daily
29+ [Change] corrected variable naming semantics for import_*_(md5|hex)_url paramters
30+ [Change] monitor mode now identifies inotifywait processes based on a string pattern unique to maldet
31+ to avoid conflicts with any other inotifywait processes
32+ [Change] added wget_proxy variable for us in sysconfig and conf.maldet options
33+ [Change] YARA-LMD curated signature set will now be included with signature updates
34+ [Change] differentiate signature hits for YARA with '{YARA}' signame prefix
35+ [Change] inotify_docroot now accepts comma or white spaced list of paths under user root to monitor
36+ [Change] removed absolute path usage from 'pidof'
37+ [Change] drop unneeded usage of shebang from sourced configuration files
38+ [Change] modified shebang usage with 'env' prefix for portability
39+ [Change] temporary path usage now consistently using $tmpdir value
40+ [Change] scan paths must now be absolute paths
41+ [Change] modified init script stop function for Debian derivatives
42+ [Change] improved history tracking with proper date stamps, more verbose quarantine history logging and storing
43+ into more explicitly named files '$sessdir/hits.hist' and '$sessdir/quarantine.hist'
44+ [Change] added scan_days value to cron.daily allowing customization of the date range scanned by daily cron
45+ [Change] replaced remaining absolute calls to sigdirs with '$sigdir'
46+ [Change] added Debian derivatives support for MONITOR_MODE checks
47+ [Change] updated cron.daily to provide for a custom execution file and modified custom config file into
48+ 'cron/conf.maldet.cron' and 'cron/custom.cron'
49+ [Change] install.sh cased variable on find execution
50+ [Change] symlink hookscan.sh to modsec.sh for pre-v1.5 compat
51+ [Change] added '^/tmp/clamav-.*' to ignored paths where ownership matches clamd process
52+ [Change] preserve custom cron configuration files on upgrade
53+ [Change] hookscan.sh was calling LMD using legacy, deprecated, '--config-option' options
54+ [Change] normalize installation path variable between LMD proper and installation scripts
55+ [Change] reduced redundant path definitions
56+ [Change] added test for main.cvd and main.cld in determining clamav signature paths
57+ [Change] README changes to reflect new cron customization setup
58+ [Change] added attempting passive ftp when active fails for malware checkout uploads
59+ [Change] .ca.def configuration template renamed importconf and now copied over during installation to
60+ 'internals/importconf'
61+ [Change] new versions of 'chown' don't support use of . (dot) to separate user and group
62+ [Change] find option regextype is now dropped on FreeBSD for compatibility
63+ [Change] scan.tpl reporting template handles column spacing on filenames with spaces better
64+ [Change] CLI usage semantics of --include-regex and --exclude-regex now consistently passing to 'find' command
65+ [Change] moved all internal field separator line break modifications to lbreakifs()
66+ [Change] quarantine .info file is now field separated with colon symbol (:)
67+ [Change] quarantine .info file value ordering has been modified
68+ # owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
69+ [Change] record_hits() now writes file mode and file times (a|m|c) into hits history file
70+ [Change] 'eval' is now used as a prefix on the 'find' command to better handle the complex set of options passed to 'find'
71+ and avoid globbing, splitting and other bash'esque semantic issues
72+ [Change] modified mkpubpaths cronjob to execute every 5 minutes instead of 10
73+ [Change] public mode scanning errors are now more verbose
74+ [Change] updated README to reflect required modsec >=2.9 variable 'SecTmpSaveUploadedFiles'
75+ for upload scanning
76+ [Change] hookscan.sh (modsec.sh) now checks for variable override file at conf.maldet.hookscan
77+ [Change] added use of sed flag -E for FreeBSD compatibility with GNU sed usage
78+ [Change] clamscan will now respect scan_max_filesize value instead of hardcoded 5M
79+ [Change] default scan_max_filesize increased from 768k to 2048k
80+ [Change] clamscan max-scansize for archive depth set as scan_max_filesize*2
81+ [Fix] improved special character argument escaping for -a|-r options that could have caused arbitrary command
82+ executions in environments where LMD was allowed to be called by non-root users and/or set-uid/gid wrappers
83+ [Fix] FreeBSD calls to 'md5 -q' were being incorrectly escaped causing file names to never pass and return valid
84+ md5 hash string; corrected by preprending 'eval' to the md5 command callouts.
85+ [Fix] corrected typo with import_* variables causing configuration imports to fail
86+ [Fix] suppress eout() output for certain import_*() and get_remote_file() calls; this was causing
87+ false-positive hits for modsec integration
88+ [Fix] install.sh may not have preserved certain variables on upgrade
89+ [Fix] clamdscan was running as a non-root user, would generate lstat errors for all file find results
90+ leading to potential false positive hit/quarantine
91+ [Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on
92+ startup due as a result of lstat errors on the custom user signature files stored under $tmpdir
93+ [Fix] clamd.conf configurations containing Follow(File|Directory)Symlinks set to false results in
94+ the rfxn.*/lmd.user.* links causing clamd startup failures
95+ [Fix] suppress error output to cli for customer user signature files when they do not exist
96+ [Fix] uninstall.sh now cleans up signature files from clamav data paths
97+ [Fix] corrected invalid matching against clamdscan binary when clamd was running as non-root user
98+ [Fix] intofiywait on Ubuntu12 doesn't support the '-o' and '-d' option; modified to send stdout to logfile
99+ for better compatibility
100+ [Fix] conditionally test for vz container and disable use of ionice which is not support in vz containers
101+ [Fix] '-k|--kill-monitor' would under certain circumstances leave zombie processes
102+ [Fix] monitor_cycle() could lead to memory depletion due to infinite loop cycle calls
103+ [Fix] uninstall.sh was not shutting off monitor mode on uninstall
104+ [Fix] legacy variable suppress_cleanhit references updated to email_ignore_clean
105+ [Fix] email alerting broke during an iterative update due to order of precedence change of how configuration
106+ files were loaded and compatibility (legacy) variables being set before main conf.maldet was loaded;
107+ caused by FHS refactoring
108+ [Fix] installation upgrade configuration importer was not properly executing after FHS refactoring during an
109+ iterative update
110+ [Fix] issue #167 certain variables not being preserved on importconf execution, updated 'compat.conf'
111+ [Fix] custom signature runtime files could grow exponentially in monitor mode
112+ [Fix] make '--mkpubpaths' option cross-platform compatible (debian, rh, bsd)
113+ [Fix] replaced usage of 'awk' on file name sensitive variables with 'cut' and/or better scoped field separator for awk
114+ [Fix] double quote wrapped file name variables properly on restore*() functions
115+ [Fix] quarantine .info files were not properly recording source file atime,mtime,ctime values manual quarantine calls
116+ [Fix] user supplied paths to CLI are now better handled if they contain special characters
117+ [Fix] multiple user supplied paths to CLI would generate an error if the first path contained a space and
118+ subsequent paths did not
119+ [Fix] commit c8a1279 introduced bug where clamav could be fed zero sized signature files resulting in fatal exit
120+ [Fix] public mode scanning will now properly error if mkpubpaths paths do not exist
121+ [Fix] hookscan.sh (modsec.sh) will now default to not using clamav if clamd is not running
122+ [Fix] though functional, public mode scanning would result in permission errors on console due to pathing issues with
123+ history tracking files
124+ [Fix] clam(d)scan was not respecting values in 'ignore_sigs' file, this has been corrected for both CLI and monitor mode
125+ [Fix] addition of prefixing eval to find command required certain values to be escaped differently for proper function
126+ of '-r|--recent'
127+ [Fix] util-linux 2.23 supports 'column' command with '-o' but earlier versions do not, resulting in scan reports
128+ generating empty hit lists
129+ [Fix] importconf was setting invalid vars for custom signature imports; correct variables are import_custsigs_md5_url
130+ and import_custsigs_hex_url
131+ [Fix] multiplying maldet monitor processes due to 'ps' command expansion under parent bash process on CentOS6
132+ [Fix] added default installation path to ignore_inotify to prevent monitor looping when '/' is scoped into
133+ monitoring mode; results in notify log filling disk space
134+ [Fix] importconf was not importing the value for import_config_url
135+
1136v1.5 | Sep 19 2015:
2137[New] added -f|--file-list CLI option to allow user supplied run-time file list for scanning
3138[New] added -i|--include-regex CLI option for run-time path/file inclusion based on posix-egrep regular expressions
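Review bot: the section header "v1.6 | Feb 00 2017:" carries a placeholder day; set the real release date before this section is tagged. The [Fix] entry for -a|-r argument escaping that "could have caused arbitrary command executions" when LMD is callable by non-root users or set-uid/gid wrappers is a security fix and should carry a distinct marker (e.g. [Security]) and sit at the top of the section rather than among ordinary fixes; the same escaping requirement should be stated for the other new 'eval' prefixes this release introduces on the 'find' and 'md5 -q' callouts, since those now receive user-supplied CLI paths and the --include-regex/--exclude-regex values. The new sysconfig override ('/etc/sysconfig/maldet' or '/etc/default/maldet', "all conf.maldet and internals.conf variables supported") is sourced as shell by the cron.daily execution, so the entry or README should state the ownership and mode expected of that file. Minor wording: "dependant" -> "dependent", "paramters" -> "parameters", "for us in sysconfig" -> "for use in sysconfig", "preprending" -> "prepending", "customer user signature" -> "custom user signature", "intofiywait" -> "inotifywait", "not support in vz" -> "not supported in vz", and 'VistorTracker.Mob' reads as a typo for 'VisitorTracker' unless it matches the rule name in the signature set.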
@@ -12,7 +147,7 @@ v1.5 | Sep 19 2015:
12147 "clean/custom.signame"; rules are preserved across signature and version updates
13148[New] added support for clam(d) engine when running in inotify monitoring mode
14149[New] added URL import feature for global configuration overrides using import_config_url variable in conf.maldet
15- [New] added URL import feature for user custom signatures using import_sigs_md5_url & import_sigs_hex_url variables in conf.maldet
150+ [New] added URL import feature for user custom signatures using import_custsigs_md5_url & import_custsigs_hex_url variables in conf.maldet
16151[New] added set of defined exit codes for errored exits(1), successful runs with hits(2), successful runs with no hits(0)
17152[New] added uninstall.sh script to maldetect installation path
18153[New] added md5 hash verification of signature and version update downloads
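Review bot: this hunk rewrites the already-released v1.5 entry to name import_custsigs_md5_url & import_custsigs_hex_url, but v1.5 shipped with import_sigs_md5_url & import_sigs_hex_url, and the rename is already recorded in the v1.6 section ("corrected variable naming semantics for import_*_(md5|hex)_url" and the importconf fix naming import_custsigs_*). Editing old release notes hides the original variable names from users upgrading from v1.5; prefer keeping the original v1.5 line and, if anything, appending "(renamed to import_custsigs_* in v1.6)". In the unchanged context, the md5 verification of signature and version update downloads protects against transport corruption only; the entry should say where the hash is obtained from, since a hash fetched over the same channel as the download is not an authenticity check.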