Linux Malware Detect

Anti-malware engine designed around the threats faced in today's hosting environments. It uses multifaceted threat data from network edge IPS, community data, ClamAV, and user submission systems to extract malware that is actively being used in attacks.

  • Network Edge IPS - The IPS events are processed to extract malware url's, decode POST payload and base64/gzip encoded abuse data and ultimately that malware is retrieved, reviewed, classified and then signatures generated as appropriate.
  • Community Data - Data is aggregated from multiple community malware websites such as clean-mx and malwaredomainlist then processed to retrieve new malware, review, classify and then generate signatures.
  • ClamAV - The HEX & MD5 detection signatures from ClamAV are monitored for relevant updates that apply to the target user group of LMD and added to the project as appropriate.
  • User Submission - checkout feature that allows users to submit suspected malware for review, this has grown into a very popular feature and generates on average about 30-50 submissions per week.

ClamAV Anti-virus

The ClamAV® open source multi-threaded scanner daemon detects trojans, viruses, malware and other malicious threats. Extended signatures from Malware Expert provide ultimate detection of PHP based malware.

  • Advanced database updater with support for scripted updates and digital signatures.
  • The virus signatures are updated multiple times per day.
  • Built-in support for various archive formats, including Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
  • Built-in support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others.

Quarantine Malware

Malware can be quatantined storing threats in a safe fashion with no permissions. You can optionally restore files to original path, owner and permissions.

  • Quarantine queue that stores threats in a safe fashion with no permissions.
  • Quarantine batching option to quarantine the results of a current or past scans.
  • Quarantine restore option to restore files to original path, owner and permissions.
  • View, edit, download or restore quarantined files using your web browser.

Clean Infected Files

Cleaner rules will attempt to remove malware injected strings. Supports base64 and gzinflate (base64 injected malware). After clean is performed it will be re-scanned and verify that the clean was successful.

  • Cleaner rules to attempt removal of malware injected strings.
  • Cleaner batching option to attempt cleaning of previous scan reports.
  • Cleaner rules to remove base64 and gzinflate (base64 injected malware).

Real-time Scanning

Kernel based inotify real time file scanning of created/modified/moved files. Monitor your entire vhosts directory tree an instantly scan any changed files. All of its resources are inside kernel memory and has a very small cpu usage and userspace footprint in memory.

  • Kernel based inotify real time file scanning of created / modified / moved files.
  • Kernel inotify monitor that can take path data from STDIN or FILE.
  • Kernel inotify monitor with dynamic sysctl limits for optimal performance.
  • Kernel inotify alerting through daily and/or optional weekly reports.

Signature updates

Signatures are updated typically once per day or more frequently depending on incoming threat data, IPS malware extraction and other sources. Signatures are derived from tracking active in the wild threats that are currently circulating. Threat data includes Network Edge IPS, community, ClamAV, and user submissions.

  • Signature updates are performed daily through the default cron.daily script.
  • You can check for updates manually via the Sentinel interface or the command line using the --update option.
  • RSS & XML data source is available for tracking malware threat updates.

Ignore Options

Sentinel gives you multiple options to minimize any false positives. Ignore specific paths, file extensions or whitelist bad signatures with just a few clicks.

  • Ignore specific paths from malware scanning.
  • Ignore specific file extensions from malware scanning.
  • Ignore specific signatures from triggering false positives.
  • Regular expression support for excluding certain files from scanning.

On-demand Scanning

Sentinel allow you scan a domains web folder with just a few clicks. The scan can automatically quarantine detected threats (if enabled) or allow you to quarantine, clean malware or email a report the the customer.

  • MD5 file hash detection for quick threat identification.
  • HEX based pattern matching for identifying threat variants.
  • Statistical analysis component for detection of obfuscated threats.
  • HTTP upload scanning through mod_security2 inspectFile hook.
  • Integrated detection of ClamAV to use as scanner engine for improved performance.
  • Scan-recent option to scan only files that have been added/changed in X days
  • Scan using regular expression options to include or exclude matching files.

Domain monitoring

Sentinel allows you to check the blacklist status of your domains using the Google Safe Browsing service.

  • Run a nightly, weekly, or monthly check on your domains and get notified by email when a domain gets blacklisted.
  • View the threat type and platform that is reported back by the Google Safe Browsing service.
  • View a full history of every check so you can see exactly when a domain was compromised.
  • Enable or disable notifications for administrators, resellers, or clients.