ModSecurity Rules & Free Malware Signatures

jwillberg

Verified User
Joined
Sep 12, 2016
Messages
24
ModSecurity Rules


Malware Expert sells commercial ModSecurity rules and gives special tips on protecting against malware attacks and analysing them on Linux releases, designed around the threats faced in shared hosting environments.

Try Free Now

Malware Expert Signatures

ClamAV signatures from Malware Expert help improve the detection rate on malware in PHP files. Our signatures are generated from real-life PHP malware from real live web hosting servers.

For Free Now
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Hello,

I wonder for how long are you going to provide Clamav Signatures from malware expert for free? Is it a seasonal promotion?
 

jwillberg

Verified User
Joined
Sep 12, 2016
Messages
24
Hello,

I wonder for how long are you going to provide Clamav Signatures from malware expert for free? Is it a seasonal promotion?
The plan is to always keep them free in future and make sales from the ModSecurity rules.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Tried your signatures, and they seem to work fine. One customer of mine though had an issue with them when he started to scan for malware from / (root partition); since then I install the following exceptions in /usr/local/maldetect/ignore_paths:

Code:
/bin/boot
/cgroup
/dev
/dfs
/etc
/lib
/lib64
/lost+found
/media
/mnt
/opt
/proc
/root
/sbin
/selinux
/srv
/sys
/tmp
/usr/backup
/usr/bin
/usr/etc
/usr/games
/usr/include
/usr/lib
/usr/lib64
/usr/libexec
/usr/local
/usr/local/bin
/usr/local/directadmin
/usr/local/maldetect
/usr/local/sbin
/usr/local/sbin/maldet
/usr/local/share/clamav
/usr/lost+found
/usr/sbin
/usr/share
/usr/src
/usr/ssl
/var/cache
/var/cvs
/var/db
/var/empty
/var/games
/var/lib
/var/lib/mysql
/var/local
/var/lock
/var/log
/var/logs
/var/lost+found
/var/named
/var/nginx
/var/nis
/var/opt
/var/preserve
/var/run
/var/spool
/var/yp
Some legitimate binaries were moved to quarantine as they were marked as malware. Unfortunately I don't have more details in my records on exactly which binaries were removed and which signatures matched.
 
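To make the scan-scope point above concrete, here is an added POSIX sh example; it is not code from this thread, from maldet or from Malware Expert. It assumes (an assumption to verify against your maldet version, not something the post states) that each line of ignore_paths is a directory prefix and that everything at or beneath it is skipped. The ignore list it embeds is a constructed subset of zEitEr's list, and the mini filesystem it builds is a constructed fixture that stands in for "/" so the script can be run without touching a real server.

```shell
#!/bin/sh
# Added example: check paths against a maldet-style ignore_paths list and show
# what a full scan from "/" would still feed to the signatures.
# ASSUMPTION: each ignore_paths line is a directory prefix and everything
# beneath it is skipped (verify against your maldet version).

# Constructed subset of the ignore list from the post above.
IGNORE_LIST='/proc
/sys
/usr/bin
/usr/local/maldetect
/var/lib/mysql'

# is_ignored PATH
# Returns 0 if PATH is covered by an ignore prefix, 1 if it would be scanned.
# Matching respects path components: /usr/bin covers /usr/bin/ls but not
# /usr/binary. A here-document is used instead of a pipe so that "return"
# works from inside the loop in any POSIX shell.
is_ignored() {
  p=$1
  while IFS= read -r prefix; do
    [ -z "$prefix" ] && continue
    case "$p" in
      "$prefix"|"$prefix"/*) return 0 ;;
    esac
  done <<EOF
$IGNORE_LIST
EOF
  return 1
}

# list_scan_targets ROOT
# Walks ROOT as if it were "/" (so a fixture directory can stand in for the
# real filesystem) and prints every regular file that is NOT ignored.
list_scan_targets() {
  root=${1%/}
  find "$root" -type f | while IFS= read -r f; do
    rel=${f#"$root"}
    is_ignored "$rel" || printf '%s\n' "$rel"
  done
}

# demo: build a constructed mini filesystem and show what survives the filter.
# Only the web content under /home should be printed.
demo() {
  fixture=$(mktemp -d) || return 1
  mkdir -p "$fixture/usr/bin" "$fixture/proc/1" \
           "$fixture/var/lib/mysql/db" "$fixture/home/u/public_html"
  : > "$fixture/usr/bin/ls"                   # legitimate binary: skipped
  : > "$fixture/proc/1/maps"                  # kernel pseudo-file: skipped
  : > "$fixture/var/lib/mysql/db/t.ibd"       # database table: skipped
  : > "$fixture/home/u/public_html/index.php" # web content: scanned
  list_scan_targets "$fixture"
  rm -rf "$fixture"
}

demo
```

Running it prints only /home/u/public_html/index.php. The same filter can be used as a dry-run before a full scan: feed it the real ignore_paths and the paths you expect to be scanned, and anything it reports as not ignored is what the signatures will see.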

jwillberg

Verified User
Joined
Sep 12, 2016
Messages
24
Malware Expert signatures are developed to catch PHP malware, so we haven't tested our signatures against binaries. Also, I think Maldet is not tested against Linux binaries, which can cause false alarms and quarantine them.

So Maldet's ignore_paths is a good choice if you do a full scan of the server's files.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Your bases are good. And I do understand that you haven't tested your signatures against binaries. That's OK, no offense. I just think I need to notify other users that they should not scan anything outside of /home/ and /var/www/.

Two days ago I recovered MySQL tables for one of my clients from the quarantine of Maldet+ClamAV+Malware.Expert; for some reason they did a full scan starting from the / (root) partition. But it was not the Malware.Expert signatures which caught the "malware":

Code:
{HEX}gzbase64.inject.unclassed
{YARA}r57shell_php_php
 