Atomic Endpoint Anti-asl Configuration

Introduction

AED has built in kernel level real time malware protection as well as upload malware protection, and on demand malware scanning.


Configuring Atomic Secured Anti-asl

Please see the AED Post-Installation article for information on how to access the following settings.

CLAMAV_ENABLED

  • Enable or Disable the ClamAV malware detection engine for the system.

CLAMAV_ENABLE_REALTIME

  • Enable or Disable the ClamAV kernel module. Note this requires the AED kernel, and the official Atomicorp build of clamav.

CLAMAV_PREVENTIONACCESS

  • Enable or Disable blocking malware in the file system.

Note

This requires the AED kernel, and the official Atomicorp build of clamav.

TCP Server Address

  • Set the IP address for clamd to listen on. Default: localhost

CLAMAV_LocalSocket

  • Path to a local socket file the daemon will listen on.

CLAMAV_TemporaryDirectory

  • Optional path to the global temporary directory.

CLAMAV_DatabaseDirectory

  • Path to the database directory.

CLAMAV_SelfCheck

  • Perform a database check. Default: 600 seconds (10 minutes)

CLAMAV_LogFile

  • Full path to the clamd log file. Default: /var/log/clamav/clamd.log

CLAMAV_LogFileMaxSize

  • Maximum size of the log file. Value of 0 disables the limit.

CLAMAV_LogTime

  • Log time with each message.

CLAMAV_DetectPUA

  • This detects potentially unwanted applications, like packed javascript. These fails may not be malicious, and this signature type is disabled by default for this reason. If you are finding files with signature names like this:

    PUA.Script.Packed-1 FOUND
    

That means you have enabled this option. If you do not want ClamAV to find files like this you must either:

  1. Disable this option
  2. Specifically whitelist the signatures you no longer with ClamAV to detect. Please see the ‘Disabling Signatures’ section below.

Scan Safebrowing

Note

This will increase memory usage in clamd significantly. Not enabling this will prevent AED from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this.

  • This will increase memory usage in clamd significantly. Not enabling this will prevent AED from detecting malicious URLs. If your system has sufficient memory, we recommend you enable this. Default: no

  • Below is a simple test you can run to see if an URL is on the google safebrowsing list:

    URL=<URL on blocklist>; echo -e "From test\n\n<a href=http://$URL>test</a>" | clamdscan -
    

    And provided your signatures are up to date, if the URL Is on the list you’ll see output like the following:

    stream: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND
    

CLAMAV_ScanELF

  • Executable and Linking Format is a standard format for UNIX executables.

CLAMAV_DetectBrokenExecutables

  • With this option clamav will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.

CLAMAV_ScanOLE2

  • This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.

CLAMAV_ScanPDF

  • This option enables scanning within PDF files.

CLAMAV_ScanMail

Note

This requires a third party extension to your mail server to send email to the malware scanning system. This does not install or enable this extension. Please contact your mail vendor or support for assistance.

  • Enable internal e-mail scanner.

CLAMAV_CDB_SIGNATURES

  • With this option enabled ClamAV will try to detect malicious extensions using signatures.

CLAMAV_PhishingSignatures

  • With this option enabled ClamAV will try to detect phishing attempts by using signatures.

CLAMAV_PhishingAlwaysBlockSSLMismatch

  • Always block SSL mismatches in URLs, even if the URL isn’t in the database. This can lead to false positives.

CLAMAV_PhishingAlwaysBlockCloak

  • Always block cloaked URLs, even if URL isn’t in database. This can lead to false positives.

Data Loss Prevention (DLP) Module

Note

This will search files for structured data formats, like SSN and Credit Card numbers. Please see the options below and configure them as appropriate for your system.

  • Minimum credit card count - This option sets the lowest number of numbers, that appear to be Credit Card numbers, found in a file. Default: 3

  • Minimum SSN count - This option sets the lowest number of Social Security Numbers found in a file to generate a detect. Default: 3

  • Structured SSN format - With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxx-yy-zzzz. Default: yes

  • Structured SSN format stripped - With this option enabled the DLP module will search for strings that appear to be Social Security Numbers, the format searched for is : xxxyyzzzz. Default: no

Scan: HTML

  • Perform HTML normalisation and decryption of MS Script Encoder code.

Scan: Archive

  • ClamAV can scan within archives and compressed file.

Scan: Archive Encrypted

  • Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

Real Time Malware Protection

The basic behavior when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and via the AED gui.

Atomic Endpoint Defender VI:

  • Information coming soon!

Atomic Endpoint Defender V:

Enable: To enable this feature follow the steps below

Step 1: You will need a modern kernel to do real time malware protection. On EL5 or EL6 you can use the current AED kernel or, if you are using a system with a modern kernel, such as EL7, you can use either the native kernel or the AED secure kernel. Very old versions of the Linux kernel, such as 2.6.32, do not have any support for real time malware protection built in, and therefore can not support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.

If you are using either the current AED kernel, or a modern 3.x kernel please follow the steps below:

Step 2: Log into the AED Web Console

Step 3: Click on the ‘Scan’ tab

Step 4: Click on ‘Malware Scan’

Step 5: Click on ‘Realtime’

Step 6: Make sure ‘Realtime Malware Detection’ is checked

Step 7: Please continue to the configuration steps below. Enabling the protection will NOT tell AED what to protect, so the component must be configured.

Configuration:

Step 1: Ensure that your AED kernel is 3.2.52 or above.

Step 2: Click on the ‘Scan’ tab, then select the ‘Malware Scan’ menu option.

Step 3: Open the ‘Realtime’ tab.

Step 4: If not already enabled, select the checkbox next to “Realtime Malware detection”.

Step 5: Select the directories you want to be scanned in realtime

Add the directories you want to protect. For example:

/home

AED will then ask for any directories in /home you do not want to protect, for example /home/cpanel.

/var/www/vhosts
/tmp
/var/tmp
/home

DO NOT INCLUDE DIRECTORIES THAT CONTAIN LOGS, DEVICES, or MALWARE SIGNATURES such as these:

/var/clamav
/var/lib/clamav
/etc/httpd/modsecurity.d/
/dev
/var/log
/home/user/apache/log

We also recommend for source built systems that you exclude build directories such as these:

/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpanan

Your should also never include system partition’s or directories, such as:

/home/virtfs
/proc
/selinux
/sys
/dev

Step 6: Configure the Upload Malware Scanner

  • AED includes upload malware scanners. The HTTP malware scanner works by temporarily saving the file to a temporary directory, and then calling clamd to scan the file. If the file passes the scan, it removes the file, and continues pushing it to the web application. If the realtime antimalware system is configured to protect this directory, the systems load will go up significantly because the system will go through several loops of scanning the same file over and over again. This may also break the upload scanner.

Therefore, if you are using the real time malware scanner, and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.

Option 1: Change the temporary directory modsecurity uses. Modify this setting under the AED WAF MODSEC_TMPDIR

Option 2: Exclude the temporary directory modsecurity uses. By default, this is /tmp.

Option 3: Disable the upload malware scanner. If the realtime antimalware system is protected the directories apache can upload files to, then the upload malware scans may not be necessary. Modify this setting in the AED WAF MODSEC_99_SCANNER.

Step 7: Click Update to apply the new settings

  • Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

Note

It is not recommended you enable malware scanning for the default excluded users.

Atomic Endpoint Defender IV:

Enable: To enable this feature follow the steps below

Step 1: You will need a modern kernel to do real time malware protection. On EL5 or EL6 you can use the current AED kernel or, if you are using a system with a modern kernel, such as EL7, you can use either the native kernel or the AED secure kernel. Very old versions of the Linux kernel, such as 2.6.32, do not have any support for real time malware protection built in, and therefore can not support it. If you are using a product that forces you to use 2.6.32, we recommend you contact the vendor and urge them to upgrade to a modern kernel.

If you are using either the current AED kernel, or a modern 3.x kernel please follow the steps below:

Step 2: Log into the AED Web Console

Step 3: Click on the ‘Scan’ tab

Step 4: Click on ‘Malware Scan’

Step 5: Click on ‘Realtime’

Step 6: Make sure ‘Realtime Malware Detection’ is checked

Step 7: Please continue to the configuration steps below. Enabling the protection will NOT tell AED what to protect, so the component must be configured.

Configuration:

Step 1: Ensure that your AED kernel is 3.2.52 or above.

Step 2: Click on the ‘Scan’ tab, then select the ‘Malware Scan’ menu option.

Step 3: Open the ‘Realtime’ tab.

Step 4: If not already enabled, select the checkbox next to “Realtime Malware detection”.

Step 5: Select the directories you want to be scanned in realtime

Add the directories you want to protect. For example:

/home

AED will then ask for any directories in /home you do not want to protect, for example /home/cpanel.

/var/www/vhosts
/tmp
/var/tmp
/home

DO NOT INCLUDE DIRECTORIES THAT CONTAIN LOGS, DEVICES, or MALWARE SIGNATURES such as these:

/home/user/apache/log
/var/log

We also recommend for source built systems that you exclude build directories such as these:

/home/cpeasyapache
/home/.cpan
/home/.cpanm
/home/.cpanan

Your should also never include system partition’s or directories, such as:

/home/virtfs
/proc
/selinux
/sys
/dev

Step 6: Configure the Upload Malware Scanner

  • AED includes upload malware scanners. The HTTP malware scanner works by temporarily saving the file to a temporary directory, and then calling clamd to scan the file. If the file passes the scan, it removes the file, and continues pushing it to the web application. If the realtime antimalware system is configured to protect this directory, the systems load will go up significantly because the system will go through several loops of scanning the same file over and over again. This may also break the upload scanner.

Therefore, if you are using the real time malware scanner, and the upload scanner for HTTP, you will need to make sure that the real time malware scanner is not configured to protect the temporary directory that modsecurity is configured to use.

Option 1: Change the temporary directory modsecurity uses. Modify this setting under the AED WAF MODSEC_TMPDIR

Option 2: Exclude the temporary directory modsecurity uses. By default, this is /tmp.

Option 3: Disable the upload malware scanner. If the realtime antimalware system is protected the directories apache can upload files to, then the upload malware scans may not be necessary. Modify this setting in the AED WAF MODSEC_99_SCANNER.

Step 7: Click Update to apply the new settings

  • Users can also be excluded from malware protection. By default, the root, mysql and tortix users are excluded.

Note

It is not recommended you enable malware scanning for the default excluded users.


Rebooting the System

If you are not already using the AED Kernel, you will need to reboot the system into the AED Kernel by running the following command:

reboot

If you are using the AED Kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.


Testing Your Protection

If you want to test to see if the realtime malware system is working, once you have it configured and are running an appropriate kernel, such as the AED kernel that supports real time malware scanning, you can use the EICAR test file which you can download from the officer EICAR site

Once you have downloaded an EICAR test file, simply place it in a directory you have configured to be protected. If you have configured the system to allow copying of files, but not opening of files, simple try to view the contents of the file, within the protected directory, with a command like the one below:

cat eicar.com.txt

If permission is denied, then you have successfully configured and enabled real time malware protection for your system.


Detecting False Positives

If you detect a false positive with any clamav signatures, you can exclude the signature by adding its name to this file:

/var/clamav/local.ign

For Example, if your system reported this file and this signature:

Fri Jan 4 00:05:52 2013 -> Clamuko: /some/file.php: Some.Signature.Name FOUND

You would add “Some Signature Name” to the local.ign file. If the signature has an UNOFFICAL at the end of the end, do NOT add UNOFFICAL to the signature name. For example:

somesignature.UNOFFCIAL

In the case above, you would only add “somesignature” to the local.ign* file, and **NOT “somesignature.UNOFFICAL”