Improve malware scanner by submitting quarantined files.
  • Improve malware scanner by submitting quarantined files.

    Is it possible to submit quarantined files found in other scanners to improve I360? I've found several of my sites getting infected with malware. I scan with I360 and cPanel's AV. Many times I360 will not catch what cPanel does, and there is another tool I use that always catches malware that is missed by both cPanel and I360. I'd really like this product to work better.

  • #2
    Sean, thank you for helping us make Imunify360 better.

    The syntax (as of Imunify360 ver 2.6) for submitting a false negative is:
    imunify360-agent malware submit -t fn FILENAME

    P.S. Is the other tool you are using to find malware publicly available?

    • #3
      GOTMLS.NET

      • #4
        Sean, thank you for the link. We'll look into this tool.

        • #5
          What about submitting files? I've also been running Wordfence, which has found issues that have gotten past I360. Details: This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "de($x)));@$b374k("rP2HruxcliaIvUpOojGVJZaa3k0biQwygt77gZCg 995TNe8u/plV3dVGM4Ag3IsbQW7Dvfda6zPnnhPnP/4/pmr6079b/3rky5/+05/+jPx76s//4Y/rrd66/I87CUpi7Z/+/O//3udvbd1Y1sPbo/+jA0pA0J/+b39CsPcf8m/NWZ7s5dt...". The infection type is: A backdoor known as 18aaaa. "$wpautop = pre_term_name( $wp_kses_data, $wp_nonce );x0dx0ax0dx0aif( isset( $wpautop ) ){x0dx0ax09if( isset($_POST[f_wp]) ) @setcookie( f_wp, $_POST[f_wp] );x0dx0ax09$shortcode_unautop = create_function( , $wpaut...". The infection type is: A backdoor known as WSO-LOL. "!function_exists(CjKiIRl2l("cm9/a3dmc29sbnB4fg==")))x0a{x0ax0a$qCdH0g4gLghR=J5OPov ewehB;x0ax0a$cgkfN1cC7X4V=y6Rym9B;x0ax09x09x09x09$ LGWXj=lKwbsOBq;x0a$XgkX5goL0jui=53617;x0ax09x09x09 x09x09x09function getallheaders()x0a{x0ax09x09x09x09$GE67OM1...". The infection type is: A backdoor known as cSR.

          • #6
            The syntax for all files that are considered to be harmful (but not detected by Imunify360) is essentially the same:
            imunify360-agent malware submit -t fn FILENAME

            • #7
              Is it conceivable to submit isolated documents found in different scanners to enhance I360? I've discovered a few of my locales getting tainted with malware. I check with I360 and cPanel's AV. Ordinarily, I360 won't get what cPanel does and there is another instrument I utilize that dependably gets malware that is missed by both cPanel and I360. I'd extremely like this item to work better. https://www.linksysroutersupportnumb...uter-password/Reset Linksys router provide 24 hrs services.

              • #8
                Hello,

                Sure, please submit such files via the imunify360-agent tool. For example, if you have such a file in /root/samples under the name infected.php, you can simply execute:

                Code:
                imunify360-agent submit false-negative /root/samples/infected.php
                This will help us to add detection faster. Thank you.

                • #9
                  I would like the ability to submit files for analysis from the Plesk file manager. I often find files missed by IM360 by visually scanning, and there is no way to submit them.

                  thx

                  • #10
                    Hello,

                    Please open a support ticket with us to request this new functionality. We'll be happy to assist.

                    • #11
                      I would also like to see the ability to submit files via Plesk instead of having to log into the console, which is time consuming. Thx!

                      • #12
                        Hello Glenn! Could you open a support ticket please (https://cloudlinux.zendesk.com/hc/en-us/requests/new) so we can take a closer look at your system? You can post the ticket number here and we'll link this thread to it. Thank you.

                        • #13
                          Hello,

                          Sorry to revive the old thread. Has the syntax changed for this feature? The documentation still has the following syntax:

                          Code:
                          imunify360-agent submit false-negative <file>
                          However this returns an error:

                          Code:
                          usage: imunify360-agent submit false-positive [-h] --reason REASON --scanner
                                                                        {clamav,ai-bolit} [--json]
                                                                        [--verbose]
                                                                        filename
                          I can submit with the new syntax, but submissions are limited to clamav and ai-bolit. Imunify has its own scanning engine, correct? How can I submit a false positive for review?

                          Specifically, I want to submit this script. It's a stupid script, but I don't think the intent is malicious. Probably some old shared hosting provider populated customer websites with this script. We see it frequently with migrated websites. I have submitted it many times using both the clamav and ai-bolit scanner options, but Imunify's scanner still flags it:

                          Code:
                          <!-- PHP Wrapper - 500 Server Error -->
                          <html><head><title>500 Server Error</title></head>
                          <body bgcolor=white>
                          <h1>500 Server Error</h1>
                          A misconfiguration on the server caused a hiccup.
                          Check the server logs, fix the problem, then try again.
                          <hr>
                          <?
                          echo "URL: http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]<br>
                          ";
                          $fixer = "checksuexec ".escapeshellarg($_SERVER[DOCUMENT_ROOT].$_SERVER[REQUEST_URI]);
                          echo `$fixer`;
                          ?>
                          </body></html>

                          • #14
                            Hello John! If you entered a file name without a full path, then note that this command definitely needs the full path to the file:

                            Code:
                            imunify360-agent submit false-negative /path/to/file
                            Try to enter this path. Please let us know if you have any questions. Thanks in advance!

                            • #15
                              Hello,

                              Sorry if I wasn't clear. I am providing a full path.

                              The issue is that the command now seems to require 2 undocumented arguments, "--reason" and "--scanner".

                              The "--scanner" flag only accepts "clamav" or "ai-bolit", but it's not clear to me which scanner is flagging the file. Are files still submitted to the CloudLinux team for review?

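The two submission syntaxes quoted in this thread, wrapped in a small POSIX sh script as an added example (not CloudLinux's own code): it resolves the full path the agent requires (post #14), loops over files another scanner quarantined (#1, #5) using the false-negative form from #8, and checks the mandatory --reason and the clamav/ai-bolit-only --scanner values from the usage text in #13 before calling the newer false-positive form. IMUNIFY_AGENT is an assumed override variable of this wrapper, not an agent option, so the script can be dry-run with IMUNIFY_AGENT=echo.

```sh
# IMUNIFY_AGENT is an assumed override (not an agent option) so the wrapper
# can be dry-run as IMUNIFY_AGENT=echo; it defaults to the real binary.

# Print the absolute path of an existing regular file, or nothing.
# The agent wants a full path (post #14), so relative names are resolved here.
abs_path() {
    [ -f "$1" ] || return 1
    if command -v realpath >/dev/null 2>&1; then
        realpath "$1"
    else
        d=$(cd "$(dirname "$1")" && pwd -P) || return 1
        printf '%s/%s\n' "$d" "$(basename "$1")"
    fi
}

# submit_false_negatives FILE...  submits files another scanner quarantined but
# Imunify360 missed, using the syntax from post #8; returns 1 if any was skipped.
submit_false_negatives() {
    rc=0
    for f in "$@"; do
        p=$(abs_path "$f" || :)
        if [ -z "$p" ]; then
            echo "skip: $f is not an existing regular file" >&2
            rc=1
            continue
        fi
        if "${IMUNIFY_AGENT:-imunify360-agent}" submit false-negative "$p"; then
            echo "submitted false negative: $p" >&2
        else
            echo "agent rejected: $p" >&2
            rc=1
        fi
    done
    return "$rc"
}

# submit_false_positive SCANNER REASON FILE
# The newer syntax from the usage text in post #13: --reason is mandatory and
# --scanner accepts only clamav or ai-bolit, so both are checked before calling.
submit_false_positive() {
    case "$1" in
        clamav|ai-bolit) ;;
        *) echo "scanner must be clamav or ai-bolit, got: $1" >&2; return 2 ;;
    esac
    [ -n "$2" ] || { echo "a non-empty --reason is required" >&2; return 2; }
    p=$(abs_path "$3" || :)
    [ -n "$p" ] || { echo "skip: $3 is not an existing regular file" >&2; return 1; }
    "${IMUNIFY_AGENT:-imunify360-agent}" submit false-positive --reason "$2" --scanner "$1" "$p"
}
```

Both functions send the agent's own output to stdout and the wrapper's progress messages to stderr, so a batch run can be logged separately from what the agent returns.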