  • Quarantine files

    Hello,

    Please see attachment.
    Is it possible to see/check somewhere on which account they tried to upload these files?

  • #2
    Are you using maldet or clamav to scan uploaded files? Are you scanning only files uploaded through HTTP, or FTP as well?

    I have made a custom rule in CWAF that does the same from before:
    SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" "log,auditlog,deny,id:99998,severity:2,phase:2,t:none"

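A minimal `@inspectFile` handler in the shape ModSecurity expects, added here as an illustration; it is not maldet's `hookscan.sh` and not code from this thread. The SecRule above hands the temporary upload path to the script as its only argument and reads the first line of stdout: a leading `1` lets the request continue, a leading `0` makes the rule's `deny` action fire, and the rest of the line is what lands in the audit log. The indicator list and the sample files are constructed for the demo; a real deployment would replace the `grep` with a call to the scanner (maldet, clamscan) and map its exit status onto the same verdict line.

```shell
#!/bin/sh
# Example @inspectFile handler (not maldet's hookscan.sh). ModSecurity runs it as
#   script <path-to-uploaded-temp-file>
# and reads the first line of stdout:
#   "1 <message>"  -> file is clean, request continues
#   "0 <message>"  -> file is rejected, the rule's deny action fires
# The text after the digit is what ends up in the audit log.

# Constructed indicator list standing in for a real scanner's signatures.
# A production script would run the scanner here and translate its exit
# status (clamscan: 0 clean, 1 infected, 2 error) into the verdict line.
SIGNATURE_PATTERNS='eval(base64_decode(
passthru($_
shell_exec($_'

# Print the ModSecurity verdict line for one file.
inspect_file() {
    file=$1
    if [ ! -r "$file" ]; then
        # Fail closed: an upload we cannot read is rejected, not waved through.
        printf '0 inspect: cannot read %s\n' "$file"
        return 0
    fi
    # -F literal patterns, -f - patterns from stdin, -o print the matched text,
    # -m1 stop at the first matching line; head keeps one match per file.
    hit=$(printf '%s\n' "$SIGNATURE_PATTERNS" | grep -F -o -m1 -f - "$file" 2>/dev/null | head -n 1)
    if [ -n "$hit" ]; then
        printf '0 inspect: indicator "%s" found in upload\n' "$hit"
    else
        printf '1 inspect: clean\n'
    fi
}

# First character of the verdict, i.e. the only thing ModSecurity branches on.
verdict() {
    inspect_file "$1" | cut -c1
}

# Write a constructed sample file and print its path (used by the demo below).
make_sample() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# With an argument, behave like the real hook; without one, run a small demo.
if [ "$#" -gt 0 ]; then
    inspect_file "$1"
else
    clean=$(make_sample 'plain text upload')
    flagged=$(make_sample 'x = eval(base64_decode( ... ))')
    inspect_file "$clean"      # prints: 1 inspect: clean
    inspect_file "$flagged"    # prints: 0 inspect: indicator "eval(base64_decode(" found in upload
    rm -f "$clean" "$flagged"
fi
```

Because the rule's `t:none` leaves the upload untouched, the script sees the raw bytes exactly as ModSecurity stored them in the temp file; keeping the "cannot read" branch on the deny side matters, since a scanner that silently allows what it could not open turns a permissions problem into a bypass.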


    • #3
      Hello.
      Currently, you cannot determine which user these files belong to. It's because Apache is always running as user nobody in your configuration.

      We are working on this issue to find a way to make it possible.



      • #4
        I also have a question about your malware scanning.

        I currently have CXS installed on the system and use their cxswatch daemon to scan files.

        When malware scanning was added to Imunify I disabled cxswatch, but noticed that CXS FTP scanning was automatically turned on.

        Today I noticed a spike in server load while a customer was uploading a bunch of files over FTP and saw that both CXS and maldet (which I assume you are using) were scanning the files.

        I've disabled CXS FTP scanning, which also appears to have disabled maldet scanning as well.

        Is there a way to select one or the other, or disable what you are doing and continue using the cxswatch daemon?



        • #5
          > I've disabled CXS FTP scanning, which also appears to have disabled maldet scanning as well.
          >
          > Is there a way to select one or the other, or disable what you are doing and continue using the cxswatch daemon?

          Probably for some reason CXS disabled our pure-ftpd scans. You can enable it back by running the `imunify360-agent malware pure-scan enable` command.



          • #6
            Are you able to extend the documentation to list such commands to enable and disable certain features?

            I'm finding it difficult to test Imunify360 as whenever you launch new features, it often conflicts with existing applications on the server (i.e. existing ModSecurity rules, existing malware scanners, etc.).

            Providing more documentation and a list of commands to enable/disable such features will help us to continue testing and troubleshoot issues.



            • #7
              Yes, we have plans to extend the ability to enable/disable features which can potentially conflict with third-party software. And we will extend the documentation with these commands/actions.
