maldetect release 1.6.4

CHANGELOG

@@ -1,3 +1,72 @@
+v1.6.4 | Mar 18 2019:
+[New] add quarantine_on_error variable to control quarantine behavior when scanner engines such as ClamAV encounter an error
+[New] add support for slack alerts; pr #240 mostafahussein
+[New] add ability to disable cron via conf.maldet; issue #260 / pr #300 , #304 sporks5000
+[New] add cleaner rule for php.malware.magentocore_ccskim and an alias of as php_malware_hexinject for associated yara rule
+[Change] update cron.daily for ispmanager5; pr #305 yogsottot
+[Change] normalize variable naming of pr #300 , #304
+[Change] validate cron_daily_scan is set; otherwise default to 1
+[Change] update importconf for cron_daily_scan block
+[Change] don't need "find" if given a file list; pr# 303 sporks5000
+[Change] rename ambiguous internal variables related to user signatures
+[Change] removed clamscan_return code capture from piped logic of clam(d)scan execution; now always capture return code, even on good exits
+[Change] scan results now explicitly exclude any occurrences of files related to 'no reply from clamd' errors
+[Change] add backward compatibility for renamed internals.conf variables
+[Change] removed legacy $verbose tagging at the end of eout() calls
+[Change] modified cleaner rules to set their own PATH scoping
+[Change] file_stat() has been renamed get_filestat to match associated quar_get_filestat function naming
+[Change] get_file_stat() will now grab md5 hash of files to avoid superfluous md5sum calls
+[Change] added inotify elapsed run time to scan report output
+[Change] adjust '-e|--report' output for etime value and spacing
+[Change] force email_ignore_clean=1 to stop the most common email requested issue
+[Fix] hitname not logging to quarantine.hist on manual quarantine run against scanid; issue #319
+[Fix] typo in PR #300; missing '; then' on elif
+[Fix] set default_monitor_mode to resolve issue #311 systemd service passing $default_monitor_mode as a literal string to the service
+[Fix] sad mail/sendmail validation logic, fix issue #316
+[Fix] normalized scan start time output in scan reports when inotify monitoring is used
+[Fix] scan report list summary to always display an etime value, even if null
+[Fix] ad-hoc clean calls from clean_hitlist() was not executing sigignore and gensigs functions causing clean tasks to fail due to missing variables; issue #203
+[Fix] adjust semantics of comma and spaced variables being passed to '-co|--config-option'; pr #298 sporks5000
+[Fix] modified quarantine_hits to force disable if clamdscan explicitly encounters a 'no reply from clamd' fatal error
+[Fix] modified install.sh 'ps' execution to be BSD compliant
+[Fix] clean function was not properly stripping {CAV} and {YARA} prefixes from signature names when executing cleaner rules
+[Fix] clean function was not properly handling signature names with both underscores and periods
+[Fix] refactored clean_hitlist() & clean() functions to resolve pathing errors when cleaning previous session hits; issue #203
+[Fix] ignore_inotify file exist/empty file negative match; issue #330
+[Fix] operator issue cron.daily #331
+[Fix] install.sh $ver required major numbering; renamed to ver_major so that session preservation semantics continue to work
+
+v1.6.3 | Sep 01 2018:
+[Fix] ensure clamscan_max_filesize is always set; pr #296
+[Fix] remove escaping from inotifywait exclude regexp; pr #246 issue #205
+[Fix] always set a value for monitor mode systemd unit; pr #257
+[Fix] quar_get_filestat variable collisions during restore operations
+[Fix] quarantine files could be prematurely deleted, during 'cron.daily/maldet', on distributions where the 'mv' command
+      preserves origin file mtime; call 'touch' on quarantined files to set current mtime post-move to quarantine path; issue #294
+[Fix] update tlog inotify tracking file before trimming to prevent rescan loop; pr #292
+[Fix] revert pruning empty lines from signature files to 1.6.1 behavior
+[Fix] usage semantics of cd'ing to a wildcard path on newer versions of Bash were causing version updates to fail; we now explicitly
+      'cd' to maldetect-${upstreamver}
+[Fix] spelling corrections; pr# 269
+[Change] update	importconf text to reflect monitor mode	on systemd behavior
+[Change] on restore actions, reset restored files to original mtime value
+[Change] increase default remote_uri timeout from 10s to 30s
+[Change] increase default remote_uri tries from 3 to 4
+[Change] added base_domain variable to internals.conf
+[Change] cleanup .tgz/.md5 files on version updates mid-flight to prevent potential 'cd: too many arguments' errors
+[Change] trim inotify log from beginning instead of end	of file; pr #292
+[Change] user mode scanning no longer scans system temporary paths; issue #283
+[Change] improve regexp of scan start time values for '-e|--list' output
+[Change] added '--beta' flag to '-d|--update-ver' to support pulling down beta release of LMD
+[Change] stage v1.6.3 release; update version and date stamps
+[Kudos] Thank you to those that contributed pull requests and issues during this release cycle. PR contributions from:
+        sporks5000
+        jsoref
+        Joshua-Snapp
+        mkubenka
+        jkronza
+        AnnopAlias
+
 v1.6.2 | Jul 13 2017:
 [Fix] signature updates using get_remote_file() would incorrect write temporary update files into /; issue #242
 [Fix] added 'which curl' and 'which wget' for variable scoping of binary locations into internals.conf; issue #237
@@ -32,7 +101,7 @@ v1.6.1 | May 28 2017:
 
 v1.6 | Mar 17 2017:
 [New] added curated set of YARA webshell & malware signatures for use with ClamAV >= 0.99b
-[New] added cleaner rule 'VistorTracker.Mob'
+[New] added cleaner rule 'VisitorTracker.Mob'
 [New] added cleaner rule 'js.inject.fakejquery02'
 [New] added support for 'froxlor' to cron.daily execution
 [New] added support for 'vestacp' to cron.daily execution
@@ -58,7 +127,7 @@ v1.6 | Mar 17 2017:
 [Change] unified all clamav selection logic for data paths, running clamd processes, clam(d)scan CLI options etc...
          into a single function, clamselector(); this will make clam behavior more predictable across all functions
 [Change] added subdomains path for ISPConfig to cron.daily
-[Change] corrected variable naming semantics for import_*_(md5|hex)_url paramters
+[Change] corrected variable naming semantics for import_*_(md5|hex)_url parameters
 [Change] monitor mode now identifies inotifywait processes based on a string pattern unique to maldet
          to avoid conflicts with any other inotifywait processes
 [Change] added wget_proxy variable for us in sysconfig and conf.maldet options
@@ -127,7 +196,7 @@ v1.6 | Mar 17 2017:
 [Fix] suppress error output to cli for customer user signature files when they do not exist
 [Fix] uninstall.sh now cleans up signature files from clamav data paths
 [Fix] corrected invalid matching against clamdscan binary when clamd was running as non-root user
-[Fix] intofiywait on Ubuntu12 doesn't support the '-o' and '-d' option; modified to send stdout to logfile
+[Fix] inotifywait on Ubuntu12 doesn't support the '-o' and '-d' option; modified to send stdout to logfile
       for better compatibility
 [Fix] conditionally test for vz container and disable use of ionice which is not support in vz containers
 [Fix] '-k|--kill-monitor' would under certain circumstances leave zombie processes
@@ -183,7 +252,7 @@ v1.5 | Sep 19 2015:
 [New] added set of defined exit codes for errored exits(1), successful runs with hits(2), successful runs with no hits(0)
 [New] added uninstall.sh script to maldetect installation path
 [New] added md5 hash verification of signature and version update downloads
-[New] added scan_cpunice option to control CPU priorty value of all scan operations such as find, clamscan etc.. (default 19)
+[New] added scan_cpunice option to control CPU priority value of all scan operations such as find, clamscan etc.. (default 19)
 [New] added scan_ionice option to control IO priority value of all scan operations such as find, clamscan etc.. (default 6)
 [New] added autoupdate_signatures/autoupdate_version options to control daily cron based signature/version updates
 [New] added autoupdate_version_hashed option to control validating hash of maldet executable against upstream version
@@ -216,7 +285,7 @@ v1.5 | Sep 19 2015:
 [Change] reordered configuration file, expanded on variable descriptions, overall attempt to simplify/streamline conf.maldet
 [Change] installer symlinks LMD signatures into known/existing ClamAV paths to ensure signatures are loaded into memory by clamd
 [Change] installer issues SIGUSR2 to any running clamd processes to force reload of signature databases
-[Change] cron.daily signature updates issue SIGUSR2 to any running clamd processes to force reload of siganture databases
+[Change] cron.daily signature updates issue SIGUSR2 to any running clamd processes to force reload of signature databases
 [Change] cron.daily signature/version updates sleep random interval 1-999 secs before contacting upstream rfxn.com servers to reduce cdn load
 [Change] modified clamscan database path checks to support cPanel >=11.40 RPM clamAV connector RPM's
 [Change] modified location of statistical data files from tmpdir to sessdir making tmpdir a stateless path that can be purged at anytime
@@ -368,7 +437,7 @@ v1.4.0 | Apr 17th 2011:
 [Change] wget calls now use the --referer option to broadcast local LMD version
 [Fix] replaced stray references of absolute install path with the install path variable
 [New] stage2 (HEX) scanner now supports use of named pipe (FIFO) for passing file hex contents,
-      enabled by default, provides better performance with larger depth anlaysis of files
+      enabled by default, provides better performance with larger depth analysis of files
 [New] added hex_fifo_scan & hex_fifo_depth variables to conf.maldet for fifo hex scanning
 [Change] -c|--checkout now supports directory paths
 [Change] -r|--scan-recent and -a|--scan-all now supports single file scans
@@ -458,7 +527,7 @@ v1.3.4 | May 16th 2010:
 [Fix] cleaner function was not properly executing under certain conditions
 [Change] additional error checking/output added to the cleaner function
 [Change] default status output of scans changed for better performance
-[New] added ignore_intofiy for ignoring paths from the monitor service
+[New] added ignore_inotify for ignoring paths from the monitor service
 [Change] updated ignore section of README
 [Fix] backreference errors kicking from scan_stage1 function
 [New] -d|--update-ver option added to update installed version from rfxn.com
@@ -483,13 +552,13 @@ v1.3.3 | May 15th 2010:
 [New] added quar_susp_minuid option for suspend user minimum user id
 [Fix] inotify monitor now properly acts on MODIFY,MOVE_TO,MOVE_FROM states
 [Change] inotify monitor now can take a list of paths or file for path input
-[Change] inotify monitor now has no default use, must specifiy USER|FILE|PATHS
+[Change] inotify monitor now has no default use, must specify USER|FILE|PATHS
 [Change] revised short and long usage output for new options/usage changes
 [Change] inotify monitor now spawns only one process for all monitored paths
 [Change] inotify monitor sets max_user_instances to processors*2
 [Change] inotify monitor sets max_user_watches to inotify_base_watches*users
 [Change] migrated all inotify options from internals.conf to conf.maldet
-[New] added inotify_base_watches to conf.maldet for max file wathces multiplier
+[New] added inotify_base_watches to conf.maldet for max file watches multiplier
 [New] added inotify_nice to conf.maldet for run-time prio of inotifywait
 [New] added inotify_webdir to conf.maldet for html/web root only monitoring
 [Change] extensive format change to README

CHANGELOG.RELEASE

@@ -1,31 +1,38 @@
-v1.6.2 | Jul 13 2017:
-[Fix] signature updates using get_remote_file() would incorrect write temporary update files into /; issue #242
-[Fix] added 'which curl' and 'which wget' for variable scoping of binary locations into internals.conf; issue #237
-[New] added support to send email through 'sendmail' binary as alternative to 'mail'; pr #241 & issue #238
+v1.6.4 | Mar 18 2019:
+[New] add quarantine_on_error variable to control quarantine behavior when scanner engines such as ClamAV encounter an error
+[New] add support for slack alerts; pr #240 mostafahussein
+[New] add ability to disable cron via conf.maldet; issue #260 / pr #300 , #304 sporks5000
+[New] add cleaner rule for php.malware.magentocore_ccskim and an alias of as php_malware_hexinject for associated yara rule
+[Change] update cron.daily for ispmanager5; pr #305 yogsottot
+[Change] normalize variable naming of pr #300 , #304
+[Change] validate cron_daily_scan is set; otherwise default to 1
+[Change] update importconf for cron_daily_scan block
+[Change] don't need "find" if given a file list; pr# 303 sporks5000
+[Change] rename ambiguous internal variables related to user signatures
+[Change] removed clamscan_return code capture from piped logic of clam(d)scan execution; now always capture return code, even on good exits
+[Change] scan results now explicitly exclude any occurrences of files related to 'no reply from clamd' errors
+[Change] add backward compatibility for renamed internals.conf variables
+[Change] removed legacy $verbose tagging at the end of eout() calls
+[Change] modified cleaner rules to set their own PATH scoping
+[Change] file_stat() has been renamed get_filestat to match associated quar_get_filestat function naming
+[Change] get_file_stat() will now grab md5 hash of files to avoid superfluous md5sum calls
+[Change] added inotify elapsed run time to scan report output
+[Change] adjust '-e|--report' output for etime value and spacing
+[Change] force email_ignore_clean=1 to stop the most common email requested issue
+[Fix] hitname not logging to quarantine.hist on manual quarantine run against scanid; issue #319
+[Fix] typo in PR #300; missing '; then' on elif
+[Fix] set default_monitor_mode to resolve issue #311 systemd service passing $default_monitor_mode as a literal string to the service
+[Fix] sad mail/sendmail validation logic, fix issue #316
+[Fix] normalized scan start time output in scan reports when inotify monitoring is used
+[Fix] scan report list summary to always display an etime value, even if null
+[Fix] ad-hoc clean calls from clean_hitlist() was not executing sigignore and gensigs functions causing clean tasks to fail due to missing variables; issue #203
+[Fix] adjust semantics of comma and spaced variables being passed to '-co|--config-option'; pr #298 sporks5000
+[Fix] modified quarantine_hits to force disable if clamdscan explicitly encounters a 'no reply from clamd' fatal error
+[Fix] modified install.sh 'ps' execution to be BSD compliant
+[Fix] clean function was not properly stripping {CAV} and {YARA} prefixes from signature names when executing cleaner rules
+[Fix] clean function was not properly handling signature names with both underscores and periods
+[Fix] refactored clean_hitlist() & clean() functions to resolve pathing errors when cleaning previous session hits; issue #203
+[Fix] ignore_inotify file exist/empty file negative match; issue #330
+[Fix] operator issue cron.daily #331
+[Fix] install.sh $ver required major numbering; renamed to ver_major so that session preservation semantics continue to work
 
-v1.6.1 | May 28 2017:
-[New] added conf.maldet option cron_prune_days to configure cron.daily pruning max age of quar/sess/tmp data; issue #197
-[New] added curl support, as new default, into get_remote_file; wget support is preserved secondary to curl; issue #200
-[New] added --force option on -u|--update-sigs
-[New] added --force option on -d|--update-ver
-[New] added empty lines cleaner for runtime signatures and sorting of hdb for better performance; pr #223
-[Change] modified default prune interval of quarantine/sess/tmp data from older than 7d to 21d
-[Change] set email alerts to disabled when -z $mail / issue verbose warning on CLI; issue #220
-[Change] scan_export_filelist feature had no real need to be limited to just cron runs;
-         modified so when set, it will export find results for all '-r|--recent' scans
-[Change] updated help and README to reflect '--force' option on '-u|--update-sigs' and '-d|--update-ver'
-[Change] post-change to get_remote_file(); signature version file was truncating with tmp file for maldet-clean
-[Change] replaced all calls of wget with get_remote_file()
-[Change] refactored get_remote_file() to be more generic / not depend on wget
-[Change] increased default values for wget --timeout from 5 to 10 seconds
-[Change] replace egrep with posix 'grep -E'; direct invocation of egrep/fgrep is deprecated; pr #214
-[Fix] modified sourcing of conf files and order of precedence in mald…et.sh init script to properly
-      treat default_monitor_mode being defined in conf.maldet; issue #224
-[Fix] escape quotes within eval md5sum command as fix for issues #230 and #216
-[Fix] test condition for systemd was generating unary errors on older versions of bash; pr #36
-[Fix] systemd based systems were skipping addition of sysconfig entry; pr #36
-[Fix] install.sh find operation to prune old install backups was generating error when no previous installs existed
-[Fix] wgetopt was single quoted making the variables inside of it strings, set double quotes
-[Fix] potential out of memory issue while scanning a large set of files on native LMD scanner; pr #223
-[Fix] -f option issue with relative path message; pr #223
-[Fix] issue with checkout of relative file path for non root user; pr #223