Atomic Secure Linux


All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 37 posts ]  Go to page Previous  1, 2, 3
 Post subject: Re: Virus Detected Alerts
Posted: Tue Oct 18, 2011 8:16 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7943
Location: earth
That's correct, the AV events were not tracked in 2.x. They still happened, it just didn't tell you about it.


 
 Post subject: Re: Virus Detected Alerts
Posted: Tue Oct 18, 2011 8:59 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
Quote:
It is a shame osssec can't differentiate between a virus found in an email (common, harmless, dealt with, don't want to know about it) and a virus uploaded via FTP (might be an indication of compromised ftp credentials - need to know about it - level 14 at least!)


Actually it does that now. You will only get (and see) virus alerts for non-email related viruses, which means it does differentiate between a virus found in an email (common, harmless, dealt with, don't want to know about it) and a virus uploaded via FTP.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: Virus Detected Alerts
Posted: Wed Oct 19, 2011 1:49 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
"Now" as in "as of latest rules", I take it? There's no way my previous alerts were uploads.

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 
 Post subject: Re: Virus Detected Alerts
Posted: Wed Oct 19, 2011 4:43 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
As of the 17th, when I posted this: :-)

Quote:
I just added in two new rules, 590000 and 590001 that makes qmail-scanner and clapf virus alerts level 0. So out of the box if qmail generates a message like this:

Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/qscan/tmp/eicar.com: Eicar-Test-Signature FOUND

Or clapf generates a message like this:

Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/clapf/tmp/eicar.com: Eicar-Test-Signature FOUND

You will never see that in the GUI, or in an email alert. But if clamd catches a virus somewhere else, you will see that alert.

If you want to get the alerts for email, just change the alert level on rule 590000 or 590001 depending on which one you use.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


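The triage the post above describes, as an added example in Python (this is not Atomicorp's rule set or OSSEC's code): clamd "FOUND" lines are parsed and mapped to a rule by the scanned path, so a hit under the qmail-scanner or clapf spool gets level 0 and is never surfaced, while a hit anywhere else is alerted on. Rule IDs 590000 and 590001, the two spool paths, and the first two log lines are from the post; the FTP rule (100101, level 14, matching /home/), the catch-all (100100, level 8), the host name and the remaining sample lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines. The first two are the qmail-scanner and
# clapf examples quoted in the post; the other three are made up for this
# example (the paths and filenames are not from a real system).
SAMPLE_LOG = """\
Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/qscan/tmp/eicar.com: Eicar-Test-Signature FOUND
Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/clapf/tmp/eicar.com: Eicar-Test-Signature FOUND
Oct 17 13:40:02 asl-modsec-test clamd[3841]: /var/www/vhosts/example.com/httpdocs/uploads/eicar.com: Eicar-Test-Signature FOUND
Oct 17 13:41:10 asl-modsec-test clamd[3841]: /home/ftpuser/incoming/eicar.com: Eicar-Test-Signature FOUND
Oct 17 13:41:11 asl-modsec-test clamd[3841]: SelfCheck: Database status OK.
"""

# clamd "FOUND" line: timestamp, host, pid, scanned path, signature name.
# Paths containing whitespace are not handled (\S+); that is fine for the mail
# scanners' spool files but worth knowing for web upload directories.
CLAMD_FOUND = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) clamd\[\d+\]: "
    r"(?P<path>/\S+?): (?P<sig>\S+) FOUND$"
)

@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int           # OSSEC alert level; 0 means the event is ignored
    description: str
    prefixes: tuple      # path prefixes the rule matches; () matches any path

# Ordered: the first rule whose prefix matches the scanned path wins, so the
# specific rules sit before the catch-all. 590000/590001 and their paths are
# from the post; 100100/100101 and their levels are assumptions for this
# example (100000-119999 is the OSSEC range reserved for local rules).
RULES = (
    Rule(590000, 0, "qmail-scanner virus (mail, already quarantined)", ("/var/spool/qscan/",)),
    Rule(590001, 0, "clapf virus (mail, already quarantined)", ("/var/spool/clapf/",)),
    Rule(100101, 14, "virus in an FTP home directory (possible stolen credentials)", ("/home/",)),
    Rule(100100, 8, "clamd found a virus outside the mail scanners", ()),
)

def classify(line: str, rules=RULES) -> Optional[dict]:
    """Map one clamd log line to the rule that fires, or None if it is not a FOUND line."""
    m = CLAMD_FOUND.match(line)
    if not m:
        return None
    path = m.group("path")
    for rule in rules:
        if not rule.prefixes or path.startswith(rule.prefixes):
            return {"rule_id": rule.rule_id, "level": rule.level, "path": path,
                    "signature": m.group("sig"), "host": m.group("host")}
    return None  # unreachable while a catch-all rule is present

def alerts(log_text: str, rules=RULES, min_level: int = 1) -> list:
    """Return the alerts that would reach the GUI or email: level >= min_level."""
    return [a for a in (classify(l, rules) for l in log_text.splitlines())
            if a is not None and a["level"] >= min_level]

def with_level(rules, rule_id: int, level: int) -> tuple:
    """Copy of rules with one rule's level changed, as editing it in local rules would do."""
    return tuple(Rule(r.rule_id, level, r.description, r.prefixes) if r.rule_id == rule_id else r
                 for r in rules)

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"rule {a['rule_id']} level {a['level']}: {a['signature']} in {a['path']}")
    # Turn the qmail-scanner alerts back on at level 8, the level Matt saw before the change.
    print(len(alerts(SAMPLE_LOG, with_level(RULES, 590000, 8))), "alerts with 590000 at level 8")
```

Level 0 in OSSEC means the event is ignored outright, not merely kept out of email, so the two spool hits above produce nothing at all; the web and FTP hits are the only ones returned. Raising 590000 back to 8 with `with_level` brings the qmail-scanner hit back, which is the "just change the alert level" step from the post. The classification is purely by path prefix, so it only separates mail from non-mail correctly if the mail scanners are the only writers under those spool directories.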
 
 Post subject: Re: Virus Detected Alerts
Posted: Wed Oct 19, 2011 7:30 pm
Forum Regular

Joined: Mon Mar 10, 2008 9:12 pm
Posts: 508
Location: Southampton, UK
I ran an update last night, and now it seems to have solved the issue. I now no longer get the Level 8 virus emails triggered by email attachments. I've gone from an email every hour of the day, down to just 5 emails in the inbox now. A vast improvement.

_________________
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland


 
 Post subject: Re: Virus Detected Alerts
Posted: Thu Oct 20, 2011 6:06 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
yay! Thanks Mike! ASL just gets better and better!

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 
 Post subject: Re: Virus Detected Alerts
Posted: Thu Oct 20, 2011 6:38 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
My pleasure. And for future cases like this, we just need log examples of things you don't want to see (or want to see). You can either report the former as a False Positive (things you don't want to see), or the latter as a False Negative (things you should see), or you can just create a forum thread with what you need.

If you use the FP/FN buttons, please check your cases as we generally attach notes asking for a little more information to understand your use case, such as if you don't want to see it at all, maybe just make it a lower level, etc.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 