Quarantine files
  1. Morten
  2. Monday, 20 March 2017
Hello,

Please see attachment.
Is it possible to see/check somewhere on which account they tried to upload these files?
  1. 21.03.2017 10:03:37
  2. # 1
Morten Accepted Answer
Posts: 103
Joined: 16.04.2014
Are you using maldet or clamav to scan uploaded files? Are you scanning only files uploaded through http or FTP as well?

I have made a custom rule in CWAF that does the same from before:
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" "log,auditlog,deny,id:99998,severity:2,phase:2,t:none"
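
Added example, not part of the thread and not Imunify360 or CWAF code: because the rule in post #1 carries `log,auditlog`, every denied upload leaves a ModSecurity audit-log entry, and the `Host` header recorded there names the virtual host that received the upload even when Apache runs as `nobody`. The code assumes the ModSecurity 2.x serial audit-log format with sections A, B and H enabled; the sample entries, the second rule id and the function names are constructed for illustration.

```python
import re

# Constructed ModSecurity 2.x serial audit log (sample data, not from the thread).
SAMPLE_LOG = """\
--a1b2c3d4-A--
[21/Mar/2017:10:03:37 +0100] WNEAAX8AAAEAAB1kAAAAAA 203.0.113.7 51234 192.0.2.10 80
--a1b2c3d4-B--
POST /wp-content/uploads/up.php HTTP/1.1
Host: shop.example.com

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). File "/tmp/20170321-100337-file-Ab12Cd" rejected by the approver script "/usr/local/maldetect/hookscan.sh": 0 maldet: sample.signature [id "99998"] [severity "CRITICAL"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[21/Mar/2017:10:04:02 +0100] WNEAAn8AAAEAAB1lAAAAAB 198.51.100.9 40022 192.0.2.10 80
--e5f6a7b8-B--
GET /index.php?id=1 HTTP/1.1
Host: blog.example.org

--e5f6a7b8-H--
Message: Warning. Pattern match at ARGS:id. [id "1000001"] [severity "WARNING"]
--e5f6a7b8-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")

def parse_entries(text):
    """Split a serial audit log into one {section letter: [lines]} dict per entry."""
    entries, section = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            if section == "A":          # section A opens a new transaction
                entries.append({})
        elif entries and section:
            entries[-1].setdefault(section, []).append(line)
    return entries

def blocked_uploads(text, rule_id="99998"):
    """Return (timestamp, client IP, Host header, request line) per hit of rule_id."""
    hits = []
    for e in parse_entries(text):
        if not any(f'[id "{rule_id}"]' in l for l in e.get("H", [])):
            continue
        m = re.match(r"\[([^\]]+)\] \S+ (\S+)", (e.get("A") or [""])[0])
        req = e.get("B") or [""]        # first line of B is the request line
        host = next((l[5:].strip() for l in req[1:] if l.lower().startswith("host:")), None)
        hits.append((m and m.group(1), m and m.group(2), host, req[0]))
    return hits
```

Mapping the reported virtual host to a hosting account is left to the control panel's own domain-to-user records, which this example does not read.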
  1. 21.03.2017 10:03:09
  2. # 2
Rushan Shaymardanov Accepted Answer
Posts: 0
Joined: 20.11.2019
Hello.
Currently, you cannot determine which user these files belong to. It's because Apache is always running as user nobody in your configuration.

We are working on this issue to find a way to make it possible.
  1. 25.03.2017 01:03:21
  2. # 3
Ryan Smith Accepted Answer
Posts: 32
Joined: 27.04.2016
I also have a question about your malware scanning.

I currently have CXS installed on the system and use their cxswatch daemon to scan files.

When malware scanning was added to Imunify I disabled cxswatch, but noticed that CXS' FTP scanning was automatically turned on.

Today I noticed a spike in server load while a customer was uploading a bunch of files over FTP and saw that both CXS and maldet (which I assume you are using) were both scanning the files.

I've disabled CXS' FTP scanning, which also appears to have disabled maldet scanning as well.

Is there a way to select one or the other, or disable what you are doing and continue using the cxswatch daemon?
  1. 27.03.2017 04:03:52
  2. # 4
Rushan Shaymardanov Accepted Answer
Posts: 0
Joined: 20.11.2019

> I've disabled CXS' FTP scanning, which also appears to have disabled maldet scanning as well.
>
> Is there a way to select one or the other, or disable what you are doing and continue using the cxswatch daemon?


Probably for some reason CXS disabled our pure-ftpd scans. You can enable them back by running the `imunify360-agent malware pure-scan enable` command.
  1. 27.03.2017 15:03:02
  2. # 5
Ryan Smith Accepted Answer
Posts: 32
Joined: 27.04.2016
Are you able to extend the documentation to list such commands to enable and disable certain features?

I'm finding it difficult to test Imunify360 as whenever you launch new features they often conflict with existing applications on the server (i.e. existing ModSecurity rules, existing malware scanners, etc).

Providing more documentation and a list of commands to enable/disable such features will help us to continue testing and troubleshoot issues.
  1. 31.03.2017 11:03:13
  2. # 6
Rushan Shaymardanov Accepted Answer
Posts: 0
Joined: 20.11.2019
0
Yes, we have plans to extend the ability to enable/disable features which can potentially conflict with third-party software. And we will extend the documentation with these commands/actions.