Fine-tuning the Malware Detection / Scanner module

You are here:
Estimated reading time: 1 min
In this article

Inotify user Watches

The Inotify user watches are increased by BitNinja to 30000000. In case you need to increase the value even further, you can use the
echo 35000000 > /proc/sys/fs/inotify/max_user_watches command.

How to configure the Malware Detection/Scanner module:

  1. Open the Configuration menu on your BitNinja dashboard.
  2. Select the setting level on the left side. (server-level, server group-level, account-level)
  3. Select the Malware Detection module from the modules list.

Increase the file size limit for scanning

By default, the limit for scanned files is 1MB.
  1. Click on Advanced Settings at the bottom
  2. Modify the “Maximum file size when scanning in bytes” parameter
  3. Click on the Save button at the top.

Include directories to scan (Malware Detection)

By default, BitNinja exclusively scans the /tmp, /home, and /var/www directories, but you can add any other directories by defining new paths.
  1. In the Malware Detection menu, find the “Monitored paths” parameter
  2. Click on “+ Add new” and add the path.
  3. Then click on the Save button at the top.

Exclude Directories, NOT to scan (Malware Detection)

  1. Add the path with the “+ Add new” button under the “Directories” path
  2. Also, add the path under the “Inotify settings” with the “+ Add new” button to disable real-time malware detection.
  3. Then click on the Save button at the top.
With BitNinja version 2.27.1 or newer versions, you can exclude directories via regular expressions.
If you do not want to scan a directory in your users’ home directories, you can do that with this pattern:

/home.*?/.*?/d.NoScan/

More examples:

[whitelist]
paths[] = '/home.*?/accesslog/'
[inotify]
exclude[]='/home.*?/virtfs/'
file_path[] = '/home.*?/'
You can exclude subdirectories of the directories that are listed to scan for file changes continuously.
e.g., If /tmp is added for Malware Detection to scan it for file changes and
exclude[] = ‘^/tmp/mysql.sock$’ is added, then all of the tmp directories will be scanned except mysql.sock$

Was this article helpful?
It was not helpful
Views: 1306