Fine-tuning the Malware Detection / Scanner module


Inotify user watches

BitNinja raises the inotify user-watch limit to 30000000. If you need to increase the value even further, run:
echo 35000000 > /proc/sys/fs/inotify/max_user_watches
A value written to /proc/sys this way does not persist across a reboot.

You can find the Malware detection config file at /etc/bitninja/MalwareDetection/config.ini. Here, you can modify the list of allow-listed directories, and you can enable or disable auto quarantine.

These settings also apply to the Malware Scanner module. If a directory is on your allow list, the Malware Scanner module will also skip it during scanning. If you disable the quarantine function in the Malware Detection module, the Malware Scanner module won’t quarantine files either.

How to configure the Malware Detection/Scanner module:

  1. Open the Configuration menu on your BitNinja dashboard.
  2. Select the setting level on the left side (server level, server group level or account level).
  3. Select the Malware Detection module from the modules list.

Increase the file size limit for scanning

By default, the size limit for scanned files is 1MB.
  1. Click on Advanced Settings at the bottom
  2. Modify the “Maximum file size when scanning in bytes” parameter
  3. Click on the Save button at the top.

Include directories to scan (Malware Detection)

By default, BitNinja scans only the /tmp, /home and /var/www directories, but you can add any other directory by defining a new path.
  1. In the Malware Detection menu, find the “Monitored paths” parameter
  2. Click on “+ Add new” and add the path.
  3. Then click on the Save button at the top.

Exclude directories NOT to scan (Malware Detection)

  1. Add the path under “Directories” with the “+ Add new” button.
  2. To also disable real-time malware detection for that path, add it under “Inotify settings” with the “+ Add new” button.
  3. Then click on the Save button at the top.

Upload malware source

You can help us improve our malware signatures by enabling an option in the MalwareDetection module’s config. This allows the BitNinja agent to upload the source code of any malware it has detected.
Our developers use this data to reduce the false positive rate and to tweak the signatures.

Enable the “Enable malware source upload to Cloud” option, then click on Apply at the top of the screen.

The source code of files matching global validating signatures will also be stored in our central database, so publishing malware signatures will be faster.

With BitNinja version 2.27.1 or newer, you can exclude directories via regular expressions.
If you do not want to scan a particular directory inside your users’ home directories, you can do that with a pattern like this one:

/home.*?/.*?/d.NoScan/

More examples:

[whitelist]
paths[] = '/home.*?/accesslog/'
[inotify]
exclude[] = '/home.*?/virtfs/'
file_path[] = '/home.*?/'

You can also exclude subdirectories of the directories that are monitored continuously for file changes.
For example, if /tmp is added for Malware Detection to monitor for file changes and
exclude[] = '^/tmp/mysql.sock$' is added, then everything under /tmp is scanned except /tmp/mysql.sock.
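Because these exclusions are regular expressions rather than literal paths, it is worth dry-running them against sample paths before saving the config. The following Python script is an added example, not BitNinja's own code: it parses the PHP-style key[] = value arrays from a constructed config.ini fragment and reports which [whitelist] paths or [inotify] exclude pattern would skip each candidate path. It assumes the patterns are applied with unanchored search semantics, which is why the unescaped dot in mysql.sock and the missing ^ anchor on the /home patterns widen what gets excluded.

```python
import re
from collections import defaultdict

# Constructed config.ini fragment mirroring the patterns shown on this page.
SAMPLE_CONFIG = """
[whitelist]
paths[] = '/home.*?/accesslog/'
paths[] = '/home.*?/.*?/d.NoScan/'
[inotify]
exclude[] = '/home.*?/virtfs/'
exclude[] = '^/tmp/mysql.sock$'
"""

def parse_array_ini(text):
    """Parse PHP-style 'key[] = value' arrays into {section: {key: [values]}}.
    Quotes around values are stripped; non-array keys are ignored (assumption)."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        if key.endswith("[]"):
            sections[current][key[:-2]].append(value)
    return sections

def excluded_by(patterns, path):
    """Return the first pattern matching path, or None.
    Assumes unanchored re.search semantics: without ^ and $ a pattern
    matches anywhere in the path, and an unescaped '.' matches any char."""
    for pat in patterns:
        if re.search(pat, path):
            return pat
    return None

def dry_run(config_text, candidate_paths):
    """Map each candidate path to the exclusion pattern that would skip it."""
    cfg = parse_array_ini(config_text)
    patterns = cfg["whitelist"]["paths"] + cfg["inotify"]["exclude"]
    return {p: excluded_by(patterns, p) for p in candidate_paths}

if __name__ == "__main__":
    for path, hit in dry_run(SAMPLE_CONFIG, ["/tmp/mysqlXsock", "/srv/home/bob/accesslog/"]).items():
        print(path, "->", hit or "scanned")
```

If a literal dot is intended, escape it (mysql\.sock), and anchor patterns with ^ when they should only apply to paths that start with /home.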
