Inotify user Watches
The Inotify user watches are increased by BitNinja to 30000000. In case you need to increase the value even further, you can use the following command:
echo 35000000 > /proc/sys/fs/inotify/max_user_watches
These settings also apply to the Malware Scanner module. If a directory is whitelisted, the Malware Scanner module will also skip the directory during scanning. If you disable the quarantine function in the Malware Detection module, the Malware Scanner module won’t quarantine files either.
How to configure the Malware Detection/Scanner module:
- Open the Malware Detection module’s config file with your preferred text editor, e.g.:
nano /etc/bitninja/MalwareDetection/config.ini
- Modify the config file (see below)
Increase the file size limit for scanning
- Find the scan_max_file_size value in the Malware Detection module’s config file.
- Delete the semicolon from the beginning of the line.
- Add the new file size limit in bytes. For example: if you want to change the limit to 5 MB, change the value to 5242880.
After the changes the config file should look like this:

Include directories to scan (Malware Detection)
- Find this part in the text. In nano, you can find it with ctrl + W, then type in file_path.
- Add the path to the directory which you wish to scan continuously for file changes, without a semicolon in front of the line.
file_path[] = '/Path/To/Directory'

Exclude Directories, NOT to scan (Malware Detection)
- Find this part in the text. In nano, you can find it with ctrl + W, then type in exclude.
- Add the path to the directory which you wish to skip during the scanning process, without a semicolon in front of the line.
exclude[] = '/Path/To/Directory'
- To also exclude the directory from the manual scans, add the same path under the [whitelist] section as shown below:
paths[] = '/Path/To/Directory'
Upload malware source
You can help us improve our malware signatures by enabling an option in your MalwareDetection module’s config. This will allow the BitNinja agent to upload the source codes of any malware that has been detected.
The data will be used by our developers to reduce the false positive rates and to tweak the signatures.
To enable this function you need to edit the /etc/bitninja/MalwareDetection/config.ini file.
You can find the corresponding setting in the .ini file under the [core] section.
; Enable malware source upload to Cloud.
; This feature helps you with the malware validation process.
; Uploaded source files only visable for the server owner.
;upload_malware_source=0
Remove the semicolon from the ;upload_malware_source=0 line and change the value of the variable to 1, so it looks like this:
upload_malware_source=1
Then restart BitNinja so that the change takes effect:
service bitninja restart
If you do not want to scan a directory in your users’ home directories you can do that with this pattern:
/home.*?/.*?/d.NoScan/
More examples:
[whitelist]
paths[] = '/home.*?/accesslog/'
[inotify]
exclude[]='/home.*?/virtfs/'
file_path[] = '/home.*?/'
e.g.: If /tmp is added for the Malware Detection to scan it for file changes and
exclude[] = '^/tmp/mysql.sock$'
is added, then all of the tmp directory will be scanned except mysql.sock.
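To check which files a set of exclude[] and [whitelist] patterns would hide from the scanner before restarting BitNinja, the following added example (not BitNinja's own code) runs the patterns shown above against a few constructed paths. It assumes the agent applies each pattern as an unanchored regular-expression search on the full path, which the use of ^ and $ above suggests; the function names, sample config and sample paths are made up for illustration.

```python
import re

# Constructed sample: the patterns shown on this page, in config.ini syntax.
SAMPLE_CONFIG = """\
[whitelist]
paths[] = '/home.*?/accesslog/'
[inotify]
exclude[]='/home.*?/virtfs/'
exclude[] = '^/tmp/mysql.sock$'
;exclude[] = '/commented/out/'
file_path[] = '/home.*?/'
"""

# Constructed paths to test, not taken from a real server.
SAMPLE_PATHS = [
    "/home/alice/public_html/index.php",
    "/home/alice/virtfs/x.php",
    "/tmp/mysql.sock",
    "/tmp/mysqlXsock",                          # unescaped "." matches any character
    "/tmp/mysql.sock.php",                      # "$" anchor keeps this one scanned
    "/var/www/home2/site/accesslog/upload.php", # no "^": matches outside /home too
]

def parse_patterns(text):
    """Collect key[] = 'value' entries per (section, key); ';' lines are comments."""
    section, found = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif m := re.fullmatch(r"(\w+)\[\]\s*=\s*'(.*)'", line):
            found.setdefault((section, m.group(1)), []).append(m.group(2))
    return found

def audit(text, paths):
    """Map each path to the patterns that would skip it, per section.
    Assumption: patterns are applied as an unanchored regex search on the path."""
    pats = parse_patterns(text)
    scopes = {"inotify": pats.get(("inotify", "exclude"), []),
              "whitelist": pats.get(("whitelist", "paths"), [])}
    return {p: {s: [r for r in rx if re.search(r, p)] for s, rx in scopes.items()}
            for p in paths}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_CONFIG, SAMPLE_PATHS).items():
        skipped = {s: h for s, h in hits.items() if h}
        print(f"{path}: {'SKIPPED by ' + str(skipped) if skipped else 'scanned'}")
```

A pattern that matches more paths than intended is a blind spot for the scanner, so review any unexpected SKIPPED line before applying the config.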
Save changes and restart BitNinja
- Save the changes and exit the text editor. In nano, press ctrl + X, then Y, and then press enter.
- Restart BitNinja to make the changes take effect with
service bitninja restart