Fine-tuning the Malware Detection / Scanner module


Inotify user Watches

The inotify user watch limit is raised by BitNinja to 30000000. If you need to increase the value even further, use the following command:
echo 35000000 > /proc/sys/fs/inotify/max_user_watches

You can find the Malware Detection module's config file at /etc/bitninja/MalwareDetection/config.ini. Here you can modify the list of whitelisted directories and enable or disable auto quarantine.

These settings also apply to the Malware Scanner module. If a directory is whitelisted, the Malware Scanner module will also skip that directory during scanning. If you disable the quarantine function in the Malware Detection module, the Malware Scanner module won't quarantine files either.

How to configure the Malware Detection/Scanner module:

  1. Open the Malware Detection module's config file with your preferred text editor
    e.g.: nano /etc/bitninja/MalwareDetection/config.ini
  2. Modify the config file (see below)

Increase the file size limit for scanning

By default, the size limit for scanned files is 1 MB.
  1. Find the scan_max_file_size value in the Malware Detection module's config file.
  2. Delete the semicolon from the beginning of the line.
  3. Add the new file size limit in bytes. For example, to change the limit to 5 MB, change the value to 5242880.

After the changes, the config file should look like this:
    scan_max_file_size = 5242880

Include directories to scan (Malware Detection)

By default, BitNinja continuously scans the /tmp, /home, and /var/www directories for file changes, but you can add any other directory by defining new paths.
  1. Find this part in the text.
    In nano you can find it with ctrl + W, then type in file_path 
  2. Add the path to the directory which you wish to scan continuously for file changes without a semicolon in front of the line.
    file_path[] = '/Path/To/Directory'

Exclude Directories, NOT to scan (Malware Detection)

  1. Find this part in the text. In nano, you can find it with ctrl + W then type in exclude
  2. Add the path to the directory which you wish to skip during the scanning process without a semicolon in front of the line.
    exclude[] = '/Path/To/Directory'
  3. To also exclude the directory from the manual scans add the same path under the [whitelist] flag as shown below:
    paths[] = '/Path/To/Directory'

Upload malware source

You can help us improve our malware signatures by enabling an option in your MalwareDetection module's config. This allows the BitNinja agent to upload the source code of any malware that has been detected.
Our developers use this data to reduce the false positive rate and to tweak the signatures.

To enable this function you need to edit the /etc/bitninja/MalwareDetection/config.ini file.
You can find the corresponding part of the .ini file under the [core] section.

; Enable malware source upload to Cloud.
; This feature helps you with the malware validation process.
; Uploaded source files are only visible to the server owner.
;upload_malware_source=0

Remove the semicolon from the ;upload_malware_source=0 line and change the value of the variable to 1, so it looks like this: upload_malware_source=1

Then restart BitNinja with the service bitninja restart command so that the change will take effect.

Source files that match global validating signatures will also be stored in our central database, so new malware signatures can be published faster.

With BitNinja version 2.27.1 or newer, you can exclude directories via regular expressions.
If you do not want to scan a given directory inside your users' home directories, you can use a pattern like this:

/home.*?/.*?/d.NoScan/

More examples:

[whitelist]
paths[] = '/home.*?/accesslog/'
[inotify]
exclude[]='/home.*?/virtfs/'
file_path[] = '/home.*?/'
You can also exclude subdirectories of the directories that are listed for continuous file change scanning.
e.g.: if /tmp is added for the Malware Detection module to watch for file changes and
exclude[] = '^/tmp/mysql.sock$'
is added, then the whole /tmp directory will be scanned except /tmp/mysql.sock.
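The following is an added example (not BitNinja's own code) for checking how the file_path, exclude and [whitelist] patterns above would classify a given path before you restart the agent. It assumes the array-style `key[] = 'value'` syntax shown on this page, that patterns are Python-compatible regular expressions matched with re.search, and that an exclude match overrides a file_path match; the sample config is constructed here.

```python
import re

# Constructed sample config, echoing the patterns shown on this page.
SAMPLE_CONFIG = """
[core]
scan_max_file_size = 5242880
[whitelist]
paths[] = '/home.*?/accesslog/'
[inotify]
file_path[] = '/tmp'
file_path[] = '/home.*?/'
;exclude[] = '/Path/To/Directory'
exclude[] = '/home.*?/virtfs/'
exclude[] = '^/tmp/mysql.sock$'
"""

def parse_config(text):
    """Return {section: {key: [values]}}. Lines starting with ';' are
    comments; a trailing [] on the key means the value is appended to a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        key = key.strip().rstrip("[]")
        value = value.strip().strip("'\"")
        sections.setdefault(current, {}).setdefault(key, []).append(value)
    return sections

def is_watched(cfg, path):
    """Assumed semantics: a path is watched for changes if any file_path
    pattern matches it and no exclude pattern matches it (exclude wins).
    Note: an unescaped '.' as in mysql.sock matches any character."""
    inotify = cfg.get("inotify", {})
    watched = any(re.search(p, path) for p in inotify.get("file_path", []))
    excluded = any(re.search(p, path) for p in inotify.get("exclude", []))
    return watched and not excluded

def skipped_by_manual_scan(cfg, path):
    """A [whitelist] paths[] match means the manual scanner skips the path."""
    patterns = cfg.get("whitelist", {}).get("paths", [])
    return any(re.search(p, path) for p in patterns)
```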

Save changes and restart BitNinja

  1. Save the changes and exit the text editor.
    In nano press ctrl + X then Y and then press enter.
  2. Restart BitNinja to make the changes take effect with
    service bitninja restart