If a malware’s signature is not in our malware signature database then BitNinja can not detect the malware. But you can easily add a malware signature to the database. And You can protect all of your servers instantly from that malware which has just been added as a signature.
After you have found the Malware you can add the signature to the BitNinja malware database.
- Issue this command:
bitninjacli --module=MalwareDetection --create-signature --path=/path/to/file - Press p to proceed to create the signature and then press enter.
- Wait for the Signature to be created.
- Then press y and then enter to publish the malware signature and quarantine it on all of your servers.
bitninjacli --module=MalwareDetection --list-signature-catches --id=<signatureId> Create Snippet signature
Snippet signatures can clean files from the injected malware. At the moment snippet signatures cannot be created from the Dashboard.
At the moment the Malware detection module can detect injected codes written in PHP.
- Create a file that contains only the injected code.
- Run this command:
bitninjacli --module=malwaredetection --create-signature --path=path/to/injected/code --non-interactive --name=Name_HERE --snippet
- Check if the signature is created.
bitninjacli --module=MalwareDetection --list-signatures --type=sa-snippet --state=ANY
The signature should be in validating state.
- Make sure that the signature does not cause false positives.
Check the infected files menu on your dashboard matches should be in “log only”
You can also check matches with this command:bitninjacli --module=MalwareDetection --list-signature-catches --id=<signatureID HERE> - Publish the signature:
bitninjacli --module=MalwareDetection --publish-signature --id=<signatureID HERE>
Upload malware from the Dashboard
You can also upload files from the Dashboard to generate a malware signature. You just need to click on the + Add new Malware button at the top right at the Anti-Malware / Local malware signatures menu. The signature will be in a validating state and the signature ID and the number of matching files on your servers will be displayed within 5 minutes in the Table of malware signatures.
