Maldet – Quarantine, Clean and Replace Functions
So, now that there is an AV program on the system, what if it quarantines a system file and prevents something from working? In the short term, on an important system, keeping it up may matter more, depending on the situation and the virus's behaviour.
This is probably why an AV like Clam doesn't automatically action a file other than reporting it, so the sysadmin can decide the best course of action first. Maybe there is a duplicate system that can be switched over first, etc., before the infected system is brought offline and fixed with, say, known good backups – whatever.
I'm curious to know how well Maldet recovers a file from quarantine (I've already had a play, which is why I want to document this to check what I did again) and how or whether it can clean a file, with a simple test using the Eicar test file again.
In my initial experiment, I could not get it cleaned and replaced from quarantine, so I'm going to look again and show what I'm doing so others can see if I'm making mistakes or have a wrong assumption about what I think should happen.
First, I have three text files in the Downloads folder on my Linux box: one with garbage text, one with the Eicar string in it, and one with the Eicar string mixed with the garbage text but on a separate line:
root@HPbox:~# ls /home/stevee/Downloads/Eicar/
CleanAnDirty.txt CleanFile.txt Dirty.txt
Now, I am presuming that a "cleaning" function is able to remove malicious code from a particular file type, such as HTML or PHP code. Seems like common sense, right?
I'm not even talking about binary or MD5 hash detection here yet, so hang on…
First, I'm going to run a maldet scan on the Eicar folder, which in this case removes (quarantines) the infected files, Dirty.txt and CleanAnDirty.txt, to show the replace function.
Now the directory list shows two files removed – only CleanFile.txt remaining as expected:
Now, to check the replace from quarantine function, use maldet -s with the SCAN ID from the last run, 040814-2225.16505:
-s, --restore FILE|SCANID
Restore file from quarantine queue to original path or restore all items from a specific SCANID
e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
e.g: maldet --restore 050910-1534.21135.
In this case it also restored other files elsewhere that I'd already used – I assume because the signature from the database is the same – the Eicar string.
Seems a bit odd, because those files would have had a different SCAN ID?
The main thing is that it replaced the files it removed on the last scan – Dirty.txt and CleanAnDirty.txt.
OK, fine up to now. Just what you'd expect.
But what happens when cleaning is attempted?
My presumption – maybe wrong – is that the files containing the Eicar string should be quarantined on scanning as before, then on clean and replace they would be put back where they came from but with the Eicar string removed, leaving only harmless text, as the -n switch description indicates:
-n, --clean SCANID
Try to clean & restore malware hits from report SCANID
e.g: maldet --clean 050910-1534.21135
Let's see – scanning all again:
This time the report ID is 040814-2244.17307
The Dirty files have been removed again:
Using the -n option to clean and replace gives no info:
The files are not replaced:
What's wrong with this scenario?
I would have thought this was as simple a test as could be, so why can't the Eicar string be removed, leaving the text on the other line intact?
They are not even mixed up, but on separate lines. I can still restore the original dirty files:
But they still have the Eicar string inside:
I'll research it and get back – if I don't find out what is happening maybe I'll email Ryan's blog.
Also, you can see how the restore info works – the removed files are in
vi /usr/local/maldetect/quarantine/
Hmm.. it seems it only has cleaner rules for specific kinds of malware injection:
Other useful maldet options, from the descriptions of the quarantine settings in conf.maldet:
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the --restore FILE option.
This tells LMD that it should try to clean malware that it has cleaner rules for; at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.
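That second description explains the result of the experiment above: LMD only ships cleaner rules for base64_decode and gzinflate injection strings, so a hit on the Eicar string has no rule to clean it with, and --clean leaves it in quarantine rather than restoring it. The script below is an added example, not LMD's own code, that models the quarantine / restore / clean cycle in plain sh so the behaviour can be seen without a maldet install. Everything in it is constructed for the example: a temp dir stands in for /usr/local/maldetect/quarantine, the original path of each hit is kept in a ".path" sidecar file (LMD keeps its own metadata), the only cleaner rule is "delete any line containing eval(base64_decode(" as a stand-in for LMD's injection cleaners, the Inject.php file and its harmless base64 payload are made up, and the scan IDs are the ones from the post.

```shell
#!/bin/sh
# Added example: a shell model of LMD's quarantine -> restore / clean cycle.
# NOT LMD's code. All paths, rules and sample files are constructed for this example.
set -eu

QUAR_DIR=$(mktemp -d)          # stands in for /usr/local/maldetect/quarantine
trap 'rm -rf "$QUAR_DIR"' EXIT

# Standard, harmless EICAR anti-virus test string (single quotes keep $ and \ literal)
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# make_testdir DIR: recreate the post's three text files, plus a constructed PHP file
# carrying a base64_decode injection line (the kind of hit a cleaner rule exists for)
make_testdir() {
    mkdir -p "$1"
    printf 'harmless line one\nharmless line two\n' > "$1/CleanFile.txt"
    printf '%s\n' "$EICAR" > "$1/Dirty.txt"
    printf 'harmless line one\n%s\n' "$EICAR" > "$1/CleanAnDirty.txt"
    printf '<?php\necho "site code";\neval(base64_decode("aGVsbG8="));\n' > "$1/Inject.php"
}

# quarantine_hit FILE SCANID: move the hit into the quarantine dir, strip all
# permissions (chmod 000) and remember where it came from (sidecar ".path" file)
quarantine_hit() {
    q="$QUAR_DIR/$(basename "$1").$2"
    printf '%s\n' "$1" > "$q.path"
    mv "$1" "$q"
    chmod 000 "$q"
}

# restore_hit QUARFILE: put the file back at its original path with permissions
# reinstated (the model uses 0644; LMD restores the recorded owner and mode)
restore_hit() {
    dest=$(cat "$1.path")
    chmod 644 "$1"
    mv "$1" "$dest"
    rm -f "$1.path"
}

# clean_hit QUARFILE: apply the (only) cleaner rule and restore the file if it matched.
# Exit status 0 = cleaned and restored; 1 = no rule for this hit, file stays quarantined.
clean_hit() {
    chmod 600 "$1"                      # need read access to inspect the content
    if grep -q 'eval(base64_decode(' "$1"; then
        sed '/eval(base64_decode(/d' "$1" > "$1.tmp"
        mv "$1.tmp" "$1"
        restore_hit "$1"
        return 0
    fi
    chmod 000 "$1"                      # no cleaner rule: leave it locked down
    return 1
}

# demo: quarantine the three hits under one scan ID, then try to clean each one.
# Dirty.txt and CleanAnDirty.txt stay in quarantine (EICAR has no rule);
# Inject.php is cleaned and restored, so the directory ends up with CleanFile.txt and Inject.php.
demo() {
    d=$(mktemp -d)
    make_testdir "$d/Eicar"
    for f in Dirty.txt CleanAnDirty.txt Inject.php; do
        quarantine_hit "$d/Eicar/$f" 040814-2244.17307
    done
    for f in Dirty.txt CleanAnDirty.txt Inject.php; do
        if clean_hit "$QUAR_DIR/$f.040814-2244.17307"; then
            printf '%-16s cleaned and restored\n' "$f"
        else
            printf '%-16s no cleaner rule, still in quarantine\n' "$f"
        fi
    done
    ls "$d/Eicar"
    rm -rf "$d"
}

demo
```

The model keeps the two decisions separate on purpose: quarantining is unconditional for any hit, while cleaning only ever happens when a rule matches, and restore is a side effect of a successful clean. That is exactly the split the post ran into, and the reason --clean on an Eicar-only report looks like it does nothing.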