Real Time Malaware scanning using Maldetect : Rejected by the approver script

Question

I have a cPanel server with apache 2.4 and Maldetect, ClamAV. I want to have realtime malware scanner on server to block hackers from uploading malicious files on server. What i meant is when someone uploads a file, apache will invoke the scanner using mod-security 2.9 and scan the uploaded file.

If it's found as malware - should get rejected. If it's found good file - should upload to correct destination.

I have tried to do this with following settings as described in https://www.rfxn.com/appdocs/README.maldetect

To enable upload scanning with mod_security2 you must set enable the public_scan option
in conf.maldet (public_scan=1) then add the following rules to your mod_security2 
configuration. These rules are best placed in your modsec2.user.conf file on cpanel servers
or at the top of the appropraite rules file for your setup.

/usr/local/apache/conf/modsec2.user.conf (or similar mod_security2 rules file):
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
                "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"

If using ModSecurity >=2.9, you should set 'SecTmpSaveUploadedFiles On' before the
'SecRule FILES_TMPNAMES' line.

A restart of the Apache service is required following these changes.

But the problem is all the files are getting rejected by doing this, even good files. Is there anything wrong with the above setup?

# cat /usr/local/apache/conf/modsec2.user.conf
### UPLOAD PARAMETERS BEGIN ####
SecUploadDir /tmp
SecTmpDir /tmp/
SecDataDir /tmp/
SecUploadKeepFiles RelevantOnly
### UPLOAD PARAMETERS END  ####

SecRequestBodyAccess On
SecTmpSaveUploadedFiles On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
                "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"

Following is the error in logs

[Sun Mar 05 21:11:35.936553 2017] [:error] [pid 9800] [client x.x.x.x] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20170305-211135-WLxNz@kP@rKcABIc7ZF3lAAAAAM-file-SfujtQ" rejected by the approver script "/usr/local/maldetect/hookscan.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"] [id "999999"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "/test.php"] [unique_id "WLxNz@kP@rKcABIc7ZF3lAAAAAM"]
[Sun Mar 05 21:11:44.511418 2017] [:error] [pid 9526] [client x.x.x.x] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20170305-211144-WLxN2EJsvK1FL3paCDmxrgAAAAE-file-iQx2zR" rejected by the approver script "/usr/local/maldetect/hookscan.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"] [id "999999"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "/test.php"] [unique_id "WLxN2EJsvK1FL3paCDmxrgAAAAE"]

"#/usr/local/maldetect/hookscan.sh " this will work fine , but when using via apache it rejects all files :( — Bliss TV, Mar 05 '17 at 18:53
How do you upload those files? within the browser via a php script or anything similar? — Bogdan Stoica, Mar 16 '17 at 08:41
uploading via a php script, you can see it from the error. [uri "/test.php"] — Bliss TV, Mar 18 '17 at 14:21

score 0 · Answer 1 · answered Jan 11 '19 at 12:22

0

I had this issue too. Problem is this line:

SecTmpSaveUploadedFiles On

Try to remove it from the rule.

answered Jan 11 '19 at 12:22

16851556

255
3
11

Real Time Malaware scanning using Maldetect : Rejected by the approver script

1 Answers1