CXS Ignore MD5

[robotronik]

Hi, this may be my first post on this forum so a quick hello will do!

Anyway, I think this could be an important feature of CXS. So, I use CXS Watch which is great, however, if someone uploads a file called example.php and it turns out the file has no malicious intent, to restore it I have to add it to the CXS.ignore file, which is all fine. I add the entry example.php and I know that this file example.php exists in various different applications so I want to ignore it globally rather than just per user. That's that sorted, the user has their file example.php and there is no longer an issue.

Then... along comes a malicious user, uploads example.php CXS Watch sees it, sees that is has malicious content in it, looks to the CXS.ignore file and example.php is in there. Okay, so CXS watch will ignore it.. Great, a malicious file has just slipped through the gates by means of file name alteration.

What should be a possible feature is the user uploads his file example.php, it gets blocked, I go to the file and run md5sum on it, take the MD5 key and add it to CXS.ignore... In this case, only the file example.php with the correct contents (As per the md5sum) will be ignored. That's great, then the malicious user as per example 1 comes along, uploads example.php with malicious content within and CXS Watch spots it and blocks it.

This functionality should also be possible for CXS.xtra giving us the ability to determine what files are malicious and if they match the MD5Sum then we can block it, effectively the same as the current functionality uses with it's fingerprint match utility except with the ability to add our own fingerprint matches.

Possible implementation? Hope it wasn't too confusing.. I do tend to babble.

Regards,
Chris.

[Sergio]

This will be great, have my vote +1.

Sergio

[robotronik]

This will be great, have my vote +1.

Sergio

Thanks, pleased you like the idea! Hopefully the more people who like it the quicker it can be implemented

[ForumAdmin]

This was already in development from the wishlist I'm about to release a new version that includes this as a feature.

[robotronik]

When you say about, how soon do you mean?

[Sergio]

Thank you Jonathan, it is on the new release of CXS.

But I think there is a minor bug, when I added the MD5 function into my default file it was set like this:

mail=root
exploitscan=1
virusscan=1
ignore=/etc/cxs/cxs.ignore
xtra=/etc/cxs/cxs.xtra
quarantine=/backup/quarantine
options=mMOLSGcChexdnwWDR
qoptions=mMSGchexv
quiet=1
www=1
summary=1
sizemax=800000
throttle=6
deep=1
--MD5background=1

I fixed this manually to look like:

--MD5
background=1

Sergio

[chirpy]

I'll address that issue in the next cxs release.

[peterpds]

me too i like the idea. Thanks