How to quarantine specific signatures?

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
tvc
Junior Member
Posts: 9
Joined: 05 Feb 2014, 19:00

How to quarantine specific signatures?

Post by tvc »

Hi folks,
Quarantine works well enough against the clamav stuff, though I have a question.

If I know a hacker is uploading a particular script, like one with this text I've added to extras now:
regall:POST\[\'veio\'\]

Is there a way to tell quarantine to auto quarantine files with "my" specific signatures as well?

Something like an Other Files -> etc/cxs/cxs.autoquarantine option would sure be nice. Your thoughts?

Thanks!
Sarah
Moderator
Posts: 934
Joined: 09 Dec 2006, 22:49

Re: How to quarantine specific signatures?

Post by Sarah »

From the file /etc/cxs/cxs.xtra.example:

# To force quarantine of a file when using --quarantine, prefix the match with
# "quarantine:", e.g.:
#
# regall:quarantine:/etc/passwd
# regfile:quarantine:\.pl$
# file:quarantine:r00t.php

Also see this topic: viewtopic.php?f=26&t=8568#p24356
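
Added example (not part of the original posts and not code from cxs): a small shell audit that lists which rules in a cxs.xtra-style file carry the quarantine: prefix described in the excerpt above and which do not. It assumes the rule layout type:[quarantine:]pattern shown in that excerpt; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Audit a cxs.xtra-style file for rules that lack the "quarantine:" prefix.
# Assumption: each rule is "type:[quarantine:]pattern", as in the quoted excerpt.

# xtra_audit FILE
# Prints one line per rule: "<line-number> <type> <forced|not-forced> <pattern>"
xtra_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            sep = index($0, ":")                # first colon ends the match type
            if (sep == 0) { printf "%d ? malformed %s\n", NR, $0; next }
            type = substr($0, 1, sep - 1)
            rest = substr($0, sep + 1)          # pattern may itself contain colons
            if (index(rest, "quarantine:") == 1)
                printf "%d %s forced %s\n", NR, type, substr(rest, 12)
            else
                printf "%d %s not-forced %s\n", NR, type, rest
        }' "$1"
}

# xtra_not_forced_count FILE
# Prints how many rules have no quarantine: prefix.
xtra_not_forced_count() {
    xtra_audit "$1" | awk '$3 == "not-forced" { n++ } END { print n + 0 }'
}

# Constructed sample rules (the first rule is the one from the question above).
make_sample() {
    cat <<'EOF'
# constructed sample, not a real rule set
regall:POST\[\'veio\'\]
regall:quarantine:/etc/passwd
regfile:quarantine:\.pl$
file:r00t.php
EOF
}

# Demo on the constructed sample; point xtra_audit at a real file instead.
tmp=$(mktemp) && make_sample > "$tmp" && xtra_audit "$tmp"
rm -f "$tmp"
```

Rules reported as not-forced are the ones to prefix with quarantine: if they should be moved when scanning with --quarantine.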
seguridad
Junior Member
Posts: 2
Joined: 25 Feb 2016, 18:45

Re: How to quarantine specific signatures?

Post by seguridad »

Hi,

I am having a problem adding a fingerprint. Many of the sites on the server got defaced.
I have added the md5sum result to cxs.xtra.
Now I am trying to run a manual scan just on that folder to see if the problem files get quarantined, but the results of the scan show no fingerprints found. I am using this command:
/usr/sbin/cxs --nobayes --clamdsock /var/clamd --defapache nobody --exploitscan --nofallback --filemax 10000 --html --options mMOefSGchxdnwZRD --qoptions Mv --quarantine /home/quarantine/ --sizemax 500000 --www --summary --sversionscan --virusscan --mail monitoreo@caracashosting.com --Wloglevel 1 --report /var/log/cxs.scan --logfile /var/log/cxs.log -I /etc/cxs/cxs.ignore -X /etc/cxs/cxs.xtra --user xxxxx

And it does not move the files whose fingerprints I added in cxs.xtra.