CXS Ignore MD5
Posted: 30 Jun 2011, 08:17
Hi, this may be my first post on this forum so a quick hello will do!
Anyway, I think this could be an important feature of CXS. So, I use CXS Watch, which is great; however, if someone uploads a file called example.php and it turns out the file has no malicious intent, to restore it I have to add it to the CXS.ignore file, which is all fine. I add the entry example.php, and I know that this file example.php exists in various different applications, so I want to ignore it globally rather than just per user. That's that sorted: the user has their file example.php and there is no longer an issue.
Then... along comes a malicious user, uploads example.php, CXS Watch sees it, sees that it has malicious content in it, looks in the CXS.ignore file, and example.php is in there. Okay, so CXS Watch will ignore it. Great, a malicious file has just slipped through the gates by means of file name alteration.
What should be a possible feature is this: the user uploads his file example.php, it gets blocked, I go to the file and run md5sum on it, take the MD5 sum and add it to CXS.ignore. In this case, only the file example.php with the correct contents (as per the md5sum) will be ignored. That's great; then the malicious user as per example 1 comes along, uploads example.php with malicious content within, and CXS Watch spots it and blocks it.
This functionality should also be possible for CXS.xtra, giving us the ability to determine what files are malicious and, if they match the MD5 sum, block them, effectively the same as the current functionality with its fingerprint match utility, except with the ability to add our own fingerprint matches.
Possible implementation? Hope it wasn't too confusing... I do tend to babble.
Regards,
Chris.