How to quarantine specific signatures?

Posted: 06 Apr 2015, 16:55
by tvc
Hi folks,
Quarantine works well enough against the clamav stuff, though I have a question.

If I know a hacker is uploading a particular script, like one with this text I've added to extras now:
regall:POST\[\'veio\'\]

Is there a way to tell quarantine to auto quarantine files with "my" specific signatures as well?

Something like an Other Files -> etc/cxs/cxs.autoquarantine
option would sure be nice. Your thoughts?

Thanks!

Re: How to quarantine specific signatures?

Posted: 06 Apr 2015, 17:32
by Sarah
From the file /etc/cxs/cxs.xtra.example:

# To force quarantine of a file when using --quarantine, prefix the match with
# "quarantine:", e.g.:
#
# regall:quarantine:/etc/passwd
# regfile:quarantine:\.pl$
# file:quarantine:r00t.php

Also see this topic: viewtopic.php?f=26&t=8568#p24356
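To see how the "quarantine:" prefix from cxs.xtra.example combines with a custom signature like the regall line above, here is a small checker added to this thread (it is not cxs's own code and not from the cxs.xtra example). The rule lines and sample files are constructed, and the matching semantics it assumes (regall = regex over file contents, regfile = regex over the file name, file = exact file name, a bare md5sum value = content fingerprint) are assumptions to verify against your own /etc/cxs/cxs.xtra.example.

```python
import hashlib
import re

# Constructed cxs.xtra-style rules (not a real cxs.xtra); "quarantine:" is the prefix quoted above.
RULES_TEXT = r"""
regall:quarantine:POST\[\'veio\'\]
regfile:quarantine:\.pl$
file:quarantine:r00t.php
"""
# Constructed sample files: relative path -> contents
SAMPLE_FILES = {
    "public_html/up.php": b"<?php system($_POST['veio']); ?>",
    "public_html/cron.pl": b"#!/usr/bin/perl\nprint 1;\n",
    "public_html/index.php": b"<?php echo 'hello'; ?>",
}

def parse_rules(text):
    """Return (kind, quarantine, pattern) tuples; a bare 32-hex line is taken as an MD5 fingerprint."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"[0-9a-f]{32}", line):  # an md5sum value pasted on its own line
            rules.append(("md5", False, line))
            continue
        kind, _, rest = line.partition(":")
        rules.append((kind, rest.startswith("quarantine:"), rest.removeprefix("quarantine:")))
    return rules

def match_rule(rule, path, data):
    """Assumed semantics: regall = regex over contents, regfile = regex over name, file = exact name."""
    kind, _, pattern = rule
    name = path.rsplit("/", 1)[-1]
    checks = {
        "regall": lambda: re.search(pattern.encode(), data) is not None,
        "regfile": lambda: re.search(pattern, name) is not None,
        "file": lambda: name == pattern,
        "md5": lambda: hashlib.md5(data).hexdigest() == pattern,
    }
    return kind in checks and checks[kind]()

def scan(files, rules):
    hits = {}  # path -> (rule text, would be quarantined); the first matching rule wins
    for path, data in files.items():
        for rule in rules:
            if match_rule(rule, path, data):
                hits[path] = (f"{rule[0]}:{rule[2]}", rule[1])
                break
    return hits
```

Running scan(SAMPLE_FILES, parse_rules(RULES_TEXT)) flags up.php via the regall rule and cron.pl via the regfile rule, both marked for quarantine; a rule without the prefix would report the match but not quarantine it.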

Re: How to quarantine specific signatures?

Posted: 26 Apr 2016, 14:31
by seguridad
Hi,

I am having a problem adding a fingerprint. Many of the sites on the server got defaced.
I have added the md5sum result to cxs.xtra.
Now I am trying to run a manual scan just on that folder to see if the problem files get quarantined, but the results of the scan show no fingerprints found. I am using this command:
/usr/sbin/cxs --nobayes --clamdsock /var/clamd --defapache nobody --exploitscan --nofallback --filemax 10000 --html --options mMOefSGchxdnwZRD --qoptions Mv --quarantine /home/quarantine/ --sizemax 500000 --www --summary --sversionscan --virusscan --mail monitoreo@caracashosting.com --Wloglevel 1 --report /var/log/cxs.scan --logfile /var/log/cxs.log -I /etc/cxs/cxs.ignore -X /etc/cxs/cxs.xtra --user xxxxx

And it does not move the files whose fingerprint I added in the cxs.xtra.