CXS Ignore MD5

robotronik
Junior Member
Posts: 13
Joined: 10 Jul 2009, 20:24

CXS Ignore MD5

Post by robotronik »

Hi, this may be my first post on this forum so a quick hello will do!

Anyway, I think this could be an important feature of CXS. So, I use CXS Watch which is great, however, if someone uploads a file called example.php and it turns out the file has no malicious intent, to restore it I have to add it to the CXS.ignore file, which is all fine. I add the entry example.php and I know that this file example.php exists in various different applications so I want to ignore it globally rather than just per user. That's that sorted, the user has their file example.php and there is no longer an issue.

Then... along comes a malicious user, uploads example.php, CXS Watch sees it, sees that it has malicious content in it, looks to the CXS.ignore file and example.php is in there. Okay, so CXS Watch will ignore it.. Great, a malicious file has just slipped through the gates by means of file name alteration.

What should be a possible feature is the user uploads his file example.php, it gets blocked, I go to the file and run md5sum on it, take the MD5 key and add it to CXS.ignore... In this case, only the file example.php with the correct contents (As per the md5sum) will be ignored. That's great, then the malicious user as per example 1 comes along, uploads example.php with malicious content within and CXS Watch spots it and blocks it.

This functionality should also be possible for CXS.xtra, giving us the ability to determine what files are malicious, and if they match the MD5Sum then we can block it, effectively the same as the current functionality uses with its fingerprint match utility, except with the ability to add our own fingerprint matches.

Possible implementation? Hope it wasn't too confusing.. I do tend to babble.

Regards,
Chris.
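
The difference between the two ignore policies described in the post above, as an added Python example that is not part of the thread and is not CXS code. The ignore sets, paths and file contents are constructed for illustration and do not reflect the cxs.ignore syntax:

```python
import hashlib
import os
import tempfile


def md5_of(path, chunk=65536):
    """MD5 of the file contents, the same value `md5sum <file>` prints."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def ignored_by_name(path, ignore_names):
    # Name-only rule: any file carrying an ignored name is skipped.
    return os.path.basename(path) in ignore_names


def ignored_by_digest(path, ignore_digests):
    # Content rule: skipped only if the bytes match a reviewed file.
    return md5_of(path) in ignore_digests


def demo():
    # Constructed sample files; names and contents are illustrative only.
    samples = {
        "reviewed/example.php": b"<?php echo 'hello'; ?>\n",
        "other_upload/example.php": b"<?php /* different, unreviewed content */ ?>\n",
        "reviewed_copy/renamed.php": b"<?php echo 'hello'; ?>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        paths = {}
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full))
            with open(full, "wb") as fh:
                fh.write(body)
            paths[rel] = full
        names = {"example.php"}  # hypothetical name-based ignore list
        digests = {md5_of(paths["reviewed/example.php"])}  # hypothetical digest list
        return {rel: (ignored_by_name(p, names), ignored_by_digest(p, digests))
                for rel, p in paths.items()}


if __name__ == "__main__":
    for rel, (by_name, by_digest) in demo().items():
        print(f"{rel}: ignored by name={by_name}, ignored by digest={by_digest}")
```

The third sample shows that a digest entry follows the reviewed bytes wherever they appear, while the name entry follows only the file name.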
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: CXS Ignore MD5

Post by Sergio »

This will be great, have my vote +1.

Sergio
robotronik
Junior Member
Posts: 13
Joined: 10 Jul 2009, 20:24

Re: CXS Ignore MD5

Post by robotronik »

Sergio wrote: This will be great, have my vote +1.

Sergio

Thanks, pleased you like the idea! Hopefully the more people who like it the quicker it can be implemented :)
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CXS Ignore MD5

Post by ForumAdmin »

This was already in development from the wishlist ;) I'm about to release a new version that includes this as a feature.
robotronik
Junior Member
Posts: 13
Joined: 10 Jul 2009, 20:24

Re: CXS Ignore MD5

Post by robotronik »

When you say about, how soon do you mean?
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: CXS Ignore MD5

Post by Sergio »

Thank you Jonathan, it is on the new release of CXS.

But I think there is a minor bug, when I added the MD5 function into my default file it was set like this:
mail=root
exploitscan=1
virusscan=1
ignore=/etc/cxs/cxs.ignore
xtra=/etc/cxs/cxs.xtra
quarantine=/backup/quarantine
options=mMOLSGcChexdnwWDR
qoptions=mMSGchexv
quiet=1
www=1
summary=1
sizemax=800000
throttle=6
deep=1
--MD5background=1

I fixed this manually to look like:
--MD5
background=1

Sergio
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: CXS Ignore MD5

Post by chirpy »

I'll address that issue in the next cxs release.
peterpds
Junior Member
Posts: 1
Joined: 29 Oct 2011, 10:25

Re: CXS Ignore MD5

Post by peterpds »

Me too, I like the idea. Thanks