Improvements to --decode performance and effectiveness
New optimised fingerprint database. Although this database has fewer entries, it is better targeted at detecting relevant exploits that ClamAV misses (the majority!)
Changed "Match for fingerprint of an exploit" to "Known exploit = [Fingerprint Match]"
Changed "Match for regular expression (regex)" to "Regular expression match = [regex]"
Added " (Hits:nn)" to the Subject line of email reports
Added new option --ulist [file] for use with the --all option to perform scans of only those users listed in [file]
Regex scanning improvements
Disable default deep scanning on FTP and web script uploads to help avoid false positives. If you want to continue deep scanning add --deep to cxsftp.sh and/or cxscgi.sh
Added breakout if --decode [file] depth is > 250 to prevent looping
Fixed problem with quarantine UI to cope with a trailing slash on the --quarantine [dir] statement
Improved detection of the quarantine directory in UI
Added DNS lookups on FTP IP address reports
Allow the use of floating point numbers with --throttle [num]
Added "Ignore" option for FTP quarantined files to Quarantine UI to add a file: ignore statement to the relevant ignore file if configured
Added new options --jumpfrom [user] and --jumpto [user] for use with the --all option to perform scans of only those users between the two points, both of which are inclusive
Modified FrontPage extensions check to be case-insensitive
Use of --all --mail [email] and --nosummary will now only report suspicious accounts instead of all accounts. --report [file] will still contain the full report
Removed unnecessary csf.locks during some GLOBAL list updates
Updated Copyright notice
Modified the block message for LF_MODSEC and LF_SUHOSIN to be more appropriate (i.e. not "login failures")
Added new block options for BIND denied requests: LF_BIND, LF_BIND_PERM, BIND_LOG. This works in the same way as the other similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have had BIND (named) requests denied more than LF_BIND times in LF_INTERVAL seconds. Currently only the named "client ... denied" log lines for "update" and "zone transfer" requests trigger this option
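As an added illustration of the LF_BIND threshold described above (example code written for this note, not csf's own Perl implementation; the layout of the named "client ... denied" log lines and the sample log are assumed and constructed):

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed syslog layout of BIND "client ... denied" lines (constructed for this
# example; real named output varies by version, so adjust the pattern to your logs).
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?P<kind>update|zone transfer) '[^']*' denied$"
)
_EPOCH = datetime(2024, 1, 1)  # syslog lines carry no year; assume one for the arithmetic

def parse_denied(line):
    """Return (seconds, ip, kind) for an 'update'/'zone transfer' denied line, else None."""
    m = DENIED_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=_EPOCH.year)
    return (ts - _EPOCH).total_seconds(), m["ip"], m["kind"]

def find_bind_offenders(lines, lf_bind=10, lf_interval=300):
    """Map IP -> hit count for clients denied more than lf_bind times within lf_interval seconds."""
    recent = defaultdict(deque)  # per-IP sliding window of denial timestamps
    flagged = {}
    for line in lines:
        hit = parse_denied(line)
        if hit is None:
            continue  # queries, lame-server notices and other noise are ignored
        when, ip, _kind = hit
        window = recent[ip]
        window.append(when)
        while window and when - window[0] > lf_interval:
            window.popleft()  # drop denials older than LF_INTERVAL
        if len(window) > lf_bind and ip not in flagged:
            flagged[ip] = len(window)
    return flagged

# Constructed sample: one client hammering AXFR/update, one slow client, one plain query.
SAMPLE_LOG = """\
Mar  3 10:15:01 ns1 named[1184]: client 198.51.100.7#41022 (example.com): zone transfer 'example.com/AXFR/IN' denied
Mar  3 10:15:03 ns1 named[1184]: client 198.51.100.7#41023 (example.com): zone transfer 'example.com/AXFR/IN' denied
Mar  3 10:15:05 ns1 named[1184]: client 203.0.113.9#53011: update 'example.com/IN' denied
Mar  3 10:15:09 ns1 named[1184]: client 198.51.100.7#41024: update 'example.com/IN' denied
Mar  3 10:15:10 ns1 named[1184]: client 198.51.100.7#41025 (example.com): zone transfer 'example.com/AXFR/IN' denied
Mar  3 10:15:12 ns1 named[1184]: client 192.0.2.20#40001 (example.com): query: example.com IN A + (192.0.2.2)
Mar  3 10:25:30 ns1 named[1184]: client 203.0.113.9#53012: update 'example.com/IN' denied
"""

if __name__ == "__main__":
    print(find_bind_offenders(SAMPLE_LOG.splitlines(), lf_bind=3, lf_interval=300))
```

With LF_BIND=3 and LF_INTERVAL=300 only 198.51.100.7 is flagged; 203.0.113.9 is denied twice but more than LF_INTERVAL apart, so its window never exceeds the threshold.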
Modified GLOBAL_ routines to continue if retrieval for one fails instead of immediately exiting
Added IPv6 check to Server Check
Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled on single line comments (lfd.log, csf.deny, etc)
Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the respective email alerts can be disabled