ConfigServer Services Blog

Changes:

• Modified cxs Watch so that watches are updated/created if the alternative configuration file reload method is used
• Exploit fingerprint definitions database additions
• BETA: Added a local bayes corpus so that learning and forgetting can be implemented locally
• BETA: Added new option –blearn [X|C] so that new files can be added to the local corpus as either an exploit (X) or as a clean file (C)
• BETA: Added new option –bforget [X|C] so that new files can be removed from the local corpus as either an exploit (X) or as a clean file (C). Only files previously learned should be forgotten
• BETA: Modified cxs Watch to reload the master bayes corpus on change
• BETA: Modified cxs Watch to reload the local bayes corpus, if one exists, on change
• BETA: When cxs is upgraded and the master bayes corpus exists, the latest master corpus will be automatically downloaded
• BETA: New master bayes corpus generated
• BETA: Raised bayes low/medium/high thresholds

Changes:

• A situation where Fingerprint P0452 persists was missed and is now removed

Changes:

• Fingerprint P0452 removed as it appears some legitimate scripts are using the same obfuscation technique commonly used in exploits
• BETA: Bayes corpus size decreased by a further 28% but with increased accuracy
• Exploit fingerprint definitions database additions

Changes:

• BETA: Bayes corpus format improved – if you are using this feature, download the new corpus using “cxs –bget”
• BETA: Bayes corpus memory footprint decreased by a further 20%
• BETA: Bayes corpus loading speed improvements

Changes:

• Improvements to the main decoder regex
• Improvements to decoder string extraction
• Fixed formatting of –qlocal documentation
• BETA: New Bayes corpus generated – if you are using thie feature, download the new corpus using “cxs –bget”
• BETA: Bayes corpus size decreased by 25% but with increased accuracy
• Exploit fingerprint definitions database additions

Changes:

• Added option –qlocal which provides quarantine support when using mod_ruid2 by storing quarantined files within a users account. See documentation for more information and caveats
• BETA: Bayes learning improvements (speed, memory)
• BETA: Bayes reporting improvements (speed, memory)
• BETA: New Bayes corpus generated – if you are using thie feature, download the new corpus using “cxs –bget”
• Improvements to PHP decoded script scanning efficiency

Changes:

• BETA: Bayes corpus loading speed improved by 100%
• BETA: Bayes corpus memory footprint decreased by 20%
• BETA: Increased minimum score size for Bayes reporting to help reduce false-positives

Changes:

• New option –[no]bayes (currently in BETA). Naive Bayesian probabability scanning of script files. This option uses an enhanced Naive Bayes algorithm to report a probability that a scanned script is an exploit. This is achieved through a trained corpus (database). See the cxs documentation for more details.
• Additions to main decoder regex
• Exploit fingerprint definitions database additions