General

New cxs v1.22

Changes:

  • Fixed --options [D] output not going to a --report [file]
  • Improvement to --decode [file] variable detection
  • Exploit fingerprint definitions database additions

New cxs v1.21

Changes:

  • Added UID check to ensure updates are only performed by root (UID=0)
  • New --options [D]. This is an experimental option that puts any PHP scripts containing an eval() function that decodes base64 and rot13 data through the (experimental) --decode [file] option during a scan. This will then highlight the decoded result if it hits any regex, fingerprint or virus scan matches
  • Added eval(str_rot13 to --decode [file]
  • Fixed --decode [file] not scanning final decoded result with regex definitions and fingerprints
  • Improvements to --decode [file] detection and processing
  • Modified pure-uploadscript init file to cope with multiple pure-ftpd pids on restart and to stop pure-ftpd more cleanly
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.20

Changes:

  • Improvements to regex definitions database
  • Added new ignore options for sym:, psym: and hsym: to allow ignoring of symlinks
  • Modified --generate to add sym: for symlinks to ignore file
  • All UI user selections modified to be dropdown lists
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.19

Changes:

  • Fixed bug preventing csf from blocking FTP IP addresses when –block used
  • Added failure message from csf to FTP email if deny fails
  • Added new exploit scanning option W to be used with --option (must be explicitly added to the options list – the same way as the C option). The W option will chmod all world writable directories found to 755. Use this option with care as it could prevent web scripts from functioning on non-suPHP or non-SUEXEC enabled systems

New cxs v1.18

Changes:

  • Scanning speedup when using --voptions
  • Improvements to --decode performance and effectiveness
  • New optimised fingerprint database. This new database, though with fewer entries, is better targeted at detecting relevant exploits that ClamAV misses (the majority!)
  • Changed “Match for fingerprint of an exploit” to “Known exploit = [Fingerprint Match]”
  • Changed “Match for regular expression (regex)” to “Regular expression match = [regex]”

New csf v4.89

Changes:

  • New SSHD regex added
  • Added Server Check to check whether SSHD UseDNS is set to “no” – it should be disabled
  • Added an Important Note to the readme.txt regarding the sshd UseDNS setting
  • Speedup for LF_DIRWATCH regex matching

New cxs v1.17

Changes:

  • Fixed email “ (Hits:nn)” not totalling all accounts hits

New cxs v1.16

Changes:

  • Removed spurious “set to skip” message text
  • Added “ (Hits:nn)” to the Subject line of email reports
  • Added new option --ulist [file] for use with the --all option to perform scans of only those users listed in [file]
  • Regex scanning improvements
  • Disable default deep scanning on FTP and web script uploads to help avoid false-positives. If you want to continue deep scanning add --deep to cxsftp.sh and/or cxscgi.sh
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.15

Changes:

  • Added breakout if --decode [file] depth is > 250 to prevent looping
  • Fixed problem with quarantine UI to cope with a trailing slash on the --quarantine [dir] statement
  • Improved detection of the quarantine directory in UI
  • Added DNS lookups on FTP IP address reports
  • Allow the use of floating point numbers with --throttle [num]
  • Added “Ignore” option for FTP quarantined files to Quarantine UI to add a file: ignore statement to a relevant ignore file if configured
  • Added new options --jumpfrom [user] and --jumpto [user] for use with the --all option to perform scans of only those users between the two points, both of which are inclusive
  • Added jumpfrom and jumpto to UI resource choice
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New csf v4.88

Changes:

  • Fixed URLs in Server Check report for cPanel if Security Tokens are enabled in v11.25+
  • Added IPv6 explanation that the information is determined from the output of ifconfig, and display the IPv6 addresses found
  • Added the ability to use Include statements in csf.deny and csf.allow, see readme.txt for information and restrictions