Avinash
@aviket
came to know, you need to translate something
pls contact avinash@avinashketkar.com, I can do this in Hindi and Marathi
this seems php antivirus solution, sounds interesting
Caleb Mazalevskis
@Maikuolan

Definitely! That would be fantastic, and thanks for responding. :-)

I'll send you an email a little later today.

Caleb Mazalevskis
@Maikuolan
@aviket Did you receive my email?
Avinash
@aviket
@Maikuolan @Maikuolan Yea, received the mail. I have started translating readme.md in Marathi, will be sending sample and then will send pull request ;)
Caleb Mazalevskis
@Maikuolan
Awesome! :-)
emillod
@emillod
What are you guys using besides Mussel to detect malware on your websites? I'
Daniel Ruf
@DanielRuf
@emillod I use ClamAV (like my hosting provider does) with custom (YARA) rules.
Caleb Mazalevskis
@Maikuolan
Hey guys. Your input/vote appreciated here (because I'm trying to figure out what works best for everyone, before moving forward, if possible): phpMussel/phpMussel#196
Aenos85
@Aenos85
Hi,
I want to use phpMussel and installed it via composer.
But when I open the Frontend in the browser I do not find any place to install the signatures.
When I open the Section "Update" I do not see any signature or PHP Mailer Plugin.
If I install sigtools and generate the signatures and copy them to the vault/signatures dir, nothing happens.
When I write all file names manually in the active conf I see some entries under "Signature Information" but not at the Update section, and if I do a test upload no files are detected as a virus, ...
Caleb Mazalevskis
@Maikuolan
phpmussel.png

Hi @Aenos85,

Mind having a quick look at your "Cache Data" page and letting me know what you see there? In particular, looking at the attached example screenshot, do you see anything ending with "plugins.dat" and "signatures.dat"?

I forgot to mention, sorry: Click on "Updates" page first, and then after clicking on that, check the "Cache Data" page.
This is just to confirm whether the updates page is correctly fetching the latest available information from GitHub, in order to know which signature files, components, etc to display at the updates page.
Caleb Mazalevskis
@Maikuolan
(phpMussel/Lobby deleted in favour of phpMussel2/Lobby, because we've been using this one anyway, the other had mistakes, we don't need two, etc).
Martin Francis
@classaxe

When I test with the eicar.com test file, it makes no difference whether I have any signatures enabled or not - the answer is always the same:

Fri, 08 May 2020 08:39:32 -0400 Started.

Checking 'web/eicar.com' (FN: 3642d148; FD: 6851cf3c):
-> EXE chameleon attack detected!
Fri, 08 May 2020 08:39:32 -0400 Finished.

When I test the same file with clamscan I get this result:
clamscan eicar.com
eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6935006
Engine version: 0.102.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.297 sec (0 m 15 s)

So - given that clamscan takes 15 seconds to process the file and recognises that it is the EICAR test file, how can I be sure that phpMussel is actually using the signature files in its detection at all?

What I really want to know is how can I be sure that phpMussel is actually using the signature files from clamAV at all?
Given that I have access to so few files with which to test I want to make sure that real viruses will be detected and removed according to the latest rules from clamAV.

Thanks!

Caleb Mazalevskis
@Maikuolan

Hi @classaxe,

The reason that phpMussel is showing "EXE chameleon attack detected!" as the scan results for that file, is because the .com extension of the file being scanned, from phpMussel's perspective (that is, looking just at the extension, and ignoring the fact that it's an eicar file, for the moment), suggests that the file is being presented as a Windows executable file (the .com extension, much like the .exe extension, being often used to identify Windows executable files), but the file data itself lacks the "magic number" associated with such files, therefore suggesting that the file is part of a "chameleon attack" (i.e., where a file is one particular format, but obfuscated or renamed or so on in order to appear as a completely different format, which is sometimes done by an attacker in order to attempt to trick anti-virus scanners into accepting a file which they wouldn't normally accept).

(( This particular code in the phpMussel codebase, in functions.php: ))

    /** Executable chameleon attack detection. */
    if ($phpMussel['Config']['attack_specific']['chameleon_from_exe']) {
        $Chameleon = '';
        // $xt is the file extension; $twocc is the hex of the file's first two bytes ("4d5a" = "MZ").
        if (strpos(',acm,ax,com,cpl,dll,drv,exe,ocx,rs,scr,sys,', ',' . $xt . ',') !== false) {
            if ($twocc !== '4d5a') {
                $Chameleon = 'EXE';
            }
        }
        /* ... remainder of the check not included in this excerpt ... */
    }

Of course, that this file would lack such a "magic number" makes sense, because it's the eicar file, which should generally only contain the eicar code, and therefore isn't expected to have such a "magic number" in the first place (but phpMussel won't know this yet, because the code for detecting chameleon attacks occurs earlier in the execution chain than the code which would normally be utilising the signatures necessary to detect the file as being an eicar file).

Due to the fact that PHP scripts generally need to be able to execute as quickly as possible in order to avoid timeouts, to avoid the webserver prematurely terminating the PHP process and so on, phpMussel will skip over parts of the scan process if determined to be unnecessary (i.e., if a file is flagged for some reason, and is therefore already going to be blocked, further subsequent scanning becomes a thing which would only increase the processing time required, and is therefore skipped). So in this particular case, phpMussel isn't using the signature files at all, as a direct result of the file already being identified as something to be blocked due to the chameleon attack detections.

For the purpose of ensuring that the signature files are working properly, you could temporarily disable the chameleon attack detections (therefore preventing the file from being blocked due to chameleon attack detections, therefore allowing the subsequent scanning involving signature files to occur). That way, you should see the file being blocked due to being an eicar file containing the eicar code. I would generally recommend keeping chameleon attack detection enabled at production though, as it helps to detect certain kinds of malicious files which signatures alone don't necessarily always catch. :-)

Martin Francis
@classaxe

Wow - Caleb that is an incredibly well considered and helpful response, I am so grateful that you took the time to let me know of this.

I wonder if it might be a useful thing to add to the README for the system?

Martin Francis
@classaxe

Sorry, I have a follow up.
I made changes to the config.ini file:

Line 291:
filetype_blacklist='386,acc,acm,act,apk,app,ash,asm,asx,ax,bat,bin,ccc,cgi,cmd,cpl,cpp,csh,dll,drv,elf,exe,fxp,gad,hta,htp,ico,inf,ins,inx,ipa,isu,job,js,jse,ksh,lnk,msc,msi,msp,mst,net,ocx,ops,org,osx,out,paf,php,pif,pl,prg,ps1,reg,rgs,rs,run,scr,sct,shb,shs,sql,sys,u3p,url,vb,vbe,vbs,wor,ws,wsf,xsl'
(com was removed from the list)

Line 341:
chameleon_from_exe=false

Now when I run php loader.php to get the CLI interface and scan eicar.com I still get the same EXE chameleon attack detected! message

Martin Francis
@classaxe

NEVER MIND - I GOT IT NOW:
When I change scan_cache_expiry to zero, the changes are now seen.
Without supplementary signatures installed the eicar.com file now shows a different result:

Wed, 13 May 2020 19:18:30 -0400 Started.

Checking 'eicar.com' (FN: 1ea79504; FD: 6851cf3c):
-> No problems found.
Wed, 13 May 2020 19:18:30 -0400 Finished.

I can now see what difference having the actual signatures will make.

Martin Francis
@classaxe

Well I added the clamav_exe.db obtained via SigTool.php into the phpmussel/vault/signatures folder and put the value 'clamav_exe.db' in the signatures entry in config.ini
The front end 'Signature Information' page now shows this:

Identified as "clamav_exe.db". 80,077
Total active signatures. 80,077

However, a test upload of eicar.com succeeds without error, and running phpmussel in cli mode with the command scan eicar.com once again gives this response:

Wed, 13 May 2020 19:51:56 -0400 Started.
Checking 'eicar.com' (FN: 1ea79504; FD: 6851cf3c):
-> No problems found.
Wed, 13 May 2020 19:51:56 -0400 Finished.

I'm stumped.

Is there a test possible where I can confirm the detection of the eicar.com test file without resorting to the built-in and non-signature-based brute force method?

I want to know that the signature files are read and have a chance to detect bad contents in files, but my confidence is somewhat shaken by my inability to see this happen with the test file.

Are you able to replicate this yourself Caleb?

Mathias Reker
@MathiasReker
I installed phpMussel on my localhost and configured it. But I have some problems running a scan by PHP. Can you give a real life example?
Martin Francis
@classaxe

I had a hard time until I disabled both the web and CLI front ends in config.ini. I also needed to disable 'cleanup' so I could have the variables created still in scope to call them externally:

In config.ini

cleanup=false
disable_frontend=true
disable_cli=true

Then I made this wrapper:

<?php
// Load phpMussel (v1) with the front end and CLI disabled in config.ini,
// so the $phpMussel closures stay in scope for this wrapper.
$base = realpath(dirname(__FILE__));
require($base . '/lib/vendor/phpmussel/phpmussel/loader.php');

if (!isset($argv[1])) {
    echo "Syntax:\n    php " . __FILE__ . " filename\n";
    exit(0);
}

$start = time();
$file = $argv[1];

// Scan the file and return the results as text rather than echoing them.
$results = explode("\n", $phpMussel['Scan']($file, true, true));

// Drop the "Started." line and the trailing "Finished." line plus the empty line after it.
echo "Checked " . $file . " (took " . (time() - $start) . " seconds)\n"
    . implode("\n", array_slice($results, 1, -2)) . "\n";

Then to use this in a website, you can call it like this:

$filename = "eicar.pdf"; // try eicar.png as well for a different error message
// Quote the argument so a filename containing shell metacharacters can't alter the command.
exec("php phpmussel.php " . escapeshellarg($filename));
Martin Francis
@classaxe

FYI, I couldn't get the eicar.com test file to display anything other than 'Chameleon Attack' messages, even with all the available virus signatures included and referenced.

But I could get a copy of the Narilam virus (handle live viruses with great care!) which I had obtained from a virus test repository to use the virus signatures to detect bad things inside.
However, in order not to simply hit the 'blacklisted filetype' message wall and instantly quit, I had to rename it to something not recognised - I went with .exe_

The test took over 4 minutes but did confirm that the virus signature files were indeed being used.

# php phpmussel.php test/Win32.Narilam.exe_ 
Checked test/Win32.Narilam.exe_ (took 245 seconds)
> Checking 'test/Win32.Narilam.exe_' (FN: 5ba71a41; FD: c7a527d9):
-> Detected ClamAV-Win.Downloader.Banload-78!
-> Detected ClamAV-Win.Downloader.Dadobra-31!
-> Detected ClamAV-Win.IRCBot.Petik-4!
-> EXE chameleon attack detected!

So as you can see, it got further and DID use the virus signature files, it still threw an EXE chameleon attack message, but we got something a bit more interesting this time round.

I found that this was also the only way I could call the phpmussel routines from a web page without having the page redirect to the inflexible PHP Mussel 'Virus upload detected' screen, and be able to control how I handled the message display. Hope this helps someone, I spent days trying to figure out how to do this.
Martin Francis
@classaxe

Also, if you want to install the package as a composer include, do this:
(inside composer.json)

{
    "require" : {
        "phpmussel/phpmussel": "^1.13",
        "phpMussel/SigTool": "^1.0"
    }
}

Then of course use composer install to bring all that goodness in.

... but now of course you have to mess things up by injecting a version controlled config.ini file into the phpmussel/vault folder.
I did that by creating a symlink from a config file in my version-controlled area that was part of my own project. This way I can use composer to install the libraries, but still keep configuration changes to config.ini under my control.

Also, I made a wrapper for the sigtool that would copy in the downloaded and processed files to where I needed them - namely phpmussel/vault/signatures/ - like this:

<?php
$base = realpath(dirname(__FILE__));

print "Fetching ClamAV Virus Detection Signatures\n";
print "Started at: " . date('Y-m-d h:i:s', time()) . "\n";

// Run SigTool to download and process the ClamAV signatures.
$retArr = [];
$cmd = "php $base/lib/vendor/phpmussel/sigtool/SigTool.php dmpx";
exec($cmd, $retArr);
print '   ' . implode("\n   ", $retArr) . "\n";
print "Download complete and signatures processed\n";

print "Copying files into PHPMussel Signatures folder\n";
// Remove the downloaded archives, then copy the processed signature files into the vault.
// exec() appends to the output array, so reset it before reuse.
$retArr = [];
$cmd = "rm $base/lib/vendor/phpmussel/sigtool/clamav*.gz";
exec($cmd, $retArr);
$cmd = "cp $base/lib/vendor/phpmussel/sigtool/clamav* $base/lib/vendor/phpmussel/phpmussel/vault/signatures/";
exec($cmd, $retArr);
print '   ' . implode("\n   ", $retArr) . "\n";

print "Finished at: " . date('Y-m-d h:i:s', time()) . "\n";

Lots of moving parts to get right, unfortunately NONE of this hard won information appears in the documentation.

I was literally fearful for my own job by the time I finished.

Caleb Mazalevskis
@Maikuolan
I appreciate you sharing your experience here. :-)
Also, my apologies for the delays in responding. Have been having difficulty getting to the root cause of the problem at my end (plus some other support queries sent my way via other means).
I'll see to figuring out how I could use this to improve the documentation as soon as current support/issues have been dealt with.
Martin Francis
@classaxe

Thanks Caleb, I appreciate that this program is available to us and the help you gave me earlier in making it work with our integration.

If there was a way to include the library and override certain settings - for instance to provide our own path for config.ini - that would simplify things - we wouldn't need a symlink for one thing which would have been a showstopper were we hosting in windows.

Perhaps too if you included a standalone wrapper php file (maybe similar to my own) that people could 'require' in their own code, that would simplify the process for others wanting to use what you have provided in their own integrations, while still retaining control over how the system interacted with their own platforms.

For us, having the library auto-included in every single PHP request was not going to be an acceptable solution, so an on-demand route was certainly much more preferable.

Please feel free to use the ideas above if they help. I removed everything related to the proprietary portions of our code from the implementations above.
Caleb Mazalevskis
@Maikuolan
Opinions/feedback/comments (and/or thumbs up/down) invited: phpMussel/phpMussel#218
Caleb Mazalevskis
@Maikuolan

@classaxe

> for instance to provide our own path for config.ini

That will be standard for v3 (released v3.0.0-alpha2 today; not quite ready to call it "production-ready", but hoping to get to that point very soon -- everything seems to be working properly thus far, from my own local testing, but I hope to get some others to test it first, before I green-light anything). :-)

> Perhaps too if you included a standalone wrapper php file (maybe similar to my own) that people could 'require' in their own code, that would simplify the process for others wanting to use what you have provided in their own integrations, while still retaining control over how the system interacted with their own platforms.

> For us, having the library auto-included in every single PHP request was not going to be an acceptable solution, so an on-demand route was certainly much more preferable.

Also going to make that a standard thing from v3 onward. I plan to remove all references to "requiring" phpMussel from the docs soon (may take a while; docs are super time-consuming).

If you have some spare time (but if you're busy, no worries; it's no stress), mind taking a look at this, and letting me know what you think about it?

https://github.com/phpMussel/Examples/releases/tag/v3.0.0-alpha2

(It should work properly -- I've tested everything I can immediately think of at my end, on my local machine. But, it hasn't been tested by anyone else yet, and it's less than a few hours old, so definitely not ready for production yet).