Offload malware scan to a backup server & enable Cleaning MD5 signatures
Prerequisites
- You can find the necessary repository at the following link
- You need to have uncompressed backups of the files on your production web servers
- You need to have BitNinja installed on your production web servers
- You need to have BitNinja installed on your backup server with the same user as on the production web servers
Limitations
This proof of concept setup assumes that you only log malware catches on your production web servers. Cleaning of injected files is not yet supported by this proof of concept script. Caution! If you have enabled quarantining on the production web servers and use this setup, injected files will be quarantined instead of cleaned. This is an important limitation. Please use the PoC at your own risk. Once the proof of concept proves successful, we will reimplement this feature in the agent.
Please contact BitNinja support after 2023 Q1 to find out whether this feature has been implemented in the agent as a production-ready feature.
Only scheduled / manual scans are offloaded with this PoC. The realtime scans (if enabled) will still perform the whole scan on altered or newly created files.
Installation
Follow the steps below to offload the malware scanner load onto the backup machine (and enable the Cleaning MD5 signature).
What is this repository for?
- This repository enables you to offload the malware scan to a backup server. This reduces the load generated by BitNinja's Malware Detection on your production machines.
- The pd_createmd5.sh script will automatically pick up new infections on the backup machine(s), then create and publish a new user-level MD5 signature that will quarantine the file on the production machine(s), because BitNinja can automatically distribute user-created signatures across all of your servers.
How do I get set up?
- Disable the Phase 2 scan on the production machine(s)
  Open the /opt/bitninja/modules/MalwareDetection/config.ini file with your favourite text editor, and set the value of enable_deep_scan to 0.
- Disable the active scan on the backup machine(s)
  Log in to your dashboard and turn the MalwareDetection module off on the backup machine(s).
  This will still allow manual / scheduled scans to run, but the active scan will be disabled.
- Deploy pd_createmd5.sh on the backup machine(s)
  Copy pd_createmd5.sh to the following directory on the backup machine(s): /etc/bitninja/MalwareDetection/detection.conf.d
  cp /path/to/repository/pd_createmd5.sh /etc/bitninja/MalwareDetection/detection.conf.d
- Set up a scheduled scan on the production machine(s)
  Log in to your dashboard, navigate to the Anti-Malware > Scan settings page and schedule a malware scan for every production machine.
- Additional steps to use MD5 Cleaning signatures to further improve efficiency
  This setting allows your agent to create a new type of signature capable of cleaning files during the first phase of the scan. (Without this setting only quarantining is available.)
  Change the following flag in /etc/bitninja/MalwareDetection/config.ini from create_signatures_during_phase2 = 0 to create_signatures_during_phase2 = 1. (If you do not have this setting in your /etc configuration file, locate the [core] section and add it directly under it.)
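The two config edits from the steps above, written as an added shell example (not part of this repository or the BitNinja agent): set_ini_key replaces a key that already exists, adds it directly under the [core] section when the key is missing, or appends the section when even that is absent; verify_setup then checks that both flags hold the values the steps call for. The file names and sample contents below are constructed; the real paths are the two config.ini files named in the steps.

```shell
#!/bin/sh
# Added example, not part of the BitNinja repository or agent: apply the config
# edits from the setup steps in a repeatable way. Values are assumed to be simple
# tokens such as 0 or 1 (no '/', '&' or newlines), which is all these flags take.
set -eu

set_ini_key() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # key present: rewrite its value in place, leave every other line alone
        sed "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $value/" "$file" > "$tmp"
    elif grep -qx "\[$section\]" "$file"; then
        # key absent, section present: insert the key right under the header
        awk -v hdr="[$section]" -v line="$key = $value" \
            '{ print } $0 == hdr { print line }' "$file" > "$tmp"
    else
        # neither present: append the section header followed by the key
        { cat "$file"; printf '[%s]\n%s = %s\n' "$section" "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"   # overwrite in place so file ownership/mode are kept
    rm -f "$tmp"
}

# Print the first value set for key in file (empty output if the key is absent).
get_ini_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 only when the Phase 2 scan is off in the modules config ($1) and the
# cleaning-signature flag is on in the /etc config ($2).
verify_setup() {
    [ "$(get_ini_key "$1" enable_deep_scan)" = "0" ] &&
    [ "$(get_ini_key "$2" create_signatures_during_phase2)" = "1" ]
}

# Demonstration on constructed copies of the two config files.
demo_dir=$(mktemp -d)
printf '[core]\nenable_deep_scan = 1\n' > "$demo_dir/modules.ini"
printf '[core]\nlog_level = info\n' > "$demo_dir/etc.ini"   # flag missing here
set_ini_key "$demo_dir/modules.ini" core enable_deep_scan 0
set_ini_key "$demo_dir/etc.ini" core create_signatures_during_phase2 1
verify_setup "$demo_dir/modules.ini" "$demo_dir/etc.ini" && echo "setup flags OK"
cat "$demo_dir/etc.ini"
```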
Who do I talk to?
- Written by Mark Bacsko
- Any questions should be sent to: mark@bitninja.io