antimalware:scanning

Configure the anti-malware (LMD) scanning settings.

sentinel --task=antimalware:scanning
Options (value type, default and description):

--scan_max_depth <digit>
    Default: 15
    The maximum directory depth that the scanner will search; a value of 10-15 is recommended. (Changing this may have an impact on scan performance.)

--scan_min_filesize <digit>
    Default: 24
    The minimum file size, in bytes, for a file to be included in LMD scans. (Changing this may have an impact on scan performance.)

--scan_max_filesize <string>
    Default: 2048k
    The maximum file size for a file to be included in LMD scans. Accepted value formats are b, k and M. When using the clamscan engine, the max_filesize will be dynamically set based on the largest known file size from the MD5 hash signature file. (Changing this may have an impact on scan performance.)

--scan_hexdepth <digit>
    Default: 65536
    The maximum byte depth that the scanner will search into a file's content. The default signature rules expect a depth of at least 65536 bytes. (Changing this may have an impact on scan performance.)

--scan_hexfifo <1|0>
    Default: 1
    Use a named pipe (FIFO) for passing file content hex data instead of the stdin default; this gives improved performance and greater scanning depth. It is highly recommended and works on most systems. The hexfifo will be disabled automatically if for any reason it cannot be successfully utilized.

--scan_hexfifo_depth <digit>
    Default: 524288
    The maximum byte depth that the scanner will search into a file's content when using the named pipe (FIFO). The improved performance allows for a greater scan depth than the default scan_hexdepth value. (Changing this may have an impact on scan performance.)

--scan_clamscan <1|0>
    Default: 1
    Use clamdscan as the default scan engine, which provides improved scan performance on large file sets. The clamdscan engine is used in conjunction with native ClamAV signatures updated through freshclam, along with LMD signatures providing additional detection capabilities. If the ClamAV daemon is not running, it will fall back to the clamscan binary instead.

--scan_tmpdir_paths <string>
    Default: /tmp /var/tmp /dev/shm
    Include the scanning of known temporary world-writable paths.

--scan_user_access <1|0>
    Default: 0
    Allows non-root users to perform scans. This must be enabled when using mod_security2 upload scanning or if you want to allow users to perform scans. When enabled, this will populate "pub/" with user-owned quarantine, session and temporary paths to facilitate scans.

--scan_cpunice <int>
    Default: 19
    Process CPU scheduling (nice) priority level for scan operations. (-19 = high priority, 19 = low priority, default = 19)

--scan_ionice <digit>
    Default: 6
    Process IO scheduling (ionice) priority level for scan operations. (0 = most favorable IO, 7 = least favorable IO)

--scan_cpulimit <digit>
    Default: 0
    Set a hard limit on CPU usage for the find and clam(d)scan processes. This requires the "cpulimit" binary to be available on the server. The value is expressed as a relative percentage * N cores on the system: an 8-core system would accept values from 0 - 800, a 12-core system 0 - 1200, etc.

--scan_ignore_root <string>
    Default: 1
    As a design and common use case, LMD typically only scans user-space paths, and as such it makes sense to ignore files that are root-owned. It is recommended to leave this enabled for best performance.

--scan_ignore_user <string1,string2>
    Ignore specific users from scans. This option should be used with care and is not ideal for ignoring false positives; instead, use one of the ignore files.

--scan_ignore_user_add <string>
    Add a single entry to scan_ignore_user.

--scan_ignore_user_del <string>
    Remove a single entry from scan_ignore_user.

--scan_ignore_group <string1,string2>
    Ignore specific groups from scans. This option should be used with care and is not ideal for ignoring false positives; instead, use one of the ignore files.

--scan_ignore_group_add <string>
    Add a single entry to scan_ignore_group.

--scan_ignore_group_del <string>
    Remove a single entry from scan_ignore_group.

--scan_find_timeout <string>
    Default: 0
    The maximum amount of time, in seconds, that the "find" file list generation will run before it is terminated. All "find" results up to the point of termination will be fully scanned. If performing a full scan of all user paths on a large server, it is reasonable to expect the find operation to take a long time to complete, and as such this feature may interfere.

--scan_export_filelist <1|0>
    Default: 0
    The daily cron "find" operation performed by LMD detects recently created/modified user files. This "find" operation can be especially resource intensive, and it may be desirable to persist the file list results so that other applications/tasks may make use of them. When scan_export_filelist is enabled, the most recent result set will be saved to "/usr/local/maldetect/tmp/find_results.last".

--default <yes>
    Reset all settings to their default values.

--default_option <option>
    Reset a specific setting to its default value.

--restart <yes>
    Restart the service after saving settings.

Examples

// set the scan_max_depth
sentinel --task=antimalware:scanning --scan_max_depth=20 --restart=yes

// reset scan_max_depth back to its default value
sentinel --task=antimalware:scanning --default_option=scan_max_depth --restart=yes

// reset all settings to their default values
sentinel --task=antimalware:scanning --default=yes --restart=yes
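An added example, not part of the Sentinel or LMD documentation: a small POSIX sh helper that derives a --scan_cpulimit value from the host's core count (following the "percentage * N cores" rule above), checks a --scan_max_filesize value against the accepted b/k/M formats, and only then assembles the sentinel command. The helper names and the 50% CPU default are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Sentinel or LMD documentation.
# Derive --scan_cpulimit from the host's core count and validate a
# --scan_max_filesize value before building the sentinel command.

# scan_cpulimit is a relative percentage times the number of cores:
# an 8-core host accepts 0-800, so 50% of 8 cores is 400.
lmd_cpulimit() {
    cores=$1
    percent=$2
    echo $(( cores * percent ))
}

# scan_max_filesize accepts b, k or M suffixes (e.g. 2048k, 10M).
# Returns 0 when the value is well-formed, 1 otherwise.
valid_filesize() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[bkM]$'
}

# Assemble (and print, for review) the sentinel invocation. Arguments:
# max file size and the percentage of total CPU the scanner may use.
# Pipe the output to sh, or drop the leading "echo", to apply it.
build_scan_limits() {
    size=$1
    percent=${2:-50}   # assumption: cap the scanner at half the CPU capacity
    if ! valid_filesize "$size"; then
        echo "invalid scan_max_filesize: $size (use b, k or M)" >&2
        return 1
    fi
    cores=$(nproc 2>/dev/null || echo 1)
    limit=$(lmd_cpulimit "$cores" "$percent")
    echo "sentinel --task=antimalware:scanning" \
         "--scan_max_filesize=$size" \
         "--scan_cpulimit=$limit" \
         "--scan_ionice=7" \
         "--restart=yes"
}

build_scan_limits "${1:-2048k}" "${2:-50}"
```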