Releases: rfxn/linux-malware-detect
LMD v2.0.1
v2.0.1 is the largest release in the history of Linux Malware Detect. It is a foundational rewrite of the scan, monitor, alert, and packaging stacks, retains complete backward compatibility for every public CLI flag and config variable, and closes 50+ user-reported issues.
Headline changes
- Native scan engine, no Perl dependency. HEX + CSIG merged into a single batch-scanned worker pass with parallel grep workers and micro-chunked processing (`scan_hex_chunk_size`). 43x faster on HEX-heavy workloads. Perl runtime requirement removed.
- SHA-256 with hardware acceleration. New `scan_hashtype=auto|sha256|md5|both` selector; auto-detects SHA-NI on x86 / SHA2 on ARM and prefers SHA-256 transparently. Ships `sha256v2.dat`, `custom.sha256.dat`, and ClamAV `.hsb` integration (gated on ClamAV ≥ 0.97).
- Compound signatures (csig). Multi-pattern boolean matching with AND / OR / threshold subsigs, case-insensitive (`i:`), wide UTF-16LE (`w:`), and bounded-gap wildcards (`{N-M}`). New `csig.dat` and `custom.csig.dat`; `scan_csig` config gate.
- Scan lifecycle management. Foreground and background scans now expose `--kill`, `--pause`/`--unpause`, `--stop`/`--continue`, and a redesigned `-L`/`--list-active` with running, paused, stopped, and historical scans in one columnar view. Checkpoint resume is eval-free (`printf -v` + `-co` allowlist). `scan.meta` records per-scan state; `--maintenance` rotates history, compresses sessions, and archives by month.
- Inotify monitor redesign. Supervisor model replaces the legacy double-fork: graceful shutdown, crash recovery, session rotation, event filter, PID guard, and ClamAV cache integration. 12 long-standing monitor defects resolved at once. `monitor_paths_extra`, `digest_interval`, and `digest_escalate_hits` added. Closes #447, #454, #459.
- TSV canonical session format. 11-field structured hit records (`#LMD_INDEX:v2`, 14 fields total) replace plaintext session files. `session_legacy_compat=auto` keeps old reports readable. Powers JSON output and lifecycle list at O(1) cost per session.
- JSON report output (schema 1.2). `--json-report [SCANID|list|newest]` renders TSV sessions as JSON with a uniform `{schema_version, scanner, host, reports[]}` shape; the same envelope is used for per-scan and list output. `started_epoch`/`stopped_epoch`/`completed_epoch` integers for consumer-side sorting; legacy plaintext sessions emit the same shape with null fields. Closes #466.
- Email alerts reimagined. Dual HTML + text format with a `{{TOKEN}}` template engine, on-demand HTML rendering (no persisted `.html` artifacts), full SMTP relay support (`smtp_relay`, `smtp_from`, `smtp_user`, `smtp_pass`), and Outlook-compatible responsive layout. Closes #198, #265.
- Slack, Telegram, Discord. Slack migrated off the deprecated `files.upload` API to `getUploadURLExternal`/`completeUploadExternal` (Block Kit templates). Telegram uses MarkdownV2 with proper `/bot` prefix. Discord webhooks added for the first time (`discord_alert`, `discord_webhook_url`). Closes #387, #458, #461, #426.
- Native YARA stage. YARA runs as an independent scan stage when `scan_yara=1` (or `auto`), supporting `yara` (4.x) and `yr` (YARA-X). Custom rules via `custom.yara` and `custom.yara.d/` drop-ins; compiled rules via `yarac`; `--scan-list` batch scanning. Closes #239, #277, #392.
- RPM and DEB packaging in-tree. Full RPM (el7/el8/el9) and DEB packaging under `pkg/` with FHS-compliant layout, backward-compatible symlink farm (`pkg/symlink-manifest`), and a `dh_fixperms` override that preserves project modes. `pkg-postinst.sh` shared across install methods. Closes #267.
- Sub-library decomposition. `files/internals/functions` split into 14 cohesive `lmd_*.sh` modules (config, init, clamav, sigs, engine, yara, quarantine, session, lifecycle, scan, hook, monitor, update, alert) sourced by a `lmd.lib.sh` hub with `_LMD_<STEM>_LOADED` source guards. Vendored shared libraries: `tlog_lib`, `elog_lib` (structured event logging with audit trail), `alert_lib`, `pkg_lib`.
- Hookscan API. Real-time scanning callable from ModSecurity, ProFTPD, Pure-FTPd, Exim, and a generic mode. Per-mode dispatch, `--list`/`--stdin` batch input, rate limiting, sig masking, on-hit escalation, deduped digests, and `--report hooks` with time/mode filters.
- post_scan_hook. Configurable script execution after every scan completion. args/file/json output tiers, sync/async, SIGTERM/SIGKILL timeout, `min_hits` threshold, scan-type filter, scan_start epoch in JSON. Closes #477.
- Position-independent CLI. Modifier flags (`-x`, `-i`, `-hscan`, `-qd`, `-co`, `--format`, `--mailto`) work in any order. `-co` uses an in-memory parser. The `-co` allowlist (79 vars) and `_safe_source_conf` close the long-standing remote-config injection class.
- CI on every push/PR. GitHub Actions smoke-test workflow, 9 OS matrix (CentOS 6/7, Rocky 8/9/10, Ubuntu 20.04/24.04, Debian 12, FreeBSD partial), 1080 BATS tests + 100-scenario UAT.
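As an added illustration (not code from the LMD project) of the eval-free, allowlisted handling of `-co key=value` overrides described above: the allowlist contents and variable names are a constructed sample, and bash 3.1+ is assumed for `printf -v`.

```bash
#!/usr/bin/env bash
# Added example, not LMD's own code: an allowlisted, eval-free handler for
# "-co key=value" overrides in the spirit of the v2.0.1 -co allowlist and
# printf -v checkpoint resume. The allowlist below is a constructed sample,
# not the project's 79-variable list. Requires bash >= 3.1 for printf -v.

# Constructed sample of variables that may be overridden from the CLI.
CO_ALLOWLIST="scan_hashtype scan_yara scan_workers email_alert"

# A shell identifier: letters, digits, underscore, not starting with a digit.
_is_valid_varname() {
  case "$1" in
    '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

_is_allowlisted() {
  local name="$1" allowed
  for allowed in $CO_ALLOWLIST; do
    [ "$allowed" = "$name" ] && return 0
  done
  return 1
}

# apply_config_option KEY=VALUE
# Assigns VALUE to KEY as an opaque string. Returns 1 on malformed input,
# 2 when KEY is outside the allowlist, 0 on success.
apply_config_option() {
  local opt="$1" name value
  case "$opt" in
    *=*) ;;
    *) return 1 ;;
  esac
  name="${opt%%=*}"
  value="${opt#*=}"
  _is_valid_varname "$name" || return 1
  _is_allowlisted "$name" || return 2
  # printf -v stores the string verbatim. The legacy pattern
  #   eval "$name=$value"
  # would instead parse VALUE as shell code, which is the injection class
  # that the allowlist plus printf -v combination is meant to close.
  printf -v "$name" '%s' "$value"
}

# apply_config_options "k1=v1,k2=v2,..."
# Splits on commas only (no globbing, no splitting on spaces) and stops at
# the first rejected entry, returning its status.
apply_config_options() {
  local entry entries
  IFS=',' read -r -a entries <<< "$1"
  for entry in "${entries[@]}"; do
    apply_config_option "$entry" || return $?
  done
  return 0
}
```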
Incremental new features
- `scan_clamscan` and `scan_yara` accept `auto` for runtime binary detection.
- `--test-alert {scan|digest} {email|slack|telegram|discord}`: send a synthetic alert through the real rendering pipeline, root-only.
- `-v`/`--version` flag. Closes #451.
- Independent 6-hourly signature update job via `/etc/cron.d/maldet-sigup`, configurable via `sigup_interval` (set to 0 to disable). Plus `cron.watchdog` weekly fallback.
- `cron.daily` cPanel addon/subdomain detection via `/etc/userdatadomains` and Bitrix panel detection. Closes #268, #381.
- ClamAV signature validation gate (`clamscan -d`) before deployment; `sigup()` SIGUSR2 reload only on validation success. Closes #467.
- `monitor_scan_owner_filters` toggle. Default `0` restores v1.6.6 monitor semantics so root-owned malware drops are scanned regardless of `scan_ignore_root`. Closes #485.
- Two-file `ignore_inotify` model: LMD-managed `ignore_inotify.defaults` (systemd-private tmpdirs, modern MariaDB, PostgreSQL, Redis, ClamAV runtime) plus user-owned `ignore_inotify`; `literal:` per-entry escape prefix for paths with regex metacharacters. Closes #480, #484.
- Logrotate config (`/etc/logrotate.d/maldet`, weekly, 12 rotations) when logrotate is available.
- Symlink-farm enforcement at startup (`pkg_fhs_verify_farm`), FHS fallback sourcing (`/usr/lib/maldet`) when legacy symlinks are broken, and portable source-tree execution so `maldet` runs directly from `git clone` with no `install.sh` (`LMD_BASEDIR` env override).
- Audit log with 7 event types (purge, update, alert_failed, hookscan source/rate metadata).
- Importconf extracted from `install.sh` into a standalone helper for shared use.
- Package install tests verifying FHS layout, symlink farm, and explicit permissions modes.
Changes & polish
- Vendored libs synced to canonical: tlog_lib 2.0.6, alert_lib 1.0.7, elog_lib 1.0.6, pkg_lib 1.0.10.
- Alert templates: summary consolidated into headers, `TOTAL` prefix dropped, quarantine metrics added, aligned column spacing.
- Hook scans write to a rolling `hook.hits.log` instead of creating per-scan session files; `genalert()` suppressed for hook scans.
- Scan engine: HEX+CSIG merged into a single worker pass; scan stage reorder (strlen runs last); bulk awk HEX classifier; `gensigs()` awk compiler.
- `_scan_progress()`: plain newline output in non-TTY contexts (no ANSI), logarithmic backoff on non-native engines, watchdog semantics for engine health.
- FHS log path: `/var/log/maldet/` is authoritative for all install methods; `$inspath/logs` is a backward-compatible symlink; `install.sh` migrates existing logs preserving timestamps.
- `--maintenance`: session compression age 1h → 30d, archive age 30d → 90d, `scan_meta_cleanup_age` 24h → 48h; new `maint_compress_age` and `maint_archive_age` (0 disables).
- `cron.daily`: runs `--maintenance` after `sigup`/`versionup`; hardcoded log paths replaced with `$maldet_log`.
- `scan_workers` default `0` → `auto` (legacy `0` still accepted).
- `scan_hexdepth` default 512 KB → 256 KB; covers 98.9% of HEX patterns with YARA backstop.
- Update verification prefers SHA-256 over MD5; graceful MD5 fallback when `sha256sum` is absent.
- `maldet.service`: `EnvironmentFile` moved to `/etc/sysconfig/maldet` or `/etc/default/maldet`; init script uses `-b`.
- `-E`/`--dump-report` suppressed from help; case handler retained for backward compat.
- `inotify_verbose` and `telegram_file_caption` config variables removed (dead code).
- `compat.conf` now maps deprecated variable names; `import_custsigs_*_url` → `sig_import_*_url`.
- Lifecycle JSON: `scanid` → `scan_id` (alias retained for one cycle, removed in v2.1.0); `workers` normalized to int. Closes #482.
Bug fixes (themed)
Monitor mode
- ERE semantics restored for `ignore_inotify` entries; `literal:` escape prefix added; `ignore_paths` uses `grep -E -vf` to match scan-mode semantics. Closes #484, #104, #431.
- Ownership filters no longer drop root-owned malware silently; gated behind `monitor_scan_owner_filters` (default off). Closes #485.
- `ignore_inotify` union-loaded from defaults + user overrides. Closes #480.
- Filtered-cycle event-count logging added when all events drop on tier-2 scan filter.
JSON / reporting
- `--json-report list`: path field parity, unified JSON escaping, dedup+escape rewrite eliminates O(N²) hang at ~20K sessions (82s → 1.7s); `active[]` gains lifecycle schema. Closes #482.
- `reports[]` globally sorted by `started_epoch` newest-first across TSV index + legacy passes; pass-2 glob skips legacy `session.*.html` artifacts (12s+ hangs on upgrades). Closes #483.
- `_json_escape_string`: bash parameter expansion replaces sed pipeline (FreeBSD + multi-newline fix).
- `view_report()`: on-demand text rendering from TSV; `newest`/empty SCANID resolve to most recent session. Closes #336.
Scan lifecycle
- ...
LMD v2.0.1-rc4
Bug-fix and polish candidate. Three user-reported regressions from rc1-rc3 closed, JSON report surface stabilized at schema 1.2, CHANGELOG deduped.
Fixes
- #484 (reported by @Gazoo): `ignore_inotify` stopped honoring regex entries after the v2.0.1 monitor redesign. Restored v1.6.6 POSIX ERE semantics so anchors and wildcards in user entries work as intended. Added `literal:` per-entry prefix as opt-in escape for paths that contain regex metacharacters. `ignore_paths` in monitor mode now uses `grep -E -vf` to match scan-mode semantics. Re-added curated `scantemp` default for ClamAV runtime temp noise.
- #485 (reported by @Gazoo): `quarantine_hits` silently skipped monitor-mode hits when ownership filters dropped events. New `monitor_scan_owner_filters` toggle in `conf.maldet`. Default `0` (off) restores v1.6.6 monitor semantics so every file is scanned regardless of owner. Set `1` to re-enable ownership filters in monitor mode.
- #483 (reported by @Gazoo): `--json-report list --all` now merge-sorts `reports[]` newest-first globally, eliminating interleaving between TSV and legacy sessions. Added `started_epoch` (int) across `active[]`, `stopped[]`, `reports[]` for consumer-side sort. Pass-2 session glob now skips legacy `.html` artifacts, fixing 12s+ hangs on upgrades with pre-on-demand-HTML files.
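As an added illustration (not the project's code) of the two-file `ignore_inotify` model, the `literal:` prefix and the `grep -E -vf` filter described in this fix and in the v2.0.1 notes: the escaping rules, the unanchored substring semantics assumed for `literal:` entries, and the sample entries and event paths are all constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not LMD's own code: the two-file ignore_inotify model
# (LMD-managed defaults + user overrides) merged into one POSIX ERE pattern
# file, with "literal:" entries escaped so regex metacharacters in a path
# match themselves, then applied to inotify event paths with grep -E -vf.
# The escaping rules and the unanchored substring semantics of "literal:"
# entries are assumptions made for this example.

# Escape every ERE metacharacter so the string matches only itself.
ere_escape() {
  local s="$1" c
  s="${s//\\/\\\\}"   # backslash first, so the escapes added below stay single
  for c in '.' '*' '+' '?' '^' '$' '|' '(' ')' '[' ']' '{' '}'; do
    s="${s//"$c"/\\$c}"
  done
  printf '%s\n' "$s"
}

# build_ignore_regex DEFAULTS_FILE USER_FILE OUT_FILE
# Union of both files. Blank lines and '#' comments are dropped, "literal:"
# entries are escaped, every other entry is kept verbatim as an ERE so
# anchors and wildcards in user entries keep working (v1.6.6 semantics).
build_ignore_regex() {
  local out="$3" f line
  : > "$out"
  for f in "$1" "$2"; do
    [ -r "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        '' | '#'*) continue ;;
        literal:*) ere_escape "${line#literal:}" >> "$out" ;;
        *) printf '%s\n' "$line" >> "$out" ;;
      esac
    done < "$f"
  done
}

# filter_events REGEX_FILE < paths
# Prints the event paths that are NOT ignored. grep exits 1 when nothing
# survives, which is not an error here; status 2 (bad regex) still fails.
filter_events() {
  if [ -s "$1" ]; then
    grep -E -v -f "$1" || [ $? -eq 1 ]
  else
    cat
  fi
}

# demo_ignore_filter: constructed sample inputs; prints the surviving paths.
demo_ignore_filter() {
  local d
  d=$(mktemp -d)
  # LMD-managed defaults (constructed): ClamAV scantemp noise and MariaDB data.
  printf '%s\n' '^/tmp/.*scantemp.*' '^/var/lib/mysql/' > "$d/ignore_inotify.defaults"
  # User overrides (constructed): a path containing a regex metacharacter, plus an ERE.
  printf '%s\n' '# site-specific overrides' 'literal:/home/app/cache.v2/' '\.log$' > "$d/ignore_inotify"
  build_ignore_regex "$d/ignore_inotify.defaults" "$d/ignore_inotify" "$d/ignore.regex"
  # Without the literal: escape, "cache.v2" would also swallow "cache-v2".
  printf '%s\n' \
    '/tmp/clamav-1234.scantemp.1' \
    '/var/lib/mysql/ib_logfile0' \
    '/home/app/cache.v2/x.php' \
    '/home/app/cache-v2/x.php' \
    '/home/user/public_html/access.log' \
    '/home/user/public_html/shell.php' |
    filter_events "$d/ignore.regex"
  rm -rf "$d"
}
```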
JSON schema 1.2
- `session.index` field count: 11 to 14 (engine, hash_type, sig_version appended).
- `--json-report list` emits `schema_version: "1.2"` with top-level `scanner` and `host` blocks.
- Per-scan JSON renderers mirror the list-report shape for a uniform consumer contract.
- Header `#LMD_INDEX:v2` with 11-arg back-compat reader for pre-1.2 index files.
Coverage
- Full distro matrix on anvil: 9 OS targets, 1080 tests each, 0 failures.
- UAT: 100/100 pass on Debian 12.
- Sentinel review: APPROVE, 0 MUST-FIX, 0 SHOULD-FIX.
Thanks @Gazoo for the detailed reproductions on all three issues.
1.6.6.1
v1.6.6.1 | Feb 25 2025:
[Fix] find_recentopts incorrectly escaping find options to the right of ( -mtime .. -ctime ); previously normalized by eval; issue #440, pr #442
[Fix] persist configuration value inotify_docroot between upgrades; issue #439
Full Changelog: 1.6.6...1.6.6.1
1.6.6
v1.6.6 | Feb 19 2025:
[Fix] replaced eval usage in dynamic execution to improve security; thank you for responsible disclosure from barrebas
[Fix] malware notification emails to ignore inactive siteworx users; pr #425
[New] add reporting support for telegram channel; pr #378
[New] add statistics collection and sending to ELK; pr #359
[Fix] prune ignore_paths with find -prune; pr #423, issue #433
[Fix] suppress excessive clamav temporary file inotify alerts by adding /tmp/.*scantemp.* to ignore_inotify; issue #431, #104
[Fix] consistent cron.daily file sourcing to allow configuration overrides; issue #401, #115
New Contributors
- @nexnwelch made their first contribution in #425
- @mrpk1906 made their first contribution in #378
- @fernandodebrando made their first contribution in #359
Full Changelog: 1.6.5...1.6.6
1.6.5
v1.6.5 | Mar 27 2023:
[Fix] monitor mode white space detection; issue #354
[Change] event_log/clamscan_log now record year in timestamp; issue #352
[Change] -p|--purge will now trim the inotify_log; issue #350
[New] -E|--dump-report to dump reports to stdout; pr #362
[Fix] monitor mode will now fail to start if 'ed' is not installed; issue #350
inotify_log requires in-place inode pruning to prevent exponential growth
[Fix] inotify kernel support on debian11 checking only System.map; pr #398
[Fix] human-readable path not displaying on -a|--scan-all default path scan (/home); #407
[Change] default scoped scan adjusted from /var/www/html to /var/www to make sure we scope all www content; #404
[Fix] compare md5 on ignore_sigs between monitor mode cycles and only regenerate signatures on file changes; #397
[New] add detect_control_panel function to files/internals/functions to determine installed control panel; pr #409
[New] add get_panel_contacts to files/internals/functions to discover contact emails; pr #409
[New] add configuration options for From, Subject, Reply-To headers on alert emails; pr #409
[New] add flag to enable these alerts (requires email_alert to be enabled as well); pr #409
[New] add internal configuration to set the user alert template location; pr #409
[New] add a base template that will be used to create emails to control panel contacts; pr #409
[Change] ambiguous restore error modified to include file name
[Fix] adjusted ftp.rfxn.com checkout credentials; #390
[Fix] systemd unit file not copying properly; #371, #413
[Fix] monitor mode dependency failures on 'ed' not properly logging to be captured by unit file; #395
[Fix] newer versions of cpulimit explicitly enforce the usage of '--' to define where cpulimit options end; #395
New Contributors
- @samsalisbury made their first contribution in #362
- @JamesColeman-LW made their first contribution in #402
- @erikdemarco made their first contribution in #393
- @danci1973 made their first contribution in #388
- @colindclare made their first contribution in #409
Full Changelog: 1.6.4...1.6.5
1.6.4
v1.6.4 | Mar 18 2019:
[New] add quarantine_on_error variable to control quarantine behavior when scanner engines such as ClamAV encounter an error
[New] add support for slack alerts; pr #240 mostafahussein
[New] add ability to disable cron via conf.maldet; issue #260 / pr #300 , #304 sporks5000
[New] add cleaner rule for php.malware.magentocore_ccskim and an alias of as php_malware_hexinject for associated yara rule
[Change] update cron.daily for ispmanager5; pr #305 yogsottot
[Change] normalize variable naming of pr #300 , #304
[Change] validate cron_daily_scan is set; otherwise default to 1
[Change] update importconf for cron_daily_scan block
[Change] don't need "find" if given a file list; pr #303 sporks5000
[Change] rename ambiguous internal variables related to user signatures
[Change] removed clamscan_return code capture from piped logic of clam(d)scan execution; now always capture return code, even on good exits
[Change] scan results now explicitly exclude any occurrences of files related to 'no reply from clamd' errors
[Change] add backward compatibility for renamed internals.conf variables
[Change] removed legacy $verbose tagging at the end of eout() calls
[Change] modified cleaner rules to set their own PATH scoping
[Change] file_stat() has been renamed get_filestat to match associated quar_get_filestat function naming
[Change] get_file_stat() will now grab md5 hash of files to avoid superfluous md5sum calls
[Change] added inotify elapsed run time to scan report output
[Change] adjust '-e|--report' output for etime value and spacing
[Change] force email_ignore_clean=1 to stop the most common email requested issue
[Fix] hitname not logging to quarantine.hist on manual quarantine run against scanid; issue #319
[Fix] typo in PR #300; missing '; then' on elif
[Fix] set default_monitor_mode to resolve issue #311 systemd service passing $default_monitor_mode as a literal string to the service
[Fix] sad mail/sendmail validation logic, fix issue #316
[Fix] normalized scan start time output in scan reports when inotify monitoring is used
[Fix] scan report list summary to always display an etime value, even if null
[Fix] ad-hoc clean calls from clean_hitlist() was not executing sigignore and gensigs functions causing clean tasks to fail due to missing variables; issue #203
[Fix] adjust semantics of comma and spaced variables being passed to '-co|--config-option'; pr #298 sporks5000
[Fix] modified quarantine_hits to force disable if clamdscan explicitly encounters a 'no reply from clamd' fatal error
[Fix] modified install.sh 'ps' execution to be BSD compliant
[Fix] clean function was not properly stripping {CAV} and {YARA} prefixes from signature names when executing cleaner rules
[Fix] clean function was not properly handling signature names with both underscores and periods
[Fix] refactored clean_hitlist() & clean() functions to resolve pathing errors when cleaning previous session hits; issue #203
[Fix] ignore_inotify file exist/empty file negative match; issue #330
[Fix] operator issue cron.daily #331
[Fix] install.sh $ver required major numbering; renamed to ver_major so that session preservation semantics continue to work
1.6.3
v1.6.3 | Sep 01 2018:
[Fix] ensure clamscan_max_filesize is always set; pr #296
[Fix] remove escaping from inotifywait exclude regexp; pr #246 issue #205
[Fix] always set a value for monitor mode systemd unit; pr #257
[Fix] quar_get_filestat variable collisions during restore operations
[Fix] quarantine files could be prematurely deleted, during 'cron.daily/maldet', on distributions where the 'mv' command preserves origin file mtime; call 'touch' on quarantined files to set current mtime post-move to quarantine path; issue #294
[Fix] update tlog inotify tracking file before trimming to prevent rescan loop; pr #292
[Fix] revert pruning empty lines from signature files to 1.6.1 behavior
[Fix] usage semantics of cd'ing to a wildcard path on newer versions of Bash were causing version updates to fail; we now explicitly 'cd' to maldetect-${upstreamver}
[Fix] spelling corrections; pr #269
[Change] update importconf text to reflect monitor mode on systemd behavior
[Change] on restore actions, reset restored files to original mtime value
[Change] increase default remote_uri timeout from 10s to 30s
[Change] increase default remote_uri tries from 3 to 4
[Change] added base_domain variable to internals.conf
[Change] cleanup .tgz/.md5 files on version updates mid-flight to prevent potential 'cd: too many arguments' errors
[Change] trim inotify log from beginning instead of end of file; pr #292
[Change] user mode scanning no longer scans system temporary paths; issue #283
[Change] improve regexp of scan start time values for '-e|--list' output
[Change] added '--beta' flag to '-d|--update-ver' to support pulling down beta release of LMD
[Change] stage v1.6.3 release; update version and date stamps
[Kudos] Thank you to those that contributed pull requests and issues during this release cycle. PR contributions from:
sporks5000
jsoref
Joshua-Snapp
mkubenka
jkronza
AnnopAlias
1.6.2
v1.6.2 | Jul 13 2017:
[Fix] signature updates using get_remote_file() would incorrectly write temporary update files into /; issue #242
[Fix] added 'which curl' and 'which wget' for variable scoping of binary locations into internals.conf; issue #237
[New] added support to send email through 'sendmail' binary as alternative to 'mail'; pr #241 & issue #238
1.6.1
v1.6.1 | May 28 2017:
[New] added conf.maldet option cron_prune_days to configure cron.daily pruning max age of quar/sess/tmp data; issue #197
[New] added curl support, as new default, into get_remote_file; wget support is preserved secondary to curl; issue #200
[New] added --force option on -u|--update-sigs
[New] added --force option on -d|--update-ver
[New] added empty lines cleaner for runtime signatures and sorting of hdb for better performance; pr #223
[Change] modified default prune interval of quarantine/sess/tmp data from older than 7d to 21d
[Change] set email alerts to disabled when -z $mail / issue verbose warning on CLI; issue #220
[Change] scan_export_filelist feature had no real need to be limited to just cron runs;
modified so when set, it will export find results for all '-r|--recent' scans
[Change] updated help and README to reflect '--force' option on '-u|--update-sigs' and '-d|--update-ver'
[Change] post-change to get_remote_file(); signature version file was truncating with tmp file for maldet-clean
[Change] replaced all calls of wget with get_remote_file()
[Change] refactored get_remote_file() to be more generic / not depend on wget
[Change] increased default values for wget --timeout from 5 to 10 seconds
[Change] replace egrep with posix 'grep -E'; direct invocation of egrep/fgrep is deprecated; pr #214
[Fix] modified sourcing of conf files and order of precedence in maldet.sh init script to properly
treat default_monitor_mode being defined in conf.maldet; issue #224
[Fix] escape quotes within eval md5sum command as fix for issues #230 and #216
[Fix] test condition for systemd was generating unary errors on older versions of bash; pr #36
[Fix] systemd based systems were skipping addition of sysconfig entry; pr #36
[Fix] install.sh find operation to prune old install backups was generating error when no previous installs existed
[Fix] wgetopt was single quoted making the variables inside of it strings, set double quotes
[Fix] potential out of memory issue while scanning a large set of files on native LMD scanner; pr #223
[Fix] -f option issue with relative path message; pr #223
[Fix] issue with checkout of relative file path for non root user; pr #223
1.6
v1.6 | Mar 17 2017:
[New] added curated set of YARA webshell & malware signatures for use with ClamAV >= 0.99b
[New] added cleaner rule 'VistorTracker.Mob'
[New] added cleaner rule 'js.inject.fakejquery02'
[New] added support for 'froxlor' to cron.daily execution
[New] added support for 'vestacp' to cron.daily execution
[New] added support for 'ispconfig3' to cron.daily execution
[New] added support for 'DTC' to cron.daily execution
[New] added '$confpath', '$varlibpath' and '$libpath' for FHS separation
[New] moved compatibility (legacy) variables out of internals.conf into compat.conf
[New] added support to pull configuration variables for cron executions from 'sysconfig/maldet'
[New] added Debian derivatives sysconfig and initd compatibility for function sourcing and subsys locking
[New] added LSB tags to init script
[New] added capability of moving public scan path with $userbasedir variable
[New] manpage added and setup default with install.sh execution
[New] added support for clamd running as an unprivileged user through clamdscan w/ --fdpass options
[New] added --wget-proxy CLI option for http(s) proxy support
[New] added clam(d)scan_extraopts variables to internals.conf for appending extra CLI options on clam(d)scan;
these values can also be defined in sysconfig or cron/exec based config files and on CLI
[New] sysconfig support through '/etc/sysconfig/maldet' or '/etc/default/maldet', system dependant, to
allow easier configuration overrides; all conf.maldet and internals.conf variables supported
[Change] file stat calls replaced with function file_stat
[Change] stat calls are now (Free|Net)BSD compatible through file_stat function
[Change] report listing, '-e|--report list', now displays scan run time
[Change] scan reports and cli outputs once again display simplified path definitions instead of expanded paths
[Change] unified all clamav selection logic for data paths, running clamd processes, clam(d)scan CLI options etc...
into a single function, clamselector(); this will make clam behavior more predictable across all functions
[Change] added subdomains path for ISPConfig to cron.daily
[Change] corrected variable naming semantics for import__(md5|hex)_url parameters
[Change] monitor mode now identifies inotifywait processes based on a string pattern unique to maldet
to avoid conflicts with any other inotifywait processes
[Change] added wget_proxy variable for use in sysconfig and conf.maldet options
[Change] YARA-LMD curated signature set will now be included with signature updates
[Change] differentiate signature hits for YARA with '{YARA}' signame prefix
[Change] inotify_docroot now accepts comma or white spaced list of paths under user root to monitor
[Change] removed absolute path usage from 'pidof'
[Change] drop unneeded usage of shebang from sourced configuration files
[Change] modified shebang usage with 'env' prefix for portability
[Change] temporary path usage now consistently using $tmpdir value
[Change] scan paths must now be absolute paths
[Change] modified init script stop function for Debian derivatives
[Change] improved history tracking with proper date stamps, more verbose quarantine history logging and storing
into more explicitly named files '$sessdir/hits.hist' and '$sessdir/quarantine.hist'
[Change] added scan_days value to cron.daily allowing customization of the date range scanned by daily cron
[Change] replaced remaining absolute calls to sigdirs with '$sigdir'
[Change] added Debian derivatives support for MONITOR_MODE checks
[Change] updated cron.daily to provide for a custom execution file and modified custom config file into
'cron/conf.maldet.cron' and 'cron/custom.cron'
[Change] install.sh cased variable on find execution
[Change] symlink hookscan.sh to modsec.sh for pre-v1.5 compat
[Change] added '^/tmp/clamav-.' to ignored paths where ownership matches clamd process
[Change] preserve custom cron configuration files on upgrade
[Change] hookscan.sh was calling LMD using legacy, deprecated, '--config-option' options
[Change] normalize installation path variable between LMD proper and installation scripts
[Change] reduced redundant path definitions
[Change] added test for main.cvd and main.cld in determining clamav signature paths
[Change] README changes to reflect new cron customization setup
[Change] added attempting passive ftp when active fails for malware checkout uploads
[Change] .ca.def configuration template renamed importconf and now copied over during installation to
'internals/importconf'
[Change] new versions of 'chown' don't support use of . (dot) to separate user and group
[Change] find option regextype is now dropped on FreeBSD for compatibility
[Change] scan.tpl reporting template handles column spacing on filenames with spaces better
[Change] CLI usage semantics of --include-regex and --exclude-regex now consistently passing to 'find' command
[Change] moved all internal field separator line break modifications to lbreakifs()
[Change] quarantine .info file is now field separated with colon symbol (:)
[Change] quarantine .info file value ordering has been modified
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
[Change] record_hits() now writes file mode and file times (a|m|c) into hits history file
[Change] 'eval' is now used as a prefix on the 'find' command to better handle the complex set of options passed to 'find'
and avoid globbing, splitting and other bash'esque semantic issues
[Change] modified mkpubpaths cronjob to execute every 5 minutes instead of 10
[Change] public mode scanning errors are now more verbose
[Change] updated README to reflect required modsec >=2.9 variable 'SecTmpSaveUploadedFiles'
for upload scanning
[Change] hookscan.sh (modsec.sh) now checks for variable override file at conf.maldet.hookscan
[Change] added use of sed flag -E for FreeBSD compatibility with GNU sed usage
[Change] clamscan will now respect scan_max_filesize value instead of hardcoded 5M
[Change] default scan_max_filesize increased from 768k to 2048k
[Change] clamscan max-scansize for archive depth set as scan_max_filesize2
[Fix] improved special character argument escaping for -a|-r options that could have caused arbitrary command
executions in environments where LMD was allowed to be called by non-root users and/or set-uid/gid wrappers
[Fix] FreeBSD calls to 'md5 -q' were being incorrectly escaped causing file names to never pass and return valid
md5 hash string; corrected by prepending 'eval' to the md5 command callouts.
[Fix] corrected typo with import_ variables causing configuration imports to fail
[Fix] suppress eout() output for certain import_() and get_remote_file() calls; this was causing
false-positive hits for modsec integration
[Fix] install.sh may not have preserved certain variables on upgrade
[Fix] clamdscan was running as a non-root user, would generate lstat errors for all file find results
leading to potential false positive hit/quarantine
[Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on
startup as a result of lstat errors on the custom user signature files stored under $tmpdir
[Fix] clamd.conf configurations containing Follow(File|Directory)Symlinks set to false results in
the rfxn./lmd.user.* links causing clamd startup failures
[Fix] suppress error output to cli for customer user signature files when they do not exist
[Fix] uninstall.sh now cleans up signature files from clamav data paths
[Fix] corrected invalid matching against clamdscan binary when clamd was running as non-root user
[Fix] inotifywait on Ubuntu12 doesn't support the '-o' and '-d' option; modified to send stdout to logfile
for better compatibility
[Fix] conditionally test for vz container and disable use of ionice which is not supported in vz containers
[Fix] '-k|--kill-monitor' would under certain circumstances leave zombie processes
[Fix] monitor_cycle() could lead to memory depletion due to infinite loop cycle calls
[Fix] uninstall.sh was not shutting off monitor mode on uninstall
[Fix] legacy variable suppress_cleanhit references updated to email_ignore_clean
[Fix] email alerting broke during an iterative update due to order of precedence change of how configuration
files were loaded and compatibility (legacy) variables being set before main conf.maldet was loaded;
caused by FHS refactoring
[Fix] installation upgrade configuration importer was not properly executing after FHS refactoring during an
iterative update
[Fix] issue #167 certain variables not being preserved on importconf execution, updated 'compat.conf'
[Fix] custom signature runtime files could grow exponentially in monitor mode
[Fix] make '--mkpubpaths' option cross-platform compatible (debian, rh, bsd)
[Fix] replaced usage of 'awk' on file name sensitive variables with 'cut' and/or better scoped field separator for awk
[Fix] double quote wrapped file name variables properly on restore*() functions
[Fix] quarantine .info files were not properly recording source file atime,mtime,ctime values on manual quarantine calls
[Fix] user supplied paths to CLI are now better handled if they contain special characters
[Fix] multiple user supplied paths to CLI would generate an error if the first path contained a space and
subsequent paths did not
[Fix] commit c8a1279 introduced bug where clamav could be fed zero sized signature files resulting in fatal exit
[Fix] public mode scanning will now properly error if mkpubpaths paths do not exist
[Fix] hookscan.sh (modsec.sh) will now default to not using clamav if clamd is not running
[Fix] though functional, public mode scanning would result in permission errors on console due to pathing issues with
history trac...