Add signature to panel alerts and fix some white spacing issues #426
JamesColeman-LW wants to merge 1 commit into rfxn:master from
@nexnwelch @JamesColeman-LW This one needs to be refactored.
Fixed in 94829d7 — three changes:
Thank you for identifying this and providing a working implementation with test output — the approach of using
- [New] test coverage for clean operations, ClamAV integration, cron daily, and alerting
- [Fix] Telegram Bot API URL missing required /bot prefix before token; issue #461
- [Fix] clamselector() no longer overwrites user scan_max_filesize config; issue #410
- [Fix] tlog line truncation: switch byte-based to line-based tracking; issue #227
- [Fix] panel alerts include signature name; rewrite hit parsing with BASH_REMATCH; InterWorx empty master_domain guard; issue #426
- [Fix] view_report() add "newest" alias, fix email-latest-report bug, replace $EDITOR with cat; issue #336
- [New] cron.daily explicit cPanel detection with /etc/userdatadomains parsing for addon/subdomain docroots; issue #268
- [Change] cron.daily prune uses find -delete instead of xargs rm -f; issue #430
- [Fix] clamselector() warns on clamd test failure before falling back to clamscan; issue #452
- [New] native YARA scanning: scan_yara=1 enables YARA as an independent scan stage using the yara binary (or yr from YARA-X); supports custom rules via custom.yara and custom.yara.d/ drop-in directory; scan_yara_scope controls rule overlap with ClamAV YARA; compiled rules via yarac supported; issue #392, #277, #239
- [New] README.md with comprehensive markdown documentation; update usage_long() with YARA scanning section; update maldet.1 man page with YARA features, --web-proxy option, and 2026 copyright
- [Fix] YARA audit fixes: --disable-warnings for YARA-X, sig count display, install.sh clamav_linksigs rfxn.yara, man page corrections, variable quoting, local declarations, Dockerfile precedence; add PLAN.md with deferred medium-priority items
- [Change] scan_stage_yara() uses --scan-list for batch file scanning, reducing process invocations from O(N*M) to M+1; YARA stderr captured and logged via eout instead of discarded
- [Fix] YARA audit fixes: --scan-list fallback for YARA < 4.0, stderr noise filtering, cpulimit exit code capture via sh -c wrapper, Dockerfile.yara-x with YARA-X v1.13.0 CI coverage; YARA tests accept either yara or yr
- [Fix] YARA audit fixes: clean() YARA rescan, per-file fallback exit codes, YARA-X stderr filter, trap temp file cleanup, hookscan.sh scan_yara passthrough; add deferred items #11-#17 to PLAN.md
- [New] cron.watchdog weekly watchdog script for independent fallback signature updates when primary cron.daily is broken or stale; install.sh installs to /etc/cron.weekly/maldet-watchdog
- [New] test coverage for update mechanisms: get_remote_file, sigup, lmdup, cron update integration, and watchdog (22 tests)
- [Fix] scan_stage_yara() deduplicates hits against scan_session, preventing double-counted files when ClamAV and native YARA both detect the same file; usage_short() mentions YARA via -co scan_yara=1; signature count shows YARA(cav) qualifier when native YARA disabled
- [Change] PLAN.md reorganized into 5 phases: correctness bugs, documentation, YARA hardening, performance/refactoring, CI/infrastructure; added new audit findings from third review cycle
- [Fix] scan_stage_yara() dedup anchored with end-of-field regex to prevent substring false-positives; per-file fallback uses sh -c wrapper to capture YARA exit code through cpulimit; clean() YARA rescan skips dedup during clean verification and honors clean_check parameter
- [Change] copyright headers updated to 2026 across 10 source files
- [Fix] CHANGELOG CI matrix corrected to 8-target (was 9-OS); added YARA-X, removed Rocky 10 and Ubuntu 22.04 not in CI; merged duplicate v2.0.1 date blocks
- [Fix] README.md cron_prune_days default corrected from 14 to 21
- [Change] sigup() signature count uses YARA(cav) qualifier when scan_yara disabled, matching scan() display
- [Change] usage_short() YARA hint reformatted as sub-note under -co option
- [Change] legacy plain-text README replaced with pointer to README.md
- [Fix] import_user_sigs() validates downloaded YARA rules with yr check or yara before installing to custom.yara; malformed rules are rejected with warning instead of silently breaking YARA scanning
- [Fix] scan_stage_yara() validates compiled.yarc with test scan before use; cross-engine (yarac vs yr) or corrupt compiled rules are skipped with warning instead of causing scan errors
- [Change] README.md documents ignore_sigs regex/substring matching behavior, hit prefix table ({MD5}/{HEX}/{SA}/{YARA}/{CAV}), YARA batch scanning, hookscan YARA config, and compiled.yarc path
- [New] test coverage for YARA download validation and compiled.yarc validation (6 tests); exercises import_user_sigs() syntax checking and scan_stage_yara() compiled rules engine validation
- [Change] scan_stage_yara() refactored: extract _yara_scan_rules() helper eliminating ~80 lines of duplicated text/compiled rules scan+parse code; cache YARA binary selection and --scan-list detection in globals via _yara_init_cache() to avoid repeated fork+exec every monitor cycle; filter quarantined/unreadable files from YARA file list via _yara_filter_filelist() at scan() call sites; remove unused yarac binary discovery from internals.conf
- [Fix] README.md CI badge points to 2.0.1 branch instead of master; fixes "no status" display since all CI runs are on 2.0.1
- [Fix] README.md CI badge reverted to master branch; badge will be correct after 2.0.1 merges to master
- [Fix] cron.daily flock lock leaked to backgrounded scans; switched to CLOEXEC command form (flock -n FILE "$0") so children never inherit the lock fd
- [Fix] cron.watchdog version update now runs regardless of sigup result
- [Fix] README.md md5v2.dat format corrected to HASH:SIZE:{MD5}sig.name.N
- [New] SHA-256 checksum verification for YARA-X binary in Dockerfile.yara-x
- [New] test coverage for clean() YARA rescan and YARA(cav) display (3 tests)
- [New] watchdog sigup-failure resilience test; cron CLOEXEC lock test
- [Change] Rocky Linux 10 added to CI matrix (9-target); Dockerfile.rocky10 fixed for rockylinux/rockylinux:10 base image and package conflicts
- [Fix] cron.daily update failure logging, README.md config table, conf.maldet comment typo; add curl to Rocky 8/9 Dockerfiles
Tests (screenshots attached to the original PR, not reproduced here): email received; test with quarantine; email list.