Menoa is a modern, scriptable security tool designed solely for Linux. Its goal is to provide robust malware detection and system monitoring while following Linux principles. Menoa is not a vulnerability scanner but a focused security companion for everyday system safety: think of it as the Linux counterpart of Microsoft Defender, not of Lynis.
It is made up of five main tools:
- ClamAV-powered Antivirus
  - Provides a CLI and GUI frontend for ClamAV, the most popular open source antivirus\*
- Network Connection Endpoint Scanning
  - Compares outgoing IP address connections against lists of known malicious endpoints\*
- Machine Learning Driven Process Classification (beta)
  - Not AI bloat, but an intelligent, lightweight way to detect running malware. Work is ongoing and it is currently unusable
- Bash Parser (beta)
  - Takes an input bash script and explains what the script does in English. Also accepts remote scripts (aimed at install.sh scripts)
- Binary Attestation
  - Verifies the hashes of local system binaries against an API providing known-good hashes

\* The threat intelligence is driven by open source feeds collated by Menoa
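As an added illustration of what the endpoint scanner described above does (this is example code, not Menoa's own implementation, which is not shown here), the block below reads the kernel's socket table in the /proc/net/tcp and /proc/net/tcp6 format, decodes the hex addresses, and matches ESTABLISHED remote endpoints against a threat feed of IPs and CIDR blocks. It goes slightly beyond the text by also handling IPv6. The socket rows and the feed are constructed samples; the assumption that Menoa reads /proc/net/tcp is mine.

```python
import ipaddress
import struct

# Constructed sample rows in the /proc/net/tcp and /proc/net/tcp6 layout (not a real capture).
# Addresses are hex in host byte order: 32 bits for IPv4, four 32-bit words for IPv6.
# These rows were written for a little-endian host (x86/arm64); 0100007F is 127.0.0.1.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 1401A8C0:CB20 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1002 1
   2: 1401A8C0:CB21 076433C6:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   1: B80D0120000001000000000005000000:CB22 B80D0120000000000000000001000000:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1005 1
"""
# Constructed sample feed: plain IPs or CIDR blocks, '#' starts a comment (documentation ranges only).
FEED = """\
# one IPv4 host and one IPv6 block
203.0.113.10
2001:db8::/32
"""
ESTABLISHED = "01"  # st column value for an established TCP connection


def decode_addr(hex_addr):
    """Decode a /proc/net/tcp{,6} hex address into an ipaddress object.
    Each 8-hex-char word is a 32-bit int in host byte order; '<I' matches the little-endian
    samples above, use '=I' (native order) when parsing the live file on any architecture."""
    words = [struct.pack("<I", int(hex_addr[i:i + 8], 16)) for i in range(0, len(hex_addr), 8)]
    return ipaddress.ip_address(b"".join(words))


def parse_connections(text):
    """Yield (remote_ip, remote_port, uid) for every ESTABLISHED socket in the table text."""
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != ESTABLISHED:
            continue
        rem_hex, rem_port = cols[2].split(":")
        yield decode_addr(rem_hex), int(rem_port, 16), int(cols[7])


def load_feed(lines):
    """Parse feed lines into ip_network objects, ignoring comments and blank lines."""
    entries = (line.split("#")[0].strip() for line in lines)
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]


def find_malicious(table_text, feed):
    """Return (ip, port, uid, matched_feed_entry) for each connection to a feed endpoint."""
    hits = []
    for ip, port, uid in parse_connections(table_text):
        match = next((net for net in feed if ip in net), None)  # 'in' is False across IP versions
        if match is not None:
            hits.append((str(ip), port, uid, str(match)))
    return hits
```

Pointing the same functions at the contents of the live /proc/net/tcp and /proc/net/tcp6 files gives the host's current outbound connections; the sample above yields the two 443 connections and ignores the listening sockets and the unlisted 198.51.100.7.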
Menoa is made specifically for Linux, and it follows the principles of the OS that its users demand:
- Stays out of the way
- Focuses on intelligent, important features with minimal bloat
- Scriptable
Install with pip:
- pip install menoa

Install ClamAV with your package manager:
- sudo apt install clamav
- sudo dnf install clamav
- sudo pacman -S clamav
Switch to Linux
See the steps for Linux installation
- Add a clock to have Menoa run in the background (probably with systemd)
- Add feed management to the GUI
- Resolve local IP addresses connected to by processes and compare them to URLs distributed in threat feeds
- Find a better threat feed for URLs, I think they can be smaller and more specific to these needs, also I think these feeds might only be for malware distribution and not contain things like C&C servers (https://urlhaus.abuse.ch/api/#csv)
- Should network monitoring include IPv6? Right now it doesn't
- When a ClamAV scan is running, the progress % text line should be in the middle of the circle
- Right now ClamAV just uses the official source, but you can load your own YARA rules; we could make our own threat feed for YARA rules combining other sources
- Add ability to run attestation after /bin and associated dirs are changed (after a package update)
- Add ability to scan with ClamAV using a specified feed (CLI and GUI)
- Should you be able to determine how often a feed should update in the config?
- In the GUI, be able to stop a scan mid-scan without having to close the window
- Any malware that tampers with a binary could also change its hash value in the local database that marks a binary as attested; add a method of signing the hashes received from the API with a key from Menoa
- Change the load template button on the command page to a button that pops up an input box for a link to a bash file, which it downloads and analyzes (meant for install.sh files)
- Make the dashboard, left column, and overall QSS (including unified colors and icon) better
- Add comments, clean up code
- Right now the attestation get-package-version function only uses pacman; add more package managers
- Right now downloading versioned feeds combines the temp downloaded file and the main file but puts all info on one line, so the feed file is one long line; fix it with newlines
- Right now when downloading a versioned feed it doesn't record the new patch version anywhere; add a place for the current patch version in the config and overwrite it when updated
- Update the last_checked column in the attestation database
- Pip doesn't automatically update, add an opt-in setting to have Menoa update itself automatically in the background
- Get rid of quick/, standard/, and deep/ directories in favor of using the config to determine which feeds to use for each scan
- Add option to do different types of scans in the GUI
- Add a util to completely redownload feeds, getting rid of past feed signatures
- Process scanning returns processes above the threshold as benign, but only some of them
- Add a status option for the CLI tools to see whether background work is on or off
- Right now when the process scanning model or the attestation table isn't found, it is automatically downloaded without user interaction; should this stay like this?
- Running a ClamAV scan, the progress circle fills up and progress says 100% before scanning is complete (files: 153, nested files: 10027); could be an error in the counting of nested files for the progress bar's total
- Make opening the gui faster
- Across all tools, make all options available with the cli also available in the gui
- Attestation versioning isn't working
- Set up attestation api
- Write more info for learn more buttons on the dashboard
Written by Jack Hagen