
fix setting scan_max_filesize #410

Closed
ChrisOrlando wants to merge 1 commit into rfxn:master from ChrisOrlando:variable_reuse


ChrisOrlando commented Mar 9, 2023

the variable name $scan_max_filesize is being used to store the configuration value for the largest file size that should be scanned which is passed to find and also the largest file size in the signatures.

add a new variable called $sig_max_filesize for that purpose and add a conditional check so that we don't override $scan_max_filesize if the user has set it in the configuration

this definitely needs some scrutiny

the variable name $scan_max_filesize is being used to store the
configuration value for the largest file size that should be scanned
which is passed to find and also the largest file size in the
signatures.

add a new variable called $sig_max_filesize for that purpose and add a
conditional check so that we don't override $scan_max_filesize if the
user has set it in the configuration

rfxn (Owner) commented Feb 22, 2026

Fixed in b8621f3 — introduced sig_max_filesize as a separate variable for the signature-derived value. scan_max_filesize from conf.maldet is no longer overwritten by clamselector(), so the user's configured max file size for find -size is now respected. The sig-derived value is used exclusively for ClamAV's --max-filesize flag via clamscan_max_filesize. Thank you for identifying this — the variable reuse was a real bug that silently narrowed scan scope.

rfxn closed this Feb 22, 2026
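
The variable reuse discussed in this thread, as an added shell example that is not part of the pull request or of maldet's code: a simplified model in which the signature-derived limit overwrites the configured one, and the effect on what `find -size` selects. The function names, the 2048/768 KiB limits and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the variable reuse described in this thread; not maldet's code.
# Sizes are in KiB; every value below is constructed for the demonstration.

# Before: one variable holds both the user's limit and the signature-derived limit.
select_limits_before() {
    scan_max_filesize="$1"             # value read from the user's configuration
    sig_derived="$2"                   # largest file size covered by the signatures
    scan_max_filesize="$sig_derived"   # reuse: the configured value is lost here
    echo "$scan_max_filesize"          # what find -size ends up using
}

# After: the signature-derived value lives in its own variable.
select_limits_after() {
    scan_max_filesize="$1"             # configured value, left untouched
    sig_max_filesize="$2"              # only meant for the ClamAV size limit
    echo "$scan_max_filesize"
}

# Count the files under $1 that a find-based file list with limit $2 (KiB) includes.
count_in_scope() {
    find "$1" -type f -size "-${2}k" | wc -l | tr -d ' '
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample tree: one 4 KiB file and one 1500 KiB file.
    dd if=/dev/zero of="$dir/small.php" bs=1024 count=4 2>/dev/null
    dd if=/dev/zero of="$dir/large.php" bs=1024 count=1500 2>/dev/null
    before=$(count_in_scope "$dir" "$(select_limits_before 2048 768)")
    after=$(count_in_scope "$dir" "$(select_limits_after 2048 768)")
    rm -rf "$dir"
    echo "before=$before after=$after"
}

demo   # prints: before=1 after=2
```

With the configured limit of 2048 KiB overwritten by 768 KiB, the 1500 KiB file never reaches the scanner and no error is reported, which is the silent narrowing of scan scope described above.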
rfxn added a commit that referenced this pull request Feb 22, 2026
rfxn added a commit that referenced this pull request Mar 31, 2026
… Telegram Bot API URL mi...

- [New] test coverage for clean operations, ClamAV integration, cron daily, and alerting
- [Fix] Telegram Bot API URL missing required /bot prefix before token; issue #461
- [Fix] clamselector() no longer overwrites user scan_max_filesize config; issue #410
- [Fix] tlog line truncation: switch byte-based to line-based tracking; issue #227
- [Fix] panel alerts include signature name; rewrite hit parsing with BASH_REMATCH; InterWorx empty master_domain guard; issue #426
- [Fix] view_report() add "newest" alias, fix email-latest-report bug, replace $EDITOR with cat; issue #336
- [New] cron.daily explicit cPanel detection with /etc/userdatadomains parsing for addon/subdomain docroots; issue #268
- [Change] cron.daily prune uses find -delete instead of xargs rm -f; issue #430
- [Fix] clamselector() warns on clamd test failure before falling back to clamscan; issue #452
- [New] native YARA scanning: scan_yara=1 enables YARA as an independent scan stage using the yara binary (or yr from YARA-X); supports custom rules via custom.yara and custom.yara.d/ drop-in directory; scan_yara_scope controls rule overlap with ClamAV YARA; compiled rules via yarac supported; issue #392, #277, #239
- [New] README.md with comprehensive markdown documentation; update usage_long() with YARA scanning section; update maldet.1 man page with YARA features, --web-proxy option, and 2026 copyright
- [Fix] YARA audit fixes: --disable-warnings for YARA-X, sig count display, install.sh clamav_linksigs rfxn.yara, man page corrections, variable quoting, local declarations, Dockerfile precedence; add PLAN.md with deferred medium-priority items
- [Change] scan_stage_yara() uses --scan-list for batch file scanning, reducing process invocations from O(N*M) to M+1; YARA stderr captured and logged via eout instead of discarded
- [Fix] YARA audit fixes: --scan-list fallback for YARA < 4.0, stderr noise filtering, cpulimit exit code capture via sh -c wrapper, Dockerfile.yara-x with YARA-X v1.13.0 CI coverage; YARA tests accept either yara or yr
- [Fix] YARA audit fixes: clean() YARA rescan, per-file fallback exit codes, YARA-X stderr filter, trap temp file cleanup, hookscan.sh scan_yara passthrough; add deferred items #11-#17 to PLAN.md
- [New] cron.watchdog weekly watchdog script for independent fallback signature updates when primary cron.daily is broken or stale; install.sh installs to /etc/cron.weekly/maldet-watchdog
- [New] test coverage for update mechanisms: get_remote_file, sigup, lmdup, cron update integration, and watchdog (22 tests)
- [Fix] scan_stage_yara() deduplicates hits against scan_session, preventing double-counted files when ClamAV and native YARA both detect the same file; usage_short() mentions YARA via -co scan_yara=1; signature count shows YARA(cav) qualifier when native YARA disabled
- [Change] PLAN.md reorganized into 5 phases: correctness bugs, documentation, YARA hardening, performance/refactoring, CI/infrastructure; added new audit findings from third review cycle
- [Fix] scan_stage_yara() dedup anchored with end-of-field regex to prevent substring false-positives; per-file fallback uses sh -c wrapper to capture YARA exit code through cpulimit; clean() YARA rescan skips dedup during clean verification and honors clean_check parameter
- [Change] copyright headers updated to 2026 across 10 source files
- [Fix] CHANGELOG CI matrix corrected to 8-target (was 9-OS); added YARA-X, removed Rocky 10 and Ubuntu 22.04 not in CI; merged duplicate v2.0.1 date blocks
- [Fix] README.md cron_prune_days default corrected from 14 to 21
- [Change] sigup() signature count uses YARA(cav) qualifier when scan_yara disabled, matching scan() display
- [Change] usage_short() YARA hint reformatted as sub-note under -co option
- [Change] legacy plain-text README replaced with pointer to README.md
- [Fix] import_user_sigs() validates downloaded YARA rules with yr check or yara before installing to custom.yara; malformed rules are rejected with warning instead of silently breaking YARA scanning
- [Fix] scan_stage_yara() validates compiled.yarc with test scan before use; cross-engine (yarac vs yr) or corrupt compiled rules are skipped with warning instead of causing scan errors
- [Change] README.md documents ignore_sigs regex/substring matching behavior, hit prefix table ({MD5}/{HEX}/{SA}/{YARA}/{CAV}), YARA batch scanning, hookscan YARA config, and compiled.yarc path
- [New] test coverage for YARA download validation and compiled.yarc validation (6 tests); exercises import_user_sigs() syntax checking and scan_stage_yara() compiled rules engine validation
- [Change] scan_stage_yara() refactored: extract _yara_scan_rules() helper eliminating ~80 lines of duplicated text/compiled rules scan+parse code; cache YARA binary selection and --scan-list detection in globals via _yara_init_cache() to avoid repeated fork+exec every monitor cycle; filter quarantined/unreadable files from YARA file list via _yara_filter_filelist() at scan() call sites; remove unused yarac binary discovery from internals.conf
- [Fix] README.md CI badge points to 2.0.1 branch instead of master; fixes "no status" display since all CI runs are on 2.0.1
- [Fix] README.md CI badge reverted to master branch; badge will be correct after 2.0.1 merges to master
- [Fix] cron.daily flock lock leaked to backgrounded scans; switched to CLOEXEC command form (flock -n FILE "$0") so children never inherit the lock fd
- [Fix] cron.watchdog version update now runs regardless of sigup result
- [Fix] README.md md5v2.dat format corrected to HASH:SIZE:{MD5}sig.name.N
- [New] SHA-256 checksum verification for YARA-X binary in Dockerfile.yara-x
- [New] test coverage for clean() YARA rescan and YARA(cav) display (3 tests)
- [New] watchdog sigup-failure resilience test; cron CLOEXEC lock test
- [Change] Rocky Linux 10 added to CI matrix (9-target); Dockerfile.rocky10 fixed for rockylinux/rockylinux:10 base image and package conflicts
- [Fix] cron.daily update failure logging, README.md config table, conf.maldet comment typo; add curl to Rocky 8/9 Dockerfiles