Malware Scanning

Security → Malware. The detection and response surface for ClamAV, Linux Malware Detect (LMD), YARA, and Tetragon. Covers M33 and M33.2.

Detection stack

  • ClamAV — on-demand only. The clamd and freshclam daemons are masked; clamscan runs only when the agent invokes it. jabali-freshclam.timer refreshes signatures daily. Rationale: on-demand keeps RAM usage predictable on small VPS instances.
  • Linux Malware Detect — opt-in real-time monitor (default off, migration 000082 added the toggle). The “apply then persist” pattern means flipping the toggle starts the monitor immediately and writes the persistent flag.
  • YARA — currently only the php.yar rule. The libclamav YARA subset rejects PMF whitelist directives, so PMF rules cannot be shipped through clamscan.
  • Tetragon — eBPF kernel-level tripwires. The sessionwatcher ingester surfaces suspicious exec events into M14 notifications (file_hit, quarantine events).
  • M33.2 mail-yara-async — async post-delivery JMAP-poll YARA scan against mailbox storage. Not a Stalwart MtaHook / MtaMilter; runs after delivery so it never blocks legitimate mail.

Page layout

  • Detector state — a row per detector: enabled, last run, hits in the last 24 h.
  • Open file-hits — every detected file currently quarantined; per-row owner, detector, signature, file path, file size, SHA-256 (M33 c2ca6ee5 added the SHA-256 + user-id enrichment).
  • Quarantine — files moved to /var/lib/jabali/quarantine/<user>/ with 0600 root:root. Per-row actions: Restore, Delete, Download (encrypted).
  • Scan now — manual full or per-user scan via jabali admin malware scan.
  • Settings — schedule, quarantine retention, notification routing for malware events.

Notification flow

A hit fires malware_file_hit (M14 event source), which:

  1. Writes an audit row.
  2. Quarantines the file (moves it out of the user’s tree).
  3. Inserts a quarantine row.
  4. Dispatches to channels configured under Notifications Routing.

The end-to-end EICAR plant → quarantine → notification flow was live-verified on 192.168.100.150.
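The four steps above, together with the quarantine layout from the page layout section (per-user directory under /var/lib/jabali/quarantine, 0600 root:root, SHA-256 and size recorded per row), written out as one function. This is an added example, not jabali's own handler: the audit log, quarantine table and notification channels are stand-ins (plain lists and callables) and the quarantine file name scheme is my assumption.

```python
"""Added example (not jabali code): the malware_file_hit chain from the page
as one function, so each step and its ordering is visible.

Assumed here (not on the page): audit_log / quarantine_table are lists,
channels is a list of callables, and the quarantined file is named
<sha256>__<original name> inside the per-user quarantine directory."""
import hashlib
import os
import shutil
import time
from pathlib import Path

DEFAULT_QUARANTINE_ROOT = Path("/var/lib/jabali/quarantine")  # path from the page


def sha256_of(path: Path) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def handle_file_hit(path, user, detector, signature, audit_log, quarantine_table,
                    channels, quarantine_root=DEFAULT_QUARANTINE_ROOT):
    src = Path(path)
    size = src.stat().st_size
    digest = sha256_of(src)  # hash before moving, so the audit row describes the original file
    now = int(time.time())

    # 1. Audit row: records where the file was found, not where it went.
    audit_log.append({"ts": now, "event": "malware_file_hit", "user": user,
                      "detector": detector, "signature": signature,
                      "path": str(src), "size": size, "sha256": digest})

    # 2. Quarantine: move out of the user's tree into a per-user, root-only directory.
    qdir = Path(quarantine_root) / user
    qdir.mkdir(parents=True, exist_ok=True, mode=0o700)
    dest = qdir / f"{digest}__{src.name}"
    shutil.move(str(src), str(dest))
    os.chmod(dest, 0o600)
    # root:root ownership only works when the handler itself runs as root (assumed guard).
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        os.chown(dest, 0, 0)

    # 3. Quarantine row: what the "Open file-hits" and "Quarantine" pages list per file.
    row = {"ts": now, "user": user, "detector": detector, "signature": signature,
           "original_path": str(src), "quarantine_path": str(dest),
           "size": size, "sha256": digest}
    quarantine_table.append(row)

    # 4. Dispatch to every configured notification channel (Notifications Routing).
    for send in channels:
        send(row)
    return row
```

The hash is computed before the move so that the audit row can be compared against the original location even if the quarantine copy is later deleted under the retention policy.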

LMD chmod scar

lmd_init.sh resets the signature directory's permissions on every maldet run, so a plain chmod o+rx /usr/local/maldetect/sigs is reverted on the next run. The panel instead grants access with a POSIX ACL (setfacl -m u:jabali:rx /usr/local/maldetect/sigs), which survives the reset.
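A post-run check for the ACL, as an added example rather than panel code: it parses getfacl output for the jabali user's entry (and the mask, which caps effective permissions) and re-applies the setfacl grant if the entry is gone. The user name and directory are from the page; the getfacl/setfacl invocation and the parser are mine and assume the acl package is installed.

```python
"""Added example (not jabali's own code): verify, after a maldet run, that the
panel user still has r-x on the LMD signature directory via a POSIX ACL, and
re-apply the ACL from the page if lmd_init.sh removed it.

Assumes the getfacl/setfacl binaries from the acl package are present."""
import subprocess

SIGS_DIR = "/usr/local/maldetect/sigs"  # from the page
PANEL_USER = "jabali"                    # from the page


def acl_grants_rx(getfacl_output: str, user: str) -> bool:
    """Return True if `getfacl` text shows user:<user> with effective r and x.

    Named-user entries are limited by the mask entry, so both are read.
    A trailing '#effective:...' annotation on an entry line is ignored; the
    effective permission is recomputed here from the entry and the mask."""
    user_perms = None
    mask = "rwx"  # no mask line means no limitation
    for raw in getfacl_output.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop header comments and annotations
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue
        kind, name, perms = parts
        if kind == "user" and name == user:
            user_perms = perms
        elif kind == "mask" and name == "":
            mask = perms
    if user_perms is None:
        return False
    effective = set(user_perms) & set(mask)
    return {"r", "x"} <= effective


def read_acl(sigs_dir: str) -> str:
    # -p keeps the absolute path in the "# file:" header; output is parsed, not printed
    return subprocess.run(["getfacl", "-p", sigs_dir], capture_output=True,
                          text=True, check=True).stdout


def ensure_sigs_acl(sigs_dir: str = SIGS_DIR, user: str = PANEL_USER) -> bool:
    """Re-apply the page's setfacl grant if the maldet run dropped it."""
    if acl_grants_rx(read_acl(sigs_dir), user):
        return True
    subprocess.run(["setfacl", "-m", f"u:{user}:rx", sigs_dir], check=True)
    return acl_grants_rx(read_acl(sigs_dir), user)
```

Because the mask is checked as well as the named entry, a run that leaves the entry in place but tightens the mask (getfacl then shows `#effective:r--`) is also reported as missing access.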

ClamAV YARA scar

clamscan rejects YARA imports (import "hash") and several functions (hash.sha1()). The PMF whitelists/*.yar set is therefore unusable through clamscan; only php.yar ships. A rule that parses under the yara CLI can still be rejected by clamscan's parser, so verify with clamscan --gen-mdb before shipping new YARA rules.
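A pre-ship lint for .yar files, added here as an example and not part of jabali: it flags the two constructs the paragraph names as rejected by clamscan's YARA subset, `import "..."` lines and calls into an imported module such as hash.sha1(). The reporting format and the choice to flag every call on an imported module are my construction; the clamscan run the page prescribes remains the authoritative check.

```python
"""Added example (not jabali code): flag YARA constructs that the page says
clamscan's libclamav YARA subset rejects, before a rule file is shipped.

Flagged: every `import "<module>"` statement, and every call <module>.<fn>(
on a module that was imported (plus "hash", which the page names explicitly).
Comments and strings are not stripped first, so a rule that only mentions
hash.sha1( in a comment is reported too; for a pre-ship lint that false
positive is preferable to a missed rejection."""
import re
from pathlib import Path

IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"', re.MULTILINE)


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def check_yara_for_clamscan(text: str, filename: str = "<rule>") -> list:
    """Return a list of 'file:line: message' findings; empty means nothing flagged."""
    findings = []
    modules = {"hash"}  # hash.sha1() is rejected even without a visible import line
    for m in IMPORT_RE.finditer(text):
        modules.add(m.group(1))
        findings.append(f'{filename}:{_line_of(text, m.start())}: '
                        f'import "{m.group(1)}" is rejected by clamscan')
    call_re = re.compile(r"\b(" + "|".join(map(re.escape, sorted(modules))) + r")\.(\w+)\s*\(")
    for m in call_re.finditer(text):
        findings.append(f"{filename}:{_line_of(text, m.start())}: "
                        f"{m.group(1)}.{m.group(2)}() needs module '{m.group(1)}', "
                        f"which clamscan does not load")
    return findings


def check_rule_files(paths) -> dict:
    """Map each file path to its findings, for a whitelists/*.yar style sweep."""
    return {str(p): check_yara_for_clamscan(Path(p).read_text(), str(p)) for p in paths}
```

Anything this reports will fail under clamscan; an empty result only means the rule is free of these two construct classes, which is why the clamscan parse check from the page is still run before php.yar or any new rule ships.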

CLI

jabali admin malware scan --user <id>
jabali admin malware purge --older-than 30d