Release Notes: Imunify360 v.5.8 beta
We’re pleased to announce that a new beta version of Imunify360, version 5.8, is now available. The following features are new in the v.5.8 beta release:
- Overridable config: our new overridable config feature provides an easier way to manage a whole fleet of servers by creating a set of custom configs.
- Hyperscan: Hyperscan technology improves scan speed while ensuring protection when scanning for malicious files.
- Better infection source detection: with this feature we gain better insight into the root cause of infections and can locate infection sources that were previously impossible to detect.
- Control over user's impact on server security: a flexible instrument for controlling user security settings, to prevent users from jeopardizing server security.
- Improvement of PAM module: with this feature, the blocking mechanism our PAM module uses becomes significantly more sophisticated.
This is what we’ve updated in version 5.8:
Overridable config
Recently we received a request from one of our big customers for the ability to provision a default config for the whole fleet of Imunify servers while keeping the ability to fine-tune each particular server depending on its business requirements.
When writing a set of custom configs, this feature gives users more freedom and convenience in large environments. It also lets users set up a granular environment by applying settings to servers and groups of servers of their choice. Finally, it allows users to fine-tune each server depending on their business needs and requirements.
For your convenience we slightly modified the config organization:
- Added a new directory for custom configs, /etc/sysconfig/imunify360/imunify360.config.d/, which holds local overrides of the main config.
- The old config /etc/sysconfig/imunify360/imunify360.config is now a link to imunify360.config.d/90-local.config. It contains changes made through the UI as well as through the CLI.
- Configs in that directory override imunify360-base.config and each other in lexical order. First-level "sections" (like `FIREWALL`) are merged, while second-level "options" (like `FIREWALL.TCP_IN_IPv4`) are replaced completely.
This way you can keep your local customizations and still be able to roll out the main config.
The CLI command to show the default configuration before it is merged with 90-local.config:
imunify360-agent config show defaults
Here is an example of a custom server configuration:
imunify360-base.config (provided by the Imunify installation; contains the default recommended configuration):
FIREWALL:
imunify360.config.d/50-common.config (provisioned by the server owner to the fleet of servers):
FIREWALL:
imunify360.config.d/90-local.config (contains local customization per server individually):
FIREWALL:
The resulting (merged) configuration will look like this:
FIREWALL:
  TCP_IN_IPv4:
    - '20'
    - '22'
    - '12345'
  port_blocking_mode: DENY
The mechanics are as follows: first-level "sections" (for example `FIREWALL`) are merged, while second-level "options" (for example `FIREWALL.TCP_IN_IPv4`) are replaced completely.
Those who don't need this type of overridable config can continue using custom configurations in /etc/sysconfig/imunify360/imunify360.config. This feature is backward compatible.
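To make the merge rule concrete, here is an added example (not Imunify360's own code) that models the two-level semantics over plain Python mappings standing in for the YAML files. The sample values for imunify360-base.config and 50-common.config are constructed, chosen so that the result matches the merged configuration shown above; the point to notice is that a later file's list replaces the earlier list outright rather than appending to it.

```python
"""Model of Imunify360's layered config merge (added example, not Imunify's code).

Files in imunify360.config.d/ are applied over imunify360-base.config in
lexical (filename) order. First-level sections such as FIREWALL are merged;
second-level options such as FIREWALL.TCP_IN_IPv4 are replaced whole, so a
list in a later file supersedes the earlier list instead of extending it.
"""
import copy

# Constructed sample fragments standing in for each file's YAML.
BASE = {
    "FIREWALL": {"TCP_IN_IPv4": ["20", "21", "22"], "port_blocking_mode": "DROP"},
    "MALWARE_SCANNING": {"hyperscan": False},
}
CONFIG_D = {
    "90-local.config": {"FIREWALL": {"TCP_IN_IPv4": ["20", "22", "12345"]}},
    "50-common.config": {
        "FIREWALL": {"port_blocking_mode": "DENY"},
        "MALWARE_SCANNING": {"hyperscan": True},
    },
}


def apply_override(base, override):
    """Merge one override file onto `base` using the documented semantics."""
    merged = copy.deepcopy(base)
    for section, options in override.items():
        if not isinstance(options, dict):
            raise ValueError(f"{section}: top-level entries must be sections (mappings)")
        # First-level section: merged (kept if present, created if missing).
        target = merged.setdefault(section, {})
        # Second-level options: replaced completely, no deep merge of lists or dicts.
        for option, value in options.items():
            target[option] = copy.deepcopy(value)
    return merged


def merge_config_dir(base, config_d):
    """Apply every file in config_d in lexical order; later files win."""
    result = copy.deepcopy(base)
    for name in sorted(config_d):  # lexical order: 50-common before 90-local
        result = apply_override(result, config_d[name])
    return result


def lookup(config, dotted):
    """Resolve a 'SECTION.option' path such as FIREWALL.TCP_IN_IPv4."""
    section, option = dotted.split(".", 1)
    return config[section][option]


if __name__ == "__main__":
    effective = merge_config_dir(BASE, CONFIG_D)
    for path in ("FIREWALL.TCP_IN_IPv4", "FIREWALL.port_blocking_mode",
                 "MALWARE_SCANNING.hyperscan"):
        print(path, "=", lookup(effective, path))
```

Because options are replaced whole, a fleet-wide 50-common.config that sets `FIREWALL.TCP_IN_IPv4` is silently overridden on any server whose 90-local.config also sets that option; `imunify360-agent config show` on the server is the place to confirm which value actually took effect.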
Hyperscan (experimental)
Beginning with v5.8, Imunify360 uses the high-performance Hyperscan multiple-regex-matching library in the Malware Scanner. Scanning files with the Hyperscan library drastically improves scan speed; our tests show up to a 10x performance improvement.
Hyperscan requires its own signature set, which is downloaded from files.imunify360.com and compiled locally. There are a few platform requirements to use this feature:
- Hyperscan supports Debian, Ubuntu, CloudLinux OS Solo and CentOS/CloudLinux 7 and later.
- Support for SSE3 processor instructions. This is quite common nowadays, but may be lacking in virtual environments or on some rather old servers.
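A pre-flight check for the SSE3 requirement, as an added example that is not part of Imunify360: it parses /proc/cpuinfo, where Linux reports SSE3 under the flag name pni (Prescott New Instructions) rather than sse3, so a naive search for the substring "sse3" would match ssse3 and give a false positive. The cpuinfo excerpts are constructed.

```python
"""Check whether a host satisfies the Hyperscan SSE3 requirement (added example)."""
import os

# Constructed /proc/cpuinfo excerpts: a CPU with SSE3 (flag 'pni') and one without.
CPUINFO_WITH_SSE3 = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm pni ssse3 sse4_1 sse4_2 avx
processor\t: 1
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm pni ssse3 sse4_1 sse4_2 avx
"""
CPUINFO_WITHOUT_SSE3 = """\
processor\t: 0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm
"""


def cpu_flags(cpuinfo_text):
    """Return one set of flags per processor entry found in a /proc/cpuinfo dump."""
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            per_cpu.append(set(value.split()))
    return per_cpu


def has_sse3(cpuinfo_text):
    """True only if every listed processor reports SSE3, which the kernel names 'pni'.

    A dump with no 'flags' lines (e.g. a non-x86 host) is reported as unsupported.
    """
    per_cpu = cpu_flags(cpuinfo_text)
    return bool(per_cpu) and all("pni" in flags for flags in per_cpu)


def hyperscan_cpu_ok(path="/proc/cpuinfo"):
    """Read the live cpuinfo if it exists (Linux) and apply the check."""
    if not os.path.exists(path):
        return False
    with open(path) as fh:
        return has_sse3(fh.read())


if __name__ == "__main__":
    print("SSE3 available for Hyperscan:", hyperscan_cpu_ok())
```

Run it on a host before enabling the feature; on a VM whose hypervisor masks CPU flags the check fails even when the physical CPU is modern, which is the situation the requirement above is warning about.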
By default, the Hyperscan feature is switched off in 5.8.
To switch on the feature through the UI, tick Enable Hyperscan in Settings → Malware.
To switch on the feature through the CLI please use the following command:
imunify360-agent config update '{"MALWARE_SCANNING": {"hyperscan": true}}'
Better infection source detection
In version 5.8, we improved collecting and reporting the source of suspicious actions using Syscall Monitor. We now parse auditd logs in order to correlate the actions recorded there with the discovered malware files. This lets us connect the events and trace how the malware was delivered to the system, which improves infection-vector visibility and helps us develop new ways of detecting malicious actions and stopping malware from spreading.
There are some limitations. Supported operating systems are CentOS 6, CentOS 7, CloudLinux OS Solo, CloudLinux OS 6, and CloudLinux OS 7. For the feature to function, auditd must be installed and the audisp plugin must be switched off. By default, this feature is switched on in 5.8.
To switch the feature on or off, use the following commands:
imunify360-agent config update '{"LOGGER":{"syscall_monitor":true}}'
imunify360-agent config update '{"LOGGER":{"syscall_monitor":false}}'
Control over user’s impact on server security
This change hides from the end user the ability to control:
- Proactive Defense mode
- Default action on malware detection
unless the administrator allows server users to do so by setting the appropriate permissions. Additionally, the Blamer feature can no longer be controlled from the user's UI, since it is a crucial component of Imunify360 security; the administrator can still alter the setting in the global config.
By introducing this feature we intend to prevent users from weakening overall server security. At the same time, the change gives the administrator a way to manage users' permissions and thereby better control server security.
The CLI commands to deny or allow user override of Proactive Defense:
imunify360-agent config update '{"PERMISSIONS": {"user_override_proactive_defense": false}}'
imunify360-agent config update '{"PERMISSIONS": {"user_override_proactive_defense": true}}'
The CLI commands to limit users' impact on server security:
imunify360-agent config update '{"PERMISSIONS": {"user_override_malware_actions": false}}'
imunify360-agent config update '{"PERMISSIONS": {"user_override_proactive_defense": false}}'
In addition, we recommend forcibly enabling Blamer for all users of the server.
Improvement of PAM module
We reconsidered how our PAM module blocks users and IPs. From now on, PAM keeps a record of the IP addresses and usernames that have successfully logged in previously, and excludes these users from the block list. This means that if a legitimate user attempts to access the system from the same IP as before, they will be allowed to log in, even if access is blocked for everyone else by USER_IP_LOCK pairs. There will be no more situations in which legitimate users lose access because of a brute-force attack.
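The rule described above, modelled as an added example (this is not the Imunify360 PAM module's code; the failure threshold, the event trace and the IP addresses are constructed for illustration). The trace shows the case the change targets: password guessing arriving from a shared office address locks the (user, IP) pair, yet the legitimate owner who had logged in from that address before is still admitted, while a user with no prior success from it is not.

```python
"""Model of the v5.8 PAM blocking rule (added example, not Imunify360's code).

A (user, ip) pair that has logged in successfully before is remembered and
exempted from a later USER_IP_LOCK block of that pair, so a brute-force run
cannot lock out the legitimate owner returning from their usual address.
"""
from collections import defaultdict

# Constructed failure threshold; the real module's lock logic and values are
# not part of this example.
MAX_FAILURES = 5


class PamBlocker:
    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.known_good = set()            # (user, ip) pairs with a prior successful login
        self.failures = defaultdict(int)   # (user, ip) -> failed attempts since last success
        self.locked = set()                # USER_IP_LOCK pairs currently blocked

    def record_success(self, user, ip):
        """A successful login remembers the exact (user, ip) pair and resets its counter."""
        self.known_good.add((user, ip))
        self.failures.pop((user, ip), None)

    def record_failure(self, user, ip):
        """Count a failed login; lock the pair once the threshold is reached."""
        key = (user, ip)
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked.add(key)

    def is_allowed(self, user, ip):
        """Known-good pairs are never refused; everyone else is refused while locked."""
        key = (user, ip)
        return key in self.known_good or key not in self.locked


# Constructed auth event trace: alice normally logs in from the office NAT
# 198.51.100.7; later, password guessing for both alice and bob arrives from
# the same address.
OFFICE_NAT = "198.51.100.7"
EVENTS = (
    [("ok", "alice", OFFICE_NAT)]
    + [("fail", "alice", OFFICE_NAT)] * MAX_FAILURES
    + [("try", "alice", OFFICE_NAT)]      # alice comes back with the right password
    + [("fail", "bob", OFFICE_NAT)] * MAX_FAILURES
    + [("try", "bob", OFFICE_NAT)]        # bob never logged in from here before
)


def replay(events, blocker=None):
    """Feed events to a blocker and return the decision for every 'try' event."""
    blocker = blocker or PamBlocker()
    decisions = []
    for kind, user, ip in events:
        if kind == "ok":
            blocker.record_success(user, ip)
        elif kind == "fail":
            blocker.record_failure(user, ip)
        elif kind == "try":
            decisions.append((user, ip, blocker.is_allowed(user, ip)))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return decisions


if __name__ == "__main__":
    for user, ip, allowed in replay(EVENTS):
        print(f"{user}@{ip}: {'allowed' if allowed else 'blocked (USER_IP_LOCK)'}")
```

The exemption is keyed on the exact pair, not on the username alone: alice is still subject to locking from an address she has never used, so the known-good record narrows the lockout without removing it.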
Additional information
Imunify360 v5.8 includes 131 tasks and 25 bug fixes.
Internal records
DEF-16335 | Change in "Notifications" description
DEF-16263 | Changes in interface text
DEF-16102 | Fix for malware scanner leaving an empty file on cleanup
DEF-14825 | Fixed 503 errors for ionCube Loader protected scripts
DEF-16372 | Verifying the list of scanned files before running stat() function
DEF-16419 | Change of PHP Handler for resident mode
DEF-16318 | Deobfuscator enhancement
DEF-15775 | File streaming for CloudAssisted and RapidAccountScan in AI-Bolit
DEF-15172 | Fix for blocking of legitimate requests by the PAM module
DEF-16489 | Background scan reporting includes cases with no malware
DEF-16519 | Imunify360 custom http config files are moved from vhosts dir
DEF-16344 | Changing initial configuration for PAM and Malware Scan Schedule to better fit security practices
Stay in touch
Please give our product team feedback on this version 5.8 release. Share your ideas and feature requests through feedback@imunify360.com or via our feedback form.
If you encounter any problems with this beta release, please send a comment or request to our Imunify support team via cloudlinux.zendesk.com.
How to install
To install the new Imunify360 v.5.8 beta, please follow the instructions in the documentation.
How to upgrade
To upgrade Imunify360 on CentOS/CloudLinux systems, run the command:
yum update imunify360-firewall --enablerepo=imunify360-testing
To upgrade Imunify360 on Ubuntu 16.04, run the following commands:
echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/16.04/ xenial main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall
To upgrade Imunify360 on Ubuntu 18.04, run the following commands:
echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/18.04/ bionic main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall
To upgrade Imunify360 on Ubuntu 20.04, run the following commands:
echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/20.04/ focal main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall
To upgrade Imunify360 on Debian 9, run the following commands:
echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/debian-testing/9/ stretch main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall
To upgrade Imunify360 on Debian 10, run the following commands:
echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/debian-testing/10/ buster main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall