
Release Notes: Imunify360 v.5.8 beta

IM-beta-release

We’re pleased to announce that a new beta version of Imunify360, version 5.8, is now available. The following features are new in the v.5.8 beta release:

  • Overridable config
    Our new overridable config feature provides an easier way to manage the whole fleet of servers by creating a set of custom configs.
  • HyperScan
    HyperScan technology provides an improved speed while ensuring protection when performing a scan for malicious files.
  • Better infection source detection
    With this feature, we gain better insight into the root cause of infections and can pinpoint infection sources that were previously impossible to detect.
  • Control over user’s impact on server security
    A flexible instrument to control user security settings to prevent users from jeopardizing server security. 
  • Improvement of PAM module
    With this feature the mechanism our PAM module uses for blocking becomes significantly more sophisticated.

This is what we’ve updated in version 5.8: 

Overridable config

Recently we received a request from one of our big customers for the ability to provision a default config for a whole fleet of Imunify servers while keeping the ability to fine-tune each particular server according to its business requirements.

This feature gives users more freedom and convenience in large environments when writing a set of custom configs. It also lets users build a granular environment by applying settings to the servers and groups of servers of their choice. Finally, it allows users to fine-tune each server according to their business needs and requirements.

For your convenience we slightly modified the organization of the configs:

  • Added a new directory for custom configs and placed the local overrides of the main config there:
    /etc/sysconfig/imunify360/imunify360.config.d/
  • The old config /etc/sysconfig/imunify360/imunify360.config is now linked to imunify360.config.d/90-local.config. It contains changes made through the UI as well as through the CLI.
  • Configs in that directory override imunify360-base.config and each other in lexical order. First-level "sections" (like `FIREWALL`) are merged, while second-level "options" (like `FIREWALL.TCP_IN_IPv4`) are replaced completely.

This way you can keep your local customizations but still be able to roll out the main config.

The CLI command to check the default configuration before it is merged with 90-local.config:

imunify360-agent config show defaults

Here is an example of custom server configuration:

imunify360-base.config

Provided by Imunify installation. Contains default recommended configuration

FIREWALL:
  TCP_IN_IPv4:
  - '20'
  - '8880'
  port_blocking_mode: ALLOW

imunify360.config.d/50-common.config

Provisioned by the server owner to the fleet of servers.

FIREWALL:
  TCP_IN_IPv4:
  - '20'
  - '21'
  port_blocking_mode: DENY

imunify360.config.d/90-local.config

Contains local customization per server individually.

FIREWALL:
  TCP_IN_IPv4:
  - '20'
  - '22'
  - '12345'

The resulting (merged) configuration will look like this:

FIREWALL:
  TCP_IN_IPv4:
  - '20'
  - '22'
  - '12345'
  port_blocking_mode: DENY

The mechanics are as follows: first-level "sections" (for example `FIREWALL`) are merged, while second-level "options" (for example `FIREWALL.TCP_IN_IPv4`) are replaced completely. Note that lists are replaced as a whole, not combined: in the example above the local `TCP_IN_IPv4` wins outright, so port '21' from 50-common.config and port '8880' from the base config are not present in the merged result, while `port_blocking_mode: DENY` from 50-common.config survives because 90-local.config does not set that option.
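The merge rule above, reproduced as an added Python example (not Imunify360's own code) so that the effect of a local override can be checked before it reaches a fleet. The YAML fragments from this page are embedded as constructed dicts, and "lexical order" is assumed to mean a plain sort of the file names; the second function reports which list items earlier layers opened that the final config silently drops.

```python
"""Reproduces the documented imunify360.config.d/ merge semantics: sections
are merged key by key, options are replaced whole, later file names win."""
import copy

# Constructed in-memory equivalents of the YAML fragments in the release notes.
BASE_CONFIG = {
    "FIREWALL": {"TCP_IN_IPv4": ["20", "8880"], "port_blocking_mode": "ALLOW"},
}
CONFIG_D = {  # keys are the file names inside imunify360.config.d/
    "50-common.config": {
        "FIREWALL": {"TCP_IN_IPv4": ["20", "21"], "port_blocking_mode": "DENY"},
    },
    "90-local.config": {
        "FIREWALL": {"TCP_IN_IPv4": ["20", "22", "12345"]},
    },
}


def merge_configs(base, overrides):
    """Apply override files in lexical (file name) order on top of base.

    First-level sections (FIREWALL) are merged, so options set only in an
    earlier layer survive; second-level options (FIREWALL.TCP_IN_IPv4) are
    replaced whole, so lists are never concatenated.
    """
    merged = copy.deepcopy(base)           # never mutate the caller's dicts
    for name in sorted(overrides):         # 50-common before 90-local
        for section, options in overrides[name].items():
            target = merged.setdefault(section, {})
            for option, value in options.items():
                target[option] = copy.deepcopy(value)   # whole replacement
    return merged


def dropped_list_items(base, overrides):
    """Return {"SECTION.option": {file_name: [items absent from the result]}}.

    Because list options are replaced rather than unioned, a local override
    of TCP_IN_IPv4 discards every port the fleet-wide layer opened; this
    makes that loss visible instead of silent.
    """
    merged = merge_configs(base, overrides)
    layers = [("imunify360-base.config", base)] + sorted(overrides.items())
    lost = {}
    for name, cfg in layers:
        for section, options in cfg.items():
            for option, value in options.items():
                if not isinstance(value, list):
                    continue
                gone = [v for v in value if v not in merged[section][option]]
                if gone:
                    lost.setdefault(f"{section}.{option}", {})[name] = gone
    return lost


if __name__ == "__main__":
    print(merge_configs(BASE_CONFIG, CONFIG_D)["FIREWALL"])
    for key, per_file in dropped_list_items(BASE_CONFIG, CONFIG_D).items():
        for fname, items in per_file.items():
            print(f"{key}: {fname} set {items}, absent from merged config")
```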

Those who don’t need overridable configs can continue using custom configurations in /etc/sysconfig/imunify360/imunify360.config. This feature is backward compatible.

HyperScan (experimental)

Beginning with v5.8, Imunify360 uses the high-performance multiple-regex matching library HyperScan in the Malware Scanner. Scanning files with the HyperScan library drastically improves scan speed; our tests show up to a 10x performance improvement.

HyperScan requires its own signature set, which is downloaded from files.imunify360.com and compiled locally. There are a few platform requirements for using this feature:

  • HyperScan supports Debian, Ubuntu, CloudLinux OS Solo and CentOS/CloudLinux 7 and later.
  • SSE3 processor instruction support. It is quite common nowadays, but may be missing in virtual environments or on some rather old servers.

By default the HyperScan feature is switched off in 5.8.

To switch on the feature through the UI, tick Enable HyperScan in Settings → Malware.

To switch on the feature through the CLI please use the following command:

imunify360-agent config update '{"MALWARE_SCANNING": {"hyperscan": true}}'

Better infection source detection

In version 5.8, we improved collecting and reporting the source of suspicious actions using Syscall Monitor. We decided to parse auditd logs in order to correlate the actions in the logs with the discovered malware files. This lets us connect the events and locate how the malware was delivered to the system. It improves infection vector visibility and helps us develop new ways to detect malicious actions and stop malware from spreading. However, there are some limitations. Supported operating systems are: CentOS 6, CentOS 7, CloudLinux OS Solo, CloudLinux OS 6, and CloudLinux OS 7. For the feature to function, auditd needs to be installed and the audisp plugin needs to be switched off. By default this feature is switched on in 5.8.

To switch the feature on and off please use the following commands:

imunify360-agent config update '{"LOGGER":{"syscall_monitor":true}}'
imunify360-agent config update '{"LOGGER":{"syscall_monitor":false}}'

Control over user’s impact on server security

This change hides from the end user the ability to control:

  • Proactive Defense mode
  • Default action on malware detection

unless the administrator allows the server users to do so by setting the proper permissions. Additionally, the Blamer feature can no longer be controlled from the user's UI, since it is a crucial component of Imunify360 security; the administrator can still alter the setting in the global config.

By introducing this feature we intend to prevent users from weakening overall server security. At the same time, the change gives the administrator a way to manage users’ permissions and better control server security.

The CLI commands to operate Proactive Defense:

imunify360-agent config update '{"PERMISSIONS": {"user_override_proactive_defense": false}}'
imunify360-agent config update '{"PERMISSIONS": {"user_override_proactive_defense": true}}'

The CLI commands to limit user's impact on server security:

imunify360-agent config update '{"PERMISSIONS": {"user_override_malware_actions": false}}'
imunify360-agent config update '{"PERMISSIONS": {"user_override_proactive_defense": false}}'

In addition, we recommend forcibly enabling Blamer for all users of the server.

Improvement of PAM module

We reconsidered how our PAM module blocks users and IPs. From now on PAM keeps a record of IP addresses and usernames that successfully logged in previously and excludes these users from the block list. This means that if a legitimate user attempts to access the system from the same IP as before, they will be allowed to log in, even if access is blocked for everyone else by USER_IP_LOCK pairs. There will be no more situations where legitimate users lose access because of a brute-force attack.

Additional information

Imunify360 v5.8 includes 131 tasks and 25 bug fixes.

Internal records

DEF-16335 Change in "Notifications" description
DEF-16263 Changes in interface text
DEF-16102 Fix for malware scanner leaving an empty file on cleanup
DEF-14825 Fixed 503 errors for ionCube Loader protected scripts
DEF-16372 Verifying the list of scanned files before running stat() function
DEF-16419 Change of PHP Handler for resident mode

DEF-16318
DEF-16345
DEF-16352
DEF-16439
DEF-16467
DEF-16486
DEF-16537

Deobfuscator enhancement
DEF-15775 File streaming for CloudAssisted and RapidAccountScan in AI-Bolit
DEF-15172 Fix for blocking of legitimate requests by the PAM module
DEF-16489 Background scan reporting includes cases with no malware
DEF-16519 Imunify360 custom http config files are moved from vhosts dir
DEF-16344 Changing initial configuration for PAM and Malware Scan Schedule to better fit security practices

Stay in touch

Please give our product team feedback on this version 5.8 release. Share your ideas and feature requests through feedback@imunify360.com or via our feedback form.

If you encounter any problems with this beta release, please send a comment or request to our Imunify support team via cloudlinux.zendesk.com.

How to install

To install the new Imunify360 v.5.8 beta, please follow the instructions in the documentation.

How to upgrade

To upgrade Imunify360 on CentOS/CloudLinux systems, run the command:

yum update imunify360-firewall --enablerepo=imunify360-testing

To upgrade Imunify360 on Ubuntu 16.04, run the following command:

echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/16.04/ xenial main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall

To upgrade Imunify360 on Ubuntu 18.04, run the following command:

echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/18.04/ bionic main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall

To upgrade Imunify360 on Ubuntu 20.04, run the following command:

echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/20.04/ focal main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall

To upgrade Imunify360 on Debian 9, run the following command:

echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/debian-testing/9/ stretch main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall

To upgrade Imunify360 on Debian 10, run the following command:

echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/debian-testing/10/ buster main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify360-firewall
