McAfee Antivirus for Linux deprecated [MALW-3280] #1455

Closed
vk6xebec opened this issue Feb 3, 2024 · 6 comments
Assignees
Labels
enhancement good-first-issue This may be a great opportunity to get started with contributing to an open source project!

Comments

@vk6xebec
Contributor

vk6xebec commented Feb 3, 2024

McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please see:

End of Life announcement for McAfee AntiVirus for Linux

Please modify the MALW-3280 check so that if it finds cmdagent, it throws up an error about it being deprecated; and no hardening points are assigned.
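
Below is an added example, written for this page; it is not Lynis code and not the contributor's draft. It shows one way to implement what the request above asks for: the cma/cmdagent discovery of MALW-3280, but with a found agent reported as deprecated, awarded no hardening points, and not recorded as an active scanner. The helper names `IsRunning`, `AddHP`, `ReportWarning` and `LogText` mirror Lynis functions but are local re-implementations so the script runs stand-alone; the process list is a constructed sample, not real `ps` output. Counting the deprecated agent toward the possible points (`AddHP 0 2`) while earning nothing is a design choice assumed here, so the hardening index drops rather than staying neutral.

```sh
#!/bin/sh
# Added example, not Lynis code. The helpers below re-implement the Lynis calls
# of the same name just far enough to run this file on its own.

HP_GOT=0          # hardening points earned so far
HP_MAX=0          # hardening points that were possible
WARNINGS=""       # collected "TEST-ID: text" lines
LOG=""            # what Lynis would write to lynis.log

# Constructed stand-in for `ps -eo pid,args` output (not a real capture).
# Replace with real output, e.g. PS_SAMPLE=$(ps -eo pid,args), to try it live.
PS_SAMPLE="1 /sbin/init
842 /opt/McAfee/agent/bin/cmdagent
911 /usr/sbin/sshd -D"

IsRunning()     { printf '%s\n' "${PS_SAMPLE}" | grep -q -- "$1"; }
AddHP()         { HP_GOT=$((HP_GOT + $1)); HP_MAX=$((HP_MAX + $2)); }
ReportWarning() { WARNINGS="${WARNINGS}$1: $2
"; }
LogText()       { LOG="${LOG}$1
"; }

# Mirrors the cma/cmdagent discovery logic of MALW-3280, then applies the change
# requested in the issue: warn that the product is end of life and award no
# points. Sets MCAFEE_STATUS to "deprecated" or "not-found".
check_mcafee() {
    MCAFEE_SCANNER_RUNNING=0
    MCAFEE_STATUS="not-found"
    # "cma" is too generic a process name; only trust it if the McAfee binary exists
    if [ -x /opt/McAfee/cma/bin/cma ]; then
        if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
    else
        if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
    fi

    if [ "${MCAFEE_SCANNER_RUNNING}" -eq 1 ]; then
        MCAFEE_STATUS="deprecated"
        LogText "Result: found McAfee agent, but the product is end of life"
        ReportWarning "MALW-3280" "McAfee Antivirus for Linux is deprecated since 1 Oct 2023 and receives no updates; replace it"
        # Found but unmaintained: counts toward the maximum, earns nothing, and is
        # deliberately not flagged as MALWARE_DAEMON_RUNNING / MALWARE_SCANNER_INSTALLED.
        AddHP 0 2
    else
        LogText "Result: no McAfee agent running"
    fi
    return 0
}

# Hardening index the way Lynis reports it: earned / possible, in percent.
hardening_index() {
    if [ "${HP_MAX}" -eq 0 ]; then echo 0; return 0; fi
    echo $((HP_GOT * 100 / HP_MAX))
}

check_mcafee
echo "McAfee: ${MCAFEE_STATUS}"
printf '%s' "${WARNINGS}"
echo "Hardening index so far: $(hardening_index)%"
```

With the sample process list the agent is found, the warning is recorded and the index is 0% (0 of 2 points); with `cmdagent` absent the check reports not-found and leaves the totals untouched, so the later "no commercial anti-virus tools found" branch of MALW-3280 still applies.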

@mboelen
Member

mboelen commented Mar 17, 2024

Hi,

Thanks for the suggestion. Sounds like a good approach. Do you want to create a pull request for that?

@mboelen mboelen self-assigned this Mar 17, 2024
@vk6xebec
Contributor Author

I might have to learn how to do this - it may take a while as I have never done a pull request before.

@mboelen
Member

mboelen commented Mar 28, 2024

That's totally fine. A good way to get started is by trying. Just let us know if you get stuck!

@mboelen mboelen added good-first-issue This may be a great opportunity to get started with contributing to an open source project! waiting-for-pull-request Waiting for the creation of a pull request and removed needs-confirmation labels Mar 28, 2024
@vk6xebec
Contributor Author

This is the code I have modified. Still trying to work out how to do it...

```sh
#!/bin/sh

#################################################################################
#
#    Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Malware scanners
#
#################################################################################
#
    InsertSection "${SECTION_MALWARE}"
#
#################################################################################
#
    AVAST_DAEMON_RUNNING=0
    AVIRA_DAEMON_RUNNING=0
    BITDEFENDER_DAEMON_RUNNING=0
    CLAMD_RUNNING=0
    CLAMSCAN_INSTALLED=0
    CROWDSTRIKE_FALCON_SENSOR_RUNNING=0
    ESET_DAEMON_RUNNING=0
    FRESHCLAM_DAEMON_RUNNING=0
    KASPERSKY_SCANNER_RUNNING=0
    MCAFEE_SCANNER_RUNNING=0
    MALWARE_SCANNER_INSTALLED=0
    MALWARE_DAEMON_RUNNING=0
    ROOTKIT_SCANNER_FOUND=0
    SENTINELONE_SCANNER_RUNNING=0
    SOPHOS_SCANNER_RUNNING=0
    SYMANTEC_SCANNER_RUNNING=0
    SYNOLOGY_DAEMON_RUNNING=0
    TRENDMICRO_DSA_DAEMON_RUNNING=0
#
#################################################################################
#
    # Test        : MALW-3274
    # Description : Check for installed tool (McAfee VirusScan for Command Line)
    Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence McAfee VirusScan for Command Line"
        if [ -x /usr/local/uvscan/uvscan ]; then
            MCAFEECLBINARY="/usr/local/uvscan/uvscan"
            Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED
            LogText "Result: Found ${MCAFEECLBINARY}"
            LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another Anti-virus"
            # Deprecated product: do not count it as an installed scanner and award no points
            MALWARE_SCANNER_INSTALLED=0
            AddHP 0 2
        else
            LogText "Result: McAfee VirusScan for Command Line not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3275
    # Description : Check for installed tool (chkrootkit)
    Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence chkrootkit"
        if [ -n "${CHKROOTKITBINARY}" ]; then
            Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${CHKROOTKITBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            ROOTKIT_SCANNER_FOUND=1
            AddHP 2 2
            Report "malware_scanner[]=chkrootkit"
        else
            LogText "Result: chkrootkit not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3276
    # Description : Check for installed tool (Rootkit Hunter)
    Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence Rootkit Hunter"
        if [ -n "${RKHUNTERBINARY}" ]; then
            Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${RKHUNTERBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            ROOTKIT_SCANNER_FOUND=1
            AddHP 2 2
            Report "malware_scanner[]=rkhunter"
        else
            LogText "Result: Rootkit Hunter not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3278
    # Description : Check for installed tool (Linux Malware Detect or LMD)
    Register --test-no MALW-3278 --weight L --network NO --category security --description "Check for LMD"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence LMD"
        if [ ! "${LMDBINARY}" = "" ]; then
            Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${LMDBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            AddHP 2 2
            Report "malware_scanner[]=lmd"
        else
            LogText "Result: LMD not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3280
    # Description : Check if an anti-virus tool is installed
    Register --test-no MALW-3280 --weight L --network NO --category security --description "Check if anti-virus tool is installed"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0

        # Avast (macOS)
        LogText "Test: checking process com.avast.daemon"
        if IsRunning --full "com.avast.daemon"; then
            FOUND=1
            AVAST_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avast daemon" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Avast security product"
            Report "malware_scanner[]=avast"
        fi

        # Avira
        LogText "Test: checking process Avira daemon"
        if IsRunning "avqmd"; then
            FOUND=1
            AVIRA_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avira daemon" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Avira security product"
            Report "malware_scanner[]=avira"
        fi

        # Bitdefender (macOS)
        LogText "Test: checking process epagd"
        if IsRunning "bdagentd" || IsRunning "epagd"; then
            FOUND=1
            BITDEFENDER_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Bitdefender security product"
            Report "malware_scanner[]=bitdefender"
        fi

        # CrowdStrike falcon-sensor
        LogText "Test: checking process falcon-sensor (CrowdStrike)"
        if IsRunning "falcon-sensor"; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} falcon-sensor" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found falcon-sensor service"
            CROWDSTRIKE_FALCON_SENSOR_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=falcon-sensor"
        fi

        # Cylance (macOS)
        LogText "Test: checking process CylanceSvc"
        if IsRunning "CylanceSvc"; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found CylancePROTECT service"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=cylance-protect"
        fi

        # ESET security products
        LogText "Test: checking process esets_daemon"
        if IsRunning "esets_daemon"; then
            FOUND=1
            ESET_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found ESET security product"
            Report "malware_scanner[]=eset"
        fi

        # Kaspersky products
        LogText "Test: checking process wdserver or klnagent (Kaspersky)"
        # wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
        if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
            if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
        else
            if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
        fi
        if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found Kaspersky"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=kaspersky"
        fi

        # McAfee products
        LogText "Test: checking process cma or cmdagent (McAfee)"
        # cma is too generic to match on, so we want to ensure that it is related to McAfee first
        if [ -x /opt/McAfee/cma/bin/cma ]; then
            if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
        else
            if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
        fi
        if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found McAfee"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=mcafee"
        fi

        # SentinelOne
        LogText "Test: checking process sentineld (SentinelOne)"
        if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
        if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
        if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
        if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found SentinelOne"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=sentinelone"
        fi

        # Sophos savscand/SophosScanD
        LogText "Test: checking process savscand"
        if IsRunning "savscand"; then
            FOUND=1
            SOPHOS_SCANNER_RUNNING=1
        fi
        LogText "Test: checking process SophosScanD"
        if IsRunning "SophosScanD"; then
            FOUND=1
            SOPHOS_SCANNER_RUNNING=1
        fi
        if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found Sophos"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=sophos"
        fi

        # Symantec rtvscand/smcd/symcfgd
        LogText "Test: checking process rtvscand"
        if IsRunning "rtvscand"; then
            SYMANTEC_SCANNER_RUNNING=1
        fi
        LogText "Test: checking process Symantec management client service"
        if IsRunning "smcd"; then
            SYMANTEC_SCANNER_RUNNING=1
        fi
        LogText "Test: checking process Symantec Endpoint Protection configuration service"
        if IsRunning "symcfgd"; then
            SYMANTEC_SCANNER_RUNNING=1
        fi
        if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Symantec" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found one or more Symantec components"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            FOUND=1
            Report "malware_scanner[]=symantec"
        fi

        # Synology Antivirus Essential
        LogText "Test: checking process synoavd"
        if IsRunning "synoavd"; then
            FOUND=1
            SYNOLOGY_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Synology Antivirus Essential"
            Report "malware_scanner[]=synoavd"
        fi

        # Trend Micro Anti Malware for Linux
        # Typically ds_agent is running as well, the Deep Security Agent
        LogText "Test: checking process ds_am to test for Trend Micro Deep Security anti-malware component"
        if IsRunning "ds_am"; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro Anti Malware" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Trend Micro Anti Malware component"
            FOUND=1
            MALWARE_SCANNER_INSTALLED=1
            MALWARE_DAEMON_RUNNING=1
            TRENDMICRO_DSA_DAEMON_RUNNING=1
            Report "malware_scanner[]=trend-micro-am"
        fi

        # TrendMicro (macOS)
        LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
        if IsRunning "TmccMac"; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Trend Micro component"
            FOUND=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=trend-micro-av"
        fi

        if [ ${FOUND} -eq 0 ]; then
            LogText "Result: no commercial anti-virus tools found"
            AddHP 0 3
        else
            LogText "Result: found one or more commercial anti-virus tools"
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3282
    # Description : Check if clamscan is installed
    Register --test-no MALW-3282 --weight L --network NO --category security --description "Check for clamscan"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence clamscan"
        if [ ! "${CLAMSCANBINARY}" = "" ]; then
            Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${CLAMSCANBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            CLAMSCAN_INSTALLED=1
            AddHP 2 2
        else
            LogText "Result: clamscan couldn't be found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3284
    # Description : Check running clamd process
    Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking running ClamAV daemon (clamd)"
        if IsRunning "clamd"; then
            Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: found running clamd process"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            CLAMD_RUNNING=1
        else
            LogText "Result: clamd not running"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3286
    # Description : Check running freshclam if clamd process is running
    if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking running freshclam daemon"
        if IsRunning "freshclam"; then
            FRESHCLAM_DAEMON_RUNNING=1
            Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: found running freshclam process"
            AddHP 2 2
        else
            Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
            LogText "Result: freshclam is not running"
            ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3288
    # Description : Check for ClamXav (macOS)
    if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
    if [ ${SKIPTEST} -eq 0 ]; then
        CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
        if [ -n "${CLAMSCANBINARY}" ]; then
            LogText "Result: Found ClamXav clamscan installed"
            Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
            MALWARE_SCANNER_INSTALLED=1
            CLAMSCAN_INSTALLED=1
            AddHP 3 3
        else
            LogText "Result: ClamXav malware scanner not found"
            AddHP 0 3
        fi
    fi
#
#################################################################################
#
    # Check if we found any of the ClamAV components
    if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
        Report "malware_scanner[]=clamav"
    fi
#
#################################################################################
#
    # Test        : MALW-3290
    # Description : Presence of malware scanners
    Register --test-no MALW-3290 --weight L --network NO --category security --description "Presence of malware detection"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ ${MALWARE_SCANNER_INSTALLED} -eq 0 ]; then
            Display --indent 2 --text "- Malware software components" --result "${STATUS_NOT_FOUND}" --color YELLOW
        else
            Display --indent 2 --text "- Malware software components" --result "${STATUS_FOUND}" --color GREEN
            if [ ${MALWARE_DAEMON_RUNNING} -eq 0 ]; then
                Display --indent 4 --text "- Active agent" --result "${STATUS_NOT_FOUND}" --color WHITE
            else
                Display --indent 4 --text "- Active agent" --result "${STATUS_FOUND}" --color GREEN
            fi
            if [ ${ROOTKIT_SCANNER_FOUND} -eq 0 ]; then
                Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_NOT_FOUND}" --color WHITE
            else
                Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_FOUND}" --color GREEN
            fi
        fi
    fi
#
#################################################################################
#
    Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"

WaitForKeyPress

#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
```

@vk6xebec
Contributor Author

vk6xebec commented Apr 7, 2024

Hope I did it correctly: #1481

@mboelen mboelen added enhancement and removed waiting-for-pull-request Waiting for the creation of a pull request labels May 14, 2024
@mboelen
Member

mboelen commented May 14, 2024

Related PR has been merged. Thank you!

@mboelen mboelen closed this as completed May 14, 2024