gwillem/magento-malware-scanner

--newer is dangerous?

jeroenvermeulen opened this issue · 2 comments

If I understand it correctly, this can happen:

RULESURL=https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/build/all-confirmed.yar
RULEFILE=/var/cache/rules.yar
MAGENTO=/var/www/magento
  • Monday 0:00 malware X exists in $MAGENTO
  • Monday 0:00 malware X is not added to $RULESURL
  • Monday 0:10 /usr/bin/curl -s $RULESURL -o $RULEFILE
  • Monday 0:11 mwscan --newonly --rules $RULEFILE $MAGENTO => malware X not found
  • Monday 10:00 @gwillem adds malware X to $RULESURL
  • Tuesday 0:10 /usr/bin/curl -s $RULESURL -o $RULEFILE
  • Tuesday 0:11 mwscan --newonly --rules $RULEFILE $MAGENTO => malware X not found

This is a problem, right?
Or am I missing something?

A possible fix would be to add the version of the all-confirmed.yar to the path of the LAST_RUN_FILE.

Well spotted! However, the newer_than function signature is not used anymore (for the reason you state), I shall remove it. --newonly will just ignore infections found in last run, so your scenario mentioned above won't happen.

PS. Instead of using curl you can also use mwscan -s byte (or another ruleset) which will download it for you.
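The timeline from the issue, replayed against a time-based incremental scan and against the fix proposed in the issue (last-run state keyed by ruleset version). This is an added example, not mwscan's code; the scanner classes, byte signatures, file contents and timestamps are constructed for illustration.

```python
import hashlib

def scan(files, rules, since=None):
    """Return paths matching any rule; skip files not modified after `since`."""
    return sorted(
        path for path, (mtime, data) in files.items()
        if (since is None or mtime > since) and any(sig in data for sig in rules)
    )

def rules_digest(rules):
    """Stable identifier for a ruleset, standing in for its 'version'."""
    return hashlib.sha256(b"\n".join(sorted(rules))).hexdigest()

class TimeBasedScanner:
    """Flawed: one last-run timestamp, no matter which rules were used."""
    def __init__(self):
        self.last_run = None

    def run(self, files, rules, now):
        hits = scan(files, rules, self.last_run)
        self.last_run = now
        return hits

class RulesKeyedScanner:
    """Last-run timestamp stored per ruleset digest: new rules force a full scan."""
    def __init__(self):
        self.last_run = {}

    def run(self, files, rules, now):
        key = rules_digest(rules)
        hits = scan(files, rules, self.last_run.get(key))
        self.last_run = {key: now}  # state for older rulesets is discarded
        return hits

def replay(scanner):
    """Constructed timeline; times are hours relative to Monday 0:00."""
    files = {
        "/var/www/magento/index.php": (-24.0, b"<?php ok();"),
        "/var/www/magento/skin/x.php": (-1.0, b"<?php MALWARE_X();"),
    }
    monday_rules = {b"OLD_SIG"}                   # malware X not yet known
    tuesday_rules = monday_rules | {b"MALWARE_X"}  # rule added Monday 10:00
    monday = scanner.run(files, monday_rules, now=0.2)
    tuesday = scanner.run(files, tuesday_rules, now=24.2)
    return monday, tuesday

if __name__ == "__main__":
    print("time-based :", replay(TimeBasedScanner()))
    print("rules-keyed:", replay(RulesKeyedScanner()))
```

The time-based scanner reports nothing on either day because the infected file predates the first run; the rules-keyed scanner rescans everything once the ruleset digest changes and reports it on Tuesday.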