Fix: Address 6 critical and high priority issues in malware scanner

CRITICAL FIXES: - Add directory restoration trap in maldet install (prevents PWD corruption) HIGH PRIORITY FIXES: - security-tools.sh: Make maldet detection consistent with other scanners - security-tools.sh: Improve ClamAV freshclam detection (add cPanel paths) - security-tools.sh: Add timeout protection to getenforce and aa-status - malware-scanner.sh: Integrate memory monitoring into ClamAV scan loop - malware-scanner.sh: Initialize memory_check_count for periodic checks SECURITY & RELIABILITY IMPROVEMENTS: - Prevents directory corruption in install functions - Better maldet detection across different installation paths - Timeout protection prevents script hangs on misconfigured systems - Periodic memory checks during long scans prevent OOM conditions All changes verified with syntax check. MALDET_ONLY flag already correctly implemented.
2026-04-22 00:17:15 -04:00
parent 076be62f99
commit 04e6df318f
2 changed files with 44 additions and 8 deletions
@@ -364,6 +364,10 @@ install_maldet_only() {
    echo "Checking available versions..."
    echo ""

+    # Save original directory and restore on exit
+    local original_dir="$PWD"
+    trap "cd '$original_dir' 2>/dev/null || true" RETURN
+
    cd /tmp || return 1

    # Try to download from sources in order with aggressive timeout handling
@@ -1965,6 +1969,7 @@ for scanner in "${available_scanners[@]}"; do
            last_size=0
            last_filename=""
            stall_counter=0
+            memory_check_count=0

            while kill -0 "$CLAM_PID" 2>/dev/null; do
                # Get current log size and file count from log
@@ -2001,6 +2006,16 @@ for scanner in "${available_scanners[@]}"; do
                    last_size=$current_size
                fi

+                # Check memory every 5 seconds (25 * 0.2s) to prevent OOM
+                if [ $((++memory_check_count)) -ge 25 ]; then
+                    if ! check_memory_during_scan; then
+                        log_message "CRITICAL: Out of memory during scan - stopping"
+                        kill "$CLAM_PID" 2>/dev/null || true
+                        break
+                    fi
+                    memory_check_count=0
+                fi
+
                sleep 0.2
            done