		malmon - MALware MONitor

------
About:
------
malmon is a small piece of software which is very useful
for web hosting servers (and not only).
It uses inotify (pyinotify) to monitor file system activity
and checks every new / moved / modified file (there's a file
size limit, so we can check only files smaller than X size).
Currently there are two types of checks:
    1). md5 sum check.
	We have a db of md5 sums of some known
	malware/exploits/backdoors and stuff like that
	and we compare them to the md5 sum of the new/
	modified file.
    2). hex signature check.
	We check the file content and match it
	against another db with known hex signatures.
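
The two checks above, sketched as an added example (not malmon's own code).
The 'name:hex' signature format, the function names and the 60-byte limit
are assumptions, and the sample files are constructed. demo() shows an edited
copy of a known file slipping past the md5 check and still matching the hex
signature:

```python
import hashlib
import pathlib
import tempfile

def load_hex_sigs(lines):
    """Parse 'name:hexbytes' lines (assumed format) into {name: bytes}."""
    sigs = {}
    for line in map(str.strip, lines):
        if line and not line.startswith("#"):
            name, _, hexpart = line.partition(":")
            sigs[name] = bytes.fromhex(hexpart)
    return sigs

def check_file(path, md5_db, hex_sigs, size_limit):
    """Return (verdict, detail); verdict is skipped, md5, hexsig or clean."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(size_limit + 1)  # bounded read, never the whole file
    except OSError as exc:  # e.g. file removed between the event and the check
        return ("skipped", str(exc))
    if len(data) > size_limit:
        return ("skipped", "over size limit")
    digest = hashlib.md5(data).hexdigest()
    if digest in md5_db:  # check 1: exact match on a known file
        return ("md5", md5_db[digest])
    for name, sig in hex_sigs.items():  # check 2: byte pattern anywhere in content
        if sig in data:
            return ("hexsig", name)
    return ("clean", None)

def demo():
    """Run both checks over constructed sample files and return the verdicts."""
    known = b"constructed sample: known-bad file body\n"
    md5_db = {hashlib.md5(known).hexdigest(): "Sample.Known"}
    # Constructed signature: the ASCII bytes of DEMO-MARKER-1234 as hex.
    hex_sigs = load_hex_sigs(["Sample.Marker:" + b"DEMO-MARKER-1234".hex()])
    samples = {
        "known.php": known,
        "variant.php": b"<?php /* edited */ DEMO-MARKER-1234 ?>",
        "index.html": b"<html>hello</html>",
        "big.bin": b"A" * 64,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in samples.items():
            path = pathlib.Path(tmp, fname)
            path.write_bytes(body)
            results[fname] = check_file(path, md5_db, hex_sigs, size_limit=60)
    return results
```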

---------
Features:
---------
    1). Realtime file system monitoring
	Multiple directories at once
    2). md5 sum checks
    3). hex signature based checks
    4). exclude file (supports reg expr)
    5). Auto update [md5sums & hex sigs]
	    At start and while running
    6). Check only files smaller than some
	size (size limit is set in the config)
    7). Shitlist added. A list of forbidden filenames
	This will move all files with a name found in
	the shitlist, without doing any checks
    8). Add warn/paranoid mode option
	    In paranoid mode (default) we move all
	    infections to the quarantine dir
	    In warn mode, we will only print them
	    in the log/stdout, without moving them
    9). Lower process priority (lower resource usage)
    10). Add/Remove directories in watch list while
	    running (through the UNIX socket)
    11). Force update (through the UNIX socket)
    12). New option - scan directories for malware

---------------
What's to come:
---------------
    1). Add MIME Type check.
    2). Add spam-filter like checks.
	    We will analyze the file, and match
	    any strings that are often found in
	    malware/backdoors/exploits.
	    Every string will have a factor, and
	    after the analysis is done, we check
	    what factor the file got, and if
	    it's bigger than allowed we'll add a
	    warning to the log/stdout (depending
	    on what mode the daemon is running in)
    4). Add multiple analyzing threads for servers
	    with more file activity.

-------
Layout:
-------
/usr/local/sbin/malmon       - The daemon
/usr/local/sbin/malmon-scan  - Scanning tool
/etc/malmon                  - Configuration dir
/etc/malmon/malmon.conf      - Config file
/etc/malmon/black.list       - Blacklist file (supports reg expr)
/etc/malmon/exclude.list     - Exclude list (supports reg expr)
/var/cache/malmon            - The daemon cache directory
/var/cache/malmon/infected   - Where to move all infected files
/var/run/malmon.pid          - The pidfile
/var/run/malmon.sock         - Unix socket file


-----
Deps:
-----
malmon depends only on 2 things.
1). inotify kernel support (CONFIG_INOTIFY_USER=y)
2). pyinotify module (http://pyinotify.sourceforge.net/)

If you have them both, you're good to go :]

Oh..  hashlib became part of python from version 2.6 so... if you're
using an older version, you have to download hashlib for python 2.4-2.5
from python.org.. it's only tested on python 2.5+ so ...tell me if it
breaks :]