Installation Linux Malware Detect (Maldet) On CentOS

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

 

In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.

 

Note: This guide assumes you are familiar with SSH and basic command line navigation. These instructions apply primarily to customers who have Virtual Private Servers or Dedicated servers.

 

Note: If you do not have root-level access you will not be able to make these changes

 

Installation

Installation is very straightforward:

# cd /usr/local/src
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.6.4
# ./install.sh

Please ensure to change the version number above to the one you have actually downloaded.

 

After the installation has been completed succesfully, you will be presented with the following output.

Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
inotifywait (C) 2019, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(6073): {sigup} performing signature update check...
maldet(6073): {sigup} local signature set is version 2013102428301
maldet(6073): {sigup} new signature set (2013102428301) available
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(6073): {sigup} signature set update completed
maldet(6073): {sigup} 10849 signatures (8981 MD5 / 1868 HEX)

 

the package inotify-tools is required if you want to enable real-time monitoring. iNotify monitoring allows for notifications via the Linux kernel. It can be installed with the command below:

# yum install -y inotify-tools

 

Update Maldet

To update the currently installed software version of Maldet enter the following:

# maldet -d

or

# maldet --update-ver

 

The virus definitions for Maldet are updated daily, but if you wish to update the virus definitions manually enter the following:

# maldet -u

 

Uninstall Maldet

Maldet can be unInstalled quickly:

# cd /usr/local/src/maldetect-1.6.4
# ./uninstall.sh

Please ensure to change the version number above to the one that is installed on your server.

 

 

Configuration

Maldet can be configured by editing the file below:

# vi /usr/local/maldetect/conf.maldet

 

The default conf.maldet configuration file looks as follows:

#
##
# Linux Malware Detect v1.6.4
#             (C) 2002-2019, R-fx Networks <proj@r-fx.org>
#             (C) 2019, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##

# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID user@domain.com'.
# [0 = disabled, 1 = enabled]
email_alert="1"

# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr="youremail@domain.com"

# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"

# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures a released multiple times per-week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"

# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"

# This controls validating the LMD executable MD5 hash with known
# good upstream hash value. This allows LMD to replace the the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"

# The retention period, in days, which quarantine, temporary files and stale
# session information should be retained. Data older than this value is deleted
# with the daily cron execution.
cron_prune_days="21"

# This controls whether or not daily automatic scanning of standard web
# directories is performed via cron.
# [0 = disabled, 1 = enabled]
cron_daily_scan="1"

# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
import_config_url=""

# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
import_config_expire="43200"

# When defined, the import_custsigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within a import_config_url file.
import_custsigs_md5_url=""
import_custsigs_hex_url=""

##
# [ SCAN OPTIONS ]
##

# The maximum directory depth that the scanner will search, a value
# of 15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="15"

# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="24"

# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="2048k"

# The maximum byte depth that the scanner will search into a files content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"

# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="1"

# The maximum byte depth that the scanner will search into a files content
#s when using named pipe (FIFO). Improved performance allows for greater
# scan depth over default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"

# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"

# Include the scanning of known temporary world-writable paths for
# -a|--al and -r|--recent scan types.
scan_tmpdir_paths="/tmp /var/tmp /dev/shm"

# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="0"

# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
scan_cpunice="19"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="6"

# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
scan_cpulimit="0"

# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="1"

# This allows for specific user or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=""
scan_ignore_group=""

# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="0"


# The daily cron 'find' operation performed by LMD detects recently created/modifed
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is set enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="0"

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="1"

# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="1"

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="0"

# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="500"

# When using an external scan engine, such as ClamAV, should files be
# quarantined if an error from the scanner engine is received?
# This is defaulted to 1, always quarantine, as ClamAV generates an
# error exit code for trivial errors such as file not found. As such, a
# large percentage of scans will have ClamAV exiting with error code 2.
# [ 0 = do not quarantine, 1 = always quarantine ]
quarantine_on_error="1"

##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or path to line
# spaced file containing local paths to monitor.
#
# This option is optional for the init based startup script, maldet.sh. This
# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldet' is
# present with a defined value for .
#
# This option is REQUIRED for the systemd maldet.service script. That script
# only checks for the value of . The service will fail to
# start if a value is not provided.
# default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
default_monitor_mode=""

# The base number of files that can be watched under a path
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"

# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved
inotify_sleep="30"

# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports.
inotify_reloadtime="3600"

# The minimum userid that will be added to path monitoring when
# the USERS option is specified
inotify_minuid="500"

# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ comma spaced list, clear option to default monitor user homedir ]
inotify_docroot="public_html,public_ftp"

# Process CPU scheduling (nice) priority level for monitoring process.
# [ -19 = high prio , 19 = low prio, default = 15 ]
inotify_cpunice="18"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="6"

# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
inotify_cpulimit="0"

# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your 'event_log' file, intended only for debugging purposes.
inotify_verbose="0"

##
# [ STATISTICAL ANALYSIS ]
# This is a beta feature and as such should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan="0"          # [ 0 = disabled, 1 = enabled ]
string_length="150000"          # [ max string length ]

 

You may edit the following values to configure Maldet to your needs

  • email_alert : If you would like to receive email alerts, then it should be set to 1.
  • email_subj : Set your email subject here.
  • email_addr : Add your email address to receive malware alerts.
  • email_ignore_clean : When malware alerts have been automatically cleaned (check the next two options), ignore sending email alerts. This is disabled by default. Set it to 1 to enable it, if you have set up an automated daily scan that detects and cleans the hits and you do not want to be alerted of these by mail.
  • quar_hits : The default quarantine action for malware hits, it should be set 1. Affected files will be moved to quarantine.
  • quar_clean : Cleaing detected malware injections, must set to 1.
  • quar_susp : The default suspend action for users wih hits, set it as per your requirements.
  • quar_susp_minuid : Minimum userid that can be suspended.
  • inotify_minuid : The minimum user id above which users need to be monitored. The default value is 500.
  • inotify_docroot : The web directory relative to the home directory of users. By default, it is set to public_html. If this is set, only this web directory will be monitored.

 

 

Cronjob to automate scheduled scans

During the installation of Maldet, a daily cron job script is installed in /etc/cron.daily/maldet.

The cronjob installed by Linux Malware Detect is used to perform daily update of signature files, keep the session, temp and quarantine data to no more than 14 days old and it runs a daily scan of recent file system changes.

If inotify-based real time monitoring is enabled, the daily cron job also scans the recently updated/created files for malware. The folder structures for the most popular control panel configurations: Ensim, Plesk, DirectAdmin, Cpanel, ISPConfig, VirtualMin, VestaCP, ISPManager and Froxlor have been included.

You should ensure compatibility with your servers' structure of homedirs and make sure it corresponds with this cron file.

Please take special note of the control panel specific sections in this cron file:

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then
        $inspath/maldet --monitor-report >> /dev/null 2>&1
elif [ "$cron_daily_scan" == "1" ]; then
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                $inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public$
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                $inspath/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                $inspath/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev$
        elif [ -d "/var/www/clients" ]; then
                # ISPConfig
                $inspath/maldet -b -r /var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var$
        elif [ -d "/etc/webmin/virtual-server" ]; then
                # Virtualmin
                $inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /$
        elif [ -d "/usr/local/ispmgr" ] || [ -d "/usr/local/mgr5" ]; then
                # ISPmanager
                $inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
        elif [ -d "/var/customers/webs" ]; then
                # froxlor
                $inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/vesta" ]; then
                # VestaCP
                $inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/$
        elif [ -d "/usr/share/dtc" ]; then
                # DTC
                if [ -f /var/lib/dtc/saved_install_config ]; then
                    . /var/lib/dtc/saved_install_config
                fi
                $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_d$
        else
                # cpanel, interworx and other standard home/user/public_html setups
                $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $sca$
        fi
fi

 

In order to activate email alerts when malware is detected, you need to open the Maldet configuration file, which is located at: /usr/local/maldetect/conf.maldet

email_alert=1
email_subj="Maldet alert from $(hostname)"
email_addr="email@domain.com"

 

 

Usage Examples

To scan a folder, for example /home you should enter:

# maldet -a /home

Perform a wildcard scan for a specific file extention only:

# maldet -a /var/www/html/*.php

Scan files that have been created/modified in the last 7 days:

# maldet -r /var/www/html/ 7

Scan all files in a path (default: /home, wildcard: ?)

# maldet -a /home/?/public_html

To execute background scans, enter the following (ideal for larger scans):

# maldet -b -r /home/username/

Examine the malware scan report by running the following command and appending the scan report ID:

# maldet --report number-xxxx.xxxxx

E-mail a scan report to a supplied e-mail address:

# maldet –report SCANID youremail@domain.com

To quarantine the infected files, run the following command with the scan report ID. The infected files will then be quarantined for cleaning:

# maldet -q SCAN ID
# maldet –quarantine SCANID

Clean all malware results from a previous scan:

# maldet -n SCAN ID
# maldet --clean SCAN ID

Restore a file that you have already quarantined. This can be useful in case you have a false positive leading to a legitimate file being quarantined:

# maldet -s FILENAME
# maldet -s SCANID # maldet --restore FILENAME

Get a list of all reports:

# maldet -e list

Clear logs, quarantine queue, session and temporary data:

# maldet -p

Upload suspected malware to rfxn.com for review & hashing into signatures:

# maldet -c path/to/filename

View maldet log file events.

# maldet -l

Which gives on an active server a similar output:

May 26 07:39:41 hostname maldet(22671): {mon} scanned 47 new/changed files with clamav engine
May 26 07:40:19 hostname maldet(22674): {mon} scanned 50 new/changed files with clamav engine
May 26 07:40:56 hostname maldet(22674): {mon} scanned 32 new/changed files with clamav engine
May 26 07:41:33 hostname maldet(22674): {mon} scanned 24 new/changed files with clamav engine
May 26 07:42:10 hostname maldet(22674): {mon} scanned 11 new/changed files with clamav engine
May 26 07:42:47 hostname maldet(22674): {mon} scanned 8 new/changed files with clamav engine
May 26 07:43:24 hostname maldet(22674): {mon} scanned 6 new/changed files with clamav engine
May 26 07:44:00 hostname maldet(22674): {mon} scanned 25 new/changed files with clamav engine

Please note the use of the ClamAV engine. For more information refer to the ClamAV Integration section below.

 

 

iNotify Monitoring

The inotify monitoring feature in LMD is designed to monitor users in real-time for file creation / modification / move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default.

There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.

  • e.g: maldet --monitor users
  • e.g: maldet --monitor /root/monitor_paths
  • e.g: maldet --monitor /home/mike,/home/ashton

 

You can run maldet as a daemon as follows:

Monitor users

The users option will take the home directories of all system users who have a uid greater than inotify_minuid and monitor them. If inotify_docroot is set, the users' web directory, if it exists, will only be monitored:

# maldet --monitor users
or
# maldet -m users

 

Monitor paths

Alternately, you can monitor paths. Provide a comma separated list of paths to monitor:

# maldet --monitor /home,/var,/tmp
or
# maldet -m /home,/var,/tmp

The example below displays the output for a comma spaced list of paths that is monitored:

maldet(5330): {mon} set inotify max_user_instances to 128
maldet(5330): {mon} set inotify max_user_watches to 61440
maldet(5330): {mon} added /var to inotify monitoring array
maldet(5330): {mon} added /home/xmodulo to inotify monitoring array
maldet(5330): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(5330): {mon} inotify startup successful (pid: 4154)
maldet(5330): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

 

Monitor files

If you have believe there are problems with specific files, you have the ability to continuously monitor specific files by giving a comma-separated list of files:

# maldet --monitor FILE1,FILE2,...FILEx
or
# maldet -m  FILE1,FILE2,...FILEx

 

Track events in the monitor log file:

# tail -f /usr/local/maldetect/logs/inotify_log

 

Terminate / kill inotify monitoring service

# maldet -k

 

Start iNotify Monitoring at bootup

When starting maldet in monitoring mode, it’ll scan files as they are being modified or uploaded in the selected directories. Unfortunately, by default iNotify Monitoring won’t correctly start on system reboot.

There are three options around this:

    1. configure the Maldet service by setting up the correct paths values and monitoring mode
    2. Setup a cron job that runs at boottime and starts iNotify monitoring
    3. Create a script to be placed in the rc.local file

 

1. Configure Maldet Service

To doublecheck the current status of Maldet please enter the following:

systemctl status maldet

Which should give a similar output:

● maldet.service - Linux Malware Detect monitoring - maldet
   Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources) since Thu 2019-05-16 02:42:56 CEST; 1 weeks 4 days ago
   Process: 3487 ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode (code=exited, status=0/SUCCESS)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[root@xxx ~]# systemctl start maldet
Job for maldet.service failed because a configured resource limit was exceeded. See "systemctl status maldet.service" and "journalctl -xe" for details.

 

Most likely you will find that the monitoring mode has failed. This is usually due to one of two reasons:

  1. The correct monitoring mode has not been defined
  2. The correct paths to monitor have not been defined

 

To resolve issue 1 (see above error message example) stop the service from running and trying to restart:

systemctl stop maldet

Edit /usr/lib/systemd/system/maldet.service and replace the line:

ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode

with

ExecStart=/usr/local/maldetect/maldet --monitor USERS

Let systemd know of the updated config file:

systemctl daemon-reload

Then restart the service:

systemctl start maldet.service

Check status of maldet. Ensure that it is no longer crashing:

systemctl status maldet.service

 

issue 2: In case the correct paths to monitor have not been defined you will get a similar error:

Process: 24473 ExecStart=/usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths (code=exited, status=0/SUCCESS)

 

This means that you will have to define the path values in the /usr/lib/systemd/system/monitor_paths file as a comma separated list, for example:

/home,/var,/tmp

Let systemd know of the updated config file:

systemctl daemon-reload

Then restart the service:

systemctl start maldet.service

Check status of maldet. Ensure that it is no longer crashing:

systemctl status maldet.service

 

2. Setup Cron

Open crontab with following command:

crontab -e

Paste following line at the bottom:

@reboot /usr/local/sbin/maldet --monitor /home

 

Save & close the file. You’ve now successfully enabled real-time malware scanning using paths for maldet. The cron above will scan all directories under /home.

Keep in mind that you can also monitor users and individual files using the same method.  Please refer to the above examples and adjust your cron accordingly.

 

3. Setup rc.local

The script /etc/rc.local (Ubuntu / Debian) or /etc/rc.d/rc.local (CentOS, Fedora) is for use by the system administrator. It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.

To setup a rc.local startup script, we'll first create a file that includes all the directories we want to monitor.

nano /usr/local/maldetect/monitor_paths

Paste paths to all the directories you want to monitor as a comma separated list in this file.

Open the /etc/rc.local or /etc/rc.d/rc.local file using a text editor

nano /etc/rc.local (Debian / Ubuntu)
nano /etc/rc.d/rc.local (CentOS, Fedora)

Paste the following line just before the closing line exit 0

maldet --monitor /usr/local/maldetect/monitor_paths

Keep in mind that your created script must be granted execute permissions:

chmod +x /usr/local/maldetect/monitor_paths

 

 

Ignore Files

There are three ignore files available in Linux Malware Detect. These can be used to exclude files from daily malware scans.

 

ignore_paths

This is a line spaced file for paths that are to be excluded from search results:

# /usr/local/maldetect/ignore_paths

 

ignore_sigs

This is a line spaced file for signatures that should be removed from file scanning:

# /usr/local/maldetect/ignore_sigs

 

ignore_inotify

This is a line spaced file for paths that are to be excluded from inotify monitoring:

# /usr/local/maldetect/ignore_inotify

 

ignore_extensions

Add the extensions of file types that you want to exclude from daily scans (one per line):

# /usr/local/maldetect/ignore_file_ext

 

 

ClamAV integration

Info! Our installation guide for the ClamAV package can be found on this page

 

ClamAV and Maldet are tightly integrated. You can use ClamAV as the scan engine for Maldet. This speeds up the scanning process and in addition the virus definitions by ClamAV are now also used when scanning.

The benefit of this integration is a faster, more effective malware scan, meaning; you're more likely to identify potential threats.

 

How to setup

        1. Ensure that ClamAV is installed
        2. Enable ClamAV in the LMD configuration file:

/usr/local/maldetect/conf.maldet

Enable ClamAV integration by setting scan_clamscan to 1

# Use with ClamAV
scan_clamscan="1"

 

cPanel/WHM

Create two symbolic links, as follows:

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam

 

DirectAdmin

No action required.

 

Running a malware scan

When you run the Maldet scan, it will also include the virus definitions of ClamAV. To use you just need to run the usual commands as found under Usage Examples.

 

  • installation, centos, maldet, linux malware detect, security
  • 33 Users Found This Useful
Was this answer helpful?

Related Articles

Installation of SpamAssassin on DirectAdmin

In this guide I will be explaining how to install and configure SpamAssasin on a Direct Admin...

Installation Clam Anti Virus (ClamAV) on DirectAdmin / CentOS

Clam AntiVirus is a popular open source (GPL) anti-virus toolkit for UNIX, designed for e-mail...

Installation of Directadmin on CentOS

In this guide I will be explaining how to install DirectAdmin on a clean installation of Red Hat...

Installation of Directadmin on CentOS

In this guide I will be explaining how to install DirectAdmin on a clean installation of Red Hat...

Installation CSF Firewall on CentOS

The guide below is applicable to systems running CentOS5, CentOS 6 and CentOS 7. The...