
Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. In this guide, we will discuss how to install and use Linux Malware Detect on Linux – CentOS / Fedora / Ubuntu / Debian / Arch etc.

LMD uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Threat data can also be derived from user submissions with the LMD checkout feature and from malware community resources. The LMD signatures are MD5 file hashes and HEX pattern matches and can be easily exported to any number of detection tools such as ClamAV.

Installing Linux Malware Detect on Linux – CentOS / Fedora / Ubuntu / Debian

We will clone the project from its GitHub repository and run the installer script to get Linux Malware Detect working on our Linux system – CentOS / Fedora / Ubuntu / Debian / Arch etc.

Step 1: Clone the project repository.

The Linux Malware Detect project is hosted on GitHub. Download it with the git command, which is easily installable via your system package manager: apt for Debian-based systems, yum/dnf for RHEL/Fedora, or pacman for Arch and its derivatives.

# RHEL/CentOS
sudo yum -y install git
sudo dnf -y install git

# Ubuntu/Debian
sudo apt-get -y install git

# Arch/Manjaro
sudo pacman -S git

Then clone the code from GitHub.

$ git clone https://github.com/rfxn/linux-malware-detect.git
Cloning into 'linux-malware-detect'...
remote: Enumerating objects: 81, done.
remote: Counting objects: 100% (81/81), done.
remote: Compressing objects: 100% (49/49), done.
remote: Total 1991 (delta 47), reused 57 (delta 32), pack-reused 1910
Receiving objects: 100% (1991/1991), 1.79 MiB | 1.56 MiB/s, done.
Resolving deltas: 100% (1446/1446), done.

Step 2: Run installer script

Once the source code is available locally, change into the project directory and run the installer script install.sh with sudo.

$ cd linux-malware-detect/
$ sudo ./install.sh 

Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(6686): {sigup} performing signature update check...
maldet(6686): {sigup} could not determine signature version
maldet(6686): {sigup} signature files missing or corrupted, forcing update...
maldet(6686): {sigup} new signature set 2019052829145 available
maldet(6686): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(6686): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(6686): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(6686): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(6686): {sigup} verified md5sum of maldet-clean.tgz
maldet(6686): {sigup} unpacked and installed maldet-clean.tgz
maldet(6686): {sigup} signature set update completed
maldet(6686): {sigup} 15519 signatures (12707 MD5 | 2035 HEX | 777 YARA | 0 USER)

Confirm the installed version of Linux Malware Detect:

$ maldet --version
Linux Malware Detect v1.6.4
             (C) 2002-2019, R-fx Networks [email protected]
             (C) 2019, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2
 public scanning is currently disabled (scan_user_access=0), please contact your system administrator to enable scan_user_access in conf.maldet.

Step 3: Configure Linux Malware Detect (LMD)

The main configuration file of Linux Malware Detect is located in /usr/local/maldetect/conf.maldet.

To make changes, open the file for editing with your favorite editor.

$ sudo vim /usr/local/maldetect/conf.maldet
-- or --
$ sudo nano /usr/local/maldetect/conf.maldet

To receive email alerts, enable them and set the recipient address.

email_alert="1"
email_addr="[email protected]"

Go through the whole file and configure it to fit your needs.

Step 4: Using Linux Malware Detect (LMD)

1 – Scan directory with Linux Malware Detect

To scan a directory for malware with Linux Malware Detect, use the command syntax:

$ sudo maldet -a /path/to/directory

The -a or --scan-all option means scan all files in the path. If no directory is specified, it defaults to /home. A wildcard can be used, e.g.:

maldet -a /home/?/public_html

To check all available options, use:

$ sudo maldet --help

Example:

$ sudo maldet -a /srv/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(3872): {scan} signatures loaded: 15519 (12707 MD5 | 2035 HEX | 777 YARA | 0 USER)
maldet(3872): {scan} building file list for /srv/, this might take awhile...
maldet(3872): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(3872): {scan} file list completed in 1s, found 110257 files...
maldet(3872): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
maldet(3872): {scan} scan of /srv/ (110257 files) in progress...
maldet(3872): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(3872): {scan} scan completed on /srv/: files 110257, malware hits 1, cleaned hits 0, time 467s
maldet(3872): {scan} scan report saved, to view run: maldet --report 190603-1946.3872
maldet(3872): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 190603-1946.3872

View the scan results by running the command shown near the end of the output:

$ sudo maldet --report 190603-1946.3872
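As an added example (not part of the original article or the LMD project), a small POSIX shell wrapper that runs the scan described above from cron, parses the "scan completed" and "scan report saved" lines shown in the output, and exits non-zero when hits are found so the job can be alerted on. It assumes maldet is on PATH as installed above and that the output format matches the run shown on this page.

```shell
#!/bin/sh
# Added example: wraps a maldet scan for cron use. Assumes maldet is on PATH
# (installed as above) and that its output matches the format shown on this page.

# Extract the report id (e.g. 190603-1946.3872) from the "scan report saved" line.
maldet_report_id() {
    sed -n 's/.*scan report saved, to view run: maldet --report \([0-9]*-[0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Extract the "malware hits N" count from the "scan completed" summary line.
maldet_hits() {
    sed -n 's/.*scan completed on .*malware hits \([0-9]*\),.*/\1/p' | head -n 1
}

# Run a scan of $1, echo the output so cron's mail captures it, and return 1 when
# hits were found (printing the report), 0 when clean, 2 when the summary was missing.
scan_and_check() {
    path="$1"
    out="$(maldet -a "$path" 2>&1)" || true   # decide from the summary line, not the exit code
    printf '%s\n' "$out"
    hits="$(printf '%s\n' "$out" | maldet_hits)"
    id="$(printf '%s\n' "$out" | maldet_report_id)"
    case "$hits" in
        ''|*[!0-9]*) echo "could not find the scan summary line" >&2; return 2 ;;
    esac
    if [ "$hits" -gt 0 ]; then
        [ -n "$id" ] && maldet --report "$id"
        return 1
    fi
    return 0
}

# Constructed sample (copied from the scan run shown above) so the parsers can be
# exercised without running a real scan.
SAMPLE_OUTPUT='maldet(3872): {scan} scan completed on /srv/: files 110257, malware hits 1, cleaned hits 0, time 467s
maldet(3872): {scan} scan report saved, to view run: maldet --report 190603-1946.3872'

# Only scan when a path is given, e.g. from /etc/cron.daily: lmd-cron-scan.sh /var/www
if [ $# -gt 0 ]; then
    scan_and_check "$1"
fi
```

Place the script in /etc/cron.daily (or call it from a crontab entry) with the directory to scan as its argument; cron will mail the captured output whenever the job exits non-zero.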

2 – Scan files or paths defined in a line-separated file

You can also specify a file containing a list of paths to scan, one per line.

$ cat files_to_scan.list
/srv
/var
/root
/home
/var/www/?/public_html

Then run the scan:

$ maldet  -f  /root/files_to_scan.list
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4248): {scan} signatures loaded: 15519 (12707 MD5 | 2035 HEX | 777 YARA | 0 USER)
maldet(4248): {scan} user supplied file list '/root/files_to_scan.list', found 5 files...
maldet(4248): {scan} scan of  (5 files) in progress...
maldet(4248): {scan} 5/5 files scanned: 0 hits 0 cleaned

maldet(4248): {scan} scan completed on : files 5, malware hits 0, cleaned hits 0, time 0s
maldet(4248): {scan} scan report saved, to view run: maldet --report 190603-0951.4248

To view the generated scan report, run the command shown:

$ maldet --report 190603-0951.4248

3 – Only Scan files modified in last x days

To scan only files created or modified in the last X days, use the -r option. If no number of days is given, the default is the last 7 days.

The example below scans the /srv directory for files modified in the last 5 days.

sudo maldet -r /srv 5

Check the web content directories for files modified in the last 10 days:

sudo maldet -r /var/www/?/public_html 10

4 – Update Linux Malware Detect

To update malware detection signatures from rfxn.com, run:

$ sudo maldet -u
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(6021): {sigup} performing signature update check...
maldet(6021): {sigup} local signature set is version 201906014705
maldet(6021): {sigup} latest signature set already installed

5 – Update installed version of LMD

To pull the latest release of LMD from rfxn.com, use:

$ sudo maldet -d
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(6212): {update} checking for available updates...
maldet(6212): {update} hashing install files and checking against server...
maldet(6212): {update} latest version already installed.

6 – Execute under specified user

If running scans as cron jobs or in scripts, you may need to specify the user to execute as. This is useful for restoring files from a user's quarantine or for viewing a user's reports. See the examples below.

$ maldet --user nobody --report
$ maldet --user nobody --restore 050910-1534.21135

7 – Clear logs, quarantine queue, session and temporary data

To clear all of the above, use the -p option (the installer links the binary as maldet and lmd):

sudo maldet -p

For more reading, consult the LMD documentation.
