How to Install Linux Malware Detect on CentOS 7
How to Install Linux Malware Detect on CentOS 7 / RHEL 7 – A Malware Scanner for Linux Operating System
Linux Malware Detect (LMD) is a malware detector for Linux operating systems, released under GNU GPLv2. LMD is specially designed for shared hosting environments to clear or detect threads in users file.
In this post, we will install Linux Malware Detect with ClamAV on CentOS 7 / Debian 9 / Ubuntu 16.04.
Install LMD on CentOS 7 / RHEL 7:
LMD is not available on CentOS official repositories as a pre-built package, but it is available as a tarball from the LMD project web site. Download the latest version of LMD using the following command.
cd /tmp/ curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz
Unpack the tarball and get into the extracted directory.
tar -zxvf maldetect-current.tar.gz cd maldetect*
Run the installation script install.sh present in the extracted directory.
bash install.sh
Output:
Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6
(C) 2002-2017, R-fx Networks <proj@r-fx.org>
(C) 2017, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(1344): {sigup} performing signature update check...
maldet(1344): {sigup} local signature set is version 2017070716978
maldet(1344): {sigup} new signature set (2017080720059) available
maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(1344): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(1344): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(1344): {sigup} verified md5sum of maldet-clean.tgz
maldet(1344): {sigup} unpacked and installed maldet-clean.tgz
maldet(1344): {sigup} signature set update completed
maldet(1344): {sigup} 15215 signatures (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)
Configure Linux Malware Detect:
The main configuration file of LMD is /usr/local/maldetect/conf.maldet and you can modify it according to your requirements.
vi /usr/local/maldetect/conf.maldet
Below are some of the important settings you should have it on your system for successful detection and deletion of threats.
# Enable Email Alerting email_alert="1" # Email Address in which you want to receive scan reports email_addr="itzgeek.web@gmail.com" # Use with ClamAV scan_clamscan="1" # Enable scanning for root owned files. Set 1 to disable. scan_ignore_root="0" # Move threats to quarantine quarantine_hits="1" # Clean string based malware injections quarantine_clean="1" # Suspend user if malware found. quarantine_suspend_user="1" # Minimum userid value that be suspended quarantine_suspend_user_minuid="500"
Skip to scanning for malware if you do not want to use LMD with ClamAV.
Linux Malware Detect with ClamAV:
LMD performs better in scanning large file sets with ClamAV. ClamAV (Clam Antivirus) is an open source antivirus solution to detect virus, malware, trojans and other malicious programs.
ClamAV is available on EPEL repository, so configure it on your CentOS / RHEL machine.
rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Install ClamAV using YUM command.
yum -y install clamav clamav-devel clamav-update inotify-tools
Now, update the ClamAV virus databases using the following command.
freshclam
No additional configuration is required with LMD as the use of ClamAV with LMD is enabled by default.
Testing Linux Malware Detect:
Let us test the functionality of LMD using test virus. Download virus signature from EICAR website.
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
Now, scan the directory for malware.
maldet -a /tmp
Output:
Linux Malware Detect v1.6.2
(C) 2002-2017, R-fx Networks <proj@rfxn.com>
(C) 2017, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(2004): {scan} signatures loaded: 15215 (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)
maldet(2004): {scan} building file list for /tmp, this might take awhile...
maldet(2004): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(2004): {scan} file list completed in 0s, found 74 files...
maldet(2004): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
maldet(2004): {scan} scan of /tmp (74 files) in progress...
maldet(2004): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(2004): {scan} scan completed on /tmp: files 74, malware hits 2, cleaned hits 0, time 11s
maldet(2004): {scan} scan report saved, to view run: maldet --report 170814-1058.2004
maldet(2004): {alert} sent scan report to itzgeek.web@gmail.com
From the output, you can see that LMD is using ClamAV scanner engine to perform the scan and resulted in finding two malware hits.
Linux Malware Detector Scan Report:
LMD stores scan reports under /usr/local/maldetect/sess/. Use the maldet command with SCAN ID to see the detailed scanning report.
maldet --report 170808-1035.18497
Output:
SUBJECT: maldet alert from server.itzgeek.local
HOST: lmddd
SCAN ID: 170814-1058.2004
STARTED: Aug 14 2017 10:58:20 +0000
COMPLETED: Aug 14 2017 10:58:31 +0000
ELAPSED: 11s [find: 0s]
PATH: /tmp
TOTAL FILES: 74
TOTAL HITS: 2
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.491714154
{HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.506330946
===============================================
Linux Malware Detect v1.6.2 < proj@rfxn.com >
You can see that both files are now quarantined.
Update Linux Malware Detect:
Use the following command to update your LMD.
maldet -d
To update LMD signatures, run:
maldet -u
That’s All.