
Linux Malware Detect

Linux Malware Detect (LMD) is a malware scanner for Linux distributions. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detecting it. Further threat data comes from user submissions via the LMD checkout feature and from malware community resources. The signatures LMD uses are MD5 file hashes and HEX pattern matches; they can also be exported to other detection tools such as ClamAV.

First we install Linux Malware Detect. inotify-tools is what the real-time monitor mode relies on, so it goes in first. The tarball is fetched over plain HTTP and install.sh runs as root, so use HTTPS if the mirror offers it and read install.sh before running it. The extracted directory name carries the release version (1.6.4 at the time of writing), so adjust the cd if yours differs:

sudo -s
apt update && apt install inotify-tools
cd /opt
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd maldetect-1.6.4
./install.sh

Then we configure:

nano /usr/local/maldetect/conf.maldet

Make sure the following settings are set initially. We start in alert-only mode: hits are reported by email but nothing is quarantined or cleaned automatically, so a false positive cannot take a site down. Once you trust the signatures on this host, change quarantine_hits and quarantine_clean to 1 to quarantine and clean automatically (quarantine_clean only takes effect when quarantine_hits is also 1):

[Enable email alerting]
email_alert="1"

[Email address that receives the scan reports]
email_addr="admin@example.com"

[Move threats to quarantine (0 = alert only)]
quarantine_hits="0"

[Clean string-based malware injections (requires quarantine_hits=1)]
quarantine_clean="0"

[Skip root-owned files during scans; set 0 to scan them as well]
scan_ignore_root="1"

[Monitor mode: a file listing the paths to watch, one per line]
default_monitor_mode="/usr/local/maldetect/monitor_paths"

[Suspend the user who owns a file when malware is found in it]
quarantine_suspend_user="1"

[Lowest UID that may be suspended, so system accounts are never locked out (regular users start at 1000 on Debian/Ubuntu)]
quarantine_suspend_user_minuid="500"

[Use the ClamAV engine for scans; only takes effect if the clamscan binary is installed, otherwise LMD's own engine is used]
scan_clamscan="1"

Create the monitor_paths file (the file named in default_monitor_mode above) and enter the paths you want monitored, one per line. I normally monitor web directories:

nano /usr/local/maldetect/monitor_paths

Enter the following (for example):

/var/www
/usr/share/postfixadmin
/usr/share/phpmyadmin
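The edits above are easy to get wrong by hand on a fleet of hosts, so here is a script that applies the same alert-only baseline to conf.maldet idempotently and writes the monitor_paths file. It is an added example, not code from LMD or from the original post; it assumes conf.maldet keeps one active KEY="value" line per option (as LMD 1.6 does) and the default /usr/local/maldetect install prefix. The helper names (lmd_set_opt, lmd_get_opt, lmd_apply_baseline, lmd_write_monitor_paths) are mine.

```bash
#!/usr/bin/env bash
# Added example, not part of LMD or the original post. Applies the alert-only
# baseline from the section above to conf.maldet with idempotent edits, then
# writes the monitor_paths file. Assumptions: conf.maldet holds one
# KEY="value" assignment per active option (true for LMD 1.6) and LMD lives
# under the default prefix /usr/local/maldetect.
set -u

# Set KEY to VALUE in FILE: replace the active assignment if there is one,
# otherwise append one. Commented-out "#KEY=" lines are left alone.
# VALUE must not contain '|' (the sed delimiter) or '&'.
lmd_set_opt() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    if grep -qE "^${key}=" "$file"; then
        # sed -i differs between GNU and BSD sed, so go through a temp file
        sed -E "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Print the unquoted value of KEY from FILE (last active assignment wins),
# or nothing if it is unset.
lmd_get_opt() {
    local file="$1" key="$2"
    sed -nE "s/^${key}=\"?([^\"]*)\"?.*/\1/p" "$file" | tail -n 1
}

# Alert-only baseline: email on hits, no automatic quarantine or cleaning,
# suspend non-system users that own hits, monitor the paths listed in a file.
# CLAM is 1 to hand scanning to clamscan (only useful when ClamAV is
# installed) and 0 to stay on LMD's own engine.
lmd_apply_baseline() {
    local conf="$1" email="$2" monitor_file="$3" clam="${4:-0}"
    lmd_set_opt "$conf" email_alert 1
    lmd_set_opt "$conf" email_addr "$email"
    lmd_set_opt "$conf" quarantine_hits 0      # 1 = quarantine automatically
    lmd_set_opt "$conf" quarantine_clean 0     # 1 = clean injections (needs quarantine_hits=1)
    lmd_set_opt "$conf" scan_ignore_root 1     # skip root-owned files
    lmd_set_opt "$conf" default_monitor_mode "$monitor_file"
    lmd_set_opt "$conf" quarantine_suspend_user 1
    lmd_set_opt "$conf" quarantine_suspend_user_minuid 500
    lmd_set_opt "$conf" scan_clamscan "$clam"
}

# Write one path per line to OUT, skipping arguments that are not directories
# so the inotify monitor does not start with dead entries.
lmd_write_monitor_paths() {
    local out="$1" p
    shift
    : > "$out"
    for p in "$@"; do
        if [ -d "$p" ]; then
            printf '%s\n' "$p" >> "$out"
        else
            printf 'skipping %s: not a directory\n' "$p" >&2
        fi
    done
}

# Usage on the real install (as root):
#   bash lmd-baseline.sh admin@example.com /var/www /usr/share/phpmyadmin
main() {
    local conf=/usr/local/maldetect/conf.maldet
    local monitor_file=/usr/local/maldetect/monitor_paths
    local email="$1" clam=0
    shift
    # scan_clamscan=1 is pointless without the binary, so decide it here
    if command -v clamscan >/dev/null 2>&1; then clam=1; fi
    lmd_apply_baseline "$conf" "$email" "$monitor_file" "$clam"
    lmd_write_monitor_paths "$monitor_file" "$@"
    printf 'applied alert-only baseline to %s\n' "$conf"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Running the script twice leaves the file unchanged, which is what makes it safe to call from configuration management on every run; to move a host to automatic quarantine, change the two quarantine_* arguments in lmd_apply_baseline rather than editing the file by hand.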

Perform a test scan to make sure it's working; maldet prints the scan ID at the end of the run:

maldet --scan-all /opt

LMD saves scan reports under the /usr/local/maldetect/sess/ directory. Use maldet --report with the scan ID to see the detailed report, e.g.:

maldet --report 200512-2043.4465

To quarantine infected files:

maldet -q SCANID

To clean up infected files:

maldet -n SCANID
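Scans, reports and quarantine all key off the SCANID, so a wrapper that pulls the ID and hit count out of a run and turns them into an exit code makes LMD usable from cron or a deployment pipeline. The following is an added example, not code from LMD or the original post. The SCANID shape (YYMMDD-HHMM.PID) is the one shown above; the two summary lines it parses ("... malware hits N ..." and "... to view run: maldet --report ID") are my assumption about maldet's output, so check them against a real run before relying on the exit codes. The function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not from LMD or the original post: run a maldet scan and turn
# its output into an exit code plus a scan ID that can be fed straight to
# "maldet -q SCANID" or "maldet -n SCANID". The SCANID shape (YYMMDD-HHMM.PID)
# matches the section above; the "malware hits N" and "to view run: maldet
# --report ID" lines parsed here are an assumed output format, not documented
# by the page, so verify them against a real run.
set -u

# Read maldet output on stdin and print the scan session ID, if any.
lmd_scan_id() {
    grep -oE 'maldet --report [0-9]{6}-[0-9]{4}\.[0-9]+' | head -n 1 | awk '{print $3}'
}

# Read maldet output on stdin and print the malware hit count (0 if absent).
lmd_hit_count() {
    local n
    n="$(grep -oE 'malware hits [0-9]+' | head -n 1 | awk '{print $3}')"
    printf '%s\n' "${n:-0}"
}

# Read maldet output on stdin, print "scan=ID hits=N", and return
# 0 for a clean scan or 2 when there were hits.
lmd_result_from_output() {
    local out id hits
    out="$(cat)"
    id="$(printf '%s\n' "$out" | lmd_scan_id)"
    hits="$(printf '%s\n' "$out" | lmd_hit_count)"
    printf 'scan=%s hits=%s\n' "${id:-unknown}" "$hits"
    if [ "$hits" -gt 0 ]; then
        return 2
    fi
    return 0
}

# Scan PATH with LMD. With QUARANTINE=1, quarantine this session's hits right
# away (the same as running "maldet -q SCANID" by hand).
# Exit codes: 0 clean, 2 hits found, 1 maldet produced no usable session.
lmd_scan_and_check() {
    local path="$1" quarantine="${2:-0}" out id rc=0
    # Do not trust maldet's own exit status; judge the run by its output.
    out="$(maldet --scan-all "$path" 2>&1 || true)"
    id="$(printf '%s\n' "$out" | lmd_scan_id)"
    if [ -z "$id" ]; then
        printf '%s\n' "$out" >&2
        return 1
    fi
    printf '%s\n' "$out" | lmd_result_from_output || rc=$?
    if [ "$rc" -eq 2 ] && [ "$quarantine" = 1 ]; then
        maldet -q "$id"
    fi
    return "$rc"
}

# Usage (as root): bash lmd-scan-check.sh /var/www 0
if [ "$#" -gt 0 ]; then lmd_scan_and_check "$@"; fi
```

Keeping the quarantine step behind an explicit argument mirrors the alert-only configuration above: the same script can first run with 0 until you are happy with the hit reports, then with 1 once automatic quarantine is acceptable on that host.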

To update LMD:

maldet -d

To update malware detection signatures:

maldet -u

To live monitor a directory:

maldet -m /var/www

To kill the live monitor:

maldet -k

maldet also installs a systemd service for live monitoring. It watches the paths listed in the file named by default_monitor_mode, which we pointed at /usr/local/maldetect/monitor_paths above, so set those paths first.

To start the service:

systemctl enable maldet --now

To check the service is running:

systemctl status maldet

To scan only files modified in the last 10 days, which is far quicker than a full scan on a large tree:

sudo maldet -r /var/www 10

To clear logs, the quarantine queue, session data and temporary data (this discards quarantined files too, so restore anything you still need first):

maldet -p

When installed, LMD drops a cron job at /etc/cron.daily/maldet. It updates signatures daily, keeps session, temporary and quarantine data for up to 14 days before pruning it, and runs a daily scan of recently changed files.