How to Install Linux Malware Detect on CentOS 7 / RHEL 7 – A Malware Scanner for Linux Operating System

0

Linux Malware Detect (LMD) is a malware detector for Linux operating systems, released under GNU GPLv2. LMD is specially designed for shared hosting environments to clear or detect threats in users file.

In this post, we will install Linux Malware Detect with ClamAV on CentOS 7.

Install LMD on CentOS 7 / RHEL 7

LMD is not available on CentOS official repositories as a pre-built package, but it is available as a tarball from the LMD project web site. Download the latest version of LMD using the following command.

cd /tmp/
curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpack the tarball and get into the extracted directory.

tar -zxvf maldetect-current.tar.gz
cd maldetect*

Run the installation script install.sh present in the extracted directory.

bash install.sh

Output:

Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6
 (C) 2002-2017, R-fx Networks <[email protected]>
 (C) 2017, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(1344): {sigup} performing signature update check...
maldet(1344): {sigup} local signature set is version 2017070716978
maldet(1344): {sigup} new signature set (2017080720059) available
maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(1344): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(1344): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(1344): {sigup} verified md5sum of maldet-clean.tgz
maldet(1344): {sigup} unpacked and installed maldet-clean.tgz
maldet(1344): {sigup} signature set update completed
maldet(1344): {sigup} 15215 signatures (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)

Configure Linux Malware Detect

The main configuration file of LMD is /usr/local/maldetect/conf.maldet and you can modify it according to your requirements.

vi /usr/local/maldetect/conf.maldet

Below are some of the important settings you should have it on your system for successful detection and deletion of threats.

# Enable Email Alerting
email_alert="1"

# Email Address in which you want to receive scan reports
email_addr="[email protected]"

# Use with ClamAV
scan_clamscan="1"

# Enable scanning for root owned files. Set 1 to disable.
scan_ignore_root="0"

# Move threats to quarantine
quarantine_hits="1"

# Clean string based malware injections
quarantine_clean="1"

# Suspend user if malware found.
quarantine_suspend_user="1"

# Minimum userid value that be suspended
quarantine_suspend_user_minuid="500"

Skip to scanning for malware if you do not want to use LMD with ClamAV.

Linux Malware Detect with ClamAV

LMD performs better in scanning large file sets with ClamAV. ClamAV (Clam Antivirus) is an open source antivirus solution to detect virus, malware, trojans and other malicious programs.

ClamAV is available on EPEL repository, so configure it on your CentOS / RHEL machine.

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install ClamAV using YUM command.

yum -y install clamav clamav-devel clamav-update inotify-tools

Now, update the ClamAV virus databases using the following command.

freshclam

No additional configuration is required with LMD as the use of ClamAV with LMD is enabled by default.

Testing Linux Malware Detect

Let us test the functionality of LMD using test virus. Download virus signature from EICAR website.

cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Now, scan the directory for malware.

maldet -a /tmp

Output:

Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <[email protected]>
            (C) 2017, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(2004): {scan} signatures loaded: 15215 (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)
maldet(2004): {scan} building file list for /tmp, this might take awhile...
maldet(2004): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(2004): {scan} file list completed in 0s, found 74 files...
maldet(2004): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
maldet(2004): {scan} scan of /tmp (74 files) in progress...
maldet(2004): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(2004): {scan} scan completed on /tmp: files 74, malware hits 2, cleaned hits 0, time 11s
maldet(2004): {scan} scan report saved, to view run: maldet --report 170814-1058.2004
maldet(2004): {alert} sent scan report to [email protected]

From the output, you can see that LMD is using ClamAV scanner engine to perform the scan and resulted in finding two malware hits.

Linux Malware Detector Scan Report

LMD stores scan reports under /usr/local/maldetect/sess/. Use the maldet command with SCAN ID to see the detailed scanning report.

maldet --report 170808-1035.18497

Output:

SUBJECT: maldet alert from server.itzgeek.local
HOST:      lmddd
SCAN ID:   170814-1058.2004
STARTED:   Aug 14 2017 10:58:20 +0000
COMPLETED: Aug 14 2017 10:58:31 +0000
ELAPSED:   11s [find: 0s]

PATH:          /tmp
TOTAL FILES:   74
TOTAL HITS:    2
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.491714154
{HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.506330946
===============================================
Linux Malware Detect v1.6.2 < [email protected] >

You can see that both files are now quarantined.

Update Linux Malware Detect

Use the following command to update your LMD.

maldet -d

To update LMD signatures, run:

maldet -u

That’s All.

You might also like