Linux, Windows, Virtualization, OpenSource & Blogging

How to Install Linux Malware Detect on CentOS 7 / RHEL 7 – A Malware Scanner for Linux Operating System


Linux Malware Detect (LMD) is a malware detector for Linux operating systems, released under GNU GPLv2. LMD is specially designed for shared hosting environments to clear or detect threads in users file.

In this post, we will install Linux Malware Detect with ClamAV on CentOS 7 / Debian 9 / Ubuntu 16.04.

Install LMD on CentOS 7 / RHEL 7:

LMD is not available on CentOS official repositories as a pre-built package, but it is available as a tarball from the LMD project web site. Download the latest version of LMD using the following command.

cd /tmp/
curl -O

Unpack the tarball and get into the extracted directory.

tar -zxvf maldetect-current.tar.gz
cd maldetect*

Run the installation script present in the extracted directory.



Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6
 (C) 2002-2017, R-fx Networks <>
 (C) 2017, Ryan MacDonald <>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(1344): {sigup} performing signature update check...
maldet(1344): {sigup} local signature set is version 2017070716978
maldet(1344): {sigup} new signature set (2017080720059) available
maldet(1344): {sigup} downloading
maldet(1344): {sigup} downloading
maldet(1344): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(1344): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(1344): {sigup} verified md5sum of maldet-clean.tgz
maldet(1344): {sigup} unpacked and installed maldet-clean.tgz
maldet(1344): {sigup} signature set update completed
maldet(1344): {sigup} 15215 signatures (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)

Configure Linux Malware Detect:

The main configuration file of LMD is /usr/local/maldetect/conf.maldet and you can modify it according to your requirements.

vi /usr/local/maldetect/conf.maldet

Below are some of the important settings you should have it on your system for successful detection and deletion of threats.

# Enable Email Alerting

# Email Address in which you want to receive scan reports

# Use with ClamAV

# Enable scanning for root owned files. Set 1 to disable.

# Move threats to quarantine

# Clean string based malware injections

# Suspend user if malware found.

# Minimum userid value that be suspended

Skip to scanning for malware if you do not want to use LMD with ClamAV.

Linux Malware Detect with ClamAV:

LMD performs better in scanning large file sets with ClamAV. ClamAV (Clam Antivirus) is an open source antivirus solution to detect virus, malware, trojans and other malicious programs.

ClamAV is available on EPEL repository, so configure it on your CentOS / RHEL machine.

rpm -ivh

Install ClamAV using YUM command.

yum -y install clamav clamav-devel clamav-update inotify-tools

Now, update the ClamAV virus databases using the following command.


No additional configuration is required with LMD as the use of ClamAV with LMD is enabled by default.

Testing Linux Malware Detect:

Let us test the functionality of LMD using test virus. Download virus signature from EICAR website.

cd /tmp

Now, scan the directory for malware.

maldet -a /tmp


Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <>
            (C) 2017, Ryan MacDonald <>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(2004): {scan} signatures loaded: 15215 (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)
maldet(2004): {scan} building file list for /tmp, this might take awhile...
maldet(2004): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(2004): {scan} file list completed in 0s, found 74 files...
maldet(2004): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
maldet(2004): {scan} scan of /tmp (74 files) in progress...
maldet(2004): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(2004): {scan} scan completed on /tmp: files 74, malware hits 2, cleaned hits 0, time 11s
maldet(2004): {scan} scan report saved, to view run: maldet --report 170814-1058.2004
maldet(2004): {alert} sent scan report to

From the output, you can see that LMD is using ClamAV scanner engine to perform the scan and resulted in finding two malware hits.

Linux Malware Detector Scan Report:

LMD stores scan reports under /usr/local/maldetect/sess/. Use the maldet command with SCAN ID to see the detailed scanning report.

maldet --report 170808-1035.18497


SUBJECT: maldet alert from server.itzgeek.local
HOST:      lmddd
SCAN ID:   170814-1058.2004
STARTED:   Aug 14 2017 10:58:20 +0000
COMPLETED: Aug 14 2017 10:58:31 +0000
ELAPSED:   11s [find: 0s]

PATH:          /tmp

{HEX}EICAR.TEST.10 : /tmp/ => /usr/local/maldetect/quarantine/
{HEX}EICAR.TEST.10 : /tmp/ => /usr/local/maldetect/quarantine/
Linux Malware Detect v1.6.2 < >

You can see that both files are now quarantined.

Update Linux Malware Detect:

Use the following command to update your LMD.

maldet -d

To update LMD signatures, run:

maldet -u

That’s All.

You might also like