Linux, Windows, Virtualization, OpenSource & Blogging

Install Linux Malware Detect on Debian / Ubuntu / LinuxMint – A Malware Scanner for Linux Operating System

1

LMD (Linux Malware Detect) is an open source malware detector for Linux operating systems. LMD is particularly designed for shared hosting environments to detect and clear threats in users file.

In this guide, we will install Linux Malware Detect (LMD) with ClamAV on Debian 9 / Ubuntu 16.04 / LinuxMint 18.

Install Linux Malware Detect on Debian

LMD is not available on base repositories as a pre-built package, but you can get LMD as a tarball from the official project website.

Download the latest version of LMD (v1.6.2) using the following command.

cd /tmp/
curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpack the tarball using tar command.

tar -zxvf maldetect-current.tar.gz

Go to the extracted directory.

cd maldetect-1.6.2/

Run the installation script install.sh present in the extracted directory.

bash install.sh

Output:

Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /usr/lib/systemd/system/maldet.service.
update-rc.d: error: unable to read /etc/init.d/maldet
Linux Malware Detect v1.6
            (C) 2002-2017, R-fx Networks <proj@r-fx.org>
            (C) 2017, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(933): {sigup} performing signature update check...
maldet(933): {sigup} local signature set is version 2017070716978
maldet(933): {sigup} new signature set (201708255569) available
maldet(933): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(933): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(933): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(933): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(933): {sigup} verified md5sum of maldet-clean.tgz
maldet(933): {sigup} unpacked and installed maldet-clean.tgz
maldet(933): {sigup} signature set update completed
maldet(933): {sigup} 15218 signatures (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)

Configure Linux Malware Detect

/usr/local/maldetect/conf.maldet is the main configuration file of LMD. You can modify its parameters according to your requirements.

nano /usr/local/maldetect/conf.maldet

Below are the few settings you should have it on LMD for successful detection and deletion of malware threats.

# Enable Email Alerting
email_alert="1"

# Email Address in which you want to receive scan reports
email_addr="you@domain.com"

# Use with ClamAV
scan_clamscan="1"

# Enable scanning for root-owned files. Set 1 to disable.
scan_ignore_root="0"

# Move threats to quarantine
quarantine_hits="1"

# Clean string based malware injections
quarantine_clean="1"

# Suspend user if malware found. 
quarantine_suspend_user="1"

# Minimum userid value that be suspended
quarantine_suspend_user_minuid="500"

If you do not wish to use LMD with ClamAV, then skip the below part.

Linux Malware Detect with ClamAV

LMD performs better with ClamAV, especially when it comes to scanning large file sets. ClamAV (Clam Antivirus) is an open source antivirus engine to detect the virus, malware, trojans & other malicious threats.

ClamAV is available in the base repository, so you can use apt command to install it.

apt-get -y install clamav clamav-daemon clamdscan

By default, the use of ClamAV with LMD has been enabled.

Scan with Linux Malware Detect

Let us test the functionality of LMD by downloading sample virus signature from EICAR website.

cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Now, scan the /tmp directory for malware.

maldet -a /tmp

Output:

Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <proj@rfxn.com>
            (C) 2017, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4209): {scan} signatures loaded: 15218 (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)
maldet(4209): {scan} building file list for /tmp, this might take awhile...
maldet(4209): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(4209): {scan} file list completed in 0s, found 4 files...
maldet(4209): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(4209): {scan} scan of /tmp (4 files) in progress...
maldet(4209): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(4209): {scan} scan completed on /tmp: files 4, malware hits 2, cleaned hits 0, time 12s
maldet(4209): {scan} scan report saved, to view run: maldet --report 171026-1103.4209

From the output, you can notice that LMD is using ClamAV scanner engine to perform the scan and succeeded in finding two malware hits.

Linux Malware Detector Scan Report

LMD stores its scan reports under /usr/local/maldetect/sess/. Use the maldet command along with SCAN ID to see the detailed scanning report.

maldet --report 171026-1103.4209

Output:

HOST:      lmd
SCAN ID:   171026-1103.4209
STARTED:   Oct 26 2017 11:03:16 +0000
COMPLETED: Oct 26 2017 11:03:28 +0000
ELAPSED:   12s [find: 0s]

PATH:          /tmp
TOTAL FILES:   4
TOTAL HITS:    2
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.296395948
{HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.418410660
===============================================
Linux Malware Detect v1.6.2 < proj@rfxn.com >

Update Linux Malware Detect

Use the below command to update your LMD.

maldet -d

To update LMD signatures, run:

maldet -u

That’s All.

 

You might also like
  • whyqaz

    Dont forget to:

    apt-get install clamav-unofficial-sigs

Install Linux Malware Detect on Debian / Ubuntu / LinuxMint – A Malware Scanner for Linux Operating System

1