LMD (Linux Malware Detect) is an open source malware detector for Linux operating systems. LMD is particularly designed for shared hosting environments to detect and clear threats in users file.
In this guide, we will install Linux Malware Detect (LMD) with ClamAV on Debian 9 / Ubuntu 16.04 / LinuxMint 18.
Install Linux Malware Detect on Debian
LMD is not available on base repositories as a pre-built package, but you can get LMD as a tarball from the official project website.
Download the latest version of LMD (v1.6.2) using the following command.
cd /tmp/ curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz
Unpack the tarball using tar command.
tar -zxvf maldetect-current.tar.gz
Go to the extracted directory.
cd maldetect-1.6.2/
Run the installation script install.sh present in the extracted directory.
bash install.sh
Output:
Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /usr/lib/systemd/system/maldet.service. update-rc.d: error: unable to read /etc/init.d/maldet Linux Malware Detect v1.6 (C) 2002-2017, R-fx Networks <[email protected]> (C) 2017, Ryan MacDonald <[email protected]> This program may be freely redistributed under the terms of the GNU GPL installation completed to /usr/local/maldetect config file: /usr/local/maldetect/conf.maldet exec file: /usr/local/maldetect/maldet exec link: /usr/local/sbin/maldet exec link: /usr/local/sbin/lmd cron.daily: /etc/cron.daily/maldet maldet(933): {sigup} performing signature update check... maldet(933): {sigup} local signature set is version 2017070716978 maldet(933): {sigup} new signature set (201708255569) available maldet(933): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz maldet(933): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz maldet(933): {sigup} verified md5sum of maldet-sigpack.tgz maldet(933): {sigup} unpacked and installed maldet-sigpack.tgz maldet(933): {sigup} verified md5sum of maldet-clean.tgz maldet(933): {sigup} unpacked and installed maldet-clean.tgz maldet(933): {sigup} signature set update completed maldet(933): {sigup} 15218 signatures (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)
Configure Linux Malware Detect
/usr/local/maldetect/conf.maldet is the main configuration file of LMD. You can modify its parameters according to your requirements.
nano /usr/local/maldetect/conf.maldet
Below are the few settings you should have it on LMD for successful detection and deletion of malware threats.
# Enable Email Alerting email_alert="1" # Email Address in which you want to receive scan reports email_addr="[email protected]" # Use with ClamAV scan_clamscan="1" # Enable scanning for root-owned files. Set 1 to disable. scan_ignore_root="0" # Move threats to quarantine quarantine_hits="1" # Clean string based malware injections quarantine_clean="1" # Suspend user if malware found. quarantine_suspend_user="1" # Minimum userid value that be suspended quarantine_suspend_user_minuid="500"
If you do not wish to use LMD with ClamAV, then skip the below part.
Linux Malware Detect with ClamAV
LMD performs better with ClamAV, especially when it comes to scanning large file sets. ClamAV (Clam Antivirus) is an open source antivirus engine to detect the virus, malware, trojans & other malicious threats.
ClamAV is available in the base repository, so you can use apt command to install it.
apt-get -y install clamav clamav-daemon clamdscan
By default, the use of ClamAV with LMD has been enabled.
Scan with Linux Malware Detect
Let us test the functionality of LMD by downloading sample virus signature from EICAR website.
cd /tmp wget http://www.eicar.org/download/eicar_com.zip wget http://www.eicar.org/download/eicarcom2.zip
Now, scan the /tmp directory for malware.
maldet -a /tmp
Output:
Linux Malware Detect v1.6.2 (C) 2002-2017, R-fx Networks <[email protected]> (C) 2017, Ryan MacDonald <[email protected]> This program may be freely redistributed under the terms of the GNU GPL v2 maldet(4209): {scan} signatures loaded: 15218 (12485 MD5 | 1954 HEX | 779 YARA | 0 USER) maldet(4209): {scan} building file list for /tmp, this might take awhile... maldet(4209): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6 maldet(4209): {scan} file list completed in 0s, found 4 files... maldet(4209): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine... maldet(4209): {scan} scan of /tmp (4 files) in progress... maldet(4209): {scan} processing scan results for hits: 2 hits 0 cleaned maldet(4209): {scan} scan completed on /tmp: files 4, malware hits 2, cleaned hits 0, time 12s maldet(4209): {scan} scan report saved, to view run: maldet --report 171026-1103.4209
From the output, you can notice that LMD is using ClamAV scanner engine to perform the scan and succeeded in finding two malware hits.
Linux Malware Detector Scan Report
LMD stores its scan reports under /usr/local/maldetect/sess/. Use the maldet command along with SCAN ID to see the detailed scanning report.
maldet --report 171026-1103.4209
Output:
HOST: lmd SCAN ID: 171026-1103.4209 STARTED: Oct 26 2017 11:03:16 +0000 COMPLETED: Oct 26 2017 11:03:28 +0000 ELAPSED: 12s [find: 0s] PATH: /tmp TOTAL FILES: 4 TOTAL HITS: 2 TOTAL CLEANED: 0 FILE HIT LIST: {HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.296395948 {HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.418410660 =============================================== Linux Malware Detect v1.6.2 < [email protected] >
Update Linux Malware Detect
Use the below command to update your LMD.
maldet -d
To update LMD signatures, run:
maldet -u
That’s All.