Previously, we talked about a number of anti-malware tools for GNU/Linux servers. That list was compiled mainly as a basis for our future guides on those tools. Here is a complete step-by-step guide on how to install, configure and run Linux Malware Detect (maldet) on a Linux server, with Ubuntu server commands as the example. The reader does not need much prior experience to follow along.
Again: Linux Malware Detect is a malware scanner for Linux designed to find the threats faced in shared hosting environments, which includes cloud servers. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks; threat data is also derived from user submissions and from malware community resources. The resulting signatures can easily be exported to any number of detection tools such as ClamAV, and maldet itself can be integrated with ClamAV, which is mentioned in the list linked above.
How To Install, Configure & Run Malware Detect (maldet) On Linux Server
It is actually very easy to use:

```sh
cd ~
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
ls -l | grep maldetect
rm maldetect-current.tar.gz
cd maldetect*
./install.sh
```
The configuration file of Malware Detect (maldet) is located at /usr/local/maldetect/conf.maldet. You can also read the documentation at /usr/local/src/maldetect-ver.si.on/README (substitute the installed version) for further instructions. Here we go:

```sh
nano /usr/local/maldetect/conf.maldet
```
This is an example configuration:

```sh
email_alert="1"                      # send an e-mail report after each scan
email_addr="youremail@localhost"     # recipient of the alert e-mails
quarantine_hits="1"                  # 0 = alert only, 1 = move hits to quarantine and alert
quarantine_clean="1"                 # try to clean string-based malware injections
quarantine_suspend_user="1"          # suspend the user account that owns a malware hit
quarantine_suspend_user_minuid=500   # never suspend accounts with a UID below this value
scan_clamscan="1"                    # use the ClamAV engine when clamscan is installed
```
quarantine_hits is the default quarantine action for malware hits: a value of 0 means alert only, while 1 moves the file to quarantine and alerts. quarantine_clean lets you decide whether string-based malware injections should be cleaned. quarantine_suspend_user is the default suspend action for users who own malware hits, since such an account may be running a compromised process. clamav_scan=1 tells maldet to attempt to detect an installed ClamAV binary and use it as the default engine, which gives faster scans and superior analysis. Note that the option names depend on the maldet version: the older 1.4.x releases use quar_hits, quar_clean, quar_susp and clamav_scan (which is why the sample scan output further down says "set quar_hits=1"), while newer releases use the quarantine_* and scan_clamscan names shown in the example above, so check the comments in your own conf.maldet.
To update the library of malware detection signatures, we need to run:

```sh
maldet -u
```

To update Malware Detect itself to the latest release:

```sh
maldet -d
```

To scan all the files residing in a specific directory:

```sh
maldet -a /path
# example
maldet -a /var/www/html/wp-content
maldet --scan-all /var/www/html/wp-content
```
Please note that scanning all the files from / takes hours to complete, which is why we run it in a separate screen session: we can detach from it, re-attach at any time and check the status. After the scan completes you will get a result like the one shown below:

```
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks
(C) 2013, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(20920): {scan} signatures loaded: 11272 (9404 MD5 / 1868 HEX)
maldet(20920): {scan} building file list for /, this might take awhile...
/usr/bin/find: /proc/20974/task/20974/fdinfo/4: No such file or directory
/usr/bin/find: /proc/20974/fdinfo/4: No such file or directory
maldet(20920): {scan} file list completed, found 271615 files...
maldet(20920): {scan} 271615/271615 files scanned: 12 hits 0 cleaned
maldet(20920): {scan} scan completed on /: files 271615, malware hits 12, cleaned hits 0
maldet(20920): {scan} scan report saved, to view run: maldet --report 051913-1142.20920
maldet(20920): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 051913-1142.20920
```
We can then run:

```sh
maldet --report 051913-1142.20920
```

Take 051913-1142.20920 as the SCANID. We can write the commands in this format:

```sh
maldet --report SCANID
```

To move all the threats that Linux Malware Detect has identified into quarantine:

```sh
maldet -q SCANID
```
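To avoid copying the SCANID out of the scan output by hand, here is an added example (not part of the original post and not maldet's own code) that wraps the scan, report and quarantine commands shown above into one POSIX sh script. It assumes maldet is installed and on PATH as described earlier; the script name maldet-scan.sh, the log location under /var/log and the MALDET_QUARANTINE variable are this example's own conventions, and the sample lines quoted in the parsing functions' comments are taken from the scan output above.

```shell
#!/bin/sh
# Added example (not from the original post): run a maldet scan, capture the
# SCANID from its output, show the report and optionally quarantine the hits.
# Assumes maldet is installed and on PATH; log path and MALDET_QUARANTINE are
# this script's own conventions.
set -u

# Parse the SCANID from maldet's "scan report saved" line read on stdin, e.g.
#   maldet(20920): {scan} scan report saved, to view run: maldet --report 051913-1142.20920
# Prints the id (051913-1142.20920) or nothing if no such line is present.
extract_scanid() {
    sed -n 's/.*scan report saved, to view run: maldet --report \([0-9]\{6\}-[0-9]\{4\}\.[0-9]\{1,\}\).*/\1/p' | tail -n 1
}

# Parse the malware hit count from the "scan completed" summary line, e.g.
#   maldet(20920): {scan} scan completed on /: files 271615, malware hits 12, cleaned hits 0
# Prints 0 when the summary is missing so callers can compare numerically.
extract_hits() {
    hits=$(sed -n 's/.*scan completed on .*malware hits \([0-9]\{1,\}\),.*/\1/p' | tail -n 1)
    printf '%s\n' "${hits:-0}"
}

# Scan $1 with maldet, keep the full output as a log, then act on the result.
# Set MALDET_QUARANTINE=1 to quarantine hits (the equivalent of maldet -q SCANID).
run_scan() {
    target=$1
    log="/var/log/maldet-scan-$(date +%Y%m%d-%H%M%S).log"
    maldet -a "$target" 2>&1 | tee "$log"

    scanid=$(extract_scanid < "$log")
    if [ -z "$scanid" ]; then
        echo "could not find a SCANID in $log" >&2
        return 1
    fi
    hits=$(extract_hits < "$log")
    echo "SCANID=$scanid hits=$hits log=$log"
    maldet --report "$scanid"

    if [ "$hits" -gt 0 ] && [ "${MALDET_QUARANTINE:-0}" = "1" ]; then
        maldet -q "$scanid"
    fi
}

# Usage: sh maldet-scan.sh /var/www/html/wp-content
# A full scan of / takes hours, so start it detached under screen and
# re-attach later to check progress:
#   screen -dmS maldet sh maldet-scan.sh /
#   screen -r maldet
[ $# -eq 0 ] || run_scan "$1"
```

Keeping the raw output in a log file means the SCANID and hit count survive even if the screen session is closed, and the quarantine step stays opt-in so a first run on a production host only alerts, matching quarantine_hits=0 behaviour.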
If you want to actively monitor specific directories for malware infection as a daemon, you can combine maldet with inotify-tools to run a live monitor:

```sh
apt-get install inotify-tools
maldet -m /var/www/html/wp-content
```
The rest you will get from the README. The installer itself drops an auto-scan file at /etc/cron.daily/maldet, which performs a daily update of signatures, keeps the session, temp and quarantine data for up to 14 days, and runs a daily scan of recent file system changes.
How To Integrate Malware Detect (maldet) With ClamAV
Simply install ClamAV:

```sh
apt-get install clamav -y
```

Then configure /usr/local/maldetect/conf.maldet as described in the configuration section above, so that maldet detects the ClamAV binary and uses it as the scan engine.