Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license and designed around the threats faced in shared hosting environments. In this guide, we will discuss how to install and use Linux Malware Detect on Linux – CentOS / Fedora / Ubuntu / Debian / Arch etc.
LMD uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Threat data can also be derived from user submissions with the LMD checkout feature and from malware community resources. The LMD signatures are MD5 file hashes and HEX pattern matches and can be easily exported to any number of detection tools such as ClamAV.
Installing Linux Malware Detect on Linux – CentOS / Fedora / Ubuntu / Debian
We will clone the project from its GitHub repository and run the installer script to get Linux Malware Detect working on our Linux system – CentOS / Fedora / Ubuntu / Debian / Arch etc.
Step 1: Clone the project repository.
The Linux Malware Detect project is hosted on GitHub. Download it with the git command, which is easily installable via your system package manager – apt for Debian based systems, yum/dnf for RHEL/Fedora, or pacman for Arch and its derivatives.
# RHEL/CentOS
sudo yum -y install vim git
sudo dnf -y install vim git
# Ubuntu/Debian
sudo apt update
sudo apt -y install vim git
# Arch/Manjaro
sudo pacman -S vim git
Then clone the code from GitHub.
$ git clone https://github.com/rfxn/linux-malware-detect.git
Cloning into 'linux-malware-detect'...
remote: Enumerating objects: 2111, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 2111 (delta 55), reused 53 (delta 33), pack-reused 2027
Receiving objects: 100% (2111/2111), 1.84 MiB | 1.17 MiB/s, done.
Resolving deltas: 100% (1541/1541), done.
Step 2: Run installer script
Once the source code is available locally, navigate to the project directory and run the installer script install.sh with sudo.
$ cd linux-malware-detect/
$ sudo ./install.sh
Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6.5
(C) 2002-2019, R-fx Networks <[email protected]>
(C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(3722): {sigup} performing signature update check...
maldet(3722): {sigup} could not determine signature version
maldet(3722): {sigup} signature files missing or corrupted, forcing update...
maldet(3722): {sigup} new signature set 202301221156048 available
maldet(3722): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(3722): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(3722): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(3722): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(3722): {sigup} verified md5sum of maldet-clean.tgz
maldet(3722): {sigup} unpacked and installed maldet-clean.tgz
maldet(3722): {sigup} signature set update completed
maldet(3722): {sigup} 17368 signatures (14531 MD5 | 2054 HEX | 783 YARA | 0 USER)
Confirm the version of Linux Malware Detect installed.
$ maldet --version
Linux Malware Detect v1.6.5
(C) 2002-2019, R-fx Networks <[email protected]>
(C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
signature set: 202301221156048
usage maldet [-h|--help] [-a|--scan-all PATH] [-r|--scan-recent PATH DAYS]
[-f|--file-list PATH] [-i|--include-regex] [-x|--exclude-regex]
[-b|--background] [-m|--monitor] [-k|--kill-monitor] [-c|--checkout]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log] [-e|--report]
[-u|--update-sigs] [-d|--update-ver]
Step 3: Configure Linux Malware Detect (LMD)
The main configuration file of Linux Malware Detect is located in /usr/local/maldetect/conf.maldet.
To make changes, open the file for editing with your favorite editor.
sudo vim /usr/local/maldetect/conf.maldet
To receive email alerts, enable them and set the recipient address.
email_alert="1"
email_addr="[email protected]"
Go through the whole file and configure it to fit your needs.
Step 4: Using Linux Malware Detect (LMD)
1 – Scan directory with Linux Malware Detect
To scan a directory for malware with Linux Malware Detect, use the command syntax:
sudo maldet -a /path/to/directory
The -a or --scan-all option means scan all files in the path. If no directory is specified, it defaults to /home. A wildcard can be used, e.g.
maldet -a /home/?/public_html
To check all available options, use:
sudo maldet --help
Example:
$ sudo maldet -a /srv/
Linux Malware Detect v1.6.5
(C) 2002-2019, R-fx Networks <[email protected]>
(C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(4361): {scan} signatures loaded: 17368 (14531 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(4361): {scan} building file list for /srv/, this might take awhile...
maldet(4361): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(4361): {scan} file list completed in 0s, found 2 files...
maldet(4361): {scan} scan of /srv/ (2 files) in progress...
maldet(4361): {scan} 2/2 files scanned: 0 hits 0 cleaned
maldet(4361): {scan} scan completed on /srv/: files 2, malware hits 0, cleaned hits 0, time 1s
maldet(4361): {scan} scan report saved, to view run: maldet --report 230124-1714.4361
View the scan results by running the command shown near the end of the output.
sudo maldet --report 230124-1714.4361
2 – Scan files or paths listed in a file (one per line)
You can also supply a file containing a list of paths to scan, one path per line.
$ cat files_to_scan.list
/srv
/var
/root
/home
/var/www/?/public_html
Then run the scan.
$ maldet -f /root/files_to_scan.list
Linux Malware Detect v1.6.5
(C) 2002-2019, R-fx Networks <[email protected]>
(C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(4248): {scan} signatures loaded: 15519 (12707 MD5 | 2035 HEX | 777 YARA | 0 USER)
maldet(4248): {scan} user supplied file list '/root/files_to_scan.list', found 5 files...
maldet(4248): {scan} scan of (5 files) in progress...
maldet(4248): {scan} 5/5 files scanned: 0 hits 0 cleaned
maldet(4248): {scan} scan completed on : files 5, malware hits 0, cleaned hits 0, time 0s
maldet(4248): {scan} scan report saved, to view run: maldet --report 190603-0951.4248
To view the generated scan report, run the command shown.
$ maldet --report 190603-0951.4248
3 – Only scan files modified in the last X days
If you only need to scan files created or modified in the last X days, use the -r option. If no number of days is passed, the default is the last 7 days.
The example below scans the /srv directory for files modified in the last 5 days.
sudo maldet -r /srv 5
Check the web content directories for files modified in the last 10 days.
sudo maldet -r /var/www/?/public_html 10
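Scans like the ones above are usually run from cron, where nobody reads the output. As an added example (not part of this guide or the LMD project), the POSIX sh wrapper below runs the recent-files scan, then parses the "scan completed" and "scan report saved" lines shown earlier in this guide to extract the hit count and report id, exiting non-zero when there were hits so an alerting job can react. The function names are hypothetical, and the sample output is constructed from the lines shown in this guide for use when maldet is not installed.

```shell
#!/bin/sh
# Added example, not LMD's own code. Parses the summary lines maldet prints at
# the end of a scan (format as shown in this guide) so cron can act on them.

# Print the "malware hits N" count from maldet scan output read on stdin.
lmd_hits() {
    sed -n 's/.*{scan} scan completed on .*malware hits \([0-9][0-9]*\),.*/\1/p' | tail -n 1
}

# Print the report id from "scan report saved, to view run: maldet --report ID".
lmd_report_id() {
    sed -n 's/.*maldet --report \([0-9A-Za-z.-]*\).*/\1/p' | tail -n 1
}

# Read scan output on stdin, print "hits=N report=ID",
# return 0 when no malware was found and 1 otherwise.
lmd_summarize() {
    out=$(cat)
    hits=$(printf '%s\n' "$out" | lmd_hits)
    id=$(printf '%s\n' "$out" | lmd_report_id)
    printf 'hits=%s report=%s\n' "${hits:-unknown}" "${id:-none}"
    [ "${hits:-1}" -eq 0 ]
}

# Constructed sample (taken from the output shown in this guide), used only
# when maldet is not installed so the wrapper can still be exercised.
SAMPLE='maldet(4361): {scan} scan completed on /srv/: files 2, malware hits 0, cleaned hits 0, time 1s
maldet(4361): {scan} scan report saved, to view run: maldet --report 230124-1714.4361'

# Run "maldet -r PATH DAYS" (defaults: /home, 7 days) and summarise the result.
lmd_scan_recent() {
    path=${1:-/home}; days=${2:-7}
    {
        if command -v maldet >/dev/null 2>&1; then
            sudo maldet -r "$path" "$days" 2>&1
        else
            printf '%s\n' "$SAMPLE"
        fi
    } | lmd_summarize
}
```

A cron entry can call `lmd_scan_recent /var/www 1` and mail or page on a non-zero exit; the printed report id is what you pass to maldet --report to see the details.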
4 – Update Linux Malware Detect
To update malware detection signatures from rfxn.com, run:
$ sudo maldet -u
Linux Malware Detect v1.6.5
(C) 2002-2019, R-fx Networks <[email protected]>
(C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(6021): {sigup} performing signature update check...
maldet(6021): {sigup} local signature set is version 201906014705
maldet(6021): {sigup} latest signature set already installed
5 – Update installed version of LMD
To pull the latest release of LMD from rfxn.com, use:
$ sudo maldet -d
Linux Malware Detect v1.6.5
(C) 2002-2019, R-fx Networks <[email protected]>
(C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(6212): {update} checking for available updates...
maldet(6212): {update} hashing install files and checking against server...
maldet(6212): {update} latest version already installed.
6 – Execute under specified user
If you run scans from cron jobs or scripts, you may need to specify the user to execute as. This is useful for restoring files from a user's quarantine or for viewing that user's reports. See the examples below.
$ maldet --user nobody --report
$ maldet --user nobody --restore 050910-1534.21135
7 – Clear logs, quarantine queue, session and temporary data
To clear all of the data listed above, use the -p option (the executable is maldet, as installed in Step 2).
sudo maldet -p
For more reading, consult the LMD documentation.