How to Install and Configure Linux Malware Detect (LMD) on Linux

The Linux operating system is not virus-free, but very little malware has been reported for it to date.

You may need a tool of this kind when you run a web-facing system.

For example, if one of the CMS (WordPress, Joomla, etc.) websites on a server is infected with malware, the infection can easily spread to the others.

Install Linux Malware Detect on your system to find and clean such files.

This is one example; LMD is not limited to it and can be used for other purposes as well.

What is Malware

Malware is malicious software designed to damage a computer system, collect sensitive information, or gain access to private computer systems.

In general, a software package is considered malware based on the intent behind its actual features.

Most real-world malware is created for advertising (adware), stealing sensitive information (spyware), sending email spam or distributing child pornography (zombie computers), or extortion (ransomware).

Various factors can make your computers more vulnerable to malware attacks, including flaws in operating system design.

Types of malware include adware, bots, bugs, rootkits, spyware, Trojan horses, viruses and worms.

What is Linux Malware Detect (LMD)

Linux Malware Detect (LMD) is a malware scanner for Linux distributions.

It is designed to detect threats in shared hosting environments, where thousands of users share the same resources and each user uploads many files such as scripts and pictures.

It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for its detection.

In addition, threat data is also derived from user submissions made with the LMD checkout feature and from malware community resources.

The signatures LMD uses are MD5 file hashes and HEX pattern matches; they can also be easily exported to other detection tools such as ClamAV.

1) How to Install Linux Malware Detect (LMD) on Linux

There is no official distribution repository or package for Linux Malware Detect (LMD), so you must install it from the source archive downloaded from the official website.

Use the wget command to download the LMD archive file and perform the installation as shown below.

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.6.4
# ./install.sh

2) How to Configure Linux Malware Detect (LMD) on Linux

The configuration of LMD is handled by the “/usr/local/maldetect/conf.maldet” file, and most of the options are commented for easy configuration.

LMD disables auto-quarantine by default, so you need to enable it. Also, make the following changes so that threats are detected and eliminated successfully.

# vi /usr/local/maldetect/conf.maldet

[To Enable eMail Alerting]
email_alert=1

[Email address to which scan reports are sent; replace user@example.com with your own address]
email_addr="user@example.com"

[Move threats to quarantine]
quarantine_hits=1

[Clean malware injections]
quarantine_clean=1

[Enable scanning of root-owned files. Set to 1 to disable]
scan_ignore_root="0"

[Suspend user if malware found]
quarantine_suspend_user=1

[Minimum user ID that can be suspended]
quarantine_suspend_user_minuid=500
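Editing conf.maldet by hand is fine for one server, but if you manage several you will want the same settings applied the same way every time. The following shell script is an added example and is not part of LMD or of this article; it assumes the key="value" layout that conf.maldet uses, and the sample conf it edits is constructed for the demo (the real file is /usr/local/maldetect/conf.maldet). The set_maldet_option and get_maldet_option helpers are hypothetical names.

```shell
#!/bin/sh
# Added example (not part of LMD or the article): set conf.maldet options
# idempotently from a script, so repeated runs never duplicate a key.
# Assumes the key="value" layout of conf.maldet; the sample file used in
# the demo is constructed.

# set_maldet_option CONF KEY VALUE
# Rewrites an existing KEY= line in place, or appends it when absent.
# VALUE must not contain '|', which is the sed delimiter used here.
set_maldet_option() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$conf"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$conf"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$conf"
    fi
}

# get_maldet_option CONF KEY
# Prints the value of KEY without surrounding quotes; the last definition
# wins, which is also what happens when the file is sourced.
get_maldet_option() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# Demo on a constructed sample conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample: a few lines in the style of conf.maldet
email_alert="0"
email_addr="you@domain.com"
quarantine_hits="0"
quarantine_clean="0"
EOF
set_maldet_option "$demo_conf" email_alert 1
set_maldet_option "$demo_conf" email_addr admin@example.com   # placeholder address
set_maldet_option "$demo_conf" quarantine_hits 1
set_maldet_option "$demo_conf" quarantine_clean 1
set_maldet_option "$demo_conf" scan_clamscan 1                # key absent: appended
cat "$demo_conf"
echo "email_addr is now: $(get_maldet_option "$demo_conf" email_addr)"
rm -f "$demo_conf"
```

Because the function checks for an existing key before writing, running the script twice leaves exactly one definition of each key, which is what you want when the script is part of a provisioning step.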

3) How to Configure LMD to Use ClamAV for Malware Scan

LMD performs better when scanning large file sets with ClamAV.

ClamAV is an open source anti-virus toolkit designed especially for e-mail scanning on mail gateways.

You must install ClamAV AntiVirus on your system to use this feature.

To do so, you need to enable ClamAV in the LMD configuration file as shown below.

# vi /usr/local/maldetect/conf.maldet

scan_clamscan="1"

4) How to Scan the Linux System Using LMD

You can scan using the maldet command as shown below.

For testing purposes, we will scan the “/opt” directory for malware.

# maldet --scan-all /opt

Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4465): {scan} signatures loaded: 17822 (13908 MD5 / 1914 HEX / 0 USER)
maldet(4465): {scan} building file list for /opt, this might take awhile...
maldet(4465): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(4465): {scan} file list completed in 0s, found 1 files...
maldet(4465): {scan} scan of /opt (1 files) in progress...
maldet(4465): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(4465): {scan} scan completed on /opt: files 1, malware hits 0, cleaned hits 0, time 1s
maldet(4465): {scan} scan report saved, to view run: maldet --report 200512-2043.4465

5) How to View LMD Scan Report

LMD saves scan reports under the “/usr/local/maldetect/sess/” directory. Use the maldet command with the SCAN ID to see the detailed scan report.

# maldet --report 200512-2043.4465

HOST:      2daygeek
SCAN ID:   151218-2043.4465
STARTED:   May 12 2020 20:43:23 +0530
COMPLETED: May 12 2020 20:43:24 +0530
ELAPSED:   1s [find: 0s]

PATH:          /opt
TOTAL FILES:   1
TOTAL HITS:    0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.6.4 < [email protected] >
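When maldet runs from cron or a deployment pipeline, nobody is reading the lines above, so a script has to decide whether the scan was clean. The following is an added example, not part of LMD or this article: it parses the "scan completed" and "scan report saved" summary lines and the TOTAL HITS line of a report, and turns them into an exit status. The sample text is constructed from the output shown above, and the function names (maldet_report_id, maldet_hit_count, report_total_hits, maldet_scan_status) are hypothetical; the layout of the summary lines is assumed to stay as in v1.6.4.

```shell
#!/bin/sh
# Added example (not part of LMD or the article): parse the summary lines that
# "maldet --scan-all" and "maldet --report" print so a cron job or deployment
# check can react to the result. Sample text is constructed from the article's
# output; the field layout of the summary lines is assumed stable.

# Read scan output on stdin; print the report id from the "scan report saved" line.
maldet_report_id() {
    sed -n 's/.*scan report saved, to view run: maldet --report \([0-9.-]*\).*/\1/p' | tail -n 1
}

# Read scan output on stdin; print the "malware hits N" count from the "scan completed" line.
maldet_hit_count() {
    sed -n 's/.*scan completed on .*: files [0-9]*, malware hits \([0-9]*\),.*/\1/p' | tail -n 1
}

# Read a saved report on stdin; print the TOTAL HITS value.
report_total_hits() {
    sed -n 's/^TOTAL HITS:[[:space:]]*\([0-9]*\).*/\1/p' | tail -n 1
}

# Read scan output on stdin. Exit 0 when clean, 1 when hits were found,
# 2 when no "scan completed" line is present (the scan did not finish).
maldet_scan_status() {
    hits=$(maldet_hit_count)
    [ -n "$hits" ] || return 2
    [ "$hits" -eq 0 ] || return 1
    return 0
}

# Demo on constructed output: a clean scan, then a report showing two hits.
SAMPLE_SCAN='maldet(4465): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(4465): {scan} scan completed on /opt: files 1, malware hits 0, cleaned hits 0, time 1s
maldet(4465): {scan} scan report saved, to view run: maldet --report 200512-2043.4465'
SAMPLE_REPORT='PATH:          /opt
TOTAL FILES:   40
TOTAL HITS:    2
TOTAL CLEANED: 0'

echo "report id: $(printf '%s\n' "$SAMPLE_SCAN" | maldet_report_id)"
printf '%s\n' "$SAMPLE_SCAN" | maldet_scan_status && rc=0 || rc=$?
echo "scan status: $rc (0 = clean, 1 = hits found, 2 = scan did not complete)"
echo "report hits: $(printf '%s\n' "$SAMPLE_REPORT" | report_total_hits)"
```

In practice you would pipe the real command into these functions, for example maldet --scan-all /var/www 2>&1 | tee scan.log | maldet_scan_status, and page someone on a non-zero status; treating "no scan completed line" as its own failure code catches the case where maldet was killed or never started, which a plain grep for hits would silently report as clean.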

6) How to Remove Injected Files

I didn’t get any injected files as part of this scan. If you find a file that contains a malware injection on your system, use the commands below to remove it.

To quarantine infected files.

# maldet -q SCANID

To clean up infected files.

# maldet -n SCANID

7) How to Update LMD and Its Signatures

Use the commands below to update them to the latest versions.

To update LMD.

# maldet -d

To update malware detection signatures.

# maldet -u

8) How to Use LMD to Live Monitor a Directory

If you want to actively monitor a specific directory for a malware infection, you need to run maldet as a daemon.

Also, it requires inotify-tools, so install the inotify-tools package on your system before running the live monitor.

# yum install inotify-tools
# dnf install inotify-tools
# apt-get install inotify-tools
# pacman -S inotify-tools

Once inotify-tools is installed, maldet uses it for monitoring. Run the maldet command to live monitor a directory:

# maldet -m /home/daygeek
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(5814): {mon} set inotify max_user_watches to 49152
maldet(5814): {mon} added /home/daygeek to inotify monitoring array
maldet(5814): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(5814): {mon} inotify startup successful (pid: 5912)
maldet(5814): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

Use the tail command (tail -f) on the above log file to follow the monitor output live.
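The startup line "set inotify max_user_watches to 49152" matters more than it looks: inotify needs one watch per directory under each monitored path, and the kernel caps watches per user, so a large tree can exceed the limit and silently go unwatched. The following shell script is an added example and not part of LMD or this article; it counts the directories under a path and compares that with the current fs.inotify.max_user_watches value before you start maldet -m. The directory tree in the demo is constructed, and the helper names (watches_needed, watch_limit, watches_sufficient, check_monitor_path) are hypothetical.

```shell
#!/bin/sh
# Added example (not part of LMD or the article): the monitor needs one inotify
# watch per directory under each monitored path, and the kernel caps watches
# per user (fs.inotify.max_user_watches; the article's startup output shows
# maldet raising it to 49152). Check a path against the limit before starting
# "maldet -m". The directory tree used in the demo is constructed.

# watches_needed PATH: number of directories under PATH, PATH itself included.
watches_needed() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# watch_limit: current per-user inotify watch limit (0 when unreadable,
# for example on a non-Linux system).
watch_limit() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 0
}

# watches_sufficient NEEDED LIMIT: exit 0 when LIMIT covers NEEDED, 1 otherwise.
watches_sufficient() {
    [ "$1" -le "$2" ]
}

# check_monitor_path PATH: print a verdict for PATH using the live kernel limit.
check_monitor_path() {
    needed=$(watches_needed "$1")
    limit=$(watch_limit)
    if watches_sufficient "$needed" "$limit"; then
        echo "$1: $needed directories, limit $limit: ok to monitor"
    else
        echo "$1: $needed directories exceed limit $limit; raise fs.inotify.max_user_watches first"
        return 1
    fi
}

# Demo on a constructed tree: the root plus three directories, so 4 watches.
demo=$(mktemp -d)
mkdir -p "$demo/a/b" "$demo/c"
check_monitor_path "$demo" || true
rm -rf "$demo"
```

Remember that the limit is shared by every inotify user on the box, so if another daemon already holds most of the watches the monitor can still fall short even when this check passes; the inotify_log is the place to confirm that every path was actually added.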

9) Automatic Scan

When LMD is installed, it drops an auto-scan file at /etc/cron.daily/maldet, which updates the signatures daily, keeps session, temporary and quarantine data for up to 14 days, and runs a daily scan of the most recent file system changes.


8 Comments on “How to Install and Configure Linux Malware Detect (LMD) on Linux”

  1. Thanks for your tutorial, this worked great for a while 🙂

    I am running into an issue here with maldet / inotify.
    My inotify_log is now 10gb.
    Is there a way to stop the continuous writing to the inotify_log?

    Hope you have any tips for me. Thanks!

    1. Use the command below to remove old logs and keep the latest for further reference.

      If you have yearly logs (2012, 2013, etc.), use the command below and change the year as per your requirements.
      # sed -i '/2012/d' inotify_log
