Install maldetect Linux Malware Detect on CentOS/RHEL, Debian, Ubuntu


Download the latest release and untar it:



# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzf maldetect-current.tar.gz


Change to the maldetect directory and run the install script:



# cd maldetect-*
# ./install.sh


The installer will update the signature set and install the following files:


config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet


To update the program version:



# maldet --update-ver


The signatures are updated daily by the maldet script under cron.daily; if you wish to update them manually, run:



# maldet --update


Next, let's configure email alerts and some other maldet features, such as quarantining any malware found and sending us an alert:



# vi /usr/local/maldetect/conf.maldet


Make these changes according to your environment, replacing email_addr with your email address:



email_alert=1
email_subj="maldet alert from your address mail"
email_addr="youraddressmail"
quar_hits=1
maxfilesize="10240k"

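As an added example (not from the original post), a small POSIX shell helper that applies the settings above to conf.maldet without leaving duplicate or commented-out copies of a key, keeps a backup, and refuses to run while email_addr is still the placeholder. The function names and the sample conf file are constructed for this demonstration.

```shell
#!/bin/sh
# set_opt CONF KEY VALUE: rewrite an existing KEY= line (even a commented-out one)
# in place, or append KEY=VALUE if the key is absent, so re-running stays idempotent.
set_opt() {
    _conf=$1 _key=$2 _val=$3
    if grep -q "^[# ]*${_key}=" "$_conf"; then
        sed "s|^[# ]*${_key}=.*|${_key}=${_val}|" "$_conf" > "$_conf.new" && mv "$_conf.new" "$_conf"
    else
        printf '%s=%s\n' "$_key" "$_val" >> "$_conf"
    fi
}

# get_opt CONF KEY: print the effective (last) value of KEY with surrounding quotes removed.
get_opt() {
    sed -n "s|^${2}=||p" "$1" | tail -n 1 | tr -d '"'
}

# apply_alert_config CONF EMAIL: the settings shown in the post. Refuses to write the
# placeholder "youraddressmail" (or anything not shaped like user@host), then backs up the file.
apply_alert_config() {
    _conf=$1 _email=$2
    case $_email in
        *@*.*) ;;
        *) echo "apply_alert_config: '$_email' is not a usable address, aborting" >&2; return 1 ;;
    esac
    cp "$_conf" "$_conf.bak.$(date +%Y%m%d%H%M%S)"
    set_opt "$_conf" email_alert 1
    set_opt "$_conf" email_subj "\"maldet alert from $(uname -n)\""
    set_opt "$_conf" email_addr "\"$_email\""
    set_opt "$_conf" quar_hits 1
    set_opt "$_conf" maxfilesize '"10240k"'
}

# Constructed sample conf (a few lines in the shape of conf.maldet) so the demo runs offline;
# on a real host you would pass /usr/local/maldetect/conf.maldet instead.
DEMO_CONF=$(mktemp -d)/conf.maldet
cat > "$DEMO_CONF" <<'EOF'
# sample settings, constructed for this example
email_alert=0
#email_addr="you@domain.com"
quar_hits=0
EOF

# Left at the placeholder: rejected, file untouched.
apply_alert_config "$DEMO_CONF" youraddressmail && echo "unexpected: placeholder accepted" >&2
# Real address: alerts on, hits quarantined, exactly one email_addr line.
apply_alert_config "$DEMO_CONF" ops@example.com
echo "email_addr is now $(get_opt "$DEMO_CONF" email_addr)"
```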

The maldet script under cron.daily has some default configuration that can be changed to suit your environment. By default it checks for new definitions, sends daily inotify alerts to the email address defined in the conf file, and, if inotify isn't running, scans for file changes over the last 2 days on /home?/?/public_html (? being a wildcard).


maldet can be started as a daemon in monitor mode, which actively monitors the given directories. The monitor flag takes one of three forms:

-m, --monitor USERS|PATHS|FILE

If USERS is specified, user home directories for UIDs > 500 are monitored, e.g.: maldet --monitor users

If FILE is specified, paths are read from that file, one per line, e.g.: maldet --monitor /root/monitor_paths

If PATHS are specified, they must be a comma-separated list, NO WILDCARDS! e.g.: maldet --monitor /home/mike,/home/ashton

I want to monitor the /opt, /var, /sbin and /home directories, so I would start maldet in real-time monitor mode like this:

# maldet -m /opt,/var,/sbin,/home

If you get an error like this:

"{mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors."

install the following package and try again:

# yum install glibc

Manual Scans and Usage

To scan the users' home directories, simply issue the following command:

# maldet --scan-all /home

If you performed a scan without the quarantine option turned on, don't worry: use one of the following commands to quarantine (or clean) all the hits from that earlier scan, identified by its SCANID.

# maldet --quarantine SCANID
OR
# maldet --clean SCANID

Step 5: Daily Scans

By default the installation places the LMD script at /etc/cron.daily/maldet; it performs the daily scan, signature update and quarantine, and sends a daily malware scan report to the email addresses you specified. If you need additional paths to be scanned, edit this file to suit your requirements:

# vim /etc/cron.daily/maldet