How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine

Malware, or malicious software, is the designation given to any program that aims at disrupting the normal operation of a computing system. Although the most well known forms of malware are viruses, spyware, and adware, the harm that they intend to cause may range from stealing private information to deleting personal data, and everything in between, while another classic use of malware is to control the system in order to use it to launch botnets in a (D)DoS attack.

Linux Malware Detect

Read Also: Protect Apache Against Brute Force or DDoS Attacks

In other words, you can’t afford to think, “I don’t need to secure my system(s) against malware since I’m not storing any sensitive or important data”, because those are not the only targets of malware.

For that reason, in this article we will explain how to install and configure Linux Malware Detect (aka MalDet or LMD for short) along with ClamAV (Antivirus Engine) in RHEL 7.0/6.x (where x is the version number), CentOS 7.0/6.x and Fedora 21-12.

A malware scanner released under the GPL v2 license, specially designed for hosting environments. However, you will quickly realize that you will benefit from MalDet no matter what kind of environment you’re working on.

Installing LMD on RHEL/CentOS 7.0/6.x and Fedora 21-12

LMD is not available from online repositories, but is distributed as a tarball from the project’s web site. The tarball containing the source code of the latest version is always available at the following link, where it can be downloaded with:

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Then we need to unpack the tarball and enter the directory where its contents were extracted. Since current version is 1.4.2, the directory is maldetect-1.4.2. There we will find the installation script, install.sh.

# tar -xvf maldetect-current.tar.gz
# ls -l | grep maldetect
Download Linux Malware Detect

Download Linux Malware Detect

If we inspect the installation script, which is only 75 lines long (including comments), we will see that it not only installs the tool, but also performs a pre-check to see if the default installation directory (/usr/local/maldetect) exists. If not, the script creates the installation directory before proceeding.

Finally, after the installation is completed, a daily execution via cron is scheduled by placing the cron.daily script (refer to the image above) in /etc/cron.daily. This helper script will, among other things, clear old temporary data, check for new LMD releases, and scan the default Apache and web control panels (i.e., CPanel, DirectAdmin, to name a few) default data directories.

That being said, run the installation script as usual:

# ./install.sh
Install Linux Malware Detect in Linux

Install Linux Malware Detect in Linux

Configuring Linux Malware Detect

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet and all options are well commented to make configuration a rather easy task. In case you get stuck, you can also refer to /usr/local/src/maldetect-1.4.2/README for further instructions.

In the configuration file you will find the following sections, enclosed inside square brackets:

  1. EMAIL ALERTS
  2. QUARANTINE OPTIONS
  3. SCAN OPTIONS
  4. STATISTICAL ANALYSIS
  5. MONITORING OPTIONS

Each of these sections contains several variables that indicate how LMD will behave and what features are available.

  1. Set email_alert=1 if you want to receive email notifications of malware inspection results. For the sake of brevity, we will only relay mail to local system users, but you can explore other options such as sending mail alerts to the outside as well.
  2. Set email_subj=”Your subject here” and [email protected] if you have previously set email_alert=1.
  3. With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert) you will tell LMD what to do when malware is detected.
  4. quar_clean will let you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, “a contiguous byte sequence that potentially can match many variants of a malware family”.
  5. quar_susp, the default suspend action for users with hits, will allow you to disable an account whose owned files have been identified as hits.
  6. clamav_scan=1 will tell LMD to attempt to detect the presence of ClamAV binary and use as default scanner engine. This yields an up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine, and LMD signatures are still the basis for detecting threats.

Important: Please note that quar_clean and quar_susp require that quar_hits be enabled (=1).

Summing up, the lines with these variables should look as follows in /usr/local/maldetect/conf.maldet:

email_alert=1
[email protected]
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clam_av=1

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

117 Responses

  1. Armin says:

    Thank you for this article.

    Since the last update of this article is on Feb 2015, I wonder if this is still an updated and applicable solutions or there are more recent methods to obtain security?
    Thanks

  2. Danilo says:

    Hello!! no matter what i try, i alway get this “Failed to enable unit: No such file or directory” message, which didn’t seem like a big thing, but then when i try to run maldet i get the error “bash: maldet: Comando não encontrado…” which is in Portuguese (i’m Brazilian), but it means “Command not Found“.

    Any ideas how to solve this ? (clamav is installed)

    [[email protected] maldetect-1.6.2]# ./install.sh
    Failed to enable unit: No such file or directory
    Linux Malware Detect v1.6
    (C) 2002-2017, R-fx Networks
    (C) 2017, Ryan MacDonald
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    imported config options from /usr/local/maldetect.last/conf.maldet
    maldet(30589): {sigup} performing signature update check…
    maldet(30589): {sigup} local signature set is version 2017070716978
    maldet(30589): {sigup} new signature set (201708255569) available
    maldet(30589): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
    maldet(30589): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
    maldet(30589): {sigup} verified md5sum of maldet-sigpack.tgz
    maldet(30589): {sigup} unpacked and installed maldet-sigpack.tgz
    maldet(30589): {sigup} verified md5sum of maldet-clean.tgz
    maldet(30589): {sigup} unpacked and installed maldet-clean.tgz
    maldet(30589): {sigup} signature set update completed
    maldet(30589): {sigup} 15218 signatures (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)

    [[email protected] maldetect-1.6.2]# maldet
    bash: maldet: Comando não encontrado…
    [[email protected] maldetect-1.6.2]#

    • Ravi Saive says:

      I think the “ed” package wasn’t installed by default and I thought that this must be a bug or an error. Try to install ‘ed’ package as shown.

      For Debian based distro’s:

      # apt-get install ed
      

      For Red Hat based distro’s:

      # yum install ed
      
  3. Don Everly says:

    So you install a package outside of the repo without any integrity checking, for malware detection ?

  4. Armin says:

    When I scan eicar test files using clamscan command it finds viruses but when I use lmd –scan-all it doesn’t find anything!! I tried clamav_scan=0 and 1 in conf.maldet.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.