How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine

Installing ClamAV on RHEL/CentOS 7.0/6.x and Fedora 21-12

To install ClamAV in order to take advantage of the clamav_scan setting, follow these steps:

Create the repo file /etc/yum.repos.d/dag.repo:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1

Then do:

# yum update && yum install clamd

Note: These are only the basic instructions for installing ClamAV so that it can be integrated with LMD. We will not go into detail about ClamAV settings because, as we said earlier, LMD signatures remain the basis for detecting and cleaning threats.

Testing Linux Malware Detect

Now it’s time to test our recent LMD / ClamAV installation. Instead of using real malware, we will use the EICAR test files, which are available for download from the EICAR website.

# cd /var/www/html
# wget http://www.eicar.org/download/eicar.com 
# wget http://www.eicar.org/download/eicar.com.txt 
# wget http://www.eicar.org/download/eicar_com.zip 
# wget http://www.eicar.org/download/eicarcom2.zip 

At this point you can either wait for the next cron job to run, or execute maldet manually yourself. We’ll go with the second option:

# maldet --scan-all /var/www/

LMD also accepts wildcards, so if you want to scan only a certain type of file (zip files, for example), you can do so:

# maldet --scan-all /var/www/*.zip

Scan Malware in Linux

When the scanning is complete, you can either check the email that was sent by LMD or view the report with:

# maldet --report 021015-1051.3559

Linux Malware Scan Report

Where 021015-1051.3559 is the SCANID (the SCANID will be slightly different in your case).

Important: Please note that LMD found 5 hits since the eicar.com file was downloaded twice (thus resulting in eicar.com and eicar.com.1).
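If you run the scan from a script rather than by hand, you will want to pull the SCANID and the hit count out of the scan output instead of reading them off the screen. The following POSIX shell functions are an added example (not part of the original article or of the LMD project) and assume the "scan completed" and "scan report saved" lines that maldet prints at the end of a scan; the sample output below is constructed for the example.

```shell
#!/bin/sh
# Added example: wrap a maldet scan so that a cron job or monitoring script
# can extract the SCANID, show the report and alert when hits were recorded.

# Pull the SCANID out of the line "... to view run: maldet --report SCANID".
# (Assumed line format, modelled on what maldet prints after a scan.)
scanid_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*maldet --report \([0-9]*-[0-9]*\.[0-9]*\).*/\1/p' |
        head -n 1
}

# Pull the "malware hits N" count out of the "{scan} scan completed" line.
hits_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*malware hits \([0-9]*\).*/\1/p' |
        head -n 1
}

# Scan the given path (run as root), print the report for the resulting
# SCANID, and return non-zero when any hits were found so the caller can alert.
scan_and_report() {
    out=$(maldet --scan-all "$1" 2>&1)
    id=$(scanid_from_output "$out")
    hits=$(hits_from_output "$out")
    [ -n "$id" ] && maldet --report "$id"
    [ "${hits:-0}" -eq 0 ]
}

# Constructed sample output (the SCANID and counts are invented), shaped like
# the last lines maldet prints after "maldet --scan-all /var/www/".
SAMPLE_OUTPUT='maldet(3559): {scan} scan of /var/www/ (5 files) in progress...
maldet(3559): {scan} scan completed on /var/www/: files 5, malware hits 5, cleaned hits 0, time 3s
maldet(3559): {scan} scan report saved, to view run: maldet --report 021015-1051.3559'

# Stand-alone demonstration on the sample output (no maldet needed).
echo "SCANID: $(scanid_from_output "$SAMPLE_OUTPUT")"
echo "hits:   $(hits_from_output "$SAMPLE_OUTPUT")"
```

To use it for real, call scan_and_report /var/www/ from a cron entry and let the non-zero exit status drive your alerting.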

If you check the quarantine folder (I just left one of the files and deleted the rest), you will see the following:

# ls -l

Linux Malware Detect Quarantine Files

If, for some reason,

# maldet --clean SCANID

doesn’t get the job done, you can remove all quarantined files manually with:

# rm -rf /usr/local/maldetect/quarantine/*

You may refer to the following screencast for a step-by-step explanation of the above process:

Final Considerations

Since maldet needs to be integrated with cron, if you notice that LMD is not running correctly on a daily basis, set the following variables in root’s crontab (run crontab -e as root):

PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
SHELL=/bin/bash

This will help provide the necessary debugging information.

Conclusion

In this article we have discussed how to install and configure Linux Malware Detect, along with ClamAV, a powerful ally. With the help of these 2 tools, detecting malware should be a rather easy task.

However, do yourself a favor and become familiar with the README file as explained earlier, and you’ll be able to rest assured that your system is being well accounted for and well managed.

Do not hesitate to leave your comments or questions, if any, using the form below.

Reference Links

LMD Homepage


Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.


117 Responses

  1. Armin says:

    Thank you for this article.

    Since the last update of this article was in Feb 2015, I wonder if this is still an up-to-date and applicable solution, or whether there are more recent methods to obtain security?
    Thanks

  2. Danilo says:

    Hello!! No matter what I try, I always get this “Failed to enable unit: No such file or directory” message, which didn’t seem like a big thing, but then when I try to run maldet I get the error “bash: maldet: Comando não encontrado…”, which is in Portuguese (I’m Brazilian), but it means “Command not Found”.

    Any ideas how to solve this? (clamav is installed)

    [[email protected] maldetect-1.6.2]# ./install.sh
    Failed to enable unit: No such file or directory
    Linux Malware Detect v1.6
    (C) 2002-2017, R-fx Networks
    (C) 2017, Ryan MacDonald
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    imported config options from /usr/local/maldetect.last/conf.maldet
    maldet(30589): {sigup} performing signature update check…
    maldet(30589): {sigup} local signature set is version 2017070716978
    maldet(30589): {sigup} new signature set (201708255569) available
    maldet(30589): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
    maldet(30589): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
    maldet(30589): {sigup} verified md5sum of maldet-sigpack.tgz
    maldet(30589): {sigup} unpacked and installed maldet-sigpack.tgz
    maldet(30589): {sigup} verified md5sum of maldet-clean.tgz
    maldet(30589): {sigup} unpacked and installed maldet-clean.tgz
    maldet(30589): {sigup} signature set update completed
    maldet(30589): {sigup} 15218 signatures (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)

    [[email protected] maldetect-1.6.2]# maldet
    bash: maldet: Comando não encontrado…
    [[email protected] maldetect-1.6.2]#

    • Ravi Saive says:

      I think the “ed” package wasn’t installed by default, and I thought that this must be a bug or an error. Try to install the ‘ed’ package as shown.

      For Debian based distros:

      # apt-get install ed

      For Red Hat based distros:

      # yum install ed

  3. Don Everly says:

    So you install a package outside of the repo without any integrity checking, for malware detection?

  4. Armin says:

    When I scan eicar test files using the clamscan command it finds viruses, but when I use lmd --scan-all it doesn’t find anything!! I tried clamav_scan=0 and 1 in conf.maldet.
