How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine

Malware, or malicious software, is the designation given to any program that aims at disrupting the normal operation of a computing system. Although the most well-known forms of malware are viruses, spyware, and adware, the harm that they intend to cause may range from stealing private information to deleting personal data, and everything in between, while another classic use of malware is to control the system in order to use it to launch botnets in a (D)DoS attack.

In other words, you can’t afford to think, “I don’t need to secure my system(s) against malware since I’m not storing any sensitive or important data”, because those are not the only targets of malware.

For that reason, in this article, we will explain how to install and configure Linux Malware Detect (aka MalDet or LMD for short) along with ClamAV (Antivirus Engine) in RHEL 8/7/6, CentOS 8/7/6 and Fedora 30-32 (the same instructions also work on Ubuntu and Debian systems).

LMD is a malware scanner released under the GPL v2 license, specially designed for hosting environments. However, you will quickly realize that you will benefit from MalDet no matter what kind of environment you’re working on.

Installing LMD on RHEL/CentOS and Fedora

LMD is not available from online repositories but is distributed as a tarball from the project’s web site. The tarball containing the source code of the latest version is always available at the following link, where it can be downloaded with wget command:

# wget

Then we need to unpack the tarball and enter the directory where its contents were extracted. Since the current version is 1.6.4, the directory is maldetect-1.6.4. There we will find the installation script,

# tar -xvf maldetect-current.tar.gz
# ls -l | grep maldetect
# cd maldetect-1.6.4/
# ls
Download Linux Malware Detect

If we inspect the installation script, which is only 75 lines long (including comments), we will see that it not only installs the tool but also performs a pre-check to see if the default installation directory (/usr/local/maldetect) exists. If not, the script creates the installation directory before proceeding.

Finally, after the installation is completed, a daily execution via cron is scheduled by placing the cron.daily script (refer to the image above) in /etc/cron.daily. This helper script will, among other things, clear old temporary data, check for new LMD releases, and scan the default data directories of Apache and of web control panels (e.g., cPanel and DirectAdmin, to name a few).

That being said, run the installation script as usual:

# ./
Install Linux Malware Detect in Linux

Configuring Linux Malware Detect

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet and all options are well commented to make configuration a rather easy task. In case you get stuck, you can also refer to /maldetect-1.6.4/README for further instructions.

In the configuration file you will find the following sections, enclosed inside square brackets:


Each of these sections contains several variables that indicate how LMD will behave and what features are available.

  1. Set email_alert=1 if you want to receive email notifications of malware inspection results. For the sake of brevity, we will only relay mail to local system users, but you can explore other options such as sending mail alerts to the outside as well.
  2. Set email_subj="Your subject here" and [email protected] if you have previously set email_alert=1.
  3. With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert), you tell LMD what to do when malware is detected.
  4. quar_clean will let you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, “a contiguous byte sequence that potentially can match many variants of a malware family”.
  5. quar_susp, the default suspend action for users with hits, will allow you to disable an account whose owned files have been identified as hits.
  6. clamav_scan=1 will tell LMD to attempt to detect the presence of the ClamAV binary and use it as the default scanner engine. This yields up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine, and LMD signatures are still the basis for detecting threats.
Important: Please note that quar_clean and quar_susp require that quar_hits be enabled (=1).

Summing up, the lines with these variables should look as follows in /usr/local/maldetect/conf.maldet:

[email protected]
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
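
The dependency between quar_hits, quar_clean and quar_susp is easy to get wrong, and a value such as $(date ...) in email_subj only works because the shell evaluates the file, which makes its permissions matter. The following check is an added example, not part of LMD or of the original article; conf_get and check_lmd_conf are hypothetical helper names, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: lint conf.maldet by parsing it, never by sourcing it.

# conf_get FILE KEY: print the last value assigned to KEY, surrounding quotes removed.
# Comment lines never match because the pattern is anchored at KEY.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_lmd_conf FILE: print one WARN line per problem; return 0 only if none found.
check_lmd_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # quar_clean and quar_susp are ignored unless quar_hits=1.
    quar_hits=$(conf_get "$conf" quar_hits)
    for dep in quar_clean quar_susp; do
        if [ "$(conf_get "$conf" "$dep")" = "1" ] && [ "$quar_hits" != "1" ]; then
            echo "WARN: $dep=1 requires quar_hits=1 (currently '${quar_hits:-unset}')"
            problems=$((problems + 1))
        fi
    done

    # Alerts are enabled but the subject line is empty.
    if [ "$(conf_get "$conf" email_alert)" = "1" ] && [ -z "$(conf_get "$conf" email_subj)" ]; then
        echo "WARN: email_alert=1 but email_subj is empty"
        problems=$((problems + 1))
    fi

    # Values such as $(date ...) are expanded by the shell when maldet runs as root,
    # so the file must not be writable by group or others.
    case $(ls -ld "$conf" | cut -c1-10) in
        ?????w*|????????w*)
            echo "WARN: $conf is group- or world-writable"
            problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Constructed sample (not a real configuration): quar_clean is on while quar_hits is off.
sample=$(mktemp)
printf '%s\n' 'email_alert=1' 'email_subj="Malware alerts for $HOSTNAME"' \
    'quar_hits=0' 'quar_clean=1' 'quar_susp=0' > "$sample"
check_lmd_conf "$sample" || echo "fix the warnings above and re-run"
rm -f "$sample"
```

On a real system, pass /usr/local/maldetect/conf.maldet as the argument.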

Installing ClamAV on RHEL/CentOS and Fedora

To install ClamAV in order to take advantage of the clamav_scan setting, follow these steps:

Enable EPEL repository.

# yum install epel-release

Then do:

# yum update && yum install clamd
# apt update && apt-get install clamav clamav-daemon  [Ubuntu/Debian]

Note that these are only the basic instructions to install ClamAV in order to integrate it with LMD. We will not go into detail as far as ClamAV settings are concerned since, as we said earlier, LMD signatures are still the basis for detecting and cleaning threats.

Testing Linux Malware Detect

Now it’s time to test our recent LMD / ClamAV installation. Instead of using real malware, we will use the EICAR test files, which are available for download from the EICAR web site.

# cd /var/www/html
# wget 
# wget 
# wget 
# wget 

At this point, you can either wait for the next cron job to run or execute maldet manually yourself. We’ll go with the second option:

# maldet --scan-all /var/www/

LMD also accepts wildcards, so if you want to scan only a certain type of file (zip files, for example), you can do so:

# maldet --scan-all /var/www/*.zip
Scan Malware in Linux

When the scanning is complete, you can either check the email that was sent by LMD or view the report with:

# maldet --report 021015-1051.3559
Linux Malware Scan Report

Where 021015-1051.3559 is the SCANID (the SCANID will be slightly different in your case).
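
For unattended runs it helps to turn the scan summary into an exit status that a wrapper script or monitoring job can act on. The following is an added example, not part of LMD or of the original article; summarize_scan is a hypothetical helper, and the sample lines are constructed to follow the format of the maldet output quoted in the reader comments further down.

```shell
#!/bin/sh
# Added example: turn maldet's scan summary into a line of fields and an exit status.

# summarize_scan: read maldet output on stdin.
# Prints "scanid=... files=N hits=N cleaned=N".
# Returns 0 if no hit was left uncleaned, 1 if hits exceed cleaned hits,
# 2 if no "scan completed" line was seen (the scan did not finish or did not run).
summarize_scan() {
    awk '
    BEGIN { id = "unknown" }
    index($0, "{scan} scan completed on ") {
        for (i = 1; i < NF; i++) {
            if ($i == "files")   files   = $(i + 1) + 0   # "480," -> 480
            if ($i == "malware") hits    = $(i + 2) + 0   # skips the word "hits"
            if ($i == "cleaned") cleaned = $(i + 2) + 0
        }
        seen = 1
    }
    / maldet --report / { id = $NF }
    END {
        if (!seen) { print "no completed scan found"; exit 2 }
        printf "scanid=%s files=%d hits=%d cleaned=%d\n", id, files, hits, cleaned
        exit (hits > cleaned ? 1 : 0)
    }'
}

# Constructed sample output (SCANID and counts are made up).
summarize_scan <<'EOF' || echo "uncleaned hits or incomplete scan: review the report"
maldet(4242): {scan} scan completed on /var/www: files 12, malware hits 5, cleaned hits 0, time 3s
maldet(4242): {scan} scan report saved, to view run: maldet --report 000000-0000.4242
EOF
```

A status of 2 is worth alerting on as well, since it means the output contained no completed scan.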

Important: Please note that LMD found 5 hits since the file was downloaded twice (thus resulting in and

If we check the quarantine folder (I just left one of the files and deleted the rest), we will see the following:

# ls -l
Linux Malware Detect Quarantine Files

If

# maldet --clean SCANID

doesn’t get the job done for some reason, you can then remove all quarantined files with:

# rm -rf /usr/local/maldetect/quarantine/*

Final Considerations

Since maldet needs to be integrated with cron, you need to set the following variables in root’s crontab (type crontab -e as root and hit the Enter key) if you notice that LMD is not running correctly on a daily basis:


This will help provide the necessary debugging information.


In this article, we have discussed how to install and configure Linux Malware Detect, along with ClamAV, a powerful ally. With the help of these 2 tools, detecting malware should be a rather easy task.

However, do yourself a favor and become familiar with the README file as explained earlier, and you’ll be able to rest assured that your system is being well accounted for and well managed.

Do not hesitate to leave your comments or questions, if any, using the form below.


121 thoughts on “How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine”

  1. I installed this on Arch Linux with no issues. I had previously installed ClamAV before I installed the malware. Seems to be working fine.

  2. See the installation steps

    [[email protected] maldetect-1.5]# ./
    cat: /proc/1/comm: No such file or directory
    ./ line 85: test: =: unary operator expected
    Linux Malware Detect v1.5
    (C) 2002-2015, R-fx Networks
    (C) 2015, Ryan MacDonald
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    maldet(26907): {sigup} performing signature update check…
    maldet(26907): {sigup} local signature set is version 201509272848
    maldet(26907): {sigup} latest signature set already installed

    Errors found in lines 2 and 3; on checking the script I understood that the else condition of the if statement is executed (line 85). I guess installation completes successfully.

    The issue is that when I scan a directory, it’s finding some files only.

    [[email protected] public_html]# ls | wc -l

    [[email protected] public_html]# pwd

    [[email protected] public_html]# maldet --scan-all /var/www/html/kr/public_html
    Linux Malware Detect v1.5
    (C) 2002-2015, R-fx Networks
    (C) 2015, Ryan MacDonald
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(28662): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
    maldet(28662): {scan} building file list for /var/www/html/kr/public_html, this might take awhile…
    maldet(28662): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(28662): {scan} scan returned zero results, please provide a new path.

    What happened here?

    Next Scanning / directory? do you agree that / partition having only 480 files? have a look below

    [[email protected] public_html]# maldet --scan-all /
    Linux Malware Detect v1.5
    (C) 2002-2015, R-fx Networks
    (C) 2015, Ryan MacDonald
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(28802): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
    maldet(28802): {scan} building file list for /, this might take awhile…
    maldet(28802): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(28802): {scan} file list completed in 3s, found 480 files…
    maldet(28802): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine…
    maldet(28802): {scan} scan of / (480 files) in progress…

    maldet(28802): {scan} scan completed on /: files 480, malware hits 0, cleaned hits 0, time 4s
    maldet(28802): {scan} scan report saved, to view run: maldet --report 150928-1415.28802

    OS: Centos 5.4, maldet 1.5

  3. I entered this command: nano /etc/yum.repos.d/dag.repo
    and then I entered below lines in it and saved the file, Did I do it right?
    the clamav is installed now? don’t I need any more steps like what mentioned here:

    name=Dag RPM Repository for Red Hat Enterprise Linux

  4. Hi Gabriel, on some WordPress sites, maldet moves some .min.css and .min.js files to the quarantine folder. How could I prevent maldet from checking certain folders?

    This problem means that my clients access the Administration Panel of their WordPress site without the characteristic CSS styles.

    Thank You!

  5. Hi, Thanks for this helpful tutorial. I note that you only install clamd (not clamav) — is this because only clamd is needed to interface with maldet? Or, is clamav installed as a dependency when installing clamd?

    Thanks again.

  6. Seriously, you’re asking people to install this kind of software, not from a known secure repository, but from a website with private registration?!?

    BAD IDEA. VERY VERY BAD IDEA. Even if legit, it’s like you’re missing the forest for the trees– you’re asking people to violate a very basic security protocol.

    • @Kenneth,
      Thank you for your comment, but I will have to disagree with you. First off, as you can see in this article, you can download the tarball without registration. Second, many trusted programs which are now included in official repositories started off this way. Third, if you find something in the source code or the installation script that can be considered to violate a basic security protocol, please copy and paste it in another comment and we will review it carefully. Last, but not least, if you check the developers’ web site at, you will realize that there are many companies who are providing funds for this project – which IMHO would not happen if LMD was “a bad idea”.

    • @hp,
      What was the issue you ran into? I am glad to hear that you were able to solve it. But if you can take a minute or two to tell us a little bit more about your experience, we would appreciate it.

