[Malware Detector] Installation & Usage of maldet on Linux

This is one of the most commonly used malware detectors on Linux servers. Installing and using Maldet is quite simple compared to other tools. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. By using Maldet as your Linux server malware tool, you can easily find infected files in the Linux file system and, at the same time, remove them or quarantine them to a different location. You can find more information at this link >> Maldet command switches <<

Installation & Usage of maldet (Malware Detect) on Linux

LMD (Linux Malware Detect) is a malware scanner for servers. Here I’m explaining how to install and use it on a Linux-based server.

1. How can I install Maldet on a server?

The installation steps are very simple. Follow the steps below to install maldet on your server.

Step I: SSH to your server
Step II: Download the tar file and install it.

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzvf maldetect-current.tar.gz
# cd maldetect-*
# sh install.sh

That’s it. Installation completed.

2. Where is the configuration file?

The configuration file for Maldet is located at /usr/local/maldetect/conf.maldet. Other important files are:

# exec file: /usr/local/maldetect/maldet
# exec link: /usr/local/sbin/maldet
# exec link: /usr/local/sbin/lmd
# cron.daily: /etc/cron.daily/maldet

3. How to use maldet?

3.1 Scan

# maldet -a /path/to/scan
# maldet --scan-all /path/to/scan

3.2 View the scan report

# maldet -e SCANID
# maldet --report SCANID

3.3 Quarantine all malware results from a previous scan

# maldet -q SCANID
# maldet --quarantine SCANID

3.4 Clean all malware results from a previous scan

# maldet -n SCANID
# maldet --clean SCANID

3.5 Restore a file that you have already quarantined

# maldet -s FILENAME
# maldet --restore FILENAME

Sometimes it is not possible to restore a file using the file name only. In that case, use the full path of the directory where quarantined files are stored, i.e. /usr/local/maldetect/quarantine:

# maldet --restore /usr/local/maldetect/quarantine/FILENAME
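The scan, report and quarantine steps in section 3 are usually chained together from a cron job or a deployment script. The wrapper below is an added example (not part of maldet or this post) that runs a scan, pulls the scan ID out of maldet's summary output, prints the report, and returns non-zero when hits were found so the caller can decide about quarantine. The summary line format it parses is an assumption taken from memory of maldet's output (verify against your installed version), and the SAMPLE text is constructed for the stand-alone demo.

```shell
#!/bin/sh
# Added example: chain scan -> report -> (manual) quarantine from section 3.
# Assumed maldet summary output (check against your version):
#   maldet(PID): {scan} scan completed on /path: files N, malware hits N, cleaned hits N, time Ns
#   maldet(PID): {scan} scan report saved, to view run: maldet --report YYMMDD-HHMM.PID

# Print the scan/report ID found in maldet's summary output (read from stdin).
extract_scan_id() {
    sed -n 's/.*--report \([0-9][0-9]*-[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the "malware hits" count from the "scan completed" line (read from stdin).
extract_hit_count() {
    sed -n 's/.*malware hits \([0-9][0-9]*\),.*/\1/p' | head -n 1
}

# Scan $1 (same as "maldet -a PATH"), show the report, and exit 1 if hits were
# found. Quarantine is deliberately left as an explicit follow-up (maldet -q ID)
# so that a cron run never moves files without someone reading the report.
scan_and_report() {
    path="$1"
    out=$(maldet -a "$path" 2>&1) || { printf '%s\n' "$out" >&2; return 2; }
    id=$(printf '%s\n' "$out" | extract_scan_id)
    hits=$(printf '%s\n' "$out" | extract_hit_count)
    [ -n "$id" ] || { echo "could not find a scan id in maldet output" >&2; return 2; }
    maldet --report "$id"
    [ "${hits:-0}" -eq 0 ] && return 0
    echo "$hits hit(s) found in scan $id; review and then run: maldet -q $id" >&2
    return 1
}

# Constructed sample of the summary lines, used for the stand-alone demo below.
SAMPLE='maldet(4242): {scan} scan completed on /home: files 1234, malware hits 2, cleaned hits 0, time 14s
maldet(4242): {scan} scan report saved, to view run: maldet --report 240101-1200.4242'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | extract_scan_id     # 240101-1200.4242
    printf '%s\n' "$SAMPLE" | extract_hit_count   # 2
elif [ -n "${1:-}" ]; then
    scan_and_report "$1"
fi
```

Run it as `sh scan.sh /home` from cron (as root, since maldet needs to read every file) and let the non-zero exit status drive your alerting; `sh scan.sh --demo` exercises the parsers without maldet installed.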

4. How to set up email alerts

Open the configuration file (/usr/local/maldetect/conf.maldet) in your favorite editor (vi, vim, nano etc.) and adjust the settings below:

----------------Email Alert----------------
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"
--------------------------------------------

Other useful Maldet options:

quar_hits

This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to their original path, owner and permissions using the --restore FILE option.

quar_clean

This tells LMD that it should try to clean malware that it has cleaner rules for; at the moment, base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to their original path, owner and permissions.

quar_susp

Using this option allows LMD to suspend a user account under which malware is found. On cPanel systems this will pass the user to /scripts/suspendacct and add a comment containing the maldet report command for the report that caused the user's suspension (e.g. maldet --report SCANID). On non-cPanel systems, the user's shell will be set to /bin/false.

quar_susp_minuid

This is the minimum user ID that will be evaluated for suspension; the default should be fine on most systems.
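Editing conf.maldet by hand works for one server, but the email-alert settings from section 4 and the quar_* options above are the kind of change you want applied identically on every host. The helper below is an added example (not maldet's own tooling) that sets key=value lines in the configuration file idempotently: it replaces an existing line (indented or not) or appends the key if it is missing. It assumes settings are single key=value lines as in the excerpt above; the `-i.bak` in-place flag is a GNU/BSD sed extension, not POSIX, and the sample configuration in the demo is constructed.

```shell
#!/bin/sh
# Added example: script-driven changes to conf.maldet for email alerts and
# quarantine. Assumption: every setting is one "key=value" line, possibly
# indented and possibly quoted, as in the conf.maldet excerpt above.

CONF="${CONF:-/usr/local/maldetect/conf.maldet}"

# Print the current value of KEY in FILE with surrounding quotes stripped;
# prints nothing if the key is not set.
get_conf_value() {  # FILE KEY
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Replace the "KEY=..." line in FILE with KEY=VALUE, or append it if absent.
# The value is escaped for sed's replacement side so '&', '\' and '|' survive.
set_conf_value() {  # FILE KEY VALUE
    file="$1" key="$2"
    esc=$(printf '%s' "$3" | sed 's/[\\&|]/\\&/g')
    if grep -q "^[[:space:]]*$key=" "$file"; then
        sed -i.bak "s|^[[:space:]]*$key=.*|$key=$esc|" "$file"   # -i.bak: GNU/BSD sed, not POSIX
    else
        printf '%s=%s\n' "$key" "$3" >> "$file"
    fi
}

# Section 4: turn on email alerts to ADDR (comma-separated list is fine).
enable_email_alerts() {  # FILE ADDR
    set_conf_value "$1" email_alert 1
    set_conf_value "$1" email_addr "\"$2\""
}

# quar_* options: move hits to quarantine and try the built-in cleaners, but
# keep account suspension off so a false positive cannot lock a user out.
enable_quarantine() {  # FILE
    set_conf_value "$1" quar_hits 1
    set_conf_value "$1" quar_clean 1
    set_conf_value "$1" quar_susp 0
}

# Stand-alone demo on a constructed copy of the relevant conf.maldet lines.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '%s\n' '# [0 = disabled, 1 = enabled]' ' email_alert=0' \
        ' email_addr="you@domain.com"' 'quar_hits=0' > "$demo"
    enable_email_alerts "$demo" "admin@example.com"   # example.com address, constructed
    enable_quarantine "$demo"
    cat "$demo"
    rm -f "$demo" "$demo.bak"
fi
```

On a real server run the functions as root against `$CONF` (for example `. ./conf.sh; enable_email_alerts "$CONF" admin@example.com; enable_quarantine "$CONF"`), then confirm with `get_conf_value "$CONF" quar_hits`; the `.bak` copy sed leaves behind is your rollback.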

That’s it, have fun with maldet. 🙂

Arunlal Ashok

Linux Server Administrator. I've been dealing with Linux servers since 2012. I started this blog to share and discuss my ideas with the world. Check my profile on Upwork (oDesk) and let me know if you need any assistance. Thanks!!


14 Responses

  1. YoungBoy says:

    When I run this command /usr/local/maldetect/conf.maldet it shows Permission Denied. What is wrong?

    • Arun Lal says:

      It’s the configuration file for Maldet. It doesn’t have executable permission; you can edit the configuration file using your favorite file editor.

  2. Joomla mon says:

    Hello,
    Thanks for the great tutorial. Could you explain something more about the quarantine options?
    For example, if the maldet quarantine option is set to 1, and it takes all hits that are found into quarantine, are those files executable or can they not be used until they are restored from quarantine to the original path?
    Thank you!

    • Arun Lal says:

      The directive “quar_hits” is used for managing the quarantine action.

      # The default quarantine action for malware hits
      # [0 = alert only, 1 = move to quarantine & alert]
      quar_hits=0

      The quarantined files will be moved to the directory “/usr/local/maldetect/quarantine/” and a user can’t execute them.

  3. SUpport says:

    How do I disable the daily cron job of Maldet? Basically I want to run maldet at a three-day interval. Your prompt response will be highly appreciated.

  4. Marko says:

    Hello,
    I’ve been using maldetect for some time now and it is great. What I’d like to know is
    how to add maldetect to automatic start after the server reboots?
    OS is Ubuntu 14.10.

    Kind regards
    Marko

  5. Brix says:

    When I run the command ( # wget http://www.rfxn.com/downloads/maldetect-current.tar.gz)
    it gives me this response

    http://www.rfxn.com/downloads/maldetect-current.tar.gz
    Resolving http://www.rfxn.com (www.rfxn.com)… 129.121.132.46
    Connecting to http://www.rfxn.com (www.rfxn.com)|129.121.132.46|:80… connected.
    HTTP request sent, awaiting response… 200 OK
    Length: 1762295 (1.7M) [application/x-gzip]
    maldetect-current.tar.gz: Permission denied

    Any idea what I can do to get this installed?
    Thank you in advance

  6. Hi Arun,

    LMD has suspended the account of user ubuntu after finding some malware associated with this user. I am not able to log in via sftp with username ubuntu. How do I remove the suspension of this account?

    Thanks
    Abhishek

  7. Tapan Bhanot says:

    How do I set maldet to auto-scan the /home folder weekly, etc.?

  1. February 5, 2014

    […] have already discussed the installation and some important usages of maldet. Here I am explaining all the switches/options of maldet with […]
