[Malware Detector] Installation & Usage of Maldet on Linux

Why Maldet? It is one of the most commonly used malware detectors for Linux servers, and installing and using it is quite simple compared to other scanners.

It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

By using Maldet as your Linux server malware tool, you can easily find infected files in the Linux file system. At the same time, it can remove the infected files or quarantine them to a different location automatically. Please refer to this link (Maldet command switches) to get more ideas on how to manage Maldet via the Linux CLI.

Installation & Usage of maldet (Malware Detect) on Linux

LMD (Linux Malware Detect) is a malware scanner for Linux servers. Here I'm explaining how to install and use it on a Linux-based server.

1. How can I install Maldet on a server?

Installation steps are very simple and easy to do. Follow the steps below to install maldet on your server.

Step I: SSH to your server
Step II: Download the tar file and install it.

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzvf maldetect-current.tar.gz
# cd maldetect-*
# sh install.sh

That’s it. Installation completed.

2. Where is the configuration file?

The configuration file for Maldet is located at /usr/local/maldetect/conf.maldet. Other important files are:

# exec file: /usr/local/maldetect/maldet
# exec link: /usr/local/sbin/maldet
# exec link: /usr/local/sbin/lmd
# cron.daily: /etc/cron.daily/maldet

3. How to use maldet?

3.1 Scan

# maldet -a /path/to/scan
# maldet --scan-all /path/to/scan

3.2 View the scan report

# maldet -e SCANID
# maldet --report SCANID

3.3 Quarantine all malware results from a previous scan

# maldet -q SCANID
# maldet --quarantine SCANID

3.4 Clean all malware results from a previous scan

# maldet -n SCANID
# maldet --clean SCANID

3.5 Restore a file that you have already quarantined

# maldet -s FILENAME
# maldet --restore FILENAME

Sometimes it is not possible to restore a file using the file name only. In that case, use the full path of the quarantine directory where the quarantined files are stored, i.e. /usr/local/maldetect/quarantine:

# maldet --restore /usr/local/maldetect/quarantine/FILENAME

4. How to set up Email Alerts on Maldet?

Open the configuration file (/usr/local/maldetect/conf.maldet) using your favorite editor (vi, vim, nano etc…) and follow the setting below:

----------------Email Alert----------------
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="user@example.com"
--------------------------------------------
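The edit described above can be scripted so that it is repeatable and safe to run more than once. The following is an added example, not code from the original post or from the LMD project; it assumes only the three conf.maldet keys shown in the fragment above (email_alert, email_subj, email_addr), GNU sed for in-place editing, and a CONF path passed by the caller.

```shell
#!/bin/sh
# Added example (not part of the original post): enable Maldet e-mail alerts
# by editing a conf.maldet-style file in place. Assumes GNU sed (-i).
set -eu

# Print the value of KEY from CONF: the last uncommented assignment wins,
# leading whitespace (as in the fragment above) is tolerated, quotes stripped.
conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}=//p" "$conf" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Set KEY=VALUE in CONF: rewrite an existing assignment (even an indented or
# commented-out one) in place, or append the line when the key is absent.
conf_set() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^[[:space:]]*#*[[:space:]]*${key}=" "$conf"; then
        sed -i "s|^[[:space:]]*#*[[:space:]]*${key}=.*|${key}=${value}|" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Turn alerts on and deliver them to ADDR (comma-separated list, as the
# config comment says). Running it twice leaves a single assignment per key.
enable_email_alerts() {
    conf="$1"; addr="$2"
    # conf.maldet is sourced by a shell, so refuse anything that is not a
    # plain address list before it is written into the file.
    case "$addr" in
        *[!A-Za-z0-9@._,+-]*)
            echo "refusing suspicious address list: $addr" >&2
            return 1 ;;
    esac
    conf_set "$conf" email_alert 1
    conf_set "$conf" email_addr "\"$addr\""
    conf_set "$conf" email_subj "\"maldet alert from \$(hostname)\""
}

# Usage: enable_email_alerts /usr/local/maldetect/conf.maldet admin@example.com
```

Check the result with `conf_get /usr/local/maldetect/conf.maldet email_alert`, which should print 1 once the edit has been applied.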

Other useful Maldet options:

quar_hits

This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to their original path, owner and permissions using the --restore FILE option.

quar_clean

This tells LMD that it should try to clean malware that it has cleaner rules for; at the moment, base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to their original path, owner and permissions.

quar_susp

Using this option allows LMD to suspend a user account under which malware is found residing. On cPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command for the report that caused the user's suspension (e.g. maldet --report SCANID). On non-cPanel systems, the user's shell will be set to /bin/false.

quar_susp_minuid

This is the minimum user id that will be evaluated for suspension; the default should be fine on most systems.

That’s it, have fun with Maldet. 🙂


Arunlal A

Senior System Developer at Zeta. Linux lover. Traveller. Let's connect! Whether you're a seasoned DevOps pro or just starting your journey, I'm always eager to engage with like-minded individuals. Follow my blog for regular updates, connect on social media, and let's embark on this DevOps adventure together! Happy coding and deploying!

14 thoughts on “[Malware Detector] Installation & Usage of Maldet on Linux”

    1. It’s the configuration file for Maldet. It doesn’t have executable permission; you can edit the configuration file using your favorite file editor.

  1. Hello,
    Thanks for the great tutorial. Could you explain something more about the quarantine options?
    For example, if the maldet quarantine option is set to 1 and it takes all hits that are found into quarantine, are those files executable, or can they not be used until they are restored from quarantine to the original path?
    Thank you!

    1. The directive “quar_hits” is used for managing the quarantine action.

      # The default quarantine action for malware hits
      # [0 = alert only, 1 = move to quarantine & alert]
      quar_hits=0

      The quarantined files will be moved to the directory “/usr/local/maldetect/quarantine/” and a user can’t execute them.

  2. How do I disable the daily cron job of Maldet? Basically I want to run maldet at a three-day interval. Your prompt response will be appreciated highly.

  3. Hello,
    I’ve been using maldetect for some time now and it is great. What I’d like to know is
    how to add maldetect to automatic start after the server reboots?
    The OS is Ubuntu 14.10.

    Kind regards
    Marko

  4. When I run the command ( # wget http://www.rfxn.com/downloads/maldetect-current.tar.gz)
    it gives me this response

    http://www.rfxn.com/downloads/maldetect-current.tar.gz
    Resolving http://www.rfxn.com (www.rfxn.com)… 129.121.132.46
    Connecting to http://www.rfxn.com (www.rfxn.com)|129.121.132.46|:80… connected.
    HTTP request sent, awaiting response… 200 OK
    Length: 1762295 (1.7M) [application/x-gzip]
    maldetect-current.tar.gz: Permission denied

    Any idea what I can do to get this installed?
    Thank you in advance

  5. Hi Arun,

    LMD has suspended the account of user ubuntu after finding some malware associated with this user. I am not able to log in to sftp with username ubuntu. How do I remove the suspension of this account?

    Thanks
    Abhishek
