15+ maldet command switches/options with examples – Unix/Linux

Maldet (Linux Malware Detect) is a commonly used malware detector for Linux based servers. Installing and using maldet is quite simple; we have already discussed the Maldet installation steps on a Linux server. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

This topic is useful if you manage a Linux based server hosting several domains. In some cases the domains hosted on your server (a shared server or your VPS) may be affected by malware. Normally it is hard to figure out which files and directories are infected. With Maldet we can simply list the infected files, and at the same time remove them or quarantine them to a different location.

Many switches and options are available with Maldet. Here I explain the switches/options of maldet with examples.

Syntax:

# maldet [options] /path/to/scan

Important switches of maldet:

1, -b, --background
Execute operations in the background, ideal for large scans.

Example:

[[email protected] ~]# maldet -b -r /home/crybit/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9922): {scan} launching scan of /home/crybit/ changes in last 7d to background, see /usr/local/maldetect/event_log for progress

2, -u, --update
Update malware detection signatures from rfxn.com.

3, -d, --update-ver
Update the installed version from rfxn.com.
Example:

[[email protected] ~]# maldet -d
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9997): {update} checking for available updates...
maldet(9997): {update} hashing install files and checking against server...
maldet(9997): {update} version check shows latest but hash check failed, forcing update...
maldet(9997): {update} completed update v1.4.2 => v1.4.2, running signature updates...
maldet(10289): {sigup} performing signature update check...
maldet(10289): {sigup} local signature set is version 201402051649
maldet(10289): {sigup} latest signature set already installed
maldet(9997): {update} update and config import completed.

4, -m, --monitor USERS|PATHS|FILE
Run maldet with inotify kernel level file create/modify monitoring.
If USERS is specified, monitor user homedirs for UIDs > 500.
If FILE is specified, paths will be extracted from the file, one per line.
If PATHS are specified, they must be a comma separated list, NO WILDCARDS!
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton

Example:

[[email protected] ~]# maldet -m /home/crybit/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(10347): {mon} set inotify max_user_instances to 128
/usr/local/sbin/maldet: line 1162: /proc/sys/fs/inotify/max_user_instances: Permission denied
maldet(10347): {mon} set inotify max_user_watches to 0
/usr/local/sbin/maldet: line 1164: /proc/sys/fs/inotify/max_user_watches: Permission denied
maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(10347): {mon} inotify startup successful (pid: 10422)
maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

5, -k, --kill
Terminate the inotify monitoring service.

Example:

[[email protected] ~]# maldet -k
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(10471): {mon} sent kill to monitor service

6, -r, --scan-recent PATH DAYS
Scan files created/modified in the last X days (default: 7d, wildcard: ?)
e.g: maldet -r /home/?/public_html 2

7, -a, --scan-all PATH
Scan all files in path (default: /home, wildcard: ?)
e.g: maldet -a /home/?/public_html

8, -c, --checkout FILE
Upload suspected malware to rfxn.com for review & hashing into signatures.

9, -l, --log
View maldet log file events.
Example:

[[email protected] ~]# maldet -l
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

Feb 06 02:38:28 jishnu maldet(10347): {mon} set inotify max_user_watches to 0
Feb 06 02:38:28 jishnu maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
Feb 06 02:38:28 jishnu maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify startup successful (pid: 10422)
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log
Feb 06 02:39:43 jishnu maldet(10471): {mon} sent kill to monitor service
Feb 06 02:40:00 jishnu maldet(10347): {mon} monitoring terminated by user, inotify killed.
Feb 06 02:41:00 jishnu maldet(10550): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:00 jishnu maldet(10550): {scan} building file list for /home/crybit/ of new/modified files from last 1 days, this might take awhile...
Feb 06 02:41:00 jishnu maldet(10550): {scan} scan returned zero results, please increase days range or provide a new path.
Feb 06 02:41:11 jishnu maldet(10615): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:11 jishnu maldet(10615): {scan} building file list for /home/crybit/ of new/modified files from last 2 days, this might take awhile...
Feb 06 02:41:11 jishnu maldet(10615): {scan} scan returned zero results, please increase days range or provide a new path.

10, -e, --report SCANID email
View the scan report of the most recent scan or of a specific SCANID, and optionally e-mail the report to a supplied e-mail address.
e.g: maldet --report
e.g: maldet --report list
e.g: maldet --report 050910-1534.21135
e.g: maldet --report SCANID [email protected]

11, -s, --restore FILE|SCANID
Restore a file from the quarantine queue to its original path, or restore all items from a specific SCANID.
e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
e.g: maldet --restore 050910-1534.21135

12, -q, --quarantine SCANID
Quarantine all malware from report SCANID.
e.g: maldet --quarantine 050910-1534.21135

13, -n, --clean SCANID
Try to clean & restore malware hits from report SCANID.
e.g: maldet --clean 050910-1534.21135

14, -U, --user USER
Set execution under the specified user, ideal for restoring from a user quarantine or to view user reports.
e.g: maldet --user nobody --report
e.g: maldet --user nobody --restore 050910-1534.21135

15, -p, --purge
Clear logs, quarantine queue, session and temporary data.
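As an added example (not from the original post or from the maldet project), the script below summarises an event_log in the format printed by maldet -l above, so a nightly cron job can tell apart "nothing new to scan", a clean scan and a scan with hits. The log path and the "scan completed on ...: files N, malware hits N, cleaned hits N" line are assumptions to check against your own event_log:

```shell
#!/bin/sh
# Added example, not from the post or the maldet project: summarise a maldet
# event log ("maldet -l" format). Assumed: the log path below and the
# "scan completed on ...: malware hits N" line; verify both on your server.

MALDET_LOG="${MALDET_LOG:-/usr/local/maldetect/event_log}"

# Constructed sample in the "maldet -l" format; the last line is the assumed
# completed-scan format and is not copied from the post.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify startup successful (pid: 10422)
Feb 06 02:39:43 jishnu maldet(10471): {mon} sent kill to monitor service
Feb 06 02:41:00 jishnu maldet(10550): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:00 jishnu maldet(10550): {scan} scan returned zero results, please increase days range or provide a new path.
Feb 06 02:41:11 jishnu maldet(10615): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:11 jishnu maldet(10615): {scan} scan completed on /home/crybit/: files 812, malware hits 2, cleaned hits 0
EOF

# count_events LOG TAG: number of events tagged {TAG} (mon, scan, update, sigup).
count_events() {
    awk -v tag="{$2}" 'index($0, tag) { n++ } END { print n + 0 }' "$1"
}

# zero_result_scans LOG: scans whose file list was empty (wrong path or days).
zero_result_scans() {
    awk 'index($0, "{scan} scan returned zero results") { n++ }
         END { print n + 0 }' "$1"
}

# total_hits LOG: sum of "malware hits N" over completed scans (assumed format).
total_hits() {
    awk 'index($0, "{scan} scan completed on") {
             for (i = 2; i < NF; i++)
                 if ($(i-1) == "malware" && $i == "hits") {
                     v = $(i+1); sub(/,$/, "", v); n += v
                 }
         } END { print n + 0 }' "$1"
}

# Use the real log when readable, otherwise the constructed sample.
LOG="$MALDET_LOG"; [ -r "$MALDET_LOG" ] || LOG="$SAMPLE_LOG"
echo "scan events:  $(count_events "$LOG" scan)"
echo "empty scans:  $(zero_result_scans "$LOG")"
echo "malware hits: $(total_hits "$LOG")"
```

A non-zero "malware hits" total is the condition to page on; "empty scans" growing night after night usually means the -r days range or the path is wrong rather than that the server is clean.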

That’s it!! 🙂

Related Links:
Installation of maldet (Malware Detector)

Arunlal Ashok

Linux Server Administrator. I'm dealing with Linux servers since 2012. I started this blog to share and discuss my ideas with the world. Check My Profile!! in uPwork (oDesk) and let me know if you need any assistance. Thanks!!


10 Responses

  1. Chaitanya says:

    Hi Arun,
    I found this article to be very useful. Thanks for the information.
    I would further like to know if there is any way by which we can clean the infected files without moving or deleting those files with maldet. I would also like to know if we can run this as a daemon or something so we can avoid future attacks.

  2. michael buluma says:

    nice. Been looking for such a tool

  3. lester says:

    Pretty useless when it comes to sending alerts. I have researched this thoroughly and the mail binary is active in my Centos system, all conf.maldet switches are set for sending email, yet nothing ever comes through. I can manually send a report with maldet -e “[email protected]” but don’t expect any continuity of care with getting notified automatically. Also, multiple messages to the domain owner of rfxn.com go unanswered and the emails listed in the conf.maldet file are non-deliverable. Look for another service if you need critical alerts.

  4. Jeffrey says:

    I would like to have maldet check every night but I want to turn off realtime monitoring.
    When I do maldet -k it kills maldet completely, but if I change config files it still does realtime monitoring.
    Any advice on how to solve this?

    Is there any way to stop maldet from causing disk i/o going to 100%?

    Any advice on this is helpful. I cannot find much about these issues.
    Thanks!
