How to Install and Use Linux Malware Detect (LMD)

Introduction

Malware, or malicious software, is the designation given to any program that aims to disrupt the normal operation of a computing system. Although the best known forms of malware are viruses, spyware, and adware, the harm they intend to cause ranges from stealing private information to deleting personal data, and everything in between. Another classic use of malware is to take control of a system so that it can be enrolled in a botnet and used to launch (D)DoS attacks.

In other words, you can’t afford to think, “I don’t need to secure my system(s) against malware since I’m not storing any sensitive or important data”, because data is not the only target of malware. For that reason, in this article we will explain how to install and configure Linux Malware Detect (aka MalDet or LMD for short) along with ClamAV (antivirus engine) on blackPanther OS and blackPanther Server (>= 14,1).

LMD is a malware scanner released under the GPL v2 license and designed specifically for shared hosting environments. However, you will quickly realize that MalDet is useful no matter what kind of environment you are working in.

Installing LMD on blackPanther OS / Server

LMD 1.5 is available from the official online repositories. Alternatively, a tarball containing the source code of the latest version is always available at the following link, where it can be downloaded with: wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

First you need to update the repositories, and then you can install the packages:

# updating repos
# installing maldetect
# installing clamd (if it is not already installed)

Configuration

After the installation, you will find the following sections in the configuration file, enclosed inside square brackets:

  1. EMAIL ALERTS
  2. QUARANTINE OPTIONS
  3. SCAN OPTIONS
  4. STATISTICAL ANALYSIS
  5. MONITORING OPTIONS

Each of these sections contains several variables that indicate how LMD will behave and what features are available.

  1. Set email_alert=1 if you want to receive email notifications of malware inspection results. For the sake of brevity, we will only relay mail to local system users, but you can explore other options, such as sending mail alerts to the outside, as well.
  2. Set email_subj="Your subject here" and email_addr=username@localhost if you have previously set email_alert=1.
  3. With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert), you tell LMD what to do when malware is detected.
  4. quar_clean lets you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, “a contiguous byte sequence that potentially can match many variants of a malware family”.
  5. quar_susp, the default suspend action for users with hits, allows you to disable an account whose owned files have been identified as hits.
  6. clamav_scan=1 tells LMD to attempt to detect the presence of the ClamAV binary and use it as the default scanner engine. This yields up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine; LMD signatures are still the basis for detecting threats.

Important: Please note that quar_clean and quar_susp require that quar_hits be enabled (=1).

Summing up, the lines with these variables should look as follows in /etc/maldetect/maldetect.conf:

email_alert=1
email_addr=gacanepa@localhost

And the following in /etc/maldetect/internals.conf:

email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"

# the following apply only in maldet <= 1.4.x
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1
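The dependency noted above (quar_clean and quar_susp only take effect when quar_hits=1, and email_alert=1 is useless without an email_addr) is easy to get wrong when editing by hand. The following added shell helper, which is not part of the article or of LMD, reads a maldetect conf file and reports settings that are silently ineffective; it assumes the article's path /etc/maldetect/maldetect.conf but takes any path as its argument.

```shell
#!/bin/sh
# Added example (not part of LMD): sanity-check a maldetect conf for the
# option dependencies described in the article. Usage:
#   check_maldet_conf /etc/maldetect/maldetect.conf

# Print the value of KEY from conf FILE (quotes and trailing comments
# stripped); last assignment wins, as when the shell sources the file.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" \
        | sed "s/[#].*//; s/^[\"']//; s/[\"'][[:space:]]*$//; s/[[:space:]]*$//" \
        | tail -n 1
}

# Returns 0 when the conf is consistent, 1 when some setting has no effect.
check_maldet_conf() {
    conf="$1"; rc=0
    quar_hits=$(conf_get "$conf" quar_hits)
    # quar_clean and quar_susp require quar_hits=1
    for dep in quar_clean quar_susp; do
        val=$(conf_get "$conf" "$dep")
        if [ "$val" = "1" ] && [ "$quar_hits" != "1" ]; then
            echo "WARN: $dep=1 has no effect because quar_hits=${quar_hits:-unset}"
            rc=1
        fi
    done
    # email_alert=1 needs a recipient
    if [ "$(conf_get "$conf" email_alert)" = "1" ] \
        && [ -z "$(conf_get "$conf" email_addr)" ]; then
        echo "WARN: email_alert=1 but email_addr is not set; alerts go nowhere"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $conf is consistent"
    return $rc
}
```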

First run and update LMD

# maldet -u

Run LMD on Webroot

# maldet --scan-all /var/www

Testing Linux Malware Detect

Now it’s time to test our recent LMD / ClamAV installation. Instead of using real malware, we will use the EICAR test files, which are available for download from the EICAR web site.

# cd /var/www/html
# wget http://www.eicar.org/download/eicar.com
# wget http://www.eicar.org/download/eicar.com.txt
# wget http://www.eicar.org/download/eicar_com.zip
# wget http://www.eicar.org/download/eicarcom2.zip

At this point you can either wait for the next cron job to run, or execute maldet manually yourself. We’ll go with the second option:

# maldet --scan-all /var/www/

LMD also accepts wildcards, so if you want to scan only a certain type of file (zip files, for example), you can do so:

# maldet --scan-all /var/www/*.zip

When the scanning is complete, you can either check the email that was sent by LMD or view the report with:

# maldet --report 021015-1051.3559

where 021015-1051.3559 is the SCANID (it will be slightly different in your case).

Important: Please note that LMD found 5 hits because the eicar.com file was downloaded twice (resulting in both eicar.com and eicar.com.1).
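The same EICAR-based test, as an added shell helper that is not part of the article or of LMD: it writes the EICAR test files locally instead of downloading them (so the check works offline and never leaves an eicar.com.1 duplicate behind), runs maldet over the directory when it is installed, and pulls the SCANID out of the scan output. The SCANID pattern follows the article's example; that maldet prints the id in its output is an assumption.

```shell
#!/bin/sh
# Added example (not from the article or LMD): repeatable EICAR test.
# Assumes maldet is on PATH for run_test_scan; the scan is skipped otherwise.

# The EICAR string is the public, harmless antivirus test pattern (68 bytes).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Create eicar.com and eicar.com.txt under DIR (overwrites, so re-running
# never produces eicar.com.1). Prints the number of test files present.
make_eicar_files() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s' "$EICAR" > "$dir/eicar.com"
    cp "$dir/eicar.com" "$dir/eicar.com.txt"
    ls "$dir" | grep -c '^eicar'
}

# Scan DIR with maldet and print the SCANID (same shape as the article's
# 021015-1051.3559) found in the output, or "skipped" if maldet is absent.
run_test_scan() {
    dir="$1"
    if ! command -v maldet >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    out=$(maldet --scan-all "$dir" 2>&1)
    printf '%s\n' "$out" \
        | grep -o '[0-9]\{6\}-[0-9]\{4\}\.[0-9]\{1,\}' | tail -n 1
}

# Remove the test files so the next cron scan does not report them again.
remove_eicar_files() {
    rm -f "$1/eicar.com" "$1/eicar.com.txt"
}
```

Combine the three steps as make_eicar_files /var/www/html, then run_test_scan /var/www/html, then remove_eicar_files /var/www/html, and view the report with maldet --report on the printed SCANID.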

If you check the quarantine folder (I just left one of the files and deleted the rest), you will see the following:

# ls -l

You can then remove all quarantined files with:

# rm -rf /usr/lib/maldetect/quarantine/*

Alternatively, to attempt to clean the hits from a given scan rather than delete them, run:

# maldet --clean SCANID

Conclusion

In this article we have discussed how to install and configure Linux Malware Detect, along with ClamAV, a powerful ally. With the help of these two tools, detecting malware should be a rather easy task.

However, do yourself a favor and become familiar with the README file, and you’ll be able to rest assured that your system is being well accounted for and well managed.

Do not hesitate to leave your comments or questions, if any, using the form below.

Reference Links

LMD Homepage
