Why Maldet? This is one of the commonly using Malware detector for Linux servers. The installation and usages of Maldet is quit simple compared to other scanners.
It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.
By using Maldet as your Linux server malware tool, you can simply find-out the infected files from the Linux file system. At the same time we can remove or quarantine the infected file to a different location automatically. Please refer to this link >> Maldet command switches << to get more ideas on how to manage Maldet via Linux CLI.
Installation & Usage of maldet (Malware Detect) on Linux
LMD : Linux Malware Detect is a Malware scanner for Linux servers. Here I’m explaining how to install & use this feature under a Linux based server.
1. How can I install Maldet on server ?
Installation steps are very simple and easy to do. Follow the steps below to install maldet on your server.
Step I: SSH to your server
Step II: Download the tar file and install it.
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz # tar -xzvf maldetect-current.tar.gz # cd maldetect-* # sh install.sh
That’s it. Installation completed.
2. configuration file ?
The configuration file for Maldet is located under /usr/local/maldetect/conf.maldet . Other important files are:
# exec file: /usr/local/maldetect/maldet # exec link: /usr/local/sbin/maldet # exec link: /usr/local/sbin/lmd # cron.daily: /etc/cron.daily/maldet
3. How to USE maldet ?
# maldet -a /path/to/scan OR maldet --scan-all /path/to/scan
3.2 View the scan report
# maldet -e SCAN ID # maldet --report SCAN ID
3.3 Quarantine all malware results from a previous scan
# maldet -q SCAN ID # maldet –quarantine SCANID
3.4 Clean on all malware results from a previous scan
# maldet -n SCAN ID # maldet --clean SCAN ID
3.5 Restore a file that you have already quarantined
# maldet -s FILENAME # maldet --restore FILENAME
Sometime it is not possible to restore by using the file name only. In such condition use the full path where the quarantined files stored, ie /usr/local/maldetect/quarantine
# maldet --restore /usr/local/maldetect/quarantine/FILENAME
4. How to setup Email Alert on Maldet?
Open the configuration file (/usr/local/maldetect/conf.maldet) using your favorite editor (vi, vim, nano etc…) and follow the setting below:
----------------Email Alert---------------- #[0 = disabled, 1 = enabled] email_alert=0 #The subject line for email alerts email_subj="maldet alert from $(hostname)" # The destination addresses for email alerts # [ values are comma (,) spaced ] email_addr="[email protected]" --------------------------------------------
Other useful Maldet options:
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.
This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.
Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.
This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.
That’s it, have fun with Maldet. 🙂
Does an average Mac user even need an anti-malware software? Does a Mac require daily maintenance? Read about cleanmymac x review
14 thoughts on “[Malware Detector] Installation & Usage of Maldet on Linux”
When i run this command /usr/local/maldetect/conf.maldet it show Permission Denied what is wrong
It’s the configuration file for Maldet. Its doesn’t have executable permission, you can edit the configuration file using your favorite file editor.
Thanks for great tutorial. Could you explain something more about quarantine options.
For example, if malded quarantine options is set to 1, and it takes all hits that found in quarantine, are those files executable or they can not be used until they restored from quarantine to original path?
The directive “quar_hits” is using for managing quarantine action.
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
The quarantined files will be moved to the directory “/usr/local/maldetect/quarantine/” and a user can’t execute them.
how to disable daily cron job of Maldet, basically want to run maldet on three days interval. Your prompt response will be appreciated highly.
You can change the time for running CronJob on your server. Please refer this for more details >> Job Scheduling Using Crontab <<
I’ve been using maldetect for some time now and it is great, what I’d like to know is
how to add maldetect to automatic start after server reboots?
OS is Ubuntu 14.10.
When I run the command ( # wget http://www.rfxn.com/downloads/maldetect-current.tar.gz)
it gives me this response
Resolving http://www.rfxn.com (www.rfxn.com)… 184.108.40.206
Connecting to http://www.rfxn.com (www.rfxn.com)|220.127.116.11|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 1762295 (1.7M) [application/x-gzip]
maldetect-current.tar.gz: Permission denied
Any idea what i can do to get this installed?
Thank you in advance
Did you try this as root user?
LMD has suspend account of user ubuntu after finding some malware..associated with this user.I am not able to login in sftp with uaername ubuntu.How to remove suspension of this acccount.
To remove files you must first log into the server.
Ask your provider to remove suspension for temporary.
How to set maldet to auto scan /home folder weekly etc ??
This can be done by the help of CRON. Create an executable file with your maldet comment and create a CRON job to run it weekly.
Refer to the tutorial >> Job Scheduling Using Crontab <<