15+ maldet command switches and options with examples – Linux

Maldet command switches are what we are discussing in this blog article. Maldet is a commonly used malware detector for Linux based servers. The installation and usage of maldet are quite simple.

We have already discussed the Maldet installation steps on a Linux server. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks, and generates signatures for detection.

It is a useful topic if you are managing a Linux based server with different domains. In some cases, the domains hosted on your server (whether a shared one or your VPS) may be affected by malware threats.

Normally, it is hard to figure out which files and directories are infected by malware.

By using Maldet we can simply list the infected files. At the same time, we can remove the infected file or quarantine it to a different location.

A lot of switches and options are available with Maldet. Here I am explaining all the switches/options of maldet with examples.

Syntax:

# maldet [options] /path/to/scan

Important switches of maldet:


1, -b, --background

Execute operations in the background, ideal for large scans.

Example:

[root@crybit ~]# maldet -b -r /home/crybit/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9922): {scan} launching scan of /home/crybit/ changes in last 7d to background, see /usr/local/maldetect/event_log for progress

2, -u, --update

Update malware detection signatures from rfxn.com.

3, -d, --update-ver

Update the installed version from rfxn.com.

Example:

[root@crybit ~]# maldet -d
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9997): {update} checking for available updates...
maldet(9997): {update} hashing install files and checking against server...
maldet(9997): {update} version check shows latest but hash check failed, forcing update...
maldet(9997): {update} completed update v1.4.2 => v1.4.2, running signature updates...
maldet(10289): {sigup} performing signature update check...
maldet(10289): {sigup} local signature set is version 201402051649
maldet(10289): {sigup} latest signature set already installed
maldet(9997): {update} update and config import completed.

4, -m, --monitor USERS|PATHS|FILE

Run maldet with inotify kernel level file create/modify monitoring.
If USERS is specified, monitor user home directories for UIDs > 500.
If FILE is specified, paths will be extracted from the file, one per line. When PATHS are specified, they must be a comma-separated list, NO WILDCARDS!

e.g: maldet --monitor users

Another example:

e.g: maldet --monitor /root/monitor_paths

Next one:

e.g: maldet --monitor /home/mike,/home/ashton

Example:

[root@crybit ~]# maldet -m /home/crybit/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(10347): {mon} set inotify max_user_instances to 128
/usr/local/sbin/maldet: line 1162: /proc/sys/fs/inotify/max_user_instances: Permission denied
maldet(10347): {mon} set inotify max_user_watches to 0
/usr/local/sbin/maldet: line 1164: /proc/sys/fs/inotify/max_user_watches: Permission denied
maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(10347): {mon} inotify startup successful (pid: 10422)
maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

5, -k, --kill

Terminate the inotify monitoring service.

Example:

[root@crybit ~]# maldet -k
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(10471): {mon} sent kill to monitor service

6, -r, --scan-recent PATH DAYS

Scan files created/modified in the last X days (default: 7d, wildcard: ?)
e.g: maldet -r /home/?/public_html 2

7, -a, --scan-all PATH

Scan all files in path (default: /home, wildcard: ?)
e.g: maldet -a /home/?/public_html

8, -c, --checkout FILE

Upload suspected malware to rfxn.com for review & hashing into signatures.

9, -l, --log

View maldet log file events.

Example:

[root@crybit ~]# maldet -l
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

Feb 06 02:38:28 jishnu maldet(10347): {mon} set inotify max_user_watches to 0
Feb 06 02:38:28 jishnu maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
Feb 06 02:38:28 jishnu maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify startup successful (pid: 10422)
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log
Feb 06 02:39:43 jishnu maldet(10471): {mon} sent kill to monitor service
Feb 06 02:40:00 jishnu maldet(10347): {mon} monitoring terminated by user, inotify killed.
Feb 06 02:41:00 jishnu maldet(10550): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:00 jishnu maldet(10550): {scan} building file list for /home/crybit/ of new/modified files from last 1 days, this might take awhile...
Feb 06 02:41:00 jishnu maldet(10550): {scan} scan returned zero results, please increase days range or provide a new path.
Feb 06 02:41:11 jishnu maldet(10615): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:11 jishnu maldet(10615): {scan} building file list for /home/crybit/ of new/modified files from last 2 days, this might take awhile...
Feb 06 02:41:11 jishnu maldet(10615): {scan} scan returned zero results, please increase days range or provide a new path.

10, -e, --report SCANID email

View the scan report of the most recent scan or of a specific SCANID, and optionally e-mail the report to a supplied e-mail address.

e.g: maldet --report

Another option:

e.g: maldet --report list

Another example:

e.g: maldet --report 050910-1534.21135

e.g: maldet --report SCANID user@domain.com

11, -s, --restore FILE|SCANID

Restore a file from the quarantine queue to its original path, or restore all items from a specific SCANID
e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
e.g: maldet --restore 050910-1534.21135

12, -q, --quarantine SCANID

Quarantine all malware from report SCANID
e.g: maldet --quarantine 050910-1534.21135

13, -n, --clean SCANID

Try to clean & restore malware hits from report SCANID
e.g: maldet --clean 050910-1534.21135

14, -U, --user USER

Set execution under the specified user, ideal for restoring from a user quarantine or to view user reports.
e.g: maldet --user nobody --report
e.g: maldet --user nobody --restore 050910-1534.21135

15, -p, --purge

Clear logs, quarantine queue, session and temporary data.
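As an added example (not code from the original post or from the maldet project), here is a small POSIX shell helper set around these switches: it validates a --monitor path list against the no-wildcard rule, checks a SCANID's shape before it reaches --quarantine, --clean or --restore, summarises {scan} events from event_log text in the format shown by `maldet -l` above, and wraps a nightly `-b -r` scan. The log lines embedded in it are constructed and the function names are my own.

```bash
#!/bin/sh
# Added example, not from the original post or the maldet project.

# --monitor PATHS must be a comma-separated list of absolute paths, no wildcards.
monitor_paths_arg() {
    out=""
    for p in "$@"; do
        case "$p" in
            *'*'*|*'?'*|*'['*) echo "wildcard not allowed in --monitor PATHS: $p" >&2; return 1 ;;
            /*) ;;
            *) echo "absolute path required: $p" >&2; return 1 ;;
        esac
        out="${out:+$out,}$p"
    done
    printf '%s\n' "$out"
}

# SCANIDs look like 050910-1534.21135 (MMDDYY-HHMM.PID); refuse anything else
# before passing it to --quarantine, --clean or --restore.
valid_scanid() {
    printf '%s' "$1" | grep -Eq '^[0-9]{6}-[0-9]{4}\.[0-9]+$'
}

# Print "<pid> <signatures> <result>" per {scan} run found on stdin; result is
# "empty" when maldet reported zero files in the day range, otherwise "ran".
scan_summary() {
    awk '$6 == "{scan}" { pid = $5; sub(/^maldet\(/, "", pid); sub(/\):$/, "", pid) }
         $6 == "{scan}" && $7 == "signatures" { n++; id[n] = pid; sigs[pid] = $9; res[pid] = "ran" }
         $6 == "{scan}" && $7 == "scan" && $9 == "zero" { res[pid] = "empty" }
         END { for (i = 1; i <= n; i++) print id[i], sigs[id[i]], res[id[i]] }'
}

# Constructed sample in the event_log line format shown by `maldet -l`.
SAMPLE_LOG='Feb 06 02:41:00 jishnu maldet(10550): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:00 jishnu maldet(10550): {scan} building file list for /home/crybit/ of new/modified files from last 1 days, this might take awhile...
Feb 06 02:41:00 jishnu maldet(10550): {scan} scan returned zero results, please increase days range or provide a new path.
Feb 06 02:41:11 jishnu maldet(10615): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:11 jishnu maldet(10615): {scan} building file list for /home/crybit/ of new/modified files from last 30 days, this might take awhile...'

# Nightly job: background scan (-b) of files changed in the last day (-r) under
# the web roots, using maldet's own ? wildcard; only runs where maldet exists.
nightly_scan() {
    command -v maldet >/dev/null 2>&1 || { echo "maldet not installed" >&2; return 1; }
    maldet -b -r "${1:-/home/?/public_html}" "${2:-1}"
}

printf '%s\n' "$SAMPLE_LOG" | scan_summary
```

Run `nightly_scan` from cron after the monitor/scan paths have been checked with the helpers above; scan_summary can be fed `/usr/local/maldetect/event_log` directly.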

That’s it!! 🙂 These are the main maldet command switches for Linux servers.


Arunlal Ashok

Cloud Infrastructure / DevOps Engineer. I have been dealing with Linux servers since 2012. I started this blog to share and discuss my ideas.


12 thoughts on “15+ maldet command switches and options with examples – Linux”

  1. Hi Arun,
    I found this article to be very useful. Thanks for the information.
    I would further like to know if there is any way by which we can clean the infected files without moving or deleting those files with maldet. I would also like to know if we can run this as a daemon or something so we can avoid future attacks.

  2. Pretty useless when it comes to sending alerts. I have researched this thoroughly and the mail binary is active in my CentOS system, all conf.maldet switches are set for sending email, yet nothing ever comes through. I can manually send a report with maldet -e “name@domain.com” but don’t expect a continuity of care with getting notified automatically. Also, multiple messages to the domain owner of rfxn.com go unanswered and the emails listed in the conf.maldet file are non-deliverable. Look for another service if you need critical alerts.

      1. Email does work for me!
        (Maybe in your case the mailserver was turned off, misconfigured or blocked by anti-spam systems)

          1. Mail doesn’t work for me either. All the emails from the servers running maldet are relayed to our mail server. I’m not sure if it’s responsible yet, but I noticed when the manual email was sent (with maldet --report) that the received email doesn’t contain a FROM header at all.

          2. Scratch that! My apologies. Emails do arrive if maldet detects something, however emails are not sent if the scan is clean, even though email_ignore_clean="0"

  3. I would like to have maldet check every night but I want to turn off realtime monitoring.
    When I do maldet -k it kills maldet completely but if I change config files it still does realtime monitoring.
    Any advice on how to solve this?

    Is there any way to stop maldet from causing disk I/O going to 100%?

    Any advice on this is helpful. I cannot find much about these issues.
    Thanks!
