Linux Malware detection tool and Anti-Virus engine ClamAV installation tutorial

Linux Malware detection tool and Anti-Virus engine ClamAV installation tutorial

Malware is any software program designed to interfere with or damage the normal operation of the computing system. Although the most notorious malware include viruses, spyware, and advertising software, their attempts do not cause the same harm: Some steal private information, some delete personal data, and some are between them; another common purpose of malware is to control the system and then use it to launch a botnet to form a so-called Denial of Service (DoS) attack or Distributed Denial of Service (DDoS) attack.

Linux Malware detection tool

In other words, we cannot share this idea: "because I do not store any sensitive or important data, I do not need to protect my system from malware ", because the data is not the only target of malware.

For this reason, we will introduce RHEL 7.0/6.x( x is the version number), CentOS 7.0/6. in x and Fedora 21-12, how to install and configure Linux Malware detection tools (also known as MalDet, or LMD) and ClamAV (Anti-Virus engine ).

This is a malware scanning tool released with the GPL v2 license, designed specifically for host hosting environments. However, you will soon realize that whatever environment you are facing will benefit from MalDet.

Install LMD on RHEL/CentOS 7.0/6. x and Fedora 21-12

LMD cannot be obtained from the online software library, but is distributed from the official website of the project in the form of packaging files. The package file contains the source code of the latest version, which can always be obtained from the following links. You can use the following command to download the package:

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Then, we need to decompress the package and enter the directory for extracting/extracting the content. Because the current version is 1.4.2, the directory is a maldetect-1.4.2. We will find the installation script install. sh in this directory.

# tar -xvf maldetect-current.tar.gz# ls -l | grep maldetect

Download the Linux Malware detection tool

If we check the installation script, which contains only 75 lines (including comments), we will find that it not only installs the tool, but also performs a pre-check, check whether the default installation directory (/usr/local/maldetect) exists. If it does not exist, the script will first create the installation directory and then execute the next step.

Finally, after the installation is complete, you only need to put the cron. daily script (SEE) into/etc/cron. daily, you can schedule the daily execution through cron (scheduled task. This help script has many functions, including clearing the old temporary data, checking the new LMD version, and scanning the default data directories of Apache and Web Control Panel (such as CPanel and DirectAdmin.

Even so, run the installation script as usual:

# ./install.sh

Install the Linux Malware detection tool in Linux to configure the Linux Malware detection tool

The configuration of LDM is handled by/usr/local/maldetect/conf. maldet. Therefore, the options are fully commented so that configuration is quite easy. In case you get stuck, see/usr/local/src/maldetect-1.4.2/README for further instructions.

In the configuration file, you will find the following parts enclosed in square brackets:

• Email alerts • quarantine options • scan options • statistical analysis • monitoring options (monitoring options)

Each part contains several variables, indicating how LMD runs and what features can be used.

• If you want to receive an email notifying you of the Malware detection result, set email_alert to 1. For the sake of simplicity, we only forward emails to local system users, but you can also explore other options, such as sending email reminders to external users.

• If you have set email_alert = 1, set email_subj = "Your subject here" and email_addr = username @ localhost.

• For quar_hits, which is the default isolation operation for malware attacks (0 = only reminder, 1 = switch to isolation and Reminder), you tell LMD what operations to perform after detecting malware.

• Quar_clean will make you decide not to want to clear string-based malware injection. Keep in mind: in itself, string features are "continuous byte sequences that may match many variants of the malware family ."

• Quar_susp, which is the default pause action for the attacked user, allows you to disable the account whose file is confirmed to be attacked.

• Clamav_scan = 1 will tell LMD to try to detect whether there is any ClamAV binary code and use it as the default scanner engine. This provides up to four times faster scanning performance and excellent hexadecimal analysis. This option only uses ClamAV as the scanner engine, and LMD features are still the basis for threat detection.

Important:

Note: quar_clean and quar_susp must be enabled (= 1 ).

In short, the rows with these variables in/usr/local/maldetect/conf. maldet should look as follows:

Email_alert = 1email_addr = gacanepa @ localhostemail_subj = "Malware alerts for $ HOSTNAME-$ (date + % Y-% m-% d) "quar_hits = 1quar_clean = 1quar_susp = 1clam_av = 1 install ClamAV to RHEL/CentOS 7.0/6. x and Fedora 21-12

To install ClamAV to make full use of clamav_scan settings, follow these steps:

Create the software library file/etc/yum. repos. d/dag. repo:

[dag]name=Dag RPM Repository for Red Hat Enterprise Linuxbaseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/gpgcheck=1gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txtenabled=1

Then run the following command:

# yum update && yum install clamd

Note: These are the basic commands for installing ClamAV to integrate it with LMD. We will not elaborate on ClamAV settings, because as described above, LMD features are still the basis for detecting and clearing threats.

Test the Linux Malware detection tool

Now we can check the LMD/ClamAV we just installed. Instead of using actual malware, we will use EICAR test files (http://www.eicar.org/86-0-Intended-use.html) that can be downloaded from the EICAR website.

# cd /var/www/html# wget http://www.eicar.org/download/eicar.com# wget http://www.eicar.org/download/eicar.com.txt# wget http://www.eicar.org/download/eicar_com.zip# wget http://www.eicar.org/download/eicarcom2.zip

At this time, you can wait for the next cron task to run, or manually execute maldet. We will adopt the second method:

# maldet --scan-all /var/www/

LMD also accepts wildcards, So if you only want to scan some types of files (such as zip files), you can do this:

# maldet --scan-all /var/www/*.zip

Scan for malware in Linux

After scanning, you can view the email sent by LMD or use the following command to view the report:

# Maldet -- report 021015-1051.3559

Linux malware scan report

Among them, 021015-1051.3559 is SCANID (SCANID is slightly different from your actual result ).

Note: The eicar.com file has been downloaded twice (resulting in eicar.com and eicar.com. 1), and LMD has discovered five attacks.

If you check the isolation folder (only one file is left and other files are deleted), we will see the following results:

# Ls-l

Linux Malware detection tools isolate files

You can then use the following command to delete all isolated files:

# rm -rf /usr/local/maldetect/quarantine/*

In that case,

# maldet --clean SCANID

Final considerations

Since maldet needs to be integrated with cron, you need to set the following variables in the root crontab (enter crontab-e as the root user and press the Enter key ), you may notice that LMD does not run properly every day:

PATH=/sbin:/bin:/usr/sbin:/usr/binMAILTO=rootHOME=/SHELL=/bin/bash

This will help provide necessary debugging information.

Conclusion

This article discusses how to install and configure the Linux Malware detection tool and ClamAV, a powerful partner. With these two tools, detecting malware should be quite easy.

However, you need to help yourself to familiarize yourself with the README files explained earlier, so that you can be sure that your system is fully supported and properly managed.