tutorial on installing malware scanning tools and antivirus engines on Linux systems

Source: Internet
Author: User
Tags zip centos eicar

Malware refers to any software program designed to interfere with or disrupt the normal operation of the computing system. Although the most notorious types of malware, such as viruses, spyware, and adware, they attempt to cause differences: Some steal private information, some delete personal data, some are somewhere between them, and another common use of malware is to control the system, and then use the system to launch zombie networks, A so-called denial of service (DoS) attack or distributed Denial of service (DDoS) attack is formed.

In other words, we must not have the idea that "because I don't store any sensitive data or important data, I don't need to protect my system from malware" because that data is not the only target of malicious software.

For this reason, we will describe in this article how to install and configure the Linux malware Detection Tool (also called Maldet, or LMD) and ClamAV in Rhel 7.0/6.x (x is version number), CentOS 7.0/6.x and Fedora 21-12 ( Anti-Virus engine).

This is a malware scanning tool issued under the GPL v2 license, designed specifically for host hosting environments. However, you will soon realize that no matter what kind of environment you are facing, you will benefit from Maldet.

Install LMD to Rhel/centos 7.0/6.x and Fedora 21-12

LMD is not available from the online software library, but is distributed in the form of a packaged file from the official website of the project. Packaged files contain the latest version of the source code and can always be obtained from the following links, which can be downloaded using the following commands:

The code is as follows:

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Then, we need to unpack the package file and enter the contents of the Extract/extract content. Because the current version is 1.4.2, the directory is maldetect-1.4.2. We will find the installation script install.sh in this directory.

The code is as follows:

# TAR-XVF Maldetect-current.tar.gz

# Ls-l | grep maldetect

Download Linux Malware Detection Tool if we examine the installation script, which has only 75 lines (including annotations), it will find that it not only installs the tool, but also performs a preflight test to see if the default installation directory (/usr/local/maldetect) exists. If it does not exist, the script creates the installation directory first and then executes the next step.

Finally, once the installation is complete, you can schedule daily execution through Cron (scheduled tasks) by simply putting the cron.daily script (see above) into the/etc/cron.daily. This help script has a number of features, including emptying old temporary data, checking for new LMD versions, and scanning default data directories for the defaults Apache and Web control panels (such as cpanel and DirectAdmin).

That being said, run the setup script as usual:

The code is as follows:


Installing Linux malware detection tools in Linux

Configuring the Linux Malware Detection Tool

The task of configuring LDM is handled through/usr/local/maldetect/conf.maldet, so the options are fully commented so that it is fairly easy to configure. In case you get stuck, you can also refer to/usr/local/src/maldetect-1.4.2/readme for further instructions.

In the configuration file, you'll find the following sections enclosed in square brackets:

Email ALERTS (email alert)

Quarantine options (Isolation option)

SCAN options (scan option)

Statistical analysis (statistics)

Monitoring Options (monitoring option)

Each of these sections contains several variables that show how LMD works and what features are available.

If you want to receive an email informing the results of the malware detection, set email_alert=1. For brevity, we only forward messages to local system users, but you can also explore other options, such as sending email reminders to external users.

If you have previously set the Email_alert=1, set the email_subj= "Your subject here" and Email_addr=username@localhost.

As for Quar_hits, which is the default isolation action for malware attacks (0 = just reminders, 1 = instead of isolating and alerting), you tell LMD what to do after detecting malicious software.

Quar_clean will let you decide whether you want to clean up a string based malware injection. Keep in mind that, for its part, string characteristics are "contiguous sequences of bytes that may match many variants of the malware family." ”

Quar_susp, that is, the default suspend operation for the attacked user, allows you to disable the account whose files have been identified as being attacked.

Clamav_scan=1 will tell LMD to try to detect the presence of ClamAV binary code and use it as the default scanner engine. This can get up to four times times faster scan performance and excellent hex analysis. This option uses only ClamAV as the scanner engine, and LMD features are still the basis for detecting threats.

Important NOTE:

Please note: Quar_clean and QUAR_SUSP require Quar_hits to be enabled (=1).

In summary, in/usr/local/maldetect/conf.maldet, the rows with these variables should look as follows:

The code is as follows:



email_subj= "Malware alerts for $HOSTNAME-$ (date +%y-%m-%d)"





Install ClamAV to Rhel/centos 7.0/6.x and Fedora 21-12

To install ClamAV to take full advantage of Clamav_scan settings, follow these steps:

To create a software library file/etc/yum.repos.d/dag.repo:

The code is as follows:


Name=dag RPM Repository for Red Hat Enterprise Linux





And then run the command:

The code is as follows:

# Yum Update && yum install CLAMD

Note: These are just the basic instructions for installing CLAMAV to integrate it with LMD. We do not give a detailed description of the CLAMAV setup, because as mentioned earlier, the LMD feature is still the basis for detecting and eliminating threats.

Testing Linux Malware Detection tools

Now we can check the Lmd/clamav we just installed. Instead of using actual malware, we will use the Eicar test file (http://www.eicar.org/86-0-Intended-use.html), which can be downloaded from the Eicar Web site.

The code is as follows:

# cd/var/www/html

# wget Http://www.eicar.org/download/eicar.com

# wget Http://www.eicar.org/download/eicar.com.txt

# wget Http://www.eicar.org/download/eicar_com.zip

# wget Http://www.eicar.org/download/eicarcom2.zip

At this point, you can wait for the next cron task to run, or you can manually perform the Maldet. We will adopt the second approach:

The code is as follows:

# Maldet--scan-all/var/www/

LMD also accepts wildcards, so if you only want to scan some type of file (such as a zip file), you can do this:

The code is as follows:

# Maldet--scan-all/var/www/*.zip

Scan for malware in Linux

After the scan is complete, you can check the email sent by LMD or use the following command to view the report:

The code is as follows:

# Maldet--report 021015-1051.3559

Linux Malware Scan Report

Where 021015-1051.3559 is Scanid (Scanid with your actual results will be slightly different).

Important: Note: As the eicar.com file was downloaded two times (resulting in eicar.com and eicar.com.1), LMD found 5 attacks.

If you check the Quarantine folder (I only left a file and deleted the remaining files), we will see the following results:

The code is as follows:

# ls–l

Linux Malware Detection Tool quarantine files

You can then delete all quarantined files with the following command:

The code is as follows:

# rm-rf/usr/local/maldetect/quarantine/*

In case of that,

The code is as follows:

# Maldet--clean Scanid

The last factor to consider

Since Maldet needs to be integrated with cron, you need to set the following variables in root crontab (type crontab–e as root and press ENTER), and you may notice that LMD does not run correctly every day:

The code is as follows:





This will help to provide the necessary debugging information.


We discussed in this article how to install and configure the Linux malware Detection Tool and CLAMAV, a powerful partner. Using both of these tools, detecting malware should be a fairly easy task.

However, you have to do yourself a favor and familiarize yourself with the Readme file you explained before, so you can be sure that your system is fully supported and properly managed.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.