{"id":929,"date":"2018-02-02T05:29:41","date_gmt":"2018-02-02T05:29:41","guid":{"rendered":"https:\/\/www.newdelhihosting.co.in\/blog\/?p=929"},"modified":"2024-10-22T10:52:55","modified_gmt":"2024-10-22T10:52:55","slug":"a-malware-scanner-for-linux-operating-system","status":"publish","type":"post","link":"https:\/\/www.newdelhihosting.co.in\/blog\/a-malware-scanner-for-linux-operating-system\/","title":{"rendered":"A Malware Scanner for Linux Operating System"},"content":{"rendered":"

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Linux Malware Detect (LMD)<\/strong> is a malware detector for Linux operating systems. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.<\/p>\n

Install LMD on CentOS 7:-<\/strong><\/p>\n

Download the latest version of LMD using the following command<\/p>\n

#\u00a0 cd \/usr\/local\/src\r\n# wget http:\/\/www.rfxn.com\/downloads\/maldetect-current.tar.gz\r\n# tar -zxvf maldetect-current.tar.gz\r\n# cd maldetect-1.4.2\r\n# .\/install.sh\r\n<\/pre>\n
Output:<\/p>\n
OUTPUT\r\n=======\r\nLinux Malware Detect v1.6\r\n (C) 2002-2017, R-fx Networks <proj@r-fx.org>\r\n (C) 2017, Ryan MacDonald <ryan@r-fx.org>\r\nThis program may be freely redistributed under the terms of the GNU GPL\r\n\r\ninstallation completed to \/usr\/local\/maldetect\r\nconfig file: \/usr\/local\/maldetect\/conf.maldet\r\nexec file: \/usr\/local\/maldetect\/maldet\r\nexec link: \/usr\/local\/sbin\/maldet\r\nexec link: \/usr\/local\/sbin\/lmd\r\ncron.daily: \/etc\/cron.daily\/maldet\r\nmaldet(7866): {sigup} performing signature update check...\r\nmaldet(7866): {sigup} local signature set is version 2017070716978\r\nmaldet(7866): {sigup} new signature set (2018020318436) available\r\nmaldet(7866): {sigup} downloading https:\/\/cdn.rfxn.com\/downloads\/maldet-sigpack.tgz<\/a>\r\nmaldet(7866): {sigup} downloading https:\/\/cdn.rfxn.com\/downloads\/maldet-cleanv2.tgz<\/a>\r\nmaldet(7866): {sigup} verified md5sum of maldet-sigpack.tgz\r\nmaldet(7866): {sigup} unpacked and installed maldet-sigpack.tgz\r\nmaldet(7866): {sigup} verified md5sum of maldet-clean.tgz\r\nmaldet(7866): {sigup} unpacked and installed maldet-clean.tgz\r\nmaldet(7866): {sigup} signature set update completed\r\nmaldet(7866): {sigup} 15218 signatures (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)<\/pre>\n
Configure Linux Malware Detect<\/strong>
\nThe main configuration file of LMD is \/usr\/local\/maldetect\/conf.maldet and you can modify it according to your requirements.<\/p>\n
# nano \/usr\/local\/maldetect\/conf.maldet<\/pre>\n
# [ EMAIL ALERTS ]\r\n##\r\n# The default email alert toggle\r\n# [0 = disabled, 1 = enabled]\r\nemail_alert=1\r\n\r\n# The subject line for email alerts\r\nemail_subj=\"maldet alert from $(hostname)\"\r\n\r\n# The destination addresses for email alerts\r\n# [ values are comma (,) spaced ]\r\nemail_addr=\"youremail@yourdomain.com\"\r\n\r\n# Ignore e-mail alerts for reports in which all hits have been cleaned.\r\n# This is ideal on very busy servers where cleaned hits can drown out\r\n# other more actionable reports.\r\nemail_ignore_clean=0\r\n\r\n##\r\n# [ QUARANTINE OPTIONS ]\r\n##\r\n# The default quarantine action for malware hits\r\n# [0 = alert only, 1 = move to quarantine & alert]\r\nquar_hits=1\r\n\r\n# Try to clean string based malware injections\r\n# [NOTE: quar_hits=1 required]\r\n# [0 = disabled, 1 = clean]\r\nquar_clean=1\r\n\r\n# The default suspend action for users wih hits\r\n# Cpanel suspend or set shell \/bin\/false on non-Cpanel\r\n# [NOTE: quar_hits=1 required]\r\n# [0 = disabled, 1 = suspend account]\r\nquar_susp=0\r\n# minimum userid that can be suspended\r\nquar_susp_minuid=500\r\n<\/pre>\n
You may edit the following values to configure Maldet to your needs<\/p>\n
email_alert : If you would like to receive email alerts, then it should be set to 1.
\nemail_subj : Set your email subject here.
\nemail_addr : Add your email address to receive malware alerts.
\nquar_hits : The default quarantine action for malware hits, it should be set 1.
\nquar_clean : Cleaing detected malware injections, must set to 1.
\nquar_susp : The default suspend action for users with hits, set it as per your requirements.
\nquar_susp_minuid : Minimum userid that can be suspended.
\n
\nMonitoring:-<\/strong><\/p>\n
There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.<\/p>\n
e.g: maldet \u2013monitor users
\ne.g: maldet \u2013monitor \/root\/monitor_paths
\ne.g: maldet \u2013monitor \/home\/webhost,\/home\/chennai<\/p>\n
The options break down as follows:-<\/p>\n
USERS \u2013 The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then the users webdir, if it exists, will only be monitored.
\nPATHS \u2013 A comma spaced list of paths to monitor
\nFILE \u2013 A line spaced file list of paths to monitor
\nyou can run maldet as a daemon as follows. The example below displays the syntax for a comma spaced list of paths to monitor.<\/p>\n
# maldet -m \/var ,\/home<\/p>\n
Usage:<\/strong>
\nTo scan a folder, for example \/home you should enter:<\/p>\n
# maldet -a \/home.
\nYou can examine the malware scan report by running the following command and appending the scan report ID.<\/p>\n
# maldet –report number-xxxx.xxxxx
\nTo quarantine the infected files, run the following command with the scan report ID. The infected files will then be quarantined for cleaning.<\/p>\n
# maldet -q SCAN ID
\n# maldet \u2013quarantine SCANID
\nClean all malware results from a previous scan<\/p>\n
# maldet -n SCAN ID
\n# maldet –clean SCAN ID
\nRestore a file that you have already quarantined<\/p>\n
# maldet -s FILENAME
\n# maldet –restore FILENAME<\/p>\n
Ignore Files:<\/strong><\/p>\n
There are three ignore files available in Linux Malware Detect. These can be used to exclude files from daily malware scans.<\/p>\n
ignore_paths:<\/strong><\/p>\n
This is a line spaced file for paths that are to be excluded from search results<\/p>\n
# \/usr\/local\/maldetect\/ignore_paths
\nignore_sigs:<\/p>\n
This is a line spaced file for signatures that should be removed from file scanning<\/p>\n
# \/usr\/local\/maldetect\/ignore_sigs<\/p>\n","protected":false},"excerpt":{"rendered":"
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Linux Malware Detect (LMD) is a malware detector for Linux operating systems. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Install LMD on CentOS 7:- Download the latest version of LMD using the following command #\u00a0 cd…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[23],"tags":[],"class_list":["post-929","post","type-post","status-publish","format-standard","hentry","category-general"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/929"}],"collection":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/comments?post=929"}],"version-history":[{"count":6,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/929\/revisions"}],"predecessor-version":[{"id":981,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/929\/revisions\/981"}],"wp:attachment":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/media?parent=929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/categories?post=929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/tags?post=929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}