Comments on How to Install Linux Malware Detect (LMD) and ClamAV on CentOS 7
In this tutorial, I will show you how to install Linux Malware Detect (LMD) with Clam AntiVirus (ClamAV). I will use CentOS 7 as the operating system.
Comments
Hi, many thanks for this great document.
With a standard install of ISPConfig on CentOS 7, mailx and epel are already installed, as well as clam, but inotify is not, so you might add:
yum install -y inotify-tools
And another issue is that maldet does not find clamd:
[root@websrv logrotate.d]# tail -f /usr/local/maldetect/logs/event_log
Dec 15 22:22:13 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:22:23 websrv maldet(7136): {mon} scanned 108 new/changed files with clamav engine
Dec 15 22:24:23 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:24:32 websrv maldet(7136): {mon} scanned 127 new/changed files with clamav engine
Dec 15 22:26:32 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:26:41 websrv maldet(7136): {mon} scanned 186 new/changed files with clamav engine
Dec 15 22:28:41 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:28:50 websrv maldet(7136): {mon} scanned 128 new/changed files with clamav engine
But it works:
[root@websrv maldetect]# ps -afe | grep clam
amavis 1641 1 1 21:35 ? 00:00:58 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --foreground=yes
root 7767 1 0 22:11 pts/1 00:00:01 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.7136 --exclude (^/var/tmp/mysql.sock$|^/tmp/mysql.sock$|^/var/cache/buagent/md0.cache.data$|^/var/tmp/#sql_.*\.MYD$|^/tmp/#sql_.*\.MYD$|^/var/tmp/clamav-.*|^/tmp/clamav-.*|^/usr/local/maldetect*|^/dev/pts*|^/dev/null) --timefmt %d %b %H:%M:%S --format %w%f %e %T -m -e create,move,modify
But in our case amavis is the owner of the process; maybe we should change that somewhere, but I don't know.
Do you have an idea?
Great article!!
Can you help solving following issue:
-------------
Failed to watch /usr/local/; upper limit on inotify watches reached!
Please increase the amount of inotify watches allowed per user via `/proc/sys/fs/inotify/max_user_watches'.
-------------
How safe is it to increase the max_user_watches value in /proc/sys/fs/inotify/max_user_watches?
Thanks,
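The question above is about sizing the inotify limit that maldet's monitor mode runs into. The following is an added example, not code from the tutorial or from LMD: it counts the directories under the paths you intend to monitor (a recursive inotifywait needs one watch per directory), compares that with the current per-user limit, proposes a value with headroom, and writes a sysctl.d drop-in so the setting survives a reboot. The drop-in file name 99-inotify.conf and the rounding rule are my own choices. The cost of raising the limit is kernel memory per watch (roughly a kilobyte each on 64-bit kernels, an approximate figure), so a limit of a few hundred thousand is normal on a web server; the limit exists to keep one user from exhausting kernel memory, not because higher values are unsafe in themselves.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of LMD): size fs.inotify.max_user_watches
# for the tree that maldet's "inotifywait -r" monitors.

# Current per-user watch limit. The optional path argument lets the function be
# exercised against a constructed file instead of the live /proc entry.
inotify_limit() {
    cat "${1:-/proc/sys/fs/inotify/max_user_watches}"
}

# A recursive inotify monitor needs one watch per directory, so the number of
# directories under the monitored paths is the number of watches required.
count_watch_dirs() {
    find "$@" -xdev -type d 2>/dev/null | wc -l | tr -d ' '
}

# Proposed limit: required watches plus 50% headroom, rounded up to a multiple
# of 8192, and never lower than the value already configured.
suggest_limit() {
    local current="$1" required="$2" target
    target=$(( required + required / 2 ))
    target=$(( (target + 8191) / 8192 * 8192 ))
    if [ "$target" -lt "$current" ]; then
        echo "$current"
    else
        echo "$target"
    fi
}

# Persist the value through a sysctl.d drop-in (applied at boot, or now with
# "sysctl --system"). The target file is a parameter so this can be tested
# without touching /etc; the default name 99-inotify.conf is an assumption.
write_sysctl_dropin() {
    local value="$1" file="${2:-/etc/sysctl.d/99-inotify.conf}"
    printf 'fs.inotify.max_user_watches = %s\n' "$value" > "$file"
    echo "$file"
}

# Usage as a script: ./inotify-limit.sh /var/www/html /home
if [ "$#" -gt 0 ]; then
    current=$(inotify_limit)
    required=$(count_watch_dirs "$@")
    suggested=$(suggest_limit "$current" "$required")
    echo "current limit: $current, directories to watch: $required, suggested: $suggested"
    if [ "$suggested" -gt "$current" ]; then
        echo "apply now:  sysctl -w fs.inotify.max_user_watches=$suggested"
        echo "persist:    write_sysctl_dropin $suggested && sysctl --system"
    fi
fi
```

Run it with the same paths you list for maldet's monitor; if the suggested value is above the current one, apply it with sysctl -w and keep the drop-in so the change is not lost at the next reboot.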
did
cd /var/www/html
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
did
maldet -a /var/www/html
report said
maldet(7018): {scan} scan completed on /var/www/html: files 422, malware hits 0, cleaned hits 0, time 16s
Here's the output:
[root@jds1 html]# maldet -a /var/www/html
Linux Malware Detect v1.6.2
(C) 2002-2017, R-fx Networks <[email protected]>
(C) 2017, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(7018): {scan} signatures loaded: 15399 (12595 MD5 | 2025 HEX | 779 YARA | 0 USER)
maldet(7018): {scan} building file list for /var/www/html, this might take awhile...
maldet(7018): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(7018): {scan} file list completed in 0s, found 422 files...
maldet(7018): {scan} found clamav binary at /usr/local/cpanel/3rdparty/bin/clamdscan, using clamav scanner engine...
maldet(7018): {scan} scan of /var/www/html (422 files) in progress...
maldet(7018): {scan} scan completed on /var/www/html: files 422, malware hits 0, cleaned hits 0, time 16s
maldet(7018): {scan} scan report saved, to view run: maldet --report 180523-1213.7018
___________________________
So either there is no signature for the test files, or the test files don't contain malware.
You're scanning root-owned files, so you must change the following parameter in the conf.maldet file for the maldet scanner to detect the test malware: scan_ignore_root="0"
I don't recommend using quarantine_clean="1", as it can break good scripts and has done so before on my servers. I think it is better to let LMD find and simply quarantine the file (without attempting to automatically clean it up); then you can manually clean the file yourself before placing it back, or simply recover the file from your most recent daily backup.
Cheers,
Tanner Williamson
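Two of the comments above come down to reading conf.maldet correctly: the EICAR test that reported "malware hits 0" because scan_ignore_root was left at "1" on root-owned files, and the advice to keep quarantine_clean off. The following is an added example, not code from the tutorial or from LMD: it reads a setting out of conf.maldet, parses the "scan completed" summary line that maldet prints, and explains a zero-hit result from those two facts plus the owner uid of the test file. The conf.maldet excerpt used in the test is constructed; only the key names scan_ignore_root and quarantine_clean come from the comments above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of LMD): diagnose a zero-hit EICAR
# test against maldet's configuration and scan summary.

# Read a key="value" setting from conf.maldet (last assignment wins, quotes
# stripped, commented-out lines ignored).
maldet_conf_get() {
    local conf="$1" key="$2"
    grep "^[[:space:]]*${key}=" "$conf" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Rewrite a key="value" setting in place via a temporary file (portable sed).
maldet_conf_set() {
    local conf="$1" key="$2" value="$3"
    sed "s/^[[:space:]]*${key}=.*/${key}=\"${value}\"/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Pull the hit count out of a line such as
# "maldet(7018): {scan} scan completed on /var/www/html: files 422, malware hits 0, ..."
scan_hits() {
    printf '%s\n' "$1" | sed -n 's/.*malware hits \([0-9][0-9]*\).*/\1/p'
}

# Explain a scan result: "detected", "not-detected", "skipped-root-owned"
# (zero hits while root-owned files are excluded by scan_ignore_root="1"),
# or "unparsed" when the summary line does not match maldet's format.
diagnose() {
    local conf="$1" summary="$2" owner_uid="$3" hits
    hits=$(scan_hits "$summary")
    if [ -z "$hits" ]; then
        echo "unparsed"; return
    fi
    if [ "$hits" -gt 0 ]; then
        echo "detected"; return
    fi
    if [ "$(maldet_conf_get "$conf" scan_ignore_root)" = "1" ] && [ "$owner_uid" = "0" ]; then
        echo "skipped-root-owned"; return
    fi
    echo "not-detected"
}

# Usage on a real host (paths assumed to match the tutorial's install):
#   summary=$(maldet -a /var/www/html | grep 'scan completed')
#   diagnose /usr/local/maldetect/conf.maldet "$summary" "$(stat -c %u /var/www/html/eicar.com.txt)"
# A result of "skipped-root-owned" is fixed with:
#   maldet_conf_set /usr/local/maldetect/conf.maldet scan_ignore_root 0
# and quarantine_clean is checked with:
#   maldet_conf_get /usr/local/maldetect/conf.maldet quarantine_clean   # "0" leaves cleanup to you
```

With the setting flipped to "0" and the scan repeated, the summary line should report non-zero hits for the EICAR files, which confirms that the ClamAV engine and LMD's signatures are actually being applied to the web root.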
Can anyone explain why I would want LMD if LMD is using ClamAV to perform the scan? Can I just use ClamAV and run clamscan? Does LMD do something additional?
LMD uses the ClamAV scan engine with malware-specific antivirus signatures that are not included in the default ClamAV signature set.
But right on the ClamAV website it says:
ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
It says malware? Does LMD go beyond that?
Yes. If it did not make sense to install it, we would not include it in the tutorial ;) Google 'Linux Malware Detect' if you want to learn more about what LMD is and what it does.