How to Install Linux Malware Detect (LMD) and ClamAV on CentOS 7

Linux Malware Detect (LMD) is malware detector and scanner for Linux, designed for shared hosting environments. LMD is released under GNU GPLV2 license, it can be installed on cPanel WHM and Linux environments with together other detection tools such as ClamAV.

Clam AntiVirus (ClamAV) is an open source antivirus solution to detect trojans, malware, viruses and other malicious software. ClamAV supports multiple platforms including Linux, Windows, and MacOS.

In this tutorial, I will show you how to install Linux Malware Detect (LMD) with Clam AntiVirus (ClamAV). I will use CentOS 7 as the operating system.

Prerequisite

  • CentOS 7
  • Root privileges

Step 1 - Install Epel repository and Mailx

Install the Epel (Extra Packages for Enterprise Linux) repository and the mailx command with yum. We need mailx installed on the system so that LMD can send the scan reports to your email address.

yum -y install epel-release

Install mailx so we can use the mail command on CentOS 7:

yum -y install mailx

Step 2 - Install Linux Malware Detect (LMD)

Linux Malware Detect is not available in CentOS or Epel repository, we need to install it manually from source.

Download LMD and extract it:

cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz

Go to the maldetect directory and run the installer script 'install.sh' as root:

cd maldetect-1.5
./install.sh

Next, make a symlink to the maldet command in the /bin/ directory:

ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r

Install Linux Malware Detect

Step 3 - Configure Linux Malware Detect (LMD)

LMD has benn installed into the '/usr/local/maldet/' directory. Go to that directory and edit the configuration file 'conf.maldet' with vim:

cd /usr/local/maldetect/
vim conf.maldet

Enable email alert by changing the value to '1' on line 16.

email_alert="1"

Type in your email address on line 21.

email_addr="[email protected]"

We will use the ClamAV clamscan binary as default scan engine because it provides a high-performance scan on large file sets.  Change value to '1' on line 114.

scan_clamscan="1"

Next, enable quarantining to move malware to the quarantine automatically during the scan process. Change value to '1' on line 180.

quarantine_hits="1"

Change value to 1 on line 185 to enable clean based malware injections.

quarantine_clean="1"

Save and exit.

Step 4 - Install ClamAV

In this step, we will install Clam AntiVirus or ClamAV to get the best scanning results of LMD. ClamAV is available in the Epel repository (that we've installed in the first step).

Install ClamAV and ClamAV devel with yum:

yum -y install clamav clamav-devel

After ClamAV has been installed, update the ClamAV virus databases with the freshclam command:

freshclam

Update ClamAV malware database with the freshclam command

Step 5 - Testing LMD and ClamAV

We will test an LMD manual scan with the maldet command. We will use the maldet command to scan the web directory '/var/www/html/'.

Go to the web root directory and download some sample malware (eicar) with wget:

cd /var/www/html
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Next, scan the web root directory with the maldet command below:

maldet -a /var/www/html

Scan a directory with Maldet

You can see that LMD is using the ClamAV scanner engine to perform the scan, and there are 'malware hits 3' and the malware files were automatically moved to the quarantine directory.

Check the scan report with the command below:

maldet --report 161008-0524.9466

SCANID = 161008-0524.9466 is found in the Maldet output.

LMD scan report

Now check the email report from LMD:

tail -f /var/mail/root

As you can see, the scan report has been sent to the destination email address.

Step 6 - Other LMD Commands

Perform a scan for specific file extention only:

maldet -a /var/www/html/*.php

Get a list of all reports:

maldet -e list

Get a list of malware reports

Scan files that have been created/modified in the last X days.

maldet -r /var/www/html/ 5

5 = the last days.

Restore files from the quarantine directory.

maldet -s SCANID

Restore file from quarantine directory

Enable monitoring of a directory.

maldet -m /var/www/html/

Check the monitor log file:

tail -f /usr/local/maldetect/logs/inotify_log

Monitor a directory with Maldet

Reference

Share this page:

0 Comment(s)

Add comment