How to Install Linux Malware Detect (LMD) and ClamAV on CentOS 7

Linux Malware Detect (LMD) is a malware detector and scanner for Linux, designed for shared hosting environments. LMD is released under the GNU GPLv2 license and can be installed on cPanel/WHM and plain Linux systems, alongside other detection tools such as ClamAV.

Clam AntiVirus (ClamAV) is an open source antivirus solution to detect trojans, malware, viruses and other malicious software. ClamAV supports multiple platforms including Linux, Windows, and MacOS.

In this tutorial, I will show you how to install Linux Malware Detect (LMD) with Clam AntiVirus (ClamAV). I will use CentOS 7 as the operating system.

Prerequisite

  • CentOS 7
  • Root privileges

Step 1 - Install the EPEL repository and Mailx

Install the EPEL (Extra Packages for Enterprise Linux) repository and the mailx command with yum. mailx is needed so that LMD can send scan reports to your email address.

yum -y install epel-release

Install mailx so we can use the mail command on CentOS 7:

yum -y install mailx

Step 2 - Install Linux Malware Detect (LMD)

Linux Malware Detect is not available in the CentOS or EPEL repositories, so we install it manually from the upstream tarball.

Download LMD and extract it:

cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz

The tarball extracts to a directory named after the LMD version (maldetect-1.5 at the time of writing; check with ls). Go into it and run the installer script 'install.sh' as root:

cd maldetect-1.5
./install.sh

Next, make a symlink to the maldet command in the /bin/ directory:

ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r

Install Linux Malware Detect

Step 3 - Configure Linux Malware Detect (LMD)

LMD has been installed into the '/usr/local/maldetect/' directory. Go to that directory and edit the configuration file 'conf.maldet' with vim:

cd /usr/local/maldetect/
vim conf.maldet

Enable email alerts by setting email_alert to '1' (line 16 in this version of conf.maldet; the line numbers below differ between LMD releases, so search for the option name rather than relying on them).

email_alert="1"

Set email_addr (line 21) to your email address.

email_addr="[email protected]"

We will use the ClamAV clamscan binary as the default scan engine because it scans large file sets much faster than LMD's built-in scanner. Change the value to '1' on line 114.

scan_clamscan="1"

Next, enable quarantining so that hits are moved to the quarantine directory automatically during the scan. Change the value to '1' on line 180.

quarantine_hits="1"

Set the value to '1' on line 185 to let LMD attempt to clean string-based malware injections. Note that this rewrites infected files in place and can break legitimate scripts; if you prefer to inspect hits yourself, leave it at '0', let LMD quarantine the file, and restore a clean copy from backup.

quarantine_clean="1"

Save and exit.
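The same settings can be applied by option name instead of by line number, which is what you want in a provisioning script because the line numbers above move between LMD releases. The following shell functions are an added example, not part of LMD or of this tutorial; they assume the tutorial's conf.maldet path and additionally set scan_ignore_root="0", which the EICAR test in Step 5 needs when the test files are downloaded as root.

```shell
#!/bin/sh
# Added example, not part of LMD or the original tutorial: set conf.maldet
# options by key name rather than by line number, because the line numbers
# quoted in Step 3 move between LMD releases. The conf.maldet path used in
# the usage line is the tutorial's /usr/local/maldetect/conf.maldet.

# Set KEY="VALUE" in FILE, replacing an existing assignment or appending one.
# Anchoring on ^KEY= keeps commented-out examples and similarly named keys
# (e.g. email_alert vs email_addr) untouched. VALUE must not contain '|' or '&'.
set_maldet_opt() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Print the current value of KEY in FILE with the surrounding quotes stripped.
get_maldet_opt() {
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Apply the settings from Step 3 plus scan_ignore_root=0, which the EICAR
# test in Step 5 needs when the files were fetched as root (LMD skips
# root-owned files by default). quarantine_clean rewrites infected files in
# place, so it is deliberately left at its default here.
configure_maldet() {
    conf=$1 email=$2
    set_maldet_opt "$conf" email_alert 1
    set_maldet_opt "$conf" email_addr "$email"
    set_maldet_opt "$conf" scan_clamscan 1
    set_maldet_opt "$conf" quarantine_hits 1
    set_maldet_opt "$conf" scan_ignore_root 0
}

# Usage on a real host (email address is a placeholder):
# configure_maldet /usr/local/maldetect/conf.maldet admin@example.com
```

Run get_maldet_opt after configure_maldet to confirm each value took effect; because set_maldet_opt appends any key that is missing, the script also works against a conf.maldet from a release that does not ship one of these options.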

Step 4 - Install ClamAV

In this step, we will install Clam AntiVirus (ClamAV) so that LMD can use its faster scan engine. ClamAV is available in the EPEL repository that we enabled in the first step.

Install ClamAV and ClamAV devel with yum:

yum -y install clamav clamav-devel

After ClamAV has been installed, update the ClamAV virus databases with the freshclam command (on CentOS 7 freshclam ships in the clamav-update package; install that package too if the command is not found):

freshclam

Update ClamAV malware database with the freshclam command

Step 5 - Testing LMD and ClamAV

We will test an LMD manual scan with the maldet command. We will use the maldet command to scan the web directory '/var/www/html/'.

Go to the web root directory and download the EICAR test files (harmless strings that every antivirus engine detects as a test signature) with wget:

cd /var/www/html
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Files downloaded as root are owned by root, and LMD skips root-owned files by default (scan_ignore_root="1" in conf.maldet). Either set scan_ignore_root="0" for this test or chown the files to the web server user, otherwise the scan reports 0 hits. Then scan the web root directory with the maldet command below:

maldet -a /var/www/html

Scan a directory with Maldet

You can see that LMD used the ClamAV scanner engine for the scan, reported 'malware hits 3', and moved the three files to the quarantine directory automatically.

Check the scan report with the command below:

maldet --report 161008-0524.9466

The SCANID (161008-0524.9466 here) is printed at the end of the maldet output, after 'scan report saved, to view run:'.

LMD scan report

Now check the email report from LMD:

tail -f /var/mail/root

As you can see, the scan report has been sent to the destination email address.
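When the scan runs from cron or a deployment pipeline, nobody is reading the terminal, so the useful information is the hit count and the SCANID from the last two lines of maldet's output. The functions below are an added example (not LMD's code and not from this tutorial) that extract both from the output format shown above and turn a non-zero hit count into a non-zero exit status; the sample output embedded in the block is constructed from that format, and maldet is assumed to be on PATH as the tutorial's symlink provides.

```shell
#!/bin/sh
# Added example, not part of LMD: parse the summary lines maldet prints at
# the end of a scan so a cron job or CI step can fail on hits and hand the
# SCANID to `maldet --report`. Sample output is constructed from the line
# format shown in Step 5 of the tutorial.

SAMPLE_HIT='maldet(9466): {scan} scan completed on /var/www/html: files 3, malware hits 3, cleaned hits 0, time 2s
maldet(9466): {scan} scan report saved, to view run: maldet --report 161008-0524.9466'

# Print the malware hit count from maldet output on stdin (empty if absent).
maldet_hits() {
    sed -n 's/.*scan completed on .*: files [0-9]*, malware hits \([0-9]*\),.*/\1/p' | tail -n 1
}

# Print the SCANID from the "scan report saved" line (empty if absent).
maldet_scanid() {
    sed -n 's/.*scan report saved, to view run: maldet --report \([0-9]*-[0-9]*\.[0-9]*\).*/\1/p' | tail -n 1
}

# Evaluate captured maldet output: return 0 when clean, 2 when there were
# hits, and 1 when the summary could not be parsed (scan aborted, maldet
# missing, unexpected format) so that "no news" is never mistaken for clean.
check_scan_output() {
    out=$1
    hits=$(printf '%s\n' "$out" | maldet_hits)
    id=$(printf '%s\n' "$out" | maldet_scanid)
    if [ -z "$hits" ] || [ -z "$id" ]; then
        echo "could not parse maldet summary" >&2
        return 1
    fi
    if [ "$hits" -gt 0 ]; then
        echo "$hits malware hit(s); review with: maldet --report $id" >&2
        return 2
    fi
    return 0
}

# Scan DIR with the tutorial's `maldet -a` and evaluate the result
# (maldet assumed on PATH; stderr merged because maldet logs there too).
scan_dir() {
    check_scan_output "$(maldet -a "$1" 2>&1)"
}

# Stand-alone demonstration on the constructed sample: reports 3 hits.
check_scan_output "$SAMPLE_HIT" || echo "exit status $?"
```

A cron entry can then call scan_dir and mail or page on exit status 2, while treating exit status 1 as a monitoring failure rather than a clean result.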

Step 6 - Other LMD Commands

Perform a scan for a specific file extension only:

maldet -a /var/www/html/*.php

Get a list of all reports:

maldet -e list

Get a list of malware reports

Scan only files that have been created or modified in the last X days:

maldet -r /var/www/html/ 5

Here 5 is the number of days to look back.

Restore files from the quarantine directory by file name or by SCANID (restoring everything quarantined in that scan):

maldet -s SCANID

Restore file from quarantine directory

Enable real-time monitoring of a directory with inotify (this requires the inotify-tools package from EPEL, which is not installed by default):

maldet -m /var/www/html/

Check the monitor log file:

tail -f /usr/local/maldetect/logs/inotify_log

Monitor a directory with Maldet
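LMD's monitor mode uses inotifywait -r, which places one kernel watch on every directory under the monitored path, and it aborts with "upper limit on inotify watches reached" once the per-user limit in /proc/sys/fs/inotify/max_user_watches is exhausted. The check below is an added example, not part of LMD or this tutorial: it counts the directories a path would need, compares them with the current limit (the limit file is a parameter so the check can run against a fixture), and shows how to raise the limit persistently; the 2x safety margin is an assumption to leave room for other processes that also hold watches.

```shell
#!/bin/sh
# Added example, not LMD code: before starting `maldet -m PATH`, compare the
# number of directories inotify would have to watch with the per-user limit.
# Each watch consumes a small fixed amount of unswappable kernel memory
# (commonly cited as about 1 KiB per watch on 64-bit kernels), which is the
# only cost of raising the limit.

# Count directories under PATH: inotifywait -r needs one watch per directory.
count_watch_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Current per-user inotify watch limit. The file is a parameter (default is
# the real sysctl) so the check can be exercised against a fixture file.
inotify_limit() {
    cat "${1:-/proc/sys/fs/inotify/max_user_watches}"
}

# Return 0 if the limit leaves headroom for PATH, 1 otherwise. Prints the
# figures so the operator sees how far off the limit is. Assumption: other
# processes hold watches too, so a 2x margin over the directory count is required.
check_inotify_headroom() {
    need=$(count_watch_dirs "$1")
    limit=$(inotify_limit "$2")
    wanted=$((need * 2))
    echo "directories: $need, max_user_watches: $limit, wanted: $wanted"
    [ "$limit" -ge "$wanted" ]
}

# Raise the limit persistently; CentOS 7 applies /etc/sysctl.d/*.conf at boot.
# The file name and the value 524288 are example choices.
raise_inotify_limit() {
    value=${1:-524288}
    printf 'fs.inotify.max_user_watches = %s\n' "$value" > /etc/sysctl.d/90-maldet.conf
    sysctl -p /etc/sysctl.d/90-maldet.conf
}

# Usage: check_inotify_headroom /var/www/html || raise_inotify_limit
```

Run the check as the user that will run maldet -m (root in this tutorial), since the limit is enforced per user, and re-run it after adding sites to the monitored tree.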


Comments

By: Jack

Hi, many thanks for this great document.

With a standard install of ISPConfig on CentOS 7, mailx and epel are already installed, as well as clam, but inotify is not, so you might add:

yum install -y inotify-tools

And another issue is that maldet does not find clamd:

[[email protected] logrotate.d]# tail -f /usr/local/maldetect/logs/event_log
Dec 15 22:22:13 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:22:23 websrv maldet(7136): {mon} scanned 108 new/changed files with clamav engine
Dec 15 22:24:23 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:24:32 websrv maldet(7136): {mon} scanned 127 new/changed files with clamav engine
Dec 15 22:26:32 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:26:41 websrv maldet(7136): {mon} scanned 186 new/changed files with clamav engine
Dec 15 22:28:41 websrv maldet(7136): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Dec 15 22:28:50 websrv maldet(7136): {mon} scanned 128 new/changed files with clamav engine

But it works:

[[email protected] maldetect]# ps -afe | grep clam
amavis    1641     1  1 21:35 ?        00:00:58 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --foreground=yes
root      7767     1  0 22:11 pts/1    00:00:01 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.7136 --exclude (^/var/tmp/mysql.sock$|^/tmp/mysql.sock$|^/var/cache/buagent/md0.cache.data$|^/var/tmp/#sql_.*\.MYD$|^/tmp/#sql_.*\.MYD$|^/var/tmp/clamav-.*|^/tmp/clamav-.*|^/usr/local/maldetect*|^/dev/pts*|^/dev/null) --timefmt %d %b %H:%M:%S --format %w%f %e %T -m -e create,move,modify

But in our case amavis is the owner of the process, maybe we should change that somewhere but I don't know.

Do you have an idea?


By: Rajendra Desai

Great article!!

Can you help solving following issue:

-------------

Failed to watch /usr/local/; upper limit on inotify watches reached!

Please increase the amount of inotify watches allowed per user via `/proc/sys/fs/inotify/max_user_watches'.

-------------

how safe is to increase max_user_watches value? in /proc/sys/fs/inotify/max_user_watches??

Thanks,

By: Mitch

did

cd /var/www/html
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

did 

maldet -a /var/www/html

report said

maldet(7018): {scan} scan completed on /var/www/html: files 422, malware hits 0, cleaned hits 0, time 16s

here's the output

[[email protected] html]# maldet -a /var/www/html
Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <[email protected]>
            (C) 2017, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7018): {scan} signatures loaded: 15399 (12595 MD5 | 2025 HEX | 779 YARA | 0 USER)
maldet(7018): {scan} building file list for /var/www/html, this might take awhile...
maldet(7018): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(7018): {scan} file list completed in 0s, found 422 files...
maldet(7018): {scan} found clamav binary at /usr/local/cpanel/3rdparty/bin/clamdscan, using clamav scanner engine...
maldet(7018): {scan} scan of /var/www/html (422 files) in progress...

maldet(7018): {scan} scan completed on /var/www/html: files 422, malware hits 0, cleaned hits 0, time 16s
maldet(7018): {scan} scan report saved, to view run: maldet --report 180523-1213.7018

___________________________

So either there is no signature for the test files or the test files don't have malware

By: buzzin

You're scanning root-owned files, so you must change the following parameter in the conf.maldet file for the maldet scanner to detect the test malware:

scan_ignore_root="0"

By: Tanner Williamson

I don't recommend using quarantine_clean="1" as it can break good scripts and has done so before on my servers. I think it is better to let LMD find and simply quarantine the file (without attempting to automatically clean up the file); then you yourself can manually clean the file before placing it back, or simply recover the file from your most recent daily backup.

Cheers,

Tanner Williamson

By: Larry

Can anyone explain why I would want LMD if LMD is using ClamAV to perform the scan? Can I just use ClamAV and run clamscan? Does LMD do something additional?

By: till

LMD uses ClamAV scan engine with malware specific antivirus signatures which are not included in the default ClamAV signature set.

By: Larry

but right from the ClamAV website it has:

ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

It says malware? Does LMD go beyond that?

By: till

Yes. If it did not make sense to install it, then we would not include it in the tutorial ;) Google 'Linux Malware Detect' if you want to learn more about what LMD is and what it does.