How to install and use Linux Malware Detect (LMD) with ClamAV as an antivirus engine

by time news

2023-09-20 09:00:00

Malware, or malicious software, is the name given to any program whose purpose is to alter the normal operation of a computer system. The best-known forms are viruses, spyware and adware, and the damage they aim to cause ranges from stealing private information to deleting personal data, with everything in between. Another classic use of malware is to take control of the system and enlist it in a botnet for (D)DoS attacks.

In other words, you cannot afford to think "I don't need to protect my system(s) from malware because I don't store any sensitive or important data," because data is not the only thing malware is after.

For that reason, in this article we will explain how to install and configure Linux Malware Detect (also known as MalDet, or LMD for short) together with ClamAV (as the antivirus engine) on RHEL, CentOS and Fedora. The same instructions also work on Ubuntu and Debian systems.

LMD is a malware scanner released under the GPL v2 license and designed with shared hosting environments in mind. However, you will quickly realize that MalDet is useful regardless of the type of environment you work in.

Installing LMD on RHEL/CentOS and Fedora

LMD is not available in the distribution repositories; it is distributed as a tar archive from the project website. The tarball containing the source code of the latest version is always available at the following link, from which it can be downloaded with wget:

# wget

Next we extract the tar archive and enter the directory it creates. Since the current version is 1.6.4, that directory is maldetect-1.6.4. Inside it we will find the installation script, install.sh.

# tar -xvf maldetect-current.tar.gz
# ls -l | grep maldetect
# cd maldetect-1.6.4/
# ls

Download malware detection for Linux

If we inspect the installation script (only 75 lines including comments), we will see that it not only installs the tool but also checks whether the default installation directory (/usr/local/maldetect) exists, and creates it before continuing if it does not.

Finally, once the installation is complete, a daily run is scheduled via cron by placing the cron.daily script (see image above) in /etc/cron.daily. Among other things, this helper script clears old temporary data, checks for new versions of LMD, and scans the default data directories of Apache and of web control panels (cPanel and DirectAdmin, to name a few).

That said, once you have read through it, run the installation script as root:

# ./install.sh
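The steps above fetch the archive with a bare wget and run install.sh as root without checking what was downloaded. The following shell functions are an added example, not part of LMD or of the original article: they verify the tarball's SHA-256 against a digest you obtained out of band (for instance from the project's release notes or a previously verified copy; the digest value itself is an assumption you must supply) and refuse archives that contain absolute or parent-relative paths or more than the single maldetect-<version>/ directory that install.sh expects, before extracting.

```shell
#!/bin/bash
# Added example (not LMD's own tooling): check a downloaded LMD tarball
# before running its install.sh as root. The expected SHA-256 is assumed
# to come from outside this script; no digest is hard-coded here.
set -eu

# sha256_of FILE: hex digest, using whichever tool the system has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# top_dirs TARBALL: the distinct top-level names inside the archive
top_dirs() {
    tar -tzf "$1" | sed -E 's#/.*##' | sort -u
}

# tarball_is_sane TARBALL: refuse archives with absolute paths or ".."
# components (those could write outside the extraction directory when
# unpacked as root) and require exactly one top-level "maldetect-<ver>/"
# directory, which is where install.sh is meant to be run from.
tarball_is_sane() {
    local tb=$1
    if tar -tzf "$tb" | grep -Eq '^/|^\.\./|/\.\./|/\.\.$'; then
        echo "archive contains absolute or parent-relative paths" >&2
        return 1
    fi
    [ "$(top_dirs "$tb" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    top_dirs "$tb" | grep -Eq '^maldetect-[0-9][0-9.]*$'
}

# verify_and_extract TARBALL EXPECTED_SHA256 DESTDIR
# Prints the name of the extracted directory on success, returns 1 otherwise
# (and extracts nothing if the digest or the layout check fails).
verify_and_extract() {
    local tb=$1 expected=$2 dest=$3 actual
    actual=$(sha256_of "$tb")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
    tarball_is_sane "$tb" || { echo "unexpected archive layout" >&2; return 1; }
    mkdir -p "$dest"
    tar -xzf "$tb" -C "$dest"
    top_dirs "$tb"
}
```

Usage, after the wget step: `dir=$(verify_and_extract maldetect-current.tar.gz <expected-sha256> /usr/local/src) && cd /usr/local/src/$dir && ./install.sh`. The digest check only proves the file is the one you expected; reading install.sh before running it as root is still worthwhile.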

Install Linux Malware Detect on Linux

Configuring Linux Malware Detection

LMD is configured through /usr/local/maldetect/conf.maldet, and every option is well commented, so configuration is a fairly simple task. If you get stuck, you can also refer to the README file in the maldetect-1.6.4 directory you extracted earlier for further instructions.

In the configuration file you will find the following sections, enclosed in square brackets:

EMAIL ALERTS
QUARANTINE OPTIONS
SCAN OPTIONS
STATISTICAL ANALYSIS
MONITORING OPTIONS

Each of these sections contains several variables that determine how LMD behaves and which features are enabled.

Set email_alert=1 if you want to receive email notifications with the results of each malware scan. For brevity we will only deliver mail to users on the local system, but you can also send alerts to external addresses. If you set email_alert=1, also set email_subj="Your subject here" and email_addr=username@localhost.

quar_hits is the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine and alert); it tells LMD what to do when malware is detected.

quar_clean lets you decide whether LMD should clean string-based malware injections out of the affected files. A string signature is, by definition, "a sequence of contiguous bytes that can potentially match many variants of a malware family."

quar_susp is the default suspend action for users with hits: it lets LMD disable a user account whose files have been flagged.

clamav_scan=1 tells LMD to look for the ClamAV binary and use it as the default scanning engine. This gives up to four times faster scanning and better hex analysis. The option only swaps the engine: LMD's own signatures remain the basis for detecting threats. Two practical notes: in LMD 1.5 and later this option appears in conf.maldet under the name scan_clamscan, so grep the file to see which name your version uses; and the shipped file writes values in double quotes (for example quar_hits="1"), but both forms work because conf.maldet is read as a shell script.

Important: note that quar_clean and quar_susp require quar_hits to be enabled (=1).

In summary, the lines with these variables should look like this in /usr/local/maldetect/conf.maldet :

email_alert=1
email_addr=javier@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1
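Editing conf.maldet by hand is fine once, but on several hosts it is easy to leave an option commented out or to enable quar_clean without quar_hits. The functions below are an added example, not LMD's own code: they set the values from the section above idempotently in a conf.maldet-style file (rewriting an existing line whether it is active or commented out, appending it if absent) and then enforce the quar_* dependency. The sample file they operate on is constructed here with only the keys used in this article; on a real system point them at /usr/local/maldetect/conf.maldet, and use scan_clamscan instead of clamav_scan if that is the name your version uses.

```shell
#!/bin/bash
# Added example (not LMD's own code): set conf.maldet options idempotently
# and check the quar_clean/quar_susp -> quar_hits dependency.
set -eu

# set_conf FILE KEY VALUE
# Rewrites an existing KEY= line (active or commented out with '#'), or
# appends KEY="VALUE" if the key is absent. VALUE must not contain '|' or '&'.
set_conf() {
    local file=$1 key=$2 value=$3
    if grep -Eq "^#?[[:space:]]*${key}=" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf FILE KEY: prints the value of the first active KEY= line, unquoted
get_conf() {
    local file=$1 key=$2
    sed -nE "/^${key}=/{s/^[^=]*=\"?([^\"]*)\"?.*/\1/p;q}" "$file"
}

# check_quarantine_deps FILE
# Returns 1 if quar_clean or quar_susp is enabled while quar_hits is not.
check_quarantine_deps() {
    local file=$1 hits clean susp
    hits=$(get_conf "$file" quar_hits)
    clean=$(get_conf "$file" quar_clean)
    susp=$(get_conf "$file" quar_susp)
    if [ "${hits:-0}" != "1" ] && { [ "${clean:-0}" = "1" ] || [ "${susp:-0}" = "1" ]; }; then
        echo "quar_clean and quar_susp require quar_hits=1" >&2
        return 1
    fi
    return 0
}

# make_sample_conf FILE: a constructed stand-in for conf.maldet with only the
# keys used in this article, in the same key="value" layout as the real file
# (clamav_scan is deliberately commented out to exercise the uncomment path).
make_sample_conf() {
    cat > "$1" <<'EOF'
email_alert="0"
email_addr="you@domain.com"
quar_hits="0"
quar_clean="0"
quar_susp="0"
#clamav_scan="1"
EOF
}

# apply_recommended FILE: the settings from the configuration section above
apply_recommended() {
    local file=$1
    set_conf "$file" email_alert 1
    set_conf "$file" email_addr javier@localhost
    set_conf "$file" email_subj 'Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)'
    set_conf "$file" quar_hits 1
    set_conf "$file" quar_clean 1
    set_conf "$file" quar_susp 1
    set_conf "$file" clamav_scan 1
    check_quarantine_deps "$file"
}
```

Running `apply_recommended /usr/local/maldetect/conf.maldet` as root applies the block above; because set_conf rewrites rather than appends, it is safe to rerun after an LMD upgrade replaces the file.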

Installing ClamAV on RHEL/CentOS and Fedora

To install ClamAV and take advantage of the configuration clamav_scan follow these steps:

Enable the EPEL repository.

# yum install epel-release

Then install the ClamAV daemon:

# yum update && yum install clamd                          [RHEL/CentOS/Fedora]
# apt update && apt-get install clamav clamav-daemon       [Ubuntu/Debian]

Note: these are only the basic steps needed to install ClamAV so that it can be integrated with LMD. We will not go into ClamAV configuration, because, as noted above, LMD's signatures remain the basis for detecting and cleaning threats.

Linux Malware Detection Test

Now it is time to test our fresh LMD / ClamAV installation. Instead of using real malware, we will use the EICAR test files, which are available for download from the EICAR website:

# cd /var/www/html
# wget
# wget .txt
# wget
# wget
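If the test host has no outbound access, or you want to see exactly what makes a file count as an EICAR test file, the script below is an added example, not from the original article or from LMD. It writes the 68-byte EICAR string (a published constant) locally as eicar.com and eicar.com.txt, and implements the EICAR definition of a valid test file: the string must be the first 68 bytes, the file may be at most 128 bytes, and anything after the string must be whitespace. scan_dir is a toy stand-in for maldet --scan-all that only knows this one signature; it is there to make the rule visible, not to replace the real scan. The zip variants offered by the EICAR site are not reproduced here.

```shell
#!/bin/bash
# Added example (not from the original page or LMD): build the EICAR test
# files locally and check them against the EICAR definition of a test file.
set -eu

# The 68-byte EICAR test string, split in two so that this script does not
# itself look like a test file on disk; printf joins the halves byte-for-byte.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' \
                  'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# make_eicar_files DIR: writes eicar.com (exactly 68 bytes) and eicar.com.txt
# (the same string plus a trailing newline), mirroring two of the downloads.
make_eicar_files() {
    local dir=$1
    mkdir -p "$dir"
    eicar_string > "$dir/eicar.com"
    { eicar_string; printf '\n'; } > "$dir/eicar.com.txt"
}

# is_eicar FILE: true only if the file matches the EICAR definition: the test
# string is the first 68 bytes, total size is at most 128 bytes, and anything
# after the string is whitespace. A file with the string buried in the middle,
# or padded with non-whitespace, is therefore NOT a valid test file.
is_eicar() {
    local f=$1 size rest
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 68 ] && [ "$size" -le 128 ] || return 1
    [ "$(head -c 68 "$f")" = "$(eicar_string)" ] || return 1
    rest=$(tail -c +69 "$f" | tr -d ' \t\r\n' | wc -c | tr -d ' ')
    [ "$rest" -eq 0 ]
}

# scan_dir DIR: a stand-in for "maldet --scan-all DIR" that knows only the
# EICAR signature; prints one HIT line per match and a final count.
scan_dir() {
    local dir=$1 f hits=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_eicar "$f"; then
            printf 'HIT: %s\n' "$f"
            hits=$((hits + 1))
        fi
    done
    printf 'total hits: %d\n' "$hits"
}
```

To use it with the procedure in this article, run `make_eicar_files /var/www/html` and then the maldet scan shown below; note that a ClamAV on-access scanner or another AV on the host may quarantine the files the moment they are written, which is itself a useful result.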

At this point you can either wait for the next cron job to run or run maldet manually yourself. We will go with the second option:

# maldet --scan-all /var/www/

LMD also accepts wildcards, so if you want to scan only a certain type of file (zip files, for example), you can do so:

# maldet --scan-all /var/www/*.zip

Scan malware on Linux

When the scan is complete, you can check the email sent by LMD or view the report with:

# maldet --report 021015-1051.3559

Linux Malware Analysis Report

where 021015-1051.3559 is the SCANID (the SCANID will be different in your case).

Important: note that LMD reports 5 hits rather than 4 because eicar.com was downloaded twice, and wget saved the second copy as eicar.com.1.

If you check the quarantine folder (I only left one of the files and deleted the rest), we will see the following:

# ls -l /usr/local/maldetect/quarantine

Linux malware detects quarantined files

You can then delete all the quarantined files (after making sure it is safe to do so) with:

# rm -rf /usr/local/maldetect/quarantine/*

if, for some reason,

# maldet --clean SCANID

did not take care of them for you.

Final considerations

Since maldet is meant to run from cron, set the following variables in root's crontab (run crontab -e as root) if you notice that LMD is not running correctly on a daily basis:

PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
SHELL=/bin/bash

With MAILTO set, cron mails the job's output to root, which gives you the debugging information you need.

Conclusion

In this article we have discussed how to install and configure Linux Malware Detect together with ClamAV, a powerful ally. With the help of these two tools, detecting malware should be a fairly easy task.

However, do yourself a favor and get familiar with the README file mentioned above, so that you can be sure your system is properly covered and managed.

Please feel free to leave your comments or questions, if any, using the form below.

