Installing and configuring Maldet

Linux Malware Detect (LMD) or Maldet is a malware scanner for Linux released under the GNU GPLv2 (free, open source) license, that is designed around the threats faced in hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature, threats found on the TCH network of over 30,000 hosted domains and from malware community resources.

To install Maldet

  1. Change the present working directory to /usr/local/src using the command below. You may choose any other directory of your choice, where you want the installation script to be downloaded.

    cd /usr/local/src
  2. Run the below command to download the archive file to the present working directory:

  3. Extract the files using the command:

    tar -xzf maldetect-current.tar.gz
  4. Go to the Maldet directory using the command:

    cd maldetect-*
  5. Run the installation script:

    sh ./

Sample Output:

Linux Malware Detect v1.3.4
(C) 1999-2010, R-fx Networks
(C) 2010, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern

This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
cron.daily: /etc/cron.daily/maldet
maldet(32517): {sigup} performing signature update check…
maldet(32517): {sigup} local signature set is version 2010051510029
maldet(32517): {sigup} latest signature set already installed

To configure LMD

By default, all options are fully commented in the configuration file (/usr/local/maldetect/conf.maldet). You can configure them as per your requirement. Various options are listed below:

  • email_alert: Set it to 1 to receive email alerts.

  • email_subj: Specify your email subject.

  • email_addr: Add your email address to receive malware alerts.

  • quar_hits: This is the default quarantine action for malware hits and should be set to 1.

  • quar_clean: This is the cleaning action for detected malware injections and should be set to 1.

  • quar_susp: This is the default suspend action for users with hits. Set it as per your requirement.

  • quar_susp_minuid: Minimum userid that can be suspended.

You can update Maldet, using the command:

maldet -u or maldet -d

To Scan using Maldet

  • To scan the files of a particular user, use the command:

    maldet -a /home/username/
  • To scan all users under /home/public_html, use the command:

    maldet –scan-all /home?/?/public_html
  • To attempt a clean on all malware results from a previous scan that did not have the feature enabled, use the command:

    maldet –clean SCANID