Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ How to install and use the malware detection tool LMD and ClamAV antivirus engine on Linux     - Android Touch message passing mechanism analysis (Programming)


- Bash common several configuration files (Linux)

- Linux --- process handle limit summary (Linux)

- Linux character device - automatically creates the device nodes and devices (Linux)

- Let Ubuntu 14.04 Save screen luminance value (Linux)

- Linux iptables: combat scenes (Linux)

- Ubuntu installation under Scrapy (Linux)

- Linux data redirection (Linux)

- Android code performance optimization tips (Programming)

- To repair Shell script by default open in Ubuntu (Linux)

- Learning Linux coding style (Programming)

- Packages with Snort intrusion monitoring light (Linux)

- Java environment to build a number of issues (Linux)

- The Java Properties class action (Programming)

- SUSE Firewall Configuration (Linux)

- Ubuntu users to install voice switch instructs the applet (Linux)

- OpenStack image production in the CentOS 6.2 (Linux)

- Linux platform host to prevent hacking skills (Linux)

- 256 with rich colors decorate your terminal (Linux)

  How to install and use the malware detection tool LMD and ClamAV antivirus engine on Linux
  Add Date : 2018-11-21      
  Malware refers to any computing system intended to interfere with or disrupt the normal operation of the software program. Although several of the most notorious malware such as viruses, spyware and adware, but their attempts to harm caused by different: some steal private information, delete some personal data, while others are somewhere in between; and malware another common use is to control the system, and then use the system to launch the zombie network, a so-called denial of service (DoS) attacks or distributed denial of service (DDoS) attacks.

In other words, we must not have this idea "because I do not store any sensitive data or critical data, so do not need to protect their systems from malicious software," because those data are not the only targets of malicious software.

For this reason, we will introduce in this article when RHEL 7.0 / 6.x (x is the version number), CentOS 7.0 / 6.x and Fedora 21-12, how to install and configure Linux malware detection tool (also known as MalDet or simply LMD) and ClamAV (antivirus engines).

This is the use of a malware scanning tool GPL v2 license issued specifically for hosting environments. However, you will soon realize that they face no matter what kind of environment will benefit from MalDet.

The LMD install RHEL / CentOS 7.0 / 6.x and Fedora 21-12 on

LMD not available from the online repository, but in packaged form document distribution from the project website. Package file containing the latest version of the source code is always available from the following link at the download can use the following command:

# Wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Then, we need to extract the packed files and enter the extract / unzip directory contents. Since the current version is 1.4.2, directory maldetect-1.4.2. We will find the installation script install.sh in the directory.

# Tar -xvf maldetect-current.tar.gz
# Ls -l | grep maldetect

Download Linux malware detection tool

If we examine the installation script that length of only 75 lines (including comments), you will find it not only to install the tool, also performs pre-test to see the default installation directory (/ usr / local / maldetect) Have exist. If it does not exist, the script will create the installation directory, and then the next step.

Finally, after the installation is complete, simply cron.daily script (see figure) placed in /etc/cron.daily, can be scheduled to run daily via cron (scheduled tasks) of. The helper script has many features, including emptying the old temporary data, check for new versions of LMD, and scan default Apache Web control panel (such as CPanel and DirectAdmin, etc.) the default data directory.

Having said that, still run as usual by the installation script:

# ./install.sh

Installing Linux malware detection tools in Linux

Configuring Linux malware detection tool

LDM configuration work by /usr/local/maldetect/conf.maldet to deal with, so the options were fully comment, it is fairly easy to configure. In case where you get stuck, you can also see /usr/local/src/maldetect-1.4.2/README, for further instructions.

In the configuration file, you'll find the square brackets following sections:

EMAIL ALERTS (Email Alert)
QUARANTINE OPTIONS (isolation option)
SCAN OPTIONS (Scan Options)
STATISTICAL ANALYSIS (statistical analysis)
MONITORING OPTIONS (monitoring options)
This Each section contains several variables, LMD will show how to run, what features can be used.

If you want to be notified of the results of email malware detection, is set email_alert = 1. For brevity, we will only forward mail to local users of the system, but you can also explore other options, such as e-mail alert will be sent to external users.
If you have set before you email_alert = 1, set email_subj = "Your subject here" and email_addr = username @ localhost.
As quar_hits, that is, for the default isolation Malware attacks (0 = only remind, 1 = turn isolation and remind), you tell LMD what actions after detecting malware.
quar_clean will let you decide want to clean up a string-based malware injection. Keep this in mind: In itself, the string is characterized by "continuous sequence of bytes, it is possible to match with many variants of malicious software family."
quar_susp, namely attacks against default of the user to take a pause operation, so you can disable it to your file has been identified as attacks account.
clamav_scan = 1 tells LMD trying to detect the presence or absence ClamAV binaries, and used as the default scanner engine. You can get up to four times faster scanning performance and outstanding hexadecimal analysis. Use this option only as a scanner ClamAV engine, LMD feature remains the basis of the detected threat.
important hint:

Note: quar_clean and quar_susp need quar_hits is enabled (= 1).

In short, /usr/local/maldetect/conf.maldet, there are rows of these variables should look as follows:

email_alert = 1
email_addr = gacanepa @ localhost
email_subj = "Malware alerts for $ HOSTNAME - $ (date +% Y-% m-% d)"
quar_hits = 1
quar_clean = 1
quar_susp = 1
clam_av = 1

The ClamAV install RHEL / CentOS 7.0 / 6.x and Fedora 21-12 on

I want to install ClamAV to take full advantage clamav_scan setting, follow these steps:

Create a software library file /etc/yum.repos.d/dag.repo:

name = Dag RPM RepositoryforRedHatEnterpriseLinux
baseurl = http: //apt.sw.be/RedHat/el$releasever/en/$basearch/dag/
gpgcheck = 1
gpgkey = http: //dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled = 1
Then run the command:

# Yum update && yum install clamd
Note: These are just basic instructions to install ClamAV so that it will integrate with the LMD. We will not be described in detail in terms of setting ClamAV, because, as previously described, LMD feature remains the basis to detect and remove threats.


Test Linux malware detection tool

We can now detect newly installed LMD / ClamAV up. Instead of using the actual malware, we will use the EICAR test file (http://www.eicar.org/86-0-Intended-use.html), these files are available for download from the EICAR website.

# Cd / var / www / html
# Wget http://www.eicar.org/download/eicar.com
# Wget http://www.eicar.org/download/eicar.com.txt
# Wget http://www.eicar.org/download/eicar_com.zip
# Wget http://www.eicar.org/download/eicarcom2.zip
At this time, you can wait for the next run a cron task to be performed manually own maldet. We will use the second method:

# Maldet --scan-all / var / www /
LMD also accepts wildcards, so if you want to scan only certain types of files (for example zip file), you can do this:

# Maldet --scan-all /var/www/*.zip

Linux malware scanning

After the scan is complete, you can consult LMD sent by e-mail, you can also view the report with the following command:

# Maldet --report 021015-1051.3559

Linux malware scanning report

Wherein 021015-1051.3559 is SCANID (SCANID with your actual results will be slightly different).

IMPORTANT: Please note: Due to eicar.com file downloaded twice (thus resulting eicar.com and eicar.com.1), LMD found five times the attack.

If you check the quarantine folder (I just left a file, remove the remaining files), we will see the following results:

# Ls -l

Linux malware detection tool quarantined files

You can then delete all quarantined files with the following command:

# Rm -rf / usr / local / maldetect / quarantine / *
In case that,

# Maldet --clean SCANID

Final considerations

Since maldet need to integrate with cron, you need to set the following variables in root's crontab (in as root, type crontab -e, and press Enter), you may notice the LMD does not run properly every day:

PATH = / sbin: / bin: / usr / sbin: / usr / bin
MAILTO = root
HOME = /
SHELL = / bin / bash
This will help to provide the necessary debugging information.


We discuss how to install and configure Linux and ClamAV malware detection tool this powerful partner in this article. With these two tools to detect malicious software should be fairly easy task.

However, you should do yourself a favor, before the familiar interpretation of the README file, so you can be sure your system is fully supported and managed properly.

If you have any comments or questions, please feel free to leave a message.
- Linux Network Security Tips Share (Linux)
- 10 Best Swift Tutorial examples (Programming)
- Report generation CPU, memory, and input and output ports with the sar command (Linux)
- Default permissions Linux file and directory permissions and hide - umask, chattr, lsattr, SUID, SGID, SBIT, file (Linux)
- JavaScript subarray Deduplication (Programming)
- To execute the cp command prompt type skip folder under CentOS (Linux)
- Use SocketServer write a sockets program (Programming)
- Learning OpenCV: (VS2010-openCV2.4.3-win7 configuration instructions) (Linux)
- Oracle TAF Analysis (Database)
- Four levels of intrusion on Linux server and counter-measures (Linux)
- Kali Linux virtualbox rc = Error 1908 workaround (Linux)
- Docker installation under CentOS7 (Linux)
- Linux supports serial output method (Linux)
- To obtain installation package (RPM) under RHEL6 (Linux)
- Paint with Vim (Linux)
- OpenSUSE GPG Comments (Linux)
- An Analysis of the C Algorithm for Calculating the Number of Days Between Date (Programming)
- CentOS 7 update source - the use of domestic sources 163 yum (Linux)
- Making Linux root file system problems on-link library (Programming)
- C ++: Postmodern systems programming language (Programming)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.