How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine

Installing LMD on RHEL/CentOS 7.0/6.x and Fedora 21-12
LMD is not available from online repositories, but is distributed as a tarball from the project’s web site. The tarball containing the source code of the latest version is always available at the following link, where it can be downloaded with:

# wget
Then we need to unpack the tarball and enter the directory where its contents were extracted. Since current version is 1.4.2, the directory is maldetect-1.4.2. There we will find the installation script,

# tar -xvf maldetect-current.tar.gz
# ls -l | grep maldetect
Download Linux Malware Detect
Download Linux Malware Detect
If we inspect the installation script, which is only 75 lines long (including comments), we will see that it not only installs the tool, but also performs a pre-check to see if the default installation directory (/usr/local/maldetect) exists. If not, the script creates the installation directory before proceeding.

Finally, after the installation is completed, a daily execution via cron is scheduled by placing the cron.daily script (refer to the image above) in /etc/cron.daily. This helper script will, among other things, clear old temporary data, check for new LMD releases, and scan the default Apache and web control panels (i.e., CPanel, DirectAdmin, to name a few) default data directories.

That being said, run the installation script as usual:

# ./
Install Linux Malware Detect in Linux
Install Linux Malware Detect in Linux
Configuring Linux Malware Detect
The configuration of LMD is handled through /usr/local/maldetect/conf.maldet and all options are well commented to make configuration a rather easy task. In case you get stuck, you can also refer to /usr/local/src/maldetect-1.4.2/README for further instructions.

In the configuration file you will find the following sections, enclosed inside square brackets:

Each of these sections contains several variables that indicate how LMD will behave and what features are available.

Set email_alert=1 if you want to receive email notifications of malware inspection results. For the sake of brevity, we will only relay mail to local system users, but you can explore other options such as sending mail alerts to the outside as well.
Set email_subj=”Your subject here” and email_addr=username@localhost if you have previously set email_alert=1.
With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert) you will tell LMD what to do when malware is detected.
quar_clean will let you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, “a contiguous byte sequence that potentially can match many variants of a malware family”.
quar_susp, the default suspend action for users with hits, will allow you to disable an account whose owned files have been identified as hits.
clamav_scan=1 will tell LMD to attempt to detect the presence of ClamAV binary and use as default scanner engine. This yields an up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine, and LMD signatures are still the basis for detecting threats.
Important: Please note that quar_clean and quar_susp require that quar_hits be enabled (=1).

Summing up, the lines with these variables should look as follows in /usr/local/maldetect/conf.maldet:

email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"

Make sure to update to the latest version and virus signatures:
maldet -d && maldet -u
Run the first scan manually

To scan a specific user's home directory, run the following command:
maldet -a /home/user
To launch a background scan for all user's public_html and public_ftp in all home directories, run the following command:
maldet -b --scan-all /home?/?/public_?
Verify the scan report

We recommend you to always read the scan reports before doing a quarantine. You will also be able to identify infected websites for further actions.

List all scan reports time and SCANID:
maldet --report list
Show a specific report details :
maldet --report SCANID
Show all scan details from log file:
grep "{scan}" /usr/local/maldetect/event_log

Kill Maldet
maldet -k

Was this answer helpful?

 Print this Article

Also Read

10 UNIX Command Line Mistakes

Here are a few mistakes that I made while working at UNIX prompt. Some mistakes caused me a good...

How to Install LVM on Linux and Disk Operations

How to Install LVM on Linux and Disk Operations LVM will be installed by default on Redhat Linux...

CentOS / RHEL: Install ipset Administration Tool For IP Sets and IPTables

Installation First turn on EPEL repo and type the following yum command:# yum install...