A Malware Scanner for Linux Operating System

Linux Malware Detect (LMD) is a malware detector for Linux operating systems. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

Install LMD on CentOS 7:-

Download the latest version of LMD using the following command

# cd /usr/local/src
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.4.2
# ./install.sh

Output:

Linux Malware Detect v1.6
 (C) 2002-2017, R-fx Networks <proj@r-fx.org>
 (C) 2017, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(7866): {sigup} performing signature update check...
maldet(7866): {sigup} local signature set is version 2017070716978
maldet(7866): {sigup} new signature set (2018020318436) available
maldet(7866): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(7866): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(7866): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(7866): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(7866): {sigup} verified md5sum of maldet-clean.tgz
maldet(7866): {sigup} unpacked and installed maldet-clean.tgz
maldet(7866): {sigup} signature set update completed
maldet(7866): {sigup} 15218 signatures (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)

Configure Linux Malware Detect
The main configuration file of LMD is /usr/local/maldetect/conf.maldet and you can modify it according to your requirements.

# nano /usr/local/maldetect/conf.maldet

##
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="youremail@yourdomain.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500

You may edit the following values to configure Maldet to your needs:

email_alert : If you would like to receive email alerts, set this to 1.
email_subj : Set your email subject here.
email_addr : Add the email address that should receive malware alerts.
quar_hits : The default quarantine action for malware hits; set it to 1 to move hits into quarantine.
quar_clean : Cleaning of detected malware injections; must be set to 1 (and requires quar_hits=1).
quar_susp : The default suspend action for users with hits; set it as per your requirements (requires quar_hits=1).
quar_susp_minuid : Minimum userid that can be suspended.
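A small consistency check for conf.maldet, added here as an example and not part of LMD itself: the dependency rules (quar_clean and quar_susp only take effect with quar_hits=1) come from the config comments above; the placeholder-address check and the function names conf_get, check_maldet_conf and count_findings are this example's own.

```shell
# conf_get FILE KEY: print KEY's value (last assignment wins, quotes stripped).
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/^"\(.*\)"$/\1/'
}

# check_maldet_conf FILE: one finding per line; silent when the settings agree.
check_maldet_conf() {
    hits=$(conf_get "$1" quar_hits)
    if [ "$(conf_get "$1" quar_clean)" = "1" ] && [ "$hits" != "1" ]; then
        echo "quar_clean=1 is ignored because quar_hits is not 1"
    fi
    if [ "$(conf_get "$1" quar_susp)" = "1" ] && [ "$hits" != "1" ]; then
        echo "quar_susp=1 is ignored because quar_hits is not 1"
    fi
    if [ "$(conf_get "$1" email_alert)" = "1" ]; then
        case "$(conf_get "$1" email_addr)" in
            ""|*@yourdomain.com) echo "email_alert=1 but email_addr is unset or still the placeholder" ;;
        esac
    fi
}

# count_findings FILE: number of findings as a bare integer.
count_findings() {
    check_maldet_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not taken from a real server): one with the
# inconsistencies above, one with the same options set so they take effect.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
email_alert=1
email_addr="youremail@yourdomain.com"
quar_hits=0
quar_clean=1
quar_susp=1
quar_susp_minuid=500
EOF
cat > "$HARDENED_CONF" <<'EOF'
email_alert=1
email_addr="secops@example.com"
quar_hits=1
quar_clean=1
quar_susp=0
quar_susp_minuid=500
EOF
check_maldet_conf "$WEAK_CONF"
echo "findings: $(count_findings "$WEAK_CONF") weak, $(count_findings "$HARDENED_CONF") hardened"
```

Run it against /usr/local/maldetect/conf.maldet after editing to catch a quarantine option that was enabled without quar_hits, which otherwise fails silently.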

Monitoring:-

The monitor can be run in one of three modes, which determine what is watched: USERS, PATHS or FILE.

e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/webhost,/home/chennai

The options break down as follows:-

USERS – The users option takes the home directories of all system users whose UID is above inotify_minuid and monitors them. If inotify_webdir is set, only each user's web directory (if it exists) is monitored.
PATHS – A comma spaced list of paths to monitor
FILE – A line spaced file list of paths to monitor
You can run maldet as a daemon as follows. The example below shows the syntax for a comma spaced list of paths to monitor.

# maldet -m /var,/home

Usage:
To scan a folder, for example /home, you should enter:

# maldet -a /home
You can examine the malware scan report by running the following command and appending the scan report ID.

# maldet --report number-xxxx.xxxxx
To quarantine the infected files, run the following command with the scan report ID. The infected files will then be quarantined for cleaning.

# maldet -q SCANID
# maldet --quarantine SCANID
Clean all malware results from a previous scan:

# maldet -n SCANID
# maldet --clean SCANID
Restore a file that you have already quarantined:

# maldet -s FILENAME
# maldet --restore FILENAME

Ignore Files:

There are three ignore files available in Linux Malware Detect. These can be used to exclude files from daily malware scans.

ignore_paths:

This is a line spaced file for paths that are to be excluded from search results

# /usr/local/maldetect/ignore_paths

ignore_sigs:

This is a line spaced file for signatures that should be removed from file scanning

# /usr/local/maldetect/ignore_sigs
