How to Install and Use Linux Malware Detect (LMD) with ClamAV on CentOS 7

Try it in our public cloud & Get $5 Credit
CLAIM NOW

There is less risk of malevolent software on Linux and Unix systems compared to other operating systems, but they are not necessarily immune to the threat of malware and viruses. Linux Malware Detect (LMD) is a free, open source malware scanner for Linux designed especially for mitigating malware risks in a shared hosting environment. It is often used in conjunction with ClamAV as an antivirus engine. LMD itself is licensed under the GNU General Public License, version 2, and the source is hosted on Github.

Getting started

In order to follow this guide, you will need the following:
• 1 Node (Cloud Server or Dedicated Server) running a clean installation of CentOS 7.
• Root access to the server

Tutorial

The first step is to install LMD. You will need to install it from source, so download the installation tarball from the project’s web site.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the tarball into your /usr/src/ folder, and then make it your current working directory.

cd /usr/src
tar -xvf maldetect-current.tar.gz
cd maldetect*

You can complete the installation by using the installation script.

./install.sh

Configuring Linux Malware Detect (LMD)

LMD’s configuration is stored in conf.maldet. We’ll need to make some changes to the default setup, so open this file in an editor.

nano /usr/local/maldetect/conf.maldet

Into the file, modify these following sections:
#!/bin/bash
#
##
# Linux Malware Detect vX.X.X
[...]
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="your@email.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean="0"
[...]
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=0

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=0

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
[...]
# [ SCAN OPTIONS ]
##
[...]
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=1

And these are the most important settings to be configured:

email_alert=1
email_addr=youremail@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clam_av=1

The next task is to install ClamAV and have LMD use it as the antivirus engine. To install ClamAV, you will need to add a repository to your system. Create a repo file at /etc/yum.repos.d called dag.repo.

nano /etc/yum.repos.d/dag.repo

Then copy the following into dag.repo.

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1

Once you’re done setting up the new repository, you can install clamd using yum.

yum update && yum install clamd

Conclusion

You’re now done with the installation process, and can use LMD with ClamAV to detect malware on your server. If this guide was helpful to you, kindly share it with others who may also be interested.

Here are a few commands you may find useful:

To update the LMD malware detection signatures:

maldet -u

To update the LMD malware version:

maldet -d

To scan all files located in a specific directory:

maldet -a /path

To put all detected threats into quarantine:

maldet -q SCANID

To restore files from quarantine:

maldet –s SCANID