Installation Linux Malware Detect (Maldet) On CentOS


Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

 

In addition, threat data is derived from user submissions made with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they can also be easily exported to any number of detection tools such as ClamAV.

 

Linux Malware Detect is compatible with RHEL-based systems: CentOS, AlmaLinux, Rocky Linux, Oracle Linux and Red Hat Linux. Debian-based systems are also supported: Debian, Ubuntu and their derivatives.

 

Note: This guide assumes you are familiar with SSH and basic command line navigation. These instructions apply primarily to customers who have Virtual Private Servers or Dedicated servers.

 

Note: If you do not have root-level access, you will not be able to make these changes.

 

Installation

Installation is very straightforward:

# cd /usr/local/src
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.6.5
# ./install.sh

Please ensure to change the version number above to the one you have actually downloaded.
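The version-specific cd above is the step that breaks as soon as a newer archive is published. The following is an added example (not LMD's own code) that reads the top-level directory name from the downloaded archive itself and checks that it actually contains install.sh before anything is executed; the download URL is the one used above.

```sh
#!/bin/sh
# Added example, not part of LMD: install from maldetect-current.tar.gz without hardcoding
# the "maldetect-1.6.5" directory name, which changes with every release.

# Print the top-level directory inside a gzipped tarball, e.g. "maldetect-1.6.5".
lmd_archive_topdir() {
    tar -tzf "$1" 2>/dev/null | head -n 1 | cut -d/ -f1
}

# Succeed only if the archive carries an install.sh in its top-level directory,
# so a truncated or unexpected download is never executed.
lmd_archive_has_installer() {
    topdir=$(lmd_archive_topdir "$1")
    [ -n "$topdir" ] || return 1
    tar -tzf "$1" 2>/dev/null | grep -qx "$topdir/install.sh"
}

# Download, verify, extract and run the installer. Must run as root.
lmd_install() {
    url=${1:-http://www.rfxn.com/downloads/maldetect-current.tar.gz}
    cd /usr/local/src || return 1
    wget -q -O maldetect-current.tar.gz "$url" || return 1
    lmd_archive_has_installer maldetect-current.tar.gz ||
        { echo "archive does not look like an LMD release" >&2; return 1; }
    tar -zxf maldetect-current.tar.gz || return 1
    cd "$(lmd_archive_topdir maldetect-current.tar.gz)" && ./install.sh
}

# Usage (as root): lmd_install
```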

 

After the installation has completed successfully, you will be presented with the following output.

Linux Malware Detect v1.6.5
            (C) 2002-2023, R-fx Networks 
            (C) 2023, Ryan MacDonald 
inotifywait (C) 2023, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(6073): {sigup} performing signature update check...
maldet(6073): {sigup} local signature set is version 2013102428301
maldet(6073): {sigup} new signature set (2013102428301) available
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(6073): {sigup} signature set update completed
maldet(6073): {sigup} 10849 signatures (8981 MD5 / 1868 HEX)

 

Installing inotify-tools

The inotify-tools package is required if you want to enable real-time monitoring. inotify monitoring uses the Linux kernel's inotify interface to receive file change notifications as they happen. It can be installed with the command below:

 

CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Red Hat Enterprise Linux

# yum install -y inotify-tools

Debian, Ubuntu

sudo apt-get install inotify-tools 

 

An additional dependency is required on CentOS 8, AlmaLinux 8/9, Rocky Linux 8/9 and Oracle Linux 8/9:

# yum install -y ed

 

Updating Maldet

To update the currently installed software version of Maldet enter the following:

# maldet -d

or

# maldet --update-ver

 

The virus definitions for Maldet are updated daily, but if you wish to update the virus definitions manually enter the following:

# maldet -u

 

Uninstalling Maldet

Maldet can be uninstalled quickly:

# cd /usr/local/src/maldetect-1.6.5
# ./uninstall.sh

Please ensure to change the version number above to the one that is installed on your server.

 

 

Configuration

Maldet can be configured by editing the conf.maldet file:

# nano /usr/local/maldetect/conf.maldet

 

The default conf.maldet configuration file looks as follows:

#
##
# Linux Malware Detect v1.6.5
#             (C) 2002-2023, R-fx Networks <proj@r-fx.org>
#             (C) 2023, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##

# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID user@domain.com'.
# [0 = disabled, 1 = enabled]
email_alert="1"

# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr="youremail@domain.com"

# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"

# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures are released multiple times per-week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"

# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"

# This controls validating the LMD executable MD5 hash with known
# good upstream hash value. This allows LMD to replace the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"

# The retention period, in days, which quarantine, temporary files and stale
# session information should be retained. Data older than this value is deleted
# with the daily cron execution.
cron_prune_days="21"

# This controls whether or not daily automatic scanning of standard web
# directories is performed via cron.
# [0 = disabled, 1 = enabled]
cron_daily_scan="1"

# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
import_config_url=""

# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
import_config_expire="43200"

# When defined, the import_custsigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within a import_config_url file.
import_custsigs_md5_url=""
import_custsigs_hex_url=""

##
# [ SCAN OPTIONS ]
##

# The maximum directory depth that the scanner will search, a value
# of 15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="15"

# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="24"

# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="2048k"

# The maximum byte depth that the scanner will search into a files content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"

# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="1"

# The maximum byte depth that the scanner will search into a files content
# when using named pipe (FIFO). Improved performance allows for greater
# scan depth over default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"

# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"

# Include the scanning of known temporary world-writable paths for
# -a|--al and -r|--recent scan types.
scan_tmpdir_paths="/tmp /var/tmp /dev/shm"

# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="0"

# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
scan_cpunice="19"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="6"

# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
scan_cpulimit="0"

# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="1"

# This allows for specific user or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=""
scan_ignore_group=""

# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="0"


# The daily cron 'find' operation performed by LMD detects recently created/modified
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is set enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="0"

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="1"

# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="1"

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="0"

# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="500"

# When using an external scan engine, such as ClamAV, should files be
# quarantined if an error from the scanner engine is received?
# This is defaulted to 1, always quarantine, as ClamAV generates an
# error exit code for trivial errors such as file not found. As such, a
# large percentage of scans will have ClamAV exiting with error code 2.
# [ 0 = do not quarantine, 1 = always quarantine ]
quarantine_on_error="1"

##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or path to line
# spaced file containing local paths to monitor.
#
# This option is optional for the init based startup script, maldet.sh. This
# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldet' is
# present with a defined value for .
#
# This option is REQUIRED for the systemd maldet.service script. That script
# only checks for the value of . The service will fail to
# start if a value is not provided.
# default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
default_monitor_mode=""

# The base number of files that can be watched under a path
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"

# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved
inotify_sleep="30"

# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports.
inotify_reloadtime="3600"

# The minimum userid that will be added to path monitoring when
# the USERS option is specified
inotify_minuid="500"

# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ comma spaced list, clear option to default monitor user homedir ]
inotify_docroot="public_html,public_ftp"

# Process CPU scheduling (nice) priority level for monitoring process.
# [ -19 = high prio , 19 = low prio, default = 15 ]
inotify_cpunice="18"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="6"

# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
inotify_cpulimit="0"

# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your 'event_log' file, intended only for debugging purposes.
inotify_verbose="0"

##
# [ STATISTICAL ANALYSIS ]
# This is a beta feature and as such should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan="0"          # [ 0 = disabled, 1 = enabled ]
string_length="150000"          # [ max string length ]

 

You may edit the following values to configure Maldet to your needs:

  • email_alert : set to 1 if you would like to receive e-mail alerts.
  • email_subj : the subject line for alert e-mails.
  • email_addr : the e-mail address that receives malware alerts.
  • email_ignore_clean : when malware hits have been automatically cleaned (see the next two options), do not send an e-mail alert. This is disabled by default. Set it to 1 if you run an automated daily scan that detects and cleans hits and do not want to be alerted about those by mail.
  • quar_hits (quarantine_hits in the current conf.maldet shown above) : the default quarantine action for malware hits; set it to 1 so that affected files are moved to quarantine.
  • quar_clean (quarantine_clean) : clean detected malware injections; must be set to 1 (requires quarantine_hits=1).
  • quar_susp (quarantine_suspend_user) : the default suspend action for users with hits; set it according to your requirements.
  • quar_susp_minuid (quarantine_suspend_user_minuid) : the minimum user id that can be suspended.
  • inotify_minuid : the minimum user id above which users are monitored. The default value is 500.
  • inotify_docroot : the web directory relative to the users' home directory. By default it is set to public_html. If this is set, only this web directory will be monitored.

 

In order to activate e-mail alerts when malware is detected, open the Maldet configuration file located at /usr/local/maldetect/conf.maldet and set:

email_alert=1
email_subj="Maldet alert from $(hostname)"
email_addr="email@domain.com"

 

 

Cronjob for scheduled scans

During the installation of Maldet, a daily cron job script is installed as /etc/cron.daily/maldet.

The cron job installed by Linux Malware Detect performs a daily update of the signature files, keeps the session, temp and quarantine data to no more than 14 days old and runs a daily scan of recent file system changes.

If inotify-based real-time monitoring is enabled, the daily cron job also scans the recently updated/created files for malware. The folder structures for the most popular control panel configurations (Ensim, Plesk, DirectAdmin, cPanel, ISPConfig, Virtualmin, VestaCP, ISPmanager and Froxlor) are included.

Make sure the home directory structure of your server corresponds with the paths in this cron file.

Please take special note of the control panel specific sections in this cron file:

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then
        $inspath/maldet --monitor-report >> /dev/null 2>&1
elif [ "$cron_daily_scan" == "1" ]; then
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                $inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public$
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                $inspath/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                $inspath/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev$
        elif [ -d "/var/www/clients" ]; then
                # ISPConfig
                $inspath/maldet -b -r /var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var$
        elif [ -d "/etc/webmin/virtual-server" ]; then
                # Virtualmin
                $inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /$
        elif [ -d "/usr/local/ispmgr" ] || [ -d "/usr/local/mgr5" ]; then
                # ISPmanager
                $inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
        elif [ -d "/var/customers/webs" ]; then
                # froxlor
                $inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/vesta" ]; then
                # VestaCP
                $inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/$
        elif [ -d "/usr/share/dtc" ]; then
                # DTC
                if [ -f /var/lib/dtc/saved_install_config ]; then
                    . /var/lib/dtc/saved_install_config
                fi
                $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_d$
        else
                # cpanel, interworx and other standard home/user/public_html setups
                $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $sca$
        fi
fi

 

 

Usage Examples

To scan a folder, for example /home you should enter:

# maldet -a /home

To scan a folder with a wildcard, for example all folders in /home beginning with an r you should enter:

# maldet -a /home/r?

Perform a wildcard scan for a specific file extension only:

# maldet -a /var/www/html/*.php

Scan files that have been created/modified in the last 7 days:

# maldet -r /var/www/html/ 7

Scan all files in a path (default: /home, wildcard: ?)

# maldet -a /home/?/public_html

To execute background scans, enter the following (ideal for larger scans):

# maldet -b -r /home/username/

Examine the malware scan report by running the following command and appending the scan report ID:

# maldet --report number-xxxx.xxxxx

E-mail a scan report to a supplied e-mail address:

# maldet --report SCANID youremail@domain.com

To quarantine the infected files, run the following command with the scan report ID. The infected files will then be quarantined for cleaning:

# maldet -q SCANID
# maldet --quarantine SCANID

Clean all malware results from a previous scan:

# maldet -n SCANID
# maldet --clean SCANID

Restore a file that you have already quarantined. This can be useful in case you have a false positive leading to a legitimate file being quarantined:

# maldet -s FILENAME
# maldet -s SCANID
# maldet --restore FILENAME

Get a list of all reports:

# maldet -e list

Clear logs, quarantine queue, session and temporary data:

# maldet -p

Upload suspected malware to rfxn.com for review & hashing into signatures:

# maldet -c path/to/filename

View maldet log file events.

# maldet -l

On an active server this gives output similar to:

May 26 07:39:41 hostname maldet(22671): {mon} scanned 47 new/changed files with clamav engine
May 26 07:40:19 hostname maldet(22674): {mon} scanned 50 new/changed files with clamav engine
May 26 07:40:56 hostname maldet(22674): {mon} scanned 32 new/changed files with clamav engine
May 26 07:41:33 hostname maldet(22674): {mon} scanned 24 new/changed files with clamav engine
May 26 07:42:10 hostname maldet(22674): {mon} scanned 11 new/changed files with clamav engine
May 26 07:42:47 hostname maldet(22674): {mon} scanned 8 new/changed files with clamav engine
May 26 07:43:24 hostname maldet(22674): {mon} scanned 6 new/changed files with clamav engine
May 26 07:44:00 hostname maldet(22674): {mon} scanned 25 new/changed files with clamav engine

Please note the use of the ClamAV engine. For more information refer to the ClamAV Integration section below.

 

 

iNotify Monitoring

The inotify monitoring feature in LMD is designed to monitor users in real-time for file creation / modification / move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default.

The monitor can be started in one of three modes, which determine what is monitored: USERS, PATHS or FILES.

  • e.g: maldet --monitor users
  • e.g: maldet --monitor /root/monitor_paths
  • e.g: maldet --monitor /home/mike,/home/ashton

 

You can run maldet as a daemon in one of three monitoring modes as follows:

Monitor users

The users option takes the home directories of all system users with a uid greater than inotify_minuid and monitors them. If inotify_docroot is set, only the users' web directory (if it exists) will be monitored:

# maldet --monitor users
or
# maldet -m users

 

Monitor paths

Alternately, you can monitor paths. Provide a comma separated list of paths to monitor:

# maldet --monitor /home,/var,/tmp
or
# maldet -m /home,/var,/tmp

The example below displays the output for a comma spaced list of paths that is monitored:

maldet(5330): {mon} set inotify max_user_instances to 128
maldet(5330): {mon} set inotify max_user_watches to 61440
maldet(5330): {mon} added /var to inotify monitoring array
maldet(5330): {mon} added /home/xmodulo to inotify monitoring array
maldet(5330): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(5330): {mon} inotify startup successful (pid: 4154)
maldet(5330): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

 

Monitor files

If you believe there are problems with specific files, you can continuously monitor them by giving a comma-separated list of files:

# maldet --monitor FILE1,FILE2,...FILEx
or
# maldet -m FILE1,FILE2,...FILEx

 

Terminate monitoring with inotify

To terminate (kill) the inotify monitoring service, enter:

# maldet -k

 

Logging

Events are logged in the inotify_log file:

# tail -f /usr/local/maldetect/logs/inotify_log

 

Ignore paths

By default Maldet also scans the temporary files created by MySQL or MariaDB. These can be excluded from inotify monitoring by editing /usr/local/maldetect/ignore_inotify and adding the following two entries for your control panel:

DirectAdmin:

^/tmp/systemd.*/tmp/#sql-.*\.MAD$
^/tmp/systemd.*/tmp/#sql-.*\.MAI$

cPanel:

^/tmp/#sql_..MAD$
^/tmp/#sql_..MAI$

Verify that these paths are correct by checking the inotify log file: /usr/local/maldetect/logs/inotify_log
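Before committing an exclusion, it is worth checking what it hides: an entry that matches nothing is useless, and one that matches too much blinds the monitor. The following is an added example (not LMD code) that counts how many of a set of candidate paths (for instance paths copied from inotify_log) each ignore_inotify entry matches, and lists what would still be monitored. It assumes the entries are treated as POSIX extended regular expressions, as the ^ and $ anchors above suggest; the sample paths are constructed.

```sh
#!/bin/sh
# Added example, not part of LMD: audit the entries of an ignore_inotify file against a
# list of candidate paths (one per line).
# Assumption: each entry is treated as a POSIX extended regular expression.

# For every pattern in IGNORE_FILE print "<matches><TAB><pattern>", so that a pattern
# matching 0 paths (ineffective) or all paths (too broad) stands out.
ignore_pattern_counts() {
    ignore_file=$1; paths_file=$2
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        n=$(grep -E -c -- "$pat" "$paths_file" || true)   # grep exits 1 on zero matches
        printf '%s\t%s\n' "$n" "$pat"
    done < "$ignore_file"
}

# Print the candidate paths that none of the patterns exclude, i.e. what would
# still be monitored after the ignore file is applied.
paths_still_monitored() {
    grep -E -v -f "$1" "$2" || true
}

# Demonstration with constructed data (not taken from a real server).
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '^/tmp/systemd.*/tmp/#sql-.*\.MAD$' \
        '^/tmp/systemd.*/tmp/#sql-.*\.MAI$' > "$d/ignore_inotify"
    printf '%s\n' \
        '/tmp/systemd-private-0f3a-mariadb.service-Qx1/tmp/#sql-5c2_1.MAD' \
        '/tmp/systemd-private-0f3a-mariadb.service-Qx1/tmp/#sql-5c2_1.MAI' \
        '/tmp/systemd-private-0f3a-mariadb.service-Qx1/tmp/#sql-5c2_1.MAD.php' \
        '/home/alice/public_html/upload.php' > "$d/paths"
    ignore_pattern_counts "$d/ignore_inotify" "$d/paths"
    echo '--- still monitored ---'
    # The .MAD.php file and the upload stay monitored because the patterns are anchored with $.
    paths_still_monitored "$d/ignore_inotify" "$d/paths"
    rm -rf "$d"
}

demo
```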

 

Start iNotify Monitoring at bootup

When starting maldet in monitoring mode, it’ll scan files as they are being modified or uploaded in the selected directories. Unfortunately, by default iNotify Monitoring won’t correctly start on system reboot.

There are three options around this:

    1. Configure the Maldet service by setting the correct monitoring mode and path values
    2. Set up a cron job that runs at boot time and starts inotify monitoring
    3. Add a startup entry to the rc.local file

 

1. Configure Maldet Service

To double-check the current status of Maldet, enter the following:

systemctl status maldet

Which should give a similar output:

● maldet.service - Linux Malware Detect monitoring - maldet
   Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources) since Thu 2019-05-16 02:42:56 CEST; 1 weeks 4 days ago
   Process: 3487 ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode (code=exited, status=0/SUCCESS)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[root@xxx ~]# systemctl start maldet
Job for maldet.service failed because a configured resource limit was exceeded. See "systemctl status maldet.service" and "journalctl -xe" for details.

 

Most likely you will find that the monitoring mode has failed. This is usually due to one of two reasons:

  1. The correct monitoring mode has not been defined
  2. The correct paths to monitor have not been defined

 

Issue 1 (see the error message example above) can be resolved by stopping the service:

systemctl stop maldet

Followed by editing /usr/lib/systemd/system/maldet.service and by replacing the line:

ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode

with

ExecStart=/usr/local/maldetect/maldet --monitor USERS

Let systemd know of the updated config file:

systemctl daemon-reload

Then restart the service:

systemctl start maldet.service

Check status of maldet. Ensure that it is no longer crashing:

systemctl status maldet.service

 

Issue 2: if the paths to monitor have not been defined correctly, you will get a similar error:

Process: 24473 ExecStart=/usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths (code=exited, status=0/SUCCESS)

 

This means that you have to define the paths in the /usr/local/maldetect/monitor_paths file (the file referenced by ExecStart above) as a comma separated list, for example:

/home,/var,/tmp

Let systemd know of the updated config file:

systemctl daemon-reload

Then restart the service:

systemctl start maldet.service

Check status of maldet. Ensure that it is no longer crashing:

systemctl status maldet.service
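Both failure causes above can be caught before the service is started. The following is an added example (not LMD's own code) that reads default_monitor_mode from conf.maldet and verifies that it is either users, a path-list file whose entries all exist, or an inline comma separated list of existing paths; it assumes the key="value" format of conf.maldet shown on this page.

```sh
#!/bin/sh
# Added example, not part of LMD: pre-flight check for the two causes of a failing
# maldet.service described above, to run before "systemctl start maldet".
# Assumes the key="value" format of conf.maldet shown on this page.

# Print the value of KEY from a conf.maldet-style file: the last definition wins, quotes
# are stripped, and commented-out lines such as '# default_monitor_mode="users"' are ignored.
conf_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Verify that every entry of a comma (or newline) separated path list exists and report
# the missing ones. Paths containing spaces are not handled, matching the list format.
check_path_list() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    if [ -z "$(printf '%s' "$list" | tr -d ' \t\n')" ]; then
        echo "monitor path list is empty (issue 2)" >&2
        return 1
    fi
    rc=0
    for p in $list; do
        [ -e "$p" ] || { echo "monitored path does not exist: $p" >&2; rc=1; }
    done
    return $rc
}

# Validate default_monitor_mode: "users", a path-list file, or an inline path list.
check_monitor_mode() {
    conf=${1:-/usr/local/maldetect/conf.maldet}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    mode=$(conf_value "$conf" default_monitor_mode)
    case $mode in
        "")    echo "default_monitor_mode is empty: maldet.service will fail to start (issue 1)" >&2
               return 1 ;;
        users) return 0 ;;
        *)     if [ -f "$mode" ]; then
                   check_path_list "$(cat "$mode")"   # e.g. /usr/local/maldetect/monitor_paths
               else
                   check_path_list "$mode"            # e.g. /home,/var,/tmp
               fi ;;
    esac
}

# Only run the check when executed on a host that actually has LMD installed.
if [ -r /usr/local/maldetect/conf.maldet ]; then
    check_monitor_mode && echo "monitor mode looks valid, safe to start maldet.service"
fi
```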

 

2. Setup Cron

Open crontab with following command:

crontab -e

Paste following line at the bottom:

@reboot /usr/local/sbin/maldet --monitor /home

 

Save & close the file. You’ve now successfully enabled real-time malware scanning using paths for maldet. The cron above will scan all directories under /home.

Keep in mind that you can also monitor users and individual files using the same method.  Please refer to the above examples and adjust your cron accordingly.

 

3. Setup rc.local

The script /etc/rc.local (Ubuntu / Debian) or /etc/rc.d/rc.local (CentOS, Fedora) is for use by the system administrator. It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.

To setup a rc.local startup script, we'll first create a file that includes all the directories we want to monitor.

nano /usr/local/maldetect/monitor_paths

Paste paths to all the directories you want to monitor as a comma separated list in this file.

Open the /etc/rc.local or /etc/rc.d/rc.local file using a text editor

nano /etc/rc.local (Debian / Ubuntu)
nano /etc/rc.d/rc.local (CentOS, Fedora)

Paste the following line just before the final exit 0 line:

maldet --monitor /usr/local/maldetect/monitor_paths

Keep in mind that the rc.local script itself must be executable, otherwise it is not run at boot:

chmod +x /etc/rc.local (Debian / Ubuntu)
chmod +x /etc/rc.d/rc.local (CentOS, Fedora)

 

 

Ignore Files

There are four ignore files available in Linux Malware Detect. They can be used to exclude paths, signatures and file extensions from malware scans and from inotify monitoring.

 

ignore_paths

This is a line spaced file for paths that are to be excluded from scans:

# /usr/local/maldetect/ignore_paths

 

ignore_sigs

This is a line spaced file for signatures that should be removed from file scanning:

# /usr/local/maldetect/ignore_sigs

 

ignore_inotify

This is a line spaced file for paths that are to be excluded from inotify monitoring:

# /usr/local/maldetect/ignore_inotify

 

ignore_extensions

Add the extensions of file types that you want to exclude from daily scans (one per line):

# /usr/local/maldetect/ignore_file_ext

 

 

ClamAV integration

Info: our separate installation guide covers installing the ClamAV package itself.

 

ClamAV and Maldet are tightly integrated. You can use ClamAV as the scan engine for Maldet. This speeds up scanning, and the ClamAV virus definitions are also applied during the scan.

The benefit of this integration is a faster, more effective malware scan, meaning you are more likely to identify potential threats.

 

How to setup

        1. Ensure that ClamAV is installed
        2. Enable ClamAV in the LMD configuration file:

/usr/local/maldetect/conf.maldet

Enable ClamAV integration by setting scan_clamscan to 1

# Use with ClamAV
scan_clamscan="1"

 

cPanel/WHM

Create two symbolic links, as follows:

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam

 

DirectAdmin

You may run into problems with ClamAV permissions. To verify whether this is the case, perform a scan and check for errors, or check /usr/local/maldetect/logs/clamscan_log.

To resolve this, ensure that ClamAV runs as the root user:

nano /etc/clamd/scan.conf
User root

 

Running a malware scan

When you run a Maldet scan, the ClamAV virus definitions are included automatically. Simply run the usual commands described under Usage Examples.

 

 

Troubleshooting

 

Excessive size inotify_log

In some cases the inotify_log may grow to an excessive size (upwards of 100 GB on servers with a lot of questionable traffic). One can set the maxfilesize directive to avoid this, but it does not appear to function on all systems. A workaround is to have logrotate rotate the files in question.

Create the file /etc/logrotate.d/maldet_inotify with the following content:

/usr/local/maldetect/logs/event_log {
    daily
    rotate 7
    size=100M
    missingok
    notifempty
    nocompress
    create 0644 root root
}

/usr/local/maldetect/logs/clamscan_log
/usr/local/maldetect/logs/inotify_log {
    daily
    rotate 7
    size=100M
    missingok
    notifempty
    nocompress
    create 0640 root root
    postrotate
        /bin/systemctl condrestart maldet.service > /dev/null 2>/dev/null || true
    endscript
}