How to Install Linux Malware Detect (LMD) with ClamAV

Installation and Usage of Linux Malware Detect with ClamAV as Antivirus Engine

Malware, or malicious software, such as viruses, spyware and adware, is a program that aims at disrupting the normal operation of a computing system. It steals private information, deletes personal data and causes other adverse effects. This tutorial teaches you how to install and configure Linux Malware Detect (LMD) with ClamAV as its antivirus engine on RHEL/CentOS 7.0/6.x and Fedora.

Installation of LMD on RHEL/CentOS 7.0/6.x and Fedora

LMD is not available from the online package repositories, but is distributed as a tarball. The tarball containing the source code of the current version is available from the following link:

[root@linuxhelp Desktop]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2016-04-16 05:02:35--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com... 129.121.132.46
Connecting to www.rfxn.com|129.121.132.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1135369 (1.1M) [application/x-gzip]
Saving to: maldetect-current.tar.gz

100%[===================================================================================================================> ] 1,135,369    268K/s   in 4.1s    

2016-04-16 05:02:40 (268 KB/s) - maldetect-current.tar.gz saved [1135369/1135369]

Unpack the tarball and enter the directory where its contents were extracted. Since the current version is 1.5, the directory is maldetect-1.5; there you will find the installation script, install.sh.

[root@linuxhelp Desktop]# tar -xvf maldetect-current.tar.gz 
maldetect-1.5/
maldetect-1.5/CHANGELOG
maldetect-1.5/cron.daily
maldetect-1.5/CHANGELOG.VARIABLES
...
...
maldetect-1.5/cron.d.pub
maldetect-1.5/COPYING.GPL
maldetect-1.5/CHANGELOG.RELEASE
maldetect-1.5/.ca.def

To run the installation script

Once the tar package is extracted, run the installation script as root:

[root@linuxhelp maldetect-1.5]# ls -l
total 112
-rw-r--r-- 1 root root 27878 Sep 27  2015 CHANGELOG
-rw-r--r-- 1 root root 15069 Sep 27  2015 CHANGELOG.RELEASE
-rw-r--r-- 1 root root  1491 Sep 10  2013 CHANGELOG.VARIABLES
-rw-r--r-- 1 root root 18093 Sep 10  2013 COPYING.GPL
-rwxr-xr-x 1 root root  2672 Sep 27  2015 cron.daily
-rw-r--r-- 1 root root    77 Sep 10  2013 cron.d.pub
drwxr-xr-x 7 root root  4096 Apr  6 07:18 files
-rwxr-xr-x 1 root root  5298 Sep 27  2015 install.sh
-rw-r--r-- 1 root root 23957 Aug 10  2015 README
[root@linuxhelp maldetect-1.5]# sh install.sh 
Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks <proj@r-fx.org>
            (C) 2015, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(41581): {sigup} performing signature update check...
maldet(41581): {sigup} local signature set is version 2016040521114
maldet(41581): {sigup} latest signature set already installed

Configure the Linux Malware Detect

The main configuration file of LMD is /usr/local/maldetect/conf.maldet; you can also check /usr/local/src/maldetect-1.5/README for further instructions.
In the configuration file you will find the following sections:

-> EMAIL ALERTS
-> QUARANTINE OPTIONS
-> SCAN OPTIONS
-> STATISTICAL ANALYSIS
-> MONITORING OPTIONS

Each of the above sections contains several variables that control the behavior of LMD:

-> Set email_alert=1 if you wish to receive email notifications of malware inspection results.
-> Set email_subj="Your subject here" and email_addr=username@localhost if you have set email_alert=1.
-> quar_hits tells LMD what to do when malware is detected.
-> quar_susp is the default suspend action for users with hits.

quar_clean and quar_susp require quar_hits to be enabled (=1); with quar_hits=0 they have no effect.

The above variables should look as follows in /usr/local/maldetect/conf.maldet:

email_alert="1"
email_addr=linuxhelp@gmail.com
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits="1"
quar_clean="1"
quar_susp="1"
clamav_scan="1"
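Because quar_clean and quar_susp silently do nothing unless quar_hits is enabled, and email_alert=1 is useless without an email_addr, it is worth checking the file for these dependencies before relying on it. The script below is an added example, not part of LMD; it reads conf.maldet as plain KEY="value" lines (the file is sourced as shell by maldet), ignores comment lines, and reports each inconsistency. The key names are the ones used in the tutorial above; the sample configurations used to exercise it are constructed.

```shell
#!/bin/sh
# Consistency check for a conf.maldet file (added example; not LMD's own code).
# Assumes the keys from the tutorial: email_alert, email_addr, quar_hits,
# quar_clean, quar_susp. Values may be written as KEY="1" or KEY=1.

# conf_get FILE KEY: print the value of KEY with quotes and surrounding
# whitespace stripped; prints nothing if the key is absent or commented out.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | sed 's/^"//; s/"[[:space:]]*$//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# check_maldet_conf FILE: print one line per problem found and return the
# number of problems (0 means the settings are consistent).
check_maldet_conf() {
    conf=$1
    problems=0
    email_alert=$(conf_get "$conf" email_alert)
    email_addr=$(conf_get "$conf" email_addr)
    quar_hits=$(conf_get "$conf" quar_hits)
    quar_clean=$(conf_get "$conf" quar_clean)
    quar_susp=$(conf_get "$conf" quar_susp)

    if [ "$email_alert" = 1 ] && [ -z "$email_addr" ]; then
        echo "email_alert=1 but email_addr is empty: alerts have nowhere to go"
        problems=$((problems + 1))
    fi
    if [ "$quar_clean" = 1 ] && [ "$quar_hits" != 1 ]; then
        echo "quar_clean=1 requires quar_hits=1: cleaning will not happen"
        problems=$((problems + 1))
    fi
    if [ "$quar_susp" = 1 ] && [ "$quar_hits" != 1 ]; then
        echo "quar_susp=1 requires quar_hits=1: user suspension will not happen"
        problems=$((problems + 1))
    fi
    if [ "$quar_hits" != 1 ]; then
        echo "note: quar_hits is not 1, so hits are only reported, not quarantined"
    fi
    return "$problems"
}

# Usage: sh check-conf-maldet.sh /usr/local/maldetect/conf.maldet
if [ $# -gt 0 ]; then
    if check_maldet_conf "$1"; then
        echo "$1: settings are consistent"
    fi
fi
```

Run it against the live file after every edit to conf.maldet; a non-zero exit status makes it easy to wire into a configuration-management check.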

Install ClamAV on RHEL/CentOS 7.0/6.x and Fedora

Follow the steps below to install ClamAV and take advantage of the clamav_scan setting:

Create the repo file /etc/yum.repos.d/dag.repo:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1
Next, refresh the package index with yum update and install clamd, the ClamAV daemon package. The ClamAV engine together with LMD's own signatures forms the basis for detecting and cleaning threats.

yum update && yum install clamd
[root@linuxhelp maldetect-1.5]# yum install clamd
Loaded plugins: aliases, changelog, fastestmirror, kabi, presto, refresh-packagekit, security, tmprepo, verify, versionlock
Loading support for CentOS kernel ABI
Setting up Install Process
Loading mirror speeds from cached hostfile
...
...
Installed:
  clamd.x86_64 0:0.98.4-1.el6.rf                                                                                                                             

Dependency Installed:
  clamav.x86_64 0:0.98.4-1.el6.rf                                             clamav-db.x86_64 0:0.98.4-1.el6.rf                                            

Complete!

Testing Linux Malware Detect

The EICAR test files are used to test the new LMD / ClamAV installation; they can be downloaded from the EICAR web site.

[root@linuxhelp maldetect-1.5]# cd /var/www/html/
[root@linuxhelp html]# wget http://www.eicar.org/download/eicar.com
--2016-04-16 05:24:40--  http://www.eicar.org/download/eicar.com
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: eicar.com

100%[===================================================================================================================> ] 68          --.-K/s   in 0s      

2016-04-16 05:24:41 (11.3 MB/s) - eicar.com saved [68/68]

Now download the .txt file from the same website.

[root@linuxhelp html]# wget http://www.eicar.org/download/eicar.com.txt
--2016-04-16 05:24:59--  http://www.eicar.org/download/eicar.com.txt
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: eicar.com.txt

100%[===================================================================================================================> ] 68          --.-K/s   in 0s      

2016-04-16 05:25:00 (11.5 MB/s) - eicar.com.txt saved [68/68]

After the .txt file, download the zip file.

[root@linuxhelp html]# wget http://www.eicar.org/download/eicar.com.zip
--2016-04-16 05:25:29--  http://www.eicar.org/download/eicar.com.zip
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13082 (13K) [text/html]
Saving to: eicar.com.zip

100%[===================================================================================================================> ] 13,082      31.7K/s   in 0.4s    

2016-04-16 05:25:30 (31.7 KB/s) - eicar.com.zip saved [13082/13082]

To execute maldet manually

Run the following command to execute maldet from the terminal:

[root@linuxhelp html]# maldet --scan-all /var/www/
Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks <proj@rfxn.com>
            (C) 2015, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(42488): {scan} signatures loaded: 10824 (8909 MD5 / 1915 HEX / 0 USER)
maldet(42488): {scan} building file list for /var/www/, this might take awhile...
maldet(42488): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(42488): {scan} scan returned zero results, please provide a new path

After the scan completes, check the email that LMD sent.

To remove all quarantined files

This command removes all files from the quarantine directory:

[root@linuxhelp html]# rm -rf /usr/local/maldetect/quarantine/*

To integrate maldet with cron, set the following variables in root's crontab:
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
SHELL=/bin/bash

With MAILTO=root, the output of the cron job is mailed to root, which provides the necessary debugging information.
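The manual run above and the crontab entries can be joined into one small wrapper that scans a path and turns the result into an exit status cron can mail about. The script below is an added example, not LMD's own cron.daily script. It assumes that a completed LMD 1.5 scan ends with a summary line of the form "maldet(PID): {scan} scan completed on PATH: files N, malware hits M, cleaned hits C, time Ts"; that line is not shown on this page, which only shows the "scan returned zero results" message LMD prints when it found no files to scan under the path. The log lines used to exercise the parser are constructed, and /var/log/lmd-cron-scan.log is an assumed location.

```shell
#!/bin/sh
# Cron wrapper around "maldet --scan-all" (added example; not LMD's own code).
# Assumption: a finished LMD 1.5 scan prints a summary line such as
#   maldet(42488): {scan} scan completed on /var/www/: files 12, malware hits 2, cleaned hits 0, time 3s
# When no files were found, LMD instead prints the "scan returned zero results"
# message shown in the tutorial and no summary line exists.

# maldet_hit_count: read maldet output on stdin and print the "malware hits"
# number from the last summary line, or -1 if no summary line is present.
maldet_hit_count() {
    hits=$(sed -n 's/.*{scan} scan completed on .*malware hits \([0-9][0-9]*\),.*/\1/p' | tail -n 1)
    if [ -z "$hits" ]; then
        echo -1
    else
        echo "$hits"
    fi
}

# scan_status: read maldet output on stdin and map it to an exit status that a
# cron job (with MAILTO=root) can report on:
#   0 = scan completed and found nothing
#   1 = no summary line (empty path, bad path or maldet error; needs a look)
#   2 = malware hits were reported
scan_status() {
    n=$(maldet_hit_count)
    case $n in
        -1) echo "scan produced no summary; check the path and conf.maldet"; return 1 ;;
        0)  echo "scan clean"; return 0 ;;
        *)  echo "scan found $n malware hit(s); list reports with: maldet --report list"; return 2 ;;
    esac
}

# Usage from root's crontab (after the PATH/MAILTO/HOME/SHELL lines above):
#   0 3 * * * /usr/local/sbin/lmd-cron-scan.sh /var/www
if [ $# -gt 0 ]; then
    maldet --scan-all "$1" 2>&1 | tee /var/log/lmd-cron-scan.log | scan_status
    exit $?
fi
```

Keeping the raw maldet output in a log file as well as mailing the one-line status means the full hit list is still available when the email only says that something was found.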

FAQ
Q
What is the mirrors.dat file in ClamAV?
A
A file called mirrors.dat is used by freshclam to keep track of broken mirrors.
Q
What are the dependency packages to be installed for Linux Malware Detect (LMD)?
A
For Debian-based distros:

# apt-get install ed

For Red Hat-based distros:

# yum install ed
Q
Where to set the email alert for malware detection?
A
Change the settings under "/usr/local/maldetect/conf.maldet" for enabling email alert.
Q
How do I scan a particular directory with Linux Malware Detect (LMD)?
A
Use the command maldet --scan-all /path/to/directory/ to achieve this.
Q
How do I keep my virus database up to date in ClamAV?
A
ClamAV includes freshclam, a tool that periodically checks for new database releases and keeps your database up to date.