
Features & Configuring of Linux Malware Detect


Linux Malware Detect

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license and designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

Threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV.

Features of Linux Malware Detect:

1) Install Linux Malware Detect.
2) Scan specified directories.
3) Scan the document root of all accounts in the server.
4) View previous scan reports.
5) Manage directories to be ignored from scans.
6) Manage file extensions to be exempted from scans.
7) Enable email alert for malware detections.
8) Enable automatic quarantine/cleaning of malware detections.
9) Manually quarantine malware detections based on scan reports.
10) Enable automatic monitoring of user directories or specific folders.

Configuring of Linux Malware Detect:

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet, and all options are well commented to make configuration a rather easy task. In case you get stuck, you can also refer to /usr/local/src/maldetect-1.4.2/README for further instructions.

1) email_alert :

If you would like to receive email alerts, then it should be set to

2) email_subj :

Set your email subject.

3) email_addr :

This is a comma-separated list of e-mail addresses that should receive alerts.

4) quar_hits :

The default quarantine action for malware hits, it should be set

5) quar_clean :

This tells LMD that it should try to clean malware that it has cleaner rules for; at the moment, base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to their original path, owner and permissions.

6) quar_susp :

The default suspend action for users with hits; set it as per your requirements.

7) quar_susp_minuid :

This is the minimum user ID that will be evaluated for suspension; the default should be fine on most systems.

8) Usage & Manual Scans

The first thing most users are looking to do when they get LMD installed is to scan a certain path or series of paths.

The configuration file for Maldet is located under /usr/local/maldetect/conf.maldet. Other important files are:

# exec file: /usr/local/maldetect/maldet
# exec link: /usr/local/sbin/maldet
# exec link: /usr/local/sbin/lmd
# cron.daily: /etc/cron.daily/maldet
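
The options listed above interact, so it helps to check them together after editing conf.maldet. The following is an added example, not part of LMD or of the original article: a small shell audit that reads a conf.maldet-style file and warns about combinations that silently disable alerting or cleaning. The function names and the sample file are hypothetical, and it assumes the options are 0/1 switches and that quar_clean only takes effect when quar_hits is enabled.

```shell
# Added example (not shipped with LMD): audit a conf.maldet-style file.

# Print the value of option $2 in file $1; last assignment wins, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print one WARN line per risky combination of the options listed above.
audit_maldet_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    alert=$(conf_get "$conf" email_alert)
    addr=$(conf_get "$conf" email_addr)
    hits=$(conf_get "$conf" quar_hits)
    clean=$(conf_get "$conf" quar_clean)
    susp=$(conf_get "$conf" quar_susp)
    minuid=$(conf_get "$conf" quar_susp_minuid)
    if [ "$alert" != 1 ]; then
        echo "WARN email_alert is not 1: hits only appear in scan reports"
    else
        case $addr in
            *@*) ;;
            *) echo "WARN email_alert=1 but email_addr has no address" ;;
        esac
    fi
    # Assumption: cleaning acts on quarantined hits, so it needs quar_hits=1.
    if [ "$clean" = 1 ] && [ "$hits" != 1 ]; then
        echo "WARN quar_clean=1 has no effect while quar_hits is not 1"
    fi
    if [ "$susp" = 1 ]; then
        case $minuid in
            ''|*[!0-9]*|0) echo "WARN quar_susp=1 but quar_susp_minuid is not a positive integer" ;;
        esac
    fi
}

# Constructed sample configuration, not a real server's file.
write_sample_conf() {
    cat > "$1" <<'EOF'
email_alert=1
email_addr=""
quar_hits=0
quar_clean=1
quar_susp=1
quar_susp_minuid=500
EOF
}

sample=$(mktemp); write_sample_conf "$sample"
audit_maldet_conf "$sample"; rm -f "$sample"
```

On a real server, point `audit_maldet_conf` at /usr/local/maldetect/conf.maldet instead of the sample file.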

Vishwajit Kale
