Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine


Post by hiccup » Tue Aug 25, 2015 10:28 am

In this article we will explain how to install and configure Linux Malware Detect (aka MalDet or LMD for short) along with ClamAV (Antivirus Engine) in RHEL 7.0/6.x (where x is the version number), CentOS 7.0/6.x and Fedora 21-12.


Installing LMD on RHEL/CentOS 7.0/6.x and Fedora 21-12

LMD is not available from the distribution repositories; it is distributed as a tarball from the project’s web site. The tarball containing the source code of the latest version can be downloaded with:

Code: bash

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Now extract it, change into the extracted directory (install.sh lives inside it, not next to the tarball) and run install.sh:

Code: bash

tar -xf maldetect-current.tar.gz
cd maldetect-*/
./install.sh

Configuring Linux Malware Detect

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet and all options are well commented to make configuration a rather easy task. In case you get stuck, you can also refer to /usr/local/src/maldetect-1.4.2/README for further instructions.

In the configuration file you will find the following sections, enclosed inside square brackets:
  1. EMAIL ALERTS
  2. QUARANTINE OPTIONS
  3. SCAN OPTIONS
  4. STATISTICAL ANALYSIS
  5. MONITORING OPTIONS
Each of these sections contains several variables that indicate how LMD will behave and what features are available.
  • Set email_alert=1 if you want to receive email notifications of malware inspection results. For the sake of brevity, we will only relay mail to local system users, but you can explore other options such as sending mail alerts to the outside as well.
  • Set email_subj="Your subject here" and email_addr=user@localhost (substitute the local account that should receive the alerts) if you have previously set email_alert=1.
  • With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert), you tell LMD what to do when malware is detected.
  • quar_clean will let you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, “a contiguous byte sequence that potentially can match many variants of a malware family”.
  • quar_susp, the default suspend action for users with hits, will allow you to disable an account whose owned files have been identified as hits.
  • clamav_scan=1 will tell LMD to attempt to detect the presence of the ClamAV binary and use it as the default scanner engine. This yields up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine; LMD signatures are still the basis for detecting threats.
Important: Please note that quar_clean and quar_susp require that quar_hits be enabled (=1).

Summing up, the lines with these variables should look as follows in /usr/local/maldetect/conf.maldet:

Code:

email_alert=1
email_addr="user@localhost"
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1

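The dependencies between these options (quar_clean and quar_susp only take effect with quar_hits=1, email_alert=1 needs an email_addr, and the clamav_scan key is easy to misspell) can be checked before the daily cron run ever fires. The checker below is an added example written for this post, not part of LMD: it reads any conf.maldet-style key=value file, and the two sample configurations it builds in a temporary directory are constructed for the demonstration rather than taken from a real installation.

```shell
#!/bin/sh
# Added example: sanity-check a conf.maldet-style file for the option
# dependencies described in the post. Not part of LMD; the sample
# configurations below are constructed for the demonstration.

# Print the value of KEY from FILE (last assignment wins), without quotes.
conf_get() {
    cg_key=$1
    cg_file=$2
    cg_val=$(grep -E "^[[:space:]]*${cg_key}=" "$cg_file" | tail -n 1 | cut -d= -f2-)
    cg_val=${cg_val%\"}
    cg_val=${cg_val#\"}
    printf '%s' "$cg_val"
}

# Print one line per inconsistency found in FILE and return their number
# (0 means the file is consistent with the rules in the post).
check_maldet_conf() {
    cm_file=$1
    cm_problems=0
    email_alert=$(conf_get email_alert "$cm_file")
    email_addr=$(conf_get email_addr "$cm_file")
    quar_hits=$(conf_get quar_hits "$cm_file")
    quar_clean=$(conf_get quar_clean "$cm_file")
    quar_susp=$(conf_get quar_susp "$cm_file")
    clamav_scan=$(conf_get clamav_scan "$cm_file")

    if [ "$email_alert" = 1 ] && [ -z "$email_addr" ]; then
        echo "email_alert=1 but email_addr is empty: alerts have no recipient"
        cm_problems=$((cm_problems + 1))
    fi
    if [ "$quar_hits" != 1 ]; then
        if [ "$quar_clean" = 1 ]; then
            echo "quar_clean=1 has no effect unless quar_hits=1"
            cm_problems=$((cm_problems + 1))
        fi
        if [ "$quar_susp" = 1 ]; then
            echo "quar_susp=1 has no effect unless quar_hits=1"
            cm_problems=$((cm_problems + 1))
        fi
    fi
    # clam_av is not an LMD option; the real key is clamav_scan.
    if grep -qE '^[[:space:]]*clam_av=' "$cm_file"; then
        echo "clam_av is not an LMD option: use clamav_scan instead"
        cm_problems=$((cm_problems + 1))
    fi
    # Informational only (not counted): clamav_scan=1 needs the clamscan binary.
    if [ "$clamav_scan" = 1 ] && ! command -v clamscan >/dev/null 2>&1; then
        echo "note: clamav_scan=1 but clamscan is not installed; LMD will use its own scanner" >&2
    fi
    return "$cm_problems"
}

# Demonstration on a constructed configuration containing every mistake
# above, followed by the corrected version shown in the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.conf" <<'EOF'
email_alert=1
quar_hits=0
quar_clean=1
quar_susp=1
clam_av=1
EOF
cat > "$demo_dir/good.conf" <<'EOF'
email_alert=1
email_addr="user@localhost"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1
EOF
for f in bad.conf good.conf; do
    echo "== $f"
    check_maldet_conf "$demo_dir/$f" || echo "$f: $? problem(s) found"
done
rm -rf "$demo_dir"
```

To check a live installation, source the file and run check_maldet_conf /usr/local/maldetect/conf.maldet after editing; a non-zero return code is the number of inconsistencies printed.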
Installing ClamAV on RHEL/CentOS 7.0/6.x and Fedora 21-12

To install ClamAV in order to take advantage of the clamav_scan setting, follow these steps:

Create the repo file /etc/yum.repos.d/dag.repo:

Code:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1

then update the package index and install the ClamAV daemon:

Code: bash

yum update && yum install clamd

(The DAG/RPMforge repository has since been discontinued; on current CentOS/RHEL releases the clamav and clamd packages are available from EPEL instead.)

Scan manually with ClamAV:

Code:

clamscan -r -i /home

Note: These are only the basic instructions to install ClamAV in order to integrate it with LMD. We will not go into detail about ClamAV settings since, as we said earlier, LMD signatures are still the basis for detecting and cleaning threats.

Testing Linux Malware Detect

Now it’s time to test our recent LMD / ClamAV installation. Instead of using real malware, we will use the EICAR test files, which are available for download from the EICAR web site.

Code: bash

cd /var/www/html
wget http://www.eicar.org/download/eicar.com
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

At this point you can either wait for the next cron job to run, or execute maldet manually yourself. We’ll go with the second option.

To scan manually:

Code: bash

maldet --scan-all /var/www/

LMD also accepts wildcards, so if you want to scan only a certain type of file (zip files, for example), you can do so:

Code: bash

maldet --scan-all /var/www/*.zip

When the scanning is complete, you can either check the email that was sent by LMD or view the report with:

Code: bash

maldet --report 021015-1051.3559

where 021015-1051.3559 is the SCANID (the SCANID will be slightly different in your case).
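The EICAR download links above may not always be reachable, and the test string itself is public and harmless by design, so the same test files can be generated locally. The script below is an added example written for this post, not part of LMD or ClamAV: it writes eicar.com and eicar.com.txt (plus eicar_com.zip when the zip tool is present) into a directory of your choice and then scans that directory the way the post does, with maldet if it is installed and with clamscan as a fallback. The temporary directory default and the fallback order are this example's assumptions.

```shell
#!/bin/sh
# Added example: generate the EICAR test files locally and scan them.
# Not part of LMD or ClamAV. The EICAR string is the public, harmless
# antivirus test pattern that every scanner flags on purpose.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write eicar.com and eicar.com.txt (and eicar_com.zip if zip is available)
# into DIR, then print how many files now exist there.
make_eicar_files() {
    mk_dir=$1
    mkdir -p "$mk_dir"
    # No trailing newline: the file must be exactly the 68-byte pattern.
    printf '%s' "$EICAR" > "$mk_dir/eicar.com"
    printf '%s' "$EICAR" > "$mk_dir/eicar.com.txt"
    if command -v zip >/dev/null 2>&1; then
        (cd "$mk_dir" && zip -q eicar_com.zip eicar.com)
    fi
    ls "$mk_dir" | wc -l | tr -d ' '
}

# Scan DIR with the same commands the post uses: maldet when installed,
# otherwise clamscan. The scanner's exit status is passed through; clamscan
# exits 1 when it finds a hit, so 1 is the expected result, not a failure.
scan_test_dir() {
    sc_dir=$1
    if command -v maldet >/dev/null 2>&1; then
        maldet --scan-all "$sc_dir"
    elif command -v clamscan >/dev/null 2>&1; then
        clamscan -r -i "$sc_dir"
    else
        echo "no scanner found: install LMD or ClamAV first" >&2
        return 2
    fi
}

# Demonstration: use the directory given as first argument, or a temporary one
# (assumption of this example; the post uses /var/www/html).
test_dir=${1:-$(mktemp -d)}
echo "wrote $(make_eicar_files "$test_dir") test file(s) to $test_dir"
scan_test_dir "$test_dir"
echo "scanner exit status: $?"
```

Run it as sh eicar-test.sh /var/www/html to reproduce the post's setup; with quar_hits=1 the files are moved to /usr/local/maldetect/quarantine and the report can be viewed with maldet --report SCANID as described above.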

Important: Please note that LMD found 5 hits since the eicar.com file was downloaded twice (thus resulting in eicar.com and eicar.com.1).

If you check the quarantine folder (here only one of the files was kept and the rest deleted), you can list what LMD moved there with:

Code: bash

ls -l /usr/local/maldetect/quarantine/

If for some reason

Code: bash

maldet --clean SCANID

does not get the job done, you can remove all quarantined files by hand with:

Code: bash

rm -rf /usr/local/maldetect/quarantine/*

You may refer to the following screen cast for a step-by-step explanation of the above process:

[YouTube screencast embedded in the original post]

Final Considerations

Since maldet needs to be integrated with cron, set the following variables in root’s crontab (run crontab -e as root) if you notice that LMD is not running correctly on a daily basis:

Code: bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
SHELL=/bin/bash

This will help provide the necessary debugging information.

LMD Homepage
Source
