How to Install and Configure Linux Malware Detect in AlmaLinux

Linux Malware Detect (LMD) is a utility for scanning, detecting, and removing malware from a Linux system. It can also be used as a backdoor scanner. This article covers the installation and configuration of Linux Malware Detect in AlmaLinux.

Requirements

  • AlmaLinux is running on the server. For this tutorial, the server runs AlmaLinux 8.7.
  • Sudo or root privileges are required.
  • You need the git command line utility and the text editor of your choice. For this tutorial, the Vim text editor is used. If you directly follow this tutorial and the git and vim packages are not installed on the server, run the following command to install them.
[root@lwalmalinux ~]# yum install vim git -y

Install and Configure Linux Malware Detect in AlmaLinux

You can install and configure Linux Malware Detect in AlmaLinux by following the steps below.

Step 1: Update and Upgrade the Server

Before installing Linux Malware Detect, bring the packages on the AlmaLinux server up to date by executing the following command.

[root@lwalmalinux ~]# yum update -y && yum upgrade -y

Step 2: Change the Current Working Directory

You can download the Linux Malware Detect package in a separate location. Use the cd command followed by the directory path to change the current working directory. Confirm the current directory with the pwd command.

[root@lwalmalinux ~]# cd /usr/local/src
[root@lwalmalinux src]# pwd
/usr/local/src

Step 3: Clone the Linux Malware Detect Project Repository

The Linux Malware Detect project is hosted on GitHub. With the git command, you can clone the Linux Malware Detect project repository from GitHub.

git clone https://github.com/rfxn/linux-malware-detect.git

Here is the output.

[root@lwalmalinux src]# git clone https://github.com/rfxn/linux-malware-detect.git
Cloning into 'linux-malware-detect'...
remote: Enumerating objects: 2111, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 2111 (delta 55), reused 53 (delta 33), pack-reused 2027
Receiving objects: 100% (2111/2111), 1.84 MiB | 10.31 MiB/s, done.
Resolving deltas: 100% (1541/1541), done.
[root@lwalmalinux src]#

Step 4: Access the Linux Malware Detect Directory

Use the following command to change the working directory to the Linux Malware Detect directory.

cd linux-malware-detect

Here is the output, along with a listing of the files in the directory from the ll command.

[root@lwalmalinux src]# ll
total 4
drwxr-xr-x. 4 root root 4096 Mar  8 05:47 linux-malware-detect
[root@lwalmalinux src]# cd linux-malware-detect
[root@lwalmalinux linux-malware-detect]# ll
total 120
-rw-r--r--. 1 root root 47227 Mar  8 05:47 CHANGELOG
-rw-r--r--. 1 root root  4006 Mar  8 05:47 CHANGELOG.RELEASE
-rw-r--r--. 1 root root  1491 Mar  8 05:47 CHANGELOG.VARIABLES
-rw-r--r--. 1 root root 18093 Mar  8 05:47 COPYING.GPL
-rwxr-xr-x. 1 root root  3814 Mar  8 05:47 cron.daily
-rw-r--r--. 1 root root    76 Mar  8 05:47 cron.d.pub
drwxr-xr-x. 6 root root  4096 Mar  8 05:47 files
-rwxr-xr-x. 1 root root  6100 Mar  8 05:47 install.sh
-rw-r--r--. 1 root root 24443 Mar  8 05:47 README
[root@lwalmalinux linux-malware-detect]#

Step 5: Install Linux Malware Detect in AlmaLinux

You can run the Linux Malware Detect installation script by executing the following command from the LMD directory.

[root@lwalmalinux linux-malware-detect]# sh install.sh

How to Configure Linux Malware Detect

The core Linux Malware Detect configuration file is located at /usr/local/maldetect/conf.maldet.

Step 1: Open the Configuration File

Open the configuration file using the text editor of your choice. This tutorial uses Vim. To open the Linux Malware Detect configuration file in the Vim text editor, run the following command.

[root@lwalmalinux ~]# vim /usr/local/maldetect/conf.maldet

Step 2: Update the Configuration File

The Linux Malware Detect configuration file contains the following lines, which need to be updated as indicated below. This setup assists Linux Malware Detect in detecting and removing malware threats.

To enable the email notification, set the email_alert value to 1.

email_alert="1"

To receive the scan reports to your email address, add the appropriate email address here.

email_addr="you@domain.com"

To enable the LMD signature auto-update, set the autoupdate_signatures value to 1.

autoupdate_signatures="1"

To scan with ClamAV, you can set the scan_clamscan value to 1.

scan_clamscan="1"

To enable the automatic updates of the LMD installation, set the autoupdate_version value to 1.

autoupdate_version="1"

To enable the daily automatic scanning, set the cron_daily_scan value to 1.

cron_daily_scan="1"

The quarantine_clean option controls whether LMD attempts to clean string-based malware injections. This tutorial sets the quarantine_clean value to 0.

quarantine_clean="0"

You can suspend the user if malware is detected by setting the quarantine_suspend_user value to 1.

quarantine_suspend_user="1"

To set the minimum user ID that can be suspended, set the quarantine_suspend_user_minuid value to 500.

quarantine_suspend_user_minuid="500"

To allow non-root users to perform scans, set the scan_user_access value to 1.

scan_user_access="1"

To move hits to quarantine and alert, set the quarantine_hits value to 1.

quarantine_hits="1"

To enable scanning of root-owned files, set the scan_ignore_root value to 0. Set it to 1 to disable scanning of root-owned files.

scan_ignore_root="0"

Step 3: Save Changes and Exit the File

Save the changes and exit the file. For Vim users, type :wq and press Enter.
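
The same Step 2 values can be applied without an editor. The script below is an added example, not part of LMD or of the original tutorial: it backs up the file once, rewrites each setting in place, and verifies the result. It assumes the settings appear as KEY="value" lines as shown above; the function names are hypothetical and email_addr is the tutorial's placeholder.

```sh
# Added example (not LMD's own tooling): apply the Step 2 values to conf.maldet.
# email_addr is the page's placeholder; function names are hypothetical.
SETTINGS='email_alert=1
email_addr=you@domain.com
autoupdate_signatures=1
scan_clamscan=1
autoupdate_version=1
cron_daily_scan=1
quarantine_clean=0
quarantine_suspend_user=1
quarantine_suspend_user_minuid=500
scan_user_access=1
quarantine_hits=1
scan_ignore_root=0'

# set_conf FILE KEY VALUE: rewrite the KEY= line in place, or append it.
set_conf() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=\"$3\"|" "$1" > "$1.tmp" && cat "$1.tmp" > "$1"
        rm -f "$1.tmp"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# get_conf FILE KEY: print the effective (last) value, quotes stripped.
get_conf() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# apply_settings FILE: back up once, set every pair, return 1 on a mismatch.
apply_settings() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    [ -f "$1.orig" ] || cp -p "$1" "$1.orig"
    rc=0
    while IFS='=' read -r key value; do
        set_conf "$1" "$key" "$value"
        [ "$(get_conf "$1" "$key")" = "$value" ] || { echo "not set: $key" >&2; rc=1; }
    done <<EOF
$SETTINGS
EOF
    return "$rc"
}

# Edit the file given as the first argument, e.g. /usr/local/maldetect/conf.maldet.
[ -z "${1:-}" ] || apply_settings "$1"
```

The untouched original is kept beside the file with an .orig suffix, so the change can be reviewed with diff before the next scheduled scan.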

Running a Linux Malware Detect Scan in AlmaLinux

Here is the syntax to scan a directory for malicious files.

maldet -a <directory_path>

To scan the remote-files folder in the root directory, the command is maldet -a /root/remote-files. Here are the command and the output.

[root@lwalmalinux ~]# maldet -a /root/remote-files
Linux Malware Detect v1.6.5

This program may be freely redistributed under the terms of the GNU GPL v2
maldet(36424): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(36424): {scan} building file list for /root/remote-files, this might take awhile...
maldet(36424): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(36424): {scan} file list completed in 0s, found 3 files...
maldet(36424): {scan} scan of /root/remote-files (3 files) in progress...
maldet(36424): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(36424): {scan} scan completed on /root/remote-files: files 3, malware hits 1, cleaned hits 0, time 23s
maldet(36424): {scan} scan report saved, to view run: maldet --report 230308-0741.36424
maldet(36424): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230308-0741.36424.

Once the scan is completed, you can check the report. Here is the syntax for checking the LMD report.

maldet --report <SCAN-ID>

Using the scan ID from the previous output, the command is maldet --report 230308-0741.36424. Here is the command and subsequent output.

[root@lwalmalinux ~]# maldet --report 230308-0741.36424
HOST:      noufal-almalinux
SCAN ID:   230308-0741.36424
STARTED:   Mar  8 2023 07:41:05 +0000
COMPLETED: Mar  8 2023 07:41:28 +0000
ELAPSED:   23s [find: 0s]
PATH:          /root/remote-files
TOTAL FILES:   3
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 230308-0741.36424
FILE HIT LIST:
{HEX}EICAR.TEST.3 : /root/remote-files/eicar.com.txt
===============================================
Linux Malware Detect v1.6.5 < proj@rfxn.com >
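
For scheduled scans, the report can be triaged by a script rather than read by hand. The following is an added example, not part of LMD or of the original tutorial: it parses the report layout shown above, lists each hit as a signature and path pair, and returns a status that separates "no hits" from "hits still accessible". The function names and status codes are assumptions of this example, and the sample text is abridged from the report above.

```sh
# Added example: triage `maldet --report <SCAN-ID>` output for alerting.
# SAMPLE is abridged from the report shown above on this page.
SAMPLE='SCAN ID:   230308-0741.36424
PATH:          /root/remote-files
TOTAL FILES:   3
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
FILE HIT LIST:
{HEX}EICAR.TEST.3 : /root/remote-files/eicar.com.txt
===============================================
Linux Malware Detect v1.6.5 < proj@rfxn.com >'

# report_field NAME: print the value of the first "NAME: value" line on stdin.
report_field() {
    sed -n "s/^$1:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" | head -n 1
}

# parse_hits: print "signature<TAB>path" for each FILE HIT LIST entry on stdin.
parse_hits() {
    awk '/^FILE HIT LIST:/ { inlist = 1; next }
         /^=+$/            { inlist = 0 }
         inlist && (i = index($0, " : ")) {
             print substr($0, 1, i - 1) "\t" substr($0, i + 3)
         }'
}

# triage_report TEXT: 0 = no hits, 1 = hits without the quarantine warning,
# 2 = hits and the report warns that quarantine is disabled, 3 = unparseable.
triage_report() {
    hits=$(printf '%s\n' "$1" | report_field 'TOTAL HITS')
    case $hits in ''|*[!0-9]*) echo "unparseable report" >&2; return 3 ;; esac
    [ "$hits" -gt 0 ] || return 0
    printf '%s\n' "$1" | parse_hits
    if printf '%s\n' "$1" | grep -q '^WARNING: Automatic quarantine is currently disabled'; then
        return 2
    fi
    return 1
}

# Stand-alone run on the sample; for real use pass "$(maldet --report ID)".
triage_report "$SAMPLE" && rc=0 || rc=$?
echo "triage status: $rc"
```

A status of 2 on a production host means detected files are still in place and readable, which is the case the report's WARNING line describes.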

If you set quarantine_hits to 1, the malware files in the list will be quarantined to the selected directory. You can also manually quarantine the malware files using the following syntax.

/usr/local/sbin/maldet -q <SCAN-ID>

Again, using the previous scan ID, the command is /usr/local/sbin/maldet -q 230308-0741.36424.

To run the maldet scan on a specific directory in the background, execute a command with the following syntax.

maldet -b -a <directory_path>

You can execute the following command to list all the arguments maldet accepts, along with their options and features.

maldet --help

Conclusion

Linux Malware Detect is a powerful tool for removing malware infections. Protecting the compromised user or website should be a top priority to prevent suspicious activity. With the help of this article, you can efficiently perform Linux Malware Detect installation and configuration in AlmaLinux and help mitigate risk.

If you haven’t set up your AlmaLinux server and set up LMD, Liquid Web can help. AlmaLinux is available for VPS Hosting, Cloud Dedicated Servers, and Dedicated Servers, among other options. Contact the sales team to get set up today.

About the Author: Mohammed Noufal

Mohammed Noufal is a B.Tech graduate with a decade of experience in server administration and web hosting. He is a father to two daughters and finds fulfillment in their growth. In his free time, he enjoys blogging, sharing experiences, and listening to music. With a strong technical background, family commitment, and creative outlets, he represents a well-rounded life journey.
