How to Install Linux Malware Detect in Ubuntu 20.04

Reading Time: 10 minutes

Linux Malware Detect (LMD) or maldet is an open-source malware detector for Linux operating systems. It is used to scan malware on servers, and also monitor and read the system parameters to detect unusual activities.

Requirements

  • A Linux server running Ubuntu 20.04.
  • Root access to the server.

How to Install Linux Malware Detect in Ubuntu 20.04

Step 1: Update and Upgrade the Server

You will need to set up and install the required packages on the Ubuntu 20.04 server before the Linux Malware Detect installation.

To update and upgrade the Ubuntu 20.04 server, run the following commands.

root@noufserver:~# sudo apt update && sudo apt upgrade -y

Install the wget packages (if it is not installed on the server) by using the following command.

root@noufserver:~# sudo apt install wget -y

Step 2:  Change the Current Working Directory

The pwd command gives you the entire file path of your current directory.

To change the current working directory, use the cd command followed by the file path of the desired directory.

root@noufserver:~# pwd
/root
root@noufserver:~# cd /tmp/
root@noufserver:/tmp# pwd
/tmp
root@noufserver:/tmp#

Step 3: Download the Latest Linux Malware Detect Package

To download the latest Linux Malware Detect package, run the following command.

root@noufserver:/tmp# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Here is the output.

root@noufserver:/tmp# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2022-01-27 04:47:28--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com (www.rfxn.com)... 172.67.144.156, 104.21.28.71, 2606:4700:3034::6815:1c47, ...
Connecting to www.rfxn.com (www.rfxn.com)|172.67.144.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1549126 (1.5M) [application/x-gzip]
Saving to: 'maldetect-current.tar.gz'

maldetect-current.tar.gz                   100%[=====================================================================================>]   1.48M  1.34MB/s    in 1.1s    

2022-01-27 04:47:30 (1.34 MB/s) - 'maldetect-current.tar.gz' saved [1549126/1549126]

Step 4:  Uncompress the .tar File

To uncompress the .tar file, run the following command.

root@noufserver:/tmp# tar xfz maldetect-current.tar.gz

After the file is uncompressed, you are returned to the directory. Using the 11 command from the directory displays the files in that directory.

root@noufserver:/tmp# tar xfz maldetect-current.tar.gz
root@noufserver:/tmp# 
root@noufserver:/tmp# ll
drwxr-xr-x  3 root root    4096 Jun 20  2019 maldetect-1.6.4/
-rw-r--r--  1 root root 1549126 Jul  6  2019 maldetect-current.tar.gz

Step 5:  Change the Current Working Directory to the Extracted File

To change the current working directory to the extracted file, use the following command.

root@noufserver:/tmp# cd maldetect-1.6.4

Here is the complete output of the command, including the pwd command to confirm the directory and the 11 command to view the files in the directory.

root@noufserver:/tmp# cd maldetect-1.6.4
root@noufserver:/tmp/maldetect-1.6.4# pwd
/tmp/maldetect-1.6.4
root@noufserver:/tmp/maldetect-1.6.4# ll
total 128
drwxr-xr-x  3 root root  4096 Jun 20  2019 ./
drwxrwxrwt 13 root root  4096 Jan 27 04:48 ../
lrwxrwxrwx  1 root root    26 Jul  1  2016 .ca.def -> files/internals/importconf
-rw-r--r--  1 root root 46407 Apr 15  2019 CHANGELOG
-rw-r--r--  1 root root  3186 Apr 15  2019 CHANGELOG.RELEASE
-rw-r--r--  1 root root  1491 Sep 10  2013 CHANGELOG.VARIABLES
-rw-r--r--  1 root root 18093 Sep 10  2013 COPYING.GPL
-rw-r--r--  1 root root 24188 Mar 16  2019 README
-rw-r--r--  1 root root    76 Jan  8  2017 cron.d.pub
-rwxr-xr-x  1 root root  3777 Apr 15  2019 cron.daily*
drwxr-xr-x  8 root root  4096 Jul  6  2019 files/
-rwxr-xr-x  1 root root  6100 Mar 27  2019 install.sh*

Step 6: Run the Linux Malware Detect Install Script

Execute the Linux Malware Detect installation script by running the following command.

root@noufserver:/tmp/maldetect-1.6.4# ./install.sh

Here is the output.

root@noufserver:/tmp/maldetect-1.6.4# ./install.sh
Linux Malware Detect v1.6.4

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
imported config options from /usr/local/maldetect.last/conf.maldet
maldet(89728): {sigup} performing signature update check...
maldet(89728): {sigup} local signature set is version 201907043616
maldet(89728): {sigup} new signature set 20220122476998 available
maldet(89728): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(89728): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(89728): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(89728): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(89728): {sigup} verified md5sum of maldet-clean.tgz
maldet(89728): {sigup} unpacked and installed maldet-clean.tgz
maldet(89728): {sigup} signature set update completed
maldet(89728): {sigup} 17264 signatures (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)

The syntax of the maldet command is as follows.

maldet [OPTION] [Directory Path]

The available maldet options are as follows.

-a (--scan-all <path>) -  To scan all files in the path
 
-b (--background)      - To execute operations in the background.

-c (--checkout <file>) -  To upload suspected malware file to rfxn.com for review and hashing into signatures

-d (--update-ver)      -  To update the installed version.

-e (--report <scan ID> <email address> - To view the most recent scan or a particular scan ID and email scan report to the provided e-mail address

-h (--help)            -  To list all available maldet help options. 

-l (--log)             -  To view maldet log file events.

-n (--clean <scan ID>  - To clean & restore malware hits from the report.

-p (--purge)           -  To clear logs, session, and temporary data.

-q (--quarantine <scan ID> -  To quarantine all malware from the report.

-r (--scan-recent <path> <days> - To scan the file those are created or modified in the last X days ( 7 days by default and ? for wildcard) 

-s (--restore <file> or <scan ID> -  To restore the quarantined file from the quarantine queue to the original path or restore all quarantined files from a particular scan ID 

-u (--update)          -  To update malware detection signatures.

How to Configure Linux Malware Detect in Ubuntu 20.04

Now that Linux Malware Detect is installed, you will need to configure the Linux Malware Detect configuration file for better performance. The Linux Malware Detect configuration file is /usr/local/maldetect/conf.maldet. Follow these steps to configure Linux Malware Detect.

Step 1: Open the Configuration File

Use the following command to open the Linux Malware Detect configuration file.

root@noufserver:~# vim /usr/local/maldetect/conf.maldet

Step 2: Update the Configuration File

Find the following lines in the Linux Malware Detect configuration file and update them as shown below. This configuration will help Linux Malware Detect successfully detect and delete malware threats.

# To enable the email notification.
email_alert="1"

# Email Address in which you want to receive scan reports
email_addr="you@domain.com"

# Enable the LMD signature autoupdate.
autoupdate_signatures="1"

# Use with ClamAV
scan_clamscan="1"

# Enable the automatic updates of the LMD installation.
autoupdate_version="1"

# Enable the daily automatic scanning.
cron_daily_scan="1"

# Clean string based malware injections.
quarantine_clean="0"

# Suspend user if malware found. 
quarantine_suspend_user="1"

# Minimum userid value that be suspended
quarantine_suspend_user_minuid="500"

# Allows non-root users to perform scans.
scan_user_access="1"

# Move hits to quarantine & alert
quarantine_hits="1"

# Enable scanning for root-owned files. Set 1 to disable.
scan_ignore_root="0"

Step 3: Save Changes and Exit the File

Save the changes and exit the file by typing :wq and then press Enter.

Using Linux Malware Detect with ClamAV in Ubuntu 20.04

Linux Malware Detect is compatible and performs better with ClamAV (Clam Antivirus), especially when scanning large file sets. ClamAV is an open-source antivirus engine to detect viruses, malware, & other common security issues.

Use the apt command to install ClamAV, as it is available in the base repository. 

To install ClamAV, use the following syntax.

root@noufserver:~# sudo apt install clamav clamav-daemon clamdscan -y

Here is the output.

root@noufserver:~# sudo apt install clamav clamav-daemon clamdscan -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  clamav-base clamav-freshclam libclamav9 libtfm1
Suggested packages:
  libclamunrar clamav-docs daemon libclamunrar9
The following NEW packages will be installed:
  clamav clamav-base clamav-daemon clamav-freshclam clamdscan libclamav9 libtfm1
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.

Once ClamAV is installed, you will need to update the ClamAV database before using the clamscan command to scan a file or data for vulnerabilities. You will also need to stop the clamav-freshclam service (if it is running) before updating the ClamAV database. Use the following command to stop the clamav-freshclam service.

root@noufserver:~# sudo systemctl stop clamav-freshclam

To update your ClamAV definition database by the following terminal command.

root@noufserver:~# sudo freshclam

Here is the output.

root@noufserver:~#sudo freshclam
Thu Jan 27 05:21:11 2022 -> ClamAV update process started at Thu Jan 27 05:21:11 2022
Thu Jan 27 05:21:11 2022 -> daily.cvd database is up-to-date (version: 26434, sigs: 1972740, f-level: 90, builder: raynman)
Thu Jan 27 05:21:11 2022 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Jan 27 05:21:11 2022 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Once the ClamAV definition database is updated, you can start clamav-freshclam service using the following command.

root@noufserver:~# sudo systemctl start clamav-freshclam

To enable ClamAV on boot, which can increase your security stance by booting the service automatically for you, use the following command.

root@noufserver:~# sudo systemctl enable clamav-freshclam

Here is the output.

root@noufserver:~# sudo systemctl enable clamav-freshclam
Synchronizing state of clamav-freshclam.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable clamav-freshclam

To disable ClamAV on boot, use the following command.

root@noufserver:~# sudo systemctl disable clamav-freshclam

Here is the output.

root@noufserver:~# sudo systemctl disable clamav-freshclam
Synchronizing state of clamav-freshclam.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable clamav-freshclam
Removed /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service.

Running a Linux Malware Detect Scan in Ubuntu 20.04

Check test functionality of Linux Malware Detect by downloading sample virus signatures from the EICAR website

Step 1: Download Sample Virus Signatures

Change the current working directory to /tmp and download the sample virus signatures from the EICAR website.

root@noufserver:~# cd /tmp
root@noufserver:~#
root@noufserver:/tmp#wget https://secure.eicar.org/eicar.com
root@noufserver:~#
root@noufserver:/tmp#wget https://secure.eicar.org/eicar_com.zip
root@noufserver:~#
root@noufserver:/tmp#wget https://secure.eicar.org/eicarcom2.zip
root@noufserver:~#
root@noufserver:/tmp#wget https://secure.eicar.org/eicar.com.txt
root@noufserver:~#

Here is the output.

root@noufserver:~# cd /tmp
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com
--2022-01-27 06:31:33--  https://secure.eicar.org/eicar.com
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/x-msdownload]
Saving to: 'eicar.com'

eicar.com                                  100%[=====================================================================================>]      68  --.-KB/s    in 0s      

2022-01-27 06:31:34 (4.09 MB/s) - 'eicar.com' saved [68/68]

root@noufserver:/tmp# wget https://secure.eicar.org/eicar_com.zip
--2022-01-27 06:31:42--  https://secure.eicar.org/eicar_com.zip
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/zip]
Saving to: 'eicar_com.zip'

eicar_com.zip                              100%[=====================================================================================>]     184  --.-KB/s    in 0s      

2022-01-27 06:31:43 (23.0 MB/s) - 'eicar_com.zip' saved [184/184]

root@noufserver:/tmp# wget https://secure.eicar.org/eicarcom2.zip
--2022-01-27 06:31:50--  https://secure.eicar.org/eicarcom2.zip
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 308 [application/zip]
Saving to: 'eicarcom2.zip'

eicarcom2.zip                              100%[=====================================================================================>]     308  --.-KB/s    in 0s      

2022-01-27 06:31:51 (12.1 MB/s) - 'eicarcom2.zip' saved [308/308]

root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com.txt
--2022-01-27 06:31:59--  https://secure.eicar.org/eicar.com.txt
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [text/plain]
Saving to: 'eicar.com.txt'

eicar.com.txt                              100%[=====================================================================================>]      68  --.-KB/s    in 0s      

2022-01-27 06:31:59 (7.91 MB/s) - 'eicar.com.txt' saved [68/68]

root@noufserver:/tmp#

Step 2: Scan for Malicious Files

To scan the /tmp folder for malicious files, run the following command.

root@noufserver:~# maldet -a /tmp

Here is the output.

root@noufserver:~# maldet -a /tmp
Linux Malware Detect v1.6.4

This program may be freely redistributed under the terms of the GNU GPL v2

maldet(16224): {scan} signatures loaded: 17264 (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(16224): {scan} building file list for /tmp, this might take awhile...
maldet(16224): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(16224): {scan} file list completed in 0s, found 96 files...
maldet(16224): {scan} scan of /tmp (96 files) in progress...
maldet(16224): {scan} 96/96 files scanned: 12 hits 0 cleaned

maldet(16224): {scan} scan completed on /tmp: files 96, malware hits 12, cleaned hits 0, time 17s
maldet(16224): {scan} scan report saved, to view run: maldet --report 220127-0714.16224
maldet(16224): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220127-0714.16224

Once the scan is completed, check the scan report by using the following command.

maldet --report <ID>

Here is the appropriate syntax of the command.

root@noufserver:~# maldet --report 220127-0714.16224

Here is the output.

HOST: noufserver
SCAN ID:   220127-0714.16224
STARTED:   Jan 27 2022 07:14:56 +0000
COMPLETED: Jan 27 2022 07:15:13 +0000
ELAPSED:   17s [find: 0s]

PATH:          /tmp
TOTAL FILES:   96
TOTAL HITS:    12
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 220127-0714.16224

FILE HIT LIST:
{HEX}php.cmdshell.antichat.201 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com.txt
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip
{HEX}php.cmdshell.antichat.201 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com.txt
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >

If you set quarantine_hits=1, the listed malware files will quarantine to the specified directory. So, the output is the same as below.

root@noufserver:~# maldet -q 220127-0714.16224
Linux Malware Detect v1.6.4

This program may be freely redistributed under the terms of the GNU GPL v2
maldet(18389): {quar} malware quarantined from '/tmp/maldetect-1.6.4/files/sigs/rfxn.yara' to '/usr/local/maldetect/quarantine/rfxn.yara.283112035'
maldet(18389): {quar} malware quarantined from '/tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed' to '/usr/local/maldetect/quarantine/gzbase64.inject.unclassed.3214322411'
maldet(18389): {quar} malware quarantined from '/tmp/eicar_com.zip' to '/usr/local/maldetect/quarantine/eicar_com.zip.357324939'
maldet(18389): {quar} malware quarantined from '/tmp/eicar.com' to '/usr/local/maldetect/quarantine/eicar.com.1660021592'
maldet(18389): {quar} malware quarantined from '/tmp/eicar.com.txt' to '/usr/local/maldetect/quarantine/eicar.com.txt.2853016306'
maldet(18389): {quar} malware quarantined from '/tmp/eicarcom2.zip' to '/usr/local/maldetect/quarantine/eicarcom2.zip.2220119630'

Scan the Directory with Maldet in the Background

If the file or directory size is large, run the maldet scan process in the background. For example, if you want to run the maldet scan on the /tmp directory in the background, use the following command.

root@noufserver:~# maldet -b -a /tmp

Here is the output.

root@noufserver:~# maldet -b -a /tmp
Linux Malware Detect v1.6.4

This program may be freely redistributed under the terms of the GNU GPL v2

maldet(18831): {scan} launching scan of /tmp to background, see /usr/local/maldetect/logs/event_log for progress

To check the status of the background maldet scan, view the log file /usr/local/maldetect/logs/event_log by using the following command.

root@noufserver:~# tail -f /usr/local/maldetect/logs/event_log

Here is the output.

root@noufserver:~# tail -f /usr/local/maldetect/logs/event_log
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} launching scan of /tmp to background, see /usr/local/maldetect/logs/event_log for progress
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} signatures loaded: 17264 (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} building file list for /tmp, this might take awhile...
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} executed eval /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find "/tmp" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f  -size +24c -size -6947618c  -not -perm 000     
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} file list completed in 0s, found 84 files...
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} no $mail or $sendmail binaries found, e-mail alerts disabled.
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} scan of /tmp (84 files) in progress...
Jan 27 07:32:33 ip-172-31-15-18 maldet(18831): {scan} scan completed on /tmp: files 84, malware hits 0, cleaned hits 0, time 16s
Jan 27 07:32:33 ip-172-31-15-18 maldet(18831): {scan} scan report saved, to view run: maldet --report 220127-0732.18831

Use the following command to clear logs, quarantine queue, and session and temporary data from the previous maldet scan.

root@noufserver:~# maldet -p

Here is the output.

root@noufserver:~# maldet -p
Linux Malware Detect v1.6.4

This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19989): {glob} logs and quarantine data cleared by user request (-p)

To confirm if the log data is removed or not, use the following command.

root@noufserver:~# maldet -l

Here is the output.

root@noufserver:~# maldet -l
Linux Malware Detect v1.6.4

This program may be freely redistributed under the terms of the GNU GPL v2

Viewing last 50 lines from /usr/local/maldetect/logs/event_log:
Jan 27 07:35:51 noufserver maldet(19989): {glob} logs and quarantine data cleared by user request (-p)

Using the following command, update the malware detection signature.

root@noufserver:~# maldet -u

Here is the output.

root@noufserver:~# maldet -u
Linux Malware Detect v1.6.4

This program may be freely redistributed under the terms of the GNU GPL v2

maldet(20133): {sigup} performing signature update check...
maldet(20133): {sigup} local signature set is version 20220122476998
maldet(20133): {sigup} latest signature set already installed

The following command helps you check the maldet version.

root@noufserver:~# maldet -d

Here is the output.

root@noufserver:~# maldet -d
Linux Malware Detect v1.6.4

This program may be freely redistributed under the terms of the GNU GPL v2

maldet(20239): {update} checking for available updates...
maldet(20239): {update} hashing install files and checking against server...
maldet(20239): {update} latest version already installed.

Wrapping Up

Linux Malware Detect is an effective way to clean malware infections. However, securing the compromised user or website is still necessary to avoid suspicious activities and should be an important task before using Linux Malware Detect. Prevent suspicious activities from occurring in the first place with proper security mitigation strategies.

If you are looking for assistance to secure your site or server or purchase a server for your site, Liquid Web is the right choice for you. At Liquid Web, we offer Dedicated Server and Managed VPS Hosting options. In addition, our skilled team provides 24/7/365 support and monitoring services so that you can focus on your websites. Contact our team today to learn more.

About the Author: Mohammed Noufal

Mohammed Noufal has worked as a senior server administrator for 8+ years. He can be found on LinkedIn to know more or connect.

Latest Articles

Select a MySQL Database on Linux via Command Line

Read Article

Select a MySQL Database on Linux via Command Line

Read Article

What is Cloud Automation?

Read Article

What is the Default Password for PostgreSQL?

Read Article

How to Create Custom Error Pages in cPanel

Read Article