Set up malware scanner LMD Maldet and ClamAV on a RunCloud instance

How to set up a malware scanner with LMD Maldet and ClamAV on a RunCloud server instance.

One of the popular open source malware scanners is Linux Malware Detect (LMD), which works well on any Linux web server: it keeps a daily updated database of known malware signatures, pulled from a central registry, and scans files against it.

Linux Malware Detect can also use the ClamAV scanner as its engine, which speeds up file scanning.

How to install Linux Malware Detect

SSH into your server as the root user, cd to /root and download the current release:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract It

tar -xvf maldetect-current.tar.gz

Remove the Archive

rm maldetect-current.tar.gz

Move in and Run the Installer

cd maldetect-1.6.5/
./install.sh

This downloads the latest signature databases and installs LMD under /usr/local/maldetect. Now to configure it.

Configure Linux Malware Detect

Using nano…

nano /usr/local/maldetect/conf.maldet

Set up Email Alerts

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"

For email alerts, set the email_alert toggle to 1, adjust the subject line email_subj if desired, and put your address in email_addr.

For email alerts to work you will need Postfix installed and configured on the server to send outgoing mail.

Manual Malware Scans On RunCloud Webapps

You can run a manual scan on a specific webapp under a user account, or on all webapps:

maldet -a /home/runcloud/webapps/<webapp_name>/

Or on all webapps belonging to the same user, using the ? wildcard:

maldet -a /home/runcloud/webapps/?/

Or on all users and webapps, using multiple wildcards:

maldet -a /home/?/webapps/?/

Automatic Daily Malware Scans

When installed LMD (Linux Malware Detect) adds a cron job to the daily folder:

/etc/cron.daily/maldet

This cron job updates the malware signature database it downloaded at install time, picking up any new threats, and scans all new and modified files in the home directories on the server. If anything is found you get an email giving the path to the offending file.

The cron script lists webroot paths for popular control panels, but RunCloud's layout does not match any of them, so you need to add it to the script. Open the cron file:

nano /etc/cron.daily/maldet

Find the else branch below and add the RunCloud webroot path /home/?/webapps/?/ to the end of the path list:

else
        # cpanel, interworx and other standard home/user/public_html setups
        $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/,/home/?/webapps/?/ $scan_days >> /dev/null 2>&1
fi
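Editing the cron script by hand works, but every LMD upgrade that rewrites /etc/cron.daily/maldet would drop the RunCloud path again, and the daily scan would silently cover nothing. The script below is an added example (not code from the post or from LMD) that inserts the glob with sed, only once, keeps a .bak copy, and fails loudly if the expected public_html line is not there. It assumes the else branch looks like the snippet above (a -r path list followed by a space and $scan_days) and uses the cron path the post gives; the sample cron file it builds for a dry run is constructed here.

```shell
#!/bin/sh
# Added example, not from the post or from LMD: add the RunCloud webroot glob
# to the public_html scan line of /etc/cron.daily/maldet without hand-editing.
# Assumes that line looks like the else-branch shown in the post (a "-r" path
# list followed by " $scan_days"); the cron path is the one the post gives
# (override with $MALDET_CRON).
set -eu

RUNCLOUD_GLOB='/home/?/webapps/?/'
CRON_FILE="${MALDET_CRON:-/etc/cron.daily/maldet}"

# add_runcloud_path FILE: append RUNCLOUD_GLOB to the path list on the
# public_html line, once. Returns 1 if that line is missing (a newer LMD
# release may restructure the cron script), so the caller notices instead of
# the daily scan quietly covering nothing on RunCloud.
add_runcloud_path() {
    f="$1"
    grep -qF '/home?/?/public_html/' "$f" || return 1
    if grep -qF "$RUNCLOUD_GLOB" "$f"; then
        return 0   # already patched: keep the run idempotent
    fi
    cp "$f" "$f.bak"
    # On the public_html line only, insert the glob just before " $scan_days".
    # | is the s/// delimiter because every path contains /; "\\\$" reaches
    # sed as \$, i.e. a literal dollar sign rather than an end-of-line anchor.
    sed -i "/\/home?\/?\/public_html\//s|\([[:space:]]\\\$scan_days\)|,$RUNCLOUD_GLOB\1|" "$f"
}

# scan_paths FILE: print the paths the public_html line will scan, one per line.
scan_paths() {
    grep -F '/home?/?/public_html/' "$1" | sed 's/.*-r \([^ ]*\) .*/\1/' | tr ',' '\n'
}

# make_sample_cron FILE: a constructed copy of the else-branch from the post,
# as shipped (before the RunCloud path is added), for a dry run.
make_sample_cron() {
    cat > "$1" <<'EOF'
else
        # cpanel, interworx and other standard home/user/public_html setups
        $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
fi
EOF
}

# Usage: sh add-runcloud-path.sh --apply   (prints the resulting path list)
if [ "${1:-}" = "--apply" ]; then
    add_runcloud_path "$CRON_FILE" || { echo "public_html line not found in $CRON_FILE" >&2; exit 1; }
    scan_paths "$CRON_FILE"
fi
```

Run it with --apply as root after each LMD upgrade; the second run is a no-op, and scan_paths gives you a quick way to confirm that /home/?/webapps/?/ is really in the list the cron will pass to maldet -b -r.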

A good approach is to run a whole-server scan once after installing, then let maldet's daily cron scan only the modified files from then on.

If you would rather run the maldet scan weekly, move the cron file into the cron.weekly directory instead:

mv /etc/cron.daily/maldet /etc/cron.weekly/

Dealing With Malware Files

Once (if) you get a hit on a file, open it on the web server and clean the malware code out. Then work out how it got in in the first place: software patching, updating passwords, and so on.

You can also have LMD quarantine any file it flags. This is set back in conf.maldet, in the quarantine options block that follows the email alert section:

# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=0

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

The default is only to alert, but you can have LMD move the file out of the file system into quarantine and also try to strip the injected malware code; then you just need to inspect the file and restore it.
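The email alert toggles earlier in the post and the quarantine pair above are all plain key=value lines in conf.maldet, so they can be set from a script instead of in nano, which is handy when you run several RunCloud servers. The following is an added example (not code from the post or from LMD): it rewrites a setting with sed, keeps a .bak copy, and refuses to touch a key that is not already in the file, so a typo cannot quietly add a setting maldet never reads. It uses the conf.maldet path the post gives; the sample config it builds for a dry run is constructed here.

```shell
#!/bin/sh
# Added example, not from the post or from LMD: set conf.maldet toggles
# from a script. Assumes the key=value layout shown in the post; the
# conf.maldet path is the one the post gives (override with $MALDET_CONF).
set -eu

MALDET_CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"

# set_maldet_option FILE KEY VALUE
# Rewrites the value of an existing, uncommented KEY= line in place and
# keeps FILE.bak. Returns 1 if KEY is absent, so a typo cannot silently
# add a setting that maldet never reads.
set_maldet_option() {
    file="$1"; key="$2"; value="$3"
    grep -q "^${key}=" "$file" || return 1
    cp "$file" "$file.bak"
    # | as the sed delimiter so values containing / (paths) are safe.
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
}

# get_maldet_option FILE KEY: print the current value, surrounding quotes stripped.
get_maldet_option() {
    sed -n "s/^$2=//p" "$1" | sed 's/^"//; s/"$//'
}

# enable_email_alerts FILE ADDRESS: the [ EMAIL ALERTS ] settings in one call
# (email_subj keeps its default). Mail still needs a working MTA such as postfix.
enable_email_alerts() {
    set_maldet_option "$1" email_alert 1
    set_maldet_option "$1" email_addr "\"$2\""
}

# enable_quarantine FILE: the [ QUARANTINE OPTIONS ] pair. quar_clean only
# takes effect with quar_hits=1, so the two are always set together.
enable_quarantine() {
    set_maldet_option "$1" quar_hits 1
    set_maldet_option "$1" quar_clean 1
}

# make_sample_conf FILE: a constructed stand-in for conf.maldet (the keys the
# post shows, at their defaults) for a dry run that leaves the real file alone.
make_sample_conf() {
    cat > "$1" <<'EOF'
# [ EMAIL ALERTS ]
email_alert=0
email_subj="maldet alert from $(hostname)"
email_addr="you@domain.com"
# [ QUARANTINE OPTIONS ]
quar_hits=0
quar_clean=1
EOF
}

# Usage: sh set-maldet.sh --apply alerts@example.com
if [ "${1:-}" = "--apply" ]; then
    enable_email_alerts "$MALDET_CONF" "${2:?alert address required}"
    enable_quarantine "$MALDET_CONF"
    printf 'email_alert=%s email_addr=%s quar_hits=%s\n' \
        "$(get_maldet_option "$MALDET_CONF" email_alert)" \
        "$(get_maldet_option "$MALDET_CONF" email_addr)" \
        "$(get_maldet_option "$MALDET_CONF" quar_hits)"
fi
```

Leave quar_hits at 0 on a server where false positives would take a production site down; with quarantine on, a flagged file is moved out of the webroot before anyone has looked at it, so check the alert and restore from quarantine promptly if the hit was wrong.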

Maldet Log

You can check all maldet activity with the log command, which shows the latest scans and signature updates:

maldet --log

Each scan produces a report, which you can email to yourself; in the log it appears as:

{scan} scan report saved, to view run: maldet --report 200618-0628.16436

Email it…

maldet --report 200618-0628.16436 [email protected]

Further Options

Check further usage with:

maldet --help

or the official documentation.

Adding ClamAV

You can use ClamAV as the scanner engine, which speeds scanning up a lot (almost double). It consumes CPU and memory while running, but the load falls over the following days because only modified files are scanned.

I would recommend not using it on a busy server with less than 2GB of RAM. Each case is different: you can always try it, watch the result with the top command, and remove it if it uses too many resources.

ClamAV installs both a binary and a daemon; LMD uses the clamscan binary and not the daemon, so you can remove the daemon.

Setting up Clam AV

apt-get install clamav clamav-daemon

This installs ClamAV and puts the scanner binary here:

/usr/bin/clamscan

This is where LMD looks for the clamscan binary and uses it when scanning the file system.

If performance on the server is still affected (as suggested in the comments), you can try disabling the ClamAV daemon, which is mostly used for on-access scanning such as incoming email and loads the full signature set into RAM.

Disable the ClamAV Daemon

systemctl disable clamav-daemon.service

systemctl stop clamav-daemon.service

Test Malware Files

You can test that LMD is working and that email reports are sent on hits with the EICAR test files, which are not malware but are flagged by every scanner. Download the files below into a directory that you scan:

wget http://www.eicar.org/download/eicar.com
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
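The downloads above are often blocked on the way in (corporate proxies and some antivirus products drop anything that looks like EICAR), in which case you can create the test file locally. The script below is an added example, not code from the post: it writes the published EICAR test string (68 bytes, harmless by design) into a directory of your choosing and checks the file is byte-for-byte intact, so that a missing hit points at the scanner or the cron path rather than at a mangled test file. It assumes the directory is one your manual or daily scan covers.

```shell
#!/bin/sh
# Added example, not from the post: create the EICAR test file locally
# instead of downloading it. The string is the standard EICAR test string;
# it is not malware, but clamscan and LMD's own signatures both flag it.
set -eu

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar DIR: write DIR/eicar.com and print its size in bytes.
# printf '%s' is used so that neither % nor \ in the string is interpreted,
# and no trailing newline is added (the file must be exactly 68 bytes).
write_eicar() {
    dir="$1"
    printf '%s' "$EICAR" > "$dir/eicar.com"
    wc -c < "$dir/eicar.com" | tr -d ' '
}

# eicar_ok FILE: succeed only if FILE is byte-for-byte the test string.
eicar_ok() {
    [ "$(cat "$1")" = "$EICAR" ]
}

# Usage: sh make-eicar.sh /home/runcloud/webapps/<webapp_name>
# (the webapp path is the placeholder the post uses; substitute your own)
if [ $# -ge 1 ] && [ -d "$1" ]; then
    size=$(write_eicar "$1")
    eicar_ok "$1/eicar.com" || { echo "test file is not intact" >&2; exit 1; }
    echo "wrote $1/eicar.com ($size bytes); now run: maldet -a $1"
fi
```

After the scan, maldet --log should show a hit for eicar.com and, with email_alert=1, an alert should arrive; if quar_hits=1 is on, the file will have been moved to quarantine, which is itself a useful end-to-end check. Delete the test file afterwards so later scans do not keep reporting it.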

Using LMD as a monitoring app

LMD can also run as a monitoring daemon that watches files in real time for modifications and moves.

You set home user directories, paths or files as the sources to be monitored.

It requires an additional package, inotify-tools; on Ubuntu the command is:

apt install inotify-tools

If you decide later to remove it, use:

apt-get remove --auto-remove inotify-tools

I typically do not use monitoring mode, but if you would like to find out more about it then check the reference links below plus the regular maldet docs and conf files.

Uninstall LMD and ClamAV

To Completely Remove LMD and Clam AV

If you want to remove these apps…

To remove ClamAV

apt-get remove clamav

To Remove Maldet LMD – run the uninstall script…

/usr/local/maldetect/uninstall.sh

More info on LMD

References

  • https://www.theurbanpenguin.com/linux-malware-detection-with-maldet/
  • https://www.woktron.com/secure/knowledgebase/145/Installation-Linux-Malware-Detect-Maldet-On-CentOS.html

7 Comments

  1. Ovidiu on May 3, 2021 at 7:41 am

    btw. it looks like you can safely stop the clamav-daemon as it eats up RAM like candy and maldet actually does seem to use the binary not the daemon.

    So I just did this:

    systemctl disable clamav-daemon.service
    systemctl stop clamav-daemon.service

    and maldet seems to work just fine with clamav =>

    maldet(117044): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine…

    • Ovidiu on May 15, 2021 at 3:05 pm

      not quite:

      May 14 06:24:03 host maldet(738): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
      May 14 06:22:03 host maldet(738): {mon} scanned 3 new/changed files with clamav engine

  2. Ovidiu on April 20, 2021 at 7:23 am

    Should I care about this error:

    update-rc.d: error: unable to read /etc/init.d/maldet

    root@host:~/maldetect-1.6.4# ./install.sh
    update-rc.d: error: unable to read /etc/init.d/maldet
    Linux Malware Detect v1.6.4
    (C) 2002-2019, R-fx Networks
    (C) 2019, Ryan MacDonald
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet

    • Neil Gowran on April 21, 2021 at 7:48 am

      I have not come across that error when I have installed it, if the scanner works it should be ok, the error seems to relate to a RunCloud update

      • Ovidiu on April 23, 2021 at 3:13 pm

        Thanks. One more question for you: manual scans work but apparently the cron job always results in this error:

        “scan returned empty file list; check that path exists, contains files in days range or files in scope of configuration.”

        It's all configured exactly as you described here in this post.

        A few days after installation I checked its logs with maldet -l and found this problem. Any ideas?

  3. Peter on July 28, 2020 at 3:21 pm

    hello,

    Thanks for the great tutorial, but the code seems to be a little screwed up, as it is missing line breaks and shows on one line.

    • Neil Gowran on July 30, 2020 at 12:18 am

      Thanks for letting me know – updated.
