How To Install and Configure LMD in Linux

In this article, we want to teach you How to install and configure LMD in Linux.

LMD which stands for Linux Malware Detect is a malware scanner for Linux released under the GNU GPLv2 license.

It uses a variety of tools to identify and remove malware. such as viruses, spyware, and adware.

Also, we use ClamAV as an antivirus engine for LMD.

How To Install and Configure LMD in Linux

In this part, we want to show you how to install and configure LMD on RPM packages for Centos, RedHat, AlmaLinux, etc., and DEB packages for Debian, Ubuntu, etc.

This instruction will work on all distros.

We run commands as a root user, if you log in as a non-root user to your server you need to have sudo privileges to execute the commands.

How To Install LMD in Linux

LMD is not available in default repositories but is distributed as a tarball from the project’s website. You can always get the latest version with the following link.

You can use the wget command to download the LMD. run the following command:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Now you need to extract the archive with the following command:

tar -xvf maldetect-current.tar.gz

To check that the archive has been extracted, use the following command:

ls -l | grep maldetect
Output
drwxr-xr-x 3 root root 4096 Jun 20 2019 maldetect-1.6.4
-rw-r--r-- 1 root root 1549126 Jul 5 2019 maldetect-current.tar.gz

Now, go to the “maldetect-1.6.4″ directory:

cd maldetect-1.6.4/

List files in this directory:

ls
Output
CHANGELOG CHANGELOG.VARIABLES cron.daily files README
CHANGELOG.RELEASE COPYING.GPL cron.d.pub install.sh

At this point, you need to execute the installation script to install LMD with the following command:

./install.sh
Output
Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /lib/systemd/system/maldet.service.
update-rc.d: error: unable to read /etc/init.d/maldet
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@r-fx.org>
(C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(144252): {sigup} performing signature update check...
maldet(144252): {sigup} local signature set is version 201907043616
maldet(144252): {sigup} new signature set 202109102420138 available
maldet(144252): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(144252): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(144252): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(144252): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(144252): {sigup} verified md5sum of maldet-clean.tgz
maldet(144252): {sigup} unpacked and installed maldet-clean.tgz
maldet(144252): {sigup} signature set update completed
maldet(144252): {sigup} 17258 signatures (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)

When you are done with the installation, you can start to configure LMD in Linux.

How To Configure LMD in Linux

To modify the LMD configuration file, use the following command to open the file, You can use your favorite text editor:

vi /usr/local/maldetect/conf.maldet

Then, find the lines below and set them to these:

email_alert="1" 
email_addr="user@domain.com" 
autoupdate_signatures="1" 
autoupdate_version="1"
cron_daily_scan="1" 
scan_user_access="1" 
quarantine_hits="1" 
quarantine_clean="0" 
quarantine_suspend_user="1" 
quarantine_suspend_user_minuid="500"
scan_clamscan="1" 
scan_ignore_root="0"

Now you need to create the correct paths for the logged-in user with the following command:

/usr/local/sbin/maldet --mkpubpaths

At this point, you need to update the LMD virus definitions database with the following command:

maldet -u
Output
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(144975): {sigup} performing signature update check...
maldet(144975): {sigup} local signature set is version 202109102420138
maldet(144975): {sigup} latest signature set already installed

You can check for the newer version of LMD with the following command:

maldet -d
Output
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(145079): {update} checking for available updates...
maldet(145079): {update} hashing install files and checking against server...
maldet(145079): {update} latest version already installed.

Here you need to install ClamAV as an antivirus engine for LMD.

Install ClamAV on AlmaLinux/Centos/RHEL

first, you need to enable the EPEL repository with the following command:

yum install epel-release

Then, you should update the system and install ClamAV with the following command:

yum update && yum install clamd

Intall ClamAV on Debian/Ubuntu

On Debian/Ubuntu servers use the following command to install ClamAV:

apt update && apt-get install clamav clamav-daemon

Note: In this article, we don’t get into details about ClamAV, LMD signatures are still the basis for detecting and cleaning threats. to know more about ClamAV you can visit this article about How to install and configure ClamAV in Linux.

Now, you can start to scan with maldet.

How to scan with maldet in Linux

You can test whether the maldet is working correctly or not. you can download a sample virus signature from the EICAR website.

Run the commands below:

cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Then, execute the maldet command to scan the temp directory:

maldet -a /tmp

Here “-a” option means it will scan all files in the path.

Output
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(155409): {scan} signatures loaded: 17258 (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(155409): {scan} building file list for /tmp, this might take awhile...
maldet(155409): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(155409): {scan} file list completed in 0s, found 4 files...
maldet(155409): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(155409): {scan} scan of /tmp (4 files) in progress...
maldet(155409): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(155409): {scan} scan completed on /tmp: files 4, malware hits 2, cleaned hits 0, time 34s
maldet(155409): {scan} scan report saved, to view run: maldet --report 210911-0603.155409
maldet(155409): {alert} sent scan report to olivia@orcacore.com

To get maldet scan reports you can use the following command with scan ID that you get in the above output:

maldet --report 210911-0603.155409
Output
HOST: debian
SCAN ID: 210911-0603.155409
STARTED: Sep 11 2021 06:03:17 -0400
COMPLETED: Sep 11 2021 06:03:51 -0400
ELAPSED: 34s [find: 0s]
PATH: /tmp
TOTAL FILES: 4
TOTAL HITS: 2
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.1357913224
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.2679130470
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >

With this command, you will be taken to a pop-up report in a text editor (nano) as in the example above.

Conclusion

At this point, you learn how to install and configure LMD in Linux and use the basics on a webserver to scan infected files. you can use this guide in all distros like AlmaLinux, Centos 7, Ubuntu20.04, Debian 11, etc.

Hope you enjoy this part of the Security Tutorials.

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Stay informed and not overwhelmed, subscribe now!