How To Install and Configure LMD in Linux
In this article, we want to teach you how to install and configure LMD in Linux.
LMD, which stands for Linux Malware Detect, is a malware scanner for Linux released under the GNU GPLv2 license.
It uses a variety of tools to identify and remove malware such as viruses, spyware, and adware.
We also use ClamAV as the antivirus engine for LMD.
How To Install and Configure LMD in Linux
In this part, we want to show you how to install and configure LMD on RPM-based distributions (CentOS, RedHat, AlmaLinux, etc.) and DEB-based distributions (Debian, Ubuntu, etc.).
These instructions work on all of these distros.
We run the commands as the root user; if you log in to your server as a non-root user, you need sudo privileges to execute them.
How To Install LMD in Linux
LMD is not available in the default repositories but is distributed as a tarball from the project’s website. You can always get the latest version from the following link.
You can use the wget command to download LMD. Run the following command:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Now you need to extract the archive with the following command:
tar -xvf maldetect-current.tar.gz
To check that the archive has been extracted, use the following command:
ls -l | grep maldetect
Output
drwxr-xr-x 3 root root 4096 Jun 20 2019 maldetect-1.6.4
-rw-r--r-- 1 root root 1549126 Jul 5 2019 maldetect-current.tar.gz
Now, go to the "maldetect-1.6.4" directory:
cd maldetect-1.6.4/
List files in this directory:
ls
Output
CHANGELOG CHANGELOG.VARIABLES cron.daily files README CHANGELOG.RELEASE COPYING.GPL cron.d.pub install.sh
At this point, you need to execute the installation script to install LMD with the following command:
./install.sh
Output
Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /lib/systemd/system/maldet.service.
update-rc.d: error: unable to read /etc/init.d/maldet
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@r-fx.org>
(C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(144252): {sigup} performing signature update check...
maldet(144252): {sigup} local signature set is version 201907043616
maldet(144252): {sigup} new signature set 202109102420138 available
maldet(144252): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(144252): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(144252): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(144252): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(144252): {sigup} verified md5sum of maldet-clean.tgz
maldet(144252): {sigup} unpacked and installed maldet-clean.tgz
maldet(144252): {sigup} signature set update completed
maldet(144252): {sigup} 17258 signatures (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
When you are done with the installation, you can start to configure LMD in Linux.
How To Configure LMD in Linux
To modify the LMD configuration file, open it with the following command (you can use your favorite text editor instead of vi):
vi /usr/local/maldetect/conf.maldet
Then, find the lines below and set them to these values:
email_alert="1"
email_addr="user@domain.com"
autoupdate_signatures="1"
autoupdate_version="1"
cron_daily_scan="1"
scan_user_access="1"
quarantine_hits="1"
quarantine_clean="0"
quarantine_suspend_user="1"
quarantine_suspend_user_minuid="500"
scan_clamscan="1"
scan_ignore_root="0"
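A quick way to confirm that conf.maldet really carries the settings above, as an added example that is not part of the original article: it reads the key="value" lines the way maldet sources them (last uncommented assignment wins) and reports every value that differs from the list above. The sample config it writes is constructed for this example, with quarantine_hits deliberately left at 0.

```shell
# Added example, not from the article: check that conf.maldet carries the
# settings the article asks for. Assumes the stock key="value" layout of
# conf.maldet; the sample file written below is constructed for this example.
# Print the value of KEY ($2) from FILE ($1); the last uncommented
# assignment wins, matching how maldet sources the file.
lmd_conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}
# key=value pairs the article sets (email_addr is only checked for being set)
LMD_EXPECTED="email_alert=1 autoupdate_signatures=1 autoupdate_version=1
cron_daily_scan=1 scan_user_access=1 quarantine_hits=1 quarantine_clean=0
quarantine_suspend_user=1 quarantine_suspend_user_minuid=500
scan_clamscan=1 scan_ignore_root=0"
# Print every setting that differs and return non-zero if any does.
lmd_conf_check() {
    bad=0
    for pair in $LMD_EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(lmd_conf_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '${have:-<unset>}' want '$want'"
            bad=$((bad + 1))
        fi
    done
    if [ -z "$(lmd_conf_get "$1" email_addr)" ]; then
        echo "MISMATCH email_addr: unset, so alerts have nowhere to go"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample: as the article sets it, except quarantine_hits left
# at 0, so hits would only be reported and not moved to quarantine.
LMD_SAMPLE_CONF=$(mktemp)
cat > "$LMD_SAMPLE_CONF" <<'EOF'
email_alert="1"
email_addr="admin@example.com"
autoupdate_signatures="1"
autoupdate_version="1"
cron_daily_scan="1"
scan_user_access="1"
quarantine_hits="0"
quarantine_clean="0"
quarantine_suspend_user="1"
quarantine_suspend_user_minuid="500"
scan_clamscan="1"
scan_ignore_root="0"
EOF
lmd_conf_check "$LMD_SAMPLE_CONF" || echo "conf.maldet needs attention"
```

Point it at /usr/local/maldetect/conf.maldet instead of the sample file to check a real installation.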
Now you need to create the correct paths for the logged-in user with the following command:
/usr/local/sbin/maldet --mkpubpaths
At this point, you need to update the LMD virus definitions database with the following command:
maldet -u
Output
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(144975): {sigup} performing signature update check...
maldet(144975): {sigup} local signature set is version 202109102420138
maldet(144975): {sigup} latest signature set already installed
You can check for a newer version of LMD with the following command:
maldet -d
Output
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(145079): {update} checking for available updates...
maldet(145079): {update} hashing install files and checking against server...
maldet(145079): {update} latest version already installed.
Here you need to install ClamAV as an antivirus engine for LMD.
Install ClamAV on AlmaLinux/Centos/RHEL
First, you need to enable the EPEL repository with the following command:
yum install epel-release
Then, you should update the system and install ClamAV with the following command:
yum update && yum install clamd
Install ClamAV on Debian/Ubuntu
On Debian/Ubuntu servers use the following command to install ClamAV:
apt update && apt-get install clamav clamav-daemon
Note: In this article, we don’t go into the details of ClamAV; LMD signatures are still the basis for detecting and cleaning threats. To learn more about ClamAV, you can visit this article about How to install and configure ClamAV in Linux.
Now, you can start to scan with maldet.
How to scan with maldet in Linux
You can test whether maldet is working correctly by downloading the sample test files from the EICAR website.
Run the commands below:
cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
Then, execute the maldet command to scan the temp directory:
maldet -a /tmp
Here, the "-a" option means it will scan all files in the path.
Output
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(155409): {scan} signatures loaded: 17258 (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(155409): {scan} building file list for /tmp, this might take awhile...
maldet(155409): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(155409): {scan} file list completed in 0s, found 4 files...
maldet(155409): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(155409): {scan} scan of /tmp (4 files) in progress...
maldet(155409): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(155409): {scan} scan completed on /tmp: files 4, malware hits 2, cleaned hits 0, time 34s
maldet(155409): {scan} scan report saved, to view run: maldet --report 210911-0603.155409
maldet(155409): {alert} sent scan report to olivia@orcacore.com
To get a maldet scan report, use the following command with the scan ID shown in the output above:
maldet --report 210911-0603.155409
Output
HOST: debian
SCAN ID: 210911-0603.155409
STARTED: Sep 11 2021 06:03:17 -0400
COMPLETED: Sep 11 2021 06:03:51 -0400
ELAPSED: 34s [find: 0s]
PATH: /tmp
TOTAL FILES: 4
TOTAL HITS: 2
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.1357913224
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.2679130470
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
This command opens the report in a text editor (nano), as in the example above.
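When scans run daily from cron, nobody reads the report in nano; the added example below (not part of the original article) turns the report format shown above into tab-separated records and cross-checks it: the FILE HIT LIST must have as many entries as TOTAL HITS, and every hit must carry a quarantine path. It assumes that a hit which was not quarantined (for instance with quarantine_hits="0") is listed without the " => " part; the sample report is adapted from the one above.

```shell
# Added example, not from the article: turn a maldet --report into tab-separated
# records and cross-check it. Assumes the report layout shown above and that a
# hit which was not quarantined has no " => " part; the sample is adapted from it.
# Print the header field named $2 (e.g. "TOTAL HITS") from report file $1.
lmd_report_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}
# One line per hit: signature<TAB>file<TAB>quarantine path (empty if none).
lmd_report_hits() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=====/          { inlist = 0 }
        inlist && NF {
            i = index($0, " : "); sig = substr($0, 1, i - 1); rest = substr($0, i + 3)
            j = index(rest, " => ")
            if (j) { path = substr(rest, 1, j - 1); q = substr(rest, j + 4) }
            else   { path = rest; q = "" }
            printf "%s\t%s\t%s\n", sig, path, q
        }' "$1"
}
# Checks a defender wants before trusting the report: the hit list length
# matches TOTAL HITS, and every hit was actually moved to quarantine.
lmd_report_check() {
    total=$(lmd_report_field "$1" "TOTAL HITS"); total=${total:-0}
    listed=$(lmd_report_hits "$1" | wc -l | tr -d ' ')
    kept=$(lmd_report_hits "$1" | awk -F'\t' '$3 == ""' | wc -l | tr -d ' ')
    [ "$listed" -eq "$total" ] || { echo "hit list has $listed entries, header says $total"; return 1; }
    [ "$kept" -eq 0 ] || { echo "$kept hit(s) still in place, not quarantined"; return 1; }
    echo "report consistent: $total hits, all quarantined"
}

LMD_SAMPLE_REPORT=$(mktemp)
cat > "$LMD_SAMPLE_REPORT" <<'EOF'
HOST: debian
SCAN ID: 210911-0603.155409
PATH: /tmp
TOTAL FILES: 4
TOTAL HITS: 2
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.1357913224
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.2679130470
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
EOF
lmd_report_hits "$LMD_SAMPLE_REPORT"
lmd_report_check "$LMD_SAMPLE_REPORT" || echo "report needs attention"
```

Feed it a saved report (maldet --report SCANID, or the file under /usr/local/maldetect/sess/) to get records you can ship to a log collector.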
Conclusion
At this point, you have learned how to install and configure LMD in Linux and use the basics on a web server to scan for infected files. You can use this guide on all distros such as AlmaLinux, CentOS 7, Ubuntu 20.04, Debian 11, etc.
We hope you enjoyed this part of the Security Tutorials.