Install Linux Malware Detect (LMD) with ClamAV Centos 6.7

ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license.

1. Installing LMD

The first step is to download and install the current maldetect release.
[root@www ~]# wget
[root@www ~]# tar -xvf maldetect-current.tar.gz
[root@www ~]# cd maldetect-1.5/
[root@www maldetect-1.5]# ls
[root@www maldetect-1.5]#
[root@www maldetect-1.5]# ./
Linux Malware Detect v1.5
(C) 2002-2016, R-fx Networks <>
(C) 2016, Ryan MacDonald <>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
imported config options from /usr/local/maldetect.last/conf.maldet
maldet(48317): {sigup} performing signature update check...
maldet(48317): {sigup} local signature set is version 201608309492
maldet(48317): {sigup} latest signature set already installed

[root@www maldetect-1.5]#

2. Configuring Linux Malware Detect

After the installation we need to configure LMD; its configuration is handled through /usr/local/maldetect/conf.maldet.
In the configuration file you will find the following sections :
[root@www maldetect-1.5]# nano /usr/local/maldetect/conf.maldet
# Enable e-mail alerts for malware hits as well as automated/manual scan reports.
# The destination e-mail address(es) for alerts and automated/manual scan reports.
# Tell LMD to detect the presence of the ClamAV binary and use it as the default scanner engine.
# The default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert); this tells LMD what to do when malware is detected.
# Whether to attempt to clean string-based malware injections.
# The default suspend action for users with hits; this lets LMD disable an account whose owned files have been identified as hits.

Then save and exit with Ctrl+X and confirm with Y.
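As an added example (not the page's own listing), the settings described above as they appear in an LMD 1.5 conf.maldet, assuming the default option names of that release; the shipped alert-only value is shown beside the quarantine-and-alert setting, and the address is a placeholder:

```shell
# e-mail alerts for hits and scan reports (1 = on), and where to send them
email_alert="1"
email_addr="admin@example.com"        # placeholder address

# use the ClamAV binary as the scanner engine when it is present
scan_clamscan="1"

# shipped default: alert only, the hit stays in place and keeps being served
# quarantine_hits="0"
# move hits to /usr/local/maldetect/quarantine and alert
quarantine_hits="1"

# attempt to clean string-based injections (only meaningful with quarantine_hits="1")
quarantine_clean="1"

# suspend the account that owns a hit (0 = off, 1 = on)
quarantine_suspend_user="0"
```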

3. Installing ClamAV

The next step is to install ClamAV.
[root@www maldetect-1.5]# yum install -y epel-release && yum install -y clamav
After the installation is complete, review the following configuration files and customise them as needed:
nano /etc/clamd.conf
nano /etc/freshclam.conf
By default, ClamAV checks for new virus definitions every hour; to change this interval, edit /etc/freshclam.conf.
[root@www maldetect-1.5]# nano /etc/freshclam.conf
# Number of database checks per day. Default: 12 (every two hours); change "#Checks 24" to "Checks 1"
Checks 1
# That means: check for a new database once a day
Then save and exit with Ctrl+X and confirm with Y.

To do a manual update of the virus definitions, you can execute:
[root@www maldetect-1.5]# freshclam -v

Enable notifications and schedule the scan
Create the script file /root/
[root@www maldetect-1.5]# nano /root/
and insert the following script:
#!/bin/bash
# Daily ClamAV scan: scan the listed directories, log the results and
# e-mail the log when infected files are found.
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="clamav@example.com"   # placeholder: sender address
EMAIL_TO="admin@example.com"      # placeholder: recipient address
DIRTOSCAN="/var/www /home/albennet"

for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)

    echo "Starting a daily scan of $S directory.
Amount of data to be scanned is $DIRSIZE."

    # -r: recursive, -i: only print infected files
    clamscan -ri "$S" >> "$LOGFILE"

    # get the value of the "Infected files:" line from the scan summary
    MALWARE=$(tail "$LOGFILE" | grep Infected | cut -d" " -f3)

    # if the value is not equal to zero, send an email with the log file attached
    if [ "${MALWARE:-0}" -ne "0" ]; then
        # using heirloom-mailx below
        echo "$EMAIL_MSG" | mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
    fi
done

exit 0
Then save and exit with Ctrl+X and confirm with Y.
Make the script executable:
[root@www maldetect-1.5]# chmod +x /root/
Now enable the daily execution of the script by creating a symlink in the /etc/cron.daily/ directory:
[root@www maldetect-1.5]# ln -s /root/ /etc/cron.daily/clamscan_daily
Then enable and start the clamd daemon:
[root@www maldetect-1.5]# chkconfig clamd on
[root@www maldetect-1.5]# /etc/init.d/clamd start
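The cron script above reads only the tail of the day's log, so it sees just the most recent scan summary. As an added example (not part of the original page), the helper below sums the "Infected files:" line of every clamscan summary in a log and treats a log with no summary as zero hits, so the numeric test never fails on an empty value; the log content is constructed for the example.

```shell
#!/bin/sh
# infected_count: sum the "Infected files:" counts of all clamscan summaries
# in the given log. Prints 0 when no summary is present.
infected_count() {
    # $1: path to a clamscan log that may hold several scan summaries
    awk '/^Infected files:/ { total += $3 } END { print total + 0 }' "$1"
}

# needs_alert: succeeds (exit 0) when the log holds at least one hit,
# so the cron script can use it directly in an if statement.
needs_alert() {
    [ "$(infected_count "$1")" -ne 0 ]
}

# Constructed sample log: two directory scans appended to one daily log,
# only the first of which reported hits.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
/var/www/html/uploads/a.php: Eicar-Test-Signature FOUND
/var/www/html/uploads/b.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4200000
Engine version: 0.99.2
Scanned directories: 12
Scanned files: 340
Infected files: 2
Data scanned: 10.50 MB
Time: 3.210 sec (0 m 3 s)

----------- SCAN SUMMARY -----------
Known viruses: 4200000
Engine version: 0.99.2
Scanned directories: 3
Scanned files: 57
Infected files: 0
Data scanned: 1.20 MB
Time: 0.410 sec (0 m 0 s)
EOF

# Constructed empty log: clamscan aborted before writing a summary.
EMPTY_LOG=$(mktemp)

echo "hits in sample log: $(infected_count "$SAMPLE_LOG")"   # → 2
echo "hits in empty log:  $(infected_count "$EMPTY_LOG")"    # → 0
```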

4. Testing Linux Malware Detect

Now it's time to test the fresh LMD / ClamAV installation:
[root@www maldetect-1.5]# maldet --scan-all /home/albennet
When the scan is complete, you can either check the e-mail sent by LMD or inspect the quarantine folder:
[root@www maldetect-1.5]# ls -l /usr/local/maldetect/quarantine/
You can then remove all quarantined files with:
[root@www maldetect-1.5]# rm -rf /usr/local/maldetect/quarantine/*
List all scan reports with their time and SCANID:
[root@www maldetect-1.5]# maldet --report list
Show the details of a specific report:
[root@www maldetect-1.5]# maldet --report SCANID
[root@www maldetect-1.5]# maldet --report 160831-1948.49720
Quarantine the malicious files found by a scan; since quarantine is disabled by default, you have to trigger it manually:
[root@www maldetect-1.5]# maldet -q SCANID
[root@www maldetect-1.5]# maldet -q 160831-1948.49720
To clean the infected files found by a scan:
[root@www maldetect-1.5]# maldet -n SCANID
[root@www maldetect-1.5]# maldet -n 160831-1948.49720
Update the installed LMD version:
[root@www maldetect-1.5]# maldet -d
Update the malware detection signatures:
[root@www maldetect-1.5]# maldet -u

5. Automatic Scan

During installation, LMD drops the auto-scan file /etc/cron.daily/maldet, which performs a daily signature update, keeps session, temp and quarantine data for up to 14 days, and runs a daily scan of recent file system changes.

