Install Linux Malware Detect (LMD) with ClamAV on CentOS 6.7

ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
https://www.clamav.net/
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license.
https://www.rfxn.com/projects/linux-malware-detect/

1. Installing LMD

The first step is to download and install the current maldetect release. The download below is over plain HTTP and the tarball's install.sh is then run as root; fetch it over https where you can (the project site supports it), so the archive cannot be swapped in transit.
[root@www ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
[root@www ~]# tar -xvf maldetect-current.tar.gz
[root@www ~]# cd maldetect-1.5/
[root@www maldetect-1.5]# ls
CHANGELOG CHANGELOG.RELEASE CHANGELOG.VARIABLES COPYING.GPL cron.daily cron.d.pub files install.sh README
[root@www maldetect-1.5]#
[root@www maldetect-1.5]# ./install.sh
Linux Malware Detect v1.5
(C) 2002-2016, R-fx Networks <proj@r-fx.org>
(C) 2016, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
imported config options from /usr/local/maldetect.last/conf.maldet
maldet(48317): {sigup} performing signature update check...
maldet(48317): {sigup} local signature set is version 201608309492
maldet(48317): {sigup} latest signature set already installed

[root@www maldetect-1.5]#

2. Configuring Linux Malware Detect

After installation, LMD is configured through /usr/local/maldetect/conf.maldet. Note that LMD 1.5 renamed most of its options (the old-to-new mapping ships in CHANGELOG.VARIABLES, listed in the tarball above, and install.sh migrates an existing config, which is what the "imported config options" line in the install output refers to). The names below are the 1.5 ones, with the pre-1.5 name in brackets; check which set your file uses before editing with grep -n 'quarantine_hits\|quar_hits' /usr/local/maldetect/conf.maldet. The options worth changing on a web server are:
[root@www maldetect-1.5]# nano /usr/local/maldetect/conf.maldet
# Enable e-mail alerts for automated/manual scan reports
email_alert="1"
# The destination e-mail address for automated/manual scan reports
email_addr="yourmail@yourdomain.com"
# Detect the ClamAV clamscan binary and use it as the default scanner engine [pre-1.5: clamav_scan]
scan_clamscan="1"
# The quarantine action for malware hits: 0 = alert only, 1 = move to quarantine & alert [pre-1.5: quar_hits]
quarantine_hits="1"
# Try to clean string-based malware injections instead of only quarantining the file; requires quarantine_hits=1 [pre-1.5: quar_clean]
quarantine_clean="1"
# Suspend accounts whose owned files are hits (cPanel suspend on cPanel hosts, shell set to /bin/false otherwise); requires quarantine_hits=1 and only affects uids at or above quarantine_suspend_user_minuid (default 500) [pre-1.5: quar_susp]
quarantine_suspend_user="1"
On a production host quarantine_suspend_user="1" locks an account automatically on a single hit, false positives included, so many administrators leave it at 0 and act on the e-mail report instead.

Save and exit (Ctrl+X, then Y).

3. Installing ClamAV

The next step is to install ClamAV from the EPEL repository. LMD only needs the clamscan binary (the clamav package); the clamd package provides the daemon and init script that are started at the end of this step, so install it as well if you want the daemon.
[root@www maldetect-1.5]# yum install -y epel-release && yum install -y clamav clamd
After the installation is complete, review the following configuration files and adjust them to your host:
nano /etc/clamd.conf
nano /etc/freshclam.conf
By default freshclam checks for new virus definitions 12 times a day (every two hours), not every hour. To change this, edit /etc/freshclam.conf:
[root@www maldetect-1.5]# nano /etc/freshclam.conf
# Number of database checks per day.
# Default: 12
# The shipped file carries the example "#Checks 24" commented out; uncomment it and set the value you want, here once a day:
Checks 1
Save and exit (Ctrl+X, then Y).
Checks only matters when freshclam runs as a daemon (freshclam -d). If freshclam is run from cron instead, the cron entry decides how often definitions are fetched.
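The conf.maldet options of step 2 and the Checks setting of freshclam.conf can be applied from a script instead of nano, which makes the change repeatable across hosts. The script below is an added example, not code from this page or from the LMD or ClamAV projects. Its helper names (set_maldet_opt, maldet_key, set_freshclam_opt, configure_lmd, make_sample_conf) are its own, and make_sample_conf writes constructed excerpts of the two files into a temporary directory so the script runs stand-alone; on a real host call configure_lmd with /usr/local/maldetect/conf.maldet and /etc/freshclam.conf instead. It also shows the check for the LMD 1.5 option rename: it sets whichever name the file actually contains rather than adding a second, ignored variable.

```shell
#!/bin/sh
# Added example (not from the original page, LMD or ClamAV): apply the
# conf.maldet options of step 2 and the freshclam.conf Checks setting of
# step 3 from a script instead of nano, so the change is repeatable.
# Helper names are this example's own; make_sample_conf writes constructed
# excerpts of both files for a stand-alone run.

# conf.maldet lines have the form  key="value". Replace the active line
# (through a temp file, so GNU and BSD sed both work) or append the option.
# Values containing | or & would need escaping for sed; none used here do.
set_maldet_opt() {   # set_maldet_opt FILE KEY VALUE
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of an active conf.maldet option without its quotes.
get_maldet_opt() {   # get_maldet_opt FILE KEY
    sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# LMD 1.5 renamed its options (clamav_scan -> scan_clamscan, quar_hits ->
# quarantine_hits, ...; CHANGELOG.VARIABLES in the tarball has the list).
# Use whichever name the file actually contains, so an ignored duplicate is
# never added; default to the new name for a file that has neither.
maldet_key() {   # maldet_key FILE NEW_NAME OLD_NAME
    if grep -q "^${2}=" "$1"; then echo "$2"
    elif grep -q "^${3}=" "$1"; then echo "$3"
    else echo "$2"; fi
}

# freshclam.conf uses  Key value  and ships with "#Checks 24" commented out:
# uncomment and set that line, or replace an active one, or append.
set_freshclam_opt() {   # set_freshclam_opt FILE KEY VALUE
    file=$1 key=$2 value=$3
    if grep -Eq "^#?${key}( |\$)" "$file"; then
        sed "s|^#\{0,1\}${key}\( .*\)\{0,1\}\$|${key} ${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

get_freshclam_opt() {   # get_freshclam_opt FILE KEY  (last active value, or empty)
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# The settings used on this page, applied to real or sample files.
configure_lmd() {   # configure_lmd CONF_MALDET FRESHCLAM_CONF
    c=$1
    set_maldet_opt "$c" email_alert 1
    set_maldet_opt "$c" email_addr "yourmail@yourdomain.com"
    set_maldet_opt "$c" "$(maldet_key "$c" scan_clamscan clamav_scan)" 1
    set_maldet_opt "$c" "$(maldet_key "$c" quarantine_hits quar_hits)" 1
    set_maldet_opt "$c" "$(maldet_key "$c" quarantine_clean quar_clean)" 1
    set_maldet_opt "$c" "$(maldet_key "$c" quarantine_suspend_user quar_susp)" 1
    set_freshclam_opt "$2" Checks 1
}

# Constructed excerpts (defaults) in the style of the two real files.
make_sample_conf() {   # make_sample_conf DIR
    cat > "$1/conf.maldet" <<'EOF'
# constructed excerpt of /usr/local/maldetect/conf.maldet (LMD 1.5 names)
email_alert="0"
email_addr="you@domain.com"
scan_clamscan="1"
quarantine_hits="0"
quarantine_clean="0"
quarantine_suspend_user="0"
quarantine_suspend_user_minuid="500"
EOF
    cat > "$1/freshclam.conf" <<'EOF'
# constructed excerpt of /etc/freshclam.conf
# Number of database checks per day.
# Default: 12
#Checks 24
EOF
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir"
configure_lmd "$demo_dir/conf.maldet" "$demo_dir/freshclam.conf"
echo "quarantine_hits=$(get_maldet_opt "$demo_dir/conf.maldet" quarantine_hits) Checks=$(get_freshclam_opt "$demo_dir/freshclam.conf" Checks)"
rm -rf "$demo_dir"
```

Back up conf.maldet before running it against the real file, and re-run the grep from step 2 afterwards to confirm each option appears exactly once.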

To do a manual update of the virus definitions, you can execute:
[root@www maldetect-1.5]# freshclam -v

Enable e-mail notification and schedule a daily scan
Create the file /root/clamscan_daily.sh:
[root@www maldetect-1.5]# nano /root/clamscan_daily.sh
and insert the following script (it relies on heirloom-mailx for the mail -a attachment option):
============================================================================
#!/bin/bash
# Daily clamscan of selected directories; mails the log when anything is found.
LOGDIR="/var/log/clamav"
LOGFILE="${LOGDIR}/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="youremail@yourdomain.com"
EMAIL_TO="youremail@yourdomain.com"
DIRTOSCAN="/var/www /home/albennet"

mkdir -p "$LOGDIR"

for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)

    echo "Starting a daily scan of $S directory."
    echo "Amount of data to be scanned is $DIRSIZE."

    # -r: recurse, -i: list only infected files; clamscan exits 1 on a hit, 2 on error
    clamscan -ri "$S" >> "$LOGFILE"

    # take the count from the "Infected files: N" summary line clamscan appends;
    # default to 0 so an empty value (e.g. after an error) cannot break the numeric test
    MALWARE=$(tail "$LOGFILE" | grep '^Infected files:' | cut -d" " -f3)
    MALWARE=${MALWARE:-0}

    # if the value is not zero, send an email with the log file attached
    if [ "$MALWARE" -ne 0 ]; then
        # heirloom-mailx: -a attaches a file, -r sets the sender address
        echo "$EMAIL_MSG" | mail -a "$LOGFILE" -s "Malware Found on $(hostname)" -r "$EMAIL_FROM" "$EMAIL_TO"
    fi
done

exit 0
============================================================================
Save and exit (Ctrl+X, then Y).
Make the script executable (run-parts only runs executable files):
[root@www maldetect-1.5]# chmod 0755 /root/clamscan_daily.sh
Now enable the daily execution of the script by creating a symlink in the /etc/cron.daily/ directory:
[root@www maldetect-1.5]# ln -s /root/clamscan_daily.sh /etc/cron.daily/clamscan_daily
LMD and the script above call the clamscan binary directly and do not need the clamd daemon. If you also want clamd running on the host, enable and start it with:
[root@www maldetect-1.5]# chkconfig clamd on
[root@www maldetect-1.5]# /etc/init.d/clamd start

4. Testing Linux Malware Detect

Now it's time to test the LMD / ClamAV installation with a manual scan of a directory (here the home directory of a web user):
[root@www maldetect-1.5]# maldet --scan-all /home/albennet
When the scan is complete, check the e-mail report LMD sends (email_alert="1") or read the stored report with maldet --report, described below.
To inspect the quarantine folder:
[root@www maldetect-1.5]# ls -l /usr/local/maldetect/quarantine/
Quarantined files are the evidence of the incident, so review them (and the report) before deleting anything. Once you no longer need them, remove them all with:
[root@www maldetect-1.5]# rm -rf /usr/local/maldetect/quarantine/*
List all scan reports with their time and SCANID:
[root@www maldetect-1.5]# maldet --report list
Show the details of a specific report:
[root@www maldetect-1.5]# maldet --report SCANID
[root@www maldetect-1.5]# maldet --report 160831-1948.49720
Quarantine hits after the fact: if quarantine_hits is left at its default of 0 (alert only), LMD reports hits but does not move them, and you quarantine the hits of a scan manually by its SCANID:
[root@www maldetect-1.5]# maldet -q SCANID
[root@www maldetect-1.5]# maldet -q 160831-1948.49720
To clean the string-based injections in a scan's hits and restore the cleaned files:
[root@www maldetect-1.5]# maldet -n SCANID
[root@www maldetect-1.5]# maldet -n 160831-1948.49720
Update the installed version from rfxn.com
[root@www maldetect-1.5]# maldet -d
Update malware detection signatures from rfxn.com
[root@www maldetect-1.5]# maldet -u
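A scan of a real home directory only proves something if there is something to find. The usual way to exercise the whole chain is the EICAR test file, the harmless 68-byte string every antivirus engine detects by agreement. The script below is an added example, not code from this page or from the LMD or ClamAV projects; its helper names (eicar_write, file_sha256, clamscan_infected, scan_with_clamscan, scan_with_maldet) are its own. It writes the test file into a fresh temporary directory, checks the file's SHA-256 so a typo in the test file is not mistaken for a scanner failure, runs clamscan and maldet only when they are installed, and parses clamscan's summary by its full "Infected files:" label instead of the tail | grep | cut used in the cron script above.

```shell
#!/bin/sh
# Added example (not from the original page, LMD or ClamAV): an end-to-end
# check of the scanner chain using the EICAR test file, the harmless string
# every AV engine detects by agreement. clamscan and maldet are run only when
# installed; the hash check and summary parser work anywhere. Helper names
# are this example's own.

# Write the 68-byte EICAR string to FILE, assembled from two halves so that
# this script is not itself flagged as a copy of the test file.
eicar_write() {   # eicar_write FILE
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' 'ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# SHA-256 of FILE (sha256sum on Linux, shasum elsewhere). The EICAR file's is
# 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f; a mismatch
# means the test file itself is wrong, not the scanner.
file_sha256() {   # file_sha256 FILE
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Count from the "Infected files: N" summary line of clamscan output on stdin
# (0 when the line is missing, e.g. after an error), matched by its full
# label rather than by the word "Infected" anywhere in the last lines.
clamscan_infected() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# Scan DIR with clamscan and keep the output in LOG. Return value follows
# clamscan's convention: 0 clean, 1 something found, 2 error (or not installed).
scan_with_clamscan() {   # scan_with_clamscan DIR LOG
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed, skipped"; return 2; }
    clamscan -ri "$1" > "$2" 2>&1
    rc=$?
    echo "clamscan exit status $rc, infected files: $(clamscan_infected < "$2")"
    return $rc
}

# Scan DIR with LMD and list its reports; with quarantine_hits=1 any hit is
# moved to /usr/local/maldetect/quarantine.
scan_with_maldet() {   # scan_with_maldet DIR
    command -v maldet >/dev/null 2>&1 || { echo "maldet not installed, skipped"; return 2; }
    maldet --scan-all "$1"
    maldet --report list
}

# Stand-alone run in a fresh temporary directory.
tmp=$(mktemp -d)
eicar_write "$tmp/eicar.com"
echo "EICAR sha256: $(file_sha256 "$tmp/eicar.com")"
scan_with_clamscan "$tmp" "$tmp/clamscan.log" || true
scan_with_maldet "$tmp" || true
rm -rf "$tmp"
```

On a host where ClamAV is installed and its definitions are current, clamscan reports the file as FOUND, exits with status 1 and prints "Infected files: 1". If LMD quarantined the file, remove that quarantine entry afterwards so the test file does not linger in the reports.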

5. Automatic Scan

When LMD is installed it drops an automatic scan job at /etc/cron.daily/maldet, which performs a daily signature update, prunes session, temp and quarantine data older than 14 days, and runs a daily scan of recent file system changes.

Copyright Albenet Hosting Sunday 22-Oct-2017 All rights reserved.