rfxn | LMD | GPL v2 | v1.6.6.1 | Since 2005

Linux Malware Detect

Order-of-magnitude faster shell-native malware scanning for Linux

Linux Malware Detect (LMD) is a high-performance malware scanner for Linux designed around the threats faced in shared hosted environments. v2.0.1 represents a complete architectural overhaul, introducing a batch-parallel scanning engine that delivers order-of-magnitude performance gains over traditional security tools.

The scanner leverages hardware-accelerated SHA-256 (SHA-NI) and Aho-Corasick string matching to identify web shells, injected backdoors, and obfuscated payloads at wire speed. By short-circuiting matches at the hash layer, LMD avoids unnecessary content scanning, providing a massive reduction in I/O and CPU overhead.

By using threat intelligence derived from network edge intrusion detection systems, LMD generates signatures for malware that is actively being used in real-world attacks. These signatures are easily exported to ClamAV, providing a layered defense-in-depth approach for production Linux servers.

Stars: 1,386
Forks: 245
Last Push: Apr 9, 2026
Latest Release: 1.6.6.1
Project Downloads & Supporting Files

  Period   Downloads
  3d       62.8k
  7d       108.4k
  30d      501.4k
  90d      1.46M
  1y       5.75M

Apr 6 — Apr 9

Features

Detection Engine

  • Batch-parallel Aho-Corasick engine for rapid HEX pattern matching
  • Hardware-accelerated SHA-256 (SHA-NI) and MD5 hashing
  • Native YARA-X integration for complex polymorphic threats
  • Statistical analysis for detection of obfuscated threats (base64, gzinflate)
  • Unified signature updates with ClamAV auto-export support

Real-time & Hooks

  • Kernel-based inotify real-time monitoring with dynamic watch tuning
  • HTTP upload scanning via ModSecurity2 inspectFile hook
  • Aho-Corasick wildcard support (??, (aa|bb), *, nibble) in native engine
  • Background scanner option for unattended high-throughput operations

Alerting & Integration

  • Reimagined HTML+Text email alerts with unified RFXN design
  • Native Discord, Slack (Block Kit), and Telegram (MarkdownV2) webhooks
  • ELK Stack integration for centralized threat telemetry and dashboards
  • SMTP relay support with TLS/SSL for secure alert delivery

Response & Compliance

  • Quarantine queue with zero-permission storage and audit logging
  • Surgical cleaner rules for removing injected malware strings
  • Fully auditable shell-native source with zero-dependency design
  • NIST, NATO, and AWS trusted security architecture

Installation

```bash
$ git clone https://github.com/rfxn/linux-malware-detect.git
$ cd linux-malware-detect
$ sudo ./install.sh
```

Verify Download

MD5 Signature Verification

Always verify the integrity of downloaded packages before installation.

```bash
$ wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
$ wget https://www.rfxn.com/downloads/maldetect-current.tar.gz.md5
$ md5sum -c maldetect-current.tar.gz.md5
```

Community & Publications

Community