Linux Malware Detect
Malware scanner built from real hosting threat data
Linux Malware Detect (LMD) is a malware scanner for Linux designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Threat data is also derived from user submissions with the LMD checkout feature and from malware community resources.
The signatures that LMD uses are MD5 file hashes and HEX pattern matches, which are also easily exported to any number of detection tools such as ClamAV.
The driving force behind LMD is that there is currently limited availability of open source tools for Linux that focus on malware detection — many AV products that perform malware detection on Linux have a very poor track record of detecting threats targeted at shared hosted environments, where the threat landscape differs from OS-level trojans and rootkits: the growing variety of malware lives at the user account level (web shells, injected scripts, uploaded tooling) rather than in the kernel or system binaries.
Features
Detection
- MD5 file hash detection for quick threat identification
- HEX-based pattern matching for identifying threat variants
- Statistical analysis for detection of obfuscated threats (e.g. base64)
- Integrated ClamAV scanner engine for improved performance
Scanning
- Scan-recent option to scan only files added/changed in X days
- Full path-based scan-all option
- Daily cron-based scanning of all changes in last 24h in user homedirs
- Kernel-based inotify real-time file scanning of created/modified/moved files
- Inotify monitor with dynamic sysctl limits for optimal performance
- HTTP upload scanning through mod_security2 inspectFile hook
- Background scanner option for unattended scan operations
Response
- Quarantine queue that stores threats safely with no permissions
- Quarantine batching, restore, and suspend account options
- Cleaner rules to attempt removal of injected strings including base64 and gzinflate
- Checkout option to upload suspected malware to rfxn.com for review and hashing
Reporting & Updates
- Full reporting system to view current and previous scan results
- E-mail alert reporting after every scan execution
- Path, extension, and signature-based ignore options
- Integrated signature update feature with -u|--update
- Integrated version update feature with -d|--update-ver
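To make the detection and response features above concrete, here is an added example scanner written for this page; it is not LMD's own code (LMD itself is a shell script) and the signature values, file names and sample contents in it are constructed for the demonstration, not LMD's real signature set. It shows the three detection layers in the order LMD applies them (whole-file MD5 hash, HEX byte-pattern signature, then a statistical base64 heuristic), a scan-recent filter by modification time, and a quarantine step that strips all permission bits from the file it isolates.

```python
"""Toy LMD-style scanner (added illustration, not LMD's code).

Detection: MD5 hash signatures -> HEX byte-pattern signatures -> base64 heuristic.
Scanning:  optional scan-recent filter on mtime.
Response:  quarantine by moving the file and setting mode 0000.
All signatures and sample files below are constructed for this example.
"""
import base64
import hashlib
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# HEX signatures are hex-encoded byte sequences, as in LMD's hex signature
# format.  This constructed one decodes to b"eval(base64_decode(".
HEX_SIGNATURES = {
    "php.obfus.eval_b64decode": "6576616c286261736536345f6465636f646528",
}
# MD5 signatures match a whole file; build_demo_tree() adds a constructed one.
MD5_SIGNATURES = {}

# Statistical heuristic: a run of 200+ base64-alphabet bytes is suspicious
# in a web-facing source file (threshold is an assumption for the demo).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def md5_of(path):
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return the name of the first signature that fires, or None if clean."""
    digest = md5_of(path)
    if digest in MD5_SIGNATURES:          # cheapest, exact-file match first
        return MD5_SIGNATURES[digest]
    data = Path(path).read_bytes()
    for name, hexsig in HEX_SIGNATURES.items():
        if bytes.fromhex(hexsig) in data:  # variant-tolerant substring match
            return name
    if B64_RUN.search(data):               # obfuscation heuristic last
        return "heuristic.base64_blob"
    return None


def scan(root, recent_days=None):
    """Walk `root`; with recent_days set, only files modified within that window."""
    cutoff = time.time() - recent_days * 86400 if recent_days else None
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if cutoff is not None and path.stat().st_mtime < cutoff:
            continue
        sig = classify(path)
        if sig:
            hits[str(path.relative_to(root))] = sig
    return hits


def quarantine(path, qdir):
    """Move a hit into the quarantine dir and remove every permission bit."""
    Path(qdir).mkdir(parents=True, exist_ok=True)
    dest = Path(qdir) / Path(path).name
    shutil.move(str(path), str(dest))
    dest.chmod(0)  # mode 0000: the stored sample cannot be read or executed
    return dest


def build_demo_tree():
    """Create a temp dir holding constructed clean, hashed, hex-hit and b64 samples."""
    root = Path(tempfile.mkdtemp(prefix="lmd-demo-"))
    (root / "index.html").write_bytes(b"<html><body>hello</body></html>\n")
    known_bad = b"#!/bin/sh\n# constructed sample, hashed as a known threat\necho x\n"
    (root / "known_bad.sh").write_bytes(known_bad)
    MD5_SIGNATURES[hashlib.md5(known_bad).hexdigest()] = "sh.sample.known_bad"
    (root / "inc.php").write_bytes(b"<?php /* constructed */ eval(base64_decode($x)); ?>\n")
    blob = base64.b64encode(os.urandom(240))  # 320 base64 chars, no code inside
    (root / "theme.js").write_bytes(b"var p='" + blob + b"';\n")
    old = time.time() - 40 * 86400            # age the hex-hit file past 7 days
    os.utime(root / "inc.php", (old, old))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("full scan:   ", scan(demo))
    print("last 7 days: ", scan(demo, recent_days=7))
    print("quarantined: ", quarantine(demo / "inc.php", demo / "quarantine"))
```

The ordering matters in practice: the hash check is exact and cheap, the HEX substring catches re-packed variants of the same injected string, and the base64 heuristic only runs on files neither of the first two explained, which keeps false positives from the heuristic confined to files that already looked unusual.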
Installation
$ git clone https://github.com/rfxn/linux-malware-detect.git
$ cd linux-malware-detect
$ sudo ./install.sh
Verify Download
MD5 Signature Verification
Always verify the integrity of downloaded packages before installation.
$ wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
$ wget https://www.rfxn.com/downloads/maldetect-current.tar.gz.md5
$ md5sum -c maldetect-current.tar.gz.md5
Downloads & Resources
Community & Publications
Notable
- Wikipedia — Linux Malware Detect — Wikipedia
- LPIC-3 Exam 303 Objectives — Host Intrusion Detection (maldet) — Linux Professional Institute
- LPI Learning Materials — Malware (023.3) — Linux Professional Institute
- Mastering Linux Security and Hardening (Packt / O'Reilly) — O'Reilly Media
- HandWiki — Linux Malware Detect — HandWiki
- ArchWiki — Security Applications — ArchWiki
- AUR Package — maldet — Arch User Repository
- Gentoo Portage — app-antivirus/maldet — Gentoo Overlays
- Puppet Forge — nexcess/maldet — Puppet Forge
- GridPane Security Suite — maldet + ClamAV — GridPane
Tutorials & Articles
- Essential Linux Tools for Malware Scanning — LinuxSecurity.com
- Integrate LMD and ClamAV for Automated Malware Detection — TechRepublic
- Install LMD with ClamAV as Antivirus Engine — TecMint
- 5 Tools to Scan Linux for Malware and Rootkits — TecMint
- An Introduction to Securing Your Linux VPS — DigitalOcean
- Install LMD and ClamAV on CentOS 7 — HowToForge
- Install Linux Malware Detect on Ubuntu 20.04 — Liquid Web
- Install and Use Linux Malware Detect — ComputingForGeeks
- How to Detect and Clean Malware from a Linux Server — Make Tech Easier
- Introduction to Maldet and ClamAV Scanning — GridPane
- Easily Integrate Linux Malware Detect with ClamAV — kifarunix
- Install and Configure LMD on Linux — UbuntuPit
Community
- cPanel WHM Addon for Maldet — GitHub
- Ansible Role — cloudweeb.maldet — GitHub
- LPIC-3 Security 303-300 Study Guide (maldet) — GitHub
- Centmin Mod — Maldet Addon Discussion — Centmin Mod Forums
- Linux Malware Detect on DirectAdmin — DirectAdmin Forums
- WordPress Security: Securing Multiple Banking Websites — GridPane