Applies To: CENTOS DEBIAN UBUNTU


Linux Malware Detect (also known as Maldet) is a free malware scanner for Linux released under the GNU GPLv2 license. It is built around threat data gathered from network-edge intrusion detection systems, i.e. malware that is actively being used in attacks, and from that data it generates unique signatures which it then uses to detect those threats on Linux systems.

What are Malware Signatures?

These are the fingerprints of malware. A signature is made up of a unique code sequence, pattern, piece of data or even file structure, and it is what Maldet matches against to find malware on the system.

The signature database is updated frequently with new additions so that Maldet can detect new and emerging threats as soon as they are discovered.

Before You Install Maldet

  • Maldet has a very high resource footprint, and its memory use grows over time as the signature set gets bigger. Installing it on a low-memory server (e.g. 2 vCPU and 2 GB of RAM) will very likely cause Out of Memory (OOM) errors and make Maldet crash.
  • Our recommended minimum specification is a server with at least 4 (v)CPU and 4 GB of RAM, to avoid Out of Memory issues or performance degradation.
  • Maldet will only detect and quarantine what is in its malware signature database. Anything not in the database is ignored by Maldet.
  • You should not rely on Maldet's results alone to determine whether your server is infected. However, it is a good starting point and can detect and remove common malware very easily.

How to Install Maldet

Step 1: Connect to the Linux Server via SSH (Secure Shell Access)

You will need access to the Linux Server via SSH with suitable privileges to install files (e.g. root or a user with sudo permissions).

Connecting to a Server via SSH

Separate guides cover how to connect to a Linux server via SSH from macOS and Linux, and from Windows.

Step 2: Download the Current Maldet Release

From your SSH session, run the following command to download the current release of Maldet:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

You can also download the file into a specific folder by adding the -P option to the wget command, for example:

wget -P /home/download http://www.rfxn.com/downloads/maldetect-current.tar.gz

Step 3: Extracting the Maldet Release

From your SSH session, within the directory that Maldet was downloaded to, run the command below to extract the Maldet files:

tar -xzf maldetect-current.tar.gz

Now that the files have been extracted, change your working directory to the extracted "maldetect" release folder:

cd maldetect-*

Step 4: Installing Maldet

Run the below command in your terminal to install Maldet:

./install.sh

Working Directory

Make sure you are in the directory where you extracted the files before running the ./install.sh script above, otherwise it will not work.
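As an added example (not part of the original guide or the Maldet project), the following POSIX shell script wraps the resource check from "Before You Install Maldet" and Steps 2 to 4 into one run: it refuses to proceed on a host below the recommended 4 vCPU / 4 GB, downloads the current release, extracts it, and runs install.sh from inside the extracted maldetect-* directory. It assumes wget, tar and nproc are installed and that the final step runs as root; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the guide: preflight check + download + extract + install.
set -eu

MALDET_URL="http://www.rfxn.com/downloads/maldetect-current.tar.gz"
MIN_MEM_KB=$((4 * 1024 * 1024))   # 4 GB, the guide's recommended minimum
MIN_CPUS=4                        # 4 (v)CPU, the guide's recommended minimum

# check_resources MEM_KB CPUS -> 0 if the host meets the recommended minimum, 1 otherwise.
# Values are passed in rather than read here so the check can be exercised offline.
check_resources() {
    mem_kb=$1; cpus=$2
    [ "$mem_kb" -ge "$MIN_MEM_KB" ] && [ "$cpus" -ge "$MIN_CPUS" ]
}

# Live host values (Linux only): total RAM in kB from /proc/meminfo, CPU count from nproc.
host_mem_kb() { awk '/^MemTotal:/ {print $2}' /proc/meminfo; }
host_cpus()   { nproc; }

# extract_release TARBALL WORKDIR -> prints the extracted maldetect-* directory.
# Fails unless exactly one such directory exists and it contains install.sh.
extract_release() {
    tarball=$1; workdir=$2
    tar -xzf "$tarball" -C "$workdir"
    set -- "$workdir"/maldetect-*/          # trailing slash: match directories only
    [ $# -eq 1 ] && [ -f "$1/install.sh" ] || {
        echo "no single maldetect-* release with install.sh found in $workdir" >&2
        return 1
    }
    printf '%s\n' "${1%/}"
}

# install_maldet WORKDIR: the full procedure; only runs when explicitly requested below.
install_maldet() {
    workdir=$1
    if ! check_resources "$(host_mem_kb)" "$(host_cpus)"; then
        echo "host is below the recommended 4 vCPU / 4 GB RAM; Maldet may run out of memory" >&2
        return 1
    fi
    wget -q -P "$workdir" "$MALDET_URL"
    release_dir=$(extract_release "$workdir/maldetect-current.tar.gz" "$workdir")
    (cd "$release_dir" && ./install.sh)   # install.sh must run from inside the release dir
}

# Usage: MALDET_INSTALL=1 sh install-maldet.sh /root/maldet-work
if [ "${MALDET_INSTALL:-0}" = 1 ]; then
    install_maldet "${1:-/root}"
fi
```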

How to use Maldet Scanner to Scan your Linux Server

Scan Specific Files or Folders

Use the below commands to scan specific paths or folders on your Linux server:

maldet -a /path/example/folder

You can change "/path/example/folder" to any directory you wish to scan on your server, e.g. "/home" or "/home/myaccount/public_html/uploads".

If you want to scan the entire contents of the server, you can provide the root of the filesystem, e.g.:

maldet -a /

This will scan the entire server. Note: depending on the size of your file system and the number of files, this can take a very long time to complete.

Check your Scan Results from Maldet

Once Maldet has finished scanning your server, it will produce a scan report with all the results of the scan.

Below are the commands to view your scan reports (Replace <SCAN-ID> with the Scan ID from your reports):

maldet -e <SCAN-ID>

maldet -report <SCAN-ID>

Remove all detected Malware based on a Scan Report

The below commands show you how you can quarantine all the malware detected in a scan report in Maldet (Replace <SCAN-ID> with the Scan ID from your reports):

maldet -q <SCAN-ID>

maldet -quarantine <SCAN-ID>

Restoring a File you accidentally removed with Maldet

maldet -s Folder/File

maldet -restore Folder/File

Useful Maldet Syntax and Options

Below is the general syntax of a Maldet command and how options can be supplied to Maldet for additional features; typically the syntax is:

maldet (options) /your/path/to/folder

You can see all the arguments and options available with Maldet by running the following command:

maldet --help

Below is a table summarising the available arguments and options:

Option                            Purpose
-k or -kill                       Kills the "inotify" monitoring service.
-b or -background                 Allows scans to run in the background; useful when running large scans.
-l or -log                        Shows all the Maldet scanner logs.
-a or -scan PATH                  Scans all the files located under the path provided.
-p or -purge                      Clears the quarantine queue, logs, temporary data and session data.
-n or -clean SCAN-ID              Restores and cleans malware detections from a specific scan ID.
-c or -checkout FILE/FOLDER       If you suspect a file is malware that Maldet has not detected, uploads it to the rfxn.com signature database for review, where it will be hashed into signatures.
-m or -monitor USERS/PATH/FILE    Runs Maldet's kernel-level (inotify) monitoring, which watches the given users, path or file list for file create and modify events.
-s or -restore SCAN-ID or FILE    Restores a file from the quarantine queue if you do not want it removed and believe it is a false positive.
-U or -user                       Runs the Maldet execution under a specific user.
-u or -update                     Updates the malware signatures to the latest version.
-d or -update-ver                 Updates the Maldet scanner itself to the latest version available from rfxn.com.
-q or -quarantine SCAN-ID         Removes/quarantines all the malware listed in a specific scan report.
-r or -scan-recent X DAYS         Scans only files created in the last X days; replace X with the number of days.
The information in the table above was correct at the time of writing but may have changed since. Always double-check the options available in your installed version before running a command.