Installing and Using Maldet on a Linux Server
Applies To: CENTOS DEBIAN UBUNTU
Linux Malware Detect (also known as Maldet or LMD) is a free malware scanner for Linux released under the GNU GPLv2 license. Its threat data comes from network-edge intrusion detection systems, which capture malware that is actively being used in attacks; from those samples the project generates signatures (file hashes and HEX byte patterns) that Maldet then uses to detect the same threats on Linux hosts.
What are Malware Signatures?
A signature is a fingerprint of a piece of malware: a unique byte pattern, string, hash or structural feature that identifies it. Maldet compares the files it scans against its signature database and reports a hit when one matches.
The signature database is updated frequently with new entries so that recently discovered threats can be detected. Run a signature update right after installing and keep updates on a schedule; a stale database silently misses newer malware.
Before You Install Maldet
- Maldet has a high resource footprint, and it grows over time: as the signature database gets larger, each scan needs more RAM. Installed on a small server (e.g. 2 vCPU and 2 GB of RAM) it is likely to trigger Out of Memory (OOM) conditions and be killed part way through a scan.
- Our recommended minimum specification is a server with at least 4 (v)CPU and 4 GB of RAM, to avoid OOM kills or performance degradation while scans run.
- Maldet only detects and quarantines what is in its signature database. Anything not covered by a signature is ignored, so a clean scan is not proof of a clean server.
- You should not rely on Maldet's results alone to determine whether your server is infected. However, it is a good starting point and detects and removes common web-hosting malware (web shells, injected PHP and similar) with very little effort.
How to Install Maldet
Step 1: Connect to the Linux Server via SSH (Secure Shell Access)
You will need access to the Linux server via SSH with privileges to install software (e.g. root or a user with sudo permissions); the installer writes to /usr/local and /etc/cron.daily, so it must run as root.
Connecting to a Server via SSH
More details on how to connect to a Linux Server via SSH, for MacOS and Linux users can be found here, and for Windows Users here.
Step 2: Download the Current Maldet Release
From your SSH session, run the following command to download the current Maldet release:
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
Download over https rather than plain http: you are about to run the archive's install script as root, so it should not be possible to swap the archive in transit. To save the archive into a specific directory instead of the current one, pass -P to wget, for example:
wget -P /home/download https://www.rfxn.com/downloads/maldetect-current.tar.gz
Step 3: Extracting the Maldet Release
From your SSH session, in the directory the archive was downloaded to, run the command below to extract the Maldet files:
tar -xzf maldetect-current.tar.gz
Now that the files have been extracted, change your working directory to the extracted "maldetect" release folder:
cd maldetect-*
Step 4: Installing Maldet
Run the command below (as root) to install Maldet:
./install.sh
The installer places Maldet under /usr/local/maldetect, links the maldet command into /usr/local/sbin, and adds a daily cron job (/etc/cron.daily/maldet). Its configuration lives in /usr/local/maldetect/conf.maldet; read through it once after installing, because the defaults only report hits and do not quarantine them (quarantine_hits="0").
Working Directory
Make sure you are in the directory where you extracted the archive before running ./install.sh, otherwise the script will not be found and nothing will be installed.
How to use Maldet Scanner to Scan your Linux Server
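The four steps above as one script, added here as an example rather than taken from the page or the Maldet project. It enforces the page's 4 GB RAM recommendation by reading /proc/meminfo, checks that the downloaded archive really contains a maldetect-*/install.sh before running anything from it, and refreshes the signatures once the install has finished. The URL, the root check and the MALDET_INSTALL_NOW guard are assumptions of this example.

```shell
#!/bin/sh
# Added example: install the current Maldet release end to end.
# Assumptions (not from the page): run as root; wget and tar are present;
# the page's 4 GB RAM recommendation is checked against /proc/meminfo.
set -eu

MALDET_URL="https://www.rfxn.com/downloads/maldetect-current.tar.gz"
MIN_MEM_KB=$((4 * 1024 * 1024))   # page recommends at least 4 GB of RAM

# mem_ok MEMINFO_TEXT: returns 0 if the MemTotal line in the given
# /proc/meminfo contents meets the recommended minimum, 1 otherwise.
mem_ok() {
    total_kb=$(printf '%s\n' "$1" | awk '/^MemTotal:/ { print $2 }')
    [ -n "$total_kb" ] && [ "$total_kb" -ge "$MIN_MEM_KB" ]
}

# archive_has_installer ARCHIVE: returns 0 only if the tarball contains a
# top-level maldetect-*/install.sh, i.e. it looks like a Maldet release.
archive_has_installer() {
    tar -tzf "$1" | grep -q '^maldetect-[^/]*/install\.sh$'
}

# install_maldet: download, verify, extract, install, update signatures.
install_maldet() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if ! mem_ok "$(cat /proc/meminfo)"; then
        echo "warning: less than 4 GB RAM, Maldet may be OOM-killed during scans" >&2
    fi
    workdir=$(mktemp -d)
    cd "$workdir"
    wget -q "$MALDET_URL"
    archive_has_installer maldetect-current.tar.gz \
        || { echo "unexpected archive contents, not installing" >&2; return 1; }
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*/
    ./install.sh
    maldet -u                  # pull the latest signatures before the first scan
    maldet --help >/dev/null && echo "maldet installed"
}

# Only perform the install when explicitly asked, so the functions above can
# be sourced and checked without touching the system.
if [ "${MALDET_INSTALL_NOW:-0}" = "1" ]; then
    install_maldet
fi
```

Run it with MALDET_INSTALL_NOW=1 as root to perform the install; without that variable it only defines the functions.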
Scan Specific Files or Folders
Use the command below to scan a specific path on your Linux server:
maldet -a /path/example/folder
Replace "/path/example/folder" with any directory you wish to scan, e.g. "/home" or "/home/myaccount/public_html/uploads". Upload directories and other web-writable paths are the usual first place to look, since that is where dropped web shells end up.
If you want to scan the entire contents of the server, provide the root of the filesystem:
maldet -a /
This scans the entire server. Depending on the size of your filesystem and the number of files this can take a very long time; for a full scan use the background option (maldet -b -a /) and follow progress in the event log with maldet -l.
Check your Scan Results from Maldet
Once Maldet has finished scanning, it writes a scan report identified by a SCAN ID (also printed at the end of the scan and recorded in the event log). To list the available reports, run maldet --report list. To view a report, run either of the commands below (replace <SCAN-ID> with the Scan ID from the list):
maldet -e <SCAN-ID>
maldet --report <SCAN-ID>
Remove all detected Malware based on a Scan Report
By default Maldet only reports hits and leaves the files in place (quarantine_hits="0" in conf.maldet), so quarantining is a separate step. The commands below quarantine all the malware detected in a scan report (replace <SCAN-ID> with the Scan ID from your reports); if you want hits quarantined automatically at scan time, set quarantine_hits="1" in conf.maldet instead:
maldet -q <SCAN-ID>
maldet --quarantine <SCAN-ID>
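Quarantining straight from a scan ID is fine for the routine case, a web shell dropped into an upload directory, but a hit outside the web roots (under /usr, /etc, /lib and so on) means the attacker has gone further than the web application, and quarantining the one file would destroy evidence before anyone has looked. The script below, added here as an example and not part of the page or the Maldet project, parses a report into its hit list, counts hits, and only quarantines when every hit sits under an expected web root; otherwise it stops and prints the paths to escalate. The report text is a constructed sample modelled on maldet --report output; the WEB_ROOTS list and the escalation rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page or the Maldet project): triage a Maldet
# scan report before quarantining. SAMPLE_REPORT is a constructed sample
# modelled on maldet --report output; WEB_ROOTS and the "escalate when a hit
# is outside a web root" rule are assumptions.
set -eu

WEB_ROOTS="/home /var/www"   # assumption: hits here are routine, elsewhere they are not

SAMPLE_REPORT='HOST:      web01.example.com
SCAN ID:   240101-1020.3344
STARTED:   Jan  1 2024 10:20:01 +0000
COMPLETED: Jan  1 2024 10:25:13 +0000
ELAPSED:   312s [find: 9s]

PATH:          /
TOTAL FILES:   48210
TOTAL HITS:    3
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}php.cmdshell.unclassed.344 : /home/site/public_html/uploads/img.php
{HEX}php.base64.inject.437 : /var/www/html/wp-content/cache/x.php
{MD5}perl.ircbot.dc.1 : /usr/lib/.cache/bot.pl
==============================================='

# scan_id REPORT: prints the SCAN ID field of a report.
scan_id() { printf '%s\n' "$1" | awk '/^SCAN ID:/ { print $3 }'; }

# report_hits REPORT: one line per hit, SIGNATURE<TAB>PATH. A trailing
# " => <quarantine path>" (present once a hit is quarantined) is dropped.
report_hits() {
    printf '%s\n' "$1" | awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        inlist && /^=+$/  { inlist = 0 }
        inlist && / : /   { sig = $1; sub(/^[^ ]* : /, ""); sub(/ => .*$/, ""); print sig "\t" $0 }'
}

# report_hit_count REPORT: number of entries in the hit list, counted from the
# list itself rather than trusted from the TOTAL HITS summary line.
report_hit_count() { report_hits "$1" | wc -l | tr -d ' '; }

# outside_web_roots REPORT: prints hit paths not under any WEB_ROOTS entry.
outside_web_roots() {
    report_hits "$1" | cut -f2 | while IFS= read -r path; do
        inside=0
        for root in $WEB_ROOTS; do
            case "$path" in "$root"/*) inside=1 ;; esac
        done
        [ "$inside" -eq 1 ] || printf '%s\n' "$path"
    done
}

# triage SCANID: fetch the real report, quarantine when every hit is confined
# to the web roots, otherwise stop and list what needs a human first.
triage() {
    report=$(maldet --report "$1")
    n=$(report_hit_count "$report")
    [ "$n" -gt 0 ] || { echo "scan $1: no hits"; return 0; }
    bad=$(outside_web_roots "$report")
    if [ -n "$bad" ]; then
        echo "scan $1: hits outside web roots, escalate before touching anything:" >&2
        printf '%s\n' "$bad" >&2
        return 2
    fi
    echo "scan $1: $n hit(s) under web roots, quarantining"
    maldet --quarantine "$1"
}

# Usage: ./triage.sh <SCAN-ID>; with no argument only the functions are defined.
if [ "${1:-}" != "" ]; then
    triage "$1"
fi
```

Against the constructed sample, report_hit_count returns 3 and outside_web_roots returns /usr/lib/.cache/bot.pl, so triage would refuse to quarantine and exit 2; remove the /usr/lib line and it would call maldet --quarantine on the scan ID.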
Restoring a File Maldet quarantined by mistake (a false positive)
Quarantined files are moved to /usr/local/maldetect/quarantine. Either of the commands below restores a single file (give its path inside the quarantine directory) or every file from a given scan ID back to its original location. Only restore a file once you have confirmed it is benign; restoring a real web shell puts it straight back on the site.
maldet -s <quarantine-file or SCAN-ID>
maldet --restore <quarantine-file or SCAN-ID>
Useful Maldet Syntax and Options
Below is the general syntax of a Maldet command and how options are supplied to it; typically the syntax is:
maldet (options) /your/path/to/folder
You can see all the available arguments and options available to use with Maldet by running the following command:
maldet --help
Below is a table which includes a summary of the available arguments and options;
Options | Purpose |
---|---|
-k or --kill-monitor | Terminates the inotify real-time monitoring service started with -m. |
-b or --background | Runs the operation in the background; useful for large scans. |
-l or --log | Shows the Maldet event log (scan start/finish, hit counts, quarantine actions). |
-a or --scan-all PATH | Scans all files under the given path. |
-p or --purge | Clears the quarantine queue, logs, session and temporary data. Note that this also discards any quarantined evidence. |
-n or --clean SCAN ID | Attempts to clean the hits from the given scan report and restore the cleaned files; only signatures that have a cleaner rule (typically injected code) can be cleaned. |
-c or --checkout FILE | Uploads a file you suspect is undetected malware to rfxn.com for review and hashing into signatures. The file leaves your server, so do not submit anything containing customer data, credentials or keys. |
-m or --monitor USERS/PATHS/FILE | Starts inotify kernel-level monitoring of file create and modify events under the listed users' home directories, the listed paths, or the paths named in a file, and scans changed files as they appear. |
-s or --restore FILE or SCAN ID | Restores a file, or every file from a given scan ID, from the quarantine queue to its original path; use this for confirmed false positives. |
-U or --user USER | Runs the Maldet operation as the given user, e.g. to restore from that user's quarantine or to view their reports. |
-u or --update-sigs | Updates the malware signatures to the latest version (older releases call this option --update). |
-d or --update-ver | Updates the Maldet scanner itself to the latest version available from rfxn.com. |
-q or --quarantine SCAN ID | Quarantines all malware hits from the given scan report. |
-r or --scan-recent PATH DAYS | Scans only files created or modified in the last DAYS days under PATH, e.g. maldet -r /home/?/public_html 2 (the ? wildcard matches any single directory name). |