How to install and scan using Maldet

This article explains how to install Maldet on a Linux server and how to configure and use it. Linux Malware Detect (LMD), also known as maldet, is a malware scanner for Linux servers released under the GNU GPLv2 license. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detecting it. With maldet, infected files on the Linux file system can be identified and moved (quarantined) to a separate location.


Installation

1) SSH to the server

2) Download the tar file

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

3) Extract the file.

# tar -xzf maldetect-current.tar.gz

4) Go to the maldet folder

# cd maldetect-*

5) To install maldet, run the below command

# sh ./install.sh

Now the installation is completed.


How to use maldet in a server

1) To scan a file or folder.

# maldet -a /path/to/scan OR

# maldet --scan-all /path/to/scan

2) View the scan report.

# maldet -e SCAN ID

# maldet --report SCAN ID

3) Update the malware signatures (-u) or the installed maldet version (-d).

# maldet -u OR

# maldet -d

4) Quarantine all malware results from a previous scan

# maldet -q SCAN ID

# maldet --quarantine SCAN ID

5) Restore a file that you have already quarantined

# maldet -s FILENAME

# maldet --restore FILENAME

6) Clean all malware results from a previous scan

# maldet --clean SCANID
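The scan and report steps above can be chained so a scheduled job notices hits. The following wrapper is an added example, not part of the original article: it runs the scan, pulls the SCAN ID out of maldet's completion message (which names the exact `maldet --report SCANID` command to run next), and prints the report only when there were hits. The sample output it is tested against is constructed, modelled on maldet's summary lines; check the wording against the version you install.

```shell
#!/bin/sh
# Added example (not from the original article). Wraps "maldet -a PATH"
# and "maldet --report SCANID" so a cron job gets a non-zero exit on hits.

# Extract the SCAN ID from maldet's completion output. maldet prints the
# follow-up command "maldet --report <SCANID>", so take the token after it.
scan_id_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*--report \([0-9][0-9.-]*\).*/\1/p' | head -n 1
}

# Extract the "malware hits N" count from the summary line; 0 if absent.
hits_from_output() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*malware hits \([0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Run the scan on PATH. If there were hits, show the report and return 2 so
# the calling job can alert. Quarantine is left to the operator (maldet -q
# SCANID) unless quar_hits=1 is set in the configuration.
scan_and_report() {
    path=$1
    out=$(maldet -a "$path" 2>&1) || return 1
    id=$(scan_id_from_output "$out")
    hits=$(hits_from_output "$out")
    if [ "$hits" -gt 0 ]; then
        maldet --report "$id"
        return 2
    fi
    echo "scan $id of $path: no hits"
}

# Constructed sample of a maldet completion message, used for local testing
# of the two parsing functions without running a real scan.
SAMPLE_OUTPUT='maldet(4242): {scan} scan completed on /home/site/public_html: files 812, malware hits 2, cleaned hits 0, time 19s
maldet(4242): {scan} scan report saved, to view run: maldet --report 250314-1020.4242'
```

Call `scan_and_report /path/to/scan` from cron and alert on exit status 2; status 1 means maldet itself failed.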


Maldet Options

These settings are made in the maldet configuration file:

1) quar_hits – The default quarantine action for malware hits; set it to 1 so that hits are quarantined.

2) quar_clean – Attempt to clean detected malware injections; must be set to 1.

3) quar_susp – The default suspend action for users with hits; set it according to your requirements.

4) quar_susp_minuid – The minimum user ID that can be suspended; accounts below this UID are never suspended.


Important Maldet Options

General syntax is:

# maldet [options] /path/to/scan

1) -b, --background – Execute operations in the background, ideal for large scans.

2) -u, --update – Update malware detection signatures from rfxn.com.

3) -l, --log – View maldet log file events.

4) -d, --update-ver – Update the installed version from rfxn.com.

5) -k, --kill – Terminate the inotify monitoring service.

6) -a, --scan-all PATH – Scan all files in PATH.

7) -r, --scan-recent PATH DAYS – Scan files created or modified in the last DAYS days.

8) -p, --purge – Clear logs, quarantine queue, session and temporary data.

9) -q, --quarantine SCAN ID – Quarantine all malware from report SCAN ID.

10) -n, --clean SCAN ID – Clean and restore malware hits from report SCAN ID.

11) -c, --checkout FILE – Upload suspected malware to rfxn.com for review and hashing into signatures.

12) -m, --monitor USERS|PATHS|FILE – Run maldet with kernel-level file create/modify monitoring.

13) -s, --restore FILE|SCAN ID – Restore a file from the quarantine queue to its original path.

14) -U, --user USER – Run under the specified user, ideal for restoring from a user's quarantine.


If you need any further assistance, please contact our support department.
