Linux Malware Detect (LMD) is a signature-based security scanner which can detect and quarantine malware on Linux systems. LMD supports two modes of operation: one-time and real-time. This post is about the former, specifically how to run LMD as a daily cronjob.
In case you are curious, when operating in real-time, LMD monitors targets continuously, triggering a new scan anytime a file is created, changed or moved.
Environment
- Platform: Debian 10.7
- Package: maldetect 1.6.4
Download
Get the latest package from either GitHub or the project website.
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
Install
Unpack the package and run the install script.
tar zxvf maldetect-current.tar.gz
cd maldetect-1.6.4/ && ./install.sh
The installation process creates the directory /usr/local/maldet and copies almost all the package files over.
Configure
To simplify our configuration, we will concentrate on modifying only two files.
1. /usr/local/maldet/conf.maldet
conf.maldet is the main configuration file. At a minimum, consider the following parameters:
email_alert="1"
email_addr="recipient@example.com"
quarantine_hits="0"
scan_ignore_root="0"
In addition to sending email alerts, LMD can quarantine infected files. We will leave this option off for the moment out of concern over false positive scan results.
2. /etc/cron.daily/maldet
This is a stripped-down version of the original cron file bundled with LMD. It is smaller because the configuration pertaining to shared hosting environments has been removed:
#!/usr/bin/env bash
#
# File: /etc/cron.daily/maldet
#
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export LMDCRON=1
inspath='/usr/local/maldetect'
intcnf="$inspath/internals/internals.conf"

# scan only files added/changed in the last 48 hours
scan_days=2
scan_targets='/home,/var/www'

# ensure internals/internals.conf exists
if [ -f "$intcnf" ]
then
    source $intcnf
else
    echo "\$intcnf not found."
    exit 1
fi

# ensure conf.maldet exists ($cnf and $compatcnf come from internals.conf)
if [ -f "$cnf" ]
then
    source $cnf
    if [ -f "$compatcnf" ]
    then
        source $compatcnf
    fi
else
    echo "could not find \$cnf, fatal error, bye."
    exit 1
fi

# prune session, quarantine and temporary data older than cron_prune_days
if [ "$find" ]
then
    tmpdirs="$tmpdir $varlibpath/sess $varlibpath/quarantine $varlibpath/pub"
    for dir in $tmpdirs
    do
        if [ -d "$dir" ]
        then
            $find $dir -type f -mtime +${cron_prune_days} -print0 | xargs -0 rm -f >> /dev/null 2>&1
        fi
    done
fi

if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]
then
    # sleep for random 1-999s interval to better distribute upstream load
    sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
    if [ "$autoupdate_version" == "1" ]
    then
        # check for new release version
        $inspath/maldet -d >> /dev/null 2>&1
    fi
    if [ "$autoupdate_signatures" == "1" ]
    then
        # check for new definition set
        $inspath/maldet -u >> /dev/null 2>&1
    fi
fi

# background scan of files under scan_targets changed in the last scan_days days
$inspath/maldet -b -r $scan_targets $scan_days >> /dev/null 2>&1
Before going on to test our setup, the real-time mode of operation, which is started by the LMD service, needs to be disabled:
systemctl disable maldet.service
Test
We will download the EICAR test file to make our testing more realistic.
wget -O /home/eicar.com https://secure.eicar.org/eicar.com
Run the cron script from the command line:
/etc/cron.daily/maldet
The script performs some housekeeping before starting the scanner in the background.
Observe
You can view the log at any time to see what LMD is doing:
maldet --log
A report is available once the scan has finished:
maldet --report
Check your mail. There should be a copy of the report in your mailbox.
Enhance
To improve performance and detection capabilities, LMD automatically switches to ClamAV's scanner engine if it is available on the system:
apt install clamdscan
Scan
As per our configuration, the cronjob scans only those files created or changed within the past two days. Run a manual scan on all targets to confirm that older files are clean:
maldet --scan-all /home,/var/www
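As an added example (not LMD's own code, nor part of the original post), the script below models the recent-file window that the daily -r scan relies on, assumed here to be a find -mtime selection, and shows why the full scan above is needed: a file restored with its original timestamp, as cp -p, rsync -a or tar preserve it, falls outside the window even though it arrived on the system today. It assumes GNU find and touch and target paths without spaces.

```shell
#!/bin/sh
# Added example, not LMD's own code: model the "recent files" window that the
# daily "maldet -r TARGETS DAYS" run relies on (assumed here to be a
# find -mtime window) and list the files that window leaves unscanned.
# Assumes GNU find/touch and target paths without spaces, as in the post.

# walk_targets TARGETS FIND_TESTS...: run find over each comma-separated
# target directory (missing targets are skipped) and sort the result
walk_targets() {
    _targets=$1; shift
    for _dir in $(printf '%s' "$_targets" | tr ',' ' '); do
        [ -d "$_dir" ] || continue
        find "$_dir" -type f "$@"
    done | sort
}

# recent_files TARGETS DAYS: what a daily "-r TARGETS DAYS" scan covers
recent_files() { walk_targets "$1" -mtime -"$2"; }

# skipped_files TARGETS DAYS: files outside the window; only a full
# "maldet --scan-all TARGETS" run will look at these
skipped_files() { walk_targets "$1" ! -mtime -"$2"; }

# build_sample_tree ROOT: constructed test data. new.php is a fresh upload;
# restored.php came back from a 30-day-old backup with its timestamp
# preserved (cp -p, rsync -a and tar all do this), so its mtime is old.
build_sample_tree() {
    _root=$1
    mkdir -p "$_root/www/uploads" "$_root/home/alice"
    printf 'fresh upload\n' > "$_root/www/uploads/new.php"
    printf 'restored from backup\n' > "$_root/home/alice/restored.php"
    touch -d '30 days ago' "$_root/home/alice/restored.php"
}

# demo: show the coverage gap on a throwaway tree, then clean up
demo() {
    _root=$(mktemp -d)
    build_sample_tree "$_root"
    echo "covered by the daily 2-day scan:"
    recent_files "$_root/www,$_root/home" 2
    echo "left for the full scan:"
    skipped_files "$_root/www,$_root/home" 2
    rm -rf "$_root"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as "sh recent-window.sh demo" to print both lists for the constructed tree.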
- About the author
- Jamshid is an IT professional who is active in Linux, network and cloud administration. You can reach him at blog@zaminit.com.