
Malware scanning with maldet examples

Maldet (Linux Malware Detect, LMD) is a widely used malware detection program for Linux-based systems and servers. I already wrote an article on commonly used malware detection programs; in this article we will look at maldet in more depth, with examples of malware scanning with maldet.

I have been using maldet for a very long time on my LAMP server for malware scanning. maldet is pretty good at identifying PHP-based malware.

Let's see maldet in action: malware scanning with maldet.

Download and install LMD on Linux

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Install maldet

# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# chmod +x ./install.sh
# ./install.sh

Configure maldet scan options

# vi /usr/local/maldetect/conf.maldet
# Enable email alerts in maldet
email_alert=1
email_addr=yourname@youremail.com
email_subj="Malware alerts for $HOSTNAME"
# Move to quarantine and alert (1 enable quarantine, 0 disable)
quar_hits=1
# Clean the code injections (1 enable, 0 disable)
quar_clean=1
# suspend user account or not (1 enable, 0 disable)
quar_susp=0
# Use Clam AV scan engine (1 enable, 0 disable)
clam_av=1

Update maldet malware signature

# maldet -u

Scan the whole /var directory

# maldet -a /var

Monitor a user or directories with maldet (inotify)

# maldet --monitor username
# maldet --monitor /your/path
# maldet --monitor /your/path1,/your/path2

Kill the monitoring

# maldet -k

Scan files modified or created in the last x days (default is 7 days)

# maldet -r /your/path 5

Upload malware to rfxn.com for review and signature updates

# maldet -c /your/file

Restore quarantined files

# maldet --restore /usr/local/maldetect/quarantine/malware.php.304412645

Purge all data (logs, reports, quarantine files)

# maldet -p

Change the scan parameters of the daily maldet scan

# vi /etc/cron.daily/maldet

Check the maldet event log

# maldet -l

List maldet reports, check a specific scan, and email a report.

# maldet -e
# maldet -e list
# maldet -e <scan id>
# maldet -e <scan id> <your@email.address>

Creating exceptions in maldet: Maldet provides some files you can edit to create exceptions for paths, file types, signatures and monitoring.

maldet exception files:

Ignore paths: /usr/local/maldetect/ignore_paths

Ignore file extensions: /usr/local/maldetect/ignore_file_ext

Ignore signatures: /usr/local/maldetect/ignore_sigs (e.g. base64.inject.unclassed)

Ignore files and directories from monitoring: /usr/local/maldetect/ignore_inotify (a regex per line, e.g. ^/home/user$)
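Putting the conf.maldet settings and the exception files above together, here is an added example that is not code from the original post or from the maldet project: a small POSIX shell script that sets the configuration keys idempotently (replacing existing or commented-out lines, appending missing ones) and registers a path in ignore_paths without duplicating it. MALDET_ROOT, the function names and the path /home/bigaccount are assumptions so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not code from the original post or from the maldet project.
# MALDET_ROOT is an assumption so the functions can be tried on a scratch copy
# of the install before touching /usr/local/maldetect.
MALDET_ROOT="${MALDET_ROOT:-/usr/local/maldetect}"

# maldet_set KEY VALUE: set KEY="VALUE" in conf.maldet. An existing line for
# KEY (even one commented out with '#') is replaced, duplicates are dropped and
# a missing key is appended, so re-running the script is safe.
maldet_set() {
    key=$1; value=$2; conf="$MALDET_ROOT/conf.maldet"; tmp="$conf.tmp.$$"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^#?[ \t]*" k "=") { if (!done) { print k "=\"" v "\""; done = 1 }; next }
        { print }
        END { if (!done) print k "=\"" v "\"" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# maldet_get KEY: print the current value of KEY (surrounding quotes stripped).
maldet_get() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$MALDET_ROOT/conf.maldet" | tail -n 1
}

# maldet_ignore PATH: add PATH to ignore_paths once; maldet skips it on scans.
maldet_ignore() {
    f="$MALDET_ROOT/ignore_paths"
    touch "$f"
    grep -qxF -- "$1" "$f" || printf '%s\n' "$1" >> "$f"
}

# Apply the conf.maldet settings shown in this post and skip one large account
# (placeholder path) through the ignore_paths file described above.
apply_tutorial_settings() {
    maldet_set email_alert 1
    maldet_set email_addr yourname@youremail.com
    maldet_set email_subj 'Malware alerts for $HOSTNAME'
    maldet_set quar_hits 1
    maldet_set quar_clean 1
    maldet_set quar_susp 0
    maldet_set clam_av 1
    maldet_ignore /home/bigaccount
}

# Run as: MALDET_ROOT=/usr/local/maldetect sh maldet_setup.sh apply
if [ "${1:-}" = apply ]; then
    apply_tutorial_settings
    maldet -u                      # refresh signatures afterwards
fi
```

Re-running the script leaves conf.maldet and ignore_paths unchanged, which makes it safe to keep in a provisioning step.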

There is a lot more information available on rfxn.com: https://www.rfxn.com/appdocs/README.maldetect

  • Hasa Ghu

    Hey,

    I usually scan the whole home directory on a cPanel server, but there are a few accounts with 150 GB of data. I want those users to be ignored by the maldet scan; how can I do this?
    Write down the correct command, or what changes I need to make in the config, with the config path?
