Follow through this guide to learn how you can integrate Linux Malware Detect with ClamAV. Linux Malware Detect (LMD), can be configured to use ClamAV as scanner engine for improved performance on large file sets. The clamscan engine is used in conjunction with native ClamAV signatures updated through freshclam along with LMD signatures providing additional detection capabilities.
Integrate Linux Malware Detect with ClamAV
Our previous tutorials discussed how to install Linux Malware Detect and ClamAV on various Linux distros;
Install Linux Malware Detect on Ubuntu 22.04/Ubuntu 20.04
Install ClamAV on Ubuntu 22.04/Ubuntu 20.04
So assuming that you have both LMD and ClamAV installed, how can you integrate the two to work together?
It is very easy to integrate Linux Malware Detect with ClamAV. All you have to do is configure Linux Malware Detect (LMD) to use the ClamAV engine.
Thus, open the LMD configuration file, /usr/local/maldetect/conf.maldet, and update the value of the scan_clamscan parameter from 0 to 1 to enable it (if it is not already configured so). You can check the current value with;
grep scan_clamscan /usr/local/maldetect/conf.maldet
Sample output;
scan_clamscan="1"
In my setup, it is already enabled.
If it is set to 0 in your setup, simply run the command below to enable it;
sed -i '/scan_clamscan/s/0/1/' /usr/local/maldetect/conf.maldet
Next, stop and disable the ClamAV daemon (clamd). LMD invokes the clamscan binary directly, so the daemon is not needed for these scans;
systemctl disable --now clamav-daemon.service
Next, update the ClamAV signature database. Stop the freshclam service first so that the manual update does not conflict with the running service, then run freshclam;
systemctl stop clamav-freshclam.service
freshclam
Once the update is done, start the freshclam service again;
systemctl start clamav-freshclam.service
You can also update the LMD signatures;
maldet -u
Scanning Linux System Directories using LMD with ClamAV
Now that you have integrated Linux Malware Detect with ClamAV, you can then run the scans.
For example, to scan the default directories/paths (/tmp, /var/tmp, /dev/shm, /var/fcgi_ipc);
maldet -a
Sample scan output;
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks
(C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(63051): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(63051): {scan} building file list for , this might take awhile...
maldet(63051): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(63051): {scan} file list completed in 2s, found 330 files...
maldet(63051): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(63051): {scan} scan of (330 files) in progress...
maldet(63051): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(63051): {scan} scan completed on : files 330, malware hits 1, cleaned hits 0, time 33s
maldet(63051): {scan} scan report saved, to view run: maldet --report 220324-2252.63051
maldet(63051): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220324-2252.63051
From the output, you will notice that LMD uses the ClamAV engine; see the line "{scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...". Note also the last line of the output: quarantining is disabled by default, so hits are only reported unless you set quarantine_hits=1 in conf.maldet or run maldet -q with the scan ID.
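As an added example (not from the original tutorial, and not part of LMD or ClamAV), the shell helpers below check the two things this integration relies on: that conf.maldet really has scan_clamscan="1" (covering the configuration step above), and that a saved maldet scan log shows the ClamAV engine being used and how many hits it reported (covering the scan output just shown). The conf file, log file and their contents are constructed here for the demonstration; GNU sed is assumed for the in-place edit.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: two helpers for checking an
# LMD + ClamAV integration. Assumes GNU sed (for -i) and a conf.maldet-style file.
#   ensure_clamscan_enabled CONF - set scan_clamscan="1" if it is "0"; print the value
#   summarize_scan LOG           - read saved maldet output, print "ENGINE HITS CLEANED",
#                                  return non-zero when malware hits were reported

ensure_clamscan_enabled() {
    conf="$1"
    # Anchor on the key at line start so a comment mentioning scan_clamscan is untouched,
    # and only rewrite the value "0" so the edit is idempotent.
    sed -i 's/^scan_clamscan="0"/scan_clamscan="1"/' "$conf"
    sed -n 's/^scan_clamscan="\([01]\)"/\1/p' "$conf"
}

summarize_scan() {
    log="$1"
    engine=native
    # LMD prints this {scan} line only when it picked up /usr/bin/clamscan.
    grep -q 'using clamav scanner engine' "$log" && engine=clamav
    # Pull the counters out of the completion line:
    #   "... scan completed on : files 330, malware hits 1, cleaned hits 0, time 33s"
    hits=$(sed -n 's/.*malware hits \([0-9]*\),.*/\1/p' "$log")
    cleaned=$(sed -n 's/.*cleaned hits \([0-9]*\),.*/\1/p' "$log")
    # A missing completion line (interrupted scan) is reported as 0 hits.
    echo "$engine ${hits:-0} ${cleaned:-0}"
    [ "${hits:-0}" -eq 0 ]
}

# Constructed sample inputs so the helpers can be exercised without a live system.
demo_conf=$(mktemp)
demo_log=$(mktemp)
printf '# comment mentioning scan_clamscan\nscan_clamscan="0"\nquarantine_hits="0"\n' > "$demo_conf"
cat > "$demo_log" <<'EOF'
maldet(63051): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(63051): {scan} scan of (330 files) in progress...
maldet(63051): {scan} scan completed on : files 330, malware hits 1, cleaned hits 0, time 33s
EOF

echo "scan_clamscan is now: $(ensure_clamscan_enabled "$demo_conf")"
echo "scan summary (engine hits cleaned): $(summarize_scan "$demo_log")"
```

Point summarize_scan at the output of a real maldet run (for example, maldet -a redirected to a file) and its exit status can drive a cron or monitoring alert when hits are non-zero.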
You can view more LMD command line options with;
maldet -h
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks
(C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
signature set: 20220322840957
usage /usr/local/sbin/maldet [ OPTION ]
-b, --background
Execute operations in the background, ideal for large scans
e.g: maldet -b -r /home/?/public_html 7
-u, --update-sigs [--force]
Update malware detection signatures from rfxn.com
-d, --update-ver [--force]
Update the installed version from rfxn.com
-f, --file-list
Scan files or paths defined in line spaced file
e.g: maldet -f /root/scan_file_list
-r, --scan-recent PATH DAYS
Scan files created/modified in the last X days (default: 7d, wildcard: ?)
e.g: maldet -r /home/?/public_html 2
-a, --scan-all PATH
Scan all files in path (default: /home, wildcard: ?)
e.g: maldet -a /home/?/public_html
-i, --include-regex REGEX
Include paths/files from file list based on supplied posix-egrep regular
expression.
e.g: To include only paths named wp-content and files ending in .php:
--include-regex ".*/wp-content/.*|.*.php$"
-x, --exclude-regex REGEX
Exclude paths/files from file list based on supplied posix-egrep regular
expression.
e.g: To exclude paths containing 'wp-content/w3tc/' and core files:
--exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"
-m, --monitor USERS|PATHS|FILE|RELOAD
Run maldet with inotify kernel level file create/modify monitoring
If USERS is specified, monitor user homedirs for UID's > 500
If FILE is specified, paths will be extracted from file, line spaced
If PATHS are specified, must be comma spaced list, NO WILDCARDS!
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton
-k, --kill-monitor
Terminate inotify monitoring service
-c, --checkout FILE
Upload suspected malware to rfxn.com for review & hashing into signatures
-l, --log
View maldet log file events
-e, --report SCANID email
View scan report of most recent scan or of a specific SCANID and optionally
e-mail the report to a supplied e-mail address
e.g: maldet --report
e.g: maldet --report list
e.g: maldet --report 050910-1534.21135
e.g: maldet --report SCANID user@domain.com
-s, --restore FILE|SCANID
Restore file from quarantine queue to orginal path or restore all items from
a specific SCANID
e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
e.g: maldet --restore 050910-1534.21135
-q, --quarantine SCANID
Quarantine all malware from report SCANID
e.g: maldet --quarantine 050910-1534.21135
-n, --clean SCANID
Try to clean & restore malware hits from report SCANID
e.g: maldet --clean 050910-1534.21135
-U, --user USER
Set execution under specified user, ideal for restoring from user quarantine or
to view user reports.
e.g: maldet --user nobody --report
e.g: maldet --user nobody --restore 050910-1534.21135
-co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
Set or redefine the value of conf.maldet config options
e.g: maldet --config-option email_alert=1,email_addr=user@domain.com,quarantine_hits=1
-p, --purge
Clear logs, quarantine queue, session and temporary data.
--web-proxy IP:PORT
Enable use of HTTP/HTTPS proxy for all remote URL calls.
And that is how you can easily integrate Linux Malware Detect with ClamAV.