Install Linux Malware Detect on Ubuntu 22.04/Ubuntu 20.04


Follow this tutorial to learn how to install Linux Malware Detect on Ubuntu 22.04/Ubuntu 20.04. Linux Malware Detect (LMD) is an open-source malware scanner for Linux designed for shared hosting environments.

Install Linux Malware Detect on Ubuntu 22.04/Ubuntu 20.04

LMD utilizes data from network edge IDS devices, user submissions or malware community resources to extract malware that is actively being used in attacks and generates signatures for detection.

Some of the notable features for LMD include;

  • MD5 file hash detection for quick threat identification
  • HEX based pattern matching for identifying threat variants
  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • integrated detection of ClamAV to use as scanner engine for improved performance
  • integrated signature update feature with -u|--update
  • integrated version update feature with -d|--update-ver
  • scan-recent option to scan only files that have been added/changed in X days
  • scan-all option for full path based scanning
  • checkout option to upload suspected malware to rfxn.com for review / hashing
  • full reporting system to view current and previous scan results
  • quarantine queue that stores threats in a safe fashion with no permissions
  • quarantine batching option to quarantine the results of a current or past scans
  • quarantine restore option to restore files to original path, owner and perms
  • quarantine suspend account option to Cpanel suspend or shell revoke users
  • cleaner rules to attempt removal of malware injected strings
  • cleaner batching option to attempt cleaning of previous scan reports
  • cleaner rules to remove base64 and gzinflate(base64) injected malware
  • daily cron based scanning of all changes in last 24h in user homedirs
  • daily cron script compatible with stock RH style systems, Cpanel & Ensim
  • kernel based inotify real time file scanning of created/modified/moved files
  • kernel inotify monitor that can take path data from STDIN or FILE
  • kernel inotify monitor convenience feature to monitor system users
  • kernel inotify monitor can be restricted to a configurable user html root
  • kernel inotify monitor with dynamic sysctl limits for optimal performance
  • kernel inotify alerting through daily and/or optional weekly reports
  • e-mail alert reporting after every scan execution (manual & daily)
  • path, extension and signature based ignore options
  • background scanner option for unattended scan operations
  • verbose logging & output of all actions

So how do you install Linux Malware Detect on Ubuntu?

First of all, LMD is not available in the default Ubuntu repositories. Thus, you have to install it from the source tarball.

Download LMD Source Tarball

You can download the current release of the LMD tarball by running the command below;

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Install Linux Malware Detect

Once the download is complete, extract the source code;

tar xzf maldetect-current.tar.gz

Next, navigate to the source code directory and run the install.sh script to install Linux Malware Detect on Ubuntu;

cd maldetect-1.6.4/
sudo ./install.sh

Sample installation output;


Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /lib/systemd/system/maldet.service.
update-rc.d: error: unable to read /etc/init.d/maldet
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(12260): {sigup} performing signature update check...
maldet(12260): {sigup} local signature set is version 201907043616
maldet(12260): {sigup} new signature set 20220322840957 available
maldet(12260): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(12260): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(12260): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(12260): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(12260): {sigup} verified md5sum of maldet-clean.tgz
maldet(12260): {sigup} unpacked and installed maldet-clean.tgz
maldet(12260): {sigup} signature set update completed
maldet(12260): {sigup} 17272 signatures (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)

LMD is installed as the maldet binary.

which maldet
/usr/local/sbin/maldet

It is also installed as lmd.

which lmd
/usr/local/sbin/lmd

So you can use either lmd or maldet command for scanning.

Basic LMD Command Line Syntax

The basic maldet command line syntax is;

maldet [OPTION]

For example, to print the LMD command line help, just run;

sudo maldet -h

Sample command output;


Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 20220322840957
usage /usr/local/sbin/maldet [ OPTION ]
    -b, --background
      Execute operations in the background, ideal for large scans
      e.g: maldet -b -r /home/?/public_html 7

    -u, --update-sigs [--force]
       Update malware detection signatures from rfxn.com

    -d, --update-ver [--force]
       Update the installed version from rfxn.com

    -f, --file-list
       Scan files or paths defined in line spaced file
       e.g: maldet -f /root/scan_file_list

    -r, --scan-recent PATH DAYS
       Scan files created/modified in the last X days (default: 7d, wildcard: ?)
       e.g: maldet -r /home/?/public_html 2

    -a, --scan-all PATH
       Scan all files in path (default: /home, wildcard: ?)
       e.g: maldet -a /home/?/public_html

    -i, --include-regex REGEX
       Include paths/files from file list based on supplied posix-egrep regular
       expression.
       e.g: To include only paths named wp-content and files ending in .php:
       --include-regex ".*/wp-content/.*|.*.php$"

    -x, --exclude-regex REGEX
       Exclude paths/files from file list based on supplied posix-egrep regular
       expression.
       e.g: To exclude paths containing 'wp-content/w3tc/' and core files:
       --exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"

    -m, --monitor USERS|PATHS|FILE|RELOAD
       Run maldet with inotify kernel level file create/modify monitoring
       If USERS is specified, monitor user homedirs for UID's > 500
       If FILE is specified, paths will be extracted from file, line spaced
       If PATHS are specified, must be comma spaced list, NO WILDCARDS!
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

    -k, --kill-monitor
       Terminate inotify monitoring service

    -c, --checkout FILE
       Upload suspected malware to rfxn.com for review & hashing into signatures

    -l, --log
       View maldet log file events

    -e, --report SCANID email
       View scan report of most recent scan or of a specific SCANID and optionally
       e-mail the report to a supplied e-mail address
       e.g: maldet --report
       e.g: maldet --report list
       e.g: maldet --report 050910-1534.21135
       e.g: maldet --report SCANID [email protected]

    -s, --restore FILE|SCANID
       Restore file from quarantine queue to orginal path or restore all items from
       a specific SCANID
       e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
       e.g: maldet --restore 050910-1534.21135

    -q, --quarantine SCANID
       Quarantine all malware from report SCANID
       e.g: maldet --quarantine 050910-1534.21135

    -n, --clean SCANID
       Try to clean & restore malware hits from report SCANID
       e.g: maldet --clean 050910-1534.21135

    -U, --user USER
       Set execution under specified user, ideal for restoring from user quarantine or
       to view user reports.
       e.g: maldet --user nobody --report
       e.g: maldet --user nobody --restore 050910-1534.21135

    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
       Set or redefine the value of conf.maldet config options
       e.g: maldet --config-option [email protected],quarantine_hits=1

    -p, --purge
       Clear logs, quarantine queue, session and temporary data.

    --web-proxy IP:PORT
       Enable use of HTTP/HTTPS proxy for all remote URL calls.

Check Linux Malware Detect Version Information

If you want to check the version of the currently installed LMD, just run;

sudo maldet

Sample output. Version is shown on the first line;


Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 20220322840957
usage maldet [-h|--help] [-a|--scan-all PATH] [-r|--scan-recent PATH DAYS]
      [-f|--file-list PATH] [-i|--include-regex] [-x|--exclude-regex]
      [-b|--background] [-m|--monitor] [-k|--kill-monitor] [-c|--checkout]
      [-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log] [-e|--report]
      [-u|--update-sigs] [-d|--update-ver]

Updating LMD Signatures and Release Version

You can update the LMD signature set at any time with -u|--update-sigs. To update the installed LMD version itself to the current release, use -d|--update-ver instead (see the help output above). To update the signatures, run;

sudo maldet -u

Sample command output;


Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(15005): {sigup} performing signature update check...
maldet(15005): {sigup} local signature set is version 20220322840957
maldet(15005): {sigup} latest signature set already installed

Configure LMD on Ubuntu

LMD uses /usr/local/maldetect/conf.maldet as its default configuration file.

The default configurations are shown below;

cat /usr/local/maldetect/conf.maldet

##
# Linux Malware Detect v1.6.4
#             (C) 2002-2019, R-fx Networks 
#             (C) 2019, Ryan MacDonald 
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##

# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID [email protected]'.
# [0 = disabled, 1 = enabled]
email_alert="0"

# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr="[email protected]"

# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"

# Enable or disable slack alerts, this will upload the scan report as a file
# into one or more slack channels
# [0 = disabled, 1 = enabled]
slack_alert="0"

# The file name of the file that will be uploaded to slack channel(s)
slack_subj="maldet alert from $(hostname)"

# Slack authentication token.
# Requires scope: files:write:user
# more information https://api.slack.com/methods/files.upload
slack_token="AUTH_TOKEN"

# Comma-separated list of channel names or IDs
# where the scan report will be shared.
slack_channels="maldetreports"

# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures a released multiple times per-week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"

# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"

# This controls validating the LMD executable MD5 hash with known
# good upstream hash value. This allows LMD to replace the the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"

# The retention period, in days, which quarantine, temporary files and stale
# session information should be retained. Data older than this value is deleted
# with the daily cron execution.
cron_prune_days="21"

# This controls whether or not daily automatic scanning of standard web
# directories is performed via cron.
# [0 = disabled, 1 = enabled]
cron_daily_scan="1"

# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
import_config_url=""

# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
import_config_expire="43200"

# When defined, the import_custsigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within a import_config_url file.
import_custsigs_md5_url=""
import_custsigs_hex_url=""

##
# [ SCAN OPTIONS ]
##

# The maximum directory depth that the scanner will search, a value
# of 10-15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="15"

# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="24"

# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="2048k"

# The maximum byte depth that the scanner will search into a files content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"

# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="1"

# The maximum byte depth that the scanner will search into a files content
#s when using named pipe (FIFO). Improved performance allows for greater
# scan depth over default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"

# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"

# Include the scanning of known temporary world-writable paths for
# -a|--al and -r|--recent scan types.
scan_tmpdir_paths="/tmp /var/tmp /dev/shm /var/fcgi_ipc"

# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="0"

# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
scan_cpunice="19"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="6"

# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
scan_cpulimit="0"

# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="1"

# This allows for specific user or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=""
scan_ignore_group=""

# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="0"

# The '-r|--recent' 'find' operation performed by LMD detects recently created/modifed
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is set enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="0"

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="0"

# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="0"

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="0"

# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="500"

# When using an external scan engine, such as ClamAV, should files be
# quarantined if an error from the scanner engine is received?
# This is defaulted to 1, always quarantine, as ClamAV generates an
# error exit code for trivial errors such as file not found. As such, a
# large percentage of scans will have ClamAV exiting with error code 2.
# [ 0 = do not quarantine, 1 = always quarantine ]
quarantine_on_error="1"

##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or path to line
# spaced file containing local paths to monitor.
#
# This option is optional for the init based startup script, maldet.sh. This
# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldet' is
# present with a defined value for $MONITOR_MODE.
#
# This option is REQUIRED for the systemd maldet.service script. That script
# only checks for the value of $default_monitor_mode. The service will fail to
# start if a value is not provided.
default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"

# The base number of files that can be watched under a path,
# this ends up being a relative value per-user in user mode.
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"

# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved.
inotify_sleep="15"

# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports and user signatures.
inotify_reloadtime="3600"

# The minimum userid that will be added to path monitoring when
# the USERS option is specified.
inotify_minuid="500"

# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ comma spaced list, clear option to default monitor user homedir ]
inotify_docroot="public_html,public_ftp"

# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
inotify_cpunice="18"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="6"

# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
inotify_cpulimit="0"

# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your 'event_log' file, intended only for debugging purposes.
inotify_verbose="0"

##
# [ STATISTICAL ANALYSIS ]
# This is an EXPERIMENTAL feature and should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan="0"		# [ 0 = disabled, 1 = enabled ]
string_length="150000"		# [ max string length ]

The file is highly commented to make it easy for you to read through the various configuration options and update them to suit your needs.

Running LMD for Malware Detection

Once you have configured LMD as you see fit, you can run it either on demand from the command line or as a service to detect malware on your system.

To run LMD on command line, use either lmd or maldet commands.

For example, to scan a specific directory to detect malware threats, simply execute;

sudo maldet -a /PATH/TO/SCAN

Replace /PATH/TO/SCAN with the path/directory that you want to scan.

For example, to scan the entire /home directory (the default);

sudo maldet -a

or

sudo lmd -a

NOTE: By default this will also include the following paths;

scan_tmpdir_paths="/tmp /var/tmp /dev/shm /var/fcgi_ipc"

Sample scan output;


Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19833): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(19833): {scan} building file list for , this might take awhile...
maldet(19833): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(19833): {scan} file list completed in 0s, found 162 files...
maldet(19833): {scan} scan of  (162 files) in progress...
maldet(19833): {scan} 162/162 files scanned: 0 hits 0 cleaned

maldet(19833): {scan} scan completed on : files 162, malware hits 1, cleaned hits 0, time 12s
maldet(19833): {scan} scan report saved, to view run: maldet --report 220323-2127.19833
maldet(19833): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220323-2127.19833

To scan a specific path, you need to specify the path;

sudo lmd -a /home/janedoe

Sample scan output;


Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(33932): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(33932): {scan} building file list for /home/janedoe/, this might take awhile...
maldet(33932): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(33932): {scan} file list completed in 0s, found 161 files...
maldet(33932): {scan} scan of /home/janedoe/ (161 files) in progress...
maldet(33932): {scan} 161/161 files scanned: 0 hits 0 cleaned

maldet(33932): {scan} scan completed on /home/janedoe/: files 161, malware hits 0, cleaned hits 0, time 11s
maldet(33932): {scan} scan report saved, to view run: maldet --report 220323-2143.33932

Viewing and Reading LMD Scan Reports

LMD names each report after the scan date, time and process ID. For example, the scan above saved its report as 220323-2143.33932.

You can view the generated reports by passing the option -e/--report list to either lmd or maldet command.

For example;

sudo lmd -e list

Sample output;


Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

Mar  23  2022  21:43:45  |  SCANID:  220323-2143.33932  |  RUNTIME:  11s  |  FILES:  161  |  HITS:  0  |  CLEANED:  0
Mar  23  2022  21:33:01  |  SCANID:  220323-2133.30630  |  RUNTIME:  11s  |  FILES:  162  |  HITS:  1  |  CLEANED:  0
Mar  23  2022  21:32:01  |  SCANID:  220323-2132.27967  |  RUNTIME:  11s  |  FILES:  162  |  HITS:  1  |  CLEANED:  0
Mar  23  2022  21:30:15  |  SCANID:  220323-2130.25302  |  RUNTIME:  12s  |  FILES:  162  |  HITS:  1  |  CLEANED:  0
Mar  23  2022  21:28:55  |  SCANID:  220323-2128.22489  |  RUNTIME:  12s  |  FILES:  162  |  HITS:  1  |  CLEANED:  0
Mar  23  2022  21:27:08  |  SCANID:  220323-2127.19833  |  RUNTIME:  12s  |  FILES:  162  |  HITS:  1  |  CLEANED:  0
Mar  23  2022  21:24:18  |  SCANID:  220323-2124.16311  |  RUNTIME:  20s  |  FILES:  206  |  HITS:  3  |  CLEANED:  0

To read a report;

sudo lmd -e SCANID

For example;

sudo lmd -e 220323-2143.33932

LMD will open the report using your default text editor;

Sample report;


HOST:      ubuntu2204
SCAN ID:   220323-2143.33932
STARTED:   Mar 23 2022 21:43:45 +0300
COMPLETED: Mar 23 2022 21:43:56 +0300
ELAPSED:   11s [find: 0s]

PATH:          /home/janedoe/
TOTAL FILES:   161
TOTAL HITS:    0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.6.4 < [email protected] >

Detecting Threats with LMD

You can test that LMD detects malicious files by downloading the EICAR anti-malware test file into a directory on your system.

wget -P /tmp https://secure.eicar.org/eicar_com.zip

Next, run the scan (by default /tmp, /var/tmp, /dev/shm and /var/fcgi_ipc are included in the scan);

sudo lmd -a

Sample output;


Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(36978): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(36978): {scan} building file list for , this might take awhile...
maldet(36978): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(36978): {scan} file list completed in 0s, found 323 files...
maldet(36978): {scan} scan of  (323 files) in progress...
maldet(36978): {scan} 323/323 files scanned: 0 hits 0 cleaned

maldet(36978): {scan} scan completed on : files 323, malware hits 1, cleaned hits 0, time 23s
maldet(36978): {scan} scan report saved, to view run: maldet --report 220323-2145.36978
maldet(36978): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220323-2145.36978

Reading the report;

sudo maldet --report 220323-2145.36978

Sample output;


HOST:      ubuntu2204
SCAN ID:   220323-2145.36978
STARTED:   Mar 23 2022 21:45:47 +0300
COMPLETED: Mar 23 2022 21:46:10 +0300
ELAPSED:   23s [find: 0s]

PATH:
TOTAL FILES:   323
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 220323-2145.36978

FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
===============================================
Linux Malware Detect v1.6.4 < [email protected] >
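The following script is an added example, not part of LMD or of this tutorial's original steps. It works on the two report formats shown above: the scan listing printed by maldet -e list, from which it prints the SCANIDs that still have uncleaned hits, and the body of a saved report, from which it prints the signature and path of every FILE HIT LIST entry. The sample inputs are constructed copies of the output above; on a real host, pipe in maldet -e list or the report text instead.

```bash
#!/bin/sh
# Added example, not part of the LMD project: triage helpers for maldet reports.
# Sample inputs below are constructed from the report output shown in this tutorial.

# Constructed copy of three "maldet -e list" lines.
SAMPLE_LIST='Mar  23  2022  21:43:45  |  SCANID:  220323-2143.33932  |  RUNTIME:  11s  |  FILES:  161  |  HITS:  0  |  CLEANED:  0
Mar  23  2022  21:33:01  |  SCANID:  220323-2133.30630  |  RUNTIME:  11s  |  FILES:  162  |  HITS:  1  |  CLEANED:  0
Mar  23  2022  21:24:18  |  SCANID:  220323-2124.16311  |  RUNTIME:  20s  |  FILES:  206  |  HITS:  3  |  CLEANED:  0'

# Constructed copy of the body of the EICAR scan report shown above.
SAMPLE_REPORT='HOST:      ubuntu2204
SCAN ID:   220323-2145.36978
TOTAL FILES:   323
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!

FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
==============================================='

# uncleaned_scans: read "maldet -e list" output on stdin and print
# "SCANID HITS CLEANED" for every scan whose hits were not all cleaned.
uncleaned_scans() {
    awk -F'|' '
    {
        scanid = ""; hits = 0; cleaned = 0
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, ":")
            if (n < 2) continue
            key = kv[1]; val = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "SCANID")  scanid  = val
            if (key == "HITS")    hits    = val + 0
            if (key == "CLEANED") cleaned = val + 0
        }
        if (scanid != "" && hits > cleaned) print scanid, hits, cleaned
    }'
}

# report_hits: read a report body on stdin and print one "SIGNATURE<TAB>PATH"
# line per entry of its FILE HIT LIST (the "{HEX}EICAR.TEST.3 : /tmp/..." lines).
report_hits() {
    awk '
    /^FILE HIT LIST:/ { inlist = 1; next }
    /^=+$/            { inlist = 0 }
    inlist && index($0, " : ") > 0 {
        i = index($0, " : ")
        printf "%s\t%s\n", substr($0, 1, i - 1), substr($0, i + 3)
    }'
}

# Stand-alone run over the constructed samples; on a real host use
#   maldet -e list | uncleaned_scans
printf '%s\n' "$SAMPLE_LIST"   | uncleaned_scans
printf '%s\n' "$SAMPLE_REPORT" | report_hits
```

The first helper is the one to wire into a cron job or monitoring check: with quarantine_hits left at 0, every scan that reports HITS greater than CLEANED is a scan whose detected files are still in place and still readable by users, which is exactly what the WARNING line in the report above says.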

Configure LMD to run as a Service

When installed, LMD creates a systemd service, maldet.service.

By default, it is configured to monitor the paths defined by the variable $default_monitor_mode;

cat /lib/systemd/system/maldet.service

[Unit]
Description=Linux Malware Detect monitoring - maldet
After=network.target

[Service]
EnvironmentFile=/usr/local/maldetect/conf.maldet
ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode
ExecStop=/usr/local/maldetect/maldet --kill-monitor
Type=forking
PIDFile=/usr/local/maldetect/tmp/inotifywait.pid
[Install]
WantedBy=multi-user.target

You need to define, in conf.maldet, the path to the file that contains the paths (newline separated) to monitor.

Take for example, to monitor /home and /etc;

echo -e '/home\n/etc' | sudo tee -a /usr/local/maldetect/monitor_paths

Next, set the value of default_monitor_mode in conf.maldet to the above file path. By default, it is set to users.

sudo sed -i '/="users"/s/^/# /;/monitor_paths/s/^# //' /usr/local/maldetect/conf.maldet
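The following script is an added example, not the LMD project's own tooling. It edits conf.maldet options by name instead of by pattern, which serves both the configuration section above (for instance turning on quarantine_hits and e-mail alerts) and the default_monitor_mode switch just shown: the active line is rewritten, a commented-out example line such as the second default_monitor_mode line is uncommented only when no active line exists, and a missing option is appended. The option names are the ones listed in the default conf.maldet above; the sample file, the e-mail address and the values are constructed for the demonstration, and on a real host you would call harden_conf on /usr/local/maldetect/conf.maldet as root instead of on the sample.

```bash
#!/bin/sh
# Added example, not part of the LMD project: edit conf.maldet options in place
# and read them back. Option names are the ones listed in the default
# conf.maldet shown in this tutorial; file path and values are chosen by the caller.

# set_conf_option FILE NAME VALUE
# Rewrites the first active NAME="..." line; if only a commented-out
# "# NAME=..." example line exists (as for default_monitor_mode's second line),
# that line is uncommented; if NAME is absent it is appended.
set_conf_option() {
    file=$1 name=$2 value=$3
    if grep -q "^${name}=" "$file"; then re="^${name}="; else re="^# *${name}="; fi
    tmp=$(mktemp)
    awk -v name="$name" -v value="$value" -v re="$re" '
        $0 ~ re && !done { print name "=\"" value "\""; done = 1; next }
        { print }
        END { if (!done) print name "=\"" value "\"" }
    ' "$file" > "$tmp"
    # cat rather than mv keeps the ownership and mode of the original file
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_conf_option FILE NAME: print the value of the last active NAME= line,
# with surrounding quotes and any trailing "# comment" removed (the same line
# wins as when the shell sources the file).
get_conf_option() {
    awk -v name="$2" '
        index($0, name "=") == 1 {
            v = substr($0, length(name) + 2)
            sub(/[ \t]+#.*$/, "", v)
            gsub(/^"|"$/, "", v)
            last = v
        }
        END { print last }' "$1"
}

# write_sample_conf FILE: constructed excerpt of the default conf.maldet, so
# this example runs without an LMD install. Never run this against the real
# /usr/local/maldetect/conf.maldet; it would overwrite it.
write_sample_conf() {
    cat > "$1" <<'EOF'
# [0 = disabled, 1 = enabled]
email_alert="0"
email_addr="you@example.com"
quarantine_hits="0"
default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
string_length_scan="0"    # [ 0 = disabled, 1 = enabled ]
EOF
}

# harden_conf FILE: the settings this tutorial discusses, applied together:
# quarantine hits instead of alert-only, mail the reports, and switch the
# systemd service from "users" to the monitor_paths file (same effect as the
# sed one-liner above, without touching other lines that happen to contain "users").
harden_conf() {
    set_conf_option "$1" quarantine_hits 1
    set_conf_option "$1" email_alert 1
    set_conf_option "$1" email_addr "security@example.com"   # placeholder address
    set_conf_option "$1" default_monitor_mode /usr/local/maldetect/monitor_paths
}

# Stand-alone run on a throwaway copy of the sample configuration.
DEMO=$(mktemp)
write_sample_conf "$DEMO"
harden_conf "$DEMO"
cat "$DEMO"
rm -f "$DEMO"
```

After applying the change on a real host, restart the service with systemctl restart maldet so the new $default_monitor_mode is read, and confirm with get_conf_option /usr/local/maldetect/conf.maldet default_monitor_mode that exactly one active assignment remains.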

The maldet service also requires inotify-tools, which can be installed by running the command;

sudo apt install inotify-tools -y

Reload Systemd configs and start and enable LMD to run on system boot;

sudo systemctl daemon-reload
sudo systemctl enable --now maldet

Checking the status;

systemctl status maldet

Sample command output;


● maldet.service - Linux Malware Detect monitoring - maldet
     Loaded: loaded (/lib/systemd/system/maldet.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-03-23 23:23:24 EAT; 4s ago
    Process: 45479 ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode (code=exited, status=0/SUCCESS)
   Main PID: 45584 (inotifywait)
      Tasks: 3 (limit: 2306)
     Memory: 4.5M
        CPU: 223ms
     CGroup: /system.slice/maldet.service
             ├─45584 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.45479 --exclude "(^/var/tmp/mysql.sock\$|^/tmp/mysql.sock\$|^/var/cache/buagent/md0.cache.dat>
             ├─45597 bash /usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
             └─45604 sleep 15

Mar 23 23:23:22 ubuntu2204 maldet[45479]: Linux Malware Detect v1.6.4
Mar 23 23:23:22 ubuntu2204 maldet[45479]:             (C) 2002-2019, R-fx Networks 
Mar 23 23:23:22 ubuntu2204 maldet[45479]:             (C) 2019, Ryan MacDonald 
Mar 23 23:23:22 ubuntu2204 maldet[45479]: This program may be freely redistributed under the terms of the GNU GPL v2
Mar 23 23:23:22 ubuntu2204 maldet[45479]: maldet(45479): {mon} added /home to inotify monitoring array
Mar 23 23:23:22 ubuntu2204 maldet[45479]: maldet(45479): {mon} added /etc to inotify monitoring array
Mar 23 23:23:22 ubuntu2204 maldet[45479]: maldet(45479): {mon} starting inotify process on 2 paths, this might take awhile...
Mar 23 23:23:24 ubuntu2204 maldet[45479]: maldet(45479): {mon} inotify startup successful (pid: 45584)
Mar 23 23:23:24 ubuntu2204 maldet[45479]: maldet(45479): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Mar 23 23:23:24 ubuntu2204 systemd[1]: Started Linux Malware Detect monitoring - maldet.

Go through the LMD help page to see more command line options and how to use them.

And that is it on how to install Linux Malware Detect on Ubuntu.

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
