Hostwinds Tutorials
Tags: Linux
There are many available malware scanning tools, but the easiest to install, configure, and use is Maldet.
To begin your installation, simply copy the below text as is, and paste into your SSH client.
cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd maldetect-*/
./install.sh
Once this completes, update to the latest virus signatures and update the installed version:
maldet -u
maldet -d
It is recommended to install ClamAV with Maldet to improve both overall scanning capability and speed. To install it on CentOS, you first need to add the EPEL repository:
yum install epel-release
Next, you will install the package with:
yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-system clamav-devel clamav-lib clamav-server-systemd
Now your Maldet scans will run much more quickly, and no additional configuration is needed to connect ClamAV and Maldet.
To install on Ubuntu, you first need to download the installation package:
cd /tmp/
curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz
You then need to extract the installation files:
tar -zxvf maldetect-current.tar.gz
Go to the extracted directory and install:
cd maldetect-*/
bash install.sh
It is recommended to install ClamAV with Maldet to improve both overall scanning capability and speed. To install ClamAV, install its packages:
apt-get -y install clamav clamav-daemon clamdscan
Now your Maldet scans will run much more quickly, and no additional configuration is needed to connect ClamAV and Maldet.
The following portion is identical for both CentOS and Ubuntu/Debian.
To configure Maldet, open its configuration file with your preferred text editor. In this example, we are using nano:
nano /usr/local/maldetect/conf.maldet
From here, you can set the quarantine options and set up email alerts so you receive scan results as soon as a scan completes.
You can also automate the scanning process by creating a cron job to run the scan once a day.
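As an added example (not part of the original tutorial), the script below applies the email and quarantine settings described above and prints a cron entry for a daily scan. The function names, the 03:00 schedule and the /usr/local/sbin/maldet path are assumptions; email_alert, email_addr and quarantine_hits are option names found in conf.maldet.

```shell
#!/bin/sh
# Added example: enable email alerts and quarantine in a maldet config file,
# then print a cron entry for a daily background scan.

# set_opt KEY VALUE FILE: rewrite an existing KEY="..." line, or append it.
# Commented-out lines (#KEY=...) are left alone because the match is anchored.
set_opt() {
    key=$1; value=$2; file=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# harden_conf FILE EMAIL: turn on email alerts and automatic quarantine.
harden_conf() {
    file=$1; email=$2
    cp -p "$file" "${file}.bak"          # keep a copy to roll back to
    set_opt email_alert 1 "$file"        # send a report after each scan
    set_opt email_addr "$email" "$file"  # where the report goes
    set_opt quarantine_hits 1 "$file"    # move detected files to quarantine
}

# cron_line HOUR DIR: print an /etc/cron.d-style entry (with a user field)
# that scans DIR in the background once a day at HOUR:00.
# Assumption: maldet is reachable at /usr/local/sbin/maldet; confirm with
# `command -v maldet` and adjust if your install differs.
cron_line() {
    printf '0 %s * * * root /usr/local/sbin/maldet -b -a %s >/dev/null 2>&1\n' "$1" "$2"
}

# Usage: sh thisfile --apply admin@example.com /home
# Nothing is changed unless --apply is given.
if [ "${1:-}" = "--apply" ]; then
    harden_conf /usr/local/maldetect/conf.maldet "$2"
    # Redirect this line into a file under /etc/cron.d/ to install it.
    cron_line 3 "$3"
fi
```

With quarantine_hits enabled, a false positive moves a live file out of place, so review the first few reports; `maldet --restore` with the scan ID puts quarantined files back.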
You can run a scan at any time, and the usage couldn't be simpler. While in SSH, you can run a scan in the background: you won't see it on screen, and if you added your email address in the configuration file noted above, you will get an email notification with the results once it completes. The background scan is performed as:
maldet -b -a /directory/to/scan
You can also run a scan in the foreground, which will output your results on screen. This is called with:
maldet -a /directory/to/scan
Written by Hostwinds Team / April 17, 2018