How to Install Maldet (Linux Malware Detect) on Debian 11 Bullseye

Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. It is popular with sysadmins and web developers because it focuses on the threats typically found on shared hosting: PHP backdoors, dark mailers and other malicious files uploaded through a compromised website. Its signatures are generated from threat data collected by network edge intrusion detection systems, so they target malware that is actively being used in attacks.

In the following tutorial, you will learn how to install and use Maldet on Debian 11 Bullseye Desktop or Server.

Prerequisites

Update Operating System

Update your Debian operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade -y

The tutorial uses the sudo command and assumes your account has sudo privileges.

To verify sudo status on your account:

sudo whoami

Example output showing sudo status:

[joshua@debian~]$ sudo whoami
root

To set up an existing or new sudo account, visit our tutorial on Adding a User to Sudoers on Debian.

To use the root account instead, log in with the root password:

su

The tutorial will utilize the terminal for the installation found in Activities > Show Applications > Terminal.

Install Maldet on Debian 11 Bullseye

To install Maldet, download the archive from the official download page. The maldetect-current.tar.gz link always points at the latest release, so the download URL does not change between versions.

At the time of writing, 1.6.4 is the latest version; this will change over time. Because the installer runs as root, fetch the archive over HTTPS. The following command downloads the current release into /tmp:

cd /tmp/ && wget https://www.rfxn.com/downloads/maldetect-current.tar.gz

Next, extract the archive:

tar xfz maldetect-current.tar.gz

Change into the extracted directory (adjust the version number if a newer release was downloaded) and run the installer as root:

cd maldetect-1.6.4 && sudo ./install.sh

The installation should be complete in a matter of seconds.

Example:

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(19874): {sigup} performing signature update check...
maldet(19874): {sigup} local signature set is version 201907043616
maldet(19874): {sigup} new signature set 202201013942939 available
maldet(19874): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(19874): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(19874): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(19874): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(19874): {sigup} verified md5sum of maldet-clean.tgz
maldet(19874): {sigup} unpacked and installed maldet-clean.tgz
maldet(19874): {sigup} signature set update completed
maldet(19874): {sigup} 17264 signatures (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)

Configure Maldet on Debian 11 Bullseye

With the installer finished, tune the configuration file with your preferred text editor. Below are the settings most commonly changed, edited here with nano.

First, open the conf.maldet file:

sudo nano /usr/local/maldetect/conf.maldet

Next, find the following lines and set them as shown; the comments explain each option:

# Enable email alerts. Alerts are only delivered if the host has a working
# mail transfer agent (for example postfix or exim4).
email_alert="1"

# Destination address for alerts and scan reports (comma-separated for several).
email_addr="user@domain.com"

# Automatically update the LMD signature set.
autoupdate_signatures="1"

# Automatically update the LMD installation itself.
autoupdate_version="1"

# Run the daily scan from /etc/cron.daily/maldet.
cron_daily_scan="1"

# Allow non-root users to run scans (requires "maldet --mkpubpaths", see below).
scan_user_access="1"

# Quarantine action for hits: 0 = alert only, 1 = move to quarantine and alert.
# On a production server, consider leaving this at 0 until you have reviewed a
# few reports: a false positive moved out of a live web root causes an outage.
quarantine_hits="1"

# Attempt to clean string-based malware injections (requires quarantine_hits=1).
quarantine_clean="0"

# Suspend the owning user account when a hit is found (requires quarantine_hits=1).
quarantine_suspend_user="1"

# Minimum UID that may be suspended. Debian creates regular users from UID 1000
# and system accounts below that, so 1000 prevents service accounts being locked.
quarantine_suspend_user_minuid="1000"

# Use the ClamAV clamscan engine when it is installed.
scan_clamscan="1"

# Root-owned files: 0 = scan them, 1 = ignore them.
scan_ignore_root="0"

All of these settings are optional; choose the values that suit your environment. The scan examples later in this tutorial were run with quarantine_hits left at its default of 0 (alert only), so hits are reported but not moved.
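
Editing a live conf.maldet by hand invites typos and duplicated keys. The following helper is an added example, not part of the tutorial or of the LMD project: a POSIX shell function that sets one key="value" line idempotently, backs the file up first, and refuses values containing characters that would break the file or the sed expression. The demo at the bottom runs against a constructed fragment of conf.maldet, never the real file; the path /usr/local/maldetect/conf.maldet is the one the tutorial uses, and GNU sed -i is assumed (Debian ships GNU sed).

```sh
#!/bin/sh
# Added example: idempotent key="value" setter for conf.maldet.
# Assumes the file uses one `key="value"` assignment per line, as
# /usr/local/maldetect/conf.maldet does. The demo at the bottom runs
# against a constructed fragment, never the real file.
set -eu

# set_conf KEY VALUE FILE
# Replaces an existing `KEY="..."` line or appends one if KEY is absent.
# Returns 1 and changes nothing if KEY or VALUE contain characters that
# would break the file or the sed expression (spaces, quotes, ; | & ...).
set_conf() {
    key=$1; value=$2; file=$3
    if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9_]+$'; then
        echo "set_conf: bad key '$key'" >&2; return 1
    fi
    if printf '%s' "$value" | grep -q '[^A-Za-z0-9@._,-]'; then
        echo "set_conf: bad value for $key" >&2; return 1
    fi
    cp -p "$file" "$file.bak"      # keep the previous settings
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf KEY FILE -> prints the value of KEY (quotes stripped), or nothing.
get_conf() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$2" | tail -n 1
}

# Demo on a constructed fragment of conf.maldet (not the real file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
email_alert="0"
quarantine_hits="0"
quarantine_suspend_user_minuid="500"
EOF
set_conf email_alert 1 "$demo"                        # existing key rewritten
set_conf quarantine_suspend_user_minuid 1000 "$demo"  # raised for Debian UIDs
set_conf scan_clamscan 1 "$demo"                      # absent key appended
cat "$demo"
rm -f "$demo" "$demo.bak"
```

To use it on the real file, call it as root, for example `set_conf quarantine_hits 0 /usr/local/maldetect/conf.maldet`; the value whitelist deliberately rejects shell metacharacters, so an address containing `+` must still be edited by hand.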

How to Update Maldet Virus Definitions & Software

The --mkpubpaths step below is only needed when scan_user_access="1" is set in the configuration, so that non-root users can run scans.

Run the following command to create the per-user paths; without them, non-root users cannot scan or update:

sudo /usr/local/sbin/maldet --mkpubpaths

If you skip it, non-root users get the following error. If you always run maldet with sudo, you can skip this step altogether.

public scanning is enabled (scan_user_access=1) but paths do not exist, please contact your system administrator to run '/usr/local/sbin/maldet --mkpubpaths' or wait for cron.pub to execute in ~10 minutes.

To update the Maldet virus definitions database, execute the following command:

sudo maldet -u

To check for a newer Maldet release and upgrade the installation in place:

sudo maldet -d

Optional – Install ClamAV

Maldet can use ClamAV's clamscan binary as its scanner engine (the scan_clamscan setting above), which is considerably faster on large file sets and adds the ClamAV signature database on top of LMD's own signatures.

To install ClamAV, you can do so by executing the following command:

sudo apt install clamav -y

The clamav-freshclam service updates the signature databases automatically and holds a lock on them, so stop it before running a manual update to confirm the definitions are current:

sudo systemctl stop clamav-freshclam

Now run the freshclam update command.

sudo freshclam

Example output:

Mon Jan  3 15:25:06 2022 -> daily.cvd database is up-to-date (version: 26410, sigs: 1967941, f-level: 90, builder: raynman)
Mon Jan  3 15:25:06 2022 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Jan  3 15:25:06 2022 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Do not forget to restart the service once you have finished updating.

sudo systemctl start clamav-freshclam

Scanning with Maldet – Examples

First, get familiar with the Maldet syntax. Commands take the form maldet [OPTION] [DIRECTORY PATH]: the option, then the path to act on.

The most commonly used options are:

  • -b : Execute operations in the background.
  • -u : Update the malware detection signatures.
  • -d : Update the installed Maldet version.
  • -l : View the maldet log file events.
  • -a : Scan all files in the given path.
  • -r : Scan files modified within the last N days (maldet -r PATH DAYS).
  • -e : View the report for a scan ID (same as --report).
  • -q : Quarantine all malware hits from a report.
  • -n : Clean and restore malware hits from a report.
  • -p : Purge logs, session and temporary data.

To confirm Maldet is working, download the EICAR test files, a harmless standard string that every scanner recognises as a test detection, from the EICAR website:

cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Next, scan the /tmp directory with maldet:

sudo maldet -a /tmp

The scan summary lists the test files as hits.
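
The EICAR download links have moved over the years, and fetching test files from the internet onto a production host is not always possible. The script below is an added example, not part of the tutorial or the LMD project: it writes the 68-byte EICAR string locally, checks the result against the published SHA-256 of the standard file, and runs the same maldet -a scan when maldet is present. The directory /tmp/lmd-test is an assumption for the demonstration.

```sh
#!/bin/sh
# Added example: create the EICAR test file locally instead of downloading it,
# then scan the directory with Maldet if it is installed.
set -eu

# The 68-byte EICAR string, split in two so the script itself is not flagged
# by scanners; the file written to disk is the complete, standard string.
EICAR_A='X5O!P%@AP[4\PZX54(P^)7CC)7}$'
EICAR_B='EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the standard EICAR file.
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# make_eicar DIR -> writes DIR/eicar.com and prints its path
make_eicar() {
    dir=$1
    mkdir -p "$dir"
    printf '%s%s' "$EICAR_A" "$EICAR_B" > "$dir/eicar.com"
    printf '%s\n' "$dir/eicar.com"
}

# check_eicar FILE -> 0 if FILE is byte-for-byte the standard EICAR file
check_eicar() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$sum" = "$EICAR_SHA256" ]
}

# scan_dir DIR -> runs a Maldet scan of DIR when maldet is available;
# returns 2 if maldet is not installed so callers can tell the cases apart.
scan_dir() {
    command -v maldet >/dev/null 2>&1 || return 2
    sudo maldet -a "$1"
}

# Usage (assumed path): `sh eicar-test.sh run` creates /tmp/lmd-test/eicar.com
# and scans it. Expect a hit on the file in the scan summary, for example
# {HEX}EICAR.TEST.3 when LMD's own signature matches.
if [ "${1:-}" = "run" ]; then
    f=$(make_eicar /tmp/lmd-test)
    check_eicar "$f" && echo "test file ok: $f"
    scan_dir /tmp/lmd-test || echo "maldet not installed; skipping scan"
fi
```

Delete the test file once you are done, otherwise the daily cron scan will keep reporting it.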

In the scan above, quarantine_hits was left at 0 (alert only), so the hits were reported but not moved. On a live server, automatically quarantining or deleting files on a false positive can cause more trouble than the hit itself, so review each report and verify the hits before acting on them.

The output also shows that, because ClamAV is installed on the test server, Maldet used the clamscan engine for the scan and still reported the hits.

You can also restrict a scan to particular file types. PHP files are the most common target on web servers, so to scan only .php files:

sudo maldet -a /var/www/html/*.php

Restricting the scan by extension keeps scans of large sites fast; on smaller servers, scanning the whole web root is simpler and more thorough.

Maldet Scan Reports

Maldet stores scan reports under /usr/local/maldetect/sess/. To view a detailed report, pass the scan ID printed at the end of the scan:

sudo maldet --report {scan ID}

Example:

sudo maldet --report 220103-1532.20745

The report opens in a text editor (nano on this setup).

It lists every hit together with the details of the affected file, for further review and investigation.

The file is already saved; press CTRL+X to exit once you have finished reviewing.
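
Before quarantining anything, it pays to know who owns each hit, when it was last modified and what its hash is, so the incident can be scoped and the file cross-checked elsewhere. The script below is an added example, not part of the tutorial or of the LMD project: it pulls the FILE HIT LIST section out of a saved report and prints triage details per hit, flagging files that have disappeared since the scan. It assumes each hit line has the form `{SIG}NAME : /path/to/file`, the layout of Maldet 1.6.x session reports, and the sample report it runs against is constructed for the demonstration, not real scan output.

```sh
#!/bin/sh
# Added example: triage the hits in a Maldet session report before deciding
# whether to quarantine them. Assumes the report's "FILE HIT LIST:" section
# lists one hit per line as `{SIG}NAME : /path/to/file`, as Maldet 1.6.x does.
set -eu

# hits_from_report REPORT -> prints "signature<TAB>path" for each hit
hits_from_report() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        inlist && /^=+$/  { exit }             # footer rule ends the list
        inlist && / : /   {
            sig = $1
            path = $0
            sub(/^[^:]* : /, "", path)         # drop "SIG : " prefix
            sub(/ => .*$/, "", path)           # drop quarantine destination, if any
            printf "%s\t%s\n", sig, path
        }
    ' "$1"
}

# triage REPORT -> one line per hit: signature, owner, mtime, sha256, path,
# or MISSING when the file is no longer where the report says it was
triage() {
    hits_from_report "$1" | while IFS="$(printf '\t')" read -r sig path; do
        if [ -f "$path" ]; then
            owner=$(stat -c %U "$path")
            mtime=$(stat -c %y "$path" | cut -d. -f1)
            sha=$(sha256sum "$path" | cut -d' ' -f1)
            printf '%s\t%s\t%s\t%s\t%s\n' "$sig" "$owner" "$mtime" "$sha" "$path"
        else
            printf '%s\tMISSING\t-\t-\t%s\n' "$sig" "$path"
        fi
    done
}

# count_hits REPORT -> number of hits parsed from the report
count_hits() {
    hits_from_report "$1" | wc -l | tr -d ' '
}

# write_demo_report DIR -> constructed sample report (not real scan output)
# with one hit that exists and one that has already been removed.
write_demo_report() {
    dir=$1
    mkdir -p "$dir/www"
    printf 'placeholder standing in for a flagged file\n' > "$dir/www/wp-cache.php"
    cat > "$dir/report" <<EOF
HOST:      web01
SCAN ID:   220103-1532.20745
PATH:      $dir/www
TOTAL FILES:   3
TOTAL HITS:    2
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}php.base64.v23au.185 : $dir/www/wp-cache.php
{HEX}EICAR.TEST.3 : $dir/www/old/eicar.com
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
EOF
    printf '%s\n' "$dir/report"
}

# Usage: `sh triage.sh demo` runs against the constructed report; for a real
# scan, pass the report file saved under /usr/local/maldetect/sess/ instead.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    triage "$(write_demo_report "$d")"
    rm -rf "$d"
fi
```

A hit owned by a web server account with a recent mtime points at an upload path; one owned by root or a deploy user points at a compromised credential or supply chain, and that changes what to look at next.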

Optionally, once you have reviewed the report and are satisfied the hits are genuine, quarantine the files it lists:

sudo maldet -q {scan ID}

Example:

sudo maldet -q 220103-1532.20745

Comments and Conclusion

In this tutorial, you have learned how to install Maldet on Debian 11 Bullseye and use its basic scanning features on a web server. Maldet is effective at finding and cleaning infections, but it does not fix the root cause: the compromised account, site or vulnerable application still has to be secured to avoid re-infection, and that should be the first step. Good security practices and configuration prevent most infections from occurring in the first place.

If you want to know more about Maldet commands, visit the official documentation page.


