Featured Maldet - Linux Malware Detect Addon (discussion)

just try later

---

 

problem is epel repo only has 0.98.4 and other repos 0.98.6 breaks clamav usage as it doesn't have some files/tools that 0.98.4 has. I have no problems with 0.98.4 it's just the clam update mirror you are getting is down or slow for your geographical location

you can turn off quarantine and clean but that defeats purpose of using maldet

Code:

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

 

then disable cleaning

Code:

quar_clean=0

 

in 1st post

 

see first post links all info you need is there

Links

• Official Linux Malware Detect web site Linux Malware Detect | R-fx Networks. Readme athttp://www.rfxn.com/appdocs/README.maldetect has alot of juicy info to chew and digest
• 15 maldet commands and switch examples

hint see

Code:

ls -lAhrt /usr/local/maldetect/quarantine/

as is the help file

Code:

 maldet -h
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 201504037673
usage /usr/local/sbin/maldet [ OPTION ]
    -b, --background
      Execute operations in the background, ideal for large scans
      e.g: maldet -b -r /home/?/public_html 7

    -u, --update
       Update malware detection signatures from rfxn.com

    -d, --update-ver
       Update the installed version from rfxn.com

    -m, --monitor USERS|PATHS|FILE
       Run maldet with inotify kernel level file create/modify monitoring
       If USERS is specified, monitor user homedirs for UID's > 500
       If FILE is specified, paths will be extracted from file, line spaced
       If PATHS are specified, must be comma spaced list, NO WILDCARDS!
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

    -k, --kill
       Terminate inotify monitoring service

    -r, --scan-recent PATH DAYS
       Scan files created/modified in the last X days (default: 7d, wildcard: ?)
       e.g: maldet -r /home/?/public_html 2

    -a, --scan-all PATH
       Scan all files in path (default: /home, wildcard: ?)
       e.g: maldet -a /home/?/public_html

    -c, --checkout FILE
       Upload suspected malware to rfxn.com for review & hashing into signatures

    -l, --log
       View maldet log file events

    -e, --report SCANID email
       View scan report of most recent scan or of a specific SCANID and optionally
       e-mail the report to a supplied e-mail address
       e.g: maldet --report
       e.g: maldet --report list
       e.g: maldet --report 050910-1534.21135
       e.g: maldet --report SCANID user@domain.com

    -s, --restore FILE|SCANID
       Restore file from quarantine queue to orginal path or restore all items from
       a specific SCANID
       e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
       e.g: maldet --restore 050910-1534.21135

    -q, --quarantine SCANID
       Quarantine all malware from report SCANID
       e.g: maldet --quarantine 050910-1534.21135

    -n, --clean SCANID
       Try to clean & restore malware hits from report SCANID
       e.g: maldet --clean 050910-1534.21135

    -U, --user USER
       Set execution under specified user, ideal for restoring from user quarantine or
       to view user reports.
       e.g: maldet --user nobody --report
       e.g: maldet --user nobody --restore 050910-1534.21135

    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
       Set or redefine the value of conf.maldet config options
       e.g: maldet --config-option email_addr=you@domain.com,quar_hits=1

    -p, --purge
       Clear logs, quarantine queue, session and temporary data.

 

also for excluding files see readme section 8

Code:

.: 8 [ IGNORE OPTIONS ]

There are four ignore files available and they break down as follows:

/usr/local/maldetect/ignore_paths

A line spaced file for paths that are to be execluded from search results
Sample ignore entry:

/home/user/public_html/cgi-bin

/usr/local/maldetect/ignore_file_ext

A line spaced file for file extensions to be excluded from search results
Sample ignore entry:
.js
.css

/usr/local/maldetect/ignore_sigs

A line spaced file for signatures that should be removed from file scanning
Sample ignore entry:

base64.inject.unclassed

/usr/local/maldetect/ignore_inotify

A line spaced file for regexp paths that are excluded from inotify monitoring
Sample ignore entry:

^/home/user$
^/var/tmp/#sql_.*\.MYD$

 

same thing if you read the docs

 

Malware & Virus Scan FTP Uploaded Files

One thing that Pure-FTPD users can do is configure automatic malware and virus scans on uploaded files done through Pure-FTPD. Be aware this may potentially increase your cpu and memory usage requirements - especially for large file uploads. To implement automatic malware and virus scanning on uploaded files via Pure-FTPD you need

1. To install Linux Malware Detect (maldet) and ClamAV scanner via Centmin Mod maldet.sh addon which is available in Centmin Mod .08+ beta03 and higher addons/maldet.sh directory path. Details at Maldet - Linux Malware Detect Addon (discussion) | Centmin Mod Community
2. Then on Centmin Mod .08+ beta03 and higher you should already have Pure-FTPD support.

Once maldet.sh addon is installed and with running Pure-FTPD service, you enable pure-ftpd CallUploadScript support and setup the the called shell script clamscan.sh which is invoked each time a file is uploaded via Pure-FTPD virtual FTP user.

Create a file named setup-callupload.sh and place in file the contents. This script properly sets up what is needed to enable CallUploadScript in pure-ftpd.conf, setup the clamscan.sh shell script which runs each time files are uploaded and runs the pure-uploadscript in background. Any infections are reported in /var/log/clamscan-pureftpd.log and normal uploads are logged in /var/log/pureftpd.log.

Code:

#!/bin/bash

sed -i 's|^#CallUploadScript yes|CallUploadScript yes|g' /etc/pure-ftpd/pure-ftpd.conf

cat >/etc/pure-ftpd/clamscan.sh<< EOF
#!/bin/bash
/usr/bin/clamdscan --remove --quiet --no-summary "\$1" --log=/var/log/clamscan-pureftpd.log
EOF

chmod +x /etc/pure-ftpd/clamscan.sh

pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh

echo "pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh" >> /etc/rc.local

service pure-ftpd restart

then chmod +x and run script

Code:

chmod +x setup-callupload.sh
./setup-callupload.sh

 

Added a note to Addons page at Centmin Mod Addons - CentminMod.com LEMP Nginx web stack for CentOS regarding higher resource usage with maldet + ClamAV

 

you could be it will magnitudes slower from the earlier posts in this thread without clamav, maldet was 533x times slower !

probably better just to add more memory

 

Yup bug looks like the default config now wraps value in double quotes which my sed replace didn't catch at centminmod/maldet.sh at master · centminmod/centminmod · GitHub

will fix.. thanks for yet another bug report !

you can fix it manually using command

Code:

sed -i 's/email_alert=\"0\"/email_alert=\"1\"/g' /usr/local/maldetect/conf.maldet

edit fixed in stable and beta branch code update addons/maldet.sh addon · centminmod/centminmod@1b68785 · GitHub

 

can you check if your config file has

Code:

quar_hits=1

or

Code:

quar_hits="1"