Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

  1. eva2000
    Disable what, maldet + clamav? Or disable the clamav part of it? Without clamav, maldet is 100s of times slower to run!

    I'd skip this script setup; it's broken, as it sometimes prevents pure-ftpd from restarting/starting up.
     
  2. rc112
    I am thinking of disabling and uninstalling both, out of concern for the higher resources they need. I am running with 1 CPU and 2 RAM on DO. Maybe leave the virus scan to an external server or so. Thanks.
     
  3. eva2000
    For maldet there's a native uninstall.sh script at /svr-setup/maldetect-1.6.2/files/uninstall.sh
    Code (Text):
    cd /svr-setup/maldetect-*
    cd files
    ./uninstall.sh
    

    example
    Code (Text):
    ./uninstall.sh 
    This will completely remove Linux Malware Detect from your server including all quarantine data!
    Would you like to proceeed? [y/n] y
    Removed symlink /etc/systemd/system/multi-user.target.wants/maldet.service.
    Linux Malware Detect has been uninstalled.
    

    For clamav, you can undo the yum install via yum history.

    So get the yum history list first; for me I see the yum install of clamav at yum history ID = 34.
    Code (Text):
    yum history list
    Loaded plugins: fastestmirror, priorities, versionlock
    ID     | Command line             | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
        34 | -y install clamav clamav | 2018-03-05 03:10 | Install        |    6   
        33 | -y update ImageMagick6 I | 2018-03-02 21:18 | Update         |    5   
        32 | -q -y install GraphicsMa | 2018-03-02 21:17 | Install        |    1   
        31 | -y install jq            | 2018-02-28 04:54 | Install        |    2   
        30 | -y install redis --enabl | 2018-02-25 05:26 | Install        |    1   
        29 | update --disableplugin=p | 2018-02-25 03:41 | Update         |    2 EE
        28 | -q -y install pure-ftpd  | 2018-02-25 03:34 | Install        |    3   
        27 | -y install ImageMagick6  | 2018-02-25 03:34 | Install        |    8   
        26 | -q -y install libmemcach | 2018-02-25 03:33 | Install        |    2   
        25 | -q -y install postfix-pe | 2018-02-25 03:32 | Install        |    4   
        24 | -q -y install libtidy li | 2018-02-25 03:28 | Install        |    2   
        23 | -q -y install libicu lib | 2018-02-25 03:28 | Install        |    2   
        22 | -q -y install libxslt li | 2018-02-25 03:28 | Install        |    4   
        21 | -q -y install fio --disa | 2018-02-25 03:28 | Install        |   11   
        20 | -y install mytop         | 2018-02-25 03:27 | Install        |    1   
        19 | -y install net-snmp --di | 2018-02-25 03:27 | Install        |    1   
        18 | -y install postfix --dis | 2018-02-25 03:27 | Install        |    1   
        17 | -q -y install perl-DBD-M | 2018-02-25 03:27 | Install        |    1   
        16 | -y install MariaDB-clien | 2018-02-25 03:27 | Install        |    7 EE
        15 | -y remove mariadb-libs   | 2018-02-25 03:26 | Erase          |    4 EE
    

    Then run yum history undo 34, where 34 is your history list ID, which will differ for each person's install.
    Code (Text):
    yum history undo 34
    

    example
    Code (Text):
    yum history undo 34
    Loaded plugins: fastestmirror, priorities, versionlock
    Undoing transaction 34, from Mon Mar  5 03:10:52 2018
        Install     clamav-0.99.3-4.el7.x86_64            @epel
        Dep-Install clamav-data-0.99.3-4.el7.noarch       @epel
        Dep-Install clamav-filesystem-0.99.3-4.el7.noarch @epel
        Dep-Install clamav-lib-0.99.3-4.el7.x86_64        @epel
        Install     clamav-server-0.99.3-4.el7.x86_64     @epel
        Install     clamav-update-0.99.3-4.el7.x86_64     @epel
    Resolving Dependencies
    --> Running transaction check
    ---> Package clamav.x86_64 0:0.99.3-4.el7 will be erased
    ---> Package clamav-data.noarch 0:0.99.3-4.el7 will be erased
    ---> Package clamav-filesystem.noarch 0:0.99.3-4.el7 will be erased
    ---> Package clamav-lib.x86_64 0:0.99.3-4.el7 will be erased
    ---> Package clamav-server.x86_64 0:0.99.3-4.el7 will be erased
    ---> Package clamav-update.x86_64 0:0.99.3-4.el7 will be erased
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    =================================================================
     Package              Arch       Version         Repository  Size
    =================================================================
    Removing:
     clamav               x86_64     0.99.3-4.el7    @epel       2.4 M
     clamav-data          noarch     0.99.3-4.el7    @epel       155 M
     clamav-filesystem    noarch     0.99.3-4.el7    @epel       0.0
     clamav-lib           x86_64     0.99.3-4.el7    @epel        11 M
     clamav-server        x86_64     0.99.3-4.el7    @epel       241 k
     clamav-update        x86_64     0.99.3-4.el7    @epel       213 k
    
    Transaction Summary
    =================================================================
    Remove  6 Packages
    
    Installed size: 169 M
    Is this ok [y/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Erasing    : clamav-server-0.99.3-4.el7.x86_64       1/6
      Erasing    : clamav-0.99.3-4.el7.x86_64              2/6
      Erasing    : clamav-update-0.99.3-4.el7.x86_64       3/6
      Erasing    : clamav-lib-0.99.3-4.el7.x86_64          4/6
      Erasing    : clamav-data-0.99.3-4.el7.noarch         5/6
    warning: /var/lib/clamav/daily.cvd saved as /var/lib/clamav/daily.cvd.rpmsave
      Erasing    : clamav-filesystem-0.99.3-4.el7.noarch   6/6
      Verifying  : clamav-filesystem-0.99.3-4.el7.noarch   1/6
      Verifying  : clamav-server-0.99.3-4.el7.x86_64       2/6
      Verifying  : clamav-lib-0.99.3-4.el7.x86_64          3/6
      Verifying  : clamav-data-0.99.3-4.el7.noarch         4/6
      Verifying  : clamav-update-0.99.3-4.el7.x86_64       5/6
      Verifying  : clamav-0.99.3-4.el7.x86_64              6/6
    
    Removed:
      clamav.x86_64 0:0.99.3-4.el7       clamav-data.noarch 0:0.99.3-4.el7
      clamav-filesystem.noarch 0:0.99.3-4.el7       clamav-lib.x86_64 0:0.99.3-4.el7
      clamav-server.x86_64 0:0.99.3-4.el7       clamav-update.x86_64 0:0.99.3-4.el7
    
    Complete!
    
     
  5. pamamolf
    What's the difference between yum remove clamav and yum undo?
     
  6. eva2000
    You're welcome.
    Basically both do the same thing, though undo is cleaner if you only have those related yum packages in that transaction; as you can see, there are several yum packages undone. If you didn't know that there were several packages to remove, a manual yum remove would have removed only some packages and not all. It's also not ideal if you have other unrelated yum packages within that transaction, as they will be undone/removed too.

    Also, as per How to use yum history to roll back an update in Red Hat Enterprise Linux 6, 7? - Red Hat Customer Portal, there are some requirements for undo.

    So undo might not work if, prior to running the undo transaction, one of the grouped packages due for removal was already removed manually within a previous yum transaction/command run (via yum remove).
     
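    Added example (my own helper, not code from eva2000's posts or from Centmin Mod): a small POSIX shell function that picks the transaction ID for a given package out of yum history list output and prints the matching undo command together with the "Altered" count, so you can see up front how many packages that undo will touch and compare it with yum history info <ID> before running it (the caveat from the two posts above). The sample history text is constructed to match the column layout pasted above; the names find_install_txn and undo_command are made up for this example.

```shell
#!/bin/sh
# Constructed sample of `yum history list` output (not captured from any real host);
# it follows the column layout shown in the thread above.
SAMPLE_HISTORY='ID     | Command line             | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    34 | -y install clamav clamav | 2018-03-05 03:10 | Install        |    6   
    33 | -y update ImageMagick6 I | 2018-03-02 21:18 | Update         |    5   
    31 | -y install jq            | 2018-02-28 04:54 | Install        |    2   
    28 | -q -y install pure-ftpd  | 2018-02-25 03:34 | Install        |    3   '

# find_install_txn PKG [HISTORY_TEXT]
# Prints "ID ALTERED" for the most recent transaction whose command line ran
# "install" with PKG as one of its package words (exact word match, so "clam"
# does not match "clamav"). Parses HISTORY_TEXT if given, otherwise the live
# output of `yum history list`. Prints nothing when no such transaction exists.
find_install_txn() {
  pkg="$1"
  if [ -n "$2" ]; then
    hist="$2"
  else
    hist="$(yum history list 2>/dev/null)"
  fi
  printf '%s\n' "$hist" | awk -F'|' -v pkg="$pkg" '
    # Only rows whose first column is a numeric transaction ID are data rows;
    # the header and the dashed separator are skipped by this pattern.
    $1 ~ /^ *[0-9]+ *$/ {
      n = split($2, w, " ")
      seen_install = 0
      for (i = 1; i <= n; i++) {
        if (w[i] == "install") {
          seen_install = 1
        } else if (seen_install && w[i] == pkg) {
          gsub(/ /, "", $1)   # transaction ID
          gsub(/ /, "", $5)   # "Altered" package count
          print $1, $5
          exit                # newest matching transaction wins (list is newest first)
        }
      }
    }'
}

# undo_command PKG [HISTORY_TEXT]
# Prints the `yum history undo` command for PKG on stdout and, on stderr, a
# reminder of how many packages the transaction altered so the operator can
# review it with `yum history info` before undoing.
undo_command() {
  res="$(find_install_txn "$1" "$2")"
  if [ -z "$res" ]; then
    echo "no install transaction found for $1" >&2
    return 1
  fi
  id="${res%% *}"
  altered="${res##* }"
  echo "yum history undo $id"
  echo "# transaction $id altered $altered package(s); review with: yum history info $id" >&2
}

# Stand-alone demo against the constructed sample.
undo_command clamav "$SAMPLE_HISTORY"
```

    Run it as-is to see the command derived from the sample; drop the second argument to parse the live yum history list on a CentOS 7 host. The "Altered" count is the quick sanity check: if it is larger than the set of packages you expect to remove, the transaction also contains unrelated packages, which is exactly the case where a plain yum remove is the safer choice.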
  8. Meirami
    Code (Text):
    systemctl status maldet.service -l
    * maldet.service - Linux Malware Detect monitoring - maldet
       Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; vendor preset: disabled)
       Active: failed (Result: resources) since Sat 2018-07-14 15:32:22 UTC; 35s ago
      Process: 30572 ExecStart=/usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths (code=exited, status=0/SUCCESS)
    
    Jul 14 15:32:21 myVPS systemd[1]: Starting Linux Malware Detect monitoring - maldet...
    Jul 14 15:32:22 myVPS maldet[30572]: Linux Malware Detect v1.6.2
    Jul 14 15:32:22 myVPS systemd[1]: PID file /usr/local/maldetect/tmp/inotifywait.pid not readable (yet?) after start.
    Jul 14 15:32:22 myVPS maldet[30572]: (C) 2002-2017, R-fx Networks <p[email protected]>
    Jul 14 15:32:22 myVPS maldet[30572]: (C) 2017, Ryan MacDonald <[email protected]rfxn.com>
    Jul 14 15:32:22 myVPS maldet[30572]: This program may be freely redistributed under the terms of the GNU GPL v2
    Jul 14 15:32:22 myVPS maldet[30572]: maldet(30572): {mon} could not find inotifywait command, install yum package inotify-tools or download from https://github.com/rvoicilas/inotify-tools/wiki/
    Jul 14 15:32:22 myVPS systemd[1]: Failed to start Linux Malware Detect monitoring - maldet.
    Jul 14 15:32:22 myVPS systemd[1]: Unit maldet.service entered failed state.
    Jul 14 15:32:22 myVPS systemd[1]: maldet.service failed.


    I think I followed the guide exactly. After boot I noticed that the maldet service wasn't running. According to the status, I need to install inotify-tools. Should it be in the guide?

    When I run maldet and clamscan manually, like in the guide, I got cpu% and mem% quite high, but still OK. At night cron started a scan and I think it kept my VPS frozen until I rebooted in the morning. Can it be because of inotify or is it just because of low CPU power? The VPS panel showed very high CPU usage in the morning.
    I just installed the virus scan.
     
  9. eva2000
    maldet isn't a service; it runs via a cronjob in cron.daily, so it doesn't need a service running.
    Code (Text):
    ls -lah /etc/cron.daily/
    total 32K
    drwxr-xr-x  2 root root 4.0K Jul  6 19:02 .
    drwxr-xr-x 76 root root 4.0K Jul 14 10:30 ..
    -rwxr-xr-x  1 root root  979 May 10  2017 cyrus-imapd
    -rwxr-xr-x  1 root root 2.1K Jun 20 11:14 diskalert
    -rwx------  1 root root  219 Apr 11 00:51 logrotate
    -rwxr-xr-x  1 root root 4.2K Jul  6 19:02 maldet
    -rwx------  1 root root  208 Apr 10 20:32 mlocate
    
     
  10. robert syputa
    Reviews of Linux server antivirus and malware show poor results for clamav. That may be due to the lack of a commercial version - the cost of maintaining an up-to-date signature database needs to be paid for somehow.

    A few reviews show alternatives from commercial suppliers of AV who offer free versions for Linux desktops or servers.

    Sophos comes up as a leading free AV that achieves respectably high ratings for screening viruses and malware on Linux servers, including those aimed at Windows that may reside on a Linux server.
     
  11. eva2000
    Yeah, that is true.. always looking for Linux alternatives. Thought alternatives would need to be capable of automated, unattended installation for Centmin Mod users, heh.

    Seems Sophos might slow computers down (The 8 Best Free Anti-Virus Programs for Linux), so not sure.
     
    Last edited: Jul 20, 2018 at 5:38 AM