Welcome to Centmin Mod Community
Register Now

Featured Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    disable what maldet + clamav ? or disable clamav part of it ? without clamav, maldet is 100s of times slower to run !

    i'd skip this script setup it's broken as it sometimes prevents pure-ftpd from restart/starting up.
     
  2. rc112

    rc112 Member

    124
    14
    18
    Sep 22, 2017
    Ratings:
    +15
    Local Time:
    6:58 AM
    I am thinking of disabling and unintstalling both in concern of the higher resource it needs. I am running with 1cpu and 2RAM on DO. Maybe leave the virus scan to external server or so. Thanks.
     
  3. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    For maldet there's a native uninstall.sh script at /svr-setup/maldetect-1.6.2/files/uninstall.sh
    Code (Text):
    cd /svr-setup/maldetect-*
    cd files
    ./uninstall.sh
    

    example
    Code (Text):
    ./uninstall.sh 
    This will completely remove Linux Malware Detect from your server including all quarantine data!
    Would you like to proceeed? [y/n] y
    Removed symlink /etc/systemd/system/multi-user.target.wants/maldet.service.
    Linux Malware Detect has been uninstalled.
    

    for clamav you can undo the yum install for them via yum history

    so get yum history list first and for me I see yum install clamav on yum history id = 34
    Code (Text):
    yum history list
    Loaded plugins: fastestmirror, priorities, versionlock
    ID     | Command line             | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
        34 | -y install clamav clamav | 2018-03-05 03:10 | Install        |    6   
        33 | -y update ImageMagick6 I | 2018-03-02 21:18 | Update         |    5   
        32 | -q -y install GraphicsMa | 2018-03-02 21:17 | Install        |    1   
        31 | -y install jq            | 2018-02-28 04:54 | Install        |    2   
        30 | -y install redis --enabl | 2018-02-25 05:26 | Install        |    1   
        29 | update --disableplugin=p | 2018-02-25 03:41 | Update         |    2 EE
        28 | -q -y install pure-ftpd  | 2018-02-25 03:34 | Install        |    3   
        27 | -y install ImageMagick6  | 2018-02-25 03:34 | Install        |    8   
        26 | -q -y install libmemcach | 2018-02-25 03:33 | Install        |    2   
        25 | -q -y install postfix-pe | 2018-02-25 03:32 | Install        |    4   
        24 | -q -y install libtidy li | 2018-02-25 03:28 | Install        |    2   
        23 | -q -y install libicu lib | 2018-02-25 03:28 | Install        |    2   
        22 | -q -y install libxslt li | 2018-02-25 03:28 | Install        |    4   
        21 | -q -y install fio --disa | 2018-02-25 03:28 | Install        |   11   
        20 | -y install mytop         | 2018-02-25 03:27 | Install        |    1   
        19 | -y install net-snmp --di | 2018-02-25 03:27 | Install        |    1   
        18 | -y install postfix --dis | 2018-02-25 03:27 | Install        |    1   
        17 | -q -y install perl-DBD-M | 2018-02-25 03:27 | Install        |    1   
        16 | -y install MariaDB-clien | 2018-02-25 03:27 | Install        |    7 EE
        15 | -y remove mariadb-libs   | 2018-02-25 03:26 | Erase          |    4 EE
    

    then run yum history undo 34 where that is your history list id which will differ for each person's install
    Code (Text):
    yum history undo 34
    

    example
    Code (Text):
    yum history undo 34
    Loaded plugins: fastestmirror, priorities, versionlock
    Undoing transaction 34, from Mon Mar  5 03:10:52 2018
        Install     clamav-0.99.3-4.el7.x86_64            @epel
        Dep-Install clamav-data-0.99.3-4.el7.noarch       @epel
        Dep-Install clamav-filesystem-0.99.3-4.el7.noarch @epel
        Dep-Install clamav-lib-0.99.3-4.el7.x86_64        @epel
        Install     clamav-server-0.99.3-4.el7.x86_64     @epel
        Install     clamav-update-0.99.3-4.el7.x86_64     @epel
    Resolving Dependencies
    --> Running transaction check
    ---> Package clamav.x86_64 0:0.99.3-4.el7 will be erased
    ---> Package clamav-data.noarch 0:0.99.3-4.el7 will be erased
    ---> Package clamav-filesystem.noarch 0:0.99.3-4.el7 will be erased
    ---> Package clamav-lib.x86_64 0:0.99.3-4.el7 will be erased
    ---> Package clamav-server.x86_64 0:0.99.3-4.el7 will be erased
    ---> Package clamav-update.x86_64 0:0.99.3-4.el7 will be erased
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================================================================================================================================================================================
     Package                                                            Arch                                                    Version                                                          Repository                                              Size
    ==========================================================================================================================================================================================================================================================
    Removing:
     clamav                                                             x86_64                                                  0.99.3-4.el7                                                     @epel                                                  2.4 M
     clamav-data                                                        noarch                                                  0.99.3-4.el7                                                     @epel                                                  155 M
     clamav-filesystem                                                  noarch                                                  0.99.3-4.el7                                                     @epel                                                  0.0 
     clamav-lib                                                         x86_64                                                  0.99.3-4.el7                                                     @epel                                                   11 M
     clamav-server                                                      x86_64                                                  0.99.3-4.el7                                                     @epel                                                  241 k
     clamav-update                                                      x86_64                                                  0.99.3-4.el7                                                     @epel                                                  213 k
    
    Transaction Summary
    ==========================================================================================================================================================================================================================================================
    Remove  6 Packages
    
    Installed size: 169 M
    Is this ok [y/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Erasing    : clamav-server-0.99.3-4.el7.x86_64                                                                                                                                                                                                      1/6 
      Erasing    : clamav-0.99.3-4.el7.x86_64                                                                                                                                                                                                             2/6 
      Erasing    : clamav-update-0.99.3-4.el7.x86_64                                                                                                                                                                                                      3/6 
      Erasing    : clamav-lib-0.99.3-4.el7.x86_64                                                                                                                                                                                                         4/6 
      Erasing    : clamav-data-0.99.3-4.el7.noarch                                                                                                                                                                                                        5/6 
    warning: /var/lib/clamav/daily.cvd saved as /var/lib/clamav/daily.cvd.rpmsave
      Erasing    : clamav-filesystem-0.99.3-4.el7.noarch                                                                                                                                                                                                  6/6 
      Verifying  : clamav-filesystem-0.99.3-4.el7.noarch                                                                                                                                                                                                  1/6 
      Verifying  : clamav-server-0.99.3-4.el7.x86_64                                                                                                                                                                                                      2/6 
      Verifying  : clamav-lib-0.99.3-4.el7.x86_64                                                                                                                                                                                                         3/6 
      Verifying  : clamav-data-0.99.3-4.el7.noarch                                                                                                                                                                                                        4/6 
      Verifying  : clamav-update-0.99.3-4.el7.x86_64                                                                                                                                                                                                      5/6 
      Verifying  : clamav-0.99.3-4.el7.x86_64                                                                                                                                                                                                             6/6 
    
    Removed:
      clamav.x86_64 0:0.99.3-4.el7       clamav-data.noarch 0:0.99.3-4.el7       clamav-filesystem.noarch 0:0.99.3-4.el7       clamav-lib.x86_64 0:0.99.3-4.el7       clamav-server.x86_64 0:0.99.3-4.el7       clamav-update.x86_64 0:0.99.3-4.el7     
    
    Complete!
    
     
    • Like Like x 1
  4. rc112

    rc112 Member

    124
    14
    18
    Sep 22, 2017
    Ratings:
    +15
    Local Time:
    6:58 AM
    • Like Like x 1
  5. pamamolf

    pamamolf Well-Known Member

    3,112
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    1:58 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    What's the difference for yum remove clamv and yum undo?
     
  6. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    you're welcome
    basically both do the same thing though undo is cleaner if you only have those related yum packages in that transaction so you can see there are several yum packages undone. If you didn't know that there were several packages to remove, manual yum remove would of removed only some packages and not all. Also not ideal if you have other unrelated yum packages within that transaction as they will be undone/removed too.

    Also as per How to use yum history to roll back an update in Red Hat Enterprise Linux 6 , 7? - Red Hat Customer Portal there's some requirements for undo

    So undo might not work if prior to running undo transaction one of the grouped packages due for removal was already removed manually within a previous yum transaction/command run (via yum remove).
     
    • Like Like x 1
    • Informative Informative x 1
  7. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  8. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    1:58 AM
    Code (Text):
    systemctl status maldet.service -l
    * maldet.service - Linux Malware Detect monitoring - maldet
       Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; v
    endor preset: disabled)
       Active: failed (Result: resources) since Sat 2018-07-14 15:32:22 U
    TC; 35s ago
      Process: 30572 ExecStart=/usr/local/maldetect/maldet --monitor /usr
    /local/maldetect/monitor_paths (code=exited, status=0/SUCCESS)
    
    Jul 14 15:32:21 myVPS systemd[1]: Starting Linux Malware Detect moni
    toring - maldet...
    Jul 14 15:32:22 myVPS maldet[30572]: Linux Malware Detect v1.6.2
    Jul 14 15:32:22 myVPS systemd[1]: PID file /usr/local/maldetect/tmp/
    inotifywait.pid not readable (yet?) after start.
    Jul 14 15:32:22 myVPS maldet[30572]: (C) 2002-2017, R-fx Networks <p
    [email protected]>
    Jul 14 15:32:22 myVPS maldet[30572]: (C) 2017, Ryan MacDonald <[email protected]
    rfxn.com>
    Jul 14 15:32:22 myVPS maldet[30572]: This program may be freely redi
    stributed under the terms of the GNU GPL v2
    Jul 14 15:32:22 myVPS maldet[30572]: maldet(30572): {mon} could not
    find inotifywait command, install yum package inotify-tools or downlo
    ad from https://github.com/rvoicilas/inotify-tools/wiki/
    Jul 14 15:32:22 myVPS systemd[1]: Failed to start Linux Malware Dete
    ct monitoring - maldet.
    Jul 14 15:32:22 myVPS systemd[1]: Unit maldet.service entered failed
     state.
    Jul 14 15:32:22 myVPS systemd[1]: maldet.service failed.


    I think I followed the guide exactly. After boot I noticed that maldet service wasn't running. According to status, I need to install inotify-tools. Should it be in guide?

    When I run maldet and clamscan manually, like in the guide, I got cpu% and mem% quite high, but still ok. At night cron started scan and I think it kept my vps frozen until I booted in the morning. Can it be because of inotify or is it just because low cpu power? Vps panel showed very high cpu usage in the morning.
    I just installed virus scan.
     
  9. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    maldet isn't a service it runs via a cronjob in cron.daily so doesn't need a service running
    Code (Text):
    ls -lah /etc/cron.daily/
    total 32K
    drwxr-xr-x  2 root root 4.0K Jul  6 19:02 .
    drwxr-xr-x 76 root root 4.0K Jul 14 10:30 ..
    -rwxr-xr-x  1 root root  979 May 10  2017 cyrus-imapd
    -rwxr-xr-x  1 root root 2.1K Jun 20 11:14 diskalert
    -rwx------  1 root root  219 Apr 11 00:51 logrotate
    -rwxr-xr-x  1 root root 4.2K Jul  6 19:02 maldet
    -rwx------  1 root root  208 Apr 10 20:32 mlocate
    
     
    • Like Like x 1
  10. robert syputa

    robert syputa Member

    39
    8
    8
    Jan 18, 2018
    Seattle
    Ratings:
    +22
    Local Time:
    6:58 PM
    latest
    10
    Reviews of Linux server antivirus and malware show poor results for clamav. That may be due to the lack of a commercial version - the cost of maintaining an up-to-date signature database needs to be paid for somehow.

    A few reviews show alternatives from commercial suppliers of AV who offer free versions for Linux desktops or servers.

    Sophos comes up as a leading free AV that achieves respectably high ratings for screening of virus and malware on Linux servers and also those aimed at windows that may reside on a Linux server.
     
    • Informative Informative x 1
  11. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Yeah that is true.. always looking for linux alternatives. Thought alternatives would need to be capable of automated installation unattended for Centmin Mod users heh

    seems Sophos might slow computers down The 8 Best Free Anti-Virus Programs for Linux so not sure.
     
    Last edited: Jul 20, 2018
  12. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    1:58 AM
    Is the maldet running longer than cron.daily thinks? Sometimes I got really high cpu usage when cron.daily runs and I've been thinking it's mlocate. I read logs and saw these time stamps. Maldet is running after it's finished and maybe together with mlocate cpu usage get's high..?

    journalctl
    Code:
    Aug 06 03:19:58 vps run-parts(/etc/cron.daily)[32084]: finished maldet
    and mlocate starts

    maldetect event_log
    Code:
    Aug 06 03:19:54 vps maldet(30642): {update} checking for available updates...
    Aug 06 03:19:56 vps maldet(30642): {update} downloaded https://cdn.rfxn.com/downloads/maldet.current.ver
    Aug 06 03:19:56 vps maldet(30642): {update} hashing install files and checking against server...
    Aug 06 03:19:56 vps maldet(30642): {update} downloaded https://cdn.rfxn.com/downloads/maldet.current.hash
    Aug 06 03:19:56 vps maldet(30642): {update} latest version already installed.
    Aug 06 03:19:56 vps maldet(30778): {sigup} performing signature update check...
    Aug 06 03:19:56 vps maldet(30778): {sigup} local signature set is version 2018070518685
    Aug 06 03:19:57 vps maldet(30778): {sigup} downloaded https://cdn.rfxn.com/downloads/maldet.sigs.ver
    Aug 06 03:19:57 vps maldet(30778): {sigup} latest signature set already installed
    Aug 06 03:19:57 vps maldet(30987): {scan} launching scan of /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
    Aug 06 03:19:57 vps maldet(31068): {scan} launching scan of /usr/local/nginx/html changes in last 2d to background, see /usr/local/maldetect/logs/event_log for progress
    Aug 06 03:19:57 vps maldet(31173): {scan} launching scan of /var/www/html changes in last 2d to background, see /usr/local/maldetect/logs/event_log for progress
    Aug 06 03:19:57 vps maldet(31309): {scan} launching scan of /home/nginx/domains/?/public changes in last 2d to background, see /usr/local/maldetect/logs/event_log for progress
    Aug 06 03:19:58 vps maldet(31437): {scan} launching scan of /boot changes in last 2d to background, see /usr/local/maldetect/logs/event_log for progress
    Aug 06 03:19:58 vps maldet(31068): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    Aug 06 03:19:58 vps maldet(31068): {scan} building file list for  of new/modified files from last 2 days, this might take awhile...
    Aug 06 03:19:58 vps maldet(30987): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    Aug 06 03:19:58 vps maldet(31068): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    Aug 06 03:19:58 vps maldet(31173): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    Aug 06 03:19:58 vps maldet(30987): {scan} building file list for  of new/modified files from last 1 days, this might take awhile...
    Aug 06 03:19:58 vps maldet(31068): {scan} executed eval /bin/nice -n 19 /bin/find "/usr/local/nginx/html" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -2 -o -ctime -2 \) -size +24c -size -6947618c  -not -perm 000   -not -uid 0 -not -gid 0
    Aug 06 03:19:58 vps maldet(31173): {scan} building file list for  of new/modified files from last 2 days, this might take awhile...
    Aug 06 03:19:58 vps maldet(31309): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    Aug 06 03:19:58 vps maldet(30987): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    Aug 06 03:19:58 vps maldet(31309): {scan} building file list for  of new/modified files from last 2 days, this might take awhile...
    Aug 06 03:19:58 vps maldet(31173): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    Aug 06 03:19:58 vps maldet(31309): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    Aug 06 03:19:58 vps maldet(31309): {scan} executed eval /bin/nice -n 19 /bin/find "/home/nginx/domains/demodomain.com/public" "/home/nginx/domains/domain.name/public" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -2 -o -ctime -2 \) -size +24c -size -6947618c  -not -perm 000   -not -uid 0 -not -gid 0
    Aug 06 03:19:58 vps maldet(31437): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    Aug 06 03:19:58 vps maldet(31437): {scan} building file list for  of new/modified files from last 2 days, this might take awhile...
    Aug 06 03:19:58 vps maldet(30987): {scan} executed eval /bin/nice -n 19 /bin/find "/home\*/\*/public_html/" "/var/www/html/" "/usr/local/apache/htdocs/" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -1 -o -ctime -1 \) -size +24c -size -6947618c  -not -perm 000   -not -uid 0 -not -gid 0
    Aug 06 03:19:58 vps maldet(31173): {scan} executed eval /bin/nice -n 19 /bin/find "/var/www/html" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -2 -o -ctime -2 \) -size +24c -size -6947618c  -not -perm 000   -not -uid 0 -not -gid 0
    Aug 06 03:19:58 vps maldet(31437): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    Aug 06 03:19:58 vps maldet(31437): {scan} executed eval /bin/nice -n 19 /bin/find "/boot" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -2 -o -ctime -2 \) -size +24c -size -6947618c  -not -perm 000   -not -uid 0 -not -gid 0
    Aug 06 03:19:58 vps maldet(31576): {scan} launching scan of /etc changes in last 2d to background, see /usr/local/maldetect/logs/event_log for progress
    Aug 06 03:19:58 vps maldet(31926): {scan} launching scan of /usr changes in last 2d to background, see /usr/local/maldetect/logs/event_log for progress
    Aug 06 03:19:58 vps maldet(31576): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    Aug 06 03:19:58 vps maldet(31576): {scan} building file list for  of new/modified files from last 2 days, this might take awhile...
    Aug 06 03:19:58 vps maldet(31576): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    Aug 06 03:19:58 vps maldet(31576): {scan} executed eval /bin/nice -n 19 /bin/find "/etc" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -2 -o -ctime -2 \) -size +24c -size -6947618c  -not -perm 000   -not -uid 0 -not -gid 0
    Aug 06 03:19:58 vps maldet(31926): {scan} signatures loaded: 17085 (14276 MD5 | 2030 HEX | 779 YARA | 0 USER)
    Aug 06 03:19:58 vps maldet(31926): {scan} building file list for  of new/modified files from last 2 days, this might take awhile...
    Aug 06 03:19:58 vps maldet(31926): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    Aug 06 03:19:58 vps maldet(31926): {scan} executed eval /bin/nice -n 19 /bin/find "/usr" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -2 -o -ctime -2 \) -size +24c -size -6947618c  -not -perm 000   -not -uid 0 -not -gid 0
    Aug 06 03:19:58 vps maldet(30987): {scan} file list completed in 0s, found 489 files...
    Aug 06 03:19:58 vps maldet(31437): {scan} file list completed in 0s, found 489 files...
    Aug 06 03:19:58 vps maldet(31068): {scan} file list completed in 0s, found 489 files...
    Aug 06 03:19:58 vps maldet(31173): {scan} file list completed in 0s, found 489 files...
    Aug 06 03:19:58 vps maldet(31437): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    Aug 06 03:19:58 vps maldet(30987): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    Aug 06 03:19:58 vps maldet(31068): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    Aug 06 03:19:58 vps maldet(31173): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    Aug 06 03:19:58 vps maldet(31437): {scan} scan of  (489 files) in progress...
    Aug 06 03:19:58 vps maldet(30987): {scan} scan of  (489 files) in progress...
    Aug 06 03:19:58 vps maldet(31068): {scan} scan of  (489 files) in progress...
    Aug 06 03:19:58 vps maldet(31173): {scan} scan of  (489 files) in progress...
    Aug 06 03:19:58 vps maldet(31576): {scan} file list completed in 0s, found 490 files...
    Aug 06 03:19:58 vps maldet(31576): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    Aug 06 03:19:58 vps maldet(31576): {scan} scan of  (490 files) in progress...
    Aug 06 03:20:04 vps maldet(31309): {scan} file list completed in 6s, found 491 files...
    Aug 06 03:20:04 vps maldet(31309): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    Aug 06 03:20:04 vps maldet(31309): {scan} scan of  (491 files) in progress...
    Aug 06 03:20:39 vps maldet(31926): {scan} file list completed in 40s, found 489 files...
    Aug 06 03:20:39 vps maldet(31926): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    Aug 06 03:20:39 vps maldet(31926): {scan} scan of  (489 files) in progress...
    Aug 06 03:23:34 vps maldet(31437): {scan} scan completed on : files 489, malware hits 0, cleaned hits 0, time 214s
    Aug 06 03:23:34 vps maldet(31437): {scan} scan report saved, to view run: maldet --report 180806-0319.31437
    Aug 06 03:23:50 vps maldet(30987): {scan} scan completed on : files 489, malware hits 0, cleaned hits 0, time 233s
    Aug 06 03:23:50 vps maldet(30987): {scan} scan report saved, to view run: maldet --report 180806-0319.30987
    Aug 06 03:23:50 vps maldet(31309): {scan} scan completed on : files 491, malware hits 0, cleaned hits 0, time 233s
    Aug 06 03:23:50 vps maldet(31309): {scan} scan report saved, to view run: maldet --report 180806-0319.31309
    Aug 06 03:23:50 vps maldet(31068): {scan} scan completed on : files 489, malware hits 0, cleaned hits 0, time 233s
    Aug 06 03:23:50 vps maldet(31068): {scan} scan report saved, to view run: maldet --report 180806-0319.31068
    Aug 06 03:23:50 vps maldet(31576): {scan} scan completed on : files 490, malware hits 0, cleaned hits 0, time 232s
    Aug 06 03:23:50 vps maldet(31576): {scan} scan report saved, to view run: maldet --report 180806-0319.31576
    Aug 06 03:23:51 vps maldet(31173): {scan} scan completed on : files 489, malware hits 0, cleaned hits 0, time 234s
    Aug 06 03:23:51 vps maldet(31173): {scan} scan report saved, to view run: maldet --report 180806-0319.31173
    Aug 06 03:23:58 vps maldet(31926): {scan} scan completed on : files 489, malware hits 0, cleaned hits 0, time 240s
    Aug 06 03:23:58 vps maldet(31926): {scan} scan report saved, to view run: maldet --report 180806-0319.31926
    
     
  13. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Cron only triggers maldet. How long it then runs, is up to how many files it has to scan and speed of your server
     
  14. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    1:58 AM
    So is it actually launching all executables at the same time in the cron.daily directory?
    According to journalctl command, there are 1. executable started and later 1. executable stopped. After that comes 2. executable started and so on. There may be other jobs (not cron.daily) between start and stop. I just thought the stop actually means the job is done, because different jobs runs different times...
     
  15. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Cronjob only starts maldet scan as with any other cronjobs when they stop is up to the program or script that is started
     
  16. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    1:58 AM
    That's the part I understand.
    I don't understand why Journalctl logs that cron.daily maldet stopped at Aug 06 03:19:58 and in the Maldetect event_log you can see that first scan completed at Aug 06 03:23:34. 3 and a half minute later.
     
  17. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,833
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,074
    Local Time:
    8:58 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Hard to know when maldet reports finish could be when it found clamav binary and passed the scan over to clamav binary
     
    • Informative Informative x 1
..