Install and configure LMD and Clam AntiVirus on CentOS 7

LMD and Clam Antivirus

Introduction

Linux Malware Detect (LMD) is a malware detector and scanner for GNU/Linux, designed particularly for shared hosting environments. It is released under the GNU GPLv2 license, and it supports installation on cPanel WHM and GNU/Linux environments alongside other detection software such as ClamAV.
ClamAV is an open source antivirus solution for detecting trojans, malware, viruses and other malicious software; it supports multiple platforms, including Windows, macOS, and GNU/Linux.
This tutorial explains how to install LMD and Clam AntiVirus on a CentOS 7 server.

Getting started – EPEL repository and Mailx

First of all, install the EPEL repository and mailx. The latter is a mail processing system, based on Berkeley Mail 8.1, that provides enhanced features for interactive use, such as caching and disconnected operation for IMAP, message threading, scoring, and filtering. It is also usable as a mail batch language, both for sending and receiving mail.
First, install EPEL:

# yum install epel-release

and then Mailx:

# yum install mailx

In this scenario, Mailx will be used by LMD for sending scan reports to your email address.

Install LMD

The package is not available in CentOS or EPEL, so a manual installation is required.
Download LMD and extract it:

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzvf maldetect-current.tar.gz

As root, run the installer script install.sh present in the extracted directory (replace x.x with the version you downloaded):

# cd maldetect-x.x
# ./install.sh

Next, make a link to the maldet command in /bin:

# ln -s /usr/local/maldetect/maldet /bin/maldet
# hash -r

Configure LMD

LMD has been installed into /usr/local/maldetect/. In that directory there is a configuration file, which we're going to modify:

# $EDITOR /usr/local/maldetect/conf.maldet

Enable email alerts by changing the value to 1 on line 16.

email_alert="1"

Then, search for the email address line, and modify it as follows:

email_addr="root@mydomain.me"

The ClamAV clamscan binary will be used as the default scan engine, because it provides high-performance scans on large file sets. To enable this, find and edit the following line:

scan_clamscan="1"

Next, it’s possible to enable quarantining to move malware to the quarantine during the scan process. To do this, change the following line:

quarantine_hits="1"

Next, enable cleaning of string-based malware injections (this requires quarantine_hits to be enabled) by changing:

quarantine_clean="1"

That’s all for LMD configuration.
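The five settings above can be applied and checked from a script rather than by hand, which matters when the same change has to land on several hosts. The example below is added here and is not part of LMD or of the original post; it assumes only that conf.maldet uses the key="value" line format shown above. The sample conf fragment it creates is constructed for the demo, so running the script touches nothing under /usr/local/maldetect; point apply_tutorial_settings at /usr/local/maldetect/conf.maldet yourself (as root) once you have reviewed it.

```shell
#!/bin/sh
# Added example (not LMD's own code): idempotently apply and verify the
# conf.maldet settings from this tutorial. Assumes key="value" lines.

# set_conf_value FILE KEY VALUE
# Rewrite KEY=... in FILE to KEY="VALUE"; append the line if KEY is absent.
# Values containing '|' or '&' would need escaping for sed; none of ours do.
set_conf_value() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" \
            && cat "$tmp" > "$file" && rm -f "$tmp"   # keep the file's mode/owner
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY -> prints the value with surrounding quotes removed
get_conf_value() {
    grep "^${2}=" "$1" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# apply_tutorial_settings FILE EMAIL -> the five changes made in this section
apply_tutorial_settings() {
    set_conf_value "$1" email_alert 1
    set_conf_value "$1" email_addr "$2"
    set_conf_value "$1" scan_clamscan 1
    set_conf_value "$1" quarantine_hits 1
    set_conf_value "$1" quarantine_clean 1
}

# verify_tutorial_settings FILE EMAIL -> 0 if every key has the expected
# value, 1 otherwise (each mismatch is reported on stderr)
verify_tutorial_settings() {
    conf=$1; rc=0
    for pair in "email_alert=1" "email_addr=$2" "scan_clamscan=1" \
                "quarantine_hits=1" "quarantine_clean=1"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(get_conf_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', got '$got'" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample_conf DIR -> writes a constructed conf fragment (pre-change
# values, in conf.maldet's style) and prints its path
make_sample_conf() {
    f="$1/conf.maldet"
    cat > "$f" <<'EOF'
# constructed sample fragment, not the shipped conf.maldet
email_alert="0"
email_addr="you@domain.com"
scan_clamscan="0"
quarantine_hits="0"
quarantine_clean="0"
EOF
    echo "$f"
}

# Stand-alone demo on a constructed copy in a temporary directory.
demo_dir=$(mktemp -d)
demo_conf=$(make_sample_conf "$demo_dir")
apply_tutorial_settings "$demo_conf" "root@mydomain.me"
verify_tutorial_settings "$demo_conf" "root@mydomain.me" \
    && echo "settings verified in $demo_conf"
```

Because set_conf_value only ever rewrites or appends the exact key it is given, re-running the script on an already configured host changes nothing, and verify_tutorial_settings gives a non-zero exit status you can use from a configuration check.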

Install ClamAV

Now that LMD is correctly installed and configured, let’s install Clam AntiVirus to get the best scanning results. ClamAV is available in the EPEL repository.
So, using yum:

# yum install clamav clamav-devel

After ClamAV has been installed, update the ClamAV virus databases with freshclam:

# freshclam

Testing LMD and ClamAV

Now it's possible to test LMD with a manual scan by executing maldet against /var/www/html/.
In the web root directory, download the EICAR test files (harmless files that antivirus engines are expected to detect as malware) with wget:

# cd /var/www/html
# wget http://www.eicar.org/download/eicar.com.txt
# wget http://www.eicar.org/download/eicar_com.zip
# wget http://www.eicar.org/download/eicarcom2.zip

Next, scan the web root directory, as previously said, with maldet:

# maldet -a /var/www/html

During this process, it’s possible to see that LMD is using the ClamAV scanner engine to perform the scan: it will find three malware hits.
Check the report with the following command:

# maldet --report SCANID

SCANID is a numerical value found in the Maldet output.

Next, verify that there is an email containing the report:

# tail -f /var/mail/root

If everything was well configured, that email should contain all the required information.

It’s also possible to acquire a list of all reports:

# maldet -e list

It's also possible to restrict the scan to recently modified files. For instance, to scan only files modified in the last 10 days:

# maldet -r /var/www/html 10

For more information, call the help, which lists all options recognized by LMD:

# maldet --help
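When the scans above are run from cron instead of by hand, what you want from each run is the SCANID (to pull the report) and the hit count (to alert on). The example below is added here and is not part of LMD or of the original post. Its sample output is constructed, modelled on the "scan completed on ..." and "scan report saved, to view run: maldet --report ..." summary lines maldet prints, so check it against what your own maldet version produces; scan_and_check is the only function that calls the real maldet and it is not invoked by the demo.

```shell
#!/bin/sh
# Added example (not LMD's own code): turn maldet's scan summary into a
# machine-readable line plus an exit status for cron or monitoring.

# scan_summary < maldet-output
# Prints "SCANID HITS CLEANED". Exit status: 0 no hits, 1 malware hits
# reported, 2 no summary line found (scan did not complete).
scan_summary() {
    scanid=""; hits=""; cleaned=""
    while IFS= read -r line; do
        case $line in
            *"scan completed on "*"malware hits "*)
                # e.g. "... files 3, malware hits 3, cleaned hits 0, time 4s"
                hits=$(printf '%s\n' "$line" | sed -n 's/.*malware hits \([0-9]*\).*/\1/p')
                cleaned=$(printf '%s\n' "$line" | sed -n 's/.*cleaned hits \([0-9]*\).*/\1/p')
                ;;
            *"scan report saved, to view run: maldet --report "*)
                scanid=${line##*--report }   # the SCANID used by "maldet --report"
                ;;
        esac
    done
    [ -n "$hits" ] || return 2
    printf '%s %s %s\n' "${scanid:-unknown}" "$hits" "${cleaned:-0}"
    [ "$hits" -eq 0 ]
}

# scan_and_check PATH [DAYS]
# Runs "maldet -a PATH", or "maldet -r PATH DAYS" when DAYS is given (the two
# invocations used in this tutorial), and returns scan_summary's exit status
# so a cron job or monitoring hook can act on it. Not run by the demo below.
scan_and_check() {
    if [ -n "$2" ]; then
        maldet -r "$1" "$2" 2>&1 | scan_summary
    else
        maldet -a "$1" 2>&1 | scan_summary
    fi
}

# sample_output: constructed output for a three-file scan with three hits,
# shaped like maldet's summary lines (PID and SCANID are made up).
sample_output() {
    cat <<'EOF'
maldet(4242): {scan} building file list for /var/www/html, this might take awhile...
maldet(4242): {scan} file list completed in 0s, found 3 files...
maldet(4242): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(4242): {scan} scan of /var/www/html (3 files) in progress...
maldet(4242): {scan} scan completed on /var/www/html: files 3, malware hits 3, cleaned hits 0, time 4s
maldet(4242): {scan} scan report saved, to view run: maldet --report 240101-1200.4242
EOF
}

# Stand-alone demo on the constructed sample (no maldet needed).
sample_output | scan_summary
echo "exit status: $? (0 = clean, 1 = hits, 2 = no summary)"
```

The exit status is the useful part: maldet already mails its own report when email_alert is on, but a cron entry such as a nightly scan_and_check /var/www/html 1 lets you feed the result into whatever already watches your cron jobs, and status 2 catches the case where the scan never finished at all.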

There you go! That’s one great way to protect from web server infections on a GNU/Linux system.