Install ClamAV and Linux Malware Detect (Maldet)
Maldet is a great tool which can scan your Linux NVMe VPS server or dedicated server for malware. Just like the antivirus program on your computer, Maldet scans all of the files on your server. If a rogue file is found, Maldet places it in a quarantine folder and notifies you about the issue. It is also a good idea to install ClamAV on a Linux server.
Not only does Maldet scan the server regularly, it also scans all files uploaded via the file manager on a cPanel server. If any malicious files are found, Maldet moves them to the quarantine folder, which makes it a great tool to have in the fight against malicious users.
In this guide, we're also going to install ClamAV, which will assist in scanning the files on your server. It is not needed to run Maldet, but ClamAV does make the program more responsive.
Install ClamAV/Maldet Linux Server
First, as the root user (or a user with root privileges), issue the commands below inside an SSH console to download and install Maldet.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh
Configure ClamAV/Maldet
Now that you have installed Maldet on Linux, you need to configure the software; only a few of the options need changing. First, open the Maldet configuration file in a text editor such as Nano.
nano /usr/local/maldetect/conf.maldet
The first thing to add is your email address; reports will be sent there. We advise you to create an email account located on the server that has Maldet installed. Alerts are disabled by default, so set email_alert to 1 as well, otherwise no reports are sent.
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1
# The subject line for email alerts
email_subj="maldet alert from $(hostname)"
# The destination addresses for email alerts
# [ values are comma (,) spaced ]
# replace the placeholder with your own address
email_addr="you@example.com"
Also in the configuration file, you should enable the below additional options.
quar_hits
This tells LMD that it should move malware content into the quarantine folder and strip it of all permissions. Files are fully restorable to the original path, owner and permissions by using the --restore FILE option.
quar_clean
This tells LMD that it should try to clean malware that it has cleaner rules for. Files that are cleaned are automatically restored to the original path, owner and permissions, but files that cannot be cleaned remain in quarantine.
quar_susp (Optional)
Enabling this option allows LMD to suspend a user account under which malware is found. On cPanel systems, this passes the user to /scripts/suspendacct and adds a comment containing the maldet report command for the report that caused the user's suspension (e.g. maldet --report SCANID). On non-cPanel systems, the user's shell is set to /bin/false.
quar_susp_minuid (Optional)
This is the minimum user ID that will be evaluated for suspension; the default should be fine on most systems.
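The configuration steps above (mail alerts plus the quarantine options), as an added shell example that is not from the original guide or from the Maldet project: it rewrites the relevant conf.maldet keys idempotently and verifies the result. It assumes GNU sed (for -i) as found on a CentOS/cPanel host; the demo file and the address alerts@example.com are constructed placeholders, not the real /usr/local/maldetect/conf.maldet.

```sh
#!/bin/sh
# Added example, not part of the original guide or the Maldet project:
# apply the conf.maldet settings the guide describes in an idempotent,
# verifiable way. Assumes GNU sed (for -i), as found on a CentOS/cPanel host.

# Replace (or append) KEY=VALUE in FILE. Commented-out keys are left alone;
# active keys are rewritten whether their value was quoted or not.
set_conf_option() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*${key}=" "$file"; then
        # escape sed's delimiter, & and backslash before substituting
        esc=$(printf '%s' "$value" | sed 's|[/&\\]|\\&|g')
        sed -i "s/^[[:space:]]*${key}=.*/${key}=\"${esc}\"/" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Print the unquoted value of KEY in FILE (empty if the key is not active).
get_conf_option() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Enable the options the guide recommends: mail alerts to ADDRESS plus
# quarantine and cleaning. quar_susp is left untouched because it is optional.
configure_maldet() {
    conf=$1 address=$2
    set_conf_option "$conf" email_alert 1
    set_conf_option "$conf" email_addr "$address"
    set_conf_option "$conf" quar_hits 1
    set_conf_option "$conf" quar_clean 1
}

# Succeed only if every recommended option holds its expected value.
verify_maldet_conf() {
    conf=$1 address=$2
    [ "$(get_conf_option "$conf" email_alert)" = 1 ] &&
    [ "$(get_conf_option "$conf" email_addr)" = "$address" ] &&
    [ "$(get_conf_option "$conf" quar_hits)" = 1 ] &&
    [ "$(get_conf_option "$conf" quar_clean)" = 1 ]
}

# Stand-alone demo on a constructed sample file (the real path is
# /usr/local/maldetect/conf.maldet; alerts@example.com is a placeholder).
demo=$(mktemp)
printf '# [0 = disabled, 1 = enabled]\nemail_alert="0"\nemail_addr="you@domain.com"\nquar_hits="0"\n# quar_clean="0"\n' > "$demo"
configure_maldet "$demo" alerts@example.com
verify_maldet_conf "$demo" alerts@example.com && echo "conf.maldet settings applied and verified"
rm -f "$demo"
```

Run it against the real file with `configure_maldet /usr/local/maldetect/conf.maldet you@yourdomain` after backing the file up; a commented-out key is appended rather than uncommented, so review the result once.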
How to scan a Linux VPS or Dedicated Server with Maldet
As the root user, you can issue the commands below to run Maldet, but make sure you have fully configured the software before you run your first scan.
maldet --scan-all /path/to/scan
maldet -a /path/to/scan
Quarantine all malware results from a previous scan
maldet -q SCANID
maldet --quarantine SCANID
Clean all malware results from a previous scan
maldet -n SCANID
maldet --clean SCANID
Restore a file that you have already quarantined
maldet -s FILENAME
maldet --restore FILENAME
Install ClamAV On cPanel Servers
Now that you have the basics of Maldet, it's time to install ClamAV. This will reduce the time Maldet takes to scan your cPanel server, and for added security we are also going to tell Exim to scan all emails as they are received and sent by the server. To install ClamAV:
- Log in to WHM, type ClamAV in the search bar, select “Manage Plugins” and click to install ClamAV.
Or via SSH:
yum install -y epel-release && yum -y install clamav
The default ClamAV settings should be fine for most users, so we will leave them as they are. The next thing is to tell Exim to scan all emails for viruses. In WHM, go to:
Exim Configuration Manager > Basic Editor > Security
Enable the “Scan messages for malware from authenticated senders (exiscan)” option and the “Scan outgoing messages for malware” option. Exim will now use ClamAV to scan for v