Linux has its own share of antivirus suites like ClamAV or AVG. But speaking of malware, the drawback these suites suffer from is that they concentrate primarily on OS-level trojans, rootkits and traditional file-infecting viruses; user-account-level malware is missed. The fact is, malware is on the rise.

Linux Malware Detect (LMD) is a project by R-fx Networks that aims at detecting and cleaning malware using information from several sources. The project was driven by data on the malware detection rate of 30 major antivirus products: they ran an analysis of these AV products against 5,393 core malware MD5 hashes. 81% remained undetected, and there was only a 48% detection rate for the remaining 19%!

LMD targets shared hosting environments, where malware threats are more common. It uses a signature-based detection mechanism and receives its data from 4 sources:

Network Edge IPS: Daily abuse events on (over 35K) web servers logged by a network edge IPS. The IPS events are processed to extract malware URLs and to decode POST payloads and base64/gzip-encoded abuse data; finally the malware is retrieved, reviewed, classified and signatures are generated.

Community Data: Data aggregated from community malware websites such as clean-mx and malwaredomainlist.

ClamAV: The HEX & MD5 detection signatures from ClamAV.

User Submission: LMD has a checkout feature that allows users to submit suspected malware for review.

LMD 1.4.0 has a total of 7,241 (5393 MD5 / 1848 HEX) signatures (before updates).

Features

MD5 file hash detection for quick threat identification

HEX based pattern matching for identifying threat variants

statistical analysis component for detection of obfuscated threats (e.g. base64)

integrated detection of ClamAV to use as scanner engine for improved performance

integrated signature update feature with -u|--update

integrated version update feature with -d|--update-ver

scan-recent option to scan only files that have been added/changed in X days

scan-all option for full path based scanning

checkout option to upload suspected malware to rfxn.com for review / hashing

full reporting system to view current and previous scan results

quarantine queue, batching, restore, suspend

cleaner rules to attempt removal of malware injected strings

cleaner batching option to attempt cleaning of previous scan reports

cleaner rules to remove base64 and gzinflate(base64) injected malware

daily cron based scanning of all changes in last 24h in user homedirs

daily cron script compatible with stock RH style systems, Cpanel & Ensim

kernel based inotify real time file scanning of created/modified/moved files

kernel inotify monitor that can take path data from STDIN or FILE

kernel inotify monitor convenience feature to monitor system users

kernel inotify monitor can be restricted to a configurable user html root

kernel inotify monitor with dynamic sysctl limits for optimal performance

kernel inotify alerting through daily and/or optional weekly reports

HTTP upload scanning through mod_security2 inspectFile hook

e-mail alert reporting after every scan execution (manual & daily)

path, extension and signature based ignore options

background scanner option for unattended scan operations

verbose logging & output of all actions
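As an added illustration of the three detection layers listed above (MD5 whole-file hashes, HEX byte patterns, and the statistical check for base64-obfuscated content, including the gzinflate(base64) wrapper the cleaner rules target), here is a small Python scanner. It is not LMD's own code: the signatures, the "known-bad" sample file and the wrapper helper are all constructed for the example.

```python
import base64, hashlib, re, zlib

# Constructed "known-bad" file: a harmless placeholder standing in for a
# file whose whole-file MD5 is already in the signature set.
KNOWN_BAD = b"<?php /* constructed stand-in for a file already in the md5 set */ ?>\n"
MD5_SIGS = {hashlib.md5(KNOWN_BAD).hexdigest(): "known.bad.constructed"}
# HEX signature = hex of "eval(gzinflate(base64_decode(": matched anywhere in
# the file, so it also catches variants whose whole-file hash differs.
HEX_SIGS = {"6576616c28677a696e666c617465286261736536345f6465636f646528":
            "php.inject.gzb64.constructed"}
# Statistical check: a long run of base64 alphabet inside source is suspicious.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def decode_blobs(data):
    """Decode each long base64 run; raw-inflate it if it is deflate data (PHP gzinflate)."""
    blobs = []
    for m in B64_RUN.finditer(data):
        try:
            inner = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        try:
            inner = zlib.decompress(inner, -15)  # -15: raw DEFLATE stream
        except zlib.error:
            pass  # plain base64, not compressed: scan the decoded bytes as-is
        blobs.append(inner)
    return blobs

def scan(data, depth=0):
    """Return (layer, signature) hits; decoded blobs are rescanned up to
    two levels deep so nested wrappers are still examined."""
    hits = []
    name = MD5_SIGS.get(hashlib.md5(data).hexdigest())
    if name:
        hits.append(("md5", name))
    name = next((n for h, n in HEX_SIGS.items() if bytes.fromhex(h) in data), None)
    if name:
        hits.append(("hex", name))
    if depth < 2:
        for inner in decode_blobs(data):
            hits.append(("base64", "obfuscated.blob"))
            hits.extend(scan(inner, depth + 1))
    return hits

def wrap_gzinflate_base64(inner):
    """Constructed test sample in the gzinflate(base64) wrapper; only used to exercise the scanner."""
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(inner) + c.flush())
    return b"<?php eval(gzinflate(base64_decode('" + blob + b"'))); ?>\n"
```

Scanning the wrapped sample yields a HEX hit on the wrapper, a base64 flag for the blob, and an MD5 hit on the decoded inner file, which a whole-file hash alone would never have seen.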

Installation

To install LMD, run the following:

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar -zxvf maldetect-current.tar.gz
$ cd maldetect*
$ ./install.sh

Usage

LMD adds itself as a cron job, which is used to update signatures daily, keep the session, temp and quarantine data no more than 14 days old, and run a daily scan of recent file system changes.

The configuration file for LMD is /usr/local/maldetect/conf.maldet. The file is well documented within, so the options are easy to understand. By default public scanning is disabled. To check the options of LMD, run:

$ sudo maldet --help

Updates to the product are not performed automatically at the time of writing. To do a manual update (if available), run:

$ sudo maldet -d

By default LMD has auto-quarantine of files disabled. This means that YOU WILL NEED TO ACT on any threats detected, or pass the SCANID to the ‘-q’ option to batch-quarantine the results. This can be changed by setting quar_hits=1 in conf.maldet.

The inotify monitoring feature is designed to monitor users in real time for file creation/modify/move operations. There are three monitoring modes (USERS / PATHS / FILES). E.g.:

$ sudo maldet --monitor users
$ sudo maldet --monitor /root/monitor_paths
$ sudo maldet --monitor /home/mike,/home/ashton

Webpage: Linux Malware Detect

Similar software