Malware detection on Plesk systems

Malware detection on Plesk systems using maldet and clamav

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license and designed around the threats faced in shared hosting environments.

It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions via the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, and they are easily exported to any number of detection tools such as ClamAV.

ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, and endpoint security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.

Together they make a great option for your Linux servers – you can add some protection to mailboxes, web hosting and user home directories. Linux malware detection using maldet and ClamAV on Plesk systems is possible, but you will need to install and configure both tools from the command line.

Installing LMD maldet

Get the maldet source, extract it, change into the extracted directory and run the installer (as root):

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*/
./install.sh

Configure LMD

vim /usr/local/maldetect/conf.maldet

Set the following:
email_alert : Set this to 1 to receive email alerts.
email_addr : Set this to your email address.
quar_hits : Set this to 1 to automatically quarantine malware.
quar_clean : Set this to 1 for automatic cleaning of detected malware.
scan_clamscan : Set this to 1 to enable scans using the clamAV engine.
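For servers that are built repeatedly (or several Plesk nodes that should be configured identically), editing conf.maldet by hand does not scale. The script below is an added example, not part of the original post or of the LMD project: it sets the five options listed above non-interactively. It assumes the key="value" line format used by /usr/local/maldetect/conf.maldet; the path and the alert address are overridable through the MALDET_CONF and ALERT_EMAIL variables, which are names chosen here, not LMD settings.

```shell
#!/bin/sh
# Added example (not LMD's own tooling): apply the conf.maldet settings from
# the post without opening an editor. Assumes lines of the form key="value".
set -eu

MALDET_CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"

# set_maldet_option FILE KEY VALUE
# Rewrites an existing KEY="..." line in place. Refuses to touch a key that is
# not already present, so a typo cannot silently add a setting LMD never reads.
# VALUE must not contain '|' or '&' (sed replacement metacharacters).
set_maldet_option() {
    file=$1; key=$2; value=$3
    if ! grep -q "^${key}=" "$file"; then
        echo "set_maldet_option: key '$key' not found in $file" >&2
        return 1
    fi
    # Write via a temp file and copy back so the original inode, owner and
    # mode of conf.maldet are preserved.
    sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp"
    cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

# get_maldet_option FILE KEY -> prints the value of KEY with surrounding quotes
# stripped (empty output if the key is absent).
get_maldet_option() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1"
}

# configure_maldet FILE EMAIL -> the five settings recommended in the post:
# alert by mail, quarantine and clean hits, and scan with the ClamAV engine.
configure_maldet() {
    set_maldet_option "$1" email_alert 1
    set_maldet_option "$1" email_addr "$2"
    set_maldet_option "$1" quar_hits 1
    set_maldet_option "$1" quar_clean 1
    set_maldet_option "$1" scan_clamscan 1
}

# Stand-alone use: only touches the real config if it exists.
if [ -f "$MALDET_CONF" ]; then
    configure_maldet "$MALDET_CONF" "${ALERT_EMAIL:-root@localhost}"
    echo "email_alert is now $(get_maldet_option "$MALDET_CONF" email_alert)"
fi
```

Because set_maldet_option fails on an unknown key, a future LMD release that renames an option makes the script stop with a clear error instead of leaving the server unconfigured.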


Install Clamav

yum install clamav clamav-devel

(On CentOS/RHEL these packages come from the EPEL repository.) Once installed, update the definitions:

freshclam

Create a cron job to update definitions every hour, at 30 minutes past the hour:

crontab -e
30 * * * * freshclam

Testing

Download the following EICAR test files (WARNING: every anti-virus engine, including the one you just installed, will flag them as malware) from the European Institute for Computer Anti-Virus Research (eicar.org).

Pick a location on your system to scan:

cd /path/to/scan
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Run a manual scan on the folder into which we downloaded the test files:

maldet -a /path/to/scan

At this point you should see that maldet detects and quarantines the files. You can view detailed report information using the following command, with the scan ID that maldet prints at the end of the scan:

maldet --report <ID of report>
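If the test server has no outbound web access, or you want the test to be repeatable, the EICAR file can be created locally: its content is a published 68-byte string, and LMD's MD5 signature type means that a single changed byte (an editor adding a trailing newline, CRLF conversion) will produce a file the scanner no longer recognises. The script below is an added example, not part of the original post or of LMD: it writes the test file, checks it against the published MD5 of eicar.com, and, only if maldet is on the PATH, runs the scan and pulls the report ID out of maldet's "to view run: maldet --report <ID>" line so the report can be shown without copying the ID by hand. The exact wording of that line is an assumption about maldet's output; the function names are chosen here.

```shell
#!/bin/sh
# Added example (not LMD's own tooling): create the EICAR test file locally,
# verify it byte-for-byte via its MD5, then scan and fetch the report.
set -eu

# The standard 68-byte EICAR test string (harmless by design).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published MD5 of the exact 68-byte eicar.com file.
EICAR_MD5='44d88612fea8a8f36de82e1278abb02f'

# write_eicar DIR -> writes DIR/eicar.com with no trailing newline and prints
# its path. printf '%s' avoids any escape interpretation of the string.
write_eicar() {
    printf '%s' "$EICAR" > "$1/eicar.com"
    printf '%s\n' "$1/eicar.com"
}

# md5_of FILE -> hex digest only
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# is_genuine_eicar FILE -> exit 0 when the file's MD5 matches the published
# one. This is the same check an MD5-hash signature performs: any altered
# byte and the hash (and therefore the detection) no longer matches.
is_genuine_eicar() {
    [ "$(md5_of "$1")" = "$EICAR_MD5" ]
}

# report_id_from_scan OUTPUT -> the ID following "maldet --report" in the
# scan output (assumed format: "... to view run: maldet --report 022115-0818.9138").
# Prints nothing if no such line is present.
report_id_from_scan() {
    printf '%s\n' "$1" | sed -n 's/.*maldet --report \([0-9.-]*\).*/\1/p' | tail -n 1
}

# Stand-alone run: ./eicar-test.sh --run
if [ "${1:-}" = "--run" ]; then
    dir=$(mktemp -d)
    f=$(write_eicar "$dir")
    if is_genuine_eicar "$f"; then
        echo "genuine EICAR test file written to $f"
    else
        echo "EICAR file is corrupted, aborting" >&2
        exit 1
    fi
    if command -v maldet >/dev/null 2>&1; then
        # maldet exits non-zero when it finds hits, which is the expected outcome here.
        out=$(maldet -a "$dir" 2>&1) || true
        id=$(report_id_from_scan "$out")
        if [ -n "$id" ]; then
            maldet --report "$id"
        else
            echo "could not find a report ID in maldet output:" >&2
            printf '%s\n' "$out" >&2
        fi
    else
        echo "maldet not installed; skipping scan of $dir"
    fi
fi
```

Run it with `--run` after the installation steps above; a scan that reports zero hits on the freshly written file almost always means the ClamAV definitions have not been updated yet (run freshclam) or scan_clamscan is still 0.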

Sources:

https://www.clamav.net
https://www.rfxn.com/projects/linux-malware-detect/