Malware detection on Plesk systems using maldet and clamav
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments.
It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, and they are also easily exported to any number of detection tools such as ClamAV.
ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, and endpoint security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.
Together they make a great option for your Linux servers – you can add some protection to mailboxes, web hosting and user home directories. Linux malware detection using maldet and ClamAV on Plesk systems is possible, but you will need to install and configure both using the command line.
Installing LMD maldet
Get the maldet source, extract it, change into the extracted directory and run the installer:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
./install.sh
Configure LMD
vim /usr/local/maldetect/conf.maldet
Set the following options:
email_alert : Set this to 1 to receive email alerts.
email_addr : Set this to your email address.
quar_hits : Set this to 1 to automatically quarantine malware.
quar_clean : Set this to 1 for automatic cleaning of detected malware.
scan_clamscan : Set this to 1 to enable scans using the ClamAV engine.
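As an added example (not from the original guide or the LMD project), the following shell functions apply the five options above to conf.maldet without opening vim, so the same settings can be pushed to several Plesk hosts and verified afterwards. It assumes LMD's key="value" line format; the sample file is constructed for the demo, and the real path is /usr/local/maldetect/conf.maldet.

```shell
#!/bin/sh
# Non-interactive configuration of conf.maldet (added example, not LMD code).
# Assumes lines of the form key="value"; values must not contain | or &.

# set_maldet_opt FILE KEY VALUE: rewrite KEY="..." in place, or append it if missing.
set_maldet_opt() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # Replace only the uncommented assignment at the start of a line.
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "${file}.tmp" \
            && mv "${file}.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_maldet_opt FILE KEY: print the current value without quotes (empty if unset).
get_maldet_opt() {
    sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | head -n 1
}

# configure_maldet FILE EMAIL: apply the five settings from the guide.
configure_maldet() {
    set_maldet_opt "$1" email_alert 1
    set_maldet_opt "$1" email_addr "$2"
    set_maldet_opt "$1" quar_hits 1
    set_maldet_opt "$1" quar_clean 1
    set_maldet_opt "$1" scan_clamscan 1
}

# make_sample_conf FILE: constructed stand-in for a freshly installed conf.maldet
# (alerts and quarantine off, scan_clamscan line absent).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not the real shipped conf.maldet
email_alert="0"
email_addr="you@domain.com"
quar_hits="0"
quar_clean="0"
EOF
}
```

On a live server run `configure_maldet /usr/local/maldetect/conf.maldet you@example.com` as root after install, then check each value with `get_maldet_opt`.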
Install ClamAV
yum install clamav clamav-devel
Once installed, update the virus definitions:
freshclam
Create a cron job to update the definitions every hour, at 30 minutes past the hour:
crontab -e
30 * * * * freshclam
Testing
Download the following test files from the European Institute for Computer Anti-Virus Research (eicar.org). WARNING: anti-virus scanners detect these files as malware, so keep them out of any directory that is served or shared.
Pick a suitable location on your system:
cd /path/to/scan
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
Run a manual scan on the folder into which we downloaded the test files:
maldet -a /path/to/scan
At this point you should see that maldet detects and quarantines the files. You can view detailed report information using the following command:
maldet --report <ID of report>
Sources:
https://www.clamav.net
https://www.rfxn.com/projects/linux-malware-detect/