How to install and use malware scanning tool and antivirus engine in Linux system

2025-02-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains how to install and use a malware scanning tool and an anti-virus engine on Linux systems. The explanation is kept simple and clear so that it is easy to follow and understand.

Malware is any software program designed to interfere with or disrupt the proper functioning of a computing system. The most notorious types are viruses, spyware and adware, and the harm they cause ranges from stealing private information to deleting personal data. Another common use of malware is to take control of a system and enlist it in a botnet that launches Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.

In other words, we should never assume that because we don't store any sensitive or important data, we don't need to protect our system from malware: that data is not the only target.

For this reason, in this article we describe how to install and configure Linux Malware Detect (also known as MalDet or LMD) and the ClamAV antivirus engine on RHEL 7.0/6.x (where x is the minor version number), CentOS 7.0/6.x and Fedora 21-12.

LMD is a malware scanning tool released under the GPL v2 license and designed specifically for the threats seen in hosting environments. However, you will soon realise that you benefit from MalDet no matter what environment you run.

Install LMD on RHEL/CentOS 7.0/6.x and Fedora 21-12

LMD is not available from the online package repositories; it is distributed as a tarball from the official project website. The tarball always contains the latest version of the source code and can be fetched from the link below with the following command:

The code is as follows:

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Next, unpack the tarball and change into the extracted directory. Since the current version is 1.4.2, the directory is maldetect-1.4.2, and it contains the installation script install.sh.

The code is as follows:

# tar -xvf maldetect-current.tar.gz

# ls -l | grep maldetect

If we examine the installation script, which is only 75 lines long (including comments), we find that it not only installs the tool but first checks whether the default installation directory (/usr/local/maldetect) exists. If it does not, the script creates it and then proceeds with the installation.

Finally, once the installation is complete, daily execution is scheduled via cron by placing the cron.daily script (see above) in /etc/cron.daily. This helper script does several things, including clearing old temporary data, checking for new LMD versions, and scanning the default data directories of Apache and of web control panels such as cPanel and DirectAdmin.

Having said that, run the installation script as usual:

The code is as follows:

# ./install.sh


Configuring Linux Malware Detection Tools

LMD is configured through /usr/local/maldetect/conf.maldet, and its options are well annotated, which makes it fairly easy to set up. If you get stuck somewhere, see /usr/local/src/maldetect-1.4.2/README for further instructions.

In the configuration file, you will find the following sections enclosed in square brackets:

EMAIL ALERTS

QUARANTINE OPTIONS

SCAN OPTIONS

STATISTICAL ANALYSIS

MONITORING OPTIONS

Each of these sections contains several variables that indicate how LMD will function and what features are available.

If you want to receive an email notification of malware detection results, set email_alert=1. For simplicity, we will only deliver mail to local system users, but you can also explore other options, such as sending email alerts to external addresses.

If you previously set email_alert=1, set email_subj="Your subject here" and email_addr=username@localhost.

quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine and alert), tells LMD what to do when malware is detected.

quar_clean lets you decide whether to clean string-based malware injections. Keep in mind that such strings are, by their nature, "sequences of bytes, potentially matching many variants of the malware family".

quar_susp, the default suspend action for users with hits, lets you disable accounts whose files have been identified as infected.

clamav_scan=1 tells LMD to try to detect the ClamAV binary and use it as the default scanner engine. This gives up to four times faster scan performance and superior hex analysis. This option uses ClamAV only as the scanner engine; LMD signatures remain the basis for detecting threats.

Important: quar_clean and quar_susp require quar_hits to be enabled (=1).

In summary, in /usr/local/maldetect/conf.maldet the lines with these variables should look like this:

The code is as follows:

email_alert=1
email_addr=gacanepa@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1
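As an added example (not part of the article or of LMD itself), here is a small POSIX shell checker for the option dependencies described above: it reads the shell-style key=value lines of a conf.maldet file and reports settings that silently do nothing, such as quar_clean=1 or quar_susp=1 without quar_hits=1. The default file path is assumed.

```shell
#!/bin/sh
# Added example (not LMD code): sanity-check the dependencies between the
# conf.maldet options discussed above before relying on them in cron.
# Assumes the shell-style key=value layout of conf.maldet (quotes optional).

# Print the value of key $2 in config file $1 (last assignment wins, quotes
# and trailing comments stripped); empty output if the key is unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2=[\"']*\([^\"' #]*\).*/\1/p" "$1" | tail -n 1
}

# Print one line per problem found in the conf.maldet file $1.
maldet_conf_problems() {
    f=$1
    hits=$(conf_get "$f" quar_hits)
    clean=$(conf_get "$f" quar_clean)
    susp=$(conf_get "$f" quar_susp)
    alert=$(conf_get "$f" email_alert)
    addr=$(conf_get "$f" email_addr)
    clamav=$(conf_get "$f" clamav_scan)

    # quar_clean and quar_susp only take effect when quar_hits=1.
    if [ "$hits" != "1" ]; then
        if [ "$clean" = "1" ]; then
            echo "quar_clean=1 needs quar_hits=1 (hits are alert-only now)"
        fi
        if [ "$susp" = "1" ]; then
            echo "quar_susp=1 needs quar_hits=1 (hits are alert-only now)"
        fi
    fi
    # Alerts are enabled but nobody would receive them.
    if [ "$alert" = "1" ] && [ -z "$addr" ]; then
        echo "email_alert=1 but email_addr is empty"
    fi
    # clamav_scan=1 is harmless without ClamAV, but the speed-up is lost.
    if [ "$clamav" = "1" ] && ! command -v clamscan >/dev/null 2>&1; then
        echo "clamav_scan=1 but clamscan is not in PATH"
    fi
    return 0
}

# Usage on a real installation (skipped when the file is absent).
if [ -r /usr/local/maldetect/conf.maldet ]; then
    maldet_conf_problems /usr/local/maldetect/conf.maldet
fi
```

An empty output means the combination of options is consistent; run it again after every edit to conf.maldet.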

Install ClamAV on RHEL/CentOS 7.0/6.x and Fedora 21-12

To install ClamAV to take full advantage of the clamav_scan setting, follow these steps:

Create the repository file /etc/yum.repos.d/dag.repo:

The code is as follows:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1

Then run the command:

The code is as follows:

# yum update && yum install clamd

Note: These are just basic instructions for installing ClamAV in order to integrate it with LMD. We won't go into ClamAV settings in detail because, as mentioned earlier, LMD signatures remain the basis for detecting and eliminating threats.

Testing Linux Malware Detection Tools

Now we can test the LMD / ClamAV installation. Instead of using real malware, we will use the EICAR test files (http://www.eicar.org/86-0-Intended-use.html), which can be downloaded from the EICAR website.

The code is as follows:

# cd /var/www/html
# wget http://www.eicar.org/download/eicar.com
# wget http://www.eicar.org/download/eicar.com.txt
# wget http://www.eicar.org/download/eicar_com.zip
# wget http://www.eicar.org/download/eicarcom2.zip
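As an added example that is not part of the original article, the following script assembles the EICAR test file locally instead of downloading it, checks it against the published 68-byte size and SHA-256 so you know the scanner is being fed the genuine fixture, and hands the directory to maldet only when that command is installed. The scratch directory and the presence of maldet in PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build the EICAR test file offline,
# verify it is the canonical 68-byte string, then scan it with maldet if present.

# The string is assembled from two halves so that this script itself is not
# flagged by signature scanners that look for the complete EICAR string.
eicar_write() {
    # $1 = destination path; no trailing newline, the file is exactly 68 bytes
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' \
        'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Print the SHA-256 of file $1 using whichever tool the host provides.
eicar_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Return 0 only when $1 is byte-for-byte the published EICAR test file.
eicar_verify() {
    [ "$(wc -c < "$1")" -eq 68 ] &&
    [ "$(eicar_sha256 "$1")" = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" ]
}

# Stage the fixture in $1 (default: a scratch directory) and scan it.
# Use a directory under your web root, e.g. /var/www/html, to mirror the article.
eicar_demo() {
    dir=${1:-$(mktemp -d)}
    eicar_write "$dir/eicar.com"
    if ! eicar_verify "$dir/eicar.com"; then
        echo "eicar.com does not match the published EICAR hash" >&2
        return 1
    fi
    echo "eicar.com verified in $dir"
    if command -v maldet >/dev/null 2>&1; then
        maldet --scan-all "$dir"   # then: maldet --report SCANID
    fi
}
```

After the scan, the report should list one hit for eicar.com; if it does not, check clamav_scan and the signature update before trusting the installation.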

At this point, you can wait for the next cron task to run, or you can manually execute maldet. We will use the second method:

The code is as follows:

# maldet --scan-all /var/www/

LMD also accepts wildcards, so if you only want to scan certain types of files (e.g. zip files), you can do this:

The code is as follows:

# maldet --scan-all /var/www/*.zip


After the scan is complete, you can review the email sent by LMD or view the report with the following command:

The code is as follows:

# maldet --report 021015-1051.3559


where 021015-1051.3559 is the SCANID (your SCANID will differ).

Important: note that LMD detected 5 hits because the eicar.com file was downloaded twice (resulting in eicar.com and eicar.com.1).

If you check the quarantine folder (I left only one file and deleted the rest), you see the following:

The code is as follows:

# ls -l


You can then delete all quarantined files with the following command:

The code is as follows:

# rm -rf /usr/local/maldetect/quarantine/*

Or, alternatively:

The code is as follows:

# maldet --clean SCANID

Final considerations

Since maldet needs to be integrated with cron, you need to set the following variables in root's crontab (type crontab -e as root and press Enter); otherwise you may notice that LMD does not run correctly every day:

The code is as follows:

PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
SHELL=/bin/bash

This will help provide the necessary debugging information.

Thank you for reading. The above covers how to install and use a malware scanning tool and an anti-virus engine on a Linux system; I believe it gives a deeper understanding of the topic, though the specifics still need to be verified in practice.
