How To Analyze & Remove Malware in Linux with Maldet
How to install, analyze and eliminate malware on Linux systems with the Maldet tool.
What is malware?
securely and straightforwardly we clarify what malware or malicious software means, and this is considered as an annoying or harmful type of software which has been created with the purpose of accessing any device without being warned and without the user perceiving it.
Some types of malware include spyware, adware, phishing, viruses, trojans, worms, rootkits, ransomware and browser hijackers affecting the security and privacy of the system.
What is Maldet?
Maldet or Linux Malware Detect (LMD), is a malware scanner for Linux which was developed to handle threats that are common in shared hosted environments.
GNU GPLv2 licenses it, and the signatures that are used in LMD are hashes of MD5 files and HEX pattern matches, which can also be easily exported to any number of detection tools such as ClamAV.
How to Install Maldet on Linux
The first step is to download the file ar.gz from the official site using wget, for this we will execute the following in the terminal:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Now we will extract the contents of the downloaded file by running the following:
tar -xvf maldetect-current.tar.gz
Next, we will access the directory where the content has been extracted, in this case, it will be:
cd maldetect-1.6.2
Once we are inside the directory we will execute the installation script using the following line:
sudo ./install.sh
How to Configure Maldet in Linux
Once the installation is correct, it is time to configure Maldet using the conf.maldet file which was created automatically, we will access it using the desired editor:
sudo nano /usr/local/maldetect/conf.maldet
There we can change the following settings at the notification level:
- If we want to receive a notification when malware is detected, we will set the value of the email_alert field to one (1).
- In the field email_addr, we will enter the email address where we will be notified.
- In the email_ignore_clean field, we can set its value to one (1) if we do not want to be notified when the malware is automatically cleaned.
On the same file we can change the following values at the quarantine level:
- on the field quarantine_hits, we will define the value 1 so that the affected files are automatically quarantined.
- In the quarantine_clean field we can define the value 1 to clean the affected files automatically, if you set this value to 0, you can first inspect the files before cleaning them.
- Setting 1 to the quarantine_suspend_use field will suspend users whose accounts are affected, while the “quarantine_suspend_user_minuid” parameter sets the minimum user ID that should be suspended. This is set to 500 by default.
Once these parameters are defined, we save the changes using the keys Ctrl + O, and we exit the editor using Ctrl + X.
How to Analyze Malware with Maldet
To carry out the analysis in search of malware we will execute the following syntax:
sudo maldet --scan-all /path_to_scan
During the Maldet installation process, a cronjob function will also be installed in:
/etc/cron.daily/maldet
This task will scan the home directories, as well as all the files or folders.
With Maldet we have a simple tool for malware analysis in Linux environments in a secure and straightforward way.
