Linux Malware Detect and ClamAV are two effective tools to easily scan for malware and viruses on a VPS server. In this article, we are going to install both programs on CentOS. These steps will work on both CentOS 6 and 7.
Install Linux Malware Detect from the official website. At the time of writing, the current version is maldetect-1.4.2.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz tar -xvf maldetect-current.tar.gz cd maldetect-1.4.2 ./install.sh
Once the installation finishes, Linux Malware Detect will automatically create a daily cronjob task.
All configuration settings of Linux Malware Detect are stored in the file
/usr/local/maldetect/conf.maldet. Configure the following subset of options:
email_alert=1 email_addr=youremail@localhost email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)" quar_hits=1 quar_clean=1 clam_av=1
For the values below,
email_alert=1: If you want to receive notifications via email.
email_addr=youremail@localhost: Enter your email address.
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)": Email subject of the notification.
quar_hits=1: Move the malware to quarantine.
quar_clean=1: Delete any malware detected.
clamav_scan=1: Use ClamAV's malware library to scan.
Installing ClamAV helps Linux Malware Detect to scan processes faster and more effectively. First, we need to install the EPEL repo:
yum install epel-release
Then, we install ClamAV with the following command:
yum update && yum install clamav
After finishing the installation process, you are able to use Linux Malware Detect to scan for malware.
To scan a folder, use this command:
maldet --scan-all /home/domain.com/public_html
If you only want to scan some specified file types (
.php for example), you can use the following command:
maldet --scan-all /home/domain.com/public_html/*.php
To view a scanning report, use the following command. Replace
14715-1421.3219 with the scan ID.
maldet --report 14715-1421.3219
You can update Linux Malware Detect by running:
To delete all quarantined files:
rm -rf /usr/local/maldetect/quarantine/*