Scan for Malware and Viruses on CentOS using ClamAV and Linux Malware Detect

Updated on August 13, 2015
Scan for Malware and Viruses on CentOS using ClamAV and Linux Malware Detect header image

Linux Malware Detect and ClamAV are two effective tools to easily scan for malware and viruses on a VPS server. In this article, we are going to install both programs on CentOS. These steps will work on both CentOS 6 and 7.

1. Install Linux Malware Detect

Install Linux Malware Detect from the official website. At the time of writing, the current version is maldetect-1.4.2.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvf maldetect-current.tar.gz
cd maldetect-1.4.2
./install.sh

Once the installation finishes, Linux Malware Detect will automatically create a daily cronjob task.

2. Configure Linux Malware Detect

All configuration settings of Linux Malware Detect are stored in the file /usr/local/maldetect/conf.maldet. Configure the following subset of options:

email_alert=1
email_addr=youremail@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
clam_av=1

For the values below, 1=true and 0=false.

  1. email_alert=1: If you want to receive notifications via email.
  2. email_addr=youremail@localhost: Enter your email address.
  3. email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)" : Email subject of the notification.
  4. quar_hits=1: Move the malware to quarantine.
  5. quar_clean=1 : Delete any malware detected.
  6. clamav_scan=1: Use ClamAV's malware library to scan.

3. Install ClamAV

Installing ClamAV helps Linux Malware Detect to scan processes faster and more effectively. First, we need to install the EPEL repo:

yum install epel-release

Then, we install ClamAV with the following command:

yum update && yum install clamav

4. How To Use Linux Malware Detect

After finishing the installation process, you are able to use Linux Malware Detect to scan for malware.

To scan a folder, use this command:

maldet --scan-all /home/domain.com/public_html

If you only want to scan some specified file types (.php for example), you can use the following command:

maldet --scan-all /home/domain.com/public_html/*.php

To view a scanning report, use the following command. Replace 14715-1421.3219 with the scan ID.

maldet --report 14715-1421.3219

You can update Linux Malware Detect by running:

maldet -u

To delete all quarantined files:

rm -rf /usr/local/maldetect/quarantine/*