Archive for November, 2016


You may be familiar with ClamAV and Maldet (aka Linux Malware Detect). They’re widely known as two excellent choices for identifying malware. You may be not noticed that both can be used together. The benefit of doing this is a faster, more effective malware scan meaning you’re more likely to identify potential threats.

 

Installing ClamAV via WHM

1) Login to WHM (Web Host Manager) as the root user
2) Navigate to: Home » cPanel » Manage Plugins
3) Tick the Install and keep updated box
4) Click on Save

Installing ClamAV via SSH

This command tells the system that we want ClamAV to be listed as installed by the local RPM system:

/scripts/update_local_rpm_versions –edit target_settings.clamav installed

This command is the one responsible for installing the ClamAV RPM on your server:
/scripts/check_cpanel_rpms –fix –targets=clamav

Installing Maldet

1) Login to SSH as the root user
2) Execute the below commands:

cd /usr/local/src/
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
sh ./install.sh

 

Linking the two together

If you were to run a Linux Malware Detect scan now, it would run with no problem, however, it would not include ClamAV’s definitions, therefore slowing down the scan completion time and threat detection ratio. To solve this, we must create two symbolic links, as follows:

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam

Updating the applications

Let’s ensure both applications are up-to-date now:

maldet -d
maldet -u
freshclam

 

Running a malware scan

Now, when you run a Maldet scan, you’ll have the best of both worlds (think of it as ClamAV and Linux Malware Detect teaming up). Say you wanted to run a malware scan of /home/username/public_html, you could do so with:

maldet -a /home/?/public_html (? means all username)

root@server [~]# maldet -a /home/?/public_html
Linux Malware Detect v1.5
(C) 2002-2016, R-fx Networks <proj@rfxn.com>
(C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(3095): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
maldet(3095): {scan} building file list for /home/*/public_html, this might take awhile…
maldet(3095): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(3095): {scan} file list completed in 6s, found 156734 files…
maldet(3095): {scan} found clamav binary at /usr/local/cpanel/3rdparty/bin/clamdscan, using clamav scanner engine…
maldet(3095): {scan} scan of /home/*/public_html (156734 files) in progress…