Configure maldet to detect malware infected files
In the last article, we installed maldet. Today we learn how to configure it. Again, I want to mention that maldet is free and only for Linux servers. Let us begin the configuration, assuming you have installed maldet successfully.
To set up maldet, you have to modify the configuration file at /usr/local/maldetect/conf.maldet.
The following are some of the general options that you may want to set.
If you want to be notified of the existence of malware by email, set the following options.
email_alert : Set this to 1 if you want an email alert whenever a suspect file is detected.
email_addr : The email address to which notifications should be sent. This is used in combination with the email_alert option.
email_ignore_clean : Do not send email notifications for hits that have been automatically cleaned (see the next two options). This is disabled by default. Set it to 1 if you have set up an automated daily scan that quarantines and cleans the hits and you do not want to be notified of these by email.
What action should be taken on the infected files? The following options can be set to quarantine the files (move the affected files to a protected area where they cannot do any damage).
quarantine_hits : The default value is 0. Set this to 1 so that the infected files will be moved to quarantine.
quarantine_clean : The default value is 0. This is used only when quarantine_hits is set to 1. Set this to 1 if you want maldet to try to clean the malware injections after quarantining. Keep it at 0 if you want to inspect the files before cleaning.
In a multi-user environment, the following options may be useful.
quarantine_suspend_user : Disabled (set to 0) by default. If you set this to 1, the accounts of users who have hits will be suspended. For this to work, quarantine_hits must be 1.
quarantine_suspend_user_minuid : The lowest user id that can be suspended. This is set to 500 by default.
inotify_minuid : The lowest user id from which users are monitored. The default value is 500.
inotify_docroot : The web directory relative to the home directory of users. By default it is set to public_html. If this is set, only this web directory will be monitored.
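Editing conf.maldet by hand works, but on more than one server you will want the settings applied from a script. The following is an added example written for this article (it is not code from the article or from the LMD project): it rewrites key="value" lines in conf.maldet idempotently and reads them back, using a constructed sample file that holds the defaults listed above. The CONF path is the real location; the helper names (set_opt, get_opt, configure_alerts) are this example's own. Values containing "|" or "&" would need escaping for sed, which this example does not handle.

```shell
#!/bin/sh
# Added example (not from the article or the LMD project): set the
# conf.maldet options discussed above from a script, idempotently, and read
# them back to verify. conf.maldet uses lines of the form key="value".
# CONF defaults to the real path; the sample file below is constructed for
# offline use, so nothing here touches the real config unless you ask.
CONF="${CONF:-/usr/local/maldetect/conf.maldet}"

# set_opt FILE KEY VALUE: rewrite the key="value" line, or append it if the
# key is absent. Re-running with the same value leaves exactly one line.
# (Assumption: VALUE contains no "|" or "&", which sed would misread.)
set_opt() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY: print the value of KEY with surrounding quotes stripped.
get_opt() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# make_sample_conf FILE: write a constructed config holding the defaults the
# article lists, in the same key="value" layout as the real conf.maldet.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not the real conf.maldet
email_alert="0"
email_addr="you@domain.com"
email_ignore_clean="0"
quarantine_hits="0"
quarantine_clean="0"
quarantine_suspend_user="0"
quarantine_suspend_user_minuid="500"
scan_ignore_root="1"
inotify_minuid="500"
inotify_docroot="public_html"
EOF
}

# configure_alerts FILE ADDRESS: email alerts on, quarantine hits, but leave
# cleaning off so an operator inspects quarantined files before any cleanup.
configure_alerts() {
    set_opt "$1" email_alert 1
    set_opt "$1" email_addr "$2"
    set_opt "$1" quarantine_hits 1
    set_opt "$1" quarantine_clean 0
}

# show_opts FILE: print the settings that matter for alerting and quarantine.
show_opts() {
    for k in email_alert email_addr quarantine_hits quarantine_clean scan_ignore_root; do
        printf '%s=%s\n' "$k" "$(get_opt "$1" "$k")"
    done
}

# Demo on a temporary copy only when run as a script with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    configure_alerts "$tmp" "admin@example.com"
    show_opts "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh configure_maldet.sh --demo` to see the result on the sample file, or `CONF=/usr/local/maldetect/conf.maldet` with `configure_alerts "$CONF" you@example.com` (as root) on a real install. Leaving quarantine_clean at 0 is deliberate: cleaning rewrites files, so review the quarantine report first.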
Save and close the configuration file.
A simple scan
For a simple scan, run maldet with the --scan-all option and a path as an argument. It first builds a list of files for all the directories and sub-directories in that path. Then it scans all those files and reports the number of hits. It also writes a report which you can view to examine the suspicious files. Make sure that you provide the full path and not a relative path.
sudo maldet --scan-all /home/username/public_html/
A word of warning, though. The setting scan_ignore_root in the configuration file is set to 1 by default. This causes files owned by root to be left out of the file list that maldet builds. The default is faster, but it assumes that your root account has not been compromised and that no malware has been injected into root-owned files. Change this setting to 0 if you want root-owned files to be scanned as well. This may slow down the scan, so use it judiciously.
You can view the affected files by opening the report file mentioned in the scan output.
Quarantine affected files
When quarantine_hits is set to 1, maldet not only scans for malware but also moves the hits to quarantine so that your users no longer have access to these files. Your malware scan may then produce results as below (in this case, quarantine_clean is set to 0).
If you view the report, you can see the affected files and their quarantine location. You can inspect the files and then decide on whether you want to clean them.
If you scanned with quarantine_hits set to 0, you need not set it to 1 and redo the scan. Instead, you can quarantine all malware results from the previous scan with
sudo maldet --quarantine SCANID
Quarantine and clean affected files
When quarantine_clean is set to 1, maldet moves the affected files to quarantine and then tries to clean them.
If you did a scan with quarantine_hits or quarantine_clean set to 0, you can clean the results of that scan with the following option.
sudo maldet --clean SCANID
Restore a file
If you want to restore a file that was a false positive (flagged as malicious and quarantined), or if you have cleaned a file and want it back in its original location, run
sudo maldet --restore FILENAME
Alternately, give the complete path of the quarantined file.
sudo maldet --restore /usr/local/maldetect/quarantine/FILENAME
You can also use wildcards in your scan path. ? is the wildcard character.
sudo maldet --scan-all /home/?/public_html/
This checks all directories inside /home, and if any of them has a public_html sub-directory, that directory is scanned completely.
If you want to check the same path as a previous scan, but only those files created or modified in the last n days, run maldet with the --scan-recent option, giving the path and the number of days n. A weekly incremental check is such a recent scan over 7 days:
sudo maldet --scan-recent /home/username/public_html/ 7
Automate periodic scan
You can automate daily scans using cron. During installation, LMD installs a cronjob at /etc/cron.daily/maldet.
This cronjob updates the signatures, adding newly discovered malware to its database, and performs a daily scan of all home directories and of recent changes on the server. Whenever it detects malware, it notifies the email address specified in the configuration.
The inotify monitor can be used to watch users' files in real time for file creation, modification or movement. Monitoring can be done with one of the three options available:
The users option takes the home directories of all users on the system whose UID is greater than inotify_minuid and monitors them. If inotify_docroot is set, only the users' web directory (if it exists) is monitored.
sudo maldet --monitor users
Alternately, you can monitor paths. Give a comma-separated list of paths with the --monitor option.
sudo maldet --monitor PATH1,PATH2,…
For example,
sudo maldet --monitor /tmp,/home,/var
If you have concerns about specific files, you can monitor specific files by giving a comma-separated list of files.
sudo maldet --monitor FILE1,FILE2,...
Exclude files or paths
Certain paths or files can be excluded from the scan by using the ignore files.
Add files or paths to be excluded from the daily scan to /usr/local/maldetect/ignore_paths.
Add signatures to be excluded from the daily scan to /usr/local/maldetect/ignore_sigs.
Add files or paths to be excluded from inotify monitoring to /usr/local/maldetect/ignore_inotify.
Add the extensions of file types that you want to exclude from daily scans (one per line) to /usr/local/maldetect/ignore_file_ext. Sample entries in this file could be
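Because an entry that is added twice, or a relative path where maldet expects an absolute one, is easy to get wrong when the ignore files are maintained by hand, here is an added example (written for this article, not code from the article or from the LMD project) that appends to the four ignore files without duplicates and applies a light format check per file. The directory path is the real one from the article; the function names and the format checks (absolute paths for ignore_paths and ignore_inotify, a leading "." for ignore_file_ext) are this example's own assumptions about sensible entries, not LMD's parsing rules. The demo runs against a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the article or the LMD project): add entries to the
# four ignore files without duplicating them, with a light format check per
# file. MALDET_DIR defaults to the real location from the article; the demo
# below uses a constructed temporary directory instead.
MALDET_DIR="${MALDET_DIR:-/usr/local/maldetect}"

# ignore_add KIND ENTRY: KIND is paths|sigs|inotify|file_ext. Returns 0 when
# the entry is present afterwards (added or already there), 1 on a bad entry.
# The checks are this example's assumptions, not LMD parsing rules:
# paths and inotify entries must be absolute, extensions must start with ".".
ignore_add() {
    kind=$1; entry=$2
    case "$kind" in
        paths|inotify)
            case "$entry" in
                /*) ;;
                *) echo "not an absolute path: $entry" >&2; return 1 ;;
            esac ;;
        file_ext)
            case "$entry" in
                .?*) ;;
                *) echo "extension must start with '.': $entry" >&2; return 1 ;;
            esac ;;
        sigs)
            [ -n "$entry" ] || return 1 ;;
        *)
            echo "unknown kind: $kind" >&2; return 1 ;;
    esac
    f="$MALDET_DIR/ignore_$kind"
    [ -f "$f" ] || : > "$f"
    # -x: whole-line match, -F: literal, so /home/a does not match /home/ab
    grep -qxF -- "$entry" "$f" || printf '%s\n' "$entry" >> "$f"
}

# ignore_count KIND: number of non-blank entries in the ignore file.
ignore_count() {
    f="$MALDET_DIR/ignore_$1"
    if [ -f "$f" ]; then
        grep -c -v '^[[:space:]]*$' "$f" || true
    else
        echo 0
    fi
}

# Demo in a constructed temporary directory only when run with --demo.
if [ "${1:-}" = "--demo" ]; then
    MALDET_DIR=$(mktemp -d)
    ignore_add paths /home/username/public_html/cache
    ignore_add file_ext .js
    ignore_add file_ext .css
    ignore_add file_ext .js                  # duplicate, silently skipped
    ignore_add file_ext js || echo "rejected, as intended"
    echo "paths: $(ignore_count paths), extensions: $(ignore_count file_ext)"
    rm -rf "$MALDET_DIR"
fi
```

Keep the excluded set small and reviewed: every path or extension you add here is a blind spot for the daily scan, so a web application's upload directory is exactly the kind of path that should not be excluded.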
Check out more options, such as running maldet in the background and other finer settings, with the help option.
sudo maldet --help
If you run a self-hosted website, at some point or other it is possible for malicious hackers to inject malware into your system. Before that happens, secure your system and install maldet to stay ahead of such attacks.