stevepedwards.com/DebianAdmin linux mint IT admin tips info

Linux Anti Virus 2 – LMD – Linux Malware Detect

https://www.virustotal.com/
"You can submit the file to Virustotal to have it scanned by over 30 different malware scanners. If the report indicates that several of these scanners think the file is infected, take their word for it. If only one or very few of the scanners report an infection in the file, then two things are possible: it really is a false positive or it is malware that is so new it's not yet being picked up by the majority of antivirus scanners."

"Description
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV."
Manual:
https://www.rfxn.com/appdocs/README.maldetect

".: 7 [ CONFIGURATION ]

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet
and all options are well commented for ease of configuration.

By default LMD has the auto-quarantine of files disabled; this will mean that
YOU WILL NEED TO ACT on any threats detected or pass the SCANID to the '-q'
option to batch quarantine the results. To change this please set quar_hits=1
in conf.maldet."

https://www.rfxn.com/projects/linux-malware-detect/

I followed the install commands at:

http://www.tecmint.com/install-linux-malware-detect-lmd-in-rhel-centos-and-fedora/

without problems:

# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh

root@LinuxLaptop:/tmp/maldetect-1.4.2# ./install.sh
Linux Malware Detect v1.4.1
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(13394): {sigup} performing signature update check...
maldet(13394): {sigup} local signature set is version 201205035915
maldet(13394): {sigup} new signature set (2014032030449) available
maldet(13394): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(13394): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(13394): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(13394): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(13394): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(13394): {sigup} signature set update completed
maldet(13394): {sigup} 11651 signatures (9765 MD5 / 1886 HEX)
root@LinuxLaptop:/tmp/maldetect-1.4.2#

Edit:

vi /usr/local/maldetect/conf.maldet

email_alert : If you would like to receive email alerts, then it should be set to 1.
email_subj : Set your email subject here.
email_addr : Add your email address to receive malware alerts.
quar_hits : The default quarantine action for malware hits; it should be set to 1.
quar_clean : Cleaning detected malware injections; must be set to 1.
quar_susp : The default suspend action for users with hits; set it as per your requirements.
quar_susp_minuid : Minimum userid that can be suspended.

e.g.:

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=1

##
# [ QUARANTINE OPTIONS ]
##

# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0

# minimum userid that can be suspended
quar_susp_minuid=500
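A small audit script for the options edited above, added here as an example (it is not part of LMD): it reads the "key=value" lines of a conf.maldet and warns where a setting would leave hits in place, make quar_clean a no-op, or send alerts nowhere. The two sample configs in the demo are constructed; pass a real path to lmd_conf_audit to check your own file.

```shell
#!/bin/sh
# Added example, not part of LMD: audit a conf.maldet for the options edited above
# and warn where hits would be left in place or go unreported. The sample configs
# in the demo are constructed here.

# lmd_conf_get FILE KEY: print the effective value of KEY (last uncommented
# "KEY=value" line wins; surrounding double quotes are stripped).
lmd_conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# lmd_conf_audit FILE: one WARN line per finding; exit status = number of findings.
lmd_conf_audit() {
    findings=0
    for key in email_alert quar_hits quar_clean; do
        val=$(lmd_conf_get "$1" "$key")
        if [ "$val" != "1" ]; then
            echo "WARN: $key=${val:-unset} (the post sets this to 1; 0 leaves hits in place or unreported)"
            findings=$((findings + 1))
        fi
    done
    # The README says quar_hits=1 is required for quar_clean (and quar_susp) to act.
    if [ "$(lmd_conf_get "$1" quar_clean)" = "1" ] && [ "$(lmd_conf_get "$1" quar_hits)" != "1" ]; then
        echo "WARN: quar_clean=1 is ignored while quar_hits is not 1"
        findings=$((findings + 1))
    fi
    # Alerts also need an address (and, as the post found, a working MTA on the box).
    if [ "$(lmd_conf_get "$1" email_alert)" = "1" ] && [ -z "$(lmd_conf_get "$1" email_addr)" ]; then
        echo "WARN: email_alert=1 but email_addr is empty"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo: a constructed alert-only config next to the settings the post uses.
lmd_conf_demo() {
    dir=$(mktemp -d)
    printf 'email_alert=0\nquar_hits=0\nquar_clean=1\n' > "$dir/alert_only.conf"
    printf 'email_alert=1\nemail_addr="root@localhost"\nquar_hits=1\nquar_clean=1\n' > "$dir/hardened.conf"
    for f in alert_only hardened; do
        echo "== $f.conf"
        lmd_conf_audit "$dir/$f.conf" || echo "$? finding(s)"
    done
    rm -rf "$dir"
}

lmd_conf_demo
```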

Try a test run with the Eicar test file from the last Post:

This detected Eicar, so it is working.

It also says it sent a report to my email, because that option is set to 1 (configured in /usr/local/maldetect/conf.maldet), but I can't receive it as there is no mail server (e.g. Exim) set up on this machine to send it.

There are a lot of useful answers and insight into how the app works from Ryan on his blog page Q+A:

http://archive.is/AHKu

File changes can also be monitored recursively if you install:

apt-get install inotify-tools

To see a post scan report:

maldet --report

As seen in the prior Post, when clamscan recursively checked the subdirectories beginning with A, where I had hidden an Eicar file several levels deep, it found the file but did NOT remove it, using:

clamscan -vr /Storebird/A*/

This is also possible with LMD, but using a "?" as the wildcard:

maldet -v /Storebird/A?/

Once started, the wildcard path searched is shown in the usual Linux fashion with a "*", and the file is found:

Again, this states that no cleaning was done, but the file IS moved to the quarantine directory, as can be seen when the directory /Acer/Camera_Suyin.../ is browsed manually from Windows:

Linux also can't find it, as it has been moved:

Note the difference between delete, clean and quarantine in AV terms:
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

"If your antivirus encounters an infected file, there are generally three options available: clean, quarantine, or delete. If the wrong option is selected, the results can be catastrophic."
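To make the three actions in that quote concrete, here is an added example (a hypothetical helper, not LMD's own quarantine code) that quarantines, restores and cleans a constructed file: quarantine keeps the file unreadable with a sidecar record and can be undone after a false-positive review, delete cannot be undone, and clean edits the file in place. INJECTED_TEST_STRING stands in for a real signature match.

```shell
#!/bin/sh
# Added example (hypothetical helper, not LMD's own code): quarantine, restore and
# clean on a constructed file, to show how the three AV actions differ.

# quarantine_file FILE QDIR: move FILE into QDIR under a unique name, drop all
# permissions, record the original path and hash in QDIR/<name>.info, print the new path.
quarantine_file() {
    qdir=$2; name=$(basename "$1").$(date +%s).$$
    mkdir -p "$qdir"
    sum=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    printf 'path=%s\nsha256=%s\n' "$1" "$sum" > "$qdir/$name.info"
    mv "$1" "$qdir/$name" && chmod 000 "$qdir/$name"
    echo "$qdir/$name"
}

# restore_file QFILE: undo a quarantine after a false-positive review (mode 644;
# this helper does not record the original mode). Prints the restored path.
restore_file() {
    orig=$(sed -n 's/^path=//p' "$1.info")
    chmod 644 "$1" && mv "$1" "$orig" && rm -f "$1.info"
    echo "$orig"
}

# clean_file FILE PATTERN: the "clean" action, dropping only lines that match the
# injected PATTERN and keeping everything else; prints the number of lines removed.
clean_file() {
    before=$(wc -l < "$1")
    grep -v -- "$2" "$1" > "$1.tmp" || true   # grep exits 1 if nothing is left
    mv "$1.tmp" "$1"
    echo $((before - $(wc -l < "$1")))
}

# Demo on a constructed page with one injected line; delete would simply be rm,
# with no way back if the hit turns out to be a false positive.
demo_actions() {
    dir=$(mktemp -d)
    printf '<html>legit content</html>\nINJECTED_TEST_STRING\n' > "$dir/index.html"
    q=$(quarantine_file "$dir/index.html" "$dir/quarantine")
    echo "quarantined as $q, mode $(ls -ld "$q" | cut -c1-10); original gone: $([ -e "$dir/index.html" ] || echo yes)"
    restore_file "$q" > /dev/null
    echo "restored, then clean removed $(clean_file "$dir/index.html" INJECTED_TEST_STRING) line(s):"
    cat "$dir/index.html"
    rm -rf "$dir"
}

demo_actions
```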

NOTE: You need to have a working MTA set up before the email reports from root can be sent - see the next Post on Exim4.

Uploading Suspect Files for Checking

I accidentally uploaded my Eicar test files to RFXN by using the -c switch instead of the -n switch to "clean" a file, so I thought I'd put the FTP info here anyway... I wondered what was going on for a sec there! Sorry Ryan...

root@HPbox:~# maldet -c /home/stevee/Downloads/Eicar
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks (C) 2013, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

Connected to rfxn.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 10:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
Interactive mode on.
250 OK. Current directory is /incoming
Local directory now /root
200 TYPE is now 8-bit binary
local: /home/stevee/Downloads/Eicar/cleanFile2.txt remote: 26026.9654.bin
200 PORT command successful
150 Connecting to port 32774
226-File successfully transferred
226 0.137 seconds (measured here), 247.69 bytes per second
34 bytes sent in 0.02 secs (2.0 kB/s)
200 TYPE is now ASCII
local: /home/stevee/Downloads/Eicar/cleanFile2.txt remote: 14460.9654.ascii
200 PORT command successful
150 Connecting to port 32775
226-File successfully transferred
226 0.120 seconds (measured here), 265.57 bytes per second
36 bytes sent in 0.00 secs (732.4 kB/s)
221-Goodbye. You uploaded 1 and downloaded 0 kbytes.
221 Logout.
Connected to rfxn.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 10:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
Interactive mode on.
250 OK. Current directory is /incoming
Local directory now /root
200 TYPE is now 8-bit binary
local: /home/stevee/Downloads/Eicar/cleanFile1.txt remote: 24696.9654.bin
200 PORT command successful
150 Connecting to port 32776
226-File successfully transferred
226 0.127 seconds (measured here), 94.47 bytes per second
12 bytes sent in 0.01 secs (1.8 kB/s)
200 TYPE is now ASCII
local: /home/stevee/Downloads/Eicar/cleanFile1.txt remote: 31264.9654.ascii
200 PORT command successful
150 Connecting to port 32777
226-File successfully transferred
226 0.120 seconds (measured here), 91.67 bytes per second
13 bytes sent in 0.00 secs (288.5 kB/s)
221-Goodbye. You uploaded 1 and downloaded 0 kbytes.
221 Logout.
Connected to rfxn.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 10:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
Interactive mode on.
250 OK. Current directory is /incoming
Local directory now /root
200 TYPE is now 8-bit binary
local: /home/stevee/Downloads/Eicar/Vir.txt remote: 3322.9654.bin
200 PORT command successful
150 Connecting to port 32778
226-File successfully transferred
226 0.128 seconds (measured here), 0.52 Kbytes per second
68 bytes sent in 0.01 secs (10.1 kB/s)
200 TYPE is now ASCII
local: /home/stevee/Downloads/Eicar/Vir.txt remote: 32031.9654.ascii
200 PORT command successful
150 Connecting to port 32779
226-File successfully transferred
226 0.122 seconds (measured here), 0.55 Kbytes per second
68 bytes sent in 0.00 secs (1355.2 kB/s)
221-Goodbye. You uploaded 1 and downloaded 0 kbytes.
221 Logout.
