How to check a Linux server for viruses

To provide anti-virus protection for a server running Linux (this article covers the approach that applies to most distributions), there are software products that can run standalone or be integrated into the server control panel. We will look at installing and configuring Linux Malware Detect (Maldet), a standalone malware scanner.

Features and functionality

Maldet is an antivirus scanner with the following features:

1. Scan the entire server (or individual folders) for suspicious files;

2. Disinfect infected files and/or move them to quarantine. This is an important feature, because isolating a hit helps keep the malware from spreading across the server;

3. Scan only files that were created or modified within a recent period. This makes it possible to run the antivirus in daily scheduled scans without loading the server with a full scan each time;

4. Monitor selected folders continuously, and correctly honour the exclusions the administrator has defined in advance.

Installation

Run the following commands to install Maldet on the server.

Change to the directory where the sources will be kept:

cd /usr/local/src/

Download the installation archive from the official site:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpack the downloaded archive:

tar -zxvf maldetect-current.tar.gz

Change into the unpacked directory and run the Maldet installer:

cd maldetect-*/

bash install.sh

The installation script places the program (the executable file) at /usr/local/maldetect/maldet and creates a symlink /usr/local/sbin/maldet pointing to it.

It also immediately creates a scheduler job, /etc/cron.daily/maldet, for daily antivirus checks. If you do not need daily checks on the server, you can move or delete this file.

How to use Maldet

Before you start checking the server for viruses, and especially if the "cure" option (described below) is enabled, we strongly recommend creating a snapshot first (relevant for virtual server services).

Let's look at the basic, most essential commands for working with the Maldet antivirus.

1. Update the virus signature databases (although everything is already up to date immediately after installing the antivirus):

maldet -u

2. Start a scan of a specific directory:

maldet -a /home/admin/web

When the scan completes, the antivirus prints a report and the unique ID of that report, which the commands below take as an argument:

maldet(27233): {scan} scan report saved, to view run: maldet --report 125478-0205.34521

3. Move all suspicious files detected in the report to quarantine:

maldet -q 125478-0205.34521

4. Clean the quarantined infected files:

maldet -n 125478-0205.34521

If the "treatment" succeeds, the file is automatically restored from quarantine.

Note that an antivirus cannot always correctly "cure" a file of malicious code. Use this feature with care.

5. Restore all quarantined files of a specific report:

maldet -s 125478-0205.34521

or restore only one file:

maldet -s /home/admin/web/mysite.com/public_html/index.php

6. You can also list previously created reports:

maldet -e list

or open one of the reports:

maldet -e 125478-0205.34521
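
The scan, read-the-report-ID, quarantine sequence shown above can be scripted. The following shell script is an added example, not part of the original article or of the Maldet project: it pulls the report ID out of the "scan report saved" line that maldet prints and passes it to maldet -q. The function names (extract_scan_id, scan_and_quarantine) and the sample output line are constructed for this example; the optional -r mode (scan only files changed in the last N days) is Maldet's own option and corresponds to feature 3 in the list above.

```shell
#!/bin/sh
# Added example (not from the original article or from the Maldet project):
# run a Maldet scan, extract the report ID from the "scan report saved" line,
# and quarantine the hits of that report. The parser is exercised offline
# against a constructed sample line, so it works without maldet installed.

# Extract the report ID from maldet console/log output such as
#   maldet(27233): {scan} scan report saved, to view run: maldet --report 125478-0205.34521
# Prints the ID (nothing if no line matches) and always returns 0.
extract_scan_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*maldet --report \([0-9][0-9]*-[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Scan DIR (full scan with -a, or only files changed in the last DAYS days
# with -r when DAYS is given) and quarantine everything the resulting report
# flagged. Needs the real maldet binary (installed as /usr/local/sbin/maldet).
# Prints the report ID on success so it can be fed to maldet -e / -s later.
scan_and_quarantine() {
    dir="$1"
    days="$2"
    if [ -n "$days" ]; then
        out=$(maldet -r "$dir" "$days" 2>&1)
    else
        out=$(maldet -a "$dir" 2>&1)
    fi
    id=$(extract_scan_id "$out")
    if [ -z "$id" ]; then
        echo "no report ID found in maldet output:" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    maldet -q "$id"
    echo "$id"
}

# Constructed sample output line, used only to demonstrate the parser.
SAMPLE_LINE='maldet(27233): {scan} scan report saved, to view run: maldet --report 125478-0205.34521'

# Run the real scan only when a directory is supplied and maldet is present;
# otherwise just show what the parser extracts from the sample line.
if [ "$#" -gt 0 ] && command -v maldet >/dev/null 2>&1; then
    scan_and_quarantine "$1" "$2"
else
    echo "sample report ID: $(extract_scan_id "$SAMPLE_LINE")"
fi
```

Run it as `sh scan_quarantine.sh /home/admin/web` for a full scan of that directory, or `sh scan_quarantine.sh /home/admin/web 7` to scan only files changed in the last seven days. Quarantine is reversible with maldet -s, which is why the script stops at -q and does not call -n.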

Configuring Maldet Antivirus

All the settings live in a single file, /usr/local/maldetect/conf.maldet, grouped by topic, and every parameter is described in a comment. In addition, the command

maldet -h

prints the program's usage help.

In the configuration file, in the General Options section, you can specify whether reports should be emailed to the administrator after a scan completes.

An important option that must be enabled with care (disabled by default) is

quarantine_clean

It allows infected objects to be "cured" during the scan. Changes made to files by disinfection cannot be rolled back.

The same configuration file also contains options for fine-tuning the scanner: for example, scan exclusions for files or folders, which folders to include in continuous monitoring, and whether only the folders of server users should be checked.
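
As an added example (not from the original article or the Maldet project), the following shell script reads and edits key="value" lines in the conf.maldet layout, so the options discussed here can be checked or changed from a script instead of by hand. The option names email_alert, email_addr, quarantine_hits and quarantine_clean are options that exist in conf.maldet; the helper names (get_opt, set_opt, show_scan_opts), the MALDET_CONF override variable and the sample configuration written to a temporary file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article or from the Maldet project):
# read and change key="value" options in a file laid out like conf.maldet.
# conf.maldet is a shell-style file of lines such as   quarantine_clean="0"
# The option names used (email_alert, email_addr, quarantine_hits,
# quarantine_clean) exist in conf.maldet; the helpers and the sample file
# below are constructed for this example.

# Real config location; MALDET_CONF is an assumed override for testing.
CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"

# Print the value of option $2 in file $1 (empty if absent). Always returns 0.
get_opt() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Set option $2 in file $1 to value $3 (value must not contain / & or ").
# Edits via a temp file so it works with any POSIX sed; fails if the option is absent.
set_opt() {
    grep -q "^[[:space:]]*$2=" "$1" || { echo "option $2 not found in $1" >&2; return 1; }
    tmp="$1.tmp.$$"
    sed "s/^\([[:space:]]*$2=\)\"[^\"]*\"/\1\"$3\"/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Show the options worth confirming before a scan is started.
show_scan_opts() {
    printf 'email_alert=%s email_addr=%s quarantine_hits=%s quarantine_clean=%s\n' \
        "$(get_opt "$1" email_alert)" "$(get_opt "$1" email_addr)" \
        "$(get_opt "$1" quarantine_hits)" "$(get_opt "$1" quarantine_clean)"
}

# Constructed sample in the same comment + key="value" layout as conf.maldet.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# [ EMAIL ALERTS ]
email_alert="0"
email_addr="you@domain.com"
# [ QUARANTINE OPTIONS ]
quarantine_hits="0"
quarantine_clean="0"
EOF

# Turn on mail reports and automatic quarantine of hits in the sample, but
# leave quarantine_clean at 0: cleaning modifies files and cannot be undone.
set_opt "$SAMPLE_CONF" email_alert 1
set_opt "$SAMPLE_CONF" email_addr admin@example.com
set_opt "$SAMPLE_CONF" quarantine_hits 1
show_scan_opts "$SAMPLE_CONF"

# On a real server, review the live file the same way.
if [ -r "$CONF" ]; then
    show_scan_opts "$CONF"
fi
```

The script only touches the temporary sample unless you call set_opt on $CONF yourself; reviewing the live file with show_scan_opts before each scan is a cheap way to confirm that quarantine_clean is still disabled and that alerts go to the right address.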

In general, we recommend using Maldet as a scanner to detect potential threats on the server.