Anti-virus scanning of a server running Linux (this article applies to most common distributions) can be done with tools that run standalone or integrate into a hosting control panel. Here we install and configure Linux Malware Detect (Maldet) as a standalone scanner. Maldet is a signature-based scanner aimed mainly at the malware found on web-hosting servers (web shells, injected PHP, defacement scripts), so it complements rather than replaces host hardening and monitoring.
Features and functionality:
Maldet is a malware scanner with the following features:
1. Scan the entire server (or individual directories) for suspicious files;
2. Quarantine infected files and/or attempt to clean them. Quarantining is the important part: it stops a planted file from being served or executed while you investigate;
3. Check only files modified within a given number of days. This keeps daily scheduled scans cheap on a large server instead of re-reading every file;
4. Monitor selected directories continuously (via inotify) and honour the exclusions the administrator has defined.
Installation
Run the following commands as root to install Maldet on the server.
Change to the directory where we will keep the installer sources:
cd /usr/local/src/
Download the installation archive from the official site:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Unpack the archive:
tar -zxvf maldetect-current.tar.gz
Change into the unpacked directory and run the installer:
cd maldetect-*/
bash install.sh
The installer places the program in /usr/local/maldetect/ (the executable is /usr/local/maldetect/maldet) and creates a symlink to it at /usr/local/sbin/maldet, so it can be run simply as maldet.
The installer also creates a cron job, /etc/cron.daily/maldet, for a daily scan. If you do not want daily scans on this server, move or delete that file.
How to use Maldet.
We strongly recommend taking a snapshot (on a virtual server) or a backup before the first scan, and especially before enabling the "clean" option described below: cleaning rewrites files in place and cannot be rolled back.
The basic commands needed for day-to-day work with Maldet are as follows.
1. Update the signature database (the installer fetches current signatures, but update before a manual scan anyway)
maldet -u
2. Start scanning a specific directory
maldet -a /home/admin/web
When the scan finishes, Maldet saves a report and prints its unique scan ID. That ID is what the quarantine, clean and restore commands below operate on, so note it down:
maldet(27233): {scan} scan report saved, to view run: maldet --report 125478-0205.34521
3. Move all detected suspicious files to quarantine
maldet -q 125478-0205.34521
4. Attempt to clean the quarantined files of a report
maldet -n 125478-0205.34521
If cleaning succeeds, the file is restored from quarantine to its original location automatically.
Note that a scanner cannot always strip malicious code from a file correctly, and a "cleaned" file may still be backdoored or broken. Use this feature carefully, and prefer restoring from a known-good backup or redeploying the application.
5. Restore all quarantined files of a specific report
maldet -s 125478-0205.34521
or restore only one file
maldet -s /home/admin/web/mysite.com/public_html/index.php
6. List previously saved reports
maldet -e list
or open one of the reports
maldet -e 125478-0205.34521
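The commands above are normally chained by hand: scan, read the scan ID off the last line of output, then quarantine. The wrapper below is an added example (not part of the original article or of Maldet itself) that does the chaining in a script: it runs the scan, extracts the scan ID from Maldet's "scan report saved" line, reads the hit count from the "scan completed" summary line, and quarantines only that scan's hits, never auto-cleaning. The exact wording of those two output lines is assumed from current Maldet versions and should be checked against your own installation; the sample output embedded for testing is constructed.

```shell
#!/bin/sh
# Added example: wrapper around "maldet -a" and "maldet -q".
# Assumes maldet prints, at the end of a scan, lines of the shape:
#   maldet(PID): {scan} scan completed on PATH: files N, malware hits N, cleaned hits N, time Ns
#   maldet(PID): {scan} scan report saved, to view run: maldet --report SCANID
# Verify against your version before relying on the parsing.
set -eu

# Extract the scan ID (digits-digits.digits) from full maldet output; prints nothing if absent.
extract_scan_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*scan report saved, to view run: maldet --report \([0-9]*-[0-9]*\.[0-9]*\).*/\1/p' |
        head -n 1
}

# Extract the "malware hits N" count from the scan summary line; prints nothing if absent.
summary_hits() {
    printf '%s\n' "$1" |
        sed -n 's/.*malware hits \([0-9]*\).*/\1/p' |
        head -n 1
}

# Scan a directory and quarantine hits for that scan only.
# Cleaning (maldet -n) is deliberately not automated: it is irreversible.
scan_and_quarantine() {
    dir=$1
    # Capture output regardless of exit status; we decide based on the parsed summary.
    out=$(maldet -a "$dir" 2>&1) || true
    id=$(extract_scan_id "$out")
    if [ -z "$id" ]; then
        echo "could not find a scan ID in maldet output:" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    hits=$(summary_hits "$out")
    hits=${hits:-0}
    if [ "$hits" -gt 0 ]; then
        echo "scan $id: $hits hit(s) found, moving them to quarantine"
        maldet -q "$id"
        echo "review with: maldet -e $id   (restore a false positive with: maldet -s <file>)"
    else
        echo "scan $id: no hits"
    fi
}

# Constructed sample output, used only to exercise the parsers offline.
SAMPLE_OUTPUT='maldet(27233): {scan} scan completed on /home/admin/web: files 1842, malware hits 2, cleaned hits 0, time 41s
maldet(27233): {scan} scan report saved, to view run: maldet --report 125478-0205.34521'

# Usage: ./scan.sh /home/admin/web  (does nothing when run without an argument)
if [ -n "${1:-}" ]; then
    scan_and_quarantine "$1"
fi
```

Run it from cron instead of the stock daily job if you want quarantine to happen only after a scan that actually reported hits, and keep the printed scan ID: it is the only handle for reversing the quarantine with maldet -s.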
Configuring Maldet Antivirus
All settings live in one file, /usr/local/maldetect/conf.maldet, grouped by topic, with a comment describing each parameter. In addition, the command
maldet -h
prints a summary of the command-line options.
In the General Options section of the configuration file you can enable e-mail reports to the administrator after each scan (the email_alert and email_addr options).
One option must be enabled with care (default: disabled):
quarantine_clean
It makes Maldet attempt to "clean" infected objects during the scan. Changes made to a file by cleaning cannot be rolled back, unlike quarantine, which keeps the original file and can be reversed with maldet -s. Note also that the daily cron scan only reports hits unless quarantining is enabled in the configuration (quarantine_hits).
The same file holds options for fine-tuning the scanner: which directories to monitor continuously, whether to scan only user home directories, file-size limits, and so on. Exclusions are kept in separate files next to it (ignore_paths for directories and files, ignore_file_ext for extensions, ignore_sigs for individual signatures that produce false positives on your application).
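As an added example (not the article's or the project's own file), here is a minimal set of conf.maldet values showing the risky combination beside the one we recommend. The option names are those shipped in current Maldet releases; compare them with the comments in your own /usr/local/maldetect/conf.maldet before applying, and the e-mail address is a placeholder.

```shell
# Added example: conf.maldet settings (the file is sourced as shell, so plain assignments).
# Option names assumed from current Maldet releases; verify in your own conf.maldet.

# --- Risky: nothing is quarantined, but hits are rewritten in place with no way back ---
# email_alert="0"        # nobody is told about hits
# quarantine_hits="0"    # hits stay live on the web server
# quarantine_clean="1"   # irreversible in-place "cleaning"

# --- Recommended: report, quarantine (reversible with maldet -s), never auto-clean ---
email_alert="1"
email_addr="admin@example.com"   # placeholder address, replace with yours
quarantine_hits="1"              # move hits to /usr/local/maldetect/quarantine and alert
quarantine_clean="0"             # leave cleaning as a manual, reviewed step (maldet -n)
quarantine_suspend_user="0"      # do not suspend the owning account automatically
```

With these values the daily cron scan produces an e-mail and a quarantine you can inspect with maldet -e; a false positive is restored with maldet -s, and nothing has been modified in place.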
In general, we recommend using Maldet as a detection and quarantine tool, and treating its cleaning function as a last resort: when a file is confirmed malicious, find out how it got there and redeploy the affected site from a clean source.