{"id":11920,"date":"2022-03-24T23:13:11","date_gmt":"2022-03-24T20:13:11","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11920"},"modified":"2022-03-24T23:13:20","modified_gmt":"2022-03-24T20:13:20","slug":"easily-integrate-linux-malware-detect-with-clamav","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/easily-integrate-linux-malware-detect-with-clamav\/","title":{"rendered":"Easily Integrate Linux Malware Detect with ClamAV"},"content":{"rendered":"\n

Follow through this guide to learn how you can integrate Linux Malware Detect with ClamAV. Linux Malware Detect<\/a> (LMD) can be configured to use ClamAV as its scanner engine for improved performance on large file sets. The clamscan engine is used together with the native ClamAV signatures, updated through freshclam, and the LMD signatures, which provide additional detection capabilities.<\/p>\n\n\n\n

Integrate Linux Malware Detect with ClamAV<\/h2>\n\n\n\n

Our previous tutorials discussed how to install Linux Malware Detect and ClamAV on various Linux distros;<\/p>\n\n\n\n

Install Linux Malware Detect on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n

Install ClamAV on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n

Install ClamAV on Debian 11<\/a><\/p>\n\n\n\n

So assuming that you have both LMD and ClamAV installed, how can you integrate the two to work together?<\/p>\n\n\n\n

It is very easy to integrate Linux Malware Detect with ClamAV. All you have to do is configure Linux Malware Detect (LMD) to use the ClamAV engine.<\/p>\n\n\n\n

Open the LMD configuration file, \/usr\/local\/maldetect\/conf.maldet<\/code>, and change the value of the scan_clamscan<\/code> parameter from 0 to 1 to enable the ClamAV engine (if it is not already set). First check the current value;<\/p>\n\n\n\n

grep scan_clamscan \/usr\/local\/maldetect\/conf.maldet<\/code><\/pre>\n\n\n\n

Sample output;<\/p>\n\n\n\n

scan_clamscan=\"1\"<\/code><\/pre>\n\n\n\n

In my setup, it is already enabled.<\/p>\n\n\n\n

If it is set to 0 in your setup, run the command below to enable it;<\/p>\n\n\n\n

sed -i '\/scan_clamscan\/s\/0\/1\/' \/usr\/local\/maldetect\/conf.maldet<\/code><\/pre>\n\n\n\n

Next, stop the ClamAV daemon (the command below also disables it, so it will not start again at boot);<\/p>\n\n\n\n

systemctl disable --now clamav-daemon.service<\/code><\/pre>\n\n\n\n

Next, stop the freshclam service and update the ClamAV signature database manually;<\/p>\n\n\n\n

systemctl stop clamav-freshclam.service<\/code><\/pre>\n\n\n\n
freshclam<\/code><\/pre>\n\n\n\n

Once the update is done, start the freshclam service again;<\/p>\n\n\n\n

systemctl start clamav-freshclam.service<\/code><\/pre>\n\n\n\n

You can also update LMD signatures;<\/p>\n\n\n\n

maldet -u<\/code><\/pre>\n\n\n\n

Scanning Linux System Directories using LMD with ClamAV<\/h3>\n\n\n\n

Now that you have integrated Linux Malware Detect with ClamAV, you can run scans.<\/p>\n\n\n\n

For example, to scan default directories\/paths (\/tmp, \/var\/tmp, \/dev\/shm, \/var\/fcgi_ipc<\/code><\/strong>);<\/p>\n\n\n\n

maldet -a<\/code><\/pre>\n\n\n\n

Sample scan output;<\/p>\n\n\n\n

\nLinux Malware Detect v1.6.4\n            (C) 2002-2019, R-fx Networks \n            (C) 2019, Ryan MacDonald \nThis program may be freely redistributed under the terms of the GNU GPL v2\n\nmaldet(63051): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)\nmaldet(63051): {scan} building file list for , this might take awhile...\nmaldet(63051): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6\nmaldet(63051): {scan} file list completed in 2s, found 330 files...\nmaldet(63051): {scan} found clamav binary at \/usr\/bin\/clamscan, using clamav scanner engine...<\/strong>\nmaldet(63051): {scan} scan of  (330 files) in progress...\nmaldet(63051): {scan} processing scan results for hits: 1 hits 0 cleaned\nmaldet(63051): {scan} scan completed on : files 330, malware hits 1, cleaned hits 0, time 33s\nmaldet(63051): {scan} scan report saved, to view run: maldet --report 220324-2252.63051\nmaldet(63051): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220324-2252.63051\n<\/code><\/pre>\n\n\n\n

From the output, you will notice that LMD now uses the ClamAV engine; see the line ({scan} found clamav binary at \/usr\/bin\/clamscan, using clamav scanner engine\u2026<\/code><\/strong>).<\/p>\n\n\n\n

You can see more LMD command-line options with;<\/p>\n\n\n\n

maldet -h<\/code><\/pre>\n\n\n\n
\nLinux Malware Detect v1.6.4\n            (C) 2002-2019, R-fx Networks \n            (C) 2019, Ryan MacDonald \nThis program may be freely redistributed under the terms of the GNU GPL v2\n\nsignature set: 20220322840957\nusage \/usr\/local\/sbin\/maldet [ OPTION ]\n    -b, --background\n      Execute operations in the background, ideal for large scans\n      e.g: maldet -b -r \/home\/?\/public_html 7\n\n    -u, --update-sigs [--force]\n       Update malware detection signatures from rfxn.com\n\n    -d, --update-ver [--force]\n       Update the installed version from rfxn.com\n\n    -f, --file-list\n       Scan files or paths defined in line spaced file\n       e.g: maldet -f \/root\/scan_file_list\n\n    -r, --scan-recent PATH DAYS\n       Scan files created\/modified in the last X days (default: 7d, wildcard: ?)\n       e.g: maldet -r \/home\/?\/public_html 2\n\n    -a, --scan-all PATH\n       Scan all files in path (default: \/home, wildcard: ?)\n       e.g: maldet -a \/home\/?\/public_html\n\n    -i, --include-regex REGEX\n       Include paths\/files from file list based on supplied posix-egrep regular\n       expression.\n       e.g: To include only paths named wp-content and files ending in .php:\n       --include-regex \".*\/wp-content\/.*|.*.php$\"\n\n    -x, --exclude-regex REGEX\n       Exclude paths\/files from file list based on supplied posix-egrep regular\n       expression.\n       e.g: To exclude paths containing 'wp-content\/w3tc\/' and core files:\n       --exclude-regex \".*wp-content\/w3tc\/.*|.*core.[0-9]+$\"\n\n    -m, --monitor USERS|PATHS|FILE|RELOAD\n       Run maldet with inotify kernel level file create\/modify monitoring\n       If USERS is specified, monitor user homedirs for UID's > 500\n       If FILE is specified, paths will be extracted from file, line spaced\n       If PATHS are specified, must be comma spaced list, NO WILDCARDS!\n       e.g: maldet --monitor users\n       e.g: maldet --monitor \/root\/monitor_paths\n       e.g: 
maldet --monitor \/home\/mike,\/home\/ashton\n\n    -k, --kill-monitor\n       Terminate inotify monitoring service\n\n    -c, --checkout FILE\n       Upload suspected malware to rfxn.com for review & hashing into signatures\n\n    -l, --log\n       View maldet log file events\n\n    -e, --report SCANID email\n       View scan report of most recent scan or of a specific SCANID and optionally\n       e-mail the report to a supplied e-mail address\n       e.g: maldet --report\n       e.g: maldet --report list\n       e.g: maldet --report 050910-1534.21135\n       e.g: maldet --report SCANID user@domain.com\n\n    -s, --restore FILE|SCANID\n       Restore file from quarantine queue to orginal path or restore all items from\n       a specific SCANID\n       e.g: maldet --restore \/usr\/local\/maldetect\/quarantine\/config.php.23754\n       e.g: maldet --restore 050910-1534.21135\n\n    -q, --quarantine SCANID\n       Quarantine all malware from report SCANID\n       e.g: maldet --quarantine 050910-1534.21135\n\n    -n, --clean SCANID\n       Try to clean & restore malware hits from report SCANID\n       e.g: maldet --clean 050910-1534.21135\n\n    -U, --user USER\n       Set execution under specified user, ideal for restoring from user quarantine or\n       to view user reports.\n       e.g: maldet --user nobody --report\n       e.g: maldet --user nobody --restore 050910-1534.21135\n\n    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE\n       Set or redefine the value of conf.maldet config options\n       e.g: maldet --config-option email_addr=you@domain.com,quarantine_hits=1\n\n    -p, --purge\n       Clear logs, quarantine queue, session and temporary data.\n\n    --web-proxy IP:PORT\n       Enable use of HTTP\/HTTPS proxy for all remote URL calls.\n<\/code><\/pre>\n\n\n\n

And that is how you can easily integrate Linux Malware Detect with ClamAV.<\/p>\n\n\n\n

Other Tutorials<\/h3>\n\n\n\n

Install and Setup Nessus Scanner on Ubuntu 20.04<\/a><\/p>\n\n\n\n

Install WPScan on Ubuntu 20.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Follow through this guide to learn how you can integrate Linux Malware Detect with ClamAV. Linux Malware Detect (LMD), can be configured to use ClamAV<\/p>\n","protected":false},"author":1,"featured_media":11923,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34],"tags":[169,4734,4736,4737,4726,4735,4732,4733],"class_list":["post-11920","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-security","tag-clamav","tag-configure-lmd-to-use-clamav","tag-integrate-linux-malware-detect-with-clamav","tag-integrate-lmd-with-clamav","tag-lmd","tag-scan_clamscan","tag-setup-linux-malware-detect-with-clamav","tag-setup-lmd-with-clamav","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11920"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11920"}],"version-history":[{"count":2,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11920\/revisions"}],"predecessor-version":[{"id":11922,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11920\/revisions\/11922"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11923"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11920"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1192
0"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}