How to integrate Linux Malware Detect and ClamAV to automatically detect malware on Linux servers

System administrators face all kinds of problems on a daily basis. Linux is often deployed on datacenter servers because of the reliability and security record of the open source platform, but contrary to popular belief, running Linux is not the end of your security concerns: any computer connected to a network is exposed, regardless of operating system.

In these environments many users with different levels of access converge on the same machines and use them for a variety of purposes. Whatever the server is used for, administrators need to put in place the security mechanisms that reduce those risks.

This time, malware analysis specialists from the International Institute of Cyber Security (IICS) will show you a way to add an extra layer of protection by integrating Linux Malware Detect (LMD, also known as maldet) with ClamAV. In this combination LMD provides the detection workflow (scanning, its own signature set, quarantine, reporting and scheduled runs) and ClamAV supplies the antivirus scanning engine.

Malware analysis experts note that this combination protects Linux servers against most known threats. It is signature based, so it will not catch malware for which no signature exists yet; treat it as a complement to patching and hardening, not a replacement.

Installing and configuring LMD

The first thing we will do is install LMD. Log in to the server and download the latest release with the following command:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Once the download is complete, extract the archive:

tar xvzf maldetect-current.tar.gz

The archive unpacks into a versioned directory (maldetect-x.y.z). Change into it and run the installer as root:

cd maldetect-*
sudo ./install.sh

The installer copies LMD to /usr/local/maldetect, links the maldet command into /usr/local/sbin and drops a daily cron job into /etc/cron.daily/maldet.

After installing LMD, we need to configure it to use ClamAV, which will be installed later; the order does not matter, because LMD looks for the clamscan binary at scan time, the malware analysis experts point out.

Open the configuration file with the following command:

sudo nano /usr/local/maldetect/conf.maldet

Make sure the following parameters are set in this file. Values in conf.maldet are quoted, and some option names changed between LMD releases, so match them against the names in the file you opened:

email_alert="1"
email_addr="EMAIL"
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quarantine_hits="1"
quarantine_clean="1"
quarantine_suspend_user="1"
scan_clamscan="1"

Where EMAIL is the address that receives the security alerts. quarantine_hits="1" moves detected files into quarantine instead of only alerting, and is required for quarantine_clean (which tries to strip string-based injections out of infected files) and quarantine_suspend_user to take effect. quarantine_suspend_user (quar_susp in 1.4.x releases) suspends the account that owns a hit, a feature aimed at shared hosting; on a single-purpose server you may prefer to leave it at 0. scan_clamscan="1" makes LMD use ClamAV's clamscan as its scan engine whenever it finds one, which is the integration this guide is about.

If you do not want email alerts, leave email_alert at 0 and do not touch the email_addr entry, the malware analysis specialists point out.

Finally, save and close the file.
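The same configuration step, scripted, as an added example that is not part of the original article: it sets the options above in conf.maldet without an editor and then re-reads the file to confirm them, which is what you want when the server is built by configuration management rather than by hand. The option names are the LMD 1.5+ ones. write_sample_conf produces a constructed excerpt shaped like a stock conf.maldet so the script can be tried without touching a real install, and you@domain.com is assumed to be the placeholder address in the shipped file.

```shell
#!/bin/sh
# Added example (not from the original article): set the conf.maldet options
# from the steps above non-interactively, then verify them. Assumes the
# LMD 1.5+ option names; older releases used different names.
set -u

# Replace KEY=... in CONF with KEY="VALUE", appending the line if KEY is
# absent. The file is rewritten through a temp copy and written back in
# place so the ownership and mode of conf.maldet are preserved.
set_maldet_opt() {
    smo_conf=$1; smo_key=$2; smo_val=$3
    smo_tmp=$(mktemp)
    if grep -q "^${smo_key}=" "$smo_conf"; then
        sed "s|^${smo_key}=.*|${smo_key}=\"${smo_val}\"|" "$smo_conf" > "$smo_tmp"
    else
        cat "$smo_conf" > "$smo_tmp"
        printf '%s="%s"\n' "$smo_key" "$smo_val" >> "$smo_tmp"
    fi
    cat "$smo_tmp" > "$smo_conf"
    rm -f "$smo_tmp"
}

# Print the value of KEY in CONF with the surrounding quotes stripped.
get_maldet_opt() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Apply the article's settings: alert by mail, quarantine and clean hits,
# and use ClamAV's clamscan as the scan engine.
configure_maldet() {
    cm_conf=$1; cm_email=$2
    set_maldet_opt "$cm_conf" email_alert 1
    set_maldet_opt "$cm_conf" email_addr "$cm_email"
    # Single quotes: $HOSTNAME and $(date ...) must land in the file
    # unexpanded; maldet sources conf.maldet and expands them itself.
    set_maldet_opt "$cm_conf" email_subj 'Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)'
    set_maldet_opt "$cm_conf" quarantine_hits 1
    set_maldet_opt "$cm_conf" quarantine_clean 1
    set_maldet_opt "$cm_conf" scan_clamscan 1
}

# Re-read CONF and report every setting that is not what we expect.
# Exit status 1 if anything is off, so it can gate an automated build.
check_maldet_conf() {
    cmc_conf=$1; cmc_rc=0
    for cmc_pair in email_alert=1 quarantine_hits=1 quarantine_clean=1 scan_clamscan=1; do
        cmc_key=${cmc_pair%%=*}; cmc_want=${cmc_pair#*=}
        cmc_got=$(get_maldet_opt "$cmc_conf" "$cmc_key")
        if [ "$cmc_got" != "$cmc_want" ]; then
            printf '%s: %s=%s, want %s\n' "$cmc_conf" "$cmc_key" "${cmc_got:-<unset>}" "$cmc_want" >&2
            cmc_rc=1
        fi
    done
    # Alerts enabled but still pointing at the stock placeholder address
    # (you@domain.com in the shipped file, assumed here) fail silently.
    case "$(get_maldet_opt "$cmc_conf" email_addr)" in
        ''|you@domain.com)
            echo "$cmc_conf: email_addr is unset or still the placeholder" >&2
            cmc_rc=1 ;;
    esac
    return $cmc_rc
}

# Constructed excerpt in the shape of a stock conf.maldet, for trying the
# functions above without touching a real install.
write_sample_conf() {
    cat > "$1" <<'EOF'
# [ EMAIL ALERTS ]
email_alert="0"
email_addr="you@domain.com"
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
# [ QUARANTINE OPTIONS ]
quarantine_hits="0"
quarantine_clean="0"
quarantine_suspend_user="0"
# [ SCAN OPTIONS ]
scan_clamscan="1"
EOF
}

# Usage (as root): sh configure-maldet.sh /usr/local/maldetect/conf.maldet secops@example.com
if [ "$#" -eq 2 ]; then
    configure_maldet "$1" "$2"
    check_maldet_conf "$1"
fi
```

Run it once against the real conf.maldet with the alert address, then keep check_maldet_conf in whatever audits the server: a later LMD upgrade or a stray edit that flips quarantine_hits back to 0 turns the setup into alert-only without anyone noticing.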

Installing ClamAV

The next step is to install ClamAV. On Debian or Ubuntu, run:

sudo apt-get install clamav clamav-daemon -y

According to malware analysis specialists, on a Red Hat based distribution ClamAV ships in EPEL, so you must first enable that repository with the following command:

sudo dnf install epel-release -y

With the repository enabled, install ClamAV with these commands:

sudo dnf update
sudo dnf install clamav clamav-update clamd

Fetch current signatures before the first scan. On Debian and Ubuntu the clamav-freshclam service does this on its own; on Red Hat based systems run sudo freshclam. clamscan --version shows the engine version and the date of the signature database it loaded, which is a quick way to confirm the update landed.

Testing

To test the setup, we will put some malicious-looking files on the server. For this, the malware analysis experts use the EICAR test file: a 68-byte string that every antivirus engine recognises by convention, so it exercises the whole detection pipeline without putting real malware on the host.

Change to the /srv directory (cd /srv) and run the following commands:

sudo wget http://www.eicar.org/download/eicar.com
sudo wget http://www.eicar.org/download/eicar.com.txt
sudo wget http://www.eicar.org/download/eicar_com.zip
sudo wget http://www.eicar.org/download/eicarcom2.zip

Once the files are downloaded, scan the directory with this command:

sudo maldet --scan-all /srv

When the scan completes, maldet prints a summary (files scanned, malware hits, cleaned hits) together with a scan ID; the full report, listing each hit with its signature name, is shown with sudo maldet --report SCANID. All four EICAR files should appear as hits and be quarantined. The two zip archives are the interesting ones: they confirm that the ClamAV engine is actually in use, since it is the part of the pair that looks inside archives.

The four EICAR files then disappear from /srv, but they are not deleted: quarantine moves them to /usr/local/maldetect/quarantine, and a false positive can be put back with sudo maldet --restore FILE (or --restore SCANID for a whole scan). You do not need to start scans by hand afterwards, because the installer added a daily cron job. Be aware that /etc/cron.daily/maldet scans only the paths listed in it (home directories and common web roots) for recently changed files; if a directory such as /srv matters to you, add it there or put it under real-time inotify monitoring with sudo maldet --monitor /srv.
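An added example of the test run, not from the original article: instead of downloading the samples it writes the EICAR string itself, which works offline and proves the bytes on disk are the genuine 68-byte test file (a trailing newline or an editor's BOM changes the hash, and some engines then miss the file), adds a clean control file so a scanner that flags everything is noticed too, and, when maldet is present, scans the directory and pulls up the report. It assumes that maldet's scan summary includes a line of the form "to view run: maldet --report SCANID" and that the quarantine directory is /usr/local/maldetect/quarantine.

```shell
#!/bin/sh
# Added example (not from the original article): build the EICAR test set
# locally, prove the bytes are the real test string, then scan with maldet
# and fetch the report. Assumes maldet prints "to view run: maldet --report
# SCANID" and quarantines into /usr/local/maldetect/quarantine.
set -u

# The 68-byte EICAR test string. Single quotes keep $ and \ literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# SHA-256 of exactly those 68 bytes, with no trailing newline.
EICAR_SHA256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write the two plain variants the article fetches plus one clean control
# file (constructed content), so over-eager detection shows up as well.
write_eicar_samples() {
    mkdir -p "$1"
    printf '%s' "$EICAR" > "$1/eicar.com"
    printf '%s' "$EICAR" > "$1/eicar.com.txt"
    printf 'nothing to see here\n' > "$1/clean.txt"
}

# True only if FILE is byte-for-byte the EICAR string.
verify_eicar() {
    if [ "$(wc -c < "$1" | tr -d ' ')" -ne 68 ]; then
        return 1
    fi
    [ "$(sha256_of "$1")" = "$EICAR_SHA256" ]
}

# Number of hits a correct scan of DIR must report: exactly the EICAR files.
expected_hits() {
    eh_n=0
    for eh_f in "$1"/*; do
        if verify_eicar "$eh_f"; then
            eh_n=$((eh_n + 1))
        fi
    done
    echo "$eh_n"
}

# Scan DIR, then pull the full report for the scan id maldet printed.
scan_with_maldet() {
    swm_out=$(maldet --scan-all "$1" 2>&1)
    printf '%s\n' "$swm_out"
    swm_id=$(printf '%s\n' "$swm_out" | sed -n 's/.*maldet --report \([0-9][0-9.-]*\).*/\1/p' | tail -n 1)
    if [ -n "$swm_id" ]; then
        maldet --report "$swm_id"
    fi
}

# Usage (as root, with LMD and ClamAV installed): sh eicar-test.sh /srv/eicar-test
if [ "$#" -eq 1 ] && command -v maldet >/dev/null 2>&1; then
    write_eicar_samples "$1"
    echo "expecting $(expected_hits "$1") hits in $1"
    scan_with_maldet "$1"
    # Quarantined files are moved here, not deleted; maldet --restore puts them back.
    ls -la /usr/local/maldetect/quarantine/
fi
```

Compare the "malware hits" count in the summary with the number the script expects: the two EICAR files must be hits and clean.txt must not be, and the report should name the ClamAV engine, which is the point of the integration. Anything else means the scan ran with LMD's own signatures only, and scan_clamscan or the ClamAV install needs a second look.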

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.