LINUX-MALWARE-DETECT(19)         User Commands        LINUX-MALWARE-DETECT(19)

NAME
       maldet - Linux Malware Detect

SYNOPSIS
       maldet  [-h|--help]  [-a|--scan-all  PATH] [-r|--scan-recent PATH DAYS]
       [-f|--file-list   PATH]    [-i|--include-regex]    [-x|--exclude-regex]
       [-b|--background]  [-m|--monitor]  [-k|--kill-monitor]  [-c|--checkout]
       [-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log]  [-e|--report]
       [-u|--update-sigs]

DESCRIPTION
       Linux Malware Detect is a malware scanner for Linux released under the
       GNU GPLv2 license, that is designed around the threats faced in shared
       hosted environments. It uses threat data from network edge intrusion
       detection systems to extract malware that is actively being used in
       attacks and generates signatures for detection. In addition, threat
       data is also derived from user submissions with the LMD checkout
       feature and from malware community resources. The signatures that LMD
       uses are MD5 file hashes and HEX pattern matches; they are also easily
       exported to any number of detection tools such as ClamAV.

       The driving force behind LMD is that there is currently limited
       availability of open source/restriction free tools for Linux systems
       that focus on malware detection and, more importantly, that get it
       right. Many of the AV products that perform malware detection on Linux
       have a very poor track record of detecting threats, especially those
       targeted at shared hosted environments.

       The threat landscape in shared hosted environments differs from the one
       the standard AV product detection suites address: they primarily detect
       OS level trojans, rootkits and traditional file-infecting viruses but
       miss the ever increasing variety of malware at the user account level,
       which serves as an attack platform.

FEATURES
       o  MD5 file hash detection for quick threat identification

       o  HEX based pattern matching for identifying threat variants

       o  statistical analysis component for detection of  obfuscated  threats
          (e.g: base64)

       o  integrated detection of ClamAV to use as scanner engine for improved
          performance

       o  integrated signature update feature with -u|--update

       o  integrated version update feature with -d|--update-ver

       o  scan-recent option to scan only files that have  been  added/changed
          in X days

       o  scan-all option for full path based scanning

       o  checkout option to upload suspected malware to rfxn.com for review /
          hashing

       o  full reporting system to view current and previous scan results

       o  quarantine queue that stores threats in a safe fashion with no
          permissions

       o  quarantine batching option to quarantine the results of a current or
          past scan

       o  quarantine restore option to restore files to original  path,  owner
          and perms

       o  quarantine  suspend account option to Cpanel suspend or shell revoke
          users

       o  cleaner rules to attempt removal of malware injected strings

       o  cleaner batching option to attempt cleaning of previous scan reports

       o  cleaner rules to remove base64 and gzinflate(base64) injected malware

       o  daily cron based scanning of all changes in last 24h in user homedirs

       o  daily  cron  script compatible with stock RH style systems, Cpanel &
          Ensim

       o  kernel based inotify real time file scanning of created/modified/moved
          files

       o  kernel inotify monitor that can take path data from STDIN or FILE

       o  kernel inotify monitor convenience feature to monitor system users

       o  kernel inotify monitor can be restricted to a configurable user html
          root

       o  kernel inotify monitor with dynamic sysctl limits for optimal
          performance

       o  kernel inotify alerting through daily and/or optional weekly reports

       o  e-mail alert reporting after every scan execution (manual & daily)

       o  path, extension and signature based ignore options

       o  background scanner option for unattended scan operations

       o  verbose logging & output of all actions

THREAT SOURCE DATA
       The defining difference with LMD is that it doesn't just detect malware
       based on signatures/hashes that someone else generated but rather it is
       an encompassing project that actively tracks in-the-wild threats and
       generates signatures based on those real world threats that are
       currently circulating.

       There  are  four main sources for malware data that is used to generate
       LMD signatures:

       o  Network Edge IPS: The network I manage hosts over 35,000 web sites
          and as such receives a large amount of daily abuse, all of which is
          logged by our network edge IPS. The IPS events are processed to
          extract malware URLs and decode POST payloads and base64/gzip encoded
          abuse data; ultimately that malware is retrieved, reviewed,
          classified and then signatures are generated as appropriate. The
          vast majority of LMD signatures have been derived from IPS extracted
          data.

       o  Community Data: Data is aggregated from multiple  community  malware
          websites  such  as  clean-mx and malwaredomainlist then processed to
          retrieve new malware, review, classify and then generate signatures.

       o  ClamAV: The HEX & MD5 detection signatures from ClamAV are monitored
          for relevant updates that apply to the target user group of LMD and
          added to the project as appropriate. To date roughly 400 signatures
          have been ported from ClamAV, while the LMD project has contributed
          back to ClamAV by submitting over 1,100 signatures and continues to
          do so on an ongoing basis.

       o  User Submission: LMD has a checkout feature that allows users to
          submit suspected malware for review. This has grown into a very
          popular feature and generates on average about 30-50 submissions per
          week.

SIGNATURE UPDATES
       The LMD signatures are updated typically once per day or more
       frequently depending on incoming threat data from the LMD checkout
       feature, IPS malware extraction and other sources. The updating of
       signatures in LMD installations is performed daily through the default
       cron.daily script with the --update option, which can be run manually
       at any time.

       An RSS feed is available for tracking malware threat updates:
              RSS Recent Signatures: http://www.rfxn.com/api/lmd

CLI USAGE
       The command line options are as follows:

       -b, --background

              Execute operations in the background, ideal for large scans e.g:
              maldet -b -r /home/?/public_html 7

       -u, --update-sigs

              Update malware detection signatures from rfxn.com

       -f, --file-list

              Scan files or paths defined in line spaced file e.g:  maldet  -f
              /root/scan_file_list

       -r, --scan-recent PATH DAYS

              Scan  files  created/modified  in  the last X days (default: 7d,
              wildcard: ?)  e.g: maldet -r /home/?/public_html 2

       -a, --scan-all PATH

              Scan all files in  path  (default:  /home,  wildcard:  ?)   e.g:
              maldet -a /home/?/public_html

       -i, --include-regex REGEX

              Include paths/files from file list based on supplied posix-egrep
              regular expression. e.g: To include only paths named wp-content
              and files ending in .php:
              --include-regex ".*/wp-content/.*|.*.php$"

       -x, --exclude-regex REGEX

              Exclude paths/files from file list based on supplied posix-egrep
              regular expression. e.g: To exclude paths containing
              'wp-content/w3tc/' and core files:
              --exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"

       -m, --monitor USERS|PATHS|FILE|RELOAD

              Run maldet with inotify kernel level file create/modify
              monitoring. If USERS is specified, monitor user homedirs for
              UIDs > 500. If FILE is specified, paths will be extracted from
              the file, line spaced. If PATHS are specified, they must be a
              comma spaced list, NO WILDCARDS!
              e.g: maldet --monitor users
              e.g: maldet --monitor /usr/local/maldetect/monitor_paths
              e.g: maldet --monitor /home/mike,/home/ashton

       -k, --kill-monitor

              Terminate inotify monitoring service

       -c, --checkout FILE

              Upload  suspected  malware to rfxn.com for review & hashing into
              signatures

       -l, --log

              View maldet log file events

       -e, --report SCANID email

              View scan report of most recent scan or of a specific SCANID and
              optionally e-mail the report to a supplied e-mail address.
              e.g: maldet --report
              e.g: maldet --report list
              e.g: maldet --report 050910-1534.21135
              e.g: maldet --report SCANID user@domain.com

       -s, --restore FILE|SCANID

              Restore file from quarantine queue to original path or restore
              all items from a specific SCANID.
              e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
              e.g: maldet --restore 050910-1534.21135

       -q, --quarantine SCANID

              Quarantine all malware from report SCANID.
              e.g: maldet --quarantine 050910-1534.21135

       -n, --clean SCANID

              Try  to  clean  &  restore  malware hits from report SCANID e.g:
              maldet --clean 050910-1534.21135

       -U, --user USER

              Set execution under specified user, ideal for restoring from
              user quarantine or to view user reports.
              e.g: maldet --user nobody --report
              e.g: maldet --user nobody --restore 050910-1534.21135

       -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE

              Set or redefine the value of maldetect.conf config options.
              e.g: maldet --config-option email_addr=you@domain.com,quarantine_hits=1

       -p, --purge

              Clear logs, quarantine queue, session and temporary data.
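       The -i/--include-regex and -x/--exclude-regex filters described above,
       as an added example that is not maldet's own code: the same posix-egrep
       syntax (grep -E) applied to a constructed line-spaced file list, so a
       regex pair can be checked on a known list before it is handed to a real
       scan. The paths are constructed sample data; the two regexes are the
       man page's own examples.

```shell
#!/bin/sh
# Added example, not part of maldet: reproduce include/exclude file-list
# filtering with posix-egrep (grep -E), the syntax -i/-x accept.
# All paths below are constructed sample data.

INCLUDE_RE='.*/wp-content/.*|.*.php$'              # example from the man page
EXCLUDE_RE='.*wp-content/w3tc/.*|.*core.[0-9]+$'   # example from the man page

# filter_file_list INCLUDE_RE EXCLUDE_RE: reads a line-spaced file list on
# stdin, keeps lines matching INCLUDE_RE (all lines if empty), then drops
# lines matching EXCLUDE_RE (none if empty). "|| true" keeps the pipeline
# from failing when a filter leaves nothing: that is a result, not an error.
filter_file_list() {
    inc="$1"; exc="$2"
    { if [ -n "$inc" ]; then grep -E -- "$inc" || true; else cat; fi; } |
    { if [ -n "$exc" ]; then grep -E -v -- "$exc" || true; else cat; fi; }
}

# sample_file_list: a constructed list in the format -f/--file-list reads.
sample_file_list() {
    cat <<'EOF'
/home/mike/public_html/wp-content/plugins/seo/seo.php
/home/mike/public_html/wp-content/w3tc/cache.php
/home/mike/public_html/index.php
/home/mike/public_html/core.12345
/home/ashton/public_html/images/logo.png
/home/ashton/public_html/wp-content/uploads/2016/shell.php
EOF
}

# demo_filtered: the files a scan with both regexes would actually examine.
demo_filtered() {
    sample_file_list | filter_file_list "$INCLUDE_RE" "$EXCLUDE_RE"
}

# Equivalent real invocation over every user's html root (wildcard ?):
#   maldet -a '/home/?/public_html' -i "$INCLUDE_RE" -x "$EXCLUDE_RE"
demo_filtered
```

       Note that the dot in `.*.php$` is unescaped, so the include pattern
       also matches a name such as `index_php`; write `\.php$` when only the
       extension is meant.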

LICENSE
       This program may be freely redistributed under the terms of the GNU GPL
       v2

AUTHORS
       (C) 2002-2019, R-fx Networks <proj@r-fx.org>
       (C) 2019, Ryan MacDonald <ryan@r-fx.org>

Linux Malware Detect v1.6.4     September 2016        LINUX-MALWARE-DETECT(19)
