How to integrate Linux Malware Detection and ClamAV for automated malware detection on Linux servers

Jack Wallen walks you through the steps of installing both Linux Malware Detection and ClamAV for a reliable one-two punch of malware and virus prevention.

Computer Malware Attack

Image: Getty Images/iStockphoto

More about cybersecurity

Say that you’ve deployed Linux as your data center servers because of the reliability and security the open source platform offers. Don’t be fooled into thinking using Linux will be the be-all, end-all of your security needs. It’s always important to remember that, so long as it’s attached to a network, any computer is vulnerable. With your Linux servers, you might have any number of users logging in and saving files to numerous directories. Or, maybe you’re using Linux as a mail server, where attachments are sent and received. 

Regardless of why you’re using that Linux server, it’s important that you take the necessary precautions to protect those servers and those who use them.

One way to add a layer of protection against malware is to integrate Linux Malware Detection (LMD) and ClamAV. This combination uses LMD as the malware detection tool and ClamAV as the antivirus engine. Once you have this combo installed and configured, you can be sure your Linux servers are better protected against such threats.

SEE: Security incident response policy (TechRepublic Premium)

What you’ll need

  • A Linux server (I’ll be demonstrating on Ubuntu Server 20.04) 
  • A user with sudo privileges

How to install and configure LMD

The first thing we’ll do is install LMD. Log in to your server and download the latest version with the command:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Once the download completes, unpack the file with the command:

tar xvzf maldetect-current.tar.gz

Install the software with the command:

sudo ./install.sh

With maldetect installed, we now have to configure it to work with ClamAV, which we’ll install in a moment. Open the configuration file with the command:

sudo nano /usr/local/maldetect/conf.maldet

In that file, you want to make sure to set the following configuration options:

email_alert=1
email_addr=EMAIL
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quarantine_hits=1
quarantine_clean=1
quarantine_susp=1
scan_clamscan="1"

Where EMAIL is the email address that will receive alerts. If you don’t need to receive email alerts, leave email_alert set to 0 and don’t change the email_addr entry.

Save and close the file.

How to install ClamAV

Now we’ll install ClamAV. To do this, issue the command:

sudo apt-get install clamav clamav-daemon -y

If you’re using a Red Hat-based distribution, you’ll need to first enable the EPEL repository with the command:

sudo dnf install epel-release -y

With that installed, you can then install ClamAV with the commands:

sudo dnf update
sudo dnf install clamd

How to test LDM/ClamAV

To test this system, we’ll download the infamous EICAR files to the server. Change into the /svr directory (with the command: cd /srv) and issue the following commands:

sudo wget http://www.eicar.org/download/eicar.com sudo wget http://www.eicar.org/download/eicar.com.txt sudo wget http://www.eicar.org/download/eicar_com.zip sudo wget http://www.eicar.org/download/eicarcom2.zip

After you’ve downloaded the files, run a scan for that directory with the command:

sudo maldet --scan-all /srv

When the scan completes, you should see that the system has detected the files and quarantined them. All four of the EICR files will have been removed from the /srv directory.

You don’t have to worry about launching a manual scan—although you can at any time—because maldet will be set to run daily (via cron).

And that’s all there is to deploying a reliable malware/virus detection system for your Linux servers. 

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Also see