Scan for Malware and Viruses on CentOS using ClamAV and Linux Malware Detect

Linux Malware Detect and ClamAV are two effective tools to easily scan for malware and viruses on a VPS server. In this article, we are going to install both programs on CentOS. These steps will work on both CentOS 6 and 7.

1. Install Linux Malware Detect

Install Linux Malware Detect from the official website. At the time of writing, the current version is maldetect-1.4.2.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvf maldetect-current.tar.gz
cd maldetect-1.4.2
./install.sh

Once the installation finishes, Linux Malware Detect will automatically create a daily cronjob task.

2. Configure Linux Malware Detect

All configuration settings of Linux Malware Detect are stored in the file /usr/local/maldetect/conf.maldet. Configure the following subset of options:

email_alert=1
email_addr=youremail@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
clam_av=1

For the values below, 1=true and 0=false.

1. email_alert=1: If you want to receive notifications via email.
2. email_addr=youremail@localhost: Enter your email address.
3. email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)" : Email subject of the notification.
4. quar_hits=1: Move the malware to quarantine.
5. quar_clean=1: Delete any malware detected.
6. clamav_scan=1: Use ClamAV’s malware library to scan.

3. Install ClamAV

Installing ClamAV helps Linux Malware Detect to scan processes faster and more effectively. First, we need to install the EPEL repo:

yum install epel-release

Then, we install ClamAV with the following command:

yum update && yum install clamav

4. How To Use Linux Malware Detect

After finishing the installation process, you are able to use Linux Malware Detect to scan for malware.

To scan a folder, use this command:

maldet --scan-all /home/domain.com/public_html

If you only want to scan some specified file types (.php for example), you can use the following command:

maldet --scan-all /home/domain.com/public_html/*.php

To view a scanning report, use the following command. Replace 14715-1421.3219 with the scan ID.

maldet --report 14715-1421.3219

You can update Linux Malware Detect by running:

maldet -u

To delete all quarantined files:

rm -rf /usr/local/maldetect/quarantine/*