Using MalDet to Protect Servers from Malware and Spammers
=========================================================

Linux Malware Detect, or MalDet, is a third-party program specifically designed to detect malware in shared hosting environments. While InterWorx is not affiliated with MalDet and does not directly support it, it can be a useful tool for identifying and eliminating malware that may be used to send spam from the server.

Detailed information on MalDet can be found `here `__.

.. note:: A full listing of MalDet’s options can be found in the README file, or by running ``maldet --help`` after installation.

.. contents::

Installing MalDet
-----------------

#. Log in to the server at the CLI as root, either via SSH or from the terminal

#. Download the tarball for the current version of MalDet, using ``wget``

   .. code-block::

      wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

#. Using ``tar``, extract the file

   .. code-block::

      tar -zxvf maldetect-current.tar.gz

#. Navigate to the directory where the contents of the tar file were extracted. This will reside in the current directory, and be named ``maldetect-[current-version]``. In this example, the current version is 1.6.4

   .. code-block::

      cd maldetect-1.6.4/

#. Run the install script, located in that directory

   .. code-block::

      ./install.sh

Running a Scan
--------------

#. Log in to the server at the CLI as root, either via SSH or from the terminal

#. Run ``maldet -a`` with the directory to be scanned. For example, to scan all files in the ``/chroot/home`` directory:

   .. code-block::

      [root@server ~]# maldet -a /chroot/home/
      Linux Malware Detect v1.6.4
                  (C) 2002-2019, R-fx Networks
                  (C) 2019, Ryan MacDonald
      This program may be freely redistributed under the terms of the GNU GPL v2

      maldet(1578): {scan} signatures loaded: 17189 (14367 MD5 | 2039 HEX | 783 YARA | 0 USER)
      maldet(1578): {scan} building file list for /chroot/home/, this might take awhile...
      maldet(1578): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
      maldet(1578): {scan} file list completed in 0s, found 1513 files...
      maldet(1578): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
      maldet(1578): {scan} scan of /chroot/home/ (1513 files) in progress...

      maldet(1578): {scan} scan completed on /chroot/home/: files 1513, malware hits 0, cleaned hits 0, time 34s
      maldet(1578): {scan} scan report saved, to view run: maldet --report 210130-1407.1578
      [root@server ~]#

#. After the scan is complete, it will provide a report of its findings (see last line in the example output above). Running the provided command (``maldet --report [report number]``) provides a report of which files were scanned and the findings, if any

   .. code-block::

      HOST:
      SCAN ID: 210130-1407.1578com
      STARTED: Jan 30 2021 14:07:20 -0500
      COMPLETED: Jan 30 2021 14:07:54 -0500
      ELAPSED: 34s [find: 0s]

      PATH: /chroot/home/
      TOTAL FILES: 1513
      TOTAL HITS: 0
      TOTAL CLEANED: 0

      ===============================================
      Linux Malware Detect v1.6.4 < proj@rfxn.com >
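
For unattended scans, the summary fields of the report can be checked by a script instead of by eye. The following is an added example, not part of the original page or the MalDet project: it pulls the report ID out of scan output shaped like the sample above and turns the ``TOTAL HITS`` field into an exit status. The function names and sample text are constructed for illustration, and it assumes the scan output and the report text have been captured as plain text, one field per line.

```bash
#!/usr/bin/env bash
# Added example (not MalDet's own code): turn a MalDet report summary into an exit status.

# Pull the report ID out of the "scan report saved" line of captured scan output (stdin).
scan_id_from_output() {
    sed -n 's/.*maldet --report \([0-9][0-9.-]*\).*/\1/p' | tail -n 1
}

# Print the value of one "NAME: value" line from report text on stdin.
report_field() {
    awk -v key="$1:" 'index($0, key) == 1 {
        val = substr($0, length(key) + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        print val; exit }'
}

# Exit status: 0 = no hits, 1 = hits found (review the report), 2 = report unparseable.
# An unparseable report is treated as a failure, never as "clean".
check_report() {
    local report hits cleaned
    report=$(cat)
    hits=$(printf '%s\n' "$report" | report_field "TOTAL HITS")
    cleaned=$(printf '%s\n' "$report" | report_field "TOTAL CLEANED")
    case "$hits" in ''|*[!0-9]*) return 2 ;; esac
    case "$cleaned" in ''|*[!0-9]*) return 2 ;; esac
    echo "hits=$hits cleaned=$cleaned"
    [ "$hits" -eq 0 ]
}

# Constructed sample input: the scan's final line and two report summaries.
SAMPLE_SCAN_LINE='maldet(1578): {scan} scan report saved, to view run: maldet --report 210130-1407.1578'
SAMPLE_CLEAN=$(printf '%s\n' 'PATH: /chroot/home/' 'TOTAL FILES: 1513' 'TOTAL HITS: 0' 'TOTAL CLEANED: 0')
SAMPLE_HITS=$(printf '%s\n' 'PATH: /chroot/home/' 'TOTAL FILES: 1513' 'TOTAL HITS: 2' 'TOTAL CLEANED: 1')

printf '%s\n' "$SAMPLE_SCAN_LINE" | scan_id_from_output
printf '%s\n' "$SAMPLE_CLEAN" | check_report && echo "clean"
printf '%s\n' "$SAMPLE_HITS" | check_report || echo "review needed (status $?)"
```

Files that MalDet reports as cleaned still count as hits here, since a cleaned file usually means the account that owned it needs a closer look.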