Security / Server Setup

How to install Malware Detect in CentOS / RedHat 7

by , , revisited on


Linux Malware Detect (LMD, or maldet) allows you to easily spot malware within your website files.
Its developer, R-fx Networks, maintains high-quality malware definitions. Whether you suspect malware in your site, or intend to tighten your website’s security – Malware Detect is a must-have / must-use software.

Installing Malware Detect (maldet)

Setup GetPageSpeed repository

yum install https://extras.getpagespeed.com/release-el7-latest.rpm

Install Malware Detect

yum install maldet

Upon installing the package, it will immediately download its definition updates.

This will install few dependent packages which ensure the efficiency of scanning (namely clamav scanner and inotify-tools).

Use Malware Detect

Scan a directory for malware

Now that Malware Detect is installed, you can scan a directory for malware like this:

maldet --scan-all /var/www

Continuously watch directories for malware

One great feature of Malware Detect is being able to scan an entire directory for new/changed files.
This is especially useful for WordPress websites or other well-known CMS-es where each plugin contributes to lessened security. If you have a vulnerable plugin and hackers are able to upload malware, then it can be automatically cleaned up by Malware Detect.

To setup monitoring, edit /etc/maldet/maldet.conf and uncomment either of the lines:

# default_monitor_mode="users"
# default_monitor_mode="/var/lib/maldet/monitor_paths"

With default_monitor_mode="users" the scanning is most appropriate for cPanel servers, as this will result in continuous watching of files within each directory /home/<username>/public_html.

If you choose default_monitor_mode="/var/lib/maldet/monitor_paths" then you can specify exact directories you want to be scanned by editing /var/lib/maldet/monitor_paths.

So you can edit /var/lib/maldet/monitor_paths and specify each monitored directory on a new line like this:

/var/www
/some/other/directory

Make sure that the directories you specify actually exist, or else the monitoring service will fail to start.

Enable and start malware monitoring

systemctl enable maldet
systemctl start maldet

More Tips

It is important to understand the differences between clamav and clamd. When we installed Malware Detect, clamav was installed as dependency package. It is meant primarily for one-off scanning, and will help to improve performance of manual Malware Detect scans, e.g. launched via --scan-all option.

In case of continuous file monitoring, you may want to additionally install clamd package which contains the scanning daemon. Having it installed as well, will make maldet monitoring more efficient.

Configuring clamd scanning service will be covered in future posts. Stay tuned!


Also published on Medium.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.