How to install malware detection and antivirus on CentOS 7

If you serve up files with a Linux machine, you should watch for malicious code. Follow this tutorial on how to add Linux Malware Detector and ClamAV for this very purpose.

If you're running CentOS as a file server, you owe it to yourself and your business to ensure the files housed on that Linux machine are free from malicious code.

You will probably have Windows users who connect to that server, and the platform they are using could be susceptible to malware and viruses. Because of that, you must ensure those files are clean. Your best bet for managing that on CentOS is to install Linux Malware Detect (LMD) and ClamAV. I'll walk you through the steps of installing and configuring these tools so you can rest easier that your CentOS server isn't distributing malicious files.

Note: During the installation and usage of this tool, I employ sudo. You can skip that by first su'ing to the root user and then issuing all of the commands without sudo.

Installing LMD

Before we install LMD, there are three dependencies that must be installed. To install Extra Packages for Enterprise Linux, open a terminal window and issue the command:

sudo yum -y install epel-release

Once that installation completes, we then must install mailx. This piece of software will be charged with mailing reports to your email address. To install mailx, go back to your terminal window and issue the command:

sudo yum -y install mailx

Finally, inotify-tools must be installed so that LMD has access to the inotifywait command. From the terminal, issue the command:

sudo yum install inotify-tools

Now we're ready to install LMD. Back at the terminal, issue the following commands:

sudo su
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvzf maldetect-current.tar.gz
cd maldetect-XXX (Where XXX is the release number)
./install.sh

We must create a symbolic link to the LMD executable with the following two commands:

ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r

Configuring LMD

With LMD installed, it's time to change a few configuration options. Issue the command nano /usr/local/maldetect/conf.maldet. In that file, you'll want to take care of the following.

Enable the email alert by changing the value 0 to 1 in this line:

email_alert="0"

Add your email address (for notifications) here:

email_addr="you@domain.com"

Enable the ClamAV clamscan binary as the default scan engine by changing the 0 to 1 on this line:

scan_clamscan="0"

Note: You will probably already find ClamAV enabled.

Enable quarantining so that malware will be automatically quarantined during the scan process. Change the '0' to '1' in this line:

quarantine_hits="0"

Finally, enable cleaning of string-based malware injections by changing the '0' to '1' in this line:

quarantine_clean="0"

Save and close conf.maldet.
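As an added example that is not part of this article, the following shell script applies the five conf.maldet settings above with sed instead of editing by hand, and reads each value back so the change can be verified. The sample file it builds is a constructed stand-in for /usr/local/maldetect/conf.maldet, and the function names get_maldet_option, set_maldet_option and configure_maldet are chosen here, not taken from LMD.

```shell
#!/bin/sh
# Added example, not part of the article or of LMD. Assumes conf.maldet keeps
# options in the key="value" form shown above.

# Print the current value of KEY in FILE (empty output if the key is absent).
get_maldet_option() {
    file=$1; key=$2
    sed -n "s/^${key}=\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# Replace the existing KEY="..." line in FILE with KEY="VALUE".
# Returns 1 when KEY is not in the file, so a typo cannot silently add an
# option that maldet would never read.
set_maldet_option() {
    file=$1; key=$2; value=$3
    grep -q "^${key}=\"" "$file" || return 1
    sed -i "s|^${key}=\".*\"|${key}=\"${value}\"|" "$file"
}

# Apply the settings from the Configuring LMD section to FILE.
configure_maldet() {
    file=$1; addr=$2
    set_maldet_option "$file" email_alert 1 &&
    set_maldet_option "$file" email_addr "$addr" &&
    set_maldet_option "$file" scan_clamscan 1 &&
    set_maldet_option "$file" quarantine_hits 1 &&
    set_maldet_option "$file" quarantine_clean 1
}

# Constructed stand-in for conf.maldet so the example runs offline; on a real
# server point configure_maldet at /usr/local/maldetect/conf.maldet instead.
make_sample_conf() {
    file=$1
    cat > "$file" <<'EOF'
# constructed sample: only the keys discussed in the article
email_alert="0"
email_addr="you@domain.com"
scan_clamscan="0"
quarantine_hits="0"
quarantine_clean="0"
EOF
}

SAMPLE=$(mktemp)
make_sample_conf "$SAMPLE"
configure_maldet "$SAMPLE" "admin@example.com"
echo "quarantine_hits is now: $(get_maldet_option "$SAMPLE" quarantine_hits)"
rm -f "$SAMPLE"
```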

Installing ClamAV

Now we move onto the installation of ClamAV. From the terminal window, issue the following command:

yum -y install clamav clamav-devel

The above command will also install a number of dependencies—allow this installation process to complete.

Testing LMD/ClamAV

In order to ensure this is working, we need to download a few malicious files to our server. To do this, go to the terminal window and issue the following commands:

cd /var/www/html
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

Back at the terminal, issue the command maldet -a /var/www/html. When this command runs, it will find the malware, quarantine it, and report it. At the end of the scan, maldet will tell you which command to run to view the report (in the form maldet --report REPORT_NUMBER); that report lists how many hits were found and how many files were cleaned (Figure A).

Figure A

The eicar test revealed two malicious files.

Enabling folder monitoring

Now that we know the system is working, we need to set up folder monitoring, so you can depend upon LMD to regularly monitor the folder(s) that house your server's files. Say you want to monitor both /var/www/html and a specific folder that houses shared company data (we'll call it /data). To have LMD monitor these two folders (multiple directories are separated by a comma), issue the following command:

sudo maldet -m /var/www/html/,/data/

Out of the box, maldet is set to generate only one report a day; you can change this by creating a new hourly cronjob. Issue the following command:

sudo nano /etc/cron.hourly/hourly_maldet_report

In this new file, add the following contents:

#!/bin/sh
# Send the collected alerts only while the inotify monitor started with
# 'maldet -m' is running as root (run-parts only runs this file if it is
# executable, so chmod +x it).
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
    /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
fi

Save and close the file. Now maldet will generate an hourly report.

That's it—your specified folders are being monitored by LMD and ClamAV.

A solution for every need

One of the amazing things about Linux is that, if you have a need, there is a solution; in fact, with almost every need there are multiple solutions. This combination of LMD and ClamAV is one of the best solutions for keeping your folders free of malicious files and folders.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
