Official website:
Official documentation:
Changelog:
Installation:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz
cd maldetect-1.3.7
./install.sh
Edit the configuration file:
Edit /usr/local/maldetect/conf.maldet
email_alert=1
email_addr="自己的邮件地址 "
quar_clean=1
......
Usage notes:
Linux Malware Detect v1.3.7
[ DESCRIPTION ]
Linux Malware Detect (LMD) is a malware scanner for Linux, released under the
GNU GPLv2 license, that is designed around the threats faced in shared hosting
environments. It uses threat data from network edge intrusion detection
systems to extract malware that is actively being used in attacks and
generates signatures for detection. Threat data is also derived from user
submissions through the LMD checkout feature and from malware community
resources. The signatures LMD uses are MD5 file hashes and HEX pattern
matches; they are also easily exported to any number of other detection
tools, such as ClamAV.
The driving force behind LMD is that there are currently few open source,
restriction-free tools for Linux systems that focus on malware detection and,
more importantly, that get it right. Many of the AV products that perform
malware detection on Linux have a very poor track record of detecting threats,
especially those targeted at shared hosting environments.
The threat landscape in shared hosting environments differs from what the
detection suites of standard AV products cover: they primarily detect OS-level
trojans, rootkits and traditional file-infecting viruses, but miss the
ever-increasing variety of user-account-level malware that serves as an
attack platform.
Using the CYMRU malware hash registry, which provides malware detection data
for 30 major AV packages, we can demonstrate this shortcoming in current
threat detection. The following is an analysis of the core MD5 hashes (2,597)
in LMD 1.3.6 and the percentage of major AV products that currently detect
them.
KNOWN MALWARE: 569
% AV DETECT (AVG): 49
% AV DETECT (LOW): 58
% AV DETECT (HIGH): 71
UNKNOWN MALWARE: 2028
What this information means is that of the 2,597 hashes, 78% or 2,028
malware items are not detected or known by the top 30 major AV packages. The
569 malware items that are known and detected have an average detection rate
of 49% among major AV packages, with a low/high margin of detection at 58 and
71 percent respectively. This clearly demonstrates the lack of capability in
currently available tools and why it is important that something fill the
void, especially in the Linux shared hosting environment.
.: 2 [ FEATURES ]
- MD5 file hash detection for quick threat identification
- HEX based pattern matching for identifying threat variants
- integrated signature update feature, executes through cron.daily and --update
- integrated version update feature with --update-ver, must be run manually
- scan-recent option to scan only files that have been added/changed in X days
- scan-all option for full path based scanning
- checkout option to upload suspected malware to rfxn.com for review / hashing
- report option to view past or recent scan results
- quarantine queue that stores threats in a safe fashion with no permissions
- quarantine batching option to quarantine the results of a past or recent scan
- quarantine restore option to restore files to original path, owner and perms
- quarantine suspend account option to Cpanel suspend or shell revoke users
- cleaner rules to attempt removal of malware injected strings
- cleaner batching option to attempt cleaning of previous scan reports
- cleaner rules to remove base64 and gzinflate(base64) injected malware
- daily cron based scanning of all changes in last 24h in user homedirs
- daily cron script compatible with stock RH style systems, Cpanel & Ensim
- kernel based inotify real time file scanning of created/modified/moved files
- kernel inotify monitor that can take path data from STDIN or FILE
- kernel inotify monitor convenience feature to monitor system users
- kernel inotify monitor can be restricted to a configurable user html root
- kernel inotify monitor with dynamic sysctl limits for optimal performance
- kernel inotify alerting through daily and/or optional weekly reports
- e-mail alert reporting after every scan execution (manual & daily)
- path and signature based ignore options
- verbose logging & output of all actions
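To make the description and feature list above concrete, here is an added illustration (my own code, not LMD's) of the two signature types LMD uses, MD5 file hashes and HEX byte patterns, combined with the scan-recent mtime window. The signature values, the home/user1/public_html tree and the file contents are all constructed for the demo.

```python
import hashlib
import os
import tempfile
import time

# Constructed demo signatures (not real LMD signatures). LMD's two signature
# types are MD5 hashes of whole files and HEX byte-pattern matches.
KNOWN_SAMPLE = b"constructed stand-in for a known-bad file\n"
MD5_SIGNATURES = {hashlib.md5(KNOWN_SAMPLE).hexdigest(): "demo.known_bad"}
# Hex of the bytes 'eval(gzinflate(base64_decode(' (cf. the cleaner rules above).
HEX_SIGNATURES = {"demo.php.gzinflate_eval": "6576616c28677a696e666c617465286261736536345f6465636f646528"}

def scan_recent(root, days):
    """Mimic 'maldet -r ROOT DAYS': files modified in the last DAYS days are
    checked against the MD5 list first, then the HEX patterns. Returns {relpath: sig}."""
    cutoff = time.time() - days * 86400
    patterns = {n: bytes.fromhex(h) for n, h in HEX_SIGNATURES.items()}
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < cutoff:
                continue  # outside the scan-recent window, like LMD's -r option
            with open(path, "rb") as f:
                data = f.read()
            sig = MD5_SIGNATURES.get(hashlib.md5(data).hexdigest())
            if sig is None:
                sig = next((n for n, p in patterns.items() if p in data), None)
            if sig is not None:
                hits[os.path.relpath(path, root)] = sig
    return hits

def build_demo_tree():
    """Create a constructed home/<user>/public_html tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="lmd-demo-")
    pub = os.path.join(root, "home", "user1", "public_html")
    os.makedirs(pub)
    files = {
        "shell.php": KNOWN_SAMPLE,                                          # MD5 hit
        "index.php": b"<?php eval(gzinflate(base64_decode('...'))); ?>\n",  # HEX hit
        "clean.php": b"<?php echo 'hello'; ?>\n",                          # no hit
        "old.php": b"<?php eval(gzinflate(base64_decode('...'))); ?>\n",    # HEX hit, but old
    }
    for name, content in files.items():
        with open(os.path.join(pub, name), "wb") as f:
            f.write(content)
    old = time.time() - 30 * 86400  # 30 days back: skipped by a 7-day scan-recent
    os.utime(os.path.join(pub, "old.php"), (old, old))
    return root
```

Running scan_recent(build_demo_tree(), 7) reports shell.php and index.php only; widening the window (the scan-all case) also surfaces old.php.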
[ CLI USAGE ]
Once LMD is installed it can be run through the 'maldet' command, the '--help'
option gives a detailed summary of usage options:
-u, --update
Update malware detection signatures from rfxn.com
-m, --monitor USERS|PATHS|FILE
Run maldet with inotify kernel level file create/modify monitoring
If USERS is specified, monitor user homedirs for UID's > 500
If FILE is specified, paths will be extracted from file, line spaced
If PATHS are specified, must be comma spaced list, NO WILDCARDS!
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton
-k, --kill
Terminate inotify monitoring service
-r, --scan-recent PATH DAYS
Scan files created/modified in the last X days (default: 7d, wildcard: ?)
e.g: maldet -r /home/?/public_html 2
-a, --scan-all PATH
Scan all files in path (default: /home, wildcard: ?)
e.g: maldet -a /home/?/public_html
-c, --checkout FILE
Upload suspected malware to rfxn.com for review & hashing into signatures
-l, --log
View maldet log file events
-e, --report SCANID
View scan report of the most recent scan or provided SCANID
e.g: maldet --report
e.g: maldet --report 050910-1534.21135
-s, --restore FILE
Restore file from quarantine queue to original path
e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
-q, --quarantine SCANID
Quarantine all malware from report SCANID
e.g: maldet --quarantine 050910-1534.21135
-n, --clean SCANID
Try to clean & restore malware hits from report SCANID
e.g: maldet --clean 050910-1534.21135
-p, --purge
Clear logs, quarantine queue, session and temporary data.