Instructions for configuring Linux Malware Detect

Linux Malware Detect

Linux Malware Detect (LMD, invoked as maldet) is a malware scanner for Linux that is usually installed on dedicated and shared hosting servers. Its configuration file is /usr/local/maldetect/conf.maldet; the important parameters are described below.

[ GENERAL OPTIONS ]

email_alert="0"
E-mail alerts for automated and manual scan reports and for new-version notifications. Set email_alert="1" to enable the feature and email_alert="0" to disable it.

email_addr="you@domain"
Replace you@domain with the address that should receive the notifications. Several recipients can be listed, separated by commas (,). This setting is only used when email_alert="1".

email_ignore_clean="1"
Do not send an e-mail report for a scan in which every detected hit was automatically cleaned by LMD. Set email_ignore_clean="1" to suppress such reports and email_ignore_clean="0" to send them.

slack_alert="0"
Enable/disable Slack notifications [0 = disabled, 1 = enabled]. With slack_alert="1", maldet uploads the scan report file to one or more Slack channels.

slack_subj="maldet alert from $(hostname)"
Title of the report file uploaded to the channels.

slack_token="AUTH_TOKEN"
Slack authentication token. This is a secret, so conf.maldet should stay readable by root only.

slack_channels="maldetreports"
Channels or channel IDs that receive the reports; additional channels/IDs are separated by commas.

autoupdate_signatures="1"
Enable/disable daily automatic updates of the LMD signature files [0 = disabled, 1 = enabled]

autoupdate_version="1"
Enable/disable daily automatic updates of the LMD installation itself [0 = disabled, 1 = enabled]

autoupdate_version_hashed="1"
The downloaded installation package is verified against an MD5 hash, so LMD can re-download it when the file was corrupted or altered in transit. Note that MD5 is a hash, not encryption: this is an integrity check against corruption, not a guarantee against a deliberate attacker. If autoupdate_version="0", it is recommended to disable this option as well [0 = disabled, 1 = enabled]

import_config_url=""
Allows a configuration file to be imported from a remote URL. Because an imported configuration overrides local settings, including the quarantine and suspend actions, serve it over HTTPS from a host you control.

import_config_expire="43200"
Time in seconds after which the imported remote configuration is considered expired and is downloaded again. 43200 seconds (12 hours) is normally sufficient.

cron_prune_days="21"
Retention period, in days, for quarantined files, temporary files and old version data, based on file date. Anything older than "21" days is deleted by the daily cron run.

cron_daily_scan="1"
This controls whether or not daily automatic scanning of standard web directories is performed via cron.

import_custsigs_md5_url=""
import_custsigs_hex_url=""

Allow custom signature files (MD5 and HEX) to be downloaded from a remote URL. * Note: this option overwrites existing custom signature files. Usually used together with import_config_url when deploying several servers with the same configuration and custom signatures.

scan_max_depth="15"
Maximum directory depth that a scan descends into below the scanned path (the number of nested subdirectory levels). "15" is the recommended value for efficient operation of maldet.

scan_min_filesize="24"
The minimum file size, in bytes, for a file to be included in LMD scans.

scan_max_filesize="2048k"
The maximum file size for a file to be included in LMD scans. When clamscan is used as the scan engine, the maximum is set automatically from the largest file size known in the MD5 hash signature file. * Note: raising this value may affect scan performance.

scan_hexfifo="1"
Feed file contents to the hex-string scanner through a FIFO (named pipe) instead of the default standard input (stdin), which makes scanning more efficient. Enabling this is strongly recommended on most systems.
[0 = disabled, 1 = enabled]

scan_hexfifo_depth="524288"
The maximum number of bytes the hex scanner reads into a file's content when the FIFO method is used. Lowering this value can improve scan performance, at the cost of not seeing signatures that occur deeper in a file.

scan_clamscan="1"
If ClamAV is installed on the system, set scan_clamscan="1" to use the clamscan binary as the scan engine, which is considerably faster on large files. The engine then uses both the native ClamAV signatures and the LMD signatures. [0 = disabled, 1 = enabled]

scan_tmpdir_paths="/tmp"
Temporary-directory paths that are included in the -a|--all and -r|--recent scan types.

scan_user_access="0"
Allow non-root users to perform scans. This is needed when using mod_security2 upload scanning, or when the administrator wants users to be able to run scans themselves. When enabled, LMD creates user-owned quarantine, session and temporary paths under 'pub/' so that each user's scans are isolated. [0 = disabled, 1 = enabled]

scan_cpunice="19"
CPU scheduling priority (nice value) of scan operations. [-19 = high prio, 19 = low prio, default = 19]

scan_ionice="6"
IO scheduling priority (ionice) of scan operations. [0 = most favourable IO, 7 = least favourable IO]

scan_cpulimit="0"
CPU limit for scan processes. Requires the "cpulimit" binary on the server. The value is a percentage multiplied by the number of cores: an 8-core server accepts 0-800, a 12-core server 0-1200, and so on (100 = one core, 0 = disabled).

scan_ignore_root="1"
LMD is intended to scan user-owned files and directories, so root-owned files are skipped. Leaving scan_ignore_root="1" is recommended, as it keeps system files and binaries out of the scan. [0 = disabled, 1 = enabled]

scan_ignore_user=""
scan_ignore_group=""

Skip files owned by the listed users or groups. Using these options is not recommended; instead, exclude specific file names or paths from scanning with the ignore_paths file.

scan_find_timeout="0"
Maximum time, in seconds, that building the 'find' file list may run. Whatever 'find' has collected when the timeout is reached is scanned in full. On a large server a full scan of all user paths is reasonable, but the find step alone can take a very long time, so a timeout can help there. The value can also be overridden for a single scan with the CLI option '-co | --config-option'.
For example: maldet -co scan_find_timeout=0 -a /home/?/public_html
[0 = disabled, 14400 = 4 hours, the recommended value when a timeout is wanted]

scan_export_filelist="0"
LMD's daily cron runs 'find' to locate recently created or modified user files. Because this find can be resource-intensive, LMD can keep the resulting file list so that other applications or tasks can reuse it. When scan_export_filelist is enabled, the most recent result set is saved to '/usr/local/maldetect/tmp/find_results.last' [0 = disabled, 1 = enabled]

quarantine_hits="1"
The default quarantine action for malware hits [0 = alert only, 1 = move to quarantine and alert]

quarantine_clean="1"
Try to clean string-based malware injections in place. Requires quarantine_hits="1".
[0 = disabled, 1 = clean]

quarantine_suspend_user="0"
Suspend the account of a user whose files produced hits: a cPanel suspension on cPanel systems, or setting the login shell to /bin/false on systems without cPanel [0 = disabled, 1 = suspend account]
* Note: quarantine_hits="1" is required

quarantine_suspend_user_minuid="500"
The minimum user ID that may be suspended; accounts with a user ID below this value are never suspended [default = 500]

quarantine_on_error="1"
When an external scan engine such as ClamAV is used, whether files should be quarantined when the engine returns an error. This defaults to 1 (always quarantine) because ClamAV returns a non-zero exit code even for minor errors such as file not found.
[0 = no quarantine, 1 = always quarantine]
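Several of the options above only make sense in combination (email_alert with a real email_addr, quarantine_clean and quarantine_suspend_user with quarantine_hits="1", scan_cpulimit within 100 x cores, import_config_url over HTTPS). The following shell linter checks those dependencies in a conf.maldet. It is an added example for this article, not part of LMD; it assumes the standard key="value" layout of the file, reads it with sed rather than sourcing it (so a value such as $(hostname) is never executed), and takes the core count as an optional second argument so the cpulimit check does not depend on nproc.

```shell
#!/bin/sh
# Added example: lint the dependencies between conf.maldet settings.
# Not LMD code. Reads the file only; never sources it.

conf_get() { # file key -> value with quotes stripped (last definition wins)
  sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

lint_maldet_conf() { # file [cpu_cores] -> prints one finding per line, returns the finding count
  f=$1
  cores=${2:-$(nproc 2>/dev/null || echo 1)}
  n=0
  warn() { echo "$1"; n=$((n + 1)); }

  # e-mail alerts enabled but no real recipient configured
  [ "$(conf_get "$f" email_alert)" = 1 ] && case "$(conf_get "$f" email_addr)" in
    ""|you@domain) warn "email_alert=1 but email_addr is unset or still the placeholder" ;;
  esac

  # Slack alerts enabled with the placeholder token
  [ "$(conf_get "$f" slack_alert)" = 1 ] && [ "$(conf_get "$f" slack_token)" = AUTH_TOKEN ] &&
    warn "slack_alert=1 but slack_token is still the placeholder"

  # cleaning and account suspension both require quarantine_hits=1
  if [ "$(conf_get "$f" quarantine_hits)" != 1 ]; then
    [ "$(conf_get "$f" quarantine_clean)" = 1 ] && warn "quarantine_clean=1 requires quarantine_hits=1"
    [ "$(conf_get "$f" quarantine_suspend_user)" = 1 ] && warn "quarantine_suspend_user=1 requires quarantine_hits=1"
  fi

  # hashed package verification is pointless when version updates are off
  [ "$(conf_get "$f" autoupdate_version)" = 0 ] && [ "$(conf_get "$f" autoupdate_version_hashed)" = 1 ] &&
    warn "autoupdate_version_hashed=1 has no effect while autoupdate_version=0; disable it"

  # a remote config controls quarantine/suspend behaviour: insist on HTTPS
  url=$(conf_get "$f" import_config_url)
  case "$url" in
    "") ;;
    https://*) ;;
    *) warn "import_config_url is not https:// ($url)" ;;
  esac

  # scan_cpulimit is a percentage of all cores: 100 per core
  lim=$(conf_get "$f" scan_cpulimit)
  [ "${lim:-0}" -gt $((cores * 100)) ] && warn "scan_cpulimit=$lim exceeds 100 x $cores cores"

  return $n
}

# Usage: sh lint-maldet.sh /usr/local/maldetect/conf.maldet
if [ -n "${1:-}" ]; then lint_maldet_conf "$1"; fi
```

The exit status is the number of findings, so the script can gate a configuration-management run; a clean file exits 0.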

[ MONITORING OPTIONS ]

default_monitor_mode="users"
Startup mode for the monitoring service. This option is REQUIRED for the maldet.service systemd unit: the service script only checks the value of $default_monitor_mode and will not start if no value is provided. Either "users" or the path of a file listing the paths to monitor:
default_monitor_mode="users"
default_monitor_mode="/usr/local/maldetect/monitor_paths"

inotify_base_watches="16384"
Base number of files that can be watched under a monitored path; in "users" mode this applies per user.
[maximum watched files = inotify_base_watches * users]
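The product inotify_base_watches * users must fit within the kernel's per-user inotify limit (fs.inotify.max_user_watches), otherwise the monitor silently runs out of watches as users are added. The following shell check, added here as an example rather than taken from LMD, computes the requirement and compares it with the live kernel limit; the limit can be passed explicitly so the check can be run against a planned value.

```shell
#!/bin/sh
# Added example: does LMD's "users" monitor mode fit in the kernel's inotify budget?

required_watches() { # base_watches user_count -> total watches LMD may need
  echo $(( $1 * $2 ))
}

kernel_max_watches() { # live per-user limit; 8192 is the old kernel default if unreadable
  cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192
}

watches_fit() { # base_watches user_count [limit] -> exit 0 if the requirement fits
  limit=${3:-$(kernel_max_watches)}
  [ "$(required_watches "$1" "$2")" -le "$limit" ]
}

# Usage: sh watches.sh 16384 "$(ls /home | wc -l)"
if [ -n "${2:-}" ]; then
  if watches_fit "$1" "$2"; then
    echo "ok: $(required_watches "$1" "$2") watches needed, limit $(kernel_max_watches)"
  else
    echo "raise fs.inotify.max_user_watches to at least $(required_watches "$1" "$2")"
    exit 1
  fi
fi
```

When the check fails, the limit is raised with sysctl (fs.inotify.max_user_watches) rather than by lowering inotify_base_watches, since a smaller watch budget means files that are not monitored at all.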

inotify_reloadtime="3600"
Interval, in seconds, at which the inotify monitor reloads its configuration data, including remote configuration and custom signatures.

inotify_minuid="500"
The minimum user ID that is added to path monitoring when monitoring by users.

inotify_verbose="0"
Log every file scanned by the inotify monitoring mode. Not recommended, as it floods the 'event_log' file; intended for debugging only. [0 = disabled, 1 = enabled]

inotify_docroot="public_html,public_ftp"
Web directories, relative to each user's home directory, that are monitored when monitoring by users [comma-separated list; leave the option empty to monitor the entire home directory]

[ STATISTICAL ANALYSIS ]

This is a beta feature and should be used with caution. It can currently affect scan performance, especially on large files.
The string length test identifies threats based on the length of the longest uninterrupted string in a file. This is useful because obfuscated code is often stored using encodings that produce very long strings without whitespace (e.g. base64).
string_length_scan="0"
[0 = disabled, 1 = enabled]
string_length="150000"
Minimum string length, in characters, that counts as a hit (default = 150000)
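To see what the string length test measures, and why a plain threshold is a blunt instrument, the following shell functions compute the longest whitespace-free run in a file and compare it with a threshold. This is an added example, not LMD's own implementation; the threshold is passed as an argument instead of being read from conf.maldet, and the sample input used in the usage note is a constructed PHP one-liner carrying a 200-character blob.

```shell
#!/bin/sh
# Added example: the measure behind LMD's string_length test.
# Not LMD code; splits on whitespace and reports the longest token.

longest_string() { # file -> length of the longest whitespace-free run
  tr -s '[:space:]' '\n' < "$1" | awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

string_length_hit() { # file threshold -> exit 0 if the file exceeds the threshold
  [ "$(longest_string "$1")" -gt "$2" ]
}

# Usage: sh strlen.sh /home/user/public_html/index.php 150000
if [ -n "${2:-}" ]; then
  if string_length_hit "$1" "$2"; then
    echo "hit: longest string $(longest_string "$1") > $2 in $1"
  else
    echo "clean: longest string $(longest_string "$1") <= $2 in $1"
  fi
fi
```

Legitimate minified JavaScript and CSS also contain very long whitespace-free runs, which is why the default threshold is as high as 150000 and why the feature is best used alongside the signature scan rather than on its own.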

© vHost.vn