maldet command switches
1. -b, --background
Execute operations in the background, ideal for large scans.
Example:
[root@crybit ~]# maldet -b -r /home/crybit/
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(9922): {scan} launching scan of /home/crybit/ changes in last 7d to background, see /usr/local/maldetect/event_log for progress
2. -u, --update
Update malware detection signatures from rfxn.com.
3. -d, --update-ver
Update the installed version from rfxn.com.
Example:
[root@crybit ~]# maldet -d
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(9997): {update} checking for available updates...
maldet(9997): {update} hashing install files and checking against server...
maldet(9997): {update} version check shows latest but hash check failed, forcing update...
maldet(9997): {update} completed update v1.4.2 => v1.4.2, running signature updates...
maldet(10289): {sigup} performing signature update check...
maldet(10289): {sigup} local signature set is version 201402051649
maldet(10289): {sigup} latest signature set already installed
maldet(9997): {update} update and config import completed.
4. -m, --monitor USERS|PATHS|FILE
Run maldet with inotify kernel-level file create/modify monitoring.
If USERS is specified, monitor user home directories for UIDs > 500.
If FILE is specified, paths will be extracted from the file, one per line. When PATHS are specified, they must be a comma-separated list, NO WILDCARDS!
e.g.: maldet --monitor users
e.g.: maldet --monitor /root/monitor_paths
e.g.: maldet --monitor /home/mike,/home/ashton
Example:
[root@crybit ~]# maldet -m /home/crybit/
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(10347): {mon} set inotify max_user_instances to 128
/usr/local/sbin/maldet: line 1162: /proc/sys/fs/inotify/max_user_instances: Permission denied
maldet(10347): {mon} set inotify max_user_watches to 0
/usr/local/sbin/maldet: line 1164: /proc/sys/fs/inotify/max_user_watches: Permission denied
maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(10347): {mon} inotify startup successful (pid: 10422)
maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log
Note the two "Permission denied" lines: maldet tried to raise the inotify limits under /proc/sys/fs/inotify and could not on this host, so the monitor started with the kernel's existing limits. If you watch many paths, check those limits yourself, otherwise inotify can run out of watches.
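Because --monitor does no wildcard expansion and reads the FILE form one path per line, it is worth building that file from a script that refuses bad input rather than typing it by hand. The following is an added example, not code from the original post or from the maldet project; the function names and the sample path list are this example's own, and it assumes a POSIX sh with grep and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original post or from the maldet project.
# Converts a comma-separated PATHS list into the line-spaced FILE form that
# `maldet --monitor FILE` reads, rejecting wildcards (which --monitor does not
# expand), relative paths and duplicates, so inotify watches exactly what was
# intended. Function names and the sample list are this example's own.

# Constructed sample input: a list typed the way the PATHS form expects it.
SAMPLE_PATHS="/home/mike,/home/ashton,/home/mike"

# validate_path PATH -> returns 0 if acceptable, 1 otherwise.
validate_path() {
    p=$1
    case "$p" in
        "")  return 1 ;;                   # empty field (e.g. a doubled comma)
        /*)  ;;                            # absolute path: fine so far
        *)   return 1 ;;                   # relative paths are ambiguous for a daemon
    esac
    case "$p" in
        *'*'*|*'?'*|*'['*) return 1 ;;     # --monitor does no globbing, so no wildcards
    esac
    return 0
}

# build_monitor_file "a,b,c" OUTFILE -> writes one path per line to OUTFILE and
# prints the number of distinct paths written; returns 1 on the first invalid path.
build_monitor_file() {
    list=$1
    out=$2
    : > "$out"
    n=0
    oldifs=$IFS
    IFS=,
    set -f                 # disable globbing so a '?' in the input stays literal
    set -- $list           # split on commas only
    set +f
    IFS=$oldifs
    for p in "$@"; do
        if ! validate_path "$p"; then
            echo "rejected path: $p" >&2
            return 1
        fi
        if ! grep -qxF -- "$p" "$out"; then   # skip exact duplicates
            printf '%s\n' "$p" >> "$out"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage (constructed): write the list to a temp file, then hand it to maldet.
monitor_file=$(mktemp)
if count=$(build_monitor_file "$SAMPLE_PATHS" "$monitor_file"); then
    echo "$count path(s) written to $monitor_file; run: maldet --monitor $monitor_file"
fi
```

The wildcard check matters because a list such as /home/?/public_html is valid for -r and -a but silently wrong for --monitor; failing early is cheaper than discovering later that nothing was being watched.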
5. -k, --kill
Terminate the inotify monitoring service.
Example:
[root@crybit ~]# maldet -k
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(10471): {mon} sent kill to monitor service
6. -r, --scan-recent PATH DAYS
Scan files created/modified in the last X days (default: 7d, wildcard: ?).
e.g.: maldet -r /home/?/public_html 2
7. -a, --scan-all PATH
Scan all files in path (default: /home, wildcard: ?).
e.g.: maldet -a /home/?/public_html
8. -c, --checkout FILE
Upload suspected malware to rfxn.com for review & hashing into signatures.
9. -l, --log
View maldet log file events.
Example:
[root@crybit ~]# maldet -l
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
Feb 06 02:38:28 jishnu maldet(10347): {mon} set inotify max_user_watches to 0
Feb 06 02:38:28 jishnu maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
Feb 06 02:38:28 jishnu maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify startup successful (pid: 10422)
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log
Feb 06 02:39:43 jishnu maldet(10471): {mon} sent kill to monitor service
Feb 06 02:40:00 jishnu maldet(10347): {mon} monitoring terminated by user, inotify killed.
Feb 06 02:41:00 jishnu maldet(10550): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:00 jishnu maldet(10550): {scan} building file list for /home/crybit/ of new/modified files from last 1 days, this might take awhile...
Feb 06 02:41:00 jishnu maldet(10550): {scan} scan returned zero results, please increase days range or provide a new path.
Feb 06 02:41:11 jishnu maldet(10615): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:11 jishnu maldet(10615): {scan} building file list for /home/crybit/ of new/modified files from last 2 days, this might take awhile...
Feb 06 02:41:11 jishnu maldet(10615): {scan} scan returned zero results, please increase days range or provide a new path.
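The event log above is what an operator reads after a background scan (-b) or when checking whether the monitor (-m / -k) is still up, and its fixed "{class} message" shape makes it easy to summarise. The following is an added example, not code from the original post or from the maldet project; the function names are this example's own, the sample log is constructed to match the format shown above, and it assumes a POSIX sh with awk and grep.

```shell
#!/bin/sh
# Added example, not code from the original post or from the maldet project.
# Summarises an event_log of the shape printed by `maldet -l` above: counts
# events by class ({mon}, {scan}, {update}, ...), counts scans that found no
# files in range, and infers whether the inotify monitor is still up from the
# order of startup and kill events. Function names are this example's own.

# Constructed sample log, shaped like the output above; not a real capture.
SAMPLE_LOG='Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify startup successful (pid: 10422)
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log
Feb 06 02:39:43 jishnu maldet(10471): {mon} sent kill to monitor service
Feb 06 02:40:00 jishnu maldet(10347): {mon} monitoring terminated by user, inotify killed.
Feb 06 02:41:00 jishnu maldet(10550): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:00 jishnu maldet(10550): {scan} scan returned zero results, please increase days range or provide a new path.'

# count_events CLASS  (log on stdin) -> number of lines tagged {CLASS}.
# Matches on the tag text rather than a field number, so it also works on the
# untimestamped lines maldet prints to the terminal.
count_events() {
    awk -v tag="{$1}" 'index($0, tag " ") { n++ } END { print n + 0 }'
}

# zero_result_scans (log on stdin) -> number of scans that built an empty file
# list; a non-zero count usually means the DAYS range for -r was too narrow.
zero_result_scans() {
    grep -c 'scan returned zero results' || true
}

# monitor_state (log on stdin) -> "running", "stopped" or "unknown", based on
# the most recent monitor lifecycle event in the log.
monitor_state() {
    awk '
        index($0, "{mon} inotify startup successful") { state = "running" }
        index($0, "{mon} sent kill to monitor service") { state = "stopped" }
        index($0, "inotify killed")                     { state = "stopped" }
        END { if (state == "") state = "unknown"; print state }'
}

# Usage (constructed log on stdin; on a real host feed /usr/local/maldetect/event_log):
printf '%s\n' "$SAMPLE_LOG" | count_events scan
printf '%s\n' "$SAMPLE_LOG" | zero_result_scans
printf '%s\n' "$SAMPLE_LOG" | monitor_state
```

A "stopped" result after you expected the monitor to be running, or a zero-result scan where files were definitely modified, is the kind of silent gap these summaries are meant to surface; the log itself never errors in either case.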
10. -e, --report SCANID email
View the scan report of the most recent scan or of a specific SCANID, and optionally e-mail the report to a supplied e-mail address.
e.g.: maldet --report
e.g.: maldet --report list
e.g.: maldet --report 050910-1534.21135
e.g.: maldet --report SCANID user@domain.com
11. -s, --restore FILE|SCANID
Restore a file from the quarantine queue to its original path, or restore all items from a specific SCANID.
e.g.: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
e.g.: maldet --restore 050910-1534.21135
12. -q, --quarantine SCANID
Quarantine all malware from report SCANID.
e.g.: maldet --quarantine 050910-1534.21135
13. -n, --clean SCANID
Try to clean & restore malware hits from report SCANID.
e.g.: maldet --clean 050910-1534.21135
14. -U, --user USER
Set execution under the specified user, ideal for restoring from a user quarantine or to view user reports.
e.g.: maldet --user nobody --report
e.g.: maldet --user nobody --restore 050910-1534.21135
15. -p, --purge
Clear logs, quarantine queue, session and temporary data.
That’s it!! These are the main maldet command switches for Linux servers.