From Just another day in the life of a linux sysadmin
Jump to navigation Jump to search

pushd /usr/local/src/
rm -vrf /usr/local/src/maldetect-*
rm -vrf /usr/local/src/linux-malware-detect*
tar -zxvf maldetect-current.tar.gz
cd maldetect-*
sh ./
maldet --update-ver
#sed patch - commands added to address current problem with maldet overriding values in the conf file
sed -i 's/quarantine_hits=\"1\"/quarantine_hits=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/quarantine_clean=\"1\"/quarantine_clean=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/email_alert=\"1\"/email_alert=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/email_addr=\"\"/email_addr=\"\"/' /usr/local/maldetect/conf.maldet
#end sed patch
maldet --update
if [ -e /usr/local/cpanel/3rdparty/bin/clamscan ]
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan 
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
if [ ! -d /var/lib/clamav ]
then mkdir /var/lib/clamav
ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cld /var/lib/clamav/main.cld
ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cld /var/lib/clamav/daily.cld
ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /var/lib/clamav/bytecode.cld 
echo -e "\n\e[31mClamAV does not appear to be installed through cPanel.\nThe ClamAV definitions will not be used.\e[39m\n"


Project URL

Project README

Project Changelog


We have a new tool for malware scanning and cleanup called Checkers. It will find all the malware maldet+clamscan finds and more. It also has additional functionality to assist with investigation and cleanup. Check it out. Checkers.

Quick Review

Maldet is a great piece of software that can help you begin to determine which files, if any, are potentially compromised on a system. It will not always have all the answers, but it will likely point you in the right direction.

If a customer is reporting virus-like or "hacked" activity, one of the first things that should be checked is this:

 maldet -e

This command will simply display the last maldet report that was run on the server, and does not require the inclusion of a specific report number. This makes the report very easy to find and the command is simple to remember.

Be sure to do the needful, and remember - quarantine at your own risk. Stat the files and using chmod 000 is a much better choice!



 Linux Malware Detect (LMD) uses MD5 file hashes and hex pattern matches to identify malware. The goal of LMD is to provide a threat detection, alerting and quarantine tool for Linux web servers, though the MD5/hex signatures are portable to any number of detection tools.  There is currently limited availability of open source, restriction free, tools for Linux systems that focus on malware detection and more important that get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared web hosting servers. The threat landscape on shared web hosting servers is unique from that of the standard AV products detection suite in that they are detecting primarily trojans / rootkit content but missing the ever increasing malware on the account level which serves as an attack platform. Using the malware hash repository, which provides malware data for Microsoft, Google, Trend Micro, F-Secure, Symantec and more; we can demonstrate this short coming in current threat detection.


  • MD5 file hash detection for quick threat identification
  • HEX based pattern matching for identifying threat variants
  • integrated signature update feature, executes through cron.daily and –update
  • integrated version update feature with –update-ver, must run manual
  • scan-recent option to scan only files that have been added/changed in X days
  • scan-all option for full path based scanning
  • checkout option to upload suspected malware to for review / hashing
  • report option to view past or recent scan results
  • quarantine queue that stores threats in a safe fashion with no permissions
  • quarantine batching option to quarantine the results of a past or recent scan
  • quarantine restore option to restore files to original path, owner and perms
  • quarantine suspend account option to Cpanel suspend or shell revoke users
  • cleaner rules to attempt removal of malware injected strings
  • cleaner batching option to attempt cleaning of previous scan reports
  • cleaner rules to remove base64 and gzinflate(base64 injected malware
  • daily cron based scanning of all changes in last 24h in user homedirs
  • daily cron script compatible with stock RH style systems, Cpanel & Ensim
  • kernel based inotify real time file scanning of created/modified/moved files
  • kernel inotify monitor that can take path data from STDIN or FILE
  • kernel inotify monitor convenience feature to monitor system users
  • kernel inotify monitor can be restricted to a configurable user html root
  • kernel inotify monitor with dynamic sysctl limits for optimal performance
  • kernel inotify alerting through daily and/or optional weekly reports
  • e-mail alert reporting after every scan execution (manual & daily)
  • path and signature based ignore options
  • verbose logging & output of all actions


Wget Method

Git Method

Template:Info Template:Warning Copypasta installation:

pushd /usr/local/src/
rm -vrf /usr/local/src/maldetect-*
rm -vrf /usr/local/src/linux-malware-detect*
tar -zxvf maldetect-current.tar.gz
cd maldetect-*
sh ./
maldet --update-ver
#sed patch - commands added to address current problem with maldet overriding values in the conf file
sed -i 's/quarantine_hits=\"1\"/quarantine_hits=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/quarantine_clean=\"1\"/quarantine_clean=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/email_alert=\"1\"/email_alert=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/email_addr=\"\"/email_addr=\"\"/' /usr/local/maldetect/conf.maldet
#end sed patch
maldet --update
if [ -e /usr/local/cpanel/3rdparty/bin/clamscan ]
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan 
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
if [ ! -d /var/lib/clamav ]
then mkdir /var/lib/clamav
ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cld /var/lib/clamav/main.cld
ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cld /var/lib/clamav/daily.cld
ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /var/lib/clamav/bytecode.cld 
echo -e "\n\e[31mClamAV does not appear to be installed through cPanel.\nThe ClamAV definitions will not be used.\e[39m\n"

If you get a "bash: maldet: command not found":

 ln -s /usr/local/sbin/maldet /usr/local/bin/

If you've installed maldet before, but it cannot find the clamscan binary, run the following:

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan 
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam

Notes for Plesk installs

If you are installing Maldet for Plesk, you will need to do the next line as well:

 vim /etc/cron.daily/maldet
 find the # psa section and add this next line after httpdocs:
 /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpsdocs 2 >> /dev/null 2>&1

Configure Maldet to also use ClamAV Sigs (cPanel servers)

If you want to ensure maldet will use both its own definitions, and the clamav definitions, then run (or re-run) these steps:

if [ -e /usr/local/cpanel/3rdparty/bin/clamscan ]
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan 
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
if [ ! -d /var/lib/clamav ]
then mkdir /var/lib/clamav
ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cld /var/lib/clamav/main.cld
ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cld /var/lib/clamav/daily.cld
ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /var/lib/clamav/bytecode.cld 
ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cvd /var/lib/clamav/main.cvd
ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cvd /var/lib/clamav/daily.cvd
ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cvd /var/lib/clamav/bytecode.cvd
echo -e "\n\e[31mClamAV does not appear to be installed through cPanel.\nThe ClamAV definitions will not be used.\e[39m\n"

Post-installation Notes

Upon installing maldet, it creates /etc/cron.daily/maldet, which will:

  • Check for new definitions
  • Send daily notify alerts to $email_addr
  • Scan for file changes over the last 1 day on /home?/?/public_html (? being wildcard) if inotify isn't running
    • This scan is enabled if you ran the full install commands above
    • THIS COMMAND DOES NOT WORK FOR MOST SERVERS. It will scan /home?/, but not /home/. If the server only has a /home/ directory, then just change it to /hom?/. This will grab /home/ and /home{2,3,etc}/.

The command used to disable the daily scanning of maldet is:

line=$(egrep -n "^[^#]*maldet -b -r /home?\?/\?/public_html/,/var/www/html/,/usr/local/apache/htdocs/" /etc/cron.daily/maldet | cut -f1 -d:);  if [[ $line != [0-9]* ]]; then echo "The search string was not found, please let escalations know of this."; else sed -i "$line s/^/#/" /etc/cron.daily/maldet && line=$((line+1)) && sed -i "$(echo $line)i\echo " /etc/cron.daily/maldet; echo "Disabled"; fi

To re-enable daily scanning if you used the above command to disable:

line=$(egrep -n "^[[:blank:]]*#*.*maldet -b -r /home?\?/\?/public_html/,/var/www/html/,/usr/local/apache/htdocs/" /etc/cron.daily/maldet | cut -f1 -d:);  if [[ $line != [0-9]* ]]; then echo "The search string was not found, please let escalations know of this."; else sed -i "$line s/#*//" /etc/cron.daily/maldet; echo "Enabled"; fi


You may want to consider activating the inotify monitor by executing the following command:

 maldet --monitor users

You may also want to consider activating the many features of maldet, for example:


To edit these options, $EDITOR /usr/local/maldetect/conf.maldet

Troubleshooting: Maldet email is not being sent to customer when inotify is enabled

If the customer has a cron set up and is not receiving their daily maldet reports via email, check if inotify is enabled. The daily report is skipped and messages are sent out for significant monitoring events only.


If you are running monitor mode, the daily scans will be skipped and instead a
daily report will be issued for all monitoring events. If you need to scan
additional paths, you should review the cronjob and edit it accordingly.


maldet --help

 -b, --background
     Execute operations in the background, ideal for large scans
     e.g: maldet -b -r /home/?/public_html 7
 -u, --update
   Update malware detection signatures from
 -d, --update-ver
   Update the installed version from
 -m, --monitor USERS|PATHS|FILE
   Run maldet with inotify kernel level file create/modify monitoring
 If USERS is specified, monitor user homedirs for UID's > 500
 If FILE is specified, paths will be extracted from file, line spaced
 If PATHS are specified, must be comma spaced list, NO WILDCARDS!
   e.g: maldet --monitor users
   e.g: maldet --monitor /root/monitor_paths
   e.g: maldet --monitor /home/mike,/home/ashton
 -k, --kill
   Terminate inotify monitoring service
 -r, --scan-recent PATH DAYS
   Scan files created/modified in the last X days (default: 7d, wildcard: ?)
   e.g: maldet -r /home/?/public_html 2
 -a, --scan-all PATH
   Scan all files in path (default: /home, wildcard: ?)
   e.g: maldet -a /home/?/public_html
 -c, --checkout FILE
   Upload suspected malware to for review & hashing into signatures
 -l, --log
   View maldet log file events
 -e, --report SCANID
   View scan report of the most recent scan or provided SCANID
   e.g: maldet --report
   e.g: maldet --report 050910-1534.21135
   e.g: maldet --report list (lists all available SCANIDs by time)
 -s, --restore FILE
   Restore file from quarantine queue to orginal path
   e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
 -q, --quarantine SCANID
   Quarantine all malware from report SCANID
   e.g: maldet --quarantine 050910-1534.21135
 -n, --clean SCANID
   Try to clean & restore malware hits from report SCANID
   e.g: maldet --clean 050910-1534.21135
 -p, --purge
   Clear logs, quarantine queue, session and temporary data.

Common Tasks


Scanning in the Background

Screen Method This edit was by jeaton

Maldet now supports automatic backgrounding of scans, no need to run in a screen anymore, YAY! ***Warning this doesn't let you know when it's going to finish while running maldet -a will let you calculate a time when it will finish***

maldet -b -a /home/?/public_html

{scan} launching scan of /home/*/public_html to background, see /usr/local/maldetect/event_log for progress

Scanning all users public_html

Template:Warning cPanel - this does not work for Plesk (see below)

 maldet -b -a /home/?/public_html

If the customer has multiple home directories like /home, /home2, /home4, etc, this should get them all:

 maldet -b -a /hom?/?/public_html

Or for all cPanel users and a functional scan report which is not built off the whole of large webservers; this allows for ease of single user quarantine, edit $TICKETID:

for user in `ls -A1 /var/cpanel/users` ; do maldet -a /home?/"${user}"/public_html/ |grep 'malware hits [1-9]\|scanned: [1-9]' -A2|grep 'report' -B2;done  | tee $TICKETID.maldet.log 

Template:Note Example ways of viewing all:

[root@3281844] ~ >> grep "/home*/\|^{*}*:" /usr/local/maldetect/sess/session.052212*

or just the files with

[root@3281844] ~ >> grep "/home*/\|^{*}*:" /usr/local/maldetect/sess/session.052212-0146.903830 |cut -d: -f2-
[root@3281844] ~ >> grep "/home*/\|^{*}*:" /usr/local/maldetect/sess/session.052212* |cut -d: -f3-

Plesk on Linux
You will need to run both of these commands, as Plesk serves secure and non-secure content from different directories (although this can be managed from the Plesk control panel). Be sure to run them consecutively, not concurrently! It is not recommended to combine these lines into a single, double-wildcard command.

 maldet -b -a /var/www/vhosts/?/httpdocs/
 maldet -b -a /var/www/vhosts/?/httpsdocs/

Scanning a single user's public_html


 maldet -a /home/USERNAME/public_html/

Plesk on linux (run both of these)

 maldet -a /var/www/vhosts/DOMAIN.COM/httpdocs/
 maldet -a /var/www/vhosts/DOMAIN.COM/httpsdocs/

Scanning some, but not all public_html directories

This no longer works and needs updating.

Courtesy of Alex Kwiecinski:

First, you'll need a list of the infected accounts in a file. In this example, list.

Now, you can use this list in a for loop to scan them:

  for each in `cat list` ; do maldet -a /home/$each/public_html | egrep '-report' >> results; echo "done with $each" ; done

The file results will give you the maldet --report references, so you can run that command to see what each scan found.

Scanning By Grouping Accounts

If you have a client who has just an excessive amount of accounts and files on their server, Maldet will "bork" if you try to run it on EVERY public_html/ directory, but it won't tell you until you have waited multiple hours before it tells you that it "borked". There is a way to do it by grouping accounts, and that can speed up your scans by not having to go account by account, but also won't break the scan either. It's REALLY easy formatting to do. Example, say I want to scan accounts that start with "a" to accounts that start with "c". Just do it like so:

maldet -a /home/[a-c]?/public_html/

That's it! Use your best judgement when deciding how many accounts to group together.

Scan recent changes

If you wanted to scan the same path but scope it to content that has been created/modified in the last 5 days you would run the following.

maldet --scan-recent /home?/?/public_html 5

Quarantining a scan by ID


If you performed a scan and want to use the quarantine option, you could quarantine all malware results from the previous scan with:

maldet --quarantine SCANID

The better option, to chmod 000 all files in a scan:

cut -d':' -f 2 /usr/local/maldetect/sess/session.hits.$SCANID |xargs chmod 000

Cleaning a scan by ID


Similarly to the above, if you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do so with:

maldet --clean SCANID

Restoring a quarantined item

If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:

maldet --restore /usr/local/maldetect/quarantine/config.php.2384

Restoring by scan ID

Sometimes you may accidentally run a maldet without first making sure auto-quarantine is disabled. Not to worry, this can easily be fixed.

maldet --restore SCANID

Restoring ALL quarantined items

Do not do this blindly. Review the contents of /usr/local/maldetect/quarantine and be absolutely sure you wish to restore them all.

for i in `ls /usr/local/maldetect/quarantine|grep -v .info`; do maldet --restore $i; done

Marking Folders as ignored


Edit the following file and place the paths you want ignored in there line by line.

vim /usr/local/maldetect/ignore_paths

Example syntax below.


Now if i run a scan of the /home directory these users will be excluded.

Ignoring individual files

Additionally, you can ignore individual files in the same location

vim /usr/local/maldetect/ignore_paths

Example syntax below.


Now, if a scan hits that directory, it ignores that file. You might want to chattr +i that file too so it's protected in case they get hacked in the future

chattr +i /home/helpmeou/public_html/classes/file/that/really_looks/like_a_virus/but_is_not.php

Update Maldet to latest version

maldet --update-ver

[] ~ >> maldet --update-ver
Linux Malware Detect v1.3.7
           (C) 2002-2010, R-fx Networks <>
           (C) 2010, Ryan MacDonald <>
inotifywait (C) 2007, Rohan McGovern <>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(1924): {update} checking for available updates...
maldet(1924): {update} new version 1.3.9 found, updating...
maldet(1924): {update} completed update v1.3.7 => v1.3.9, running signature updates...
maldet(2083): {sigup} performing signature update check...
maldet(2083): {sigup} local signature set is version 2011041215989
maldet(2083): {sigup} latest signature set already installed
maldet(1924): {update} update and config import completed.

Information pulled from here

Finding Lost Output/Where the logs go

Maldet run logs are stored in


There are also session history logs in


Long running maldet scan?

Check /usr/local/maldetect/event_log to ensure the clamscan binary is loaded. You should see a line that looks like the following:

maldet(19139): {scan} found ClamAV clamscan binary, using as scanner engine...

If the clamscan binary is not loaded, cancel the maldet and run the following to update maldet:

maldet -d
maldet --update

You should now be able to run your maldet again and see the clamscan binary loaded.

If it does not:

Make sure the clamAV connector is installed in WHM >> Plugins, then:

<source lang='bash'> ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam </source>

How far along is the maldet?


strace -p $(pgrep -o maldet) 2>&1| grep "stat(\"/home/" old boxes

to see what it is currently scanning.

for boxes using clamav definitions:

strace -p $(pgrep -o clamscan) 2>&1| egrep -o 'stat\(\"/home/([^\s]+)'

for a few second to see where it is at (ctrl c to stop)

is the scan running on all the users? if so, compare it with the list of users:

\ls /var/cpanel/users

to get an idea on where the scan is at.

Generate a list of flagged files

After running the maldet, tail the event log

tail -f /usr/local/maldetect/event_log

Once it's finished you will get something like this:

Feb 22 18:47:40 host maldet(29850): {scan} scan completed on /home/*/public_html: files 468099, malware hits 16, cleaned hits 0
Feb 22 18:47:40 host maldet(29850): {scan} scan report saved, to view run: maldet --report 022212-1818.29850
Feb 22 18:47:40 host maldet(29850): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 022212-1818.29850

you can run the suggested:

maldet --report 022212-1818.29850

to get a report.
Or you can run:

cat /usr/local/maldetect/sess/session.022212-1818.29850 |grep "/home" |grep -v "/home/\*/" |cut -d " " -f3

replacing the "022212-1818.29850" with the appropriate number in the event_log for your scan,
to generate a nice list of files for the customer.

cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) |grep "/home" |grep -v "/home/\*/" |cut -d " " -f3

will use the last session

The following modification of the above will work for Plesk systems

cat /usr/local/maldetect/sess/session.033112-0011.789 |grep "/www"  |cut -d " " -f3

wiki'd for copy posta

Post-Scan: Stat all the things

lastsess=`cat /usr/local/maldetect/sess/session.last`
cp $session /root/maldet-full.log
cat /root/maldet-full.log | grep -w public\_html | sed 1d | cut -f2 -d: > /root/maldet-files.log
for file in `cat /root/maldet-files.log`; do `stat $file >> /root/maldet-stat.log`; done;

If you plan on pasting the stat results, do the following to separate each stat by a newline:

sed '0~7 a\ ' /root/maldet-stat.log > /root/maldet-newstat.log

New method:

<source lang='bash'>cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)|tail -n +11|head -n -2|awk '{print $3}'|xargs stat -c"p:%a a:%x m:%y c:%z %n"|sort -k3</source>


stat all the things from the last scan to /root/maldet-stat.txt separated by newlines:

cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) |grep "/www"  |cut -d " " -f3 |xargs stat | sed '0~7 a\ ' > /root/maldet-stat.txt

Realtime file monitoring

Troubleshooting the ClamAV binary (scans finish instantly with 0 hits)

When maldet uses the ClamAV binary, It's just calling a clamscan command using it's own signature files. For some reason, it calls this with errors piped to /dev/null. If there is a problem with clamav or the maldet databases, the maldet scan will finish instantly after the file list is created. This can now be fixed.

Run this to fix:

> /usr/local/maldetect/sigs/rfxn.hdb
> /usr/local/maldetect/sigs/md5.dat
> /usr/local/maldetect/sigs/hex.dat
> /usr/local/maldetect/sigs/maldet.sigs.ver
> /usr/local/maldetect/sigs/rfxn.ndb
maldet -u

Maldet should then replace the databases and function normally. If one is malformed and the sigs.ver file is current, maldet -u won't fix it unless the above commands are run. If for some reason it's still broken, this might shed some light:

Make a file list (Pick a cPanel username for '$USERNAME'), and run clamAV with the maldet DB's as such:

find /home/$USERNAME/public_html > /home/temp/filelist
clamscan -d /usr/local/maldetect/sigs/rfxn.ndb -d /usr/local/maldetect/sigs/rfxn.hdb  -r --infected --no-summary -f /home/temp/filelist

If you get this error, you've found your problem, and the above steps should have fixed it.

LibClamAV Error: Can't load /usr/local/maldetect/sigs/rfxn.ndb: Malformed database

The last thing to look at here that will "break" maldet with clamav scanning, is if one of these directories exists but does not contain signatures:


You can fix this with the steps under "Configure Maldet to also use ClamAV Sigs (cPanel servers)" to make sure that /var/lib/clamav contains symlinks to valid signature files.

Disappearing files after initial scan

Occasionally you may perform a scan, find a hit, then attempt to stat it because you're awesome, but the file is already gone.

Check to see if maldet is configured to automatically quarantine hits that it finds:

grep ^quarantine_hits /usr/local/maldetect/conf.maldet

If this is is 1, set it to 0 to disable maldet auto-quarantine on the hits it finds.

Remember to set this back to $customer_config after you perform your scans.

Thanks to tmead for the info

Maldet won't work on centOS4 (line 47: syntax error)

Maldet has this error when installed on centos4:

# maldet -a `pwd` 
/usr/local/sbin/maldet: line 47: conditional binary operator expected
/usr/local/sbin/maldet: line 47: syntax error near `=~'
/usr/local/sbin/maldet: line 47: `		if [[ "$args" =~ "modsec" ]]; then'

Cent4 doesn't have a new enough bash version to recognize =~ as a conditional operator. It was introduced in Bash 3, whereas cent4 has Bash 2.x.

The bandaid fix is to edit /usr/local/sbin/maldet and change =~ to =

This should allow maldet to work. If the scan finishes instantly with no results, and the above section does not fix it, you might also have to edit this line in /usr/local/sbin/maldet:

for hit in `$clamscan -d $inspath/sigs/rfxn.ndb -d $inspath/sigs/rfxn.hdb $clamav_db -r --infected --no-summary -f $find_results 2> /dev/null | tr -d ':' | sed 's/.UNOFFICIAL//' | awk '{print$2":"$1}'`; do

Simply remove '$clamav_db', so the line becomes:

for hit in `$clamscan -d $inspath/sigs/rfxn.ndb -d $inspath/sigs/rfxn.hdb -r --infected --no-summary -f $find_results 2> /dev/null | tr -d ':' | sed 's/.UNOFFICIAL//' | awk '{print$2":"$1}'`; do

This is because there could be an issue with clamav's own definitions stopping maldet from using it. If you need further information on this, please ask me (akwiecinski).

Disable scanning /tmp on every scan

Maldet scans /tmp, /var/tmp, and /dev/shm on every scan now. This can be very annoying if you have to scan multiple accounts individually, and will throw off your file count like so:

<source lang="text">

maldet(622028): {scan} scan completed on /home/somedude/hisdir/: files 714, malware hits 0, cleaned hits 0
# ls -la /home/somedude/hisdir
-rw-r--r--  1 somedude somedude       9001 Aug 23 13:31 datfile


User 'somedude' only has one file in the directory, yet maldet found 714 because 713 of those were in /tmp

To disable this, simply comment out this line ( tmpdir_paths="/dev/shm /tmp /var/tmp" ) in /usr/local/maldetect/maldet or use this handy one-liner to unset tmpdir_paths:

sed -i 's/tmpdir_paths="\/dev\/shm \/tmp \/var\/tmp"/tmpdir_paths=""/g' /usr/local/maldetect/maldet

Thank you AlexK for this info.

Additional Resources

Change Run Time

Either edit /etc/anacrontab to switch what time the /etc/cron.daily jobs start to a new time frame:

  1. the jobs will be started during the following hours only


  2. (guy lives in Thailand)
  1. or move that maldet crontab to the root crontab so you can have more fine control over when it starts.