maldet.sh

Linux Malware Detect (LMD) with ClamAV antivirus integration for malware scanning, real-time monitoring, and automated quarantine on Centmin Mod LEMP servers.

Overview

Linux Malware Detect (LMD, also known as maldet) is an open-source malware scanner for Linux servers designed around the threats faced in shared hosting environments. The Centmin Mod maldet.sh addon installs LMD together with ClamAV antivirus, providing two layers of malware detection with shared signature databases.

The addon is located at /usr/local/src/centminmod/addons/maldet.sh and is supported on CentOS 7, AlmaLinux 8/9/10, Rocky Linux 8/9/10, and other RHEL-compatible distributions.

Key Features

  • Signature-based malware detection with LMD signature database
  • ClamAV engine integration for enhanced detection coverage
  • Real-time file system monitoring via inotify (watches for new/modified files)
  • Automated daily scans via cron covering Nginx web roots and system directories
  • Email alerts for scan hits (supports Pushover notifications)
  • Quarantine management — isolate and restore infected files
  • Auto-updating signatures via daily cron
  • PureFTPd upload scanning integration via ClamAV

About LMD

LMD is developed by R-fx Networks. When both LMD and ClamAV are installed, maldet automatically uses ClamAV as its scanning engine and also imports ClamAV signature databases, significantly expanding detection coverage beyond LMD’s native signatures.

Prerequisites

Before running maldet.sh, you must set the ALERTEMAIL variable. The script will exit without installing if this is not set.

Email Required Before Install

The installer checks ALERTEMAIL before proceeding. If it is empty, the script exits with a warning. Set it in the persistent config file first.

Set your alert email in the Centmin Mod persistent config file:

Shell
# Create or edit the persistent config file
echo "ALERTEMAIL='your@domain.com'" >> /etc/centminmod/custom_config.inc

# Optional: Pushover notification email
# echo "ALERT_POEMAIL='youruserkey+devicename+p1@api.pushover.net'" >> /etc/centminmod/custom_config.inc

The script also installs inotify-tools automatically for real-time monitoring. No other prerequisites are required.

Installation

After setting ALERTEMAIL in the persistent config, run the addon script:

Shell
/usr/local/src/centminmod/addons/maldet.sh

The installer performs the following steps:

  1. Downloads maldetect-current.tar.gz from rfxn.com and runs its installer
  2. Configures email alerts in /usr/local/maldetect/conf.maldet
  3. Installs ClamAV packages from EPEL (EL7: clamav clamav-update clamav-server; EL8/9/10: clamav clamav-freshclam clamav-data)
  4. Sets ClamAV MaxThreads to half your CPU thread count to reduce load
  5. Runs freshclam to download the latest ClamAV signatures
  6. Appends Centmin Mod-specific scan paths to /etc/cron.daily/maldet

Installation is logged to:

Shell
/root/centminlogs/centminmod_maldet_install_DDMMYY-HHMMSS.log

Verify installation:

Shell
maldet -v
# Output example:
# Linux Malware Detect v1.6.4
#                 (C) 2002-2019, R-fx Networks <proj@rfxn.com>
#                 (C) 2019, Ryan MacDonald <ryan@rfxn.com>

clamscan -V
# Output example:
# ClamAV 1.0.x
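As an added example (not part of the maldet.sh addon or of LMD itself), the following POSIX shell script turns the installation steps above into repeatable post-install checks: maldet binary present, clamscan on PATH, ClamAV MaxThreads equal to half the CPU thread count, and a `-b -r PATH 2` scan line in /etc/cron.daily/maldet for each path the addon appends. The paths, config file locations and the half-of-threads rule come from this page; the exact form of the cron lines the addon writes is an assumption, and the `*_CONF`/`*_CRON`/`*_BIN` variables exist so the checks can be pointed at copies.

```shell
#!/bin/sh
# Added example, not the addon's own code: post-install checks for the
# maldet.sh installation steps.  Assumed: the daily cron contains lines of
# the form "... maldet -b -r PATH 2 ..." for every path the addon appends.

MALDET_BIN="${MALDET_BIN:-/usr/local/sbin/maldet}"
MALDET_CRON="${MALDET_CRON:-/etc/cron.daily/maldet}"
# EL8/9/10 keep the daemon config in /etc/clamd.d/scan.conf, CentOS 7 in /etc/clamd.conf
CLAMD_CONF="${CLAMD_CONF:-$( [ -f /etc/clamd.d/scan.conf ] && echo /etc/clamd.d/scan.conf || echo /etc/clamd.conf )}"

# half_threads N -> N/2 rounded down, never below 1 (the value the addon sets for MaxThreads)
half_threads() {
    n=$(( $1 / 2 ))
    [ "$n" -lt 1 ] && n=1
    echo "$n"
}

# clamd_conf_get KEY [FILE] -> value of a "Key value" line (clamd.conf format); 1 if absent
clamd_conf_get() {
    awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) exit 1 }' "${2:-$CLAMD_CONF}"
}

# maxthreads_matches_cpu CPUS [FILE] -> 0 if MaxThreads equals half of CPUS
maxthreads_matches_cpu() {
    [ "$(clamd_conf_get MaxThreads "${2:-$CLAMD_CONF}")" = "$(half_threads "$1")" ]
}

# cron_scans_path PATH [FILE] -> 0 if the daily cron has a "-b -r PATH 2" scan for PATH
cron_scans_path() {
    grep -qF -- "-b -r $1 2" "${2:-$MALDET_CRON}"
}

# run_all_checks -> prints one line per check, returns 1 if anything failed
run_all_checks() {
    rc=0
    [ -x "$MALDET_BIN" ] && echo "ok   maldet binary $MALDET_BIN" || { echo "FAIL maldet binary missing"; rc=1; }
    command -v clamscan >/dev/null 2>&1 && echo "ok   clamscan on PATH" || { echo "FAIL clamscan missing"; rc=1; }
    if maxthreads_matches_cpu "$(nproc)"; then
        echo "ok   MaxThreads = $(clamd_conf_get MaxThreads) (half of $(nproc) threads)"
    else
        echo "WARN MaxThreads in $CLAMD_CONF is not half of $(nproc) CPU threads"; rc=1
    fi
    # the glob is quoted on purpose: the cron line carries it literally
    for p in '/home/nginx/domains/*/public' /var/www/html /usr/local/nginx/html /boot /etc /usr; do
        cron_scans_path "$p" && echo "ok   cron scans $p" || { echo "FAIL cron lacks $p"; rc=1; }
    done
    return $rc
}

# Usage on a server: run_all_checks
```

Each check is a function with a 0/1 exit status so it can be wired into monitoring; `run_all_checks` is only the human-readable summary.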

Configuration

The primary maldet configuration file is /usr/local/maldetect/conf.maldet. Key settings configured by the addon:

Setting                 Value             Description
email_alert             1                 Enable email alerts on scan hits
email_addr              your@domain.com   Alert email address (from ALERTEMAIL)
scan_clamscan           1                 Use ClamAV engine when available
scan_ignore_root        1                 Ignore files owned by root
quarantine_hits         0                 Auto-quarantine (disabled by default; enable with caution)
autoupdate_signatures   1                 Auto-update signatures daily
autoupdate_version      1                 Auto-update maldet itself

Edit the configuration file directly:

Shell
nano /usr/local/maldetect/conf.maldet

Scan Commands

All maldet commands are run as root. The binary is at /usr/local/sbin/maldet (also symlinked as maldet).

Foreground Scan

Shell
# Scan a specific directory
maldet --scan-all /home/nginx/domains/yourdomain.com/public

# Scan recently modified files (last N days)
maldet --scan-recent /home/nginx/domains/ 7

# Scan all Nginx web roots
maldet --scan-all /home/nginx/domains/

Background (Non-blocking) Scan

Shell
# Background scan (used in cron) — scan files modified in last 2 days
maldet -b -r /home/nginx/domains/ 2

# Background scan of a specific path
maldet -b --scan-all /home/nginx/domains/yourdomain.com/public

Reports & Logs

Shell
# List all scan reports with their SCANIDs
maldet --report list

# View a specific report by SCANID
maldet --report SCANID

# View most recent report
maldet --report

# View maldet's event log (scan runs, signature updates, monitor hits)
maldet --log

# Scan logs location
ls /usr/local/maldetect/logs/

Signature Updates

Shell
# Update maldet signatures (short form: maldet -u)
maldet --update-sigs

# Update the maldet program itself (short form: maldet -d)
maldet --update-ver

# Update ClamAV signatures
freshclam

ClamAV Integration

When ClamAV is installed alongside maldet, maldet automatically uses clamscan as its scan engine. This provides a significant performance improvement over maldet’s native scanner and adds detection coverage from the ClamAV signature database.

Configuration Files

  • /etc/clamd.conf — ClamAV daemon config (CentOS 7)
  • /etc/clamd.d/scan.conf — ClamAV daemon config (EL8/9/10)
  • /etc/freshclam.conf — Signature updater config

Verify ClamAV is active as the maldet scan engine:

Shell
# Check maldet's configured scanner (scan_clamscan="1" means clamscan is used when present)
grep "^scan_clamscan" /usr/local/maldetect/conf.maldet

# Verify clamscan binary exists
which clamscan
clamscan -V

ClamAV MaxThreads

The addon automatically sets MaxThreads to half your CPU thread count to prevent scans from overwhelming the server. The default ClamAV value of 50 threads is far too high for most servers.

Real-time Monitoring

maldet supports real-time file system monitoring via inotifywait (from inotify-tools). When enabled, maldet monitors a directory for newly created or modified files and scans them immediately.

Shell
# Start real-time monitoring on a directory (several paths: comma-separated)
maldet --monitor /home/nginx/domains/

# Check that the monitor is running and review inotify hits in the event log
pgrep -af inotifywait
maldet --log

# Stop monitoring
maldet --kill-monitor

inotify Watch Limits

Monitoring large directory trees may require increasing the kernel’s inotify watch limit. Check with cat /proc/sys/fs/inotify/max_user_watches and increase if needed: echo 524288 > /proc/sys/fs/inotify/max_user_watches.
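Writing to /proc as shown above takes effect immediately but is lost at reboot. As an added example (not from the addon), the POSIX shell script below estimates how many watches `maldet --monitor PATH` needs, compares that with the kernel limit, and prints both the immediate `sysctl -w` and a persistent /etc/sysctl.d drop-in (the file name 99-inotify.conf is an arbitrary choice). It relies on inotifywait -r placing one watch per directory, so the directory count of the tree is what matters; the 50% headroom and the power-of-two rounding are this example's own policy.

```shell
#!/bin/sh
# Added example, not part of the Centmin Mod addon: size fs.inotify.max_user_watches
# for maldet --monitor.  inotifywait -r uses one watch per directory.

# count_dirs PATH -> number of directories in the tree (including PATH itself)
count_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# current_watch_limit -> current value of fs.inotify.max_user_watches
current_watch_limit() {
    cat /proc/sys/fs/inotify/max_user_watches
}

# recommended_watch_limit NEEDED [CURRENT] -> CURRENT if it already covers NEEDED
# with 50% headroom, otherwise the smallest power of two (>= 8192) that does
recommended_watch_limit() {
    needed=$1; current=${2:-$(current_watch_limit)}
    target=$(( needed + needed / 2 ))
    if [ "$current" -ge "$target" ]; then
        echo "$current"; return 0
    fi
    limit=8192
    while [ "$limit" -lt "$target" ]; do limit=$(( limit * 2 )); done
    echo "$limit"
}

# check_watch_limit PATH -> prints a report; returns 1 when the limit should be raised
check_watch_limit() {
    needed=$(count_dirs "$1")
    current=$(current_watch_limit)
    rec=$(recommended_watch_limit "$needed" "$current")
    echo "directories under $1:           $needed"
    echo "fs.inotify.max_user_watches:    $current"
    if [ "$rec" -gt "$current" ]; then
        echo "limit is too low for recursive monitoring; raise it:"
        echo "  sysctl -w fs.inotify.max_user_watches=$rec                       # immediate"
        echo "  echo 'fs.inotify.max_user_watches = $rec' > /etc/sysctl.d/99-inotify.conf  # survives reboot"
        return 1
    fi
    echo "limit is sufficient"
}

# Usage on a server: check_watch_limit /home/nginx/domains/
```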

PureFTPd Upload Scanning

Centmin Mod can integrate ClamAV with PureFTPd to scan uploaded files automatically before they are made available. This is done by configuring PureFTPd to call clamdscan (or clamscan) as a pre-upload callback.

The maldet real-time monitor approach is often used instead: watch the FTP upload directory with maldet --monitor so that every uploaded file is scanned immediately after landing on disk.

Shell
# Monitor all user web roots (picks up FTP uploads immediately)
maldet --monitor /home/nginx/domains/

# Or scan a specific FTP upload directory
maldet --monitor /home/nginx/domains/yourdomain.com/public

For direct PureFTPd ClamAV integration, see the Centmin Mod community forums for current setup guides, as the configuration depends on your server’s PureFTPd version.

Cron & Auto-updates

The maldet installer configures a daily cron job at /etc/cron.daily/maldet. Centmin Mod’s maldet.sh also appends Centmin Mod-specific paths to cover all Nginx web roots.

The extended cron covers the following paths:

Paths scanned daily
/home/nginx/domains/*/public    # All Nginx vhost web roots
/var/www/html                   # Default Apache/Nginx web root
/usr/local/nginx/html           # Nginx default html directory
/boot                           # Boot partition
/etc                            # System configuration directory
/usr                            # System binaries and libraries

The cron scans use -b -r PATH 2 flags — background mode, scanning files modified in the last 2 days. This keeps daily scan time manageable on large servers.

Signature auto-update settings in conf.maldet:

/usr/local/maldetect/conf.maldet (excerpt)
autoupdate_signatures="1"  # Auto-update LMD signatures daily
autoupdate_version="1"     # Auto-update maldet itself

Quarantine Management

Quarantine is disabled by default (quarantine_hits=0) to prevent false positives from removing legitimate files. Enable with care. Quarantined files are stored in /usr/local/maldetect/quarantine/.

Shell
# View quarantined files
ls -la /usr/local/maldetect/quarantine/

# Restore a specific quarantined file to its original path
maldet --restore /usr/local/maldetect/quarantine/FILENAME

# Restore every file quarantined from one scan report
maldet --restore SCANID

# Quarantine all hits from a scan report
maldet --quarantine SCANID

# Try to clean (disinfect) hits from a scan report and restore them
maldet --clean SCANID

# Purge logs, quarantine queue, session and temporary data (irreversible)
maldet --purge

To enable automatic quarantine of scan hits, edit the config:

Shell
sed -i 's/quarantine_hits="0"/quarantine_hits="1"/' /usr/local/maldetect/conf.maldet
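The sed one-liner above only matches when the line is exactly quarantine_hits="0"; if the value was edited before, it silently changes nothing. As an added example (not the addon's own code), the POSIX shell helpers below read and set conf.maldet key="value" settings by anchoring on the key, which also gives a scriptable version of the scan_clamscan check from the ClamAV Integration section. The key="value" format is the one shown in this page's excerpts; MALDET_CONF can be pointed at a copy for testing, and every change leaves a .bak beside the file.

```shell
#!/bin/sh
# Added example, not part of maldet.sh: anchored get/set for conf.maldet.
# Assumed: one key="value" setting per line, as in the excerpts on this page.

MALDET_CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"

# maldet_conf_get KEY [FILE] -> prints KEY's value without quotes (last definition wins)
maldet_conf_get() {
    key="$1"; file="${2:-$MALDET_CONF}"
    sed -n "s/^[[:space:]]*${key}=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$file" | tail -n 1
}

# maldet_conf_set KEY VALUE [FILE] -> rewrites KEY's line in place; 1 if KEY is not in FILE
maldet_conf_set() {
    key="$1"; value="$2"; file="${3:-$MALDET_CONF}"
    if ! grep -q "^[[:space:]]*${key}=" "$file"; then
        echo "maldet_conf_set: ${key} not found in ${file}" >&2
        return 1
    fi
    cp -p "$file" "${file}.bak"
    # anchor on the key so the edit works whatever the current value is
    sed -i "s|^\([[:space:]]*${key}=\).*|\1\"${value}\"|" "$file"
}

# clamav_engine_enabled [FILE] -> 0 if scan_clamscan="1" (maldet will use clamscan when present)
clamav_engine_enabled() {
    [ "$(maldet_conf_get scan_clamscan "${1:-$MALDET_CONF}")" = "1" ]
}

# clamav_engine_active [FILE] -> 0 if the setting is on AND a clamscan binary is on PATH
clamav_engine_active() {
    clamav_engine_enabled "${1:-$MALDET_CONF}" && command -v clamscan >/dev/null 2>&1
}

# enable_quarantine [FILE] -> sets quarantine_hits="1"
enable_quarantine() {
    maldet_conf_set quarantine_hits 1 "${1:-$MALDET_CONF}"
}

# Usage on a server (opt-in so the file is not touched by accident):
if [ "${MALDET_EXAMPLE_APPLY:-0}" = "1" ]; then
    enable_quarantine && echo "quarantine_hits is now $(maldet_conf_get quarantine_hits)"
fi
```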

Extending Signatures

The default maldet and ClamAV signature databases can be extended with additional community signature sets from sources such as Securiteinfo, MalwarePatrol, and the ClamAV Unofficial Signatures project to improve detection rates.

Community Guide: Extending Maldet & ClamAV Signatures

The Centmin Mod community forums have a detailed thread on extending maldet and ClamAV with additional signature databases, including step-by-step instructions for setting up unofficial signature sets.

Read the guide on community.centminmod.com →

The extended signatures are typically placed in /var/lib/clamav/ and automatically loaded by ClamAV. After adding signatures, restart freshclam and verify:

Shell
# Update ClamAV signatures
freshclam

# Check ClamAV version and signature database version/date
clamscan --version
# Example output: ClamAV 1.0.x/27000/Mon Jan 1 12:00:00 2026

# Count signatures per database file (daily.cld replaces daily.cvd after incremental updates)
sigtool --info /var/lib/clamav/main.cvd
sigtool --info /var/lib/clamav/daily.cvd

# Total signatures clamscan actually loads, from its scan summary
clamscan /dev/null | grep 'Known viruses'