Scenario
Sometimes you will see a maldet scan finish at the very moment it was started, and nothing is detected after this ‘lightning scan’. That is not normal.
root@server [~]# maldet -b -a ~user
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(330625): {scan} launching scan of /home/user to background, see /usr/local/maldetect/event_log for progress
root@server [~]# tail /usr/local/maldetect/event_log
Feb 13 04:06:35 server maldet(997832): {sigup} local signature set is version 201302097471
Feb 13 04:06:35 server maldet(997832): {sigup} latest signature set already installed
Feb 13 19:53:24 server maldet(330625): {scan} launching scan of /home/user to background, see /usr/local/maldetect/event_log for progress
Feb 13 19:53:24 server maldet(330625): {scan} signatures loaded: 10695 (8827 MD5 / 1868 HEX)
Feb 13 19:53:24 server maldet(330625): {scan} building file list for /home/user, this might take awhile…
Feb 13 19:53:26 server maldet(330625): {scan} file list completed, found 6574 files…
Feb 13 19:53:26 server maldet(330625): {scan} found ClamAV clamscan binary, using as scanner engine…
Feb 13 19:53:26 server maldet(330625): {scan} scan of /home/user (6574 files) in progress…
Feb 13 19:53:26 server maldet(330625): {scan} scan completed on /home/user: files 6574, malware hits 0, cleaned hits 0
Feb 13 19:53:26 server maldet(330625): {scan} scan report saved, to view run: maldet --report 021313-1953.330625
This is not usual: a Maldet scan would take at least a minute to complete, so something is wrong with the scan signatures.
How it works
The Maldet signature database is updated regularly. If there is a connection issue or a problem with the remote host, the update creates a 0 byte signature file and stops. There is then nothing to compare the files against during the Maldet scan, which is why it ends so fast.
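A check for exactly this condition, as an added example that is not part of Linux Malware Detect: it verifies that the signature files are present and non-empty, and flags a scan whose event_log entries show it started and completed within the same second. The file names under sigs/ are assumed from the update log shown on this page.

```shell
#!/bin/sh
# Added example, not part of Linux Malware Detect: detect the broken-signature
# state described above before trusting a scan result.
# Assumption: signature files sit in /usr/local/maldetect/sigs under the names
# seen in the update log on this page (maldet.sigs.ver, md5.dat, hex.dat,
# rfxn.ndb, rfxn.hdb); adjust SIG_FILES if your install differs.
SIG_FILES="maldet.sigs.ver md5.dat hex.dat rfxn.ndb rfxn.hdb"

# check_sigs DIR: report every expected signature file that is missing or
# 0 bytes (what a failed update leaves behind). Returns 0 only if all are non-empty.
check_sigs() {
    bad=0
    for f in $SIG_FILES; do
        if [ ! -s "$1/$f" ]; then
            echo "missing or empty signature file: $1/$f"
            bad=1
        fi
    done
    return $bad
}

# loaded_sigs LOG: signature count from the most recent
# "{scan} signatures loaded: N" line in event_log, or 0 if there is none.
loaded_sigs() {
    sed -n 's/.*{scan} signatures loaded: \([0-9][0-9]*\) .*/\1/p' "$1" | tail -n 1 | grep . || echo 0
}

# instant_scan LOG: succeeds when the last scan's "in progress" and
# "scan completed" entries carry the same syslog timestamp (first 15 chars),
# i.e. the scan ended in the very second it started.
instant_scan() {
    start=$(grep '{scan} scan of .* in progress' "$1" | tail -n 1 | cut -c1-15)
    end=$(grep '{scan} scan completed on' "$1" | tail -n 1 | cut -c1-15)
    [ -n "$start" ] && [ "$start" = "$end" ]
}

# audit_maldet SIGDIR LOG: run all checks; a non-zero exit means the last
# scan result should not be trusted and the signature fix below is needed.
audit_maldet() {
    rc=0
    check_sigs "$1" || rc=1
    [ "$(loaded_sigs "$2")" -gt 0 ] || { echo "last scan loaded 0 signatures"; rc=1; }
    if instant_scan "$2"; then echo "last scan started and finished in the same second"; rc=1; fi
    return $rc
}
```

On a live host run `audit_maldet /usr/local/maldetect/sigs /usr/local/maldetect/event_log` (for example from a cron job before the daily scan) and act on a non-zero exit.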
Fix
This is the command to fix the issue; the explanation follows the output.
# cd /usr/local/maldetect && rm -rf sigs/ && mkdir sigs/ && maldet -u
cat: /usr/local/maldetect/sigs/maldet.sigs.ver: No such file or directory
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(350347): {sigup} performing signature update check…
maldet(350347): {sigup} could not determine signature version
maldet(350347): {sigup} signature files missing or corrupted, forcing update…
maldet(350347): {sigup} new signature set (201302097471) available
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(350347): {sigup} signature set update completed
maldet(350347): {sigup} 10695 signatures (8827 MD5 / 1868 HEX)
This removes the existing signatures from /usr/local/maldetect/sigs and re-downloads them; maldet -u performs the signature update.
If this doesn’t work either, you may have to remove and re-install Maldet.
Removing Maldet
There is no uninstall script available, so do it manually.
Kill the Maldet inotify monitoring service first:
maldet -k
Remove the Maldet directory:
rm -rf /usr/local/maldetect
Remove the cron file:
rm -f /etc/cron.daily/maldet
Re-installing Maldet is quite easy, follow the instructions at http://www.rfxn.com/projects/linux-malware-detect/