
Fix Maldet “Lightning Scan” Issues

Tags: maldet, malware

Published on: August 4, 2014 by Vipin R.N

Scenario

Sometimes a Maldet scan finishes at the very moment it is initiated, and nothing is detected by this 'lightning scan'. That is not normal.

root@server [~]# maldet -b -a ~user

Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(330625): {scan} launching scan of /home/usert to background, see /usr/local/maldetect/event_log for progress

root@server [~]# tail /usr/local/maldetect/event_log
Feb 13 04:06:35 server maldet(997832): {sigup} local signature set is version 201302097471
Feb 13 04:06:35 server maldet(997832): {sigup} latest signature set already installed
Feb 13 19:53:24 server maldet(330625): {scan} launching scan of /home/user to background, see /usr/local/maldetect/event_log for progress
Feb 13 19:53:24 server maldet(330625): {scan} signatures loaded: 10695 (8827 MD5 / 1868 HEX)
Feb 13 19:53:24 server maldet(330625): {scan} building file list for /home/user, this might take awhile…
Feb 13 19:53:26 server maldet(330625): {scan} file list completed, found 6574 files…
Feb 13 19:53:26 server maldet(330625): {scan} found ClamAV clamscan binary, using as scanner engine…
Feb 13 19:53:26 server maldet(330625): {scan} scan of /home/user (6574 files) in progress…
Feb 13 19:53:26 server maldet(330625): {scan} scan completed on /home/user: files 6574, malware hits 0, cleaned hits 0
Feb 13 19:53:26 server maldet(330625): {scan} scan report saved, to view run: maldet --report 021313-1953.330625


This is not usual: a Maldet scan would take at least a minute to complete, so something is wrong with the scan signatures.
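A small check that turns the symptom above into something you can spot automatically: it reads the Maldet event_log and reports scans whose "scan completed" line follows the "launching scan" line within a few seconds even though thousands of files were listed. This is an added example, not code from the original post or from the LMD project; the log format follows the tail output shown above, and EVENT_LOG, MAX_SECONDS and MIN_FILES are assumed variable names with assumed defaults.

```shell
#!/bin/sh
# Added example, not code from the original post or the LMD project: flag
# "lightning scans" in the Maldet event_log, i.e. scans whose "scan completed"
# line follows the "launching scan" line within a few seconds even though a
# large file list was built. Log format follows the post's tail output;
# EVENT_LOG, MAX_SECONDS and MIN_FILES are assumed names with assumed defaults.

: "${EVENT_LOG:=/usr/local/maldetect/event_log}"
: "${MAX_SECONDS:=5}"     # a scan of a real file list finishing this fast is suspect
: "${MIN_FILES:=1000}"    # ignore tiny scans, which legitimately finish at once

# Read event_log lines on stdin; print "<pid> <path> <files> <seconds>" for
# each scan that completed within MAX_SECONDS of launch with >= MIN_FILES.
# Timestamps become seconds-of-month (day*86400 + time of day), which is
# enough to measure runs of a few seconds; month boundaries are not handled.
find_lightning_scans() {
    awk -v max="$MAX_SECONDS" -v minfiles="$MIN_FILES" '
    function to_secs(day, hms,    t) {
        split(hms, t, ":")
        return day * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    function pid_of(field) {          # "maldet(330625):" -> "330625"
        sub(/^maldet\(/, "", field); sub(/\):$/, "", field)
        return field
    }
    # Feb 13 19:53:24 server maldet(330625): {scan} launching scan of /home/user to background, ...
    /launching scan of / {
        pid = pid_of($5)
        start[pid] = to_secs($2, $3)
        path[pid] = $10
    }
    # Feb 13 19:53:26 server maldet(330625): {scan} scan completed on /home/user: files 6574, ...
    /scan completed on / {
        pid = pid_of($5)
        files = $12; sub(/,$/, "", files)
        if (pid in start) {
            delta = to_secs($2, $3) - start[pid]
            if (delta <= max && files + 0 >= minfiles)
                print pid, path[pid], files, delta
            delete start[pid]
        }
    }'
}

# Constructed sample: the scan from the post plus one normal-length scan
# (3 min 39 s for 8000 files) that must not be flagged.
SAMPLE_LOG='Feb 13 04:06:35 server maldet(997832): {sigup} local signature set is version 201302097471
Feb 13 19:53:24 server maldet(330625): {scan} launching scan of /home/user to background, see /usr/local/maldetect/event_log for progress
Feb 13 19:53:24 server maldet(330625): {scan} signatures loaded: 10695 (8827 MD5 / 1868 HEX)
Feb 13 19:53:26 server maldet(330625): {scan} scan completed on /home/user: files 6574, malware hits 0, cleaned hits 0
Feb 14 02:00:01 server maldet(400001): {scan} launching scan of /home/other to background, see /usr/local/maldetect/event_log for progress
Feb 14 02:03:40 server maldet(400001): {scan} scan completed on /home/other: files 8000, malware hits 1, cleaned hits 0'

demo() { printf '%s\n' "$SAMPLE_LOG" | find_lightning_scans; }

case "${1:-}" in
    --demo) demo ;;                                  # prints: 330625 /home/user 6574 2
    --run)  find_lightning_scans < "$EVENT_LOG" ;;   # check the live log
esac
```

Run it with --demo to see the post's own scan flagged (2 seconds for 6574 files), or with --run against the live log; a cron job that mails any non-empty output is enough to catch a broken signature set before the next "clean" scan is trusted.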

How it works

The Maldet signature database is updated regularly. If there is a connection issue or a problem with the remote host, the update creates a 0-byte signature file and breaks. There is then nothing to compare files against during the scan, which is why it ends so fast.

Fix

This is the command to fix the issue; the explanation follows.

# cd /usr/local/maldetect && rm -rf sigs/ && mkdir sigs/ && maldet -u


# cd /usr/local/maldetect && rm -rf sigs/ && mkdir sigs/ && maldet -u
cat: /usr/local/maldetect/sigs/maldet.sigs.ver: No such file or directory
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(350347): {sigup} performing signature update check…
maldet(350347): {sigup} could not determine signature version
maldet(350347): {sigup} signature files missing or corrupted, forcing update…
maldet(350347): {sigup} new signature set (201302097471) available
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(350347): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(350347): {sigup} signature set update completed
maldet(350347): {sigup} 10695 signatures (8827 MD5 / 1868 HEX)


This removes the existing signatures from the sigs/ directory under /usr/local/maldetect and re-downloads them; maldet -u performs the signature update.

If this doesn't work either, you may have to remove and re-install Maldet.
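The cause described under "How it works" (a missing or 0-byte signature file) can be checked for directly, and the fix above can be applied only when that check fails, then verified. The following is an added example, not code from the original post or from the LMD project; SIGS_DIR and MALDET are assumed variable names so the functions can be pointed at a test directory or a stub command, and their defaults match the paths and command used in the post. The signature count assumes one entry per line in md5.dat and hex.dat.

```shell
#!/bin/sh
# Added example, not code from the original post or the LMD project: detect the
# missing/0-byte signature files that the post identifies as the cause, apply
# the post's fix (wipe sigs/, run "maldet -u") only when the set is actually
# broken, then re-check. SIGS_DIR and MALDET are assumed variable names whose
# defaults match the post.

: "${SIGS_DIR:=/usr/local/maldetect/sigs}"
: "${MALDET:=maldet}"

# Signature files named in the post's update log.
SIG_FILES="maldet.sigs.ver md5.dat hex.dat rfxn.ndb rfxn.hdb"

# Return 0 if every signature file exists and is non-empty, 1 otherwise;
# a 0-byte file is exactly what an interrupted download leaves behind.
check_sigs() {
    dir=$1 rc=0
    for f in $SIG_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "BROKEN: $dir/$f missing or empty" >&2
            rc=1
        fi
    done
    return $rc
}

# Rough signature count (assumes one entry per line in md5.dat and hex.dat)
# to compare against the "{sigup} N signatures" line maldet prints.
count_sigs() {
    dir=$1
    md5=$(wc -l 2>/dev/null < "$dir/md5.dat" || echo 0)
    hex=$(wc -l 2>/dev/null < "$dir/hex.dat" || echo 0)
    echo $((md5 + hex))
}

# The post's fix, with the rm -rf confined to the sigs directory and a re-check.
repair_sigs() {
    dir=$1
    case "$dir" in ""|/) echo "refusing to wipe '$dir'" >&2; return 2 ;; esac
    [ -d "$(dirname "$dir")" ] || { echo "no LMD tree at $(dirname "$dir")" >&2; return 2; }
    rm -rf "$dir" && mkdir "$dir" || return 2
    "$MALDET" -u || return 2
    check_sigs "$dir"
}

# Leave a healthy install alone; only re-download when the check fails.
ensure_sigs() {
    dir=${1:-$SIGS_DIR}
    if check_sigs "$dir"; then
        echo "signatures OK: $(count_sigs "$dir") entries in $dir"
        return 0
    fi
    echo "signature set broken, re-downloading" >&2
    repair_sigs "$dir"
}

case "${1:-}" in
    --check)  check_sigs "$SIGS_DIR" ;;    # exit status 1 if any file is missing/empty
    --ensure) ensure_sigs "$SIGS_DIR" ;;   # repair only when the check fails
esac
```

Running it with --check before a scan (or from the same cron that runs the scan) turns a silent 0-byte signature set into a non-zero exit status; --ensure applies the post's fix only in that case, so a working installation is never wiped unnecessarily.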

Removing Maldet

There is no uninstall script available, so do it manually.

Kill the Maldet notify service first:

maldet -k

Remove the Maldet directory:

rm -rf /usr/local/maldetect

Remove the cron file:

rm -f /etc/cron.daily/maldet

Re-installing Maldet is quite easy; follow the instructions at http://www.rfxn.com/projects/linux-malware-detect/


Category : Linux, Security

Vipin R.N

Vipin is a no-nonsense, disciplined guy who ensures that everything is carried out with the highest level of perfection. Apart from his great coding skills, he is quite interested in advanced server administration, issue analysis, documentation and training. In-depth knowledge in international politics, ammunition and automobiles makes this hard core Manchester United fan, one of the most referenced personalities in the entire team.
