 Output of a sample run of LMD | |
| Developer(s) | R-fx Networks |
|---|---|
| Stable release | 1.6.5 / Mar 27 2023 |
| Operating system | Linux |
| Type | Linux malware Detector |
| License | GNU GPL v2 |
| Website | www |
Linux Malware Detect, abbreviated as LMD or maldet, is a software package that looks for malware on Linux systems and reports on it. [1]
To protect Linux systems against vulnerabilities, various software packages are available, such as rootkit detectors such as Rootkit Hunter and chkrootkit, and auditing systems like lynis. Malware detection software such as LMD and ClamAV improve the security of systems by scanning them based on the signatures of thousands of instances of known malware.
For malware signatures, LMD uses various sources such as the signatures database of ClamAV and the Malware Hash Registry of Team Cymru. [2] [3] Besides such third party signature databases, it also maintains its own database of signatures.
If a ClamAV scanner engine is already available on a system, LMD will use this for its scanner engine. This will normally give better performance than its built-in scanner engine. [1]
LMD can quarantine malware, and it can clean software that contains malicious code. [4]
The executable command of LMD is maldet. Typical command invocations are maldet -d, to check for later versions; maldet -u, to check for malware signature updates; and maldet -a, to scan the file system of the server on which LMD resides. Checking for malware signature updates is typically done in an automated manner. Besides periodic scans, real-time monitoring is also supported with the --monitor command-line argument. LMD can monitor users, paths and files in such a way. [4]
Linux Malware Detect is one of the objectives for the LPI 303 certification. [5]
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.
Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.
Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.
The EICAR Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO) to test the response of computer antivirus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.
ClamAV (antivirus) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses. It was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, macOS, OpenVMS, OSF (Tru64), Solaris and Haiku. As of version 0.97.5, ClamAV builds and runs on Microsoft Windows. Both ClamAV and its updates are made available free of charge. One of its main uses is on mail servers as a server-side email virus scanner.
ClamWin Free Antivirus is a free and open-source antivirus tool for Windows. It provides a graphical user interface to the Clam AntiVirus engine.
Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Windows. A core technology of OneCare was the multi-platform RAV, which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued. The software was available as an annual paid subscription, which could be used on up to three computers.
Chkrootkit (Check Rootkit) is a widely used Unix-based utility designed to aid system administrators in examining their systems for rootkits. Operating as a shell script, it leverages common Unix/Linux tools such as the strings and grep command. The primary purpose is to scan core system programs for identifying signatures and to compare data obtained from traversal the /proc with the output derived from the ps (process status) command, aiming to identify inconsistencies. It offers flexibility in execution, allowing it to function from a rescue disc, often a live CD, and provides an optional alternative directory for executing its commands. These approaches enhance chkrootkit's reliance on the commands it employs.
Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.
OSSEC (Open Source HIDS SECurity) is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. OSSEC has a log analysis engine that is able to correlate and analyze logs from multiple devices and formats.
HitmanPro is a portable antimalware program, which aims to detect and remove malicious files and registry entries related to rootkits, trojans, viruses, worms, spyware, adware, rogue antivirus programs, ransomware, and other malware from infected computers.
Kaspersky Internet Security was an internet security suite developed by Kaspersky Lab compatible with Microsoft Windows and Mac OS X. Kaspersky Internet Security offers protection from malware, as well as email spam, phishing and hacking attempts, and data leaks. Kaspersky Lab Diagnostics results are distributed to relevant developers through the MIT License.
Sourcefire, Inc was a technology company that developed network security hardware and software. The company's Firepower network security appliances were based on Snort, an open-source intrusion detection system (IDS). Sourcefire was acquired by Cisco for $2.7 billion in July 2013.
VirusTotal is a website created by the Spanish security company Hispasec Sistemas. Launched in June 2004, it was acquired by Google in September 2012. The company's ownership switched in January 2018 to Chronicle, a subsidiary of Google.
Lynis is an extensible security audit tool for computer systems running Linux, FreeBSD, macOS, OpenBSD, Solaris, and other Unix derivatives. It assists system administrators and security professionals with scanning a system and its security defenses, with the final goal being system hardening.
A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.
Michael Gregory Hoglund is an American author, researcher, and serial entrepreneur in the cyber security industry. He is the founder of several companies, including Cenzic, HBGary and Outlier Security. Hoglund contributed early research to the field of rootkits, software exploitation, buffer overflows, and online game hacking. His later work focused on computer forensics, physical memory forensics, malware detection, and attribution of hackers. He holds a patent on fault injection methods for software testing, and fuzzy hashing for computer forensics. Due to an email leak in 2011, Hoglund is well known to have worked for the U.S. Government and Intelligence Community in the development of rootkits and exploit material. It was also shown that he and his team at HBGary had performed a great deal of research on Chinese Government hackers commonly known as APT. For a time, his company HBGary was the target of a great deal of media coverage and controversy following the 2011 email leak. HBGary was later acquired by a large defense contractor.
Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).
Trend Micro Internet Security is an antivirus and online security program developed by Trend Micro for the consumer market. According to NSS Lab comparative analysis of software products for this market in 2014, Trend Micro Internet Security was fastest in responding to new internet threats.
Avira Operations GmbH & Co. KG is a German multinational computer security software company mainly known for its Avira Free Security antivirus software. Although founded in 2006, the Avira antivirus application has been under active development since 1986 through its predecessor company H+BEDV Datentechnik GmbH. Since 2021, Avira has been owned by American software company NortonLifeLock, which also operates Norton, Avast and AVG. It was previously owned by investment firm Investcorp.