Increase maldet speed

Anyone who deals with professional web hosting knows what a threat users infected with malware, web shells and the like represent. In the general case maldet is used, which is not a bad script. It is distinguished by three things:

  1. It is terribly slow.
  2. It is horribly slow, and if you run it in monitoring mode it will mess up your server.
  3. It maintains its own database of md5/hex definitions for malicious code.

It is precisely this last feature that makes it useful, since you can submit files that have not been detected so far, and at a later stage they will enter the database. As I mentioned in points 1 and 2, its speed is shockingly low: at low machine load, 70k files are scanned in about an hour and a half. For this reason I started helping my good friend ShadowX with Malmo, an alternative to maldet written in Python with a little more flexibility. Unfortunately, due to lack of time (mainly, but not only), the project is not finished and at the moment is not very usable; there are quite a few bugs that need to be cleaned up.

In the past few days I had problems with clients infected with CryptoPHP who had huge public_html directories, ~60k+ inodes per user. Since in total more than 200k files had to be scanned, which by a rough estimate would take 5+ hours, I decided to trim the maldet configuration to reduce the files to be scanned to a more reasonable number and time. While poking around the config I noticed the following lines:

# Attempt to detect the presence of ClamAV clamscan binary
# and use as default scanner engine; up to four times faster
# scan performance and superior hex analysis. This option
# only uses ClamAV as the scanner engine, LMD signatures
# are still the basis for detecting threats.
# [ 0 = disabled, 1 = enabled; enabled by default ]

Interesting... Apparently there is an option to use ClamAV, which is also distinguished by its great speed, but why not try it. I quickly installed it:

/scripts/update_local_rpm_versions --edit target_settings.clamav installed

/scripts/check_cpanel_rpms --fix --targets=clamav

I ran maldet on a small folder and saw no difference in speed or behaviour: it was using its own Perl scanner instead of clamav. After a brief dig through the maldet source I found the following lines:

clamscan=`which clamscan 2> /dev/null`
if [ -f "$clamscan" ] && [ "$clamav_scan" == "1" ]; then
    eout "{scan} found ClamAV clamscan binary, using as scanner engine..." 1
    for hit in `$clamscan -d $inspath/sigs/rfxn.ndb -d $inspath/sigs/rfxn.hdb $clamav_db -r --infected --no-summary -f $find_results 2> /dev/null | tr -d ':' | sed 's/.UNOFFICIAL//' | awk '{print$2":"$1}'`; do

Yes, I did a `which clamscan` and to my great surprise discovered that clamav is not in PATH. What a stupid thing for cPanel to do: it left it only in /usr/local/cpanel/3rdparty/bin/, from where it uses the binary itself. A quick fix for the problem with ln:

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan

On re-scan, maldet now reports at the top:

{scan} found ClamAV clamscan binary, using as scanner engine...
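The procedure above (find the binary the panel hid outside PATH, expose it where maldet's `which clamscan` lookup succeeds, and confirm the engine was actually picked) as a checkable script. This is an added example, not code from the original post, from maldet or from cPanel; the candidate locations other than /usr/local/cpanel/3rdparty/bin, the log-file argument and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the post, maldet or cPanel). Reproduces the fix in a
# form that can be run before a scan: locate clamscan even when a control panel
# keeps it outside PATH, symlink it where `which clamscan` will find it, and
# confirm that conf.maldet still has clamav_scan enabled.

# /usr/local/cpanel/3rdparty/bin is the location from the post; the rest are
# assumed places other panels or manual builds may use.
CLAMSCAN_CANDIDATES="/usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan /opt/clamav/bin/clamscan"

# find_clamscan PATH_DIRS CANDIDATES
# Prints the first executable clamscan in the colon-separated PATH_DIRS (what
# `which clamscan` does), falling back to the space-separated CANDIDATES.
# Returns 1 if nothing is found anywhere.
find_clamscan() {
    for dir in $(printf '%s\n' "$1" | tr ':' ' '); do
        if [ -x "$dir/clamscan" ]; then
            printf '%s\n' "$dir/clamscan"
            return 0
        fi
    done
    for cand in $2; do
        if [ -x "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# expose_clamscan BINARY LINK_DIR
# Symlinks BINARY as LINK_DIR/clamscan unless LINK_DIR already has one, so the
# real binary stays where the panel's package manager put it and keeps getting
# updated there. Idempotent.
expose_clamscan() {
    link="$2/clamscan"
    if [ -e "$link" ]; then
        return 0
    fi
    ln -s "$1" "$link"
}

# maldet_clamav_enabled CONF
# Succeeds if conf.maldet sets clamav_scan to 1 (quoted or unquoted; both
# spellings occur across maldet releases). The option is on by default per the
# config comment above, but a tuned config may have switched it off, in which
# case the symlink alone changes nothing.
maldet_clamav_enabled() {
    grep -Eq '^[[:space:]]*clamav_scan="?1"?[[:space:]]*$' "$1"
}

# maldet_used_clamav LOG
# Succeeds if the captured maldet output contains the engine-selection line
# from the source quoted above, i.e. the scan really ran through clamscan.
maldet_used_clamav() {
    grep -q 'found ClamAV clamscan binary' "$1"
}

# Usage on a real cPanel box (run as root):
#   bin=$(find_clamscan "$PATH" "$CLAMSCAN_CANDIDATES") && expose_clamscan "$bin" /usr/bin
#   maldet_clamav_enabled /usr/local/maldetect/conf.maldet || echo "enable clamav_scan first"
#   maldet -a /home/user/public_html 2>&1 | tee /tmp/maldet.out; maldet_used_clamav /tmp/maldet.out
```

The check on the scan output matters because maldet falls back silently to its own scanner whenever `which clamscan` fails, so a missing symlink or a PATH that differs under cron looks exactly like a slow but successful scan.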

Now that it uses ClamAV, maldet finishes its scan 3-4-5 times faster than before. The test showed it chewed through 70k inodes in about 25 minutes, which is about 3.5 times faster than before.
