File: //proc/2/cwd/usr/local/maldetect/conf.maldet
#
##
# Linux Malware Detect v1.6.6
#             (C) 2002-2025, R-fx Networks <proj@r-fx.org>
#             (C) 2025, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##
# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID user@domain.com'.
# [0 = disabled, 1 = enabled]
email_alert="0"
# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr="you@domain.com"
# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"
# Enable user alerts for specific web hosting control panels. If hits are detected,
# attempt to determine the web hosting control in use, if any. If a control
# panel is detected, determine the user contact information from the panel's
# toolset and send an email summary of the detected hits to that user.
# The list of hits will be limited to files owned by the panel user/account in question.
# Disabling alerts globally with email_alert will also disable this function.
email_panel_user_alerts="0"
# The from header that will be set on alerts to control panel users. This should
# be set by any web hosts that will be supporting the control panel users/accounts 
# on this server.
email_panel_from="you@example.com"
# The reply-to header that will be set on alerts to control panel users. This should
# be set by any web hosts that will be supporting the control panel users/accounts 
# on this server.
email_panel_replyto="you@example.com"
# The subject that will be used on alerts to control panel account contacts
email_panel_alert_subj="maldet alert from vps.rockyroadprinting.net"
# Enable or disable slack alerts, this will upload the scan report as a file
# into one or more slack channels
# [0 = disabled, 1 = enabled]
slack_alert="0"
# The file name of the file that will be uploaded to slack channel(s)
slack_subj="maldet alert from vps.rockyroadprinting.net"
# Slack authentication token.
# Requires scope: files:write:user
# more information https://api.slack.com/methods/files.upload
slack_token="AUTH_TOKEN"
# Comma-separated list of channel names or IDs
# where the scan report will be shared.
slack_channels="maldetreports"
# Enable or disable telegram alerts
# [0 = disabled, 1 = enabled]
telegram_alert="0"
# Caption for report file will be sent to telegram channel
telegram_file_caption="maldet alert from vps.rockyroadprinting.net"
# Telegram bot token.
# more information https://core.telegram.org/bots
telegram_bot_token="TELEGRAM_BOT_TOKEN"
# Telegram channel id
# more information https://stackoverflow.com/questions/33858927/how-to-obtain-the-chat-id-of-a-private-telegram-channel?answertab=active#tab-top
telegram_channel_id="TELEGRAM_CHANNEL_ID"
# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures a released multiple times per-week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"
# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"
# This controls validating the LMD executable MD5 hash with known
# good upstream hash value. This allows LMD to replace the the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"
# The retention period, in days, which quarantine, temporary files and stale
# session information should be retained. Data older than this value is deleted
# with the daily cron execution.
cron_prune_days="21"
# This controls whether or not daily automatic scanning of standard web
# directories is performed via cron.
# [0 = disabled, 1 = enabled]
cron_daily_scan="1"
# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
import_config_url=""
# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
import_config_expire="43200"
# When defined, the import_custsigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within a import_config_url file.
import_custsigs_md5_url=""
import_custsigs_hex_url=""
##
# [ SCAN OPTIONS ]
##
# The maximum directory depth that the scanner will search, a value
# of 15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="15"
# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="24"
# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="2048k"
# The maximum byte depth that the scanner will search into a files content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"
# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="1"
# The maximum byte depth that the scanner will search into a files content
#s when using named pipe (FIFO). Improved performance allows for greater
# scan depth over default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"
# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"
# Include the scanning of known temporary world-writable paths for
# -a|--al and -r|--recent scan types.
scan_tmpdir_paths="/tmp /var/tmp /dev/shm"
# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="0"
# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
scan_cpunice="19"
# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="6"
# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
scan_cpulimit="0"
# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="1"
# This allows for specific user or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=""
scan_ignore_group=""
# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="0"
# The daily cron 'find' operation performed by LMD detects recently created/modifed
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is set enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="0"
##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="0"
# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="0"
# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="0"
# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="500"
# When using an external scan engine, such as ClamAV, should files be
# quarantined if an error from the scanner engine is received?
# This is defaulted to 1, always quarantine, as ClamAV generates an
# error exit code for trivial errors such as file not found. As such, a
# large percentage of scans will have ClamAV exiting with error code 2.
# [ 0 = do not quarantine, 1 = always quarantine ]
quarantine_on_error="1"
##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or path to line
# spaced file containing local paths to monitor.
#
# This option is optional for the init based startup script, maldet.sh. This
# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldet' is
# present with a defined value for .
#
# This option is REQUIRED for the systemd maldet.service script. That script
# only checks for the value of users. The service will fail to
# start if a value is not provided.
# default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
default_monitor_mode="users"
# The base number of files that can be watched under a path
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"
# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved
inotify_sleep="30"
# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports.
inotify_reloadtime="3600"
# The minimum userid that will be added to path monitoring when
# the USERS option is specified
inotify_minuid="500"
# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ comma spaced list, clear option to default monitor user homedir ]
inotify_docroot="public_html,public_ftp"
# Process CPU scheduling (nice) priority level for monitoring process.
# [ -19 = high prio , 19 = low prio, default = 15 ]
inotify_cpunice="18"
# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="6"
# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
inotify_cpulimit="0"
# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your 'event_log' file, intended only for debugging purposes.
inotify_verbose="0"
# Remote clamd support
# If you're running a dedicated clamd server, you can instruct clamdscan to use
# it instead of the local daemon (which doesn't even need to run). To use
# this you need to create a 'clamd.remote.conf' with:
#
# TCPSocket 3310
# TCPAddr clamd.example.com
#
#
# Enable connecting to a remote clamd service to conduct all file scanning
# offload from local system. This requires that clamdscan binary be available
# to the local system.
#
# Files being scanned are effectively piped to remote daemon, this can be very
# bandwidth intensive.
# [ 0 = disabled, 1 = enabled ]
scan_clamd_remote="0"
# To instruct maldetect to use that config, enter the path to that file:
remote_clamd_config="/etc/clamd.d/clamd.remote.conf"
# If remote clamd doesn't respond properly, how many times should we retry
# the same file
remote_clamd_max_retry="5"
# How many seconds to sleep between retrys
remote_clamd_retry_sleep="3"
##
# [ STATISTICAL ELK COLLECT ]
##
# Enable statistic to bring it into ELK stack
enable_statistic="0"
# The host definition for the TCP input
# Must be define if enable_statistic=1
# Example : 192.168.1.1
elk_host=""
# The port definition for the TCP input
# Must be define if enable_statistic=1
# Example : 12345
elk_port=""
# The index definition for the Elasticsearch
# Must be define if enable_statistic=1
# Example : maldet
elk_index=""
##
# [ STATISTICAL ANALYSIS ]
# This is a beta feature and as such should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan="0"		# [ 0 = disabled, 1 = enabled ]
string_length="150000"		# [ max string length ]