Linux Malware Detect (LMD), also called Maldet, is a free, open-source malware scanner designed specifically for shared hosting environments. It detects PHP web shells, backdoors, drive-by download injections, and other malicious code that Imunify360 or ClamAV might miss on their own. Maldet can run standalone or use ClamAV as its scan engine for better performance.
Prerequisites
- Linux server running cPanel/WHM (any supported OS)
- Root SSH access
- ClamAV installed (optional but recommended for speed)
Step 1 — Install ClamAV (Recommended)
ClamAV dramatically speeds up Maldet scans. Install via WHM > Manage Plugins > ClamAV, or via CLI:
yum install clamd clamav clamav-update -y
freshclam
Step 2 — Download and Install Maldet
cd /usr/local/src
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
sh install.sh
The installer places Maldet in /usr/local/maldetect/ and adds a daily cron job automatically.
Step 3 — Configure Maldet
nano /usr/local/maldetect/conf.maldet
Key Configuration Options
- email_alert="1" — enable email alerts
- email_addr="admin@yourdomain.com" — alert destination
- quarantine_hits="1" — auto-quarantine infected files instead of just logging
- quarantine_clean="0" — don't auto-delete (quarantine is safer — you can review)
- clamscan_enabled="1" — use ClamAV engine for faster scanning
- scan_user_access="1" — scan only files owned by system users (skips root files)
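A check for the settings listed above, as an added example that is not part of the original guide or of the Maldet project: it reads conf.maldet, prints one line for each option whose value differs from this list, and returns the number of mismatches. The function names and the CONF override variable are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: audit conf.maldet against the values in the list above.
# The config path comes from this guide; function names are illustrative.
CONF="${CONF:-/usr/local/maldetect/conf.maldet}"

# Expected values, copied from "Key Configuration Options".
EXPECTED='email_alert=1
quarantine_hits=1
quarantine_clean=0
clamscan_enabled=1
scan_user_access=1'

# conf_value FILE KEY: print the effective value with quotes stripped.
# Commented-out lines are ignored; if a key is assigned twice, the last wins.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2=[\"']?([^\"'#[:space:]]*)[\"']?.*/\1/p" "$1" | tail -n 1
}

# audit_conf FILE: print one DRIFT line per mismatch; return the mismatch count.
audit_conf() {
    drift=0
    while IFS='=' read -r key want; do
        got="$(conf_value "$1" "$key")"
        if [ "$got" != "$want" ]; then
            echo "DRIFT $key: expected \"$want\", found \"${got:-<unset>}\""
            drift=$((drift + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    # email_addr has no fixed value; flag it if empty or still the sample address.
    addr="$(conf_value "$1" email_addr)"
    if [ -z "$addr" ] || [ "$addr" = "admin@yourdomain.com" ]; then
        echo "DRIFT email_addr: unset or still the sample address"
        drift=$((drift + 1))
    fi
    return "$drift"
}

# Run against the live config only when it exists (e.g. from cron after an upgrade).
if [ -r "$CONF" ]; then
    audit_conf "$CONF" && echo "conf.maldet matches the expected settings"
fi
```

Running it after a Maldet upgrade or a configuration change shows whether alerting or quarantine has been switched off without anyone noticing.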
Step 4 — Run Your First Manual Scan
Scan all cPanel account home directories:
maldet --scan-all /home
For a specific user:
maldet --scan-all /home/username/public_html
Step 5 — Review Scan Reports
maldet --report list # list all past scan reports
maldet --report SCAN_ID # view a specific report
Step 6 — Working with the Quarantine
maldet --quarantine-list # list quarantined files
maldet --restore /path/to/file # restore a false positive
maldet --quarantine-clean # permanently delete quarantined malware
Keeping Maldet Signatures Updated
maldet -u
The daily cron job installed by Maldet handles signature updates and scans of recently modified files automatically — you don't need to schedule this separately.
Conclusion
Maldet is an essential free security layer for cPanel servers, especially for shared hosting where clients may upload compromised code. Pair it with Imunify360's real-time scanner for maximum coverage — Imunify catches threats as files are uploaded while Maldet's daily cron scan catches anything that slipped through. Together they give you a strong defence-in-depth posture.