rfxn

rfxn/linux-malware-detect

Shell GPL-2.0 Security

Multi-engine Linux malware scanner with five detection stages (MD5, HEX pattern, YARA, ClamAV, statistical), real-time inotify monitoring, quarantine, and multi-channel alerting

1.5k stars
247 forks
slow
GitHub +6 / week

1.5k

Stars

247

Forks

12

Open issues

28

Contributors

v2.0.1 29 Apr 2026

AI Analysis

Linux Malware Detect (LMD) is a specialized multi-stage malware scanner for Linux systems that combines signature-based detection (MD5, SHA-256, HEX patterns, YARA rules) with ClamAV integration and statistical analysis. It includes real-time file monitoring via inotify, quarantine capabilities, and multi-channel alerting. This tool is purpose-built for system administrators and security operations teams managing Linux infrastructure who need local threat detection—not for general-purpose use...

Security Security Tool Discovery value: 5/10
Documentation 8/10
Activity 8/10
Community 7/10
Code quality 7/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

malware-detection linux-security intrusion-detection real-time-monitoring yara-scanning
Actively maintained Well documented Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
5d ago

Linux malware scanner with multi-stage detection and real-time inotify monitoring, optimized for shared hosting threats

Linux Malware Detect (LMD) is a GPL-licensed malware scanner purpose-built for shared hosting and web application threats (PHP shells, JavaScript injectors, obfuscated backdoors). It combines five detection stages (MD5, HEX patterns, YARA, ClamAV, statistical analysis), real-time inotify monitoring, quarantine operations, and multi-channel alerting. Adoption appears concentrated in managed hosting providers and system administrators managing large shared hosting infrastructures; mainstream consumer visibility remains limited.

Origin

First released in 2013 by R-fx Networks, LMD emerged from operational experience detecting malware in shared hosting environments. The project has maintained continuous development across 13 years, with v2.0.1 released in 2026 featuring significant performance rewrites (43x faster scanning) and expanded detection/alerting capabilities.

Growth

Stars grew modestly from initial release to ~1,462 by 2026, maintaining steady but unremarkable GitHub visibility. The v2.0.1 rewrite (apparent focus: performance and detection accuracy) suggests developer-driven improvement rather than marketing-driven growth. Real-time inotify monitoring and multi-engine detection remain relatively niche feature combinations in the malware detection space.

In production

Adoption not verified via public documentation in README. No case studies, customer testimonials, or deployment counts provided. Project copyright includes both R-fx Networks (organizational copyright 2002-2026) and individual contributor (2026), suggesting some organizational backing, but scale/scope of deployment undefined. Presence of ELK integration, remote ClamAV support, and multi-channel alerting (Slack, Telegram, Discord) suggests real-world production usage patterns, but no metrics provided.

Code analysis
Architecture

Appears to be a modular shell script architecture with configurable scanning pipelines. Likely implements five discrete detection stages (MD5 hash lookup, batch HEX pattern matching via grep with Aho-Corasick parallelization, YARA integration, ClamAV subprocess calls, statistical string analysis). README indicates batch processing redesign in v2.0.1 replacing per-file subprocess overhead. Architecture designed for long-running scans over large file sets without explicit per-file overhead.

Tests

README mentions CI/CD badge (GitHub Actions smoke-test workflow) but does not document test coverage depth or testing methodology. Not documented in README beyond existence of automated testing.

Maintenance

Last push 2026-05-24 (42 days before evaluation date 2026-07-05), indicating active maintenance within the past 6 weeks. CHANGELOG and version bump to 2.0.1 suggest recent major release cycle. 200+ bug fixes and significant performance rewrite in v2.0.1 indicate substantial ongoing development effort. Project appears actively maintained, not stagnant, though growth velocity remains low (7 stars in past 7 days).

Honest verdict

ADOPT IF: You manage shared hosting infrastructure, need real-time file monitoring with low overhead, require multi-stage detection (MD5/HEX/YARA/ClamAV), and can operate shell-based tooling. AVOID IF: You require vendor support, formal SLAs, or require Windows/macOS support; you need turnkey cloud-native malware detection. MONITOR IF: You are evaluating malware detection for Linux servers and want to benchmark LMD's 43x performance improvement against your existing scanning pipeline, or need to assess whether its shared-hosting-specific detection rules match your threat model.

Independent dimensions

Mainstream potential

3/10

Technical importance

6/10

Adoption evidence

2/10

Risks
  • Adoption not publicly verified; deployment scale and production usage breadth are unclear from available evidence.
  • Shell script implementation may face maintenance complexity and performance limits at extreme scale; reliance on subprocess calls (ClamAV, YARA) introduces external dependency coupling.
  • No documented vendor support, commercial SLA, or formal security audit apparent; GPL-2.0 licensing imposes copyleft obligations on derivative works.
  • Real-time inotify monitoring may generate false negatives if malware execution precedes file write detection; statistical analysis stage effectiveness highly dependent on tuning and threat profile.
  • Multi-engine detection increases false positives; README does not document tuning guidance for precision vs. recall tradeoff in production environments.
Prediction

LMD likely remains a specialized tool for managed hosting and system administrator communities. Modest GitHub growth suggests it is serving its core niche effectively without expanding broadly. Future development may focus on performance optimization (v2.0.1 precedent) and detection accuracy rather than ecosystem expansion or mainstream adoption.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Shell
94%
Roff
2.7%
Go Template
2.1%
Makefile
1%
Dockerfile
0.1%
PHP
0.1%
DIGITAL Command Language
0%

Information

Language
Shell
License
GPL-2.0
Last updated
2mo ago
Created
156mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

lenucksi

lenucksi/aur-malware-check

This is a specialized security tool for detecting and analyzing the June 2026...

2k Python Security
speed47

speed47/spectre-meltdown-checker

A self-contained shell script that diagnoses Linux and BSD systems for...

3.9k Shell Security
BlackSnufkin

BlackSnufkin/LitterBox

LitterBox is a self-hosted sandbox designed for red teams to test malware...

1.5k YARA Security
alexandreborges

alexandreborges/malwoverview

Malwoverview is a Python-based threat hunting and malware analysis platform...

3.9k Python Security
horsicq

horsicq/Detect-It-Easy

Detect It Easy (DiE) is a cross-platform file type identification and analysis...

11.1k JavaScript Security
vs. alternatives
ClamAV (VirusTotal/yara as dependency)

LMD integrates ClamAV as one of five detection stages rather than replacing it. LMD adds PHP/JavaScript/obfuscation-focused heuristics and real-time monitoring designed for shared hosting; ClamAV is general-purpose and signature-reactive.

malwoverview (3,897 stars, Python)

malwoverview appears broader-scoped (VirusTotal API integration, sandbox analysis submission). LMD is more focused on continuous local scanning and real-time monitoring; different use cases despite category overlap.

LitterBox (1,468 stars, YARA)

LitterBox appears YARA-focused. LMD uses YARA as one component in a multi-stage pipeline; LMD adds MD5 hashing, HEX patterns, ClamAV, and statistical analysis.

spectre-meltdown-checker (3,944 stars, Shell)

Similar shell-based security scanning approach but solves fundamentally different problem (CPU vulnerability detection vs. malware). Provides context for shell-based security tooling adoption.

aur-malware-check (1,948 stars, Python)

Focused on Arch Linux package repository scanning. LMD is distribution-agnostic and designed for hosted file systems. Different niche within malware detection.