Multi-engine Linux malware scanner with five detection stages (MD5, HEX pattern, YARA, ClamAV, statistical), real-time inotify monitoring, quarantine, and multi-channel alerting
1.5k
Stars
247
Forks
12
Open issues
28
Contributors
AI Analysis
Linux Malware Detect (LMD) is a specialized multi-stage malware scanner for Linux systems that combines signature-based detection (MD5, SHA-256, HEX patterns, YARA rules) with ClamAV integration and statistical analysis. It includes real-time file monitoring via inotify, quarantine capabilities, and multi-channel alerting. This tool is purpose-built for system administrators and security operations teams managing Linux infrastructure who need local threat detection—not for general-purpose use...
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Linux malware scanner with multi-stage detection and real-time inotify monitoring, optimized for shared hosting threats
Linux Malware Detect (LMD) is a GPL-licensed malware scanner purpose-built for shared hosting and web application threats (PHP shells, JavaScript injectors, obfuscated backdoors). It combines five detection stages (MD5, HEX patterns, YARA, ClamAV, statistical analysis), real-time inotify monitoring, quarantine operations, and multi-channel alerting. Adoption appears concentrated in managed hosting providers and system administrators managing large shared hosting infrastructures; mainstream consumer visibility remains limited.
First released in 2013 by R-fx Networks, LMD emerged from operational experience detecting malware in shared hosting environments. The project has maintained continuous development across 13 years, with v2.0.1 released in 2026 featuring significant performance rewrites (43x faster scanning) and expanded detection/alerting capabilities.
Stars grew modestly from initial release to ~1,462 by 2026, maintaining steady but unremarkable GitHub visibility. The v2.0.1 rewrite (apparent focus: performance and detection accuracy) suggests developer-driven improvement rather than marketing-driven growth. Real-time inotify monitoring and multi-engine detection remain relatively niche feature combinations in the malware detection space.
Adoption not verified via public documentation in README. No case studies, customer testimonials, or deployment counts provided. Project copyright includes both R-fx Networks (organizational copyright 2002-2026) and individual contributor (2026), suggesting some organizational backing, but scale/scope of deployment undefined. Presence of ELK integration, remote ClamAV support, and multi-channel alerting (Slack, Telegram, Discord) suggests real-world production usage patterns, but no metrics provided.
Appears to be a modular shell script architecture with configurable scanning pipelines. Likely implements five discrete detection stages (MD5 hash lookup, batch HEX pattern matching via grep with Aho-Corasick parallelization, YARA integration, ClamAV subprocess calls, statistical string analysis). README indicates batch processing redesign in v2.0.1 replacing per-file subprocess overhead. Architecture designed for long-running scans over large file sets without explicit per-file overhead.
README mentions CI/CD badge (GitHub Actions smoke-test workflow) but does not document test coverage depth or testing methodology. Not documented in README beyond existence of automated testing.
Last push 2026-05-24 (42 days before evaluation date 2026-07-05), indicating active maintenance within the past 6 weeks. CHANGELOG and version bump to 2.0.1 suggest recent major release cycle. 200+ bug fixes and significant performance rewrite in v2.0.1 indicate substantial ongoing development effort. Project appears actively maintained, not stagnant, though growth velocity remains low (7 stars in past 7 days).
ADOPT IF: You manage shared hosting infrastructure, need real-time file monitoring with low overhead, require multi-stage detection (MD5/HEX/YARA/ClamAV), and can operate shell-based tooling. AVOID IF: You require vendor support, formal SLAs, or require Windows/macOS support; you need turnkey cloud-native malware detection. MONITOR IF: You are evaluating malware detection for Linux servers and want to benchmark LMD's 43x performance improvement against your existing scanning pipeline, or need to assess whether its shared-hosting-specific detection rules match your threat model.
Independent dimensions
Mainstream potential
3/10
Technical importance
6/10
Adoption evidence
2/10
- Adoption not publicly verified; deployment scale and production usage breadth are unclear from available evidence.
- Shell script implementation may face maintenance complexity and performance limits at extreme scale; reliance on subprocess calls (ClamAV, YARA) introduces external dependency coupling.
- No documented vendor support, commercial SLA, or formal security audit apparent; GPL-2.0 licensing imposes copyleft obligations on derivative works.
- Real-time inotify monitoring may generate false negatives if malware execution precedes file write detection; statistical analysis stage effectiveness highly dependent on tuning and threat profile.
- Multi-engine detection increases false positives; README does not document tuning guidance for precision vs. recall tradeoff in production environments.
LMD likely remains a specialized tool for managed hosting and system administrator communities. Modest GitHub growth suggests it is serving its core niche effectively without expanding broadly. Future development may focus on performance optimization (v2.0.1 precedent) and detection accuracy rather than ecosystem expansion or mainstream adoption.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- Shell
- License
- GPL-2.0
- Last updated
- 2mo ago
- Created
- 156mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Checkout / FTP not working
maldet 2.01 email sends with no summary contents
False positive {HEX}php.cmdshell.gifheader.400
Feature request: allow `clamdscan --stream` instead of hardcoded `--fdpass` for `scan_clamd_remote`
run maldet -d fails.
Open pull requests
No open pull requests.
Top contributors
Similar repos
lenucksi/aur-malware-check
This is a specialized security tool for detecting and analyzing the June 2026...
speed47/spectre-meltdown-checker
A self-contained shell script that diagnoses Linux and BSD systems for...
alexandreborges/malwoverview
Malwoverview is a Python-based threat hunting and malware analysis platform...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
1.5k | +6 | Shell | 8/10 | 2mo ago |
|
|
2k | — | Python | 8/10 | 3d ago |
|
|
3.9k | — | Shell | 8/10 | 7d ago |
|
|
1.5k | — | YARA | 8/10 | 2mo ago |
|
|
3.9k | — | Python | 7/10 | 2w ago |
|
|
11.1k | — | JavaScript | 8/10 | 2d ago |
LMD integrates ClamAV as one of five detection stages rather than replacing it. LMD adds PHP/JavaScript/obfuscation-focused heuristics and real-time monitoring designed for shared hosting; ClamAV is general-purpose and signature-reactive.
malwoverview appears broader-scoped (VirusTotal API integration, sandbox analysis submission). LMD is more focused on continuous local scanning and real-time monitoring; different use cases despite category overlap.
LitterBox appears YARA-focused. LMD uses YARA as one component in a multi-stage pipeline; LMD adds MD5 hashing, HEX patterns, ClamAV, and statistical analysis.
Similar shell-based security scanning approach but solves fundamentally different problem (CPU vulnerability detection vs. malware). Provides context for shell-based security tooling adoption.
Focused on Arch Linux package repository scanning. LMD is distribution-agnostic and designed for hosted file systems. Different niche within malware detection.