
Maldet 2.01 quarantine_hits is no longer working #485

@Gazoo

It also looks like the quarantine_hits is no longer working in the latest master and RC3 versions of maldet 2.01. quarantine_hits is enabled in conf.maldet and maldet monitoring is running in user mode:

quarantine_hits="1"
default_monitor_mode="users"
inotify_docroot="httpdocs"
# systemctl status maldet
● maldet.service - Linux Malware Detect monitoring - maldet
     Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; preset: disabled)
     Active: active (running) since Sun 2026-04-19 01:32:10 MDT; 5min ago
 Invocation: 48a7c0fb915544f997faa746a16019d2
   Main PID: 277968 (bash)
      Tasks: 3 (limit: 22860)
     Memory: 12.1M (peak: 97.4M)
        CPU: 3.612s
     CGroup: /system.slice/maldet.service
             ├─277968 bash /usr/local/maldetect/maldet --monitor
             ├─278128 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/.inotify.paths.VkWH05 --exclude "(\\^/var/tmp/mysql\\.sock\\\$|\\^/tmp/mysql\\.sock\\\$|\\^/var/cache/buagent/md0\\.cache\\.data\\\$|\\^/var/tmp/#sql-\\.\\*\\\$|\\^/tmp/#sq>
             └─279517 sleep 15

Apr 19 01:32:10 el10p18.danami.com maldet[277968]: This program may be freely redistributed under the terms of the GNU GPL v2
Apr 19 01:32:11 el10p18.danami.com maldet[277968]: maldet(277968): {mon} added /var/www/vhosts/sjdfklajsdklfajsdkaskdjfaklsdfjlkasdf.com/httpdocs to inotify monitoring array
Apr 19 01:32:11 el10p18.danami.com maldet[277968]: maldet(277968): {mon} added /var/www/vhosts/testwilly.com/httpdocs to inotify monitoring array
Apr 19 01:32:11 el10p18.danami.com maldet[277968]: maldet(277968): {mon} added /dev/shm to inotify monitoring array
Apr 19 01:32:12 el10p18.danami.com maldet[277968]: maldet(277968): {mon} added /var/tmp to inotify monitoring array
Apr 19 01:32:12 el10p18.danami.com maldet[277968]: maldet(277968): {mon} added /tmp to inotify monitoring array
Apr 19 01:32:12 el10p18.danami.com maldet[277968]: maldet(277968): {mon} starting inotify process on 5 paths, this might take awhile...
Apr 19 01:32:14 el10p18.danami.com maldet[277968]: maldet(277968): {mon} inotify startup successful (pid: 278128)
Apr 19 01:32:14 el10p18.danami.com maldet[277968]: maldet(277968): {mon} inotify monitoring log: /var/log/maldet/inotify_log
Apr 19 01:32:29 el10p18.danami.com maldet[277968]: maldet(277968): {mon} regenerated signature files on ignore_sigs file change detected

When I download some sample malware to a site in the vhosts the files are detected by the event monitoring but nothing is moved to the quarantine:

# download sample malware into the vhost directory and set the ownership from root to the website user so maldet can pick it up:
cd /var/www/vhosts/testwilly.com/httpdocs
wget https://github.com/marcocesarato/PHP-Malware-Collection/archive/refs/heads/master.zip
unzip master.zip

# changing the ownership should allow maldet to quarantine them at this stage
chown testwilly.com_axeemlwux2m:psacln PHP-Malware-Collection-master/

# there are still 270 malware files in the directory, so nothing was quarantined
find PHP-Malware-Collection-master/ -type f | wc -l
270

I can see that inotify_log detected the newly created files but the maldet quarantine directory is empty and there is no session/quarantine.hist:

/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/r57shell2.0.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/robots.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/robots.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/rootshell.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/rootshell.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/ru24_post_sh.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/ru24_post_sh.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s1.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s1.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s2.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s2.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s72 Shell v1.1 Coding.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s72 Shell v1.1 Coding.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s72_Shell_v1.1_Coding.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/s72_Shell_v1.1_Coding.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/sa.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/sa.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/sa.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/sadrazam.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/sadrazam.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/sadrazam.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/safe0ver.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/safe0ver.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/shellzx.php CREATE 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/shellzx.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/shellzx.php MODIFY 19 Apr 01:44:36
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/simattacker.php CREATE 19 Apr 01:44:37
/var/www/vhosts/testwilly.com/httpdocs/PHP-Malware-Collection-master/shell/simattacker.php MODIFY 19 Apr 01:44:37

Reverting to maldet 1.66 and repeating the steps above, the files are quarantined in the quarantine directory and listed properly in session/quarantine.hist.
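A post-upgrade smoke test for the behaviour reported above, added here as an example and not code from the issue or from the maldet project: it reads the inotify log path shown in the issue, finds paths whose CREATE event was logged, and reports any that still sit at their original location, which is exactly the symptom described (detected but never quarantined). The quarantine directory path and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the maldet project): check that the
# event monitor is quarantining what it detects. The inotify log path is the
# one shown in the issue; the quarantine directory is an assumption.
MALDET_INOTIFY_LOG=${MALDET_INOTIFY_LOG:-/var/log/maldet/inotify_log}
MALDET_QUARANTINE=${MALDET_QUARANTINE:-/usr/local/maldetect/quarantine}

# Print each distinct path with a plain CREATE event, one per line.
# Log line format as shown in the issue: "<path> <EVENT> <DD> <Mon> <HH:MM:SS>".
# Paths may contain spaces (e.g. "s72 Shell v1.1 Coding.php"), so the event is
# taken as the 4th field from the end, not a fixed column. "CREATE,ISDIR"
# (directories) is deliberately skipped, as directories are not quarantined.
inotify_created_paths() {
  awk 'NF >= 4 && $(NF-3) == "CREATE" {
    path = $0
    sub(/ [A-Z_,]+ [0-9]+ [A-Za-z]+ [0-9:]+$/, "", path)
    if (!seen[path]++) print path
  }' "$1"
}

# Print the created paths that still exist on disk, i.e. were seen by the
# monitor but never moved out of the docroot.
unquarantined_files() {
  inotify_created_paths "$1" | while IFS= read -r p; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; fi
  done
}

# Summary with a non-zero exit when anything is left in place, so the check
# can run from cron or after an upgrade. $1 = inotify log, $2 = quarantine dir.
maldet_quarantine_report() {
  log=$1; qdir=$2
  left=$(unquarantined_files "$log" | wc -l | tr -d ' ')
  qcount=$(find "$qdir" -mindepth 1 -maxdepth 1 2>/dev/null | wc -l | tr -d ' ')
  echo "created files logged but still present: $left"
  echo "entries in quarantine directory $qdir: $qcount"
  if [ "$left" -gt 0 ]; then
    unquarantined_files "$log" | sed 's/^/  still present: /'
    return 1
  fi
  return 0
}

# Run only when invoked as "sh check.sh run", so sourcing just defines functions.
if [ "${1:-}" = "run" ]; then
  maldet_quarantine_report "$MALDET_INOTIFY_LOG" "$MALDET_QUARANTINE"
fi
```

Because a quarantined file leaves the docroot, a healthy monitor yields a zero "still present" count shortly after the hits are logged; a count equal to the number of CREATE events reproduces the issue's symptom.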
