rescue mode scans
 

I have a virtual rhel 7.9 server, and it is triggering firewall alerts for malware.
I've run many scans, and found a couple php items, but that's it.
I'd like to know if there is a why to boot to rescue mode, and then install/run clamav and lmd, while the image isn't running.

I can get into rescue, and I can get network, once I chroot /mnt/sysimage. I can then wget the clamav and lmd. They appear to install, though clamscan doesn't work. Lmd does, but I can't seem to scan anything. The scan starts, it loads signatures, but the scan returns and empty file list.

My command is: bash-4.4# ./maldet -a /dev/mapper/vgtest-root, which is what df -h shows.

It's likely simple, but I have worked very little in rescue, and it was to replace boot loaders.

Thanks!