Centos7安装杀毒软件ClamAV

原文链接：https://ismailyenigul.wordpress.com/2015/01/05/install-clamav-on-centos-7/

Clam AntiVirus（ClamAV）是免费而且开放源代码的防毒软件，软件与病毒码的更新皆由社群免费发布。目前ClamAV主要是使用在由

Linux、FreeBSD等Unix-like系统架设的邮件服务器上，提供电子邮件的病毒扫描服务.

安装EPEL源

（http://www.cyberciti.biz/faq/installing-rhel-epel-repo-on-centos-redhat-7-x/）

Clamav可以通过EPEL源来安装，所以要首先安装EPEL，可以采用两种方法来安装：

第一种，通过命令行安装

[root@server_for_product ~]# yum install epel-release

第二种，使用下载好的安装包进行安装

[root@server_for_product ~]# cd /tmp

[root@server_for_product tmp]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

ls *.rpm

[root@server_for_product tmp]# yum install epel-release-7.noarch.rpm

刷新安装源并查看是否已经安装

[root@server_for_product ~]# yum repolist

看到以下字样就代表安装完成

epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64

查看EPEL源含有的安装包

[root@server_for_product ~]# yum --disablerepo="*" --enablerepo="epel" list available | less

安装ClamAV

在安装了EPEL源后，运行下面的命令安装ClamAV

[root@server_for_product ~]# yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y

在两个配置文件/etc/freshclam.conf和/etc/clamd.d/scan.conf中移除“Example”字符

[root@server_for_product ~]#sed -i -e “s/^Example/#Example/” /etc/freshclam.conf

[root@server_for_product ~]#sed -i -e “s/^Example/#Example/” /etc/clamd.d/scan.conf

手动更新病毒库

[root@server_for_product ~]# freshclam

顺便一提，freshclam命令通过文件/etc/cron.d/clamav-update来自动运行，该文件的内容

|

Adjust this line...

MAILTO=root

It is ok to execute it as root; freshclam drops privileges and becomes

user 'clamupdate' as soon as possible

0 */3 * * * root /usr/share/clamav/freshclam-sleep

|

但默认情况下是禁止了自动更新功能，需要移除文件/etc/sysconfig/freshclam最后一行的配置才能启用

|

Adjust this line...

MAILTO=root

It is ok to execute it as root; freshclam drops privileges and becomes

user 'clamupdate' as soon as possible

0 */3 * * * root /usr/share/clamav/freshclam-sleep

[root@server_for_product kylin]# ^C

[root@server_for_product kylin]# tail /etc/sysconfig/freshclam

This option accepts two special values:

'disabled-warn' ... disables the automatic freshclam update and

gives out a warning

'disabled' ... disables the automatic freshclam silently

FRESHCLAM_DELAY=

!!!!! REMOVE ME !!!!!!

REMOVE ME: By default, the freshclam update is disabled to avoid

REMOVE ME: network access without prior activation

FRESHCLAM_DELAY=disabled-warn # REMOVE ME

|

记得移除上面红色字体

定义服务器类型（本地或者TCP），在这里定义为使用本地socket，将文件/etc/clam.d/scan.conf中的这一行前面的注释符号去掉：

LocalSocket /var/run/clamd.scan/clamd.sock

配置开机启动

[root@server_for_product ~]# systemctl enable clamd@scan

[root@server_for_product ~]# ln -s ‘/usr/lib/systemd/system/[email protected]’ ‘/etc/systemd/system/multi-user.target.wants/[email protected]’

启动并检查服务状态

[root@server_for_product ~]# systemctl start clamd@scan

[root@server_for_product ~]# systemctl status clamd@scan

看到active字样就表示安装成功

备注

如果在手动更新病毒库的时候遇到错误：Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working.

此时就要删除掉旧的镜像地址文件

[root@server_for_product ~]# rm -f /var/lib/clamav/mirrors.dat

再手动更新一次病毒库

[root@server_for_product ~]# freshclam
更新病毒库

freshclam

扫描方法

clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log

clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log

clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log

clamscan -r --remove /usr/bin/bsd-port

clamscan -r --remove /usr/bin/

clamscan -r --remove /usr/local/zabbix/sbin
查看日志发现

/bin/netstat: Linux.Trojan.Agent FOUND为病毒

grep FOUND /root/usrclamav.log

/usr/bin/.sshd: Linux.Trojan.Agent FOUND

/usr/sbin/ss: Linux.Trojan.Agent FOUND

/usr/sbin/lsof: Linux.Trojan.Agent FOUND
扫描所有用户的主目录就使用 clamscan -r /home

· 扫描您计算机上的所有文件并且显示所有的文件的扫描结果，就使用 clamscan -r /

· 扫描您计算机上的所有文件并且显示有问题的文件的扫描结果，就使用 clamscan -r --bell -i /

执行下面命令扫描根目录下面的所有文件。如下所示：56个文件被感染了。基本上都是Linux.Trojan.Agent和Linux.Backdoor.Gates等。

/opt/clamav/bin/clamscan -r --bell -i