Security Tools: ClamAV

ClamAV is an open-source virus scanner written in C that detects trojans, viruses, malware and similar threats, and its signature database can be updated online. Linux sees relatively few viruses, but that does not mean it is immune: malware carried in e-mail or hidden inside archive files is particularly hard to guard against, and this is where ClamAV is useful.
Basic information about ClamAV:

Item                    Details
Official site           http://www.clamav.net/
Download page           http://www.clamav.net/downloads
Current stable version  0.99.2

Features

Item                      Details
Main use                  Virus scanning for mail gateways, with built-in support for many mail formats
Performance               Multi-threaded scanning daemon
Command line              Command-line scanning
Scan targets              Outgoing mail or files can be scanned
File formats              Many file formats supported
Signature update cadence  Signature database updated several times a day
Archives                  Scans many archive formats, such as Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex and SIS
Documents                 Supports popular document formats such as MS Office, MacOffice, HTML, Flash, RTF and PDF

Installation

Item           Details
CentOS/RHEL    yum -y install clamav
Ubuntu/Debian  apt-get install clamav

Note: on CentOS the clamav packages live in EPEL, so epel-release must be installed first. For a source install, as long as a C compiler, zlib and the other prerequisites are present, running ./configure -> make -> make install on the source tree is enough.

Installation log

[root@liumiaocn ~]# yum -y install epel-release
Loaded plugins: fastestmirror
...
 Package    : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-9.noarch                                                                                                                               1/1 
  Verifying  : epel-release-7-9.noarch                                                                                                                               1/1 

Installed:
  epel-release.noarch 0:7-9                                                                                                                                              

Complete!
[root@liumiaocn ~]# 
[root@liumiaocn ~]# yum -y install clamav
Loaded plugins: fastestmirror
...
Running transaction
  Installing : clamav-filesystem-0.99.2-8.el7.noarch                                                                                                                 1/4 
  Installing : clamav-data-0.99.2-8.el7.noarch                                                                                                                       2/4 
  Installing : clamav-lib-0.99.2-8.el7.x86_64                                                                                                                        3/4 
  Installing : clamav-0.99.2-8.el7.x86_64                                                                                                                            4/4 
  Verifying  : clamav-lib-0.99.2-8.el7.x86_64                                                                                                                        1/4 
  Verifying  : clamav-data-0.99.2-8.el7.noarch                                                                                                                       2/4 
  Verifying  : clamav-0.99.2-8.el7.x86_64                                                                                                                            3/4 
  Verifying  : clamav-filesystem-0.99.2-8.el7.noarch                                                                                                                 4/4 

Installed:
  clamav.x86_64 0:0.99.2-8.el7                                                                                                                                           

Dependency Installed:
  clamav-data.noarch 0:0.99.2-8.el7                     clamav-filesystem.noarch 0:0.99.2-8.el7                     clamav-lib.x86_64 0:0.99.2-8.el7                    

Complete!
[root@liumiaocn ~]#

Version check

[root@liumiaocn ~]# clamscan --version
ClamAV 0.99.2/21723/Mon Jun 13 09:53:00 2016
[root@liumiaocn ~]# 

Scanning

Scanning a directory with the clamscan command line reports each file as OK or infected, followed by a summary in which Infected files is the number of infected files found. The example below scans the files under /root and finds no infected files.

[root@liumiaocn ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK

----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 19.365 sec (0 m 19 s)
[root@liumiaocn ~]# 

Note: the warning "The virus database is older than 7 days!" appears because the signature database has not been updated. The version currently installed by yum with default settings does not appear to install the freshclam database updater; the source install later in this post addresses that.

Simulated virus file

Download the file that simulates a virus from eicar.org and check whether ClamAV detects it.

[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-02 23:03:10--  http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’

100%[===============================================================================================================================>] 68          --.-K/s   in 0s

2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]

[root@liumiaocn ~]# ls
anaconda-ks.cfg  eicar.com
[root@liumiaocn ~]# pwd
/root

Rescan

Rescan to see whether the newly downloaded test file is detected. The result now shows "/root/eicar.com: Eicar-Test-Signature FOUND" together with "Infected files: 1", so the test file was detected.

[root@liumiaocn ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 21.129 sec (0 m 21 s)
[root@liumiaocn ~]# 

By default, however, clamscan only detects; it does not delete the file automatically.

[root@liumiaocn ~]# ls
anaconda-ks.cfg  eicar.com
[root@liumiaocn ~]# 

Scan and remove infected files

With the --remove option, the detected files are deleted directly.

[root@liumiaocn ~]# clamscan --remove /root
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 23.546 sec (0 m 23 s)
[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]#
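The scan above is read by a person; an unattended job needs the same information in a usable form. As an added example (not from the original post), the helpers below parse clamscan's per-file and summary output shown in the "Scanning" and "--remove" sessions, flag the stale-database banner, and wrap the detect-only versus remove choice; SAMPLE_OUTPUT is a constructed excerpt, and clamscan is assumed to be on the PATH only for scan_dir.

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_OUTPUT is a
# constructed excerpt of clamscan output in the format shown above.

# Print the path of every infected file: clamscan reports them as
# "<path>: <signature name> FOUND".
found_files() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p'
}

# Print the "Infected files" count from the SCAN SUMMARY; prints 0 when
# the summary is absent (clamscan aborted before scanning anything).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# Succeed (exit 0) only if clamscan printed the "older than 7 days"
# banner seen in the runs above, meaning freshclam has not been run.
db_is_stale() {
    grep -q 'virus database is older than'
}

# Scan a directory. Detection is the default; pass "remove" as the second
# argument to delete what is found, mirroring clamscan --remove above.
# Returns non-zero when anything was found, so it can gate a cron job.
scan_dir() {
    dir=$1
    action=${2:-detect}
    if [ "$action" = remove ]; then
        out=$(clamscan --remove "$dir" 2>&1) || :
    else
        out=$(clamscan "$dir" 2>&1) || :
    fi
    printf '%s\n' "$out" | found_files
    printf '%s\n' "$out" | db_is_stale && echo "warning: signatures stale, run freshclam" >&2
    [ "$(printf '%s\n' "$out" | infected_count)" -eq 0 ]
}

SAMPLE_OUTPUT='LibClamAV Warning: ***  The virus database is older than 7 days!  ***
/root/.bashrc: OK
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 21.129 sec (0 m 21 s)'

# Demonstration on the sample; for a real run use: scan_dir /root [remove]
printf '%s\n' "$SAMPLE_OUTPUT" | found_files
```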

Installing from source

With the yum install, updating the signature database still requires manual work, so a source install is worth considering.

Download the source

Item              Details
Download command  wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz

Extract

Item              Details
Extract command   tar xvpf clamav-0.99.2.tar.gz
Change directory  cd clamav-0.99.2

Build dependencies

Item              Details
Install gcc       yum install gcc -y
Install openssl   yum install openssl openssl-devel -y
Create directory  mkdir -p /usr/local/clamav

configure & make & make install

Item          Details
configure     ./configure --prefix=/usr/local/clamav
make          make
make install  make install

Post-install check

[root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
clamav-config  clambc  clamconf  clamdscan  clamscan  freshclam  sigtool
[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
ClamAV 0.99.2
[root@liumiaocn clamav-0.99.2]# 

Note: running clamscan at this point produces the following error.

[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
ERROR: Can't get file status

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.002 sec (0 m 0 s)
[root@liumiaocn clamav-0.99.2]# 

A look at the source shows the cause is simple: a usable signature database is required, and the user and group permissions need to be set. The overall order is:

Item    Details
Step 1  Create the user and group
Step 2  Create the directories and set permissions
Step 3  Copy and edit the configuration files
Step 4  Update the signature database
Step 5  Scan for viruses

Setup

Step 1: create the user and group

Item          Details
Create group  groupadd clamav
Create user   useradd -g clamav clamav

Step 2: create the directories and set permissions

Create the directories

Directory  Details
logs       Log files
database   Downloaded signature database
worktmp    Temporary and state files such as PID files

[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# ls
bin  etc  include  lib64  sbin  share
[root@liumiaocn clamav]# mkdir -p logs database worktmp
[root@liumiaocn clamav]#

Set permissions

[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# chown clamav:clamav database
[root@liumiaocn clamav]#

Step 3: copy and edit the configuration files

Generate the configuration files by copying the samples

Directory              Source file            Target file
/usr/local/clamav/etc  clamd.conf.sample      clamd.conf
/usr/local/clamav/etc  freshclam.conf.sample  freshclam.conf

[root@liumiaocn etc]# pwd
/usr/local/clamav/etc
[root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
[root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
[root@liumiaocn etc]# ls
clamd.conf  clamd.conf.sample  freshclam.conf  freshclam.conf.sample
[root@liumiaocn etc]# 

Create the signature update log file

[root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
[root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
[root@liumiaocn etc]#

Edit the files

[root@liumiaocn etc]# ls
clamd.conf  clamd.conf.sample  freshclam.conf  freshclam.conf.sample
[root@liumiaocn etc]# vi clamd.conf
[root@liumiaocn etc]# vi freshclam.conf
[root@liumiaocn etc]# diff clamd.conf  clamd.conf.sample
14c14
< LogFile /usr/local/clamav/logs/clamd.log
---
> #LogFile /tmp/clamd.log
66c66
< PidFile /var/clamav/worktmp/clamd.pid
---
> #PidFile /var/run/clamd.pid
74c74
< DatabaseDirectory /var/lib/clamav/database
---
> #DatabaseDirectory /var/lib/clamav
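Review bot: the paths set in 66c66 and 74c74 do not match the layout created in Step 2: worktmp and database were created under /usr/local/clamav, but clamd.conf now points at /var/clamav/worktmp/clamd.pid and /var/lib/clamav/database, neither of which this procedure creates, so clamd would look for its database in a directory that does not exist. The clamscan and freshclam runs that follow are unaffected because they only use freshclam.conf, but for consistency suggest `PidFile /usr/local/clamav/worktmp/clamd.pid` and `DatabaseDirectory /usr/local/clamav/database`, matching the freshclam.conf changes below.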
[root@liumiaocn etc]# 
[root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample 
8c8
< #Example
---
> Example
13c13
< DatabaseDirectory /usr/local/clamav/database/
---
> #DatabaseDirectory /var/lib/clamav
17c17
< UpdateLogFile /usr/local/clamav/logs/freshclam.log
---
> #UpdateLogFile /var/log/freshclam.log
51c51
< PidFile /usr/local/clamav/worktmp/freshclam.pid
---
> #PidFile /var/run/freshclam.pid
[root@liumiaocn etc]# 

For this example, in fact, only freshclam.conf needs to be configured correctly for ClamAV to work.

Step 4: update the signature database

Once freshclam.conf is configured, running the freshclam command downloads the signature database into the database directory over the network; the first update takes a little while.

[root@liumiaocn etc]# /usr/local/clamav/bin/freshclam 
ClamAV update process started at Fri Aug  4 22:39:40 2017
Trying host database.clamav.net (69.12.162.28)...
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
[root@liumiaocn etc]# 

After the update

[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# ls database/
bytecode.cvd  daily.cvd  main.cvd  mirrors.dat
[root@liumiaocn clamav]# 

Step 5: scan for viruses

Download the virus test file

[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-04 23:00:41--  http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’

100%[===============================================================================================================================>] 68          --.-K/s   in 0.001s

2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]

[root@liumiaocn ~]# ls
anaconda-ks.cfg  eicar.com
[root@liumiaocn ~]# 

Scan and remove infected files

[root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6302548
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 22.310 sec (0 m 22 s)
[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]# 

Summary

ClamAV offers a convenient command-line interface for integration and a signature database that can be kept up to date, giving open-source security solutions another option.
