ClamAV是一个C语言开发的开源病毒扫描工具用于检测木马/病毒/恶意软件等。可以在线更新病毒库,Linux系统的病毒较少,但是并不意味着病毒免疫,尤其是对于诸如邮件或者归档文件中夹杂的病毒往往更加难以防范,而ClamAV则能起到不少作用。
ClamAV相关信息如下:
项目 | 详细 |
---|---|
官方地址 | http://www.clamav.net/ |
下载地址 | http://www.clamav.net/downloads |
当前稳定版本 | 0.99.2 |
项目 | 详细 |
---|---|
主要用途 | 邮件网关的病毒扫描,内建支持多种邮件格式 |
高性能 | 提供多线程的扫描进程 |
命令行 | 提供密令行扫描方式 |
扫描对象 | 可以对要发送的邮件或者文件进行扫描 |
文件格式 | 支持多种文件格式 |
病毒库更新频度 | 一天多次病毒库的更新 |
归档文件 | 支持扫描多种归档文件,比如Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS等 |
文档 | 支持流行的文档文件,比如: MS Office文件,MacOffice文件, HTML, Flash, RTF,PDF |
项目 | 详细 |
---|---|
CENTOS/RHEL | yum -y install clamav |
Ubuntu/Debian | apt-get install clamav |
注意:centos上的clamd是在epel-release下,需要现行安装epel-release。 如果使用源码安装方式的话,保证C编译器和ZLIB等存在的情况下对源码./configure->make->make install即可。
[root@liumiaocn ~]# yum -y install epel-release
Loaded plugins: fastestmirror
...
Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-9.noarch 1/1
Verifying : epel-release-7-9.noarch 1/1
Installed:
epel-release.noarch 0:7-9
Complete!
[root@liumiaocn ~]#
[root@liumiaocn ~]# yum -y install clamav
Loaded plugins: fastestmirror
...
Running transaction
Installing : clamav-filesystem-0.99.2-8.el7.noarch 1/4
Installing : clamav-data-0.99.2-8.el7.noarch 2/4
Installing : clamav-lib-0.99.2-8.el7.x86_64 3/4
Installing : clamav-0.99.2-8.el7.x86_64 4/4
Verifying : clamav-lib-0.99.2-8.el7.x86_64 1/4
Verifying : clamav-data-0.99.2-8.el7.noarch 2/4
Verifying : clamav-0.99.2-8.el7.x86_64 3/4
Verifying : clamav-filesystem-0.99.2-8.el7.noarch 4/4
Installed:
clamav.x86_64 0:0.99.2-8.el7
Dependency Installed:
clamav-data.noarch 0:0.99.2-8.el7 clamav-filesystem.noarch 0:0.99.2-8.el7 clamav-lib.x86_64 0:0.99.2-8.el7
Complete!
[root@liumiaocn ~]#
[root@liumiaocn ~]# clamscan --version
ClamAV 0.99.2/21723/Mon Jun 13 09:53:00 2016
[root@liumiaocn ~]#
使用clamscan命令行对某一目录进行扫描,可以确认结果是否OK,同时会给出一个扫描的总体信息,其中Infected files是扫描出来的被感染的文件个数。比如如下示例表明对/root目录下的文件进行扫描,未发现感染文件的情况。
[root@liumiaocn ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 19.365 sec (0 m 19 s)
[root@liumiaocn ~]#
注意:此处提示“The virus database is older than 7 days!”的原因在于病毒库没有及时更新。因为使用yum缺省安装目前的版本似乎不会自动安装freshclam的病毒库更新功能,后面我们会使用源码安装方式来解决这个问题。
从eicar.org下载一个用于模拟病毒的文件,看一下clamav是否能够扫描出来
[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’
100%[===============================================================================================================================>] 68 --.-K/s in 0s
2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]
[root@liumiaocn ~]# ls
anaconda-ks.cfg eicar.com
[root@liumiaocn ~]# pwd
/root
重新扫描看是否能够检测出新下载的病毒测试文件。进过测试,发现结果中提示“/root/eicar.com: Eicar-Test-Signature FOUND”,同时“Infected files: 1”,说明此病毒文件被检测出来了
[root@liumiaocn ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 21.129 sec (0 m 21 s)
[root@liumiaocn ~]#
但是缺省的方式下,clamscan只会检测不会自动删除文件
[root@liumiaocn ~]# ls
anaconda-ks.cfg eicar.com
[root@liumiaocn ~]#
使用–remove选项,会直接删除检测出来的文件。
[root@liumiaocn ~]# clamscan --remove /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 23.546 sec (0 m 23 s)
[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]#
目前使用yum源安装病毒库的更新相关的仍需手动操作,所以可以考虑使用源码安装方式。
项目 | 详细 |
---|---|
下载命令 | wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz |
项目 | 详细 |
---|---|
解压命令 | tar xvpf clamav-0.99.2.tar.gz |
变更目录 | cd clamav-0.99.2 |
项目 | 详细 |
---|---|
安装gcc | yum install gcc -y |
安装openssl | yum install openssl openssl-devel -y |
创建目录 | mkdir -p /usr/local/clamav |
项目 | 详细 |
---|---|
config | ./configure –prefix=/usr/local/clamav |
make | make |
make install | make install |
[root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
ClamAV 0.99.2
[root@liumiaocn clamav-0.99.2]#
注意:此时如果执行clamscan进行扫描,会提示如下问题。
[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
ERROR: Can't get file status
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.002 sec (0 m 0 s)
[root@liumiaocn clamav-0.99.2]#
查看源码之后发现其实很简单,此时需要有可用的病毒库文件,同时用户和组的权限也需要设定。整体的顺序按照:
项目 | 详细 |
---|---|
Step 1 | 创建用户和组 |
Step 2 | 创建目录并设定权限 |
Step 3 | 拷贝和更新设定文件 |
Step 4 | 更新病毒库 |
Step 5 | 扫描病毒 |
项目 | 详细 |
---|---|
创建group | groupadd clamav |
创建用户 | useradd -g clamav clamav |
目录 | 详细 |
---|---|
logs | 存放日志信息 |
database | 存放更新病毒库信息 |
worktmp | 存放pid等临时文件或状态文件信息 |
[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# ls
bin etc include lib64 sbin share
[root@liumiaocn clamav]# mkdir -p logs database worktmp
[root@liumiaocn clamav]#
[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# chown clamav:clamav database
[root@liumiaocn clamav]#
目录 | 源文件 | 目标文件 |
---|---|---|
/usr/local/clamav/etc | clamd.conf.sample | clamd.conf |
/usr/local/clamav/etc | freshclam.conf.sample | freshclam.conf |
[root@liumiaocn etc]# pwd
/usr/local/clamav/etc
[root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
[root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
[root@liumiaocn etc]# ls
clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
[root@liumiaocn etc]#
生成病毒库更新日志文件
[root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
[root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
[root@liumiaocn etc]#
[root@liumiaocn etc]# ls
clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
[root@liumiaocn etc]# vi clamd.conf
[root@liumiaocn etc]# vi freshclam.conf
[root@liumiaocn etc]# diff clamd.conf clamd.conf.sample
14c14
< LogFile /usr/local/clamav/logs/clamd.log
---
> #LogFile /tmp/clamd.log
66c66
< PidFile /var/clamav/worktmp/clamd.pid
---
> #PidFile /var/run/clamd.pid
74c74
< DatabaseDirectory /var/lib/clamav/database
---
> #DatabaseDirectory /var/lib/clamav
[root@liumiaocn etc]#
[root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample
8c8
< #Example
---
> Example
13c13
< DatabaseDirectory /usr/local/clamav/database/
---
> #DatabaseDirectory /var/lib/clamav
17c17
< UpdateLogFile /usr/local/clamav/logs/freshclam.log
---
> #UpdateLogFile /var/log/freshclam.log
51c51
< PidFile /usr/local/clamav/worktmp/freshclam.pid
---
> #PidFile /var/run/freshclam.pid
[root@liumiaocn etc]#
其实本次示例中只需保证freshclam.conf文件正确设定即可保证ClamAV正常动作。
在设定freshclam.conf之后,使用freshclam命令即可联网更新病毒库至database目录了, 首次更新稍微会花一点时间。
[root@liumiaocn etc]# /usr/local/clamav/bin/freshclam
ClamAV update process started at Fri Aug 4 22:39:40 2017
Trying host database.clamav.net (69.12.162.28)...
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
[root@liumiaocn etc]#
更新之后
[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# ls database/
bytecode.cvd daily.cvd main.cvd mirrors.dat
[root@liumiaocn clamav]#
[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’
100%[===============================================================================================================================>] 68 --.-K/s in 0.001s
2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]
[root@liumiaocn ~]# ls
anaconda-ks.cfg eicar.com
[root@liumiaocn ~]#
[root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 6302548
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 22.310 sec (0 m 22 s)
[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]#
ClamAV提供和方便的命令行方式进行集成,保持更新的病毒库,给开源的安全方案提供了一种选择。