20200220
《ClamAV》
《Linux上杀毒软件的使用》
《clamav完整查杀linux病毒实战》
《如何使用ClamAV扫描病毒》
《ClamAV病毒查杀》
《clamtk, 按需病毒扫描器,用于Linux系统,易于使用,重量轻》
《CentOS7 安装ClamAV 进行病毒扫描查杀》
http://www.clamav.net/downloads
https://github.com/dave-theunsub/clamtk
https://github.com/dave-theunsub/clamtk-gnome
安装Linux下使用ClamAV,主要还是扫描Windows病毒,毕竟在Windows下干扰太多了。
sudo apt-get install clamav-daemon clamav-docs libclamunrar7
注:
1、clamav-daemon,clamav-daemon将会建立一个名为'clamav'的帐户。如果你安装clamav,要自己建账户。推荐
clamav-docs,ClamAV说明文档。可选
libclamunrar7,支持ClamAV扫描压缩的RAR文件。推荐
其他依赖在apt-get install 时会自动安装。
2、默认配置文件位置:
/etc/clamav/clam.conf
/etc/clamav/freshclam.conf
3、默认log文件位置(需要root权限写入):
/var/log/clamav/clamav.log
/var/log/clamav/freshclam.log
4、缺点:不能显示进度百分比。
sudo freshclam
clamscan -r /指定路径
clamscan -r --bell -i /指定路径
clamscan -r --bell -i /指定路径 -l /指定log文件位置
clamscan -r --bell -i -o /指定路径 -l /指定log文件位置
-r 递归扫描
--bell 报警声
-i 只显示受感染的文件
-l 指定log文件位置(需要提前创建文件)
-o 跳过扫描OK的文件
--remove 删除被感染文件(不推荐)
--move 移动病毒文件至指定目录
--quiet 只输出错误消息
--unzip(unrar)解压压缩文件扫描
注意:检查log文件写入是否需要root权限写入,需要就在命令前加sudo。
sudo apt-get install clamtk clamtk-gnome
sudo clamtk
注:
1、默认log文件需要root权限写入,所以要用root权限运行ClamTK。
2、clamtk-gnome安装后需重启Nautilus,在深度文件管理器无法生效。
3、优点:可以显示扫描数量和百分比。
缺点:sudo扫描后,历史也没有记录。一个窗口只能执行一个扫描。不能显示细节。
完整命令格式
clamscan -h
Clam AntiVirus: Scanner 0.100.2
By The ClamAV Team: https://www.clamav.net/about.html#credits
(C) 2007-2018 Cisco Systems, Inc.
clamscan [options] [file/directory/-]
--help -h Show this help
--version -V Print version number
--verbose -v Be verbose
--archive-verbose -a Show filenames inside scanned archives
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--suppress-ok-results -o Skip printing OK files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--gen-json[=yes/no(*)] Generate JSON description of scanned file(s). JSON will be printed and also-
dropped to the temp directory if --leave-temps is enabled.
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--allmatch[=yes/no(*)] -z Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX
--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] Load unsigned bytecode
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--phishing-ssl[=yes/no(*)] Always block (flag) SSL mismatches in URLs (phishing module)
--phishing-cloak[=yes/no(*)] Always block (flag) cloaked URLs (phishing module)
--partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics
--algorithmic-detection[=yes(*)/no] Algorithmic detection
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-swf[=yes(*)/no] Scan SWF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-xmldocs[=yes(*)/no] Scan xml-based document files
--scan-hwp3[=yes(*)/no] Scan HWP3 files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--detect-broken[=yes/no(*)] Try to detect broken executable files
--block-encrypted[=yes/no(*)] Block (flag) encrypted archives
--block-macros[=yes/no(*)] Block (flag) OLE2 files with VBA macros
--block-max[=yes/no(*)] Block (flag) files that exceed max file size, max scan size, or max recursion limit
--nocerts Disable authenticode certificate chain verification in PE files
--dumpcerts Dump authenticode certificate chain in PE files
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level
--max-embeddedpe=#n Maximum size file to check for embedded PE
--max-htmlnormalize=#n Maximum size of HTML file to normalize
--max-htmlnotags=#n Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n Maximum size of script file to normalize
--max-ziptypercg=#n Maximum size zip to type reanalyze
--max-partitions=#n Maximum number of partitions in disk image to be scanned
--max-iconspe=#n Maximum number of icons in PE file to be scanned
--max-rechwp3=#n Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.
--disable-cache Disable caching and cache checks for hash sums of scanned files.
Pass in - as the filename for stdin.
(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.
vi /etc/clamav/clam.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
vi /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
PS:
1、有些Windows下Avast、Symantec没报的,ClamAV却报了,只能说结果仅供参考。
2、不放心可以上报到这里扫描:https://www.virscan.org/language/zh-cn/