安全防护工具之:ClamAV

安全防护工具之:ClamAV

ClamAV是一个C语言开发的开源病毒扫描工具用于检测木马/病毒/恶意软件等。可以在线更新病毒库,Linux系统的病毒较少,但是并不意味着病毒免疫,尤其是对于诸如邮件或者归档文件中夹杂的病毒往往更加难以防范,而ClamAV则能起到不少作用。 ClamAV相关信息如下:

项目

详细

官方地址

http://www.clamav.net/

下载地址

http://www.clamav.net/downloads

当前稳定版本

0.99.2

功能特性

项目

详细

主要用途

邮件网关的病毒扫描,内建支持多种邮件格式

高性能

提供多线程的扫描进程

命令行

提供密令行扫描方式

扫描对象

可以对要发送的邮件或者文件进行扫描

文件格式

支持多种文件格式

病毒库更新频度

一天多次病毒库的更新

归档文件

支持扫描多种归档文件,比如Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS等

文档

支持流行的文档文件,比如: MS Office文件,MacOffice文件, HTML, Flash, RTF,PDF

安装方式

项目

详细

CENTOS/RHEL

yum -y install clamav

Ubuntu/Debian

apt-get install clamav

注意:centos上的clamd是在epel-release下,需要现行安装epel-release。 如果使用源码安装方式的话,保证C编译器和ZLIB等存在的情况下对源码./configure->make->make install即可。

安装日志

  1. [root@liumiaocn ~]# yum -y install epel-release
  2. Loaded plugins: fastestmirror
  3. ...
  4. Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
  5. From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
  6. Running transaction check
  7. Running transaction test
  8. Transaction test succeeded
  9. Running transaction
  10. Installing : epel-release-7-9.noarch 1/1
  11. Verifying : epel-release-7-9.noarch 1/1
  12. Installed:
  13. epel-release.noarch 0:7-9
  14. Complete!
  15. [root@liumiaocn ~]#
  1. [root@liumiaocn ~]# yum -y install clamav
  2. Loaded plugins: fastestmirror
  3. ...
  4. Running transaction
  5. Installing : clamav-filesystem-0.101.2-1.el7.noarch 1/5
  6. Installing : pcre2-10.23-2.el7.x86_64 2/5
  7. Installing : clamav-lib-0.101.2-1.el7.x86_64 3/5
  8. Installing : clamav-update-0.101.2-1.el7.x86_64 4/5
  9. Installing : clamav-0.101.2-1.el7.x86_64 5/5
  10. Verifying : clamav-0.101.2-1.el7.x86_64 1/5
  11. Verifying : clamav-update-0.101.2-1.el7.x86_64 2/5
  12. Verifying : clamav-lib-0.101.2-1.el7.x86_64 3/5
  13. Verifying : pcre2-10.23-2.el7.x86_64 4/5
  14. Verifying : clamav-filesystem-0.101.2-1.el7.noarch 5/5
  15. Installed:
  16. clamav.x86_64 0:0.101.2-1.el7
  17. Dependency Installed:
  18. clamav-filesystem.noarch 0:0.101.2-1.el7 clamav-lib.x86_64 0:0.101.2-1.el7
  19. clamav-update.x86_64 0:0.101.2-1.el7 pcre2.x86_64 0:10.23-2.el7
  20. Complete!
  21. [root@liumiaocn ~]#

版本确认

  1. [root@liumiaocn ~]# clamscan --version
  2. ClamAV 0.101.2
  3. [root@liumiaocn ~]#

扫描

使用clamscan命令行对某一目录进行扫描,可以确认结果是否OK,同时会给出一个扫描的总体信息,其中Infected files是扫描出来的被感染的文件个数。比如如下示例表明对/root目录下的文件进行扫描,未发现感染文件的情况。

  1. [root@liumiaocn ~]# clamscan /root
  2. LibClamAV Warning: **************************************************
  3. LibClamAV Warning: *** The virus database is older than 7 days! ***
  4. LibClamAV Warning: *** Please update it as soon as possible. ***
  5. LibClamAV Warning: **************************************************
  6. /root/.bash_logout: OK
  7. /root/.bash_profile: OK
  8. /root/.bashrc: OK
  9. /root/.cshrc: OK
  10. /root/.tcshrc: OK
  11. /root/anaconda-ks.cfg: OK
  12. /root/.bash_history: OK
  13. ----------- SCAN SUMMARY -----------
  14. Known viruses: 4490129
  15. Engine version: 0.99.2
  16. Scanned directories: 1
  17. Scanned files: 7
  18. Infected files: 0
  19. Data scanned: 0.00 MB
  20. Data read: 0.00 MB (ratio 0.00:1)
  21. Time: 19.365 sec (0 m 19 s)
  22. [root@liumiaocn ~]#

注意:此处提示“The virus database is older than 7 days!”的原因在于病毒库没有及时更新。因为使用yum缺省安装目前的版本似乎不会自动安装freshclam的病毒库更新功能,后面我们会使用源码安装方式来解决这个问题。

模拟病毒文件

从eicar.org下载一个用于模拟病毒的文件,看一下clamav是否能够扫描出来

  1. [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
  2. --2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
  3. Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
  4. Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: 68 [application/octet-stream]
  7. Saving to: ‘eicar.com’
  8. 100%[===============================================================================================================================>] 68 --.-K/s in 0s
  9. 2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]
  10. [root@liumiaocn ~]# ls
  11. anaconda-ks.cfg eicar.com
  12. [root@liumiaocn ~]# pwd
  13. /root

重新扫描

重新扫描看是否能够检测出新下载的病毒测试文件。进过测试,发现结果中提示“/root/eicar.com: Eicar-Test-Signature FOUND”,同时“Infected files: 1”,说明此病毒文件被检测出来了

  1. [root@liumiaocn ~]# clamscan /root
  2. LibClamAV Warning: **************************************************
  3. LibClamAV Warning: *** The virus database is older than 7 days! ***
  4. LibClamAV Warning: *** Please update it as soon as possible. ***
  5. LibClamAV Warning: **************************************************
  6. /root/.bash_logout: OK
  7. /root/.bash_profile: OK
  8. /root/.bashrc: OK
  9. /root/.cshrc: OK
  10. /root/.tcshrc: OK
  11. /root/anaconda-ks.cfg: OK
  12. /root/.bash_history: OK
  13. /root/eicar.com: Eicar-Test-Signature FOUND
  14. ----------- SCAN SUMMARY -----------
  15. Known viruses: 4490129
  16. Engine version: 0.99.2
  17. Scanned directories: 1
  18. Scanned files: 8
  19. Infected files: 1
  20. Data scanned: 0.00 MB
  21. Data read: 0.00 MB (ratio 0.00:1)
  22. Time: 21.129 sec (0 m 21 s)
  23. [root@liumiaocn ~]#

但是缺省的方式下,clamscan只会检测不会自动删除文件

  1. [root@liumiaocn ~]# ls
  2. anaconda-ks.cfg eicar.com
  3. [root@liumiaocn ~]#

扫描并删除感染文件

使用–remove选项,会直接删除检测出来的文件。

  1. [root@liumiaocn ~]# clamscan --remove /root
  2. LibClamAV Warning: **************************************************
  3. LibClamAV Warning: *** The virus database is older than 7 days! ***
  4. LibClamAV Warning: *** Please update it as soon as possible. ***
  5. LibClamAV Warning: **************************************************
  6. /root/.bash_logout: OK
  7. /root/.bash_profile: OK
  8. /root/.bashrc: OK
  9. /root/.cshrc: OK
  10. /root/.tcshrc: OK
  11. /root/anaconda-ks.cfg: OK
  12. /root/.bash_history: OK
  13. /root/eicar.com: Eicar-Test-Signature FOUND
  14. /root/eicar.com: Removed.
  15. ----------- SCAN SUMMARY -----------
  16. Known viruses: 4490129
  17. Engine version: 0.99.2
  18. Scanned directories: 1
  19. Scanned files: 8
  20. Infected files: 1
  21. Data scanned: 0.00 MB
  22. Data read: 0.00 MB (ratio 0.00:1)
  23. Time: 23.546 sec (0 m 23 s)
  24. [root@liumiaocn ~]# ls
  25. anaconda-ks.cfg
  26. [root@liumiaocn ~]#

源码安装方式

目前使用yum源安装病毒库的更新相关的仍需手动操作,所以可以考虑使用源码安装方式。

下载源码

项目

详细

下载命令

wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz

解压

项目

详细

解压命令

tar xvpf clamav-0.99.2.tar.gz

变更目录

cd clamav-0.99.2

编译前依赖

项目

详细

安装gcc

yum install gcc -y

安装openssl

yum install openssl openssl-devel -y

创建目录

mkdir -p /usr/local/clamav

config & make & make install

项目

详细

config

./configure –prefix=/usr/local/clamav

make

make

make install

make install

安装后确认

  1. [root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
  2. clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
  3. [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
  4. ClamAV 0.99.2
  5. [root@liumiaocn clamav-0.99.2]#

注意:此时如果执行clamscan进行扫描,会提示如下问题。

  1. [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
  2. LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
  3. ERROR: Can't get file status
  4. ----------- SCAN SUMMARY -----------
  5. Known viruses: 0
  6. Engine version: 0.99.2
  7. Scanned directories: 0
  8. Scanned files: 0
  9. Infected files: 0
  10. Data scanned: 0.00 MB
  11. Data read: 0.00 MB (ratio 0.00:1)
  12. Time: 0.002 sec (0 m 0 s)
  13. [root@liumiaocn clamav-0.99.2]#

查看源码之后发现其实很简单,此时需要有可用的病毒库文件,同时用户和组的权限也需要设定。整体的顺序按照:

项目

详细

Step 1

创建用户和组

Step 2

创建目录并设定权限

Step 3

拷贝和更新设定文件

Step 4

更新病毒库

Step 5

扫描病毒

设定

Step 1: 创建用户和组

项目

详细

创建group

groupadd clamav

创建用户

useradd -g clamav clamav

Step 2: 创建目录并设定权限

创建目录

目录

详细

logs

存放日志信息

database

存放更新病毒库信息

worktmp

存放pid等临时文件或状态文件信息

  1. [root@liumiaocn clamav]# pwd
  2. /usr/local/clamav
  3. [root@liumiaocn clamav]# ls
  4. bin etc include lib64 sbin share
  5. [root@liumiaocn clamav]# mkdir -p logs database worktmp
  6. [root@liumiaocn clamav]#

设定权限

  1. [root@liumiaocn clamav]# pwd
  2. /usr/local/clamav
  3. [root@liumiaocn clamav]# chown clamav:clamav database
  4. [root@liumiaocn clamav]#

Step 3: 拷贝和更新设定文件

拷贝生成设定文件

目录

源文件

目标文件

/usr/local/clamav/etc

clamd.conf.sample

clamd.conf

/usr/local/clamav/etc

freshclam.conf.sample

freshclam.conf

  1. [root@liumiaocn etc]# pwd
  2. /usr/local/clamav/etc
  3. [root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
  4. [root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
  5. [root@liumiaocn etc]# ls
  6. clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
  7. [root@liumiaocn etc]#

生成病毒库更新日志文件

  1. [root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
  2. [root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
  3. [root@liumiaocn etc]#

修改文件

  1. [root@liumiaocn etc]# ls
  2. clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
  3. [root@liumiaocn etc]# vi clamd.conf
  4. [root@liumiaocn etc]# vi freshclam.conf
  5. [root@liumiaocn etc]# diff clamd.conf clamd.conf.sample
  6. 14c14
  7. < LogFile /usr/local/clamav/logs/clamd.log
  8. ---
  9. > #LogFile /tmp/clamd.log
  10. 66c66
  11. < PidFile /var/clamav/worktmp/clamd.pid
  12. ---
  13. > #PidFile /var/run/clamd.pid
  14. 74c74
  15. < DatabaseDirectory /var/lib/clamav/database
  16. ---
  17. > #DatabaseDirectory /var/lib/clamav
  18. [root@liumiaocn etc]#
  19. [root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample
  20. 8c8
  21. < #Example
  22. ---
  23. > Example
  24. 13c13
  25. < DatabaseDirectory /usr/local/clamav/database/
  26. ---
  27. > #DatabaseDirectory /var/lib/clamav
  28. 17c17
  29. < UpdateLogFile /usr/local/clamav/logs/freshclam.log
  30. ---
  31. > #UpdateLogFile /var/log/freshclam.log
  32. 51c51
  33. < PidFile /usr/local/clamav/worktmp/freshclam.pid
  34. ---
  35. > #PidFile /var/run/freshclam.pid
  36. [root@liumiaocn etc]#

其实本次示例中只需保证freshclam.conf文件正确设定即可保证ClamAV正常动作。

更新病毒库

在设定freshclam.conf之后,使用freshclam命令即可联网更新病毒库至database目录了, 首次更新稍微会花一点时间。

  1. [root@liumiaocn etc]# /usr/local/clamav/bin/freshclam
  2. ClamAV update process started at Fri Aug 4 22:39:40 2017
  3. Trying host database.clamav.net (69.12.162.28)...
  4. Downloading main.cvd [100%]
  5. main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
  6. Downloading daily.cvd [100%]
  7. daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
  8. Downloading bytecode.cvd [100%]
  9. bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
  10. Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
  11. [root@liumiaocn etc]#

更新之后

  1. [root@liumiaocn clamav]# pwd
  2. /usr/local/clamav
  3. [root@liumiaocn clamav]# ls database/
  4. bytecode.cvd daily.cvd main.cvd mirrors.dat
  5. [root@liumiaocn clamav]#

扫描病毒

下载病毒测试文件

  1. [root@liumiaocn ~]# ls
  2. anaconda-ks.cfg
  3. [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
  4. --2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
  5. Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
  6. Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
  7. HTTP request sent, awaiting response... 200 OK
  8. Length: 68 [application/octet-stream]
  9. Saving to: ‘eicar.com’
  10. 100%[===============================================================================================================================>] 68 --.-K/s in 0.001s
  11. 2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]
  12. [root@liumiaocn ~]# ls
  13. anaconda-ks.cfg eicar.com
  14. [root@liumiaocn ~]#

扫描并删除感染文件

  1. [root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
  2. /root/.bash_logout: OK
  3. /root/.bash_profile: OK
  4. /root/.bashrc: OK
  5. /root/.cshrc: OK
  6. /root/.tcshrc: OK
  7. /root/anaconda-ks.cfg: OK
  8. /root/.bash_history: OK
  9. /root/eicar.com: Eicar-Test-Signature FOUND
  10. /root/eicar.com: Removed.
  11. ----------- SCAN SUMMARY -----------
  12. Known viruses: 6123265
  13. Engine version: 0.101.2
  14. Scanned directories: 1
  15. Scanned files: 3
  16. Infected files: 0
  17. Data scanned: 0.12 MB
  18. Data read: 0.06 MB (ratio 1.88:1)
  19. Time: 49.224 sec (0 m 49 s)
  20. [root@liumiaocn ~]#

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

扫码关注云+社区

领取腾讯云代金券