安全防护工具之：ClamAV

安全防护工具之：ClamAV

ClamAV是一个C语言开发的开源病毒扫描工具用于检测木马/病毒/恶意软件等。可以在线更新病毒库，Linux系统的病毒较少，但是并不意味着病毒免疫，尤其是对于诸如邮件或者归档文件中夹杂的病毒往往更加难以防范，而ClamAV则能起到不少作用。 ClamAV相关信息如下：

功能特性

安装方式

注意：centos上的clamd是在epel-release下，需要现行安装epel-release。 如果使用源码安装方式的话，保证C编译器和ZLIB等存在的情况下对源码./configure->make->make install即可。

安装日志

1. [root@liumiaocn ~]# yum -y install epel-release
2. Loaded plugins: fastestmirror
3. ...
4. Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
5. From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
6. Running transaction check
7. Running transaction test
8. Transaction test succeeded
9. Running transaction
10. Installing : epel-release-7-9.noarch 1/1
11. Verifying : epel-release-7-9.noarch 1/1
13. Installed:
14. epel-release.noarch 0:7-9
16. Complete!
17. [root@liumiaocn ~]#

1. [root@liumiaocn ~]# yum -y install clamav
2. Loaded plugins: fastestmirror
3. ...
4. Running transaction
5. Installing : clamav-filesystem-0.101.2-1.el7.noarch 1/5
6. Installing : pcre2-10.23-2.el7.x86_64 2/5
7. Installing : clamav-lib-0.101.2-1.el7.x86_64 3/5
8. Installing : clamav-update-0.101.2-1.el7.x86_64 4/5
9. Installing : clamav-0.101.2-1.el7.x86_64 5/5
10. Verifying : clamav-0.101.2-1.el7.x86_64 1/5
11. Verifying : clamav-update-0.101.2-1.el7.x86_64 2/5
12. Verifying : clamav-lib-0.101.2-1.el7.x86_64 3/5
13. Verifying : pcre2-10.23-2.el7.x86_64 4/5
14. Verifying : clamav-filesystem-0.101.2-1.el7.noarch 5/5
16. Installed:
17. clamav.x86_64 0:0.101.2-1.el7
19. Dependency Installed:
20. clamav-filesystem.noarch 0:0.101.2-1.el7 clamav-lib.x86_64 0:0.101.2-1.el7
21. clamav-update.x86_64 0:0.101.2-1.el7 pcre2.x86_64 0:10.23-2.el7
23. Complete!
24. [root@liumiaocn ~]#

版本确认

1. [root@liumiaocn ~]# clamscan --version
2. ClamAV 0.101.2
3. [root@liumiaocn ~]#

扫描

使用clamscan命令行对某一目录进行扫描，可以确认结果是否OK，同时会给出一个扫描的总体信息，其中Infected files是扫描出来的被感染的文件个数。比如如下示例表明对/root目录下的文件进行扫描，未发现感染文件的情况。

1. [root@liumiaocn ~]# clamscan /root
2. LibClamAV Warning: **************************************************
3. LibClamAV Warning: *** The virus database is older than 7 days! ***
4. LibClamAV Warning: *** Please update it as soon as possible. ***
5. LibClamAV Warning: **************************************************
6. /root/.bash_logout: OK
7. /root/.bash_profile: OK
8. /root/.bashrc: OK
9. /root/.cshrc: OK
10. /root/.tcshrc: OK
11. /root/anaconda-ks.cfg: OK
12. /root/.bash_history: OK
14. ----------- SCAN SUMMARY -----------
15. Known viruses: 4490129
16. Engine version: 0.99.2
17. Scanned directories: 1
18. Scanned files: 7
19. Infected files: 0
20. Data scanned: 0.00 MB
21. Data read: 0.00 MB (ratio 0.00:1)
22. Time: 19.365 sec (0 m 19 s)
23. [root@liumiaocn ~]#

注意：此处提示“The virus database is older than 7 days!”的原因在于病毒库没有及时更新。因为使用yum缺省安装目前的版本似乎不会自动安装freshclam的病毒库更新功能，后面我们会使用源码安装方式来解决这个问题。

模拟病毒文件

从eicar.org下载一个用于模拟病毒的文件，看一下clamav是否能够扫描出来

1. [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
2. --2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
3. Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
4. Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
5. HTTP request sent, awaiting response... 200 OK
6. Length: 68 [application/octet-stream]
7. Saving to: ‘eicar.com’
9. 100%[===============================================================================================================================>] 68 --.-K/s in 0s
11. 2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]
13. [root@liumiaocn ~]# ls
14. anaconda-ks.cfg eicar.com
15. [root@liumiaocn ~]# pwd
16. /root

重新扫描

重新扫描看是否能够检测出新下载的病毒测试文件。进过测试，发现结果中提示“/root/eicar.com: Eicar-Test-Signature FOUND”，同时“Infected files: 1”，说明此病毒文件被检测出来了

1. [root@liumiaocn ~]# clamscan /root
2. LibClamAV Warning: **************************************************
3. LibClamAV Warning: *** The virus database is older than 7 days! ***
4. LibClamAV Warning: *** Please update it as soon as possible. ***
5. LibClamAV Warning: **************************************************
6. /root/.bash_logout: OK
7. /root/.bash_profile: OK
8. /root/.bashrc: OK
9. /root/.cshrc: OK
10. /root/.tcshrc: OK
11. /root/anaconda-ks.cfg: OK
12. /root/.bash_history: OK
13. /root/eicar.com: Eicar-Test-Signature FOUND
15. ----------- SCAN SUMMARY -----------
16. Known viruses: 4490129
17. Engine version: 0.99.2
18. Scanned directories: 1
19. Scanned files: 8
20. Infected files: 1
21. Data scanned: 0.00 MB
22. Data read: 0.00 MB (ratio 0.00:1)
23. Time: 21.129 sec (0 m 21 s)
24. [root@liumiaocn ~]#

但是缺省的方式下，clamscan只会检测不会自动删除文件

1. [root@liumiaocn ~]# ls
2. anaconda-ks.cfg eicar.com
3. [root@liumiaocn ~]#

扫描并删除感染文件

使用–remove选项，会直接删除检测出来的文件。

1. [root@liumiaocn ~]# clamscan --remove /root
2. LibClamAV Warning: **************************************************
3. LibClamAV Warning: *** The virus database is older than 7 days! ***
4. LibClamAV Warning: *** Please update it as soon as possible. ***
5. LibClamAV Warning: **************************************************
6. /root/.bash_logout: OK
7. /root/.bash_profile: OK
8. /root/.bashrc: OK
9. /root/.cshrc: OK
10. /root/.tcshrc: OK
11. /root/anaconda-ks.cfg: OK
12. /root/.bash_history: OK
13. /root/eicar.com: Eicar-Test-Signature FOUND
14. /root/eicar.com: Removed.
16. ----------- SCAN SUMMARY -----------
17. Known viruses: 4490129
18. Engine version: 0.99.2
19. Scanned directories: 1
20. Scanned files: 8
21. Infected files: 1
22. Data scanned: 0.00 MB
23. Data read: 0.00 MB (ratio 0.00:1)
24. Time: 23.546 sec (0 m 23 s)
25. [root@liumiaocn ~]# ls
26. anaconda-ks.cfg
27. [root@liumiaocn ~]#

源码安装方式

目前使用yum源安装病毒库的更新相关的仍需手动操作，所以可以考虑使用源码安装方式。

下载源码

解压

编译前依赖

config & make & make install

安装后确认

1. [root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
2. clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
3. [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
4. ClamAV 0.99.2
5. [root@liumiaocn clamav-0.99.2]#

注意：此时如果执行clamscan进行扫描，会提示如下问题。

1. [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
2. LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
3. ERROR: Can't get file status
5. ----------- SCAN SUMMARY -----------
6. Known viruses: 0
7. Engine version: 0.99.2
8. Scanned directories: 0
9. Scanned files: 0
10. Infected files: 0
11. Data scanned: 0.00 MB
12. Data read: 0.00 MB (ratio 0.00:1)
13. Time: 0.002 sec (0 m 0 s)
14. [root@liumiaocn clamav-0.99.2]#

查看源码之后发现其实很简单，此时需要有可用的病毒库文件，同时用户和组的权限也需要设定。整体的顺序按照：

设定

Step 1: 创建用户和组

Step 2: 创建目录并设定权限

创建目录

1. [root@liumiaocn clamav]# pwd
2. /usr/local/clamav
3. [root@liumiaocn clamav]# ls
4. bin etc include lib64 sbin share
5. [root@liumiaocn clamav]# mkdir -p logs database worktmp
6. [root@liumiaocn clamav]#

设定权限

1. [root@liumiaocn clamav]# pwd
2. /usr/local/clamav
3. [root@liumiaocn clamav]# chown clamav:clamav database
4. [root@liumiaocn clamav]#

Step 3: 拷贝和更新设定文件

拷贝生成设定文件

1. [root@liumiaocn etc]# pwd
2. /usr/local/clamav/etc
3. [root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
4. [root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
5. [root@liumiaocn etc]# ls
6. clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
7. [root@liumiaocn etc]#

生成病毒库更新日志文件

1. [root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
2. [root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
3. [root@liumiaocn etc]#

修改文件

1. [root@liumiaocn etc]# ls
2. clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
3. [root@liumiaocn etc]# vi clamd.conf
4. [root@liumiaocn etc]# vi freshclam.conf
5. [root@liumiaocn etc]# diff clamd.conf clamd.conf.sample
6. 14c14
7. < LogFile /usr/local/clamav/logs/clamd.log
8. ---
9. > #LogFile /tmp/clamd.log
10. 66c66
11. < PidFile /var/clamav/worktmp/clamd.pid
12. ---
13. > #PidFile /var/run/clamd.pid
14. 74c74
15. < DatabaseDirectory /var/lib/clamav/database
16. ---
17. > #DatabaseDirectory /var/lib/clamav
18. [root@liumiaocn etc]#
19. [root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample
20. 8c8
21. < #Example
22. ---
23. > Example
24. 13c13
25. < DatabaseDirectory /usr/local/clamav/database/
26. ---
27. > #DatabaseDirectory /var/lib/clamav
28. 17c17
29. < UpdateLogFile /usr/local/clamav/logs/freshclam.log
30. ---
31. > #UpdateLogFile /var/log/freshclam.log
32. 51c51
33. < PidFile /usr/local/clamav/worktmp/freshclam.pid
34. ---
35. > #PidFile /var/run/freshclam.pid
36. [root@liumiaocn etc]#

其实本次示例中只需保证freshclam.conf文件正确设定即可保证ClamAV正常动作。

更新病毒库

在设定freshclam.conf之后，使用freshclam命令即可联网更新病毒库至database目录了, 首次更新稍微会花一点时间。

1. [root@liumiaocn etc]# /usr/local/clamav/bin/freshclam
2. ClamAV update process started at Fri Aug 4 22:39:40 2017
3. Trying host database.clamav.net (69.12.162.28)...
4. Downloading main.cvd [100%]
5. main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
6. Downloading daily.cvd [100%]
7. daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
8. Downloading bytecode.cvd [100%]
9. bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
10. Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
11. [root@liumiaocn etc]#

更新之后

1. [root@liumiaocn clamav]# pwd
2. /usr/local/clamav
3. [root@liumiaocn clamav]# ls database/
4. bytecode.cvd daily.cvd main.cvd mirrors.dat
5. [root@liumiaocn clamav]#

扫描病毒

下载病毒测试文件

1. [root@liumiaocn ~]# ls
2. anaconda-ks.cfg
3. [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
4. --2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
5. Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
6. Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
7. HTTP request sent, awaiting response... 200 OK
8. Length: 68 [application/octet-stream]
9. Saving to: ‘eicar.com’
11. 100%[===============================================================================================================================>] 68 --.-K/s in 0.001s
13. 2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]
15. [root@liumiaocn ~]# ls
16. anaconda-ks.cfg eicar.com
17. [root@liumiaocn ~]#

扫描并删除感染文件

1. [root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
2. /root/.bash_logout: OK
3. /root/.bash_profile: OK
4. /root/.bashrc: OK
5. /root/.cshrc: OK
6. /root/.tcshrc: OK
7. /root/anaconda-ks.cfg: OK
8. /root/.bash_history: OK
9. /root/eicar.com: Eicar-Test-Signature FOUND
10. /root/eicar.com: Removed.
12. ----------- SCAN SUMMARY -----------
13. Known viruses: 6123265
14. Engine version: 0.101.2
15. Scanned directories: 1
16. Scanned files: 3
17. Infected files: 0
18. Data scanned: 0.12 MB
19. Data read: 0.06 MB (ratio 1.88:1)
20. Time: 49.224 sec (0 m 49 s)
22. [root@liumiaocn ~]#