Security Protection Tools: ClamAV

2019-06-19 18:57:56


ClamAV is an open-source virus scanner written in C that detects trojans, viruses, malware and similar threats, with a signature database that can be updated online. Viruses targeting Linux are fewer, but that does not make the platform immune: malware embedded in e-mail or inside archives is especially hard to catch by hand, and this is where ClamAV earns its keep. Basic information about ClamAV:

| Item | Detail |
| --- | --- |
| Official site | http://www.clamav.net/ |
| Downloads | http://www.clamav.net/downloads |
| Stable version at the time of writing | 0.99.2 (used for the source build below; the yum install later in this post pulls 0.101.2 from EPEL) |

Features

| Item | Detail |
| --- | --- |
| Main use | Virus scanning on mail gateways, with built-in support for many mail formats |
| Performance | Multi-threaded scanning daemon |
| Command line | Command-line scanner |
| Scan targets | Files, or mail before it is sent |
| File formats | Many file formats supported |
| Database update frequency | Several signature updates per day |
| Archives | Scans many archive formats: Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others |
| Documents | Common document formats: MS Office, Mac Office, HTML, Flash, RTF, PDF |

Installation

| Item | Detail |
| --- | --- |
| CentOS/RHEL | yum -y install clamav |
| Ubuntu/Debian | apt-get install clamav |

Note: on CentOS the clamav packages come from EPEL, so install epel-release first. For a source build, make sure a C compiler and zlib (with its headers) are available, then run ./configure, make and make install.

Installation log

```console
[root@liumiaocn ~]# yum -y install epel-release
Loaded plugins: fastestmirror
...
Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-9.noarch 1/1
Verifying : epel-release-7-9.noarch 1/1
Installed:
epel-release.noarch 0:7-9
Complete!
[root@liumiaocn ~]#
```

```console
[root@liumiaocn ~]# yum -y install clamav
Loaded plugins: fastestmirror
...
Running transaction
Installing : clamav-filesystem-0.101.2-1.el7.noarch 1/5
Installing : pcre2-10.23-2.el7.x86_64 2/5
Installing : clamav-lib-0.101.2-1.el7.x86_64 3/5
Installing : clamav-update-0.101.2-1.el7.x86_64 4/5
Installing : clamav-0.101.2-1.el7.x86_64 5/5
Verifying : clamav-0.101.2-1.el7.x86_64 1/5
Verifying : clamav-update-0.101.2-1.el7.x86_64 2/5
Verifying : clamav-lib-0.101.2-1.el7.x86_64 3/5
Verifying : pcre2-10.23-2.el7.x86_64 4/5
Verifying : clamav-filesystem-0.101.2-1.el7.noarch 5/5
Installed:
clamav.x86_64 0:0.101.2-1.el7
Dependency Installed:
clamav-filesystem.noarch 0:0.101.2-1.el7 clamav-lib.x86_64 0:0.101.2-1.el7
clamav-update.x86_64 0:0.101.2-1.el7 pcre2.x86_64 0:10.23-2.el7
Complete!
[root@liumiaocn ~]#
```

Version check

```console
[root@liumiaocn ~]# clamscan --version
ClamAV 0.101.2
[root@liumiaocn ~]#
```

Scanning

Use the clamscan command-line scanner on a directory. Each file is reported as OK or FOUND, followed by a summary; "Infected files" is the number of infected files detected. The example below scans /root and finds nothing infected.

```console
[root@liumiaocn ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 19.365 sec (0 m 19 s)
[root@liumiaocn ~]#
```

Note: the warning "The virus database is older than 7 days!" means the signature database has not been refreshed. The yum install above did pull in clamav-update, which provides the freshclam updater, but no signatures are fetched until freshclam is actually run, manually or on a schedule. The source-install section below sets freshclam up explicitly and runs the first update.

Simulated virus file

Download the EICAR test file, a harmless 68-byte ASCII file that every scanner is expected to detect, and see whether clamav catches it. Note that the fetch below goes over plain HTTP; if that URL is no longer served, the same file can be produced locally, since it is nothing but the EICAR test string.

```console
[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’
100%[===============================================================================================================================>] 68 --.-K/s in 0s
2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]
[root@liumiaocn ~]# ls
anaconda-ks.cfg eicar.com
[root@liumiaocn ~]# pwd
/root
```

Rescan

Scan again to see whether the newly downloaded test file is detected. The output now contains "/root/eicar.com: Eicar-Test-Signature FOUND" and "Infected files: 1", so the test file was detected.

```console
[root@liumiaocn ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 21.129 sec (0 m 21 s)
[root@liumiaocn ~]#
```

By default, however, clamscan only reports; it does not remove the file:

```console
[root@liumiaocn ~]# ls
anaconda-ks.cfg eicar.com
[root@liumiaocn ~]#
```

Scan and remove infected files

With the --remove option, clamscan deletes every file it flags.

```console
[root@liumiaocn ~]# clamscan --remove /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 23.546 sec (0 m 23 s)
[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]#
```

Caveat: --remove is irreversible, so a false positive destroys a legitimate file and a true positive destroys the evidence. Outside a demo, prefer --move=DIR (or --copy=DIR) into a quarantine directory readable only by root, and in scripts rely on clamscan's exit status rather than on the summary text: 0 means nothing was found, 1 means at least one infected file, 2 means an error occurred.
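The script below is an added example, not code from the original post or from the ClamAV project, that combines the two steps above: it writes the EICAR test file locally instead of downloading it over plain HTTP, then scans a directory with clamscan and quarantines hits instead of deleting them. The quarantine directory, the log path and the function names are assumptions for illustration; the clamscan options and the 0/1/2 exit codes are the tool's own.

```sh
#!/bin/sh
# Added example, not from the original post: build the EICAR test file locally,
# scan with clamscan, and act on the exit status instead of deleting hits.
# Quarantine and log locations below are assumptions, not ClamAV defaults.

# The standard 68-byte EICAR test string. Single quotes keep $, \ and ! literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write the test file (no trailing newline: the file must be exactly 68 bytes)
# and print its size so the caller can verify it.
make_eicar_file() {
    printf '%s' "$EICAR" > "$1"
    wc -c < "$1" | tr -d ' '
}

# Translate clamscan's documented exit status into a word.
explain_rc() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Recursively scan DIR, print only infected files, move hits into QUARANTINE
# and append the run to a log. Returns clamscan's exit status (0/1/2), or 2
# if clamscan is not installed at all.
scan_dir() {
    dir=$1
    quarantine=$2
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 2; }
    mkdir -p "$quarantine"
    chmod 700 "$quarantine"          # hits are still live samples: root-only
    clamscan --recursive --infected --move="$quarantine" \
             --log="$quarantine/scan.log" "$dir"
}

# Demo: scan a scratch directory that holds only the EICAR file, then clean up.
demo() {
    work=$(mktemp -d)
    make_eicar_file "$work/eicar.com" >/dev/null
    rc=0
    scan_dir "$work" "$work/quarantine" || rc=$?
    echo "clamscan exit status $rc: $(explain_rc "$rc")"
    rm -rf "$work"
}

# Run the demo only when invoked as: ./eicar-scan.sh --demo
case "${1:-}" in
    --demo) demo ;;
esac
```

Run as root with something like `scan_dir /root /var/quarantine`; a return value of 1 with `eicar.com` moved into the quarantine directory confirms that the database is loaded and detection works. For a whole-filesystem scan add `--exclude-dir='^/sys' --exclude-dir='^/proc'` to the clamscan line.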

Source install

The yum package leaves the database refresh to you, and a source build makes the whole layout (binaries, configuration, database, logs) explicit, so it is worth walking through.

Download the source

| Item | Detail |
| --- | --- |
| Download command | wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz |

Verify the tarball against the signature published alongside it before building.

Extract

| Item | Detail |
| --- | --- |
| Extract | tar xvpf clamav-0.99.2.tar.gz |
| Change directory | cd clamav-0.99.2 |

Build dependencies

| Item | Detail |
| --- | --- |
| Install gcc | yum install gcc -y |
| Install openssl | yum install openssl openssl-devel -y |
| Create the install directory | mkdir -p /usr/local/clamav |

(If ./configure complains about zlib, add zlib-devel as well, as the note in the installation section says.)

configure & make & make install

| Item | Detail |
| --- | --- |
| configure | ./configure --prefix=/usr/local/clamav |
| make | make |
| make install | make install |

Post-install check

```console
[root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
ClamAV 0.99.2
[root@liumiaocn clamav-0.99.2]#
```

Note: running clamscan at this point fails as follows.

```console
[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
ERROR: Can't get file status
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.002 sec (0 m 0 s)
[root@liumiaocn clamav-0.99.2]#
```

A look at the source shows the cause is simple: clamscan needs a usable signature database, and the user and group that own it have to be set up. The overall order is:

1. Create the user and group
2. Create the directories and set their ownership
3. Copy and edit the configuration files
4. Update the virus database
5. Scan

Setup

Step 1: Create the user and group

| Item | Detail |
| --- | --- |
| Create the group | groupadd clamav |
| Create the user | useradd -g clamav clamav |

Step 2: Create directories and set permissions

Create the directories

| Directory | Purpose |
| --- | --- |
| logs | Log files |
| database | The downloaded signature database |
| worktmp | Temporary and state files such as pid files |

```console
[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# ls
bin etc include lib64 sbin share
[root@liumiaocn clamav]# mkdir -p logs database worktmp
[root@liumiaocn clamav]#
```

Set ownership

```console
[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# chown clamav:clamav database
[root@liumiaocn clamav]#
```

Only database is chowned here. freshclam drops privileges to the DatabaseOwner user (clamav by default) before it writes anything, so logs and worktmp, which receive its log and pid file, should be owned by clamav as well; the log file itself is chowned in the next step.

Step 3: Copy and edit the configuration files

Create the configuration files from the samples

| Directory | Source | Target |
| --- | --- | --- |
| /usr/local/clamav/etc | clamd.conf.sample | clamd.conf |
| /usr/local/clamav/etc | freshclam.conf.sample | freshclam.conf |

```console
[root@liumiaocn etc]# pwd
/usr/local/clamav/etc
[root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
[root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
[root@liumiaocn etc]# ls
clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
[root@liumiaocn etc]#
```

Create the database update log file

```console
[root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
[root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
[root@liumiaocn etc]#
```

Edit the files

```console
[root@liumiaocn etc]# ls
clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
[root@liumiaocn etc]# vi clamd.conf
[root@liumiaocn etc]# vi freshclam.conf
[root@liumiaocn etc]# diff clamd.conf clamd.conf.sample
14c14
< LogFile /usr/local/clamav/logs/clamd.log
---
> #LogFile /tmp/clamd.log
66c66
< PidFile /var/clamav/worktmp/clamd.pid
---
> #PidFile /var/run/clamd.pid
74c74
< DatabaseDirectory /var/lib/clamav/database
---
> #DatabaseDirectory /var/lib/clamav
[root@liumiaocn etc]#
[root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample
8c8
< #Example
---
> Example
13c13
< DatabaseDirectory /usr/local/clamav/database/
---
> #DatabaseDirectory /var/lib/clamav
17c17
< UpdateLogFile /usr/local/clamav/logs/freshclam.log
---
> #UpdateLogFile /var/log/freshclam.log
51c51
< PidFile /usr/local/clamav/worktmp/freshclam.pid
---
> #PidFile /var/run/freshclam.pid
[root@liumiaocn etc]#
```

For this example only freshclam.conf has to be right for ClamAV to work. Two things to watch: the Example line in each sample must be commented out (freshclam and clamd refuse to start while it is present), and the clamd.conf edits shown above point PidFile at /var/clamav/worktmp and DatabaseDirectory at /var/lib/clamav/database, neither of which was created here. If clamd is ever run from this build, set them to /usr/local/clamav/worktmp/clamd.pid and /usr/local/clamav/database instead.

Update the virus database

With freshclam.conf in place, running freshclam fetches the signature database into the database directory. The first run takes a little while because main.cvd is large.

```console
[root@liumiaocn etc]# /usr/local/clamav/bin/freshclam
ClamAV update process started at Fri Aug 4 22:39:40 2017
Trying host database.clamav.net (69.12.162.28)...
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
[root@liumiaocn etc]#
```

After the update

```console
[root@liumiaocn clamav]# pwd
/usr/local/clamav
[root@liumiaocn clamav]# ls database/
bytecode.cvd daily.cvd main.cvd mirrors.dat
[root@liumiaocn clamav]#
```
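Steps 1 to 4 above, collected into one script. This is an added example, not the post's or the ClamAV project's own code: the directory layout and the clamav user follow the post, the sed edits reproduce the freshclam.conf diff shown above, and clamd.conf is pointed at the same /usr/local/clamav tree (the post's own clamd.conf edits used /var paths that do not exist in this layout). The nologin shell for the service account, the explicit DatabaseOwner line and the function names are my additions.

```sh
#!/bin/sh
# Added example, not from the original post: automate Steps 1-4 of the
# source-install setup. PREFIX matches the post; the sed edits mirror the
# freshclam.conf diff shown there. Assumptions: clamd.conf is pointed at the
# same PREFIX tree, and the service account gets a nologin shell.
PREFIX=${PREFIX:-/usr/local/clamav}

# Step 3a: turn freshclam.conf.sample into a working freshclam.conf.
# Usage: render_freshclam_conf SAMPLE OUT PREFIX
render_freshclam_conf() {
    sed -e 's|^Example$|#Example|' \
        -e "s|^#DatabaseDirectory .*|DatabaseDirectory $3/database|" \
        -e "s|^#UpdateLogFile .*|UpdateLogFile $3/logs/freshclam.log|" \
        -e "s|^#PidFile .*|PidFile $3/worktmp/freshclam.pid|" \
        -e 's|^#DatabaseOwner .*|DatabaseOwner clamav|' \
        "$1" > "$2"
}

# Step 3b: the same for clamd.conf, using the PREFIX tree throughout.
# (Only needed if the clamd daemon is run later; clamscan ignores it.)
render_clamd_conf() {
    sed -e 's|^Example$|#Example|' \
        -e "s|^#LogFile .*|LogFile $3/logs/clamd.log|" \
        -e "s|^#PidFile .*|PidFile $3/worktmp/clamd.pid|" \
        -e "s|^#DatabaseDirectory .*|DatabaseDirectory $3/database|" \
        "$1" > "$2"
}

# Steps 1-2: service account and the directories freshclam writes to. Must run
# as root. freshclam drops to DatabaseOwner before writing, so logs and
# worktmp need the same ownership as database, not just database itself.
setup_layout() {
    prefix=$1
    getent group clamav >/dev/null || groupadd clamav
    id clamav >/dev/null 2>&1 || useradd -g clamav -s /sbin/nologin clamav
    mkdir -p "$prefix/logs" "$prefix/database" "$prefix/worktmp"
    touch "$prefix/logs/freshclam.log"
    chown -R clamav:clamav "$prefix/logs" "$prefix/database" "$prefix/worktmp"
}

# Steps 3-4: write both configs from the samples, then fetch the signatures.
setup_and_update() {
    prefix=$1
    render_freshclam_conf "$prefix/etc/freshclam.conf.sample" "$prefix/etc/freshclam.conf" "$prefix"
    render_clamd_conf "$prefix/etc/clamd.conf.sample" "$prefix/etc/clamd.conf" "$prefix"
    "$prefix/bin/freshclam" --config-file="$prefix/etc/freshclam.conf"
}

# Run the whole sequence only when invoked as: ./setup-clamav.sh --run
# (as root, after make install).
case "${1:-}" in
    --run) setup_layout "$PREFIX" && setup_and_update "$PREFIX" ;;
esac
```

After the script has run, scan with `/usr/local/clamav/bin/clamscan -d /usr/local/clamav/database /root`: clamscan does not read freshclam.conf and by default looks only in the directory compiled in at configure time (/usr/local/clamav/share/clamav, the path in the cl_load error earlier), so the database directory chosen here has to be passed explicitly, or DatabaseDirectory in freshclam.conf set to that compiled-in path.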

Scan for viruses

Download the test file

```console
[root@liumiaocn ~]# ls
anaconda-ks.cfg
[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’
100%[===============================================================================================================================>] 68 --.-K/s in 0.001s
2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]
[root@liumiaocn ~]# ls
anaconda-ks.cfg eicar.com
[root@liumiaocn ~]#
```

Scan and remove infected files

```console
[root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 6123265
Engine version: 0.101.2
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 0.12 MB
Data read: 0.06 MB (ratio 1.88:1)
Time: 49.224 sec (0 m 49 s)
[root@liumiaocn ~]#
```

The per-file lines show eicar.com detected and removed by the source build, and the stale-database warning is gone. The summary pasted here (Scanned files: 3, Infected files: 0, Engine version 0.101.2) does not match those per-file lines, so treat the per-file output, or better the exit status (1 when infected files were found), as the result. If clamscan instead repeats the cl_load error from before, pass --database=/usr/local/clamav/database: clamscan does not read freshclam.conf and by default looks only in the directory compiled in at configure time.
