Security Defense Tools: ClamAV

2 October 2018 00:49:35  neo_will_mvp  Views: 359

Copyright notice: researched and written with care; this is the blogger's original article and may not be reproduced without the blogger's permission. https://blog.csdn.net/qq_33468857/article/details/82920832

ClamAV is an open-source virus scanner written in C that detects trojans, viruses, malware and the like, and its signature database can be updated online. Linux sees fewer viruses, but that does not make it immune; viruses hidden in e-mail or archive files in particular are often hard to guard against, and this is where ClamAV earns its keep.
Basic information about ClamAV:

Item                     Detail
Official site            http://www.clamav.net/
Download page            http://www.clamav.net/downloads
Current stable version   0.99.2

Features

Item                     Detail
Main use                 Virus scanning for mail gateways, with built-in support for many mail formats
Performance              Multi-threaded scanning daemon
Command line             Command-line scanning is provided
Scan targets             Outgoing mail or files can be scanned
File formats             Many file formats are supported
Database update rate     Signature database updated several times a day
Archive files            Scans many archive formats, e.g. Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS
Documents                Supports popular document formats, e.g. MS Office, MacOffice, HTML, Flash, RTF, PDF

Installation

Item              Detail
CentOS/RHEL       yum -y install clamav
Ubuntu/Debian     apt-get install clamav

Note: on CentOS, clamd is provided through epel-release, so epel-release has to be installed first. For a source install, as long as a C compiler, zlib and the other prerequisites are present, run ./configure -> make -> make install on the source tree.

Installation log

    [root@liumiaocn ~]# yum -y install epel-release
    Loaded plugins: fastestmirror
    ...
    Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
    From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Installing : epel-release-7-9.noarch 1/1
    Verifying : epel-release-7-9.noarch 1/1

    Installed:
    epel-release.noarch 0:7-9

    Complete!
    [root@liumiaocn ~]#

    [root@liumiaocn ~]# yum -y install clamav
    Loaded plugins: fastestmirror
    ...
    Running transaction
    Installing : clamav-filesystem-0.101.2-1.el7.noarch 1/5
    Installing : pcre2-10.23-2.el7.x86_64 2/5
    Installing : clamav-lib-0.101.2-1.el7.x86_64 3/5
    Installing : clamav-update-0.101.2-1.el7.x86_64 4/5
    Installing : clamav-0.101.2-1.el7.x86_64 5/5
    Verifying : clamav-0.101.2-1.el7.x86_64 1/5
    Verifying : clamav-update-0.101.2-1.el7.x86_64 2/5
    Verifying : clamav-lib-0.101.2-1.el7.x86_64 3/5
    Verifying : pcre2-10.23-2.el7.x86_64 4/5
    Verifying : clamav-filesystem-0.101.2-1.el7.noarch 5/5

    Installed:
    clamav.x86_64 0:0.101.2-1.el7

    Dependency Installed:
    clamav-filesystem.noarch 0:0.101.2-1.el7 clamav-lib.x86_64 0:0.101.2-1.el7
    clamav-update.x86_64 0:0.101.2-1.el7 pcre2.x86_64 0:10.23-2.el7

    Complete!
    [root@liumiaocn ~]#

Version check

    [root@liumiaocn ~]# clamscan --version
    ClamAV 0.101.2
    [root@liumiaocn ~]#

Scanning

Use the clamscan command line to scan a directory: each file is reported as OK or not, and a summary is printed at the end, in which Infected files is the number of infected files found. The example below scans the files under /root and finds no infected files.

    [root@liumiaocn ~]# clamscan /root
    LibClamAV Warning: **************************************************
    LibClamAV Warning: *** The virus database is older than 7 days! ***
    LibClamAV Warning: *** Please update it as soon as possible. ***
    LibClamAV Warning: **************************************************
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 4490129
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 7
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 19.365 sec (0 m 19 s)
    [root@liumiaocn ~]#

Note: the warning "The virus database is older than 7 days!" appears because the signature database has not been updated. The version installed by default through yum does not seem to set up freshclam's database update automatically; we will solve this later with a source install.

Simulated virus file

Download the file from eicar.org that simulates a virus and see whether clamav detects it.

    [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
    --2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
    Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
    Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 68 [application/octet-stream]
    Saving to: ‘eicar.com’

    100%[===============================================================================================================================>] 68 --.-K/s in 0s

    2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]

    [root@liumiaocn ~]# ls
    anaconda-ks.cfg eicar.com
    [root@liumiaocn ~]# pwd
    /root

Rescan

Scan again to see whether the newly downloaded test file is detected. The result now contains "/root/eicar.com: Eicar-Test-Signature FOUND" and "Infected files: 1", so the test file was detected.

    [root@liumiaocn ~]# clamscan /root
    LibClamAV Warning: **************************************************
    LibClamAV Warning: *** The virus database is older than 7 days! ***
    LibClamAV Warning: *** Please update it as soon as possible. ***
    LibClamAV Warning: **************************************************
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK
    /root/eicar.com: Eicar-Test-Signature FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 4490129
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 8
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 21.129 sec (0 m 21 s)
    [root@liumiaocn ~]#

By default, however, clamscan only detects; it does not delete the file automatically.

    [root@liumiaocn ~]# ls
    anaconda-ks.cfg eicar.com
    [root@liumiaocn ~]#

Scan and remove infected files

With the --remove option, detected files are deleted directly.

    [root@liumiaocn ~]# clamscan --remove /root
    LibClamAV Warning: **************************************************
    LibClamAV Warning: *** The virus database is older than 7 days! ***
    LibClamAV Warning: *** Please update it as soon as possible. ***
    LibClamAV Warning: **************************************************
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK
    /root/eicar.com: Eicar-Test-Signature FOUND
    /root/eicar.com: Removed.

    ----------- SCAN SUMMARY -----------
    Known viruses: 4490129
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 8
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 23.546 sec (0 m 23 s)
    [root@liumiaocn ~]# ls
    anaconda-ks.cfg
    [root@liumiaocn ~]#
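An added example (not code from the post) of how a defender would wrap the scan shown above: instead of deleting hits with --remove, they are quarantined with clamscan's --move option, and the FOUND lines and the SCAN SUMMARY are parsed so the result can be logged or alerted on. clamscan being on PATH and the quarantine directory are assumptions; the sample output at the bottom is constructed from the post's run.

```shell
#!/bin/sh
# Added example: quarantine-and-report wrapper around clamscan (not the post's own code).

# Lines of the form "<path>: <signature> FOUND" become "<path> <signature>".
found_files() {
  printf '%s\n' "$1" | sed -n 's/^\(.*\): \(.*\) FOUND$/\1 \2/p'
}

# The "Infected files: N" counter from the SCAN SUMMARY block.
infected_count() {
  printf '%s\n' "$1" | sed -n 's/^Infected files: \([0-9]*\)$/\1/p'
}

# clamscan exits 0 when clean, 1 when something was found, 2 on error.
scan_status() {
  case "$1" in 0) echo clean ;; 1) echo infected ;; *) echo error ;; esac
}

# Scan $1 recursively; hits are moved into the quarantine directory $2 (assumed path)
# rather than deleted, so they can be examined later. Prints a one-line report plus
# one line per hit and returns clamscan's exit status.
scan_and_quarantine() {
  qdir=$2
  mkdir -p "$qdir" && chmod 700 "$qdir"
  out=$(clamscan --recursive --infected --move="$qdir" "$1" 2>&1)
  rc=$?
  echo "status=$(scan_status "$rc") infected=$(infected_count "$out")"
  found_files "$out"
  return "$rc"
}

# Constructed output modelled on the post's run, used to exercise the parsers offline.
SAMPLE_OUTPUT='LibClamAV Warning: *** The virus database is older than 7 days! ***
/root/.bashrc: OK
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4490129
Infected files: 1'

echo "sample: status=$(scan_status 1) infected=$(infected_count "$SAMPLE_OUTPUT")"
found_files "$SAMPLE_OUTPUT"
```

A real run would be `scan_and_quarantine /root /var/quarantine` (quarantine path assumed); the non-zero exit status makes the wrapper usable from cron or a monitoring check.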

Installing from source

With the yum install, updating the signature database still requires manual steps, so a source install is worth considering.

Download the source

Item                Detail
Download command    wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz

Extract

Item                Detail
Extract command     tar xvpf clamav-0.99.2.tar.gz
Change directory    cd clamav-0.99.2

Build dependencies

Item                Detail
Install gcc         yum install gcc -y
Install openssl     yum install openssl openssl-devel -y
Create directory    mkdir -p /usr/local/clamav

configure & make & make install

Item                Detail
configure           ./configure --prefix=/usr/local/clamav
make                make
make install        make install

Post-install check

    [root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
    clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
    [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
    ClamAV 0.99.2
    [root@liumiaocn clamav-0.99.2]#

Note: if clamscan is run at this point, it reports the following problem.

    [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
    LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
    ERROR: Can't get file status

    ----------- SCAN SUMMARY -----------
    Known viruses: 0
    Engine version: 0.99.2
    Scanned directories: 0
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 0.002 sec (0 m 0 s)
    [root@liumiaocn clamav-0.99.2]#

A look at the source shows the cause is simple: a usable signature database file is needed, and the user and group permissions must be set up. The overall sequence is:

Item      Detail
Step 1    Create the user and group
Step 2    Create the directories and set permissions
Step 3    Copy and edit the configuration files
Step 4    Update the signature database
Step 5    Scan for viruses

Setup

Step 1: create the user and group

Item            Detail
Create group    groupadd clamav
Create user     useradd -g clamav clamav

Step 2: create the directories and set permissions

Create the directories

Directory    Detail
logs         Log files
database     Downloaded signature database
worktmp      pid files and other temporary or state files

    [root@liumiaocn clamav]# pwd
    /usr/local/clamav
    [root@liumiaocn clamav]# ls
    bin etc include lib64 sbin share
    [root@liumiaocn clamav]# mkdir -p logs database worktmp
    [root@liumiaocn clamav]#

Set permissions

    [root@liumiaocn clamav]# pwd
    /usr/local/clamav
    [root@liumiaocn clamav]# chown clamav:clamav database
    [root@liumiaocn clamav]#

Step 3: copy and edit the configuration files

Create the configuration files by copying the samples

Directory               Source file             Target file
/usr/local/clamav/etc   clamd.conf.sample       clamd.conf
/usr/local/clamav/etc   freshclam.conf.sample   freshclam.conf

    [root@liumiaocn etc]# pwd
    /usr/local/clamav/etc
    [root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
    [root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
    [root@liumiaocn etc]# ls
    clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
    [root@liumiaocn etc]#

Create the database update log file

    [root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
    [root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
    [root@liumiaocn etc]#

Edit the files

    [root@liumiaocn etc]# ls
    clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
    [root@liumiaocn etc]# vi clamd.conf
    [root@liumiaocn etc]# vi freshclam.conf
    [root@liumiaocn etc]# diff clamd.conf clamd.conf.sample
    14c14
    < LogFile /usr/local/clamav/logs/clamd.log
    ---
    > #LogFile /tmp/clamd.log
    66c66
    < PidFile /var/clamav/worktmp/clamd.pid
    ---
    > #PidFile /var/run/clamd.pid
    74c74
    < DatabaseDirectory /var/lib/clamav/database
    ---
    > #DatabaseDirectory /var/lib/clamav
    [root@liumiaocn etc]#
    [root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample
    8c8
    < #Example
    ---
    > Example
    13c13
    < DatabaseDirectory /usr/local/clamav/database/
    ---
    > #DatabaseDirectory /var/lib/clamav
    17c17
    < UpdateLogFile /usr/local/clamav/logs/freshclam.log
    ---
    > #UpdateLogFile /var/log/freshclam.log
    51c51
    < PidFile /usr/local/clamav/worktmp/freshclam.pid
    ---
    > #PidFile /var/run/freshclam.pid
    [root@liumiaocn etc]#

In this example only freshclam.conf actually needs to be set correctly for ClamAV to work normally.

Update the signature database

Once freshclam.conf is set, the freshclam command downloads the signature database into the database directory over the network; the first update takes a little while.

    [root@liumiaocn etc]# /usr/local/clamav/bin/freshclam
    ClamAV update process started at Fri Aug 4 22:39:40 2017
    Trying host database.clamav.net (69.12.162.28)...
    Downloading main.cvd [100%]
    main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
    Downloading bytecode.cvd [100%]
    bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
    Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
    [root@liumiaocn etc]#

After the update

    [root@liumiaocn clamav]# pwd
    /usr/local/clamav
    [root@liumiaocn clamav]# ls database/
    bytecode.cvd daily.cvd main.cvd mirrors.dat
    [root@liumiaocn clamav]#
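Steps 1 to 4 above as one script (an added example, not the author's code): the layout and ownership from Steps 1 and 2, the freshclam.conf edits from the Step 3 diff applied with sed instead of vi, and the freshclam call from Step 4. It assumes the post's prefix /usr/local/clamav; the functions that need root or the network are defined but not run, and only the config generation is exercised, on a constructed sample.

```shell
#!/bin/sh
# Added example, not the post's own code: the post's Steps 1-4 for a source install
# under the post's prefix. The sed edits reproduce the freshclam.conf diff shown above.
PREFIX=${PREFIX:-/usr/local/clamav}

# Steps 1-2: service account, directories and ownership as in the post (needs root).
prepare_layout() {
  getent group clamav >/dev/null || groupadd clamav
  id clamav >/dev/null 2>&1 || useradd -g clamav clamav
  mkdir -p "$PREFIX/logs" "$PREFIX/database" "$PREFIX/worktmp"
  touch "$PREFIX/logs/freshclam.log"
  chown clamav:clamav "$PREFIX/database" "$PREFIX/logs/freshclam.log"
}

# Step 3: derive freshclam.conf ($2) from freshclam.conf.sample ($1): comment out the
# "Example" guard line and point the three paths at $PREFIX, commented or not.
gen_freshclam_conf() {
  sed -e 's|^Example$|#Example|' \
      -e "s|^#\{0,1\}DatabaseDirectory .*|DatabaseDirectory $PREFIX/database/|" \
      -e "s|^#\{0,1\}UpdateLogFile .*|UpdateLogFile $PREFIX/logs/freshclam.log|" \
      -e "s|^#\{0,1\}PidFile .*|PidFile $PREFIX/worktmp/freshclam.pid|" \
      "$1" > "$2"
}

# Sanity check before running freshclam: all three paths set, Example line disabled.
check_freshclam_conf() {
  grep -q "^DatabaseDirectory $PREFIX/database/\$" "$1" &&
  grep -q "^UpdateLogFile $PREFIX/logs/freshclam.log\$" "$1" &&
  grep -q "^PidFile $PREFIX/worktmp/freshclam.pid\$" "$1" &&
  ! grep -q '^Example$' "$1"
}

# Step 4: fetch main/daily/bytecode into $PREFIX/database (network; not run here).
update_db() {
  "$PREFIX/bin/freshclam" --config-file="$PREFIX/etc/freshclam.conf"
}

# Offline demo on a constructed four-line sample; returns 0 when the generated file passes.
demo_gen_conf() {
  d=$(mktemp -d)
  printf '%s\n' 'Example' '#DatabaseDirectory /var/lib/clamav' \
    '#UpdateLogFile /var/log/freshclam.log' '#PidFile /var/run/freshclam.pid' \
    > "$d/freshclam.conf.sample"
  gen_freshclam_conf "$d/freshclam.conf.sample" "$d/freshclam.conf"
  check_freshclam_conf "$d/freshclam.conf"; rc=$?
  rm -rf "$d"
  return "$rc"
}

demo_gen_conf && echo "freshclam.conf generated correctly"
```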

Scan for viruses

Download the virus test file

    [root@liumiaocn ~]# ls
    anaconda-ks.cfg
    [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
    --2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
    Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
    Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 68 [application/octet-stream]
    Saving to: ‘eicar.com’

    100%[===============================================================================================================================>] 68 --.-K/s in 0.001s

    2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]

    [root@liumiaocn ~]# ls
    anaconda-ks.cfg eicar.com
    [root@liumiaocn ~]#

Scan and remove infected files

    [root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK
    /root/eicar.com: Eicar-Test-Signature FOUND
    /root/eicar.com: Removed.

    ----------- SCAN SUMMARY -----------
    Known viruses: 6123265
    Engine version: 0.101.2
    Scanned directories: 1
    Scanned files: 3
    Infected files: 0
    Data scanned: 0.12 MB
    Data read: 0.06 MB (ratio 1.88:1)
    Time: 49.224 sec (0 m 49 s)

    [root@liumiaocn ~]#

Summary

ClamAV offers a convenient command line for integration and a signature database that is kept up to date, giving open-source security solutions one more option.