Security tools: ClamAV
ClamAV is an open-source virus scanner written in C, used to detect trojans, viruses, malware and similar threats. Its signature database can be updated online. Linux systems see fewer viruses, but that does not make them immune; viruses carried inside e-mail or archive files in particular are hard to guard against, and this is where ClamAV earns its keep.
Basic information about ClamAV:
Item                     Details
Official site            http://www.clamav.net/
Download page            http://www.clamav.net/downloads
Current stable version   0.99.2
Features
Item                        Details
Main use                    Virus scanning at the mail gateway, with built-in support for many mail formats
Performance                 Multi-threaded scanning daemon
Command line                Command-line scanner
Scan targets                Mail about to be sent, or files
File formats                Many file formats supported
Database update frequency   Signature database updated several times a day
Archives                    Scans many archive formats, e.g. Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS
Documents                   Popular document formats, e.g. MS Office and Mac Office files, HTML, Flash, RTF, PDF
Installation
Item            Details
CentOS/RHEL     yum -y install clamav
Ubuntu/Debian   apt-get install clamav
Note: on CentOS the clamav packages come from the EPEL repository, so epel-release must be installed first. For a source install, as long as a C compiler, zlib and the other dependencies are present, ./configure -> make -> make install on the source tree is all it takes.
Installation log
[[email protected] ~]# yum -y install epel-release
Loaded plugins: fastestmirror
...
Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-9.noarch 1/1
Verifying : epel-release-7-9.noarch 1/1
Installed:
epel-release.noarch 0:7-9
Complete!
[[email protected] ~]#
[[email protected] ~]# yum -y install clamav
Loaded plugins: fastestmirror
...
Running transaction
Installing : clamav-filesystem-0.99.2-8.el7.noarch 1/4
Installing : clamav-data-0.99.2-8.el7.noarch 2/4
Installing : clamav-lib-0.99.2-8.el7.x86_64 3/4
Installing : clamav-0.99.2-8.el7.x86_64 4/4
Verifying : clamav-lib-0.99.2-8.el7.x86_64 1/4
Verifying : clamav-data-0.99.2-8.el7.noarch 2/4
Verifying : clamav-0.99.2-8.el7.x86_64 3/4
Verifying : clamav-filesystem-0.99.2-8.el7.noarch 4/4
Installed:
clamav.x86_64 0:0.99.2-8.el7
Dependency Installed:
clamav-data.noarch 0:0.99.2-8.el7 clamav-filesystem.noarch 0:0.99.2-8.el7 clamav-lib.x86_64 0:0.99.2-8.el7
Complete!
[[email protected] ~]#
Version check
[[email protected] ~]# clamscan --version
ClamAV 0.99.2/21723/Mon Jun 13 09:53:00 2016
[[email protected] ~]#
Scanning
Use the clamscan command line to scan a directory. It reports whether each file is OK and finishes with a scan summary, in which "Infected files" is the number of infected files found. The example below scans the files under /root and finds no infected files.
[[email protected] ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 19.365 sec (0 m 19 s)
[[email protected] ~]#
Note: the warning "The virus database is older than 7 days!" here means the signature database has not been kept up to date. The version currently installed by yum does not seem to set up freshclam's database update by default; we will address this later with a source install.
Simulated virus file
Download the simulated-virus test file from eicar.org and see whether clamav detects it.
[[email protected] ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’
100%[===============================================================================================================================>] 68 --.-K/s in 0s
2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]
[[email protected] ~]# ls
anaconda-ks.cfg eicar.com
[[email protected] ~]# pwd
/root
Rescan
Rescan to see whether the newly downloaded test file is detected. The result now reports "/root/eicar.com: Eicar-Test-Signature FOUND" together with "Infected files: 1", which shows the test file was detected.
[[email protected] ~]# clamscan /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 21.129 sec (0 m 21 s)
[[email protected] ~]#
By default, however, clamscan only detects; it does not delete the file automatically.
[[email protected] ~]# ls
anaconda-ks.cfg eicar.com
[[email protected] ~]#
Scan and remove infected files
With the --remove option, detected files are deleted directly.
[[email protected] ~]# clamscan --remove /root
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 23.546 sec (0 m 23 s)
[[email protected] ~]# ls
anaconda-ks.cfg
[[email protected] ~]#
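The scan summary and the --remove option above are the two things an operator usually scripts around. Below is an added example, not code from the original post or from the ClamAV project, of a small clamscan wrapper: it warns when the signature database is stale (the condition behind the "older than 7 days" warning in the output above), quarantines detections with clamscan's --move option instead of deleting them with --remove so that a false positive can be recovered, and turns clamscan's exit status and summary into values a cron job or monitoring check can act on. The defaults assume the yum layout (clamscan on PATH, database in /var/lib/clamav); the quarantine and log paths are assumptions and can be overridden through the environment, as can the source-install paths later in the post.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper around clamscan.
CLAMSCAN="${CLAMSCAN:-clamscan}"                        # /usr/local/clamav/bin/clamscan for the source install
DBDIR="${DBDIR:-/var/lib/clamav}"                       # /usr/local/clamav/database for the source install
QUARANTINE="${QUARANTINE:-/var/lib/clamav-quarantine}"  # assumed location
LOGFILE="${LOGFILE:-/var/log/clamscan-wrap.log}"        # assumed location

# Print "fresh" if daily.cvd (or the compiled daily.cld) in DBDIR was modified
# less than $2 days ago, "stale" if it is older or missing. The default of 7
# days matches the threshold clamscan itself warns about.
db_freshness() {
    dir="$1"; days="${2:-7}"
    if [ -z "$(find "$dir" -maxdepth 1 \( -name daily.cvd -o -name daily.cld \) -mtime -"$days" 2>/dev/null)" ]; then
        echo stale
    else
        echo fresh
    fi
}

# Map clamscan's exit status to a word: 0 = nothing found, 1 = something found,
# 2 = an error occurred (for example a missing database).
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Pull the "Infected files" count out of a clamscan scan summary read on stdin.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p'
}

# Scan a directory recursively, print only hits, move hits into the quarantine
# directory (mode 0700 so nothing else can read or run what lands there) and
# append the report to LOGFILE; the last line printed is the verdict word.
scan_dir() {
    dir="$1"
    [ "$(db_freshness "$DBDIR")" = fresh ] || echo "warning: signature database in $DBDIR is older than 7 days; run freshclam" >&2
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
    "$CLAMSCAN" --recursive --infected --move="$QUARANTINE" --log="$LOGFILE" "$dir"
    verdict $?
}

# Usage: sh clamscan-wrap.sh /root   (does nothing when run without a directory)
if [ $# -gt 0 ]; then
    scan_dir "$1"
fi
```

Quarantining rather than deleting costs nothing at scan time and keeps the evidence for later inspection; the exit status mapping is what lets the same script feed an alert instead of only a log line.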
Source install
With the yum install, updating the signature database still requires manual work, so a source install is worth considering.
Download the source
Item               Details
Download command   wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz
Extract
Item               Details
Extract command    tar xvpf clamav-0.99.2.tar.gz
Change directory   cd clamav-0.99.2
Build dependencies
Item               Details
Install gcc        yum install gcc -y
Install openssl    yum install openssl openssl-devel -y
Create directory   mkdir -p /usr/local/clamav
configure & make & make install
Item               Details
configure          ./configure --prefix=/usr/local/clamav
make               make
make install       make install
Post-install check
[[email protected] clamav-0.99.2]# ls /usr/local/clamav/bin
clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
[[email protected] clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
ClamAV 0.99.2
[[email protected] clamav-0.99.2]#
Note: running clamscan at this point produces the following error.
[[email protected] clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
ERROR: Can't get file status
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.002 sec (0 m 0 s)
[[email protected] clamav-0.99.2]#
A look at the source shows the fix is simple: clamscan needs a usable signature database, and the user and group permissions need to be set up. The overall order is:
Item     Details
Step 1   Create the user and group
Step 2   Create the directories and set permissions
Step 3   Copy and edit the configuration files
Step 4   Update the signature database
Step 5   Scan for viruses
Configuration
Step 1: Create the user and group
Item           Details
Create group   groupadd clamav
Create user    useradd -g clamav clamav
Step 2: Create the directories and set permissions
Create the directories
Directory   Details
logs        Log files
database    The downloaded signature database
worktmp     pid files and other temporary or state files
[[email protected] clamav]# pwd
/usr/local/clamav
[[email protected] clamav]# ls
bin etc include lib64 sbin share
[[email protected] clamav]# mkdir -p logs database worktmp
[[email protected] clamav]#
Set permissions
[[email protected] clamav]# pwd
/usr/local/clamav
[[email protected] clamav]# chown clamav:clamav database
[[email protected] clamav]#
Step 3: Copy and edit the configuration files
Create the configuration files by copying the samples
Directory               Source file             Target file
/usr/local/clamav/etc   clamd.conf.sample       clamd.conf
/usr/local/clamav/etc   freshclam.conf.sample   freshclam.conf
[[email protected] etc]# pwd
/usr/local/clamav/etc
[[email protected] etc]# cp clamd.conf.sample clamd.conf
[[email protected] etc]# cp freshclam.conf.sample freshclam.conf
[[email protected] etc]# ls
clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
[[email protected] etc]#
Create the database update log file
[[email protected] etc]# touch /usr/local/clamav/logs/freshclam.log
[[email protected] etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
[[email protected] etc]#
Edit the files
[[email protected] etc]# ls
clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
[[email protected] etc]# vi clamd.conf
[[email protected] etc]# vi freshclam.conf
[[email protected] etc]# diff clamd.conf clamd.conf.sample
14c14
< LogFile /usr/local/clamav/logs/clamd.log
---
> #LogFile /tmp/clamd.log
66c66
< PidFile /var/clamav/worktmp/clamd.pid
---
> #PidFile /var/run/clamd.pid
74c74
< DatabaseDirectory /var/lib/clamav/database
---
> #DatabaseDirectory /var/lib/clamav
[[email protected] etc]#
[[email protected] etc]# diff freshclam.conf freshclam.conf.sample
8c8
< #Example
---
> Example
13c13
< DatabaseDirectory /usr/local/clamav/database/
---
> #DatabaseDirectory /var/lib/clamav
17c17
< UpdateLogFile /usr/local/clamav/logs/freshclam.log
---
> #UpdateLogFile /var/log/freshclam.log
51c51
< PidFile /usr/local/clamav/worktmp/freshclam.pid
---
> #PidFile /var/run/freshclam.pid
[[email protected] etc]#
In this example, in fact, only freshclam.conf needs to be configured correctly for ClamAV to work.
Update the signature database
Once freshclam.conf is configured, running freshclam downloads the signature database into the database directory over the network; the first update takes a little while.
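Steps 1 to 3 above (user and group, directories and ownership, configuration files) are easy to get subtly wrong by hand, so here is an added example, not code from the original post or from the ClamAV project, that performs them as a script. It assumes the same --prefix as the post, /usr/local/clamav. One difference from the clamd.conf diff above, which points PidFile at /var/clamav/worktmp/clamd.pid and DatabaseDirectory at /var/lib/clamav/database, is that the script keeps every path under the prefix, so clamd and freshclam agree on where the database lives. The nologin shell for the clamav user and the ownership of logs and worktmp are additions beyond what the post does, so that the daemons can write those directories after dropping privileges. The sample freshclam.conf written by write_sample_freshclam_conf is a constructed stand-in containing only the lines the script touches.

```shell
#!/bin/sh
# Added example, not the post's own code: Steps 1-3 of the source-install setup.
PREFIX="${PREFIX:-/usr/local/clamav}"

# Replace the (possibly commented-out) "Key ..." line in a ClamAV conf file with
# a single active "Key value" line; append it if the sample lacks the key.
# "^#*Key " requires a space after the key, so LogFile does not match LogFileMaxSize.
set_conf() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^#*$key " "$conf"; then
        sed "s|^#*$key .*|$key $value|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Comment out the bare "Example" line; while it is present clamd and freshclam
# refuse to run, which is what the 8c8 hunk in the diff above takes care of.
disable_example() {
    sed 's/^Example$/#Example/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The three settings the post changes in freshclam.conf.
configure_freshclam() {
    disable_example "$1"
    set_conf "$1" DatabaseDirectory "$PREFIX/database/"
    set_conf "$1" UpdateLogFile "$PREFIX/logs/freshclam.log"
    set_conf "$1" PidFile "$PREFIX/worktmp/freshclam.pid"
}

# The same three kinds of setting in clamd.conf, all under the prefix.
configure_clamd() {
    disable_example "$1"
    set_conf "$1" LogFile "$PREFIX/logs/clamd.log"
    set_conf "$1" PidFile "$PREFIX/worktmp/clamd.pid"
    set_conf "$1" DatabaseDirectory "$PREFIX/database"
}

# Constructed stand-in for freshclam.conf.sample (only the lines this example
# touches; the real sample shipped with ClamAV is much longer).
write_sample_freshclam_conf() {
    cat > "$1" <<'EOF'
## Example config file for freshclam
Example
#DatabaseDirectory /var/lib/clamav
#UpdateLogFile /var/log/freshclam.log
#PidFile /var/run/freshclam.pid
EOF
}

# Steps 1-3 from the post, to be run as root after make install.
# Usage: sh clamav-setup.sh --apply
setup() {
    getent group clamav >/dev/null || groupadd clamav
    id clamav >/dev/null 2>&1 || useradd -g clamav -s /sbin/nologin clamav
    mkdir -p "$PREFIX/logs" "$PREFIX/database" "$PREFIX/worktmp"
    chown clamav:clamav "$PREFIX/logs" "$PREFIX/database" "$PREFIX/worktmp"
    touch "$PREFIX/logs/freshclam.log"
    chown clamav:clamav "$PREFIX/logs/freshclam.log"
    cp -n "$PREFIX/etc/freshclam.conf.sample" "$PREFIX/etc/freshclam.conf"
    cp -n "$PREFIX/etc/clamd.conf.sample" "$PREFIX/etc/clamd.conf"
    configure_freshclam "$PREFIX/etc/freshclam.conf"
    configure_clamd "$PREFIX/etc/clamd.conf"
}

if [ "${1:-}" = --apply ]; then
    setup
fi
```

After running it, Step 4 is unchanged: /usr/local/clamav/bin/freshclam populates the database directory, and the directory being owned by clamav is what lets freshclam write there once it drops root.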
[[email protected] etc]# /usr/local/clamav/bin/freshclam
ClamAV update process started at Fri Aug 4 22:39:40 2017
Trying host database.clamav.net (69.12.162.28)...
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
[[email protected] etc]#
After the update
[[email protected] clamav]# pwd
/usr/local/clamav
[[email protected] clamav]# ls database/
bytecode.cvd daily.cvd main.cvd mirrors.dat
[[email protected] clamav]#
Scan for viruses
Download the virus test file
[[email protected] ~]# ls
anaconda-ks.cfg
[[email protected] ~]# wget http://www.eicar.org/download/eicar.com
--2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’
100%[===============================================================================================================================>] 68 --.-K/s in 0.001s
2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]
[[email protected] ~]# ls
anaconda-ks.cfg eicar.com
[[email protected] ~]#
Scan and remove the infected file
[[email protected] ~]# /usr/local/clamav/bin/clamscan --remove /root
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.