
ClamAV in practice: hunting down malware on Linux

A complete record of installing ClamAV on Linux, scanning for malware, and cleaning up what it found.

About ClamAV

ClamAV is the most widely used antivirus engine on Linux. It is free and open source and runs on Linux/Unix, macOS, Windows and OpenVMS. The scanner itself is a command-line tool (clamscan, plus the clamd daemon and its clamdscan client); ClamTK adds a graphical front end. Its main use is scanning mail on mail servers, for which it offers several integration interfaces, and it unpacks and inspects archive and document formats such as ZIP, RAR, TAR, GZIP, BZIP2, HTML, DOC, PDF, SIS, CHM and RTF. Signature updates are automated by freshclam, and the engine is also available as a shared library (libclamav) for embedding in other programs.

Installation and deployment

  • Create the user and group
  • Create the directories and set their ownership
  • Copy and edit the configuration files
  • Update the signature database
  • Scan for malware

1. Build and install ClamAV from source (configure needs a C compiler plus the zlib and OpenSSL development headers):

tar xf clamav-0.100.0.tar.gz
cd clamav-0.100.0
./configure --prefix=/usr/local/clamav
make && make install

2. Add the clamav group and a clamav user in it, with no login shell:

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

3. Create the working directories and set their ownership. freshclam and clamd run as the clamav user, so all three directories must be writable by it:

cd /usr/local/clamav
mkdir -p logs database worktmp
chown clamav:clamav logs database worktmp

# logs     - log files
# database - signature database written by freshclam
# worktmp  - pid files and other temporary/state files

4. Create the configuration files from the shipped samples

cd /usr/local/clamav/etc
cp clamd.conf.sample clamd.conf
cp freshclam.conf.sample freshclam.conf

5. Edit the configuration files. The changes, shown as diffs against the samples:

# diff clamd.conf clamd.conf.sample
14c14
< LogFile /usr/local/clamav/logs/clamd.log
---
> #LogFile /tmp/clamd.log
66c66
< PidFile /usr/local/clamav/worktmp/clamd.pid
---
> #PidFile /var/run/clamd.pid
74c74
< DatabaseDirectory /usr/local/clamav/database
---
> #DatabaseDirectory /var/lib/clamav

# diff freshclam.conf freshclam.conf.sample
8c8
< #Example
---
> Example
13c13
< DatabaseDirectory /usr/local/clamav/database/
---
> #DatabaseDirectory /var/lib/clamav
17c17
< UpdateLogFile /usr/local/clamav/logs/freshclam.log
---
> #UpdateLogFile /var/log/freshclam.log
51c51
< PidFile /usr/local/clamav/worktmp/freshclam.pid
---
> #PidFile /var/run/freshclam.pid

Three things to check here. Both sample files ship with an Example line near the top; it has to be commented out in clamd.conf exactly as in freshclam.conf, or the program refuses to start. DatabaseDirectory must name the same directory in clamd.conf and freshclam.conf, and each PidFile must live in a directory the clamav user can write to (the worktmp directory from step 3). Finally, clamscan does not read clamd.conf: it looks in the compile-time database directory (/usr/local/clamav/share/clamav with this prefix) unless you point it at the freshclam directory with --database=/usr/local/clamav/database.

Update the signature database

# create the log file
touch /usr/local/clamav/logs/freshclam.log
chown -R clamav:clamav /usr/local/clamav/logs

# fetch the signatures
/usr/local/clamav/bin/freshclam

Signatures are stored in /usr/local/clamav/database

The first update downloads the full database and is slow; later ones are incremental. Signatures must be refreshed regularly: either run freshclam from a cron job, or start it as a daemon (freshclam -d), which checks for updates as many times a day as the Checks setting in freshclam.conf specifies.

Scanning for malware

clamscan -r /                 # lists every file scanned, clean ones included
clamscan --no-summary -ri /   # prints only the infected files
    -r            recurse into subdirectories
    -i            print only infected files
    --no-summary  suppress the summary block at the end

A scan of / also descends into /proc, /sys and /dev; skip them with --exclude-dir, which takes a regex (for example --exclude-dir='^/(proc|sys|dev)'), and keep a record of the run with --log=FILE. Do not pass --remove on a first pass: a detection can be a false positive, so inspect the file first, or quarantine a copy with --copy=DIR.

Then go through the important directories one at a time:

/usr/local/clamav/bin/clamscan -ri /data/
....   # warnings omitted
/data/***/store/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/util/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/index/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/queryParser/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/search/payloads/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/search/function/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/document/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/analysis/standard/package.html: Legacy.Trojan.Agent-1388596 FOUND
.....
----------- SCAN SUMMARY -----------
Known viruses: 6472191
Engine version: 0.100.0
Scanned directories: 170
Scanned files: 2247
Infected files: 8
Data scanned: 2662.96 MB
Data read: 6934.71 MB (ratio 0.38:1)
Time: 225.648 sec (3 m 45 s)

So there are 8 infected files under /data. Comparing one of them against a clean copy of the same file showed the cause: every flagged package.html carried an embedded VBScript block that the clean copy did not have.
[image: an infected package.html side by side with a clean copy]

The fix

First locate the infected files with find, confirm they are the ones clamscan reported, and then let sed delete the VBScript block (everything from the line containing VBScript><!-- to the line containing //--></SCRIPT>). The full command:

find / -type f -name "*.html" |xargs sed -i '/VBScript><!--/,/\/\/--><\/SCRIPT>/d'

Three caveats before running this on a production host. It rewrites every .html file under /, not just the infected ones: sed -i recreates each input file whether or not the pattern matched. xargs without -0 breaks on paths that contain whitespace (use find -print0 | xargs -0). And once sed's start address matches, the end address is only tested from the next line on, so a file with an unterminated block is truncated to end of file. Take backups first, and rerun clamscan afterwards to confirm the files now come back clean.
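A safer way to do the cleanup, added here as an example and not part of the original post: drive the fix from the clamscan report shown in the scan section above rather than rewriting every .html on the box, and refuse to touch a file whose VBScript block has no closing marker, since a sed range with a missing end address deletes to end of file. The two marker strings are the ones the original sed command used; the file contents, paths and report text are constructed fixtures, not the real detections; GNU sed and grep are assumed (sed -i); and infected_paths, strip_vbscript_blocks, remediate_from_report and make_fixture are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU sed/grep.
# The two markers are the ones the original sed range matched.
START_MARK='VBScript><!--'
END_MARK='//--></SCRIPT>'

# Read a clamscan report on stdin and print only the paths of "... FOUND"
# lines. Splitting on the last ": " keeps paths that contain spaces intact.
infected_paths() {
    sed -n 's/: [^:]* FOUND$//p'
}

# Print "START END" for the first complete marker pair in FILE (the END marker
# is searched only after the START line, as sed's range would). Prints nothing
# and returns 1 if a START line has no END, so a truncated block is never
# deleted to end of file.
first_block_range() {
    start=$(grep -n -F "$START_MARK" "$1" | head -n1 | cut -d: -f1)
    [ -n "$start" ] || return 1
    rel=$(tail -n +"$((start + 1))" "$1" | grep -n -F "$END_MARK" | head -n1 | cut -d: -f1)
    [ -n "$rel" ] || return 1
    echo "$start $((start + rel))"
}

# Remove every complete block from FILE after saving FILE.clamav-bak (cp -p
# keeps mode and owner). Returns 0 if at least one block was removed.
strip_vbscript_blocks() {
    file=$1
    removed=0
    while range=$(first_block_range "$file"); do
        if [ "$removed" -eq 0 ]; then cp -p "$file" "$file.clamav-bak"; fi
        sed -i "$(echo "$range" | tr ' ' ',')d" "$file"
        removed=$((removed + 1))
    done
    [ "$removed" -gt 0 ]
}

# Clean every file flagged in the report file REPORT. Returns 0 only if nothing
# was skipped; a skipped file (no complete block) must be examined by hand.
remediate_from_report() {
    report=$1 cleaned=0 skipped=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then
            echo "missing: $f"; skipped=$((skipped + 1))
        elif strip_vbscript_blocks "$f"; then
            echo "cleaned: $f"; cleaned=$((cleaned + 1))
        else
            echo "skipped (no complete VBScript block, inspect by hand): $f"
            skipped=$((skipped + 1))
        fi
    done <<EOF
$(infected_paths <"$report")
EOF
    echo "cleaned=$cleaned skipped=$skipped"
    [ "$skipped" -eq 0 ]
}

# Constructed fixture (not real data): two infected Javadoc-style package.html
# files (one in a path with a space), one file with a truncated block, one
# clean file, and a clamscan-style report naming them. Prints the directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/with space"
    for f in "$dir/package.html" "$dir/with space/package.html"; do
        printf '%s\n' '<HTML><BODY>' '<p>Package docs</p>' \
            '<SCRIPT language=VBScript><!--' \
            "' script body omitted in this constructed sample" \
            '//--></SCRIPT>' '<p>trailer</p>' '</BODY></HTML>' >"$f"
    done
    printf '%s\n' '<HTML>' '<SCRIPT language=VBScript><!--' \
        "' no closing marker" '</HTML>' >"$dir/truncated.html"
    printf '%s\n' '<HTML><BODY>clean</BODY></HTML>' >"$dir/clean.html"
    cat >"$dir/report.txt" <<EOF
$dir/package.html: Legacy.Trojan.Agent-1388596 FOUND
$dir/with space/package.html: Legacy.Trojan.Agent-1388596 FOUND
$dir/truncated.html: Legacy.Trojan.Agent-1388596 FOUND
$dir/clean.html: OK

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
    echo "$dir"
}

# Stand-alone demo on the fixture. On a real host the report would come from
# clamscan -ri /data --log=/tmp/scan.log, followed by a rescan to confirm.
fixture=$(make_fixture)
remediate_from_report "$fixture/report.txt" || echo "some files need manual review"
rm -rf "$fixture"
```

The script leaves a .clamav-bak copy beside every file it changes, reports a non-zero status whenever something was skipped, and only ever touches files that clamscan actually named, so a rescan of the same directory afterwards is a direct check that the cleanup worked.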