Security protection tools: ClamAV

2018-10-02 00:49:35 neo_will_mvp

ClamAV is an open-source virus scanner written in C, used to detect trojans, viruses, malware and the like, with a virus database that can be updated online. Linux systems see fewer viruses, but that does not make them immune: viruses hidden in e-mail or inside archive files are especially hard to guard against, and ClamAV is useful there.
Basic information about ClamAV:

Features

Installation methods

Note: on CentOS, clamd lives in the epel-release repository, so epel-release has to be installed first. For a source install, as long as a C compiler, zlib and the other dependencies are present, running ./configure -> make -> make install on the source tree is enough.

Installation log

 
    [root@liumiaocn ~]# yum -y install epel-release
    Loaded plugins: fastestmirror
    ...
    Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
    From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Installing : epel-release-7-9.noarch 1/1
    Verifying : epel-release-7-9.noarch 1/1

    Installed:
    epel-release.noarch 0:7-9

    Complete!
    [root@liumiaocn ~]#

 
    [root@liumiaocn ~]# yum -y install clamav
    Loaded plugins: fastestmirror
    ...
    Running transaction
    Installing : clamav-filesystem-0.101.2-1.el7.noarch 1/5
    Installing : pcre2-10.23-2.el7.x86_64 2/5
    Installing : clamav-lib-0.101.2-1.el7.x86_64 3/5
    Installing : clamav-update-0.101.2-1.el7.x86_64 4/5
    Installing : clamav-0.101.2-1.el7.x86_64 5/5
    Verifying : clamav-0.101.2-1.el7.x86_64 1/5
    Verifying : clamav-update-0.101.2-1.el7.x86_64 2/5
    Verifying : clamav-lib-0.101.2-1.el7.x86_64 3/5
    Verifying : pcre2-10.23-2.el7.x86_64 4/5
    Verifying : clamav-filesystem-0.101.2-1.el7.noarch 5/5

    Installed:
    clamav.x86_64 0:0.101.2-1.el7

    Dependency Installed:
    clamav-filesystem.noarch 0:0.101.2-1.el7 clamav-lib.x86_64 0:0.101.2-1.el7
    clamav-update.x86_64 0:0.101.2-1.el7 pcre2.x86_64 0:10.23-2.el7

    Complete!
    [root@liumiaocn ~]#

Version check

 
    [root@liumiaocn ~]# clamscan --version
    ClamAV 0.101.2
    [root@liumiaocn ~]#

Scanning

Use the clamscan command line to scan a directory: each file is reported as OK or not, and a summary of the scan is printed at the end, where Infected files is the number of infected files found. The example below scans the files under /root and finds no infected files.

 
    [root@liumiaocn ~]# clamscan /root
    LibClamAV Warning: **************************************************
    LibClamAV Warning: *** The virus database is older than 7 days! ***
    LibClamAV Warning: *** Please update it as soon as possible. ***
    LibClamAV Warning: **************************************************
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 4490129
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 7
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 19.365 sec (0 m 19 s)
    [root@liumiaocn ~]#

Note: the warning "The virus database is older than 7 days!" appears here because the virus database has not been updated. The version currently installed by default with yum does not appear to set up freshclam's database update automatically; we will address this later with a source install.

Simulated virus file

Download the virus test file from eicar.org and see whether ClamAV detects it.

 
    [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
    --2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
    Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
    Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 68 [application/octet-stream]
    Saving to: ‘eicar.com’

    100%[===============================================================================================================================>] 68 --.-K/s in 0s

    2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]

    [root@liumiaocn ~]# ls
    anaconda-ks.cfg eicar.com
    [root@liumiaocn ~]# pwd
    /root

Rescan

Scan again to see whether the newly downloaded virus test file is detected. The output now contains "/root/eicar.com: Eicar-Test-Signature FOUND" together with "Infected files: 1", which shows that the test file was detected.

 
    [root@liumiaocn ~]# clamscan /root
    LibClamAV Warning: **************************************************
    LibClamAV Warning: *** The virus database is older than 7 days! ***
    LibClamAV Warning: *** Please update it as soon as possible. ***
    LibClamAV Warning: **************************************************
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK
    /root/eicar.com: Eicar-Test-Signature FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 4490129
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 8
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 21.129 sec (0 m 21 s)
    [root@liumiaocn ~]#

By default, however, clamscan only detects; it does not delete the file automatically.

 
    [root@liumiaocn ~]# ls
    anaconda-ks.cfg eicar.com
    [root@liumiaocn ~]#

Scan and delete infected files

With the --remove option, detected files are deleted directly.

 
    [root@liumiaocn ~]# clamscan --remove /root
    LibClamAV Warning: **************************************************
    LibClamAV Warning: *** The virus database is older than 7 days! ***
    LibClamAV Warning: *** Please update it as soon as possible. ***
    LibClamAV Warning: **************************************************
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK
    /root/eicar.com: Eicar-Test-Signature FOUND
    /root/eicar.com: Removed.

    ----------- SCAN SUMMARY -----------
    Known viruses: 4490129
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 8
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 23.546 sec (0 m 23 s)
    [root@liumiaocn ~]# ls
    anaconda-ks.cfg
    [root@liumiaocn ~]#
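As an added example (not code from the original post), the shell script below reproduces the EICAR test and the scan-and-act step above without fetching anything over plain HTTP: it writes the standard 68-byte EICAR string locally and verifies it against the published SHA-256, maps clamscan's exit status (0 clean, 1 detection, 2 error) to a verdict, pulls the "Infected files" count out of a scan summary, and moves detections to a quarantine directory with --move rather than deleting them with --remove, so a false positive can be recovered. --recursive, --infected, --log and --move are real clamscan options; the EICAR_DEMO variable, the function names and the quarantine path are this example's own choices, and the scanner is only invoked if clamscan is installed.

```shell
#!/bin/sh
# Added example, not from the original post: build the EICAR test file
# locally, scan with clamscan, and quarantine hits instead of deleting them.

# The standard EICAR test string (68 bytes). It is harmless by design and
# exists only so that scanners have a known detection target.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the 68-byte EICAR file.
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# Write the test file to $1 and verify size and digest. Prints the byte
# count on success, returns 1 if the file on disk does not match.
make_eicar() {
    printf '%s' "$EICAR" > "$1" || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$1" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$size" = 68 ] && [ "$sum" = "$EICAR_SHA256" ] || return 1
    echo "$size"
}

# clamscan exit status: 0 = nothing found, 1 = detection, 2 = error
# (a missing or unreadable database also lands here).
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Extract "Infected files: N" from a scan summary read on stdin.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p'
}

# Scan directory $1; detections are moved into quarantine directory $2
# (--move) instead of being removed, and the full report is written to $3.
# Prints the verdict word derived from the exit status.
quarantine_scan() {
    dir=$1; quarantine=$2; log=$3
    mkdir -p "$quarantine"
    clamscan --recursive --infected --move="$quarantine" --log="$log" "$dir" >/dev/null 2>&1
    rc=$?
    classify_exit "$rc"
}

# Stand-alone demo: only runs the scanner when asked and when it exists.
if [ "${EICAR_DEMO:-0}" = 1 ] && command -v clamscan >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_eicar "$tmp/eicar.com" >/dev/null
    echo "verdict: $(quarantine_scan "$tmp" "$tmp/quarantine" "$tmp/scan.log")"
    echo "infected: $(infected_count < "$tmp/scan.log")"
fi
```

Run it as EICAR_DEMO=1 sh scan.sh on a host with clamscan to see the whole flow; the verdict comes from the exit status, which is the value a cron job or CI step should branch on rather than the printed summary.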

Source install

With the yum install, updating the virus database still has to be done by hand at present, so a source install is worth considering.

Download the source

Extract

Build dependencies

configure & make & make install

Post-install check

 
    [root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
    clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
    [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
    ClamAV 0.99.2
    [root@liumiaocn clamav-0.99.2]#

Note: if clamscan is run at this point, it reports the following problem.

 
    [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
    LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
    ERROR: Can't get file status

    ----------- SCAN SUMMARY -----------
    Known viruses: 0
    Engine version: 0.99.2
    Scanned directories: 0
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 0.002 sec (0 m 0 s)
    [root@liumiaocn clamav-0.99.2]#

A look at the source shows the fix is simple: a usable virus database file is needed, and the user, group and permissions have to be set up. The overall order is:

Setup

Step 1: create the user and group

Step 2: create the directories and set permissions

Create the directories

 
    [root@liumiaocn clamav]# pwd
    /usr/local/clamav
    [root@liumiaocn clamav]# ls
    bin etc include lib64 sbin share
    [root@liumiaocn clamav]# mkdir -p logs database worktmp
    [root@liumiaocn clamav]#

Set permissions

 
    [root@liumiaocn clamav]# pwd
    /usr/local/clamav
    [root@liumiaocn clamav]# chown clamav:clamav database
    [root@liumiaocn clamav]#

Step 3: copy and update the configuration files

Create the configuration files from the samples

 
    [root@liumiaocn etc]# pwd
    /usr/local/clamav/etc
    [root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
    [root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
    [root@liumiaocn etc]# ls
    clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
    [root@liumiaocn etc]#

Create the virus database update log file

 
    [root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
    [root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
    [root@liumiaocn etc]#

Edit the files

 
    [root@liumiaocn etc]# ls
    clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
    [root@liumiaocn etc]# vi clamd.conf
    [root@liumiaocn etc]# vi freshclam.conf
    [root@liumiaocn etc]# diff clamd.conf clamd.conf.sample
    14c14
    < LogFile /usr/local/clamav/logs/clamd.log
    ---
    > #LogFile /tmp/clamd.log
    66c66
    < PidFile /var/clamav/worktmp/clamd.pid
    ---
    > #PidFile /var/run/clamd.pid
    74c74
    < DatabaseDirectory /var/lib/clamav/database
    ---
    > #DatabaseDirectory /var/lib/clamav
    [root@liumiaocn etc]#
    [root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample
    8c8
    < #Example
    ---
    > Example
    13c13
    < DatabaseDirectory /usr/local/clamav/database/
    ---
    > #DatabaseDirectory /var/lib/clamav
    17c17
    < UpdateLogFile /usr/local/clamav/logs/freshclam.log
    ---
    > #UpdateLogFile /var/log/freshclam.log
    51c51
    < PidFile /usr/local/clamav/worktmp/freshclam.pid
    ---
    > #PidFile /var/run/freshclam.pid
    [root@liumiaocn etc]#


In this example, only freshclam.conf actually needs to be set correctly for ClamAV to work as shown.
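As an added example (not code from the original post), the shell functions below check the edited configuration files before freshclam is run: whether the "Example" marker line is still active (freshclam refuses to start until it is commented out, which is what the 8c8 hunk in the diff above does), what DatabaseDirectory each file names, and whether clamd.conf and freshclam.conf agree on it. In the diff above they do not (/var/lib/clamav/database versus /usr/local/clamav/database/); clamscan as used in this post does not read clamd.conf, but clamd and clamdscan do, so the mismatch is worth catching. The function names and the constructed sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check freshclam.conf
# and clamd.conf before relying on them.

# Print the value of directive $2 from config file $1. Lines starting with
# '#' never match because their first word is '#Directive', not 'Directive'.
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 if the file still carries the active "Example" marker line, which
# makes freshclam (and clamd) refuse to start until the file has been edited.
conf_is_unedited() {
    grep -q '^Example[[:space:]]*$' "$1"
}

# Cross-check freshclam.conf ($1) against clamd.conf ($2): both must name the
# same DatabaseDirectory, or clamd will look somewhere other than where
# freshclam writes. Prints the agreed directory (trailing slash stripped),
# returns 1 with a message on stderr otherwise.
conf_database_dir() {
    f=$(conf_get "$1" DatabaseDirectory | sed 's#/*$##')
    c=$(conf_get "$2" DatabaseDirectory | sed 's#/*$##')
    [ -n "$f" ] || { echo "no DatabaseDirectory in $1" >&2; return 1; }
    if [ -n "$c" ] && [ "$c" != "$f" ]; then
        echo "DatabaseDirectory mismatch: $1=$f $2=$c" >&2
        return 1
    fi
    echo "$f"
}

# Stand-alone demo on constructed copies of the two files as edited above
# (only the directives relevant to the check are included).
demo=$(mktemp -d)
printf '#Example\nDatabaseDirectory /usr/local/clamav/database/\nUpdateLogFile /usr/local/clamav/logs/freshclam.log\n' > "$demo/freshclam.conf"
printf 'LogFile /usr/local/clamav/logs/clamd.log\nDatabaseDirectory /var/lib/clamav/database\n' > "$demo/clamd.conf"
conf_is_unedited "$demo/freshclam.conf" || echo "freshclam.conf: Example line is commented out"
conf_database_dir "$demo/freshclam.conf" "$demo/clamd.conf" || echo "fix DatabaseDirectory before relying on clamd"
rm -rf "$demo"
```

Point the functions at /usr/local/clamav/etc/freshclam.conf and clamd.conf on the installed host; a non-zero return from conf_database_dir is the signal to reconcile the two files before starting clamd.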

Update the virus database

Once freshclam.conf has been set up, the freshclam command fetches the virus database over the network into the database directory; the first update takes a little while.

 
    [root@liumiaocn etc]# /usr/local/clamav/bin/freshclam
    ClamAV update process started at Fri Aug 4 22:39:40 2017
    Trying host database.clamav.net (69.12.162.28)...
    Downloading main.cvd [100%]
    main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
    Downloading bytecode.cvd [100%]
    bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
    Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
    [root@liumiaocn etc]#
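As an added example (not code from the original post), the shell functions below read the 512-byte header of a downloaded .cvd file. The header is colon-separated and carries the same version, signature count, functionality level and builder that freshclam prints above, plus the build time in epoch seconds, so a cron job or monitoring check can confirm what is actually on disk and flag a database older than the 7 days clamscan warns about, without running freshclam. The write_sample_cvd helper creates a constructed header (placeholder md5/dsig fields, counts taken from the daily.cvd line above) so the code runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a .cvd header to
# confirm what freshclam downloaded and to detect a stale database.
#
# CVD header layout (first 512 bytes of the file, colon-separated):
#   ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<build time, epoch seconds>

# Print "version signatures flevel builder epoch" for the .cvd at $1.
cvd_info() {
    hdr=$(head -c 512 "$1" | tr -d '\0' | sed 's/[[:space:]]*$//')
    case "$hdr" in
        ClamAV-VDB:*) ;;
        *) echo "not a CVD header: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$hdr" | awk -F: '{ print $3, $4, $5, $8, $9 }'
}

# Return 0 if the database's own build time is within $2 days of now.
# Using the header rather than the file mtime means a stale file copied
# into place yesterday is still reported as stale.
cvd_is_fresh() {
    epoch=$(cvd_info "$1" | awk '{ print $5 }') || return 1
    [ -n "$epoch" ] || return 1
    now=$(date +%s)
    age_days=$(( (now - epoch) / 86400 ))
    [ "$age_days" -le "$2" ]
}

# Write a constructed header to $1 with build epoch $2. This is not a real
# database: the md5 and dsig fields are placeholders; the version, signature
# count, f-level and builder are the daily.cvd values freshclam printed.
write_sample_cvd() {
    printf 'ClamAV-VDB:04 Aug 2017 22-39 +0000:23629:1741893:63:md5placeholder:dsigplaceholder:neo:%s' "$2" > "$1"
}

# Stand-alone demo on the constructed header (2017 build time, so stale).
demo=$(mktemp -d)
write_sample_cvd "$demo/daily.cvd" 1501886380
cvd_info "$demo/daily.cvd"
cvd_is_fresh "$demo/daily.cvd" 7 && echo "fresh" || echo "stale (older than 7 days)"
rm -rf "$demo"
```

On a real host, run cvd_is_fresh /usr/local/clamav/database/daily.cvd 7 from cron and alert on a non-zero return; sigtool --info prints the same header fields in readable form if you prefer ClamAV's own tool.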

After the update

 
    [root@liumiaocn clamav]# pwd
    /usr/local/clamav
    [root@liumiaocn clamav]# ls database/
    bytecode.cvd daily.cvd main.cvd mirrors.dat
    [root@liumiaocn clamav]#

Virus scan

Download the virus test file

 
    [root@liumiaocn ~]# ls
    anaconda-ks.cfg
    [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
    --2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
    Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
    Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 68 [application/octet-stream]
    Saving to: ‘eicar.com’

    100%[===============================================================================================================================>] 68 --.-K/s in 0.001s

    2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]

    [root@liumiaocn ~]# ls
    anaconda-ks.cfg eicar.com
    [root@liumiaocn ~]#


Scan and delete the infected file

 
    [root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
    /root/.bash_logout: OK
    /root/.bash_profile: OK
    /root/.bashrc: OK
    /root/.cshrc: OK
    /root/.tcshrc: OK
    /root/anaconda-ks.cfg: OK
    /root/.bash_history: OK
    /root/eicar.com: Eicar-Test-Signature FOUND
    /root/eicar.com: Removed.

    ----------- SCAN SUMMARY -----------
    Known viruses: 6123265
    Engine version: 0.101.2
    Scanned directories: 1
    Scanned files: 3
    Infected files: 0
    Data scanned: 0.12 MB
    Data read: 0.06 MB (ratio 1.88:1)
    Time: 49.224 sec (0 m 49 s)

    [root@liumiaocn ~]#


Summary

ClamAV offers a convenient command-line interface for integration and a virus database that can be kept up to date, giving open-source security solutions another option.
