Security Defense Tools: ClamAV

2018-10-02 00:49:35 neo_will_mvp Views: 359

Copyright notice: carefully researched and diligently studied, this is the blogger's original article and may not be reproduced without the blogger's permission. https://blog.csdn.net/qq_33468857/article/details/82920832

ClamAV is an open-source virus scanner written in C that detects trojans, viruses, malware and similar threats, and its virus database can be updated online. Linux systems see fewer viruses, but that does not mean they are immune; viruses carried inside email or archive files in particular are often harder to guard against, and that is where ClamAV is of real use.
Basic information about ClamAV:

Item                      Detail
Official site             http://www.clamav.net/
Download page             http://www.clamav.net/downloads
Current stable version    0.99.2

Features

Item                        Detail
Main use                    Virus scanning for mail gateways, with built-in support for many mail formats
High performance            Multi-threaded scanning daemon
Command line                Command-line scanning
Scan targets                Outgoing mail or files can be scanned
File formats                Many file formats supported
Database update frequency   Several virus database updates per day
Archive files               Scans many archive formats, e.g. Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS
Documents                   Supports common document formats, e.g. MS Office files, MacOffice files, HTML, Flash, RTF, PDF

Installation

Distribution        Command
CentOS/RHEL         yum -y install clamav
Ubuntu/Debian       apt-get install clamav

Note: on CentOS the clamd packages live in epel-release, so epel-release must be installed first. For a source install, as long as a C compiler, zlib and the other prerequisites are present, running ./configure -> make -> make install on the source tree is enough.

Installation log

  [root@liumiaocn ~]# yum -y install epel-release
  Loaded plugins: fastestmirror
  ...
  Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
  From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
  Running transaction check
  Running transaction test
  Transaction test succeeded
  Running transaction
  Installing : epel-release-7-9.noarch 1/1
  Verifying : epel-release-7-9.noarch 1/1

  Installed:
  epel-release.noarch 0:7-9

  Complete!
  [root@liumiaocn ~]#

  [root@liumiaocn ~]# yum -y install clamav
  Loaded plugins: fastestmirror
  ...
  Running transaction
  Installing : clamav-filesystem-0.101.2-1.el7.noarch 1/5
  Installing : pcre2-10.23-2.el7.x86_64 2/5
  Installing : clamav-lib-0.101.2-1.el7.x86_64 3/5
  Installing : clamav-update-0.101.2-1.el7.x86_64 4/5
  Installing : clamav-0.101.2-1.el7.x86_64 5/5
  Verifying : clamav-0.101.2-1.el7.x86_64 1/5
  Verifying : clamav-update-0.101.2-1.el7.x86_64 2/5
  Verifying : clamav-lib-0.101.2-1.el7.x86_64 3/5
  Verifying : pcre2-10.23-2.el7.x86_64 4/5
  Verifying : clamav-filesystem-0.101.2-1.el7.noarch 5/5

  Installed:
  clamav.x86_64 0:0.101.2-1.el7

  Dependency Installed:
  clamav-filesystem.noarch 0:0.101.2-1.el7 clamav-lib.x86_64 0:0.101.2-1.el7
  clamav-update.x86_64 0:0.101.2-1.el7 pcre2.x86_64 0:10.23-2.el7

  Complete!
  [root@liumiaocn ~]#

Version check

  [root@liumiaocn ~]# clamscan --version
  ClamAV 0.101.2
  [root@liumiaocn ~]#

Scanning

Use the clamscan command line to scan a directory: each file is reported as OK or not, and a summary of the whole scan follows, in which "Infected files" is the number of infected files found. The example below scans the files under /root and finds no infected files.

  [root@liumiaocn ~]# clamscan /root
  LibClamAV Warning: **************************************************
  LibClamAV Warning: *** The virus database is older than 7 days! ***
  LibClamAV Warning: *** Please update it as soon as possible. ***
  LibClamAV Warning: **************************************************
  /root/.bash_logout: OK
  /root/.bash_profile: OK
  /root/.bashrc: OK
  /root/.cshrc: OK
  /root/.tcshrc: OK
  /root/anaconda-ks.cfg: OK
  /root/.bash_history: OK

  ----------- SCAN SUMMARY -----------
  Known viruses: 4490129
  Engine version: 0.99.2
  Scanned directories: 1
  Scanned files: 7
  Infected files: 0
  Data scanned: 0.00 MB
  Data read: 0.00 MB (ratio 0.00:1)
  Time: 19.365 sec (0 m 19 s)
  [root@liumiaocn ~]#

Note: the warning "The virus database is older than 7 days!" appears because the virus database has not been updated. The version currently installed by default through yum does not seem to set up freshclam's database update function automatically; later we use the source install to address this.
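The summary block is regular enough for a script to read, and a scheduled scan should check more than the OK lines: the source-install run further down, before any database had been fetched, prints "Known viruses: 0" yet still ends with "Infected files: 0". This shell example is added here and is not from the original post; the report it parses is a constructed stand-in for clamscan output in the format shown above, and run_scan assumes clamscan is on the PATH.

```shell
# Added example, not from the original post: read a clamscan report as the text
# does, so an unattended job can act on the summary instead of a person reading it.
# Constructed stand-in for clamscan output, in the format shown above.
SAMPLE_REPORT='/root/.bashrc: OK
/root/anaconda-ks.cfg: OK
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4490129
Scanned files: 8
Infected files: 1
Time: 21.129 sec (0 m 21 s)'

# Print the "Infected files" count from a report on stdin (empty if no summary).
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p'
}

# Print the "Known viruses" count. The source-install run further down, before
# any database was fetched, shows 0 here yet still prints "Infected files: 0".
known_viruses() {
    sed -n 's/^Known viruses: \([0-9][0-9]*\)$/\1/p'
}

# Print the path from every "<path>: <signature> FOUND" line on stdin.
found_files() {
    sed -n 's/: [^:]* FOUND$//p'
}

# Read a report on stdin; return 0 if clean, 1 if something was found, and 2
# if there is no summary or no signatures were loaded (same 0/1/2 as clamscan).
scan_verdict() {
    report=$(cat)
    n=$(printf '%s\n' "$report" | infected_count)
    k=$(printf '%s\n' "$report" | known_viruses)
    if [ -z "$n" ] || [ "${k:-0}" -eq 0 ]; then
        echo 'scan not trustworthy: no summary or no signatures loaded'
        return 2
    fi
    printf 'infected=%s\n' "$n"
    printf '%s\n' "$report" | found_files
    [ "$n" -eq 0 ]
}

# Real scan: -r recurses, -i prints only infected files. Assumes clamscan on PATH.
run_scan() {
    clamscan -r -i "$1" 2>&1 | scan_verdict
}
```

For an unattended job that should keep evidence, clamscan's --move=DIR quarantines detected files instead of deleting them as --remove (used later on this page) does.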

Simulated virus file

Download the virus-simulation test file from eicar.org and see whether clamav can detect it.

  [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
  --2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.com
  Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
  Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 68 [application/octet-stream]
  Saving to: ‘eicar.com’

  100%[===============================================================================================================================>] 68 --.-K/s in 0s

  2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68]

  [root@liumiaocn ~]# ls
  anaconda-ks.cfg eicar.com
  [root@liumiaocn ~]# pwd
  /root

Rescan

Scan again to see whether the newly downloaded virus test file is detected. The result contains "/root/eicar.com: Eicar-Test-Signature FOUND" together with "Infected files: 1", which shows the test file was detected.

  [root@liumiaocn ~]# clamscan /root
  LibClamAV Warning: **************************************************
  LibClamAV Warning: *** The virus database is older than 7 days! ***
  LibClamAV Warning: *** Please update it as soon as possible. ***
  LibClamAV Warning: **************************************************
  /root/.bash_logout: OK
  /root/.bash_profile: OK
  /root/.bashrc: OK
  /root/.cshrc: OK
  /root/.tcshrc: OK
  /root/anaconda-ks.cfg: OK
  /root/.bash_history: OK
  /root/eicar.com: Eicar-Test-Signature FOUND

  ----------- SCAN SUMMARY -----------
  Known viruses: 4490129
  Engine version: 0.99.2
  Scanned directories: 1
  Scanned files: 8
  Infected files: 1
  Data scanned: 0.00 MB
  Data read: 0.00 MB (ratio 0.00:1)
  Time: 21.129 sec (0 m 21 s)
  [root@liumiaocn ~]#

By default, however, clamscan only detects and does not delete the file automatically.

  [root@liumiaocn ~]# ls
  anaconda-ks.cfg eicar.com
  [root@liumiaocn ~]#

Scan and remove infected files

With the --remove option, the detected file is deleted directly.

  [root@liumiaocn ~]# clamscan --remove /root
  LibClamAV Warning: **************************************************
  LibClamAV Warning: *** The virus database is older than 7 days! ***
  LibClamAV Warning: *** Please update it as soon as possible. ***
  LibClamAV Warning: **************************************************
  /root/.bash_logout: OK
  /root/.bash_profile: OK
  /root/.bashrc: OK
  /root/.cshrc: OK
  /root/.tcshrc: OK
  /root/anaconda-ks.cfg: OK
  /root/.bash_history: OK
  /root/eicar.com: Eicar-Test-Signature FOUND
  /root/eicar.com: Removed.

  ----------- SCAN SUMMARY -----------
  Known viruses: 4490129
  Engine version: 0.99.2
  Scanned directories: 1
  Scanned files: 8
  Infected files: 1
  Data scanned: 0.00 MB
  Data read: 0.00 MB (ratio 0.00:1)
  Time: 23.546 sec (0 m 23 s)
  [root@liumiaocn ~]# ls
  anaconda-ks.cfg
  [root@liumiaocn ~]#

Installing from source

With the yum repository install, updating the virus database still requires manual steps at present, so a source install is worth considering.

Download the source

Item                Command
Download            wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz

Extract

Item                Command
Extract             tar xvpf clamav-0.99.2.tar.gz
Change directory    cd clamav-0.99.2

Build dependencies

Item                Command
Install gcc         yum install gcc -y
Install openssl     yum install openssl openssl-devel -y
Create directory    mkdir -p /usr/local/clamav

config & make & make install

Item                Command
config              ./configure --prefix=/usr/local/clamav
make                make
make install        make install

Post-install check

  [root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/bin
  clamav-config clambc clamconf clamdscan clamscan freshclam sigtool
  [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --version
  ClamAV 0.99.2
  [root@liumiaocn clamav-0.99.2]#

Note: if clamscan is run for a scan at this point, it reports the following problem.

  [root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /root
  LibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamav
  ERROR: Can't get file status

  ----------- SCAN SUMMARY -----------
  Known viruses: 0
  Engine version: 0.99.2
  Scanned directories: 0
  Scanned files: 0
  Infected files: 0
  Data scanned: 0.00 MB
  Data read: 0.00 MB (ratio 0.00:1)
  Time: 0.002 sec (0 m 0 s)
  [root@liumiaocn clamav-0.99.2]#

A look at the source shows the cause is simple: a usable virus database file is needed, and the user and group permissions must also be set. The overall order is:

Step      Action
Step 1    Create the user and group
Step 2    Create the directories and set permissions
Step 3    Copy and edit the configuration files
Step 4    Update the virus database
Step 5    Scan for viruses

Configuration

Step 1: Create the user and group

Item              Command
Create group      groupadd clamav
Create user       useradd -g clamav clamav

Step 2: Create the directories and set permissions

Create the directories

Directory    Purpose
logs         Log files
database     The updated virus database
worktmp      Temporary and state files such as pid files

  [root@liumiaocn clamav]# pwd
  /usr/local/clamav
  [root@liumiaocn clamav]# ls
  bin etc include lib64 sbin share
  [root@liumiaocn clamav]# mkdir -p logs database worktmp
  [root@liumiaocn clamav]#

Set permissions

  [root@liumiaocn clamav]# pwd
  /usr/local/clamav
  [root@liumiaocn clamav]# chown clamav:clamav database
  [root@liumiaocn clamav]#

Step 3: Copy and edit the configuration files

Copy the samples to create the configuration files

Directory                Source file              Target file
/usr/local/clamav/etc    clamd.conf.sample        clamd.conf
/usr/local/clamav/etc    freshclam.conf.sample    freshclam.conf

  [root@liumiaocn etc]# pwd
  /usr/local/clamav/etc
  [root@liumiaocn etc]# cp clamd.conf.sample clamd.conf
  [root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf
  [root@liumiaocn etc]# ls
  clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
  [root@liumiaocn etc]#

Create the virus database update log file

  [root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log
  [root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log
  [root@liumiaocn etc]#

Edit the files

  [root@liumiaocn etc]# ls
  clamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample
  [root@liumiaocn etc]# vi clamd.conf
  [root@liumiaocn etc]# vi freshclam.conf
  [root@liumiaocn etc]# diff clamd.conf clamd.conf.sample
  14c14
  < LogFile /usr/local/clamav/logs/clamd.log
  ---
  > #LogFile /tmp/clamd.log
  66c66
  < PidFile /var/clamav/worktmp/clamd.pid
  ---
  > #PidFile /var/run/clamd.pid
  74c74
  < DatabaseDirectory /var/lib/clamav/database
  ---
  > #DatabaseDirectory /var/lib/clamav
  [root@liumiaocn etc]#
  [root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample
  8c8
  < #Example
  ---
  > Example
  13c13
  < DatabaseDirectory /usr/local/clamav/database/
  ---
  > #DatabaseDirectory /var/lib/clamav
  17c17
  < UpdateLogFile /usr/local/clamav/logs/freshclam.log
  ---
  > #UpdateLogFile /var/log/freshclam.log
  51c51
  < PidFile /usr/local/clamav/worktmp/freshclam.pid
  ---
  > #PidFile /var/run/freshclam.pid
  [root@liumiaocn etc]#

In fact, for this example only freshclam.conf needs to be set correctly for ClamAV to work, since only freshclam and clamscan are run here; clamd is never started, so the PidFile and DatabaseDirectory paths written into clamd.conf above, which do not match the directories created under /usr/local/clamav, are not exercised.

Update the virus database

Once freshclam.conf is configured, running the freshclam command fetches the virus database over the network into the database directory; the first update takes a little while.

  [root@liumiaocn etc]# /usr/local/clamav/bin/freshclam
  ClamAV update process started at Fri Aug 4 22:39:40 2017
  Trying host database.clamav.net (69.12.162.28)...
  Downloading main.cvd [100%]
  main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
  Downloading daily.cvd [100%]
  daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)
  Downloading bytecode.cvd [100%]
  bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
  Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)
  [root@liumiaocn etc]#

After the update

  [root@liumiaocn clamav]# pwd
  /usr/local/clamav
  [root@liumiaocn clamav]# ls database/
  bytecode.cvd daily.cvd main.cvd mirrors.dat
  [root@liumiaocn clamav]#

Scan for viruses

Download the virus test file

  [root@liumiaocn ~]# ls
  anaconda-ks.cfg
  [root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com
  --2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.com
  Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
  Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 68 [application/octet-stream]
  Saving to: ‘eicar.com’

  100%[===============================================================================================================================>] 68 --.-K/s in 0.001s

  2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68]

  [root@liumiaocn ~]# ls
  anaconda-ks.cfg eicar.com
  [root@liumiaocn ~]#

Scan and remove infected files

  [root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root
  /root/.bash_logout: OK
  /root/.bash_profile: OK
  /root/.bashrc: OK
  /root/.cshrc: OK
  /root/.tcshrc: OK
  /root/anaconda-ks.cfg: OK
  /root/.bash_history: OK
  /root/eicar.com: Eicar-Test-Signature FOUND
  /root/eicar.com: Removed.

  ----------- SCAN SUMMARY -----------
  Known viruses: 6123265
  Engine version: 0.101.2
  Scanned directories: 1
  Scanned files: 3
  Infected files: 0
  Data scanned: 0.12 MB
  Data read: 0.06 MB (ratio 1.88:1)
  Time: 49.224 sec (0 m 49 s)

  [root@liumiaocn ~]#
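The five steps above, written as shell functions so the layout can be rebuilt the same way on every host. This is an added example, not the post's own script; it assumes the source build was installed under /usr/local/clamav as above, create_clamav_layout, update_database and scan_dir need root and a real install, and configure_freshclam_conf applies the same four freshclam.conf edits as the diff in Step 3 to a constructed four-line stand-in for freshclam.conf.sample so it can be checked offline.

```shell
# Added example, not the post's own script: Steps 1-5 of the source-install
# setup as functions; paths follow the post (PREFIX=/usr/local/clamav).
PREFIX=${PREFIX:-/usr/local/clamav}

# Step 1 + Step 2: service account, then logs/database/worktmp, with the
# database directory and update log owned by clamav. Needs root.
create_clamav_layout() {
    getent group clamav >/dev/null || groupadd clamav
    id clamav >/dev/null 2>&1 || useradd -g clamav clamav
    mkdir -p "$PREFIX/logs" "$PREFIX/database" "$PREFIX/worktmp"
    touch "$PREFIX/logs/freshclam.log"
    chown clamav:clamav "$PREFIX/database" "$PREFIX/logs/freshclam.log"
}

# Step 3: derive freshclam.conf from the sample with the same four edits as the
# diff above (comment out "Example"; set DatabaseDirectory, UpdateLogFile and
# PidFile under the prefix). Arguments: sample file, output file, prefix.
configure_freshclam_conf() {
    sed -e 's/^Example$/#Example/' \
        -e "s|^#DatabaseDirectory .*|DatabaseDirectory $3/database/|" \
        -e "s|^#UpdateLogFile .*|UpdateLogFile $3/logs/freshclam.log|" \
        -e "s|^#PidFile .*|PidFile $3/worktmp/freshclam.pid|" \
        "$1" > "$2"
}

# freshclam refuses to run while the "Example" line is active, so check that it
# is commented out and that a database directory is set.
freshclam_conf_ready() {
    ! grep -q '^Example$' "$1" && grep -q '^DatabaseDirectory ' "$1"
}

# Step 4 and Step 5 with the binaries built under the prefix. Need root.
update_database() { "$PREFIX/bin/freshclam"; }
scan_dir() { "$PREFIX/bin/clamscan" -r "$1"; }

# Offline check on a constructed four-line stand-in for freshclam.conf.sample:
# prints the generated file; returns 0 only if it passes freshclam_conf_ready.
demo_configure() {
    dir=$(mktemp -d)
    printf '%s\n' 'Example' '#DatabaseDirectory /var/lib/clamav' \
        '#UpdateLogFile /var/log/freshclam.log' '#PidFile /var/run/freshclam.pid' \
        > "$dir/freshclam.conf.sample"
    configure_freshclam_conf "$dir/freshclam.conf.sample" "$dir/freshclam.conf" "$PREFIX"
    freshclam_conf_ready "$dir/freshclam.conf" && cat "$dir/freshclam.conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```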

Summary

ClamAV offers a convenient command line for integration and keeps its virus database up to date, giving an open-source security setup one more option.
