clamav

ClamAV is an open-source antivirus engine that detects viruses, malware, trojans and other threats; it is one of the most widely used antivirus tools on Linux.

Website: https://www.clamav.net/

Source repository: https://github.com/Cisco-Talos/clamav

Standalone host

Installing with yum

Install

$ yum install clamav
Update the virus database
$ freshclam
clamscan options
Options:
--no-summary                 do not print the summary statistics
-r/--recursive[=yes/no]      scan subdirectories recursively
--log=FILE/-l FILE           also write the scan report to FILE
--move [path]                move infected files to the given directory
--remove[=yes/no]            delete infected files
--quiet                      only print error messages
--infected/-i                only print infected files
--suppress-ok-results/-o     skip printing files that scanned OK
--bell                       sound the terminal bell when a virus is found
--unzip(unrar)               unpack archives and scan their contents

-- help
/data/clamav/bin/clamscan --help

-- scan the files in the current directory (the default) and print the summary statistics
/data/clamav/bin/clamscan

-- scan all directories and files under the current directory and print the summary statistics
/data/clamav/bin/clamscan -r

-- scan all directories and files under /data and print the summary statistics
/data/clamav/bin/clamscan -r /data

-- scan all directories and files under /data and print only the problematic results
/data/clamav/bin/clamscan -r --bell -i /data

-- scan all directories and files under /data without printing the summary statistics
/data/clamav/bin/clamscan --no-summary -ri /data

-- delete the infected files found during the scan
/data/clamav/bin/clamscan -r --remove

-- sound the bell when a virus is found during the scan
/data/clamav/bin/clamscan -r --bell -i

-- scan and move the infected files found to the given directory
/data/clamav/bin/clamscan -r --move [path]

-- print the infected files found by the scan; an infected file is listed with FOUND after its name
/data/clamav/bin/clamscan -r --infected
Scanning several directories at once with clamscan; one suspicious file is found and identified as coin-mining software.

Infected files is the number of infected files.

$ clamscan -i -r /sbin/ /lib/ /lib64/ /opt/
/opt/new.tgz: Multios.Coinminer.Miner-6781728-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8645206
Engine version: 0.103.7
Scanned directories: 17534
Scanned files: 198620
Infected files: 1
Data scanned: 7138.50 MB
Data read: 4982.75 MB (ratio 1.43:1)
Time: 2089.282 sec (34 m 49 s)
Start Date: 2022:12:01 01:34:20
End Date:   2022:12:01 02:09:10
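When clamscan runs unattended (cron, a job scheduler, a CI step), the report above has to be turned into structured data and a decision rather than read by eye. The following Python is an added example, not code from this page or from the ClamAV project: parse_clamscan_report() splits a report into the FOUND findings and the SCAN SUMMARY fields, and triage() combines that with clamscan's exit status (0 no threat found, 1 threat found, 2 error, as documented in clamscan(1)) and cross-checks the Infected files counter against the FOUND lines, so a truncated or partially failed report does not pass as clean. SAMPLE_REPORT is a constructed report modelled on the output shown above; the /tmp/constructed-sample.sh path and the Constructed.Test.Signature name are made up.

```python
from typing import Dict, List, Tuple

# Constructed sample report, modelled on the clamscan output shown on this page.
SAMPLE_REPORT = """\
/opt/new.tgz: Multios.Coinminer.Miner-6781728-2 FOUND
/tmp/constructed-sample.sh: Constructed.Test.Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8645206
Engine version: 0.103.7
Scanned directories: 17534
Scanned files: 198620
Infected files: 2
Data scanned: 7138.50 MB
Data read: 4982.75 MB (ratio 1.43:1)
Time: 2089.282 sec (34 m 49 s)
Start Date: 2022:12:01 01:34:20
End Date:   2022:12:01 02:09:10
"""

SUMMARY_BANNER = "SCAN SUMMARY"

# clamscan exit status values, as documented in clamscan(1).
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2


def parse_clamscan_report(text: str) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Split a clamscan report into (findings, summary).

    findings: (path, signature) pairs taken from lines ending in ' FOUND'
    summary:  the 'Key: value' pairs below the SCAN SUMMARY banner
    """
    findings: List[Tuple[str, str]] = []
    summary: Dict[str, str] = {}
    in_summary = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if SUMMARY_BANNER in line:
            in_summary = True
            continue
        if not line:
            continue
        if in_summary:
            # Split on the first ':' only; values such as dates contain more colons.
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip()] = value.strip()
        elif line.endswith(" FOUND"):
            # Split from the right so a path that itself contains ': ' stays intact.
            path, _, signature = line[:-len(" FOUND")].rpartition(": ")
            findings.append((path, signature))
    return findings, summary


def triage(exit_status: int, report: str) -> Dict[str, object]:
    """Combine clamscan's exit status with its report into one verdict record."""
    findings, summary = parse_clamscan_report(report)
    counted = int(summary.get("Infected files", "0"))
    verdict = {EXIT_CLEAN: "clean", EXIT_INFECTED: "infected", EXIT_ERROR: "error"}.get(
        exit_status, "unknown"
    )
    # Defensive cross-check: the counter and the FOUND lines must agree. A mismatch
    # usually means truncated output or a report from a scan that did not finish.
    consistent = counted == len(findings)
    return {
        "verdict": verdict,
        "infected_files": counted,
        "findings": findings,
        "engine_version": summary.get("Engine version"),
        "consistent": consistent,
    }
```

Run the real scanner with subprocess.run(["clamscan", "-i", "-r", path], capture_output=True, text=True) and pass result.returncode and result.stdout to triage(); a record whose consistent flag is False deserves an alert on its own, because the summary then does not match what the scan actually reported.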

Offline installation and configuration

Download the source and build it

wget http://www.clamav.net/downloads/production/clamav-0.103.7.tar.gz  # 0.103.7 is the LTS release
tar xf clamav-0.103.7.tar.gz
cd clamav-0.103.7
mkdir /opt/clamav
./configure --prefix=/opt/clamav
make
make install
Create the clamav user. If ClamAV is started as root it drops privileges and runs as the clamav user. The shell is set to /sbin/nologin, so the account cannot be used to log in and does not weaken the system.

If ClamAV is run as an ordinary user anyway, pass --disable-clamav to configure at build time and the user does not need to be created.

useradd clamav -s /sbin/nologin -M
Set up the directories
# create the log directory
mkdir /opt/clamav/logs

# create the virus database directory
mkdir /opt/clamav/database

# create the clamd runtime directory
mkdir /opt/clamav/run

# create the log files
touch /opt/clamav/logs/freshclam.log
touch /opt/clamav/logs/clamd.log

# change ownership of the directories and log files
chown clamav:clamav /opt/clamav/run/
chown clamav:clamav /opt/clamav/database/
chown clamav:clamav /opt/clamav/logs/*
Configure the ClamAV conf files
cd /opt/clamav/etc/

# scanner (clamd) configuration
cp clamd.conf.sample clamd.conf

# virus database update (freshclam) configuration
cp freshclam.conf.sample freshclam.conf

vim /opt/clamav/etc/clamd.conf
#Example  // comment out this line
# add the following
LogFile /opt/clamav/logs/clamd.log
PidFile /opt/clamav/run/clamd.pid
DatabaseDirectory /opt/clamav/database/

vim /opt/clamav/etc/freshclam.conf
#Example  // comment out this line
# add the following
LogFile /opt/clamav/logs/freshclam.log
PidFile /opt/clamav/run/freshclam.pid
DatabaseDirectory /opt/clamav/database/


Download the virus databases
cd /opt/clamav/database/
wget http://database.clamav.net/main.cvd
wget http://database.clamav.net/daily.cvd
wget http://database.clamav.net/bytecode.cvd
chown clamav:clamav *
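The three .cvd files downloaded above are the whole signature set of an offline installation, so it is worth checking what was actually fetched before handing it to clamd. A .cvd is a 512-byte text header followed by a gzip-compressed tar of the signature files; the header carries the database version, the signature count, the functionality level the engine needs, an MD5 of the compressed payload and a digital signature. The Python below is an added example, not code from this page or the ClamAV project: parse_cvd_header() reads those fields and inspect_cvd() checks the payload MD5 and lists the bundled files. The MD5 only detects a corrupt or truncated download; authenticity rests on the dsig field, which freshclam, clamscan and sigtool verify themselves and which is not re-implemented here. build_constructed_cvd() produces a constructed CVD-shaped file with made-up signature lines purely so the parser can be exercised offline.

```python
import hashlib
import io
import tarfile
from typing import Dict

CVD_HEADER_LEN = 512  # fixed-size text header that precedes the compressed payload


def parse_cvd_header(header: bytes) -> Dict[str, object]:
    """Parse the 512-byte CVD header.

    Colon-separated layout:
      ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:<md5>:<dsig>:<builder>[:<build seconds>]
    The build time writes its clock value with '-', so splitting on ':' is safe.
    """
    text = header.rstrip(b"\0 \r\n").decode("ascii")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a CVD header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "signatures": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5].lower(),
        "dsig": fields[6],
        "builder": fields[7],
    }


def inspect_cvd(data: bytes) -> Dict[str, object]:
    """Return the header fields, whether the payload matches the header MD5, and the member list.

    The MD5 covers everything after the header. It catches corruption or truncation
    only; the dsig (not verified here) is what establishes authenticity.
    """
    if len(data) <= CVD_HEADER_LEN:
        raise ValueError("file too short to be a CVD")
    info = parse_cvd_header(data[:CVD_HEADER_LEN])
    payload = data[CVD_HEADER_LEN:]
    info["md5_ok"] = hashlib.md5(payload).hexdigest() == info["md5"]
    info["members"] = []
    if info["md5_ok"]:  # only unpack a payload whose checksum is intact
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
            info["members"] = sorted(m.name for m in tar.getmembers())
    return info


def build_constructed_cvd(version: int, files: Dict[str, str], builder: str = "constructed") -> bytes:
    """Build a CVD-shaped file for offline testing. Constructed; not a real database."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            blob = body.encode("ascii")
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    payload = buf.getvalue()
    nsigs = sum(len(body.splitlines()) for body in files.values())
    header = ":".join([
        "ClamAV-VDB", "01 Jan 2024 00-00 +0000", str(version), str(nsigs), "90",
        hashlib.md5(payload).hexdigest(), "unsigned-constructed", builder, "0",
    ]).encode("ascii")
    if len(header) > CVD_HEADER_LEN:
        raise ValueError("header too long")
    return header.ljust(CVD_HEADER_LEN, b" ") + payload
```

On a real download, compare the version and signature count that inspect_cvd() reports with what sigtool --info daily.cvd prints and with the "remote version" freshclam reports, and check that the functionality level does not exceed what the installed engine supports before pointing DatabaseDirectory at the files.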

Singularity image

# pull the image
$ singularity pull docker://clamav/clamav

# runtime directory; the logs, databases and so on are kept here
$ mkdir run

# update the virus database
$ singularity exec -B run/:/var/log/clamav/ -B run/:/var/lib/clamav  clamav_latest.sif  freshclam
ClamAV update process started at Fri Aug 25 02:01:24 2023
daily database available for download (remote version: 27010)
Time:    2.0s, ETA:    0.0s [========================>]   58.83MiB/58.83MiB
Testing database: '/var/lib/clamav/tmp.ab57170b1c/clamav-186f59d844a36252a86dd5b68f844455.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 27010, sigs: 2039992, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time:    6.9s, ETA:    0.0s [========================>]  162.58MiB/162.58MiB
Testing database: '/var/lib/clamav/tmp.ab57170b1c/clamav-349b1a901371f269808f4559c1e7fef3.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 334)
Time:    0.5s, ETA:    0.0s [========================>]  285.12KiB/285.12KiB
Testing database: '/var/lib/clamav/tmp.ab57170b1c/clamav-7eb63bac83d0da06e3fdc8f13d492184.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
WARNING: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd.sock: No such file or directory

# bind the host's /usr/bin/ directory to /opt/ inside the image and scan it
$ singularity exec -B run/:/var/log/clamav/ -B run/:/var/lib/clamav  -B /usr/bin/:/opt/  clamav_latest.sif  clamscan  -i -r /opt/
/opt/h64: Unix.Malware.Agent-1395347 FOUND
/opt/cb.pl: Win.Trojan.Perlscript-1 FOUND
/opt/run32: Unix.Malware.Agent-6331225-0 FOUND
/opt/run64: Unix.Ircbot.Ircbot-9938780-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8671882
Engine version: 1.1.1
Scanned directories: 1
Scanned files: 2191
Infected files: 4
Total errors: 7
Data scanned: 457.77 MB
Data read: 424.00 MB (ratio 1.08:1)
Time: 84.537 sec (1 m 24 s)
Start Date: 2023:08:25 02:09:32
End Date:   2023:08:25 02:10:56

Remote service

When several machines need to be scanned, one server node can download and update the virus database and run the scanning service, and the client nodes call the server's scanning service to scan their local files.

server

Install

yum install clamav-server clamav
Edit the configuration file
$ vim /etc/clamd.d/scan.conf
# change the following items and leave the rest unchanged
LogFile /var/log/clamd.scan
LogSyslog yes
TCPSocket 3310
TCPAddr 192.168.1.100 # the internal-network IP on which the client nodes reach the server node
Update the virus database
$ freshclam
Start the scanning service
$ clamd
Check that the service port is listening
$ lsof -i:3310
COMMAND   PID     USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
clamd   30362 clamscan    6u  IPv4 132979614      0t0  TCP login02:dyna-access (LISTEN)
After the virus database has been updated, run clamdscan --reload so that the clamd service reloads the database.
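The client section below uses clamdscan, but any program can talk to clamd directly over the TCPSocket configured above: commands are sent as text (the 'z' prefix and NUL terminator make the reply boundary unambiguous), and INSTREAM lets a client stream file contents to the server in length-prefixed chunks, so the file never has to exist on the server's filesystem. Note that this socket carries no authentication: anything that can reach port 3310 can submit scans and commands, so TCPAddr should stay on the internal interface and the port should be reachable only from the client nodes. The Python below is an added example, not code from this page or the ClamAV project. It implements PING and INSTREAM as a minimal client, and includes start_fake_clamd(), a constructed stand-in that answers just those two commands so the client can be exercised offline; the marker bytes and the Constructed.Test.Marker name are made up for the demonstration.

```python
import socket
import struct
import threading
from typing import Optional, Tuple

CHUNK_SIZE = 64 * 1024  # INSTREAM chunk size; keep the total below clamd's StreamMaxLength
# Constructed marker the stand-in server reacts to (not a real signature).
CONSTRUCTED_MARKER = b"CONSTRUCTED-CLAMD-TEST-MARKER"


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed the connection early")
        buf += part
    return buf


def clamd_request(host: str, port: int, command: str,
                  payload: Optional[bytes] = None, timeout: float = 30.0) -> str:
    """Send one 'z'-prefixed, NUL-terminated command and return clamd's reply text.
    For INSTREAM the payload follows as big-endian uint32 length-prefixed chunks,
    terminated by a zero-length chunk."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"z" + command.encode("ascii") + b"\0")
        if payload is not None:
            for off in range(0, len(payload), CHUNK_SIZE):
                chunk = payload[off:off + CHUNK_SIZE]
                s.sendall(struct.pack(">I", len(chunk)) + chunk)
            s.sendall(struct.pack(">I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("utf-8", errors="replace")


def ping(host: str, port: int) -> bool:
    """Health check: clamd answers PING with PONG."""
    return clamd_request(host, port, "PING") == "PONG"


def scan_bytes(host: str, port: int, data: bytes) -> Tuple[str, Optional[str]]:
    """Scan in-memory data via INSTREAM; returns ('OK' | 'FOUND' | 'ERROR', detail)."""
    reply = clamd_request(host, port, "INSTREAM", payload=data)
    # Replies look like 'stream: OK', 'stream: <signature> FOUND' or 'stream: <msg> ERROR'.
    _, _, status = reply.partition(": ")
    if status == "OK":
        return "OK", None
    if status.endswith(" FOUND"):
        return "FOUND", status[:-len(" FOUND")]
    return "ERROR", reply


def start_fake_clamd(marker: bytes = CONSTRUCTED_MARKER) -> Tuple[socket.socket, int]:
    """Constructed stand-in for clamd (PING and INSTREAM only) on a random 127.0.0.1 port.
    It flags any stream containing `marker`. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def read_command(conn: socket.socket) -> bytes:
        # One byte at a time, so no bytes of a following INSTREAM chunk are swallowed.
        cmd = b""
        while not cmd.endswith(b"\0"):
            b = conn.recv(1)
            if not b:
                break
            cmd += b
        return cmd.rstrip(b"\0")

    def handle(conn: socket.socket) -> None:
        with conn:
            cmd = read_command(conn)
            if cmd == b"zPING":
                conn.sendall(b"PONG\0")
            elif cmd == b"zINSTREAM":
                body = b""
                while True:
                    (length,) = struct.unpack(">I", _recv_exact(conn, 4))
                    if length == 0:
                        break
                    body += _recv_exact(conn, length)
                hit = marker in body
                conn.sendall(b"stream: Constructed.Test.Marker FOUND\0" if hit else b"stream: OK\0")
            else:
                conn.sendall(b"UNKNOWN COMMAND\0")

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed
                return
            handle(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]
```

Against the real service, ping("192.168.1.100", 3310) is a cheap liveness probe for monitoring, and scan_bytes() with the contents of an uploaded file is how an application (a mail gateway, an upload handler) gets a verdict without writing the file where clamd can read it.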

client

The client can simply be installed with yum install clamav.

If the client nodes and the server node share a directory /share/, the following approach is recommended, since it avoids installing and configuring ClamAV on every client:

$ mkdir -p /share/clamav/lib/
$ scp server:/usr/bin/clamdscan /share/clamav/
$ scp server:/usr/lib64/{libprelude.so.28,libclamav.so.9,libclammspack.so.0} /share/clamav/lib/
$ cat > /share/clamav/scan.conf <<EOF
TCPSocket 3310
TCPAddr 192.168.1.100
EOF
Use the server's scanning service to scan the local /tmp/ directory; one suspicious file is found.
$ LD_LIBRARY_PATH=/share/clamav/lib/ /share/clamav/clamdscan --config-file=/share/clamav/scan.conf -i /tmp/
/tmp/mihner: Multios.Coinminer.Miner-6781728-2 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Total errors: 0
Time: 553.301 sec (9 m 13 s)
Start Date: 2022:12:01 17:10:46
End Date:   2022:12:01 17:19:59
Quick reference: all steps in one place

# install with yum
yum install clamav
yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd


# install from source
useradd clamav -s /sbin/nologin -M

wget http://www.clamav.net/downloads/production/clamav-0.103.7.tar.gz
tar xf clamav-0.103.7.tar.gz
cd clamav-0.103.7
./configure --prefix=/opt/clamav
make
make install
cd  /opt/clamav/etc/
cp clamd.conf.sample clamd.conf
cp freshclam.conf.sample freshclam.conf

vim /opt/clamav/etc/clamd.conf
LogFile /opt/clamav/logs/clamd.log
PidFile /opt/clamav/run/clamd.pid
DatabaseDirectory /opt/clamav/database/

vim /opt/clamav/etc/freshclam.conf
LogFile /opt/clamav/logs/freshclam.log
PidFile /opt/clamav/run/freshclam.pid
DatabaseDirectory /opt/clamav/database/


mkdir -p /opt/clamav/logs /opt/clamav/database /opt/clamav/run
touch /opt/clamav/logs/freshclam.log
touch /opt/clamav/logs/clamd.log

chown clamav:clamav /opt/clamav/run/
chown clamav:clamav /opt/clamav/database/
chown clamav:clamav /opt/clamav/logs/*
chmod u+w /opt/clamav/logs/*

cd /opt/clamav/database/
wget http://database.clamav.net/main.cvd
wget http://database.clamav.net/daily.cvd
wget http://database.clamav.net/bytecode.cvd




# update the virus database
$ freshclam

# scan /sbin, /lib, /lib64 and /opt recursively and print only the infected files
$ clamscan -i -r /sbin/ /lib/ /lib64/ /opt/
/opt/new.tgz: Multios.Coinminer.Miner-6781728-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8645206
Engine version: 0.103.7
Scanned directories: 17534
Scanned files: 198620
Infected files: 1
Data scanned: 7138.50 MB
Data read: 4982.75 MB (ratio 1.43:1)
Time: 2089.282 sec (34 m 49 s)
Start Date: 2022:12:01 01:34:20
End Date:   2022:12:01 02:09:10