ClamAV是一个C语言开发的开源病毒扫描工具用于检测木马/病毒/恶意软件等。可以在线更新病毒库,Linux系统的病毒较少,但是并不意味着病毒免疫,尤其是对于诸如邮件或者归档文件中夹杂的病毒往往更加难以防范,而ClamAV则能起到不少作用。
ClamAV相关信息如下:
| 项目 | 详细 |
|---|---|
| 官方地址 | http://www.clamav.net/ |
| 下载地址 | http://www.clamav.net/downloads |
| 当前稳定版本 | 0.99.2 |
功能特性
| 项目 | 详细 |
|---|---|
| 主要用途 | 邮件网关的病毒扫描,内建支持多种邮件格式 |
| 高性能 | 提供多线程的扫描进程 |
| 命令行 | 提供密令行扫描方式 |
| 扫描对象 | 可以对要发送的邮件或者文件进行扫描 |
| 文件格式 | 支持多种文件格式 |
| 病毒库更新频度 | 一天多次病毒库的更新 |
| 归档文件 | 支持扫描多种归档文件,比如Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS等 |
| 文档 | 支持流行的文档文件,比如: MS Office文件,MacOffice文件, HTML, Flash, RTF,PDF |
安装方式
| 项目 | 详细 |
|---|---|
| CENTOS/RHEL | yum -y install clamav |
| Ubuntu/Debian | apt-get install clamav |
注意:centos上的clamd是在epel-release下,需要现行安装epel-release。 如果使用源码安装方式的话,保证C编译器和ZLIB等存在的情况下对源码./configure->make->make install即可。
安装日志
[root@liumiaocn ~]# yum -y install epel-releaseLoaded plugins: fastestmirror... Package : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7Running transaction checkRunning transaction testTransaction test succeededRunning transaction Installing : epel-release-7-9.noarch 1/1 Verifying : epel-release-7-9.noarch 1/1 Installed: epel-release.noarch 0:7-9 Complete![root@liumiaocn ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
[root@liumiaocn ~]# yum -y install clamavLoaded plugins: fastestmirror...Running transaction Installing : clamav-filesystem-0.99.2-8.el7.noarch 1/4 Installing : clamav-data-0.99.2-8.el7.noarch 2/4 Installing : clamav-lib-0.99.2-8.el7.x86_64 3/4 Installing : clamav-0.99.2-8.el7.x86_64 4/4 Verifying : clamav-lib-0.99.2-8.el7.x86_64 1/4 Verifying : clamav-data-0.99.2-8.el7.noarch 2/4 Verifying : clamav-0.99.2-8.el7.x86_64 3/4 Verifying : clamav-filesystem-0.99.2-8.el7.noarch 4/4 Installed: clamav.x86_64 0:0.99.2-8.el7 Dependency Installed: clamav-data.noarch 0:0.99.2-8.el7 clamav-filesystem.noarch 0:0.99.2-8.el7 clamav-lib.x86_64 0:0.99.2-8.el7 Complete![root@liumiaocn ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
版本确认
[root@liumiaocn ~]# clamscan --versionClamAV 0.99.2/21723/Mon Jun 13 09:53:00 2016[root@liumiaocn ~]#
- 1
- 2
- 3
扫描
使用clamscan命令行对某一目录进行扫描,可以确认结果是否OK,同时会给出一个扫描的总体信息,其中Infected files是扫描出来的被感染的文件个数。比如如下示例表明对/root目录下的文件进行扫描,未发现感染文件的情况。
[root@liumiaocn ~]# clamscan /rootLibClamAV Warning: **************************************************LibClamAV Warning: *** The virus database is older than 7 days! ***LibClamAV Warning: *** Please update it as soon as possible. ***LibClamAV Warning: **************************************************/root/.bash_logout: OK/root/.bash_profile: OK/root/.bashrc: OK/root/.cshrc: OK/root/.tcshrc: OK/root/anaconda-ks.cfg: OK/root/.bash_history: OK----------- SCAN SUMMARY -----------Known viruses: 4490129Engine version: 0.99.2Scanned directories: 1Scanned files: 7Infected files: 0Data scanned: 0.00 MBData read: 0.00 MB (ratio 0.00:1)Time: 19.365 sec (0 m 19 s)[root@liumiaocn ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
注意:此处提示“The virus database is older than 7 days!”的原因在于病毒库没有及时更新。因为使用yum缺省安装目前的版本似乎不会自动安装freshclam的病毒库更新功能,后面我们会使用源码安装方式来解决这个问题。
模拟病毒文件
从eicar.org下载一个用于模拟病毒的文件,看一下clamav是否能够扫描出来
[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com--2017-08-02 23:03:10-- http://www.eicar.org/download/eicar.comResolving www.eicar.org (www.eicar.org)... 213.211.198.62Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.HTTP request sent, awaiting response... 200 OKLength: 68 [application/octet-stream]Saving to: ‘eicar.com’100%[===============================================================================================================================>] 68 --.-K/s in 0s 2017-08-02 23:03:20 (318 KB/s) - ‘eicar.com’ saved [68/68][root@liumiaocn ~]# lsanaconda-ks.cfg eicar.com[root@liumiaocn ~]# pwd/root
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
重新扫描
重新扫描看是否能够检测出新下载的病毒测试文件。进过测试,发现结果中提示“/root/eicar.com: Eicar-Test-Signature FOUND”,同时“Infected files: 1”,说明此病毒文件被检测出来了
[root@liumiaocn ~]# clamscan /rootLibClamAV Warning: **************************************************LibClamAV Warning: *** The virus database is older than 7 days! ***LibClamAV Warning: *** Please update it as soon as possible. ***LibClamAV Warning: **************************************************/root/.bash_logout: OK/root/.bash_profile: OK/root/.bashrc: OK/root/.cshrc: OK/root/.tcshrc: OK/root/anaconda-ks.cfg: OK/root/.bash_history: OK/root/eicar.com: Eicar-Test-Signature FOUND----------- SCAN SUMMARY -----------Known viruses: 4490129Engine version: 0.99.2Scanned directories: 1Scanned files: 8Infected files: 1Data scanned: 0.00 MBData read: 0.00 MB (ratio 0.00:1)Time: 21.129 sec (0 m 21 s)[root@liumiaocn ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
但是缺省的方式下,clamscan只会检测不会自动删除文件
[root@liumiaocn ~]# lsanaconda-ks.cfg eicar.com[root@liumiaocn ~]#
- 1
- 2
- 3
扫描并删除感染文件
使用–remove选项,会直接删除检测出来的文件。
[root@liumiaocn ~]# clamscan --remove /rootLibClamAV Warning: **************************************************LibClamAV Warning: *** The virus database is older than 7 days! ***LibClamAV Warning: *** Please update it as soon as possible. ***LibClamAV Warning: **************************************************/root/.bash_logout: OK/root/.bash_profile: OK/root/.bashrc: OK/root/.cshrc: OK/root/.tcshrc: OK/root/anaconda-ks.cfg: OK/root/.bash_history: OK/root/eicar.com: Eicar-Test-Signature FOUND/root/eicar.com: Removed.----------- SCAN SUMMARY -----------Known viruses: 4490129Engine version: 0.99.2Scanned directories: 1Scanned files: 8Infected files: 1Data scanned: 0.00 MBData read: 0.00 MB (ratio 0.00:1)Time: 23.546 sec (0 m 23 s)[root@liumiaocn ~]# lsanaconda-ks.cfg[root@liumiaocn ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
源码安装方式
目前使用yum源安装病毒库的更新相关的仍需手动操作,所以可以考虑使用源码安装方式。
下载源码
| 项目 | 详细 |
|---|---|
| 下载命令 | wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz |
解压
| 项目 | 详细 |
|---|---|
| 解压命令 | tar xvpf clamav-0.99.2.tar.gz |
| 变更目录 | cd clamav-0.99.2 |
编译前依赖
| 项目 | 详细 |
|---|---|
| 安装gcc | yum install gcc -y |
| 安装openssl | yum install openssl openssl-devel -y |
| 创建目录 | mkdir -p /usr/local/clamav |
config & make & make install
| 项目 | 详细 |
|---|---|
| config | ./configure –prefix=/usr/local/clamav |
| make | make |
| make install | make install |
安装后确认
[root@liumiaocn clamav-0.99.2]# ls /usr/local/clamav/binclamav-config clambc clamconf clamdscan clamscan freshclam sigtool[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan --versionClamAV 0.99.2[root@liumiaocn clamav-0.99.2]#
- 1
- 2
- 3
- 4
- 5
注意:此时如果执行clamscan进行扫描,会提示如下问题。
[root@liumiaocn clamav-0.99.2]# /usr/local/clamav/bin/clamscan /rootLibClamAV Error: cl_load(): No such file or directory: /usr/local/clamav/share/clamavERROR: Can't get file status----------- SCAN SUMMARY -----------Known viruses: 0Engine version: 0.99.2Scanned directories: 0Scanned files: 0Infected files: 0Data scanned: 0.00 MBData read: 0.00 MB (ratio 0.00:1)Time: 0.002 sec (0 m 0 s)[root@liumiaocn clamav-0.99.2]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
查看源码之后发现其实很简单,此时需要有可用的病毒库文件,同时用户和组的权限也需要设定。整体的顺序按照:
| 项目 | 详细 |
|---|---|
| Step 1 | 创建用户和组 |
| Step 2 | 创建目录并设定权限 |
| Step 3 | 拷贝和更新设定文件 |
| Step 4 | 更新病毒库 |
| Step 5 | 扫描病毒 |
设定
Step 1: 创建用户和组
| 项目 | 详细 |
|---|---|
| 创建group | groupadd clamav |
| 创建用户 | useradd -g clamav clamav |
Step 2: 创建目录并设定权限
创建目录
| 目录 | 详细 |
|---|---|
| logs | 存放日志信息 |
| database | 存放更新病毒库信息 |
| worktmp | 存放pid等临时文件或状态文件信息 |
[root@liumiaocn clamav]# pwd/usr/local/clamav[root@liumiaocn clamav]# lsbin etc include lib64 sbin share[root@liumiaocn clamav]# mkdir -p logs database worktmp[root@liumiaocn clamav]#
- 1
- 2
- 3
- 4
- 5
- 6
设定权限
[root@liumiaocn clamav]# pwd/usr/local/clamav[root@liumiaocn clamav]# chown clamav:clamav database[root@liumiaocn clamav]#
- 1
- 2
- 3
- 4
Step 3: 拷贝和更新设定文件
拷贝生成设定文件
| 目录 | 源文件 | 目标文件 |
|---|---|---|
| /usr/local/clamav/etc | clamd.conf.sample | clamd.conf |
| /usr/local/clamav/etc | freshclam.conf.sample | freshclam.conf |
[root@liumiaocn etc]# pwd/usr/local/clamav/etc[root@liumiaocn etc]# cp clamd.conf.sample clamd.conf[root@liumiaocn etc]# cp freshclam.conf.sample freshclam.conf[root@liumiaocn etc]# lsclamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample[root@liumiaocn etc]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
生成病毒库更新日志文件
[root@liumiaocn etc]# touch /usr/local/clamav/logs/freshclam.log[root@liumiaocn etc]# chown clamav:clamav /usr/local/clamav/logs/freshclam.log[root@liumiaocn etc]#
- 1
- 2
- 3
修改文件
[root@liumiaocn etc]# lsclamd.conf clamd.conf.sample freshclam.conf freshclam.conf.sample[root@liumiaocn etc]# vi clamd.conf[root@liumiaocn etc]# vi freshclam.conf[root@liumiaocn etc]# diff clamd.conf clamd.conf.sample14c14< LogFile /usr/local/clamav/logs/clamd.log---> #LogFile /tmp/clamd.log66c66< PidFile /var/clamav/worktmp/clamd.pid---> #PidFile /var/run/clamd.pid74c74< DatabaseDirectory /var/lib/clamav/database---> #DatabaseDirectory /var/lib/clamav[root@liumiaocn etc]# [root@liumiaocn etc]# diff freshclam.conf freshclam.conf.sample 8c8< #Example---> Example13c13< DatabaseDirectory /usr/local/clamav/database/---> #DatabaseDirectory /var/lib/clamav17c17< UpdateLogFile /usr/local/clamav/logs/freshclam.log---> #UpdateLogFile /var/log/freshclam.log51c51< PidFile /usr/local/clamav/worktmp/freshclam.pid---> #PidFile /var/run/freshclam.pid[root@liumiaocn etc]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
其实本次示例中只需保证freshclam.conf文件正确设定即可保证ClamAV正常动作。
更新病毒库
在设定freshclam.conf之后,使用freshclam命令即可联网更新病毒库至database目录了, 首次更新稍微会花一点时间。
[root@liumiaocn etc]# /usr/local/clamav/bin/freshclam ClamAV update process started at Fri Aug 4 22:39:40 2017Trying host database.clamav.net (69.12.162.28)...Downloading main.cvd [100%]main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)Downloading daily.cvd [100%]daily.cvd updated (version: 23629, sigs: 1741893, f-level: 63, builder: neo)Downloading bytecode.cvd [100%]bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)Database updated (6308208 signatures) from database.clamav.net (IP: 69.12.162.28)[root@liumiaocn etc]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
更新之后
[root@liumiaocn clamav]# pwd/usr/local/clamav[root@liumiaocn clamav]# ls database/bytecode.cvd daily.cvd main.cvd mirrors.dat[root@liumiaocn clamav]#
- 1
- 2
- 3
- 4
- 5
扫描病毒
下载病毒测试文件
[root@liumiaocn ~]# lsanaconda-ks.cfg[root@liumiaocn ~]# wget http://www.eicar.org/download/eicar.com--2017-08-04 23:00:41-- http://www.eicar.org/download/eicar.comResolving www.eicar.org (www.eicar.org)... 213.211.198.62Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.HTTP request sent, awaiting response... 200 OKLength: 68 [application/octet-stream]Saving to: ‘eicar.com’100%[===============================================================================================================================>] 68 --.-K/s in 0.001s 2017-08-04 23:00:43 (92.3 KB/s) - ‘eicar.com’ saved [68/68][root@liumiaocn ~]# lsanaconda-ks.cfg eicar.com[root@liumiaocn ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
扫描并删除感染文件
[root@liumiaocn ~]# /usr/local/clamav/bin/clamscan --remove /root/root/.bash_logout: OK/root/.bash_profile: OK/root/.bashrc: OK/root/.cshrc: OK/root/.tcshrc: OK/root/anaconda-ks.cfg: OK/root/.bash_history: OK/root/eicar.com: Eicar-Test-Signature FOUND/root/eicar.com: Removed.----------- SCAN SUMMARY -----------Known viruses: 6302548Engine version: 0.99.2Scanned directories: 1Scanned files: 8Infected files: 1Data scanned: 0.01 MBData read: 0.00 MB (ratio 2.00:1)Time: 22.310 sec (0 m 22 s)[root@liumiaocn ~]# lsanaconda-ks.cfg[root@liumiaocn ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
总结
ClamAV提供和方便的命令行方式进行集成,保持更新的病毒库,给开源的安全方案提供了一种选择。
再分享一下我老师大神的人工智能教程吧。零基础!通俗易懂!风趣幽默!还带黄段子!希望你也加入到我们人工智能的队伍中来!https://blog.csdn.net/jiangjunshow