Deploying the ClamAV antivirus scanner on Linux
0. Preface
Because of a business partnership, the other party requires us to submit audit materials, which must include the virus-scan status of our Linux hosts. This post records one deployment and use of ClamAV for that purpose.
1. Introduction to ClamAV
ClamAV is an open-source engine for detecting viruses, trojans, malware and other threats. It supports Windows, Linux and macOS, and the ClamAV community provides free, continuously updated virus signature databases, so it can be deployed once and used for the long term.
ClamAV on GitHub: https://github.com/Cisco-Talos/clamav
2. Deploying ClamAV
2.1. Installing the software
2.1.1 Installing the ClamAV packages
yum install epel-release -y # the EPEL repository is required before clamav can be installed
yum install clamav clamd -y # install clamav
2.1.2 ClamAV components
An installed ClamAV consists of the following main components:
clamscan: manual (standalone) scanner
clamdscan: scanner that relies on the background clamd service
clamonacc: on-access scanner (real-time monitoring); configuration file /etc/clamd.d/scan.conf
clamd: background daemon for on-demand scanning; configuration file /etc/clamd.d/scan.conf
freshclam: signature database update tool; configuration file /etc/freshclam.conf
clamconf: configuration file generation tool
2.2. Updating the signature databases
2.2.1 Updating the signature databases manually with freshclam
[root@nginx /]# freshclam
ClamAV update process started at Fri Jun 2 03:40:51 2023
daily database available for download (remote version: 26925)
Time: 14.2s, ETA: 0.0s [========================>] 58.58MiB/58.58MiB
Testing database: '/var/lib/clamav/tmp.c8cfde0ed1/clamav-fb6b65e2404ef7e0d260cef6d262cf76.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26925, sigs: 2036167, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time: 35.2s, ETA: 0.0s [========================>] 162.58MiB/162.58MiB
Testing database: '/var/lib/clamav/tmp.c8cfde0ed1/clamav-6813737acbac914dcfaf6774368a10ad.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 334)
Time: 1.3s, ETA: 0.0s [========================>] 285.12KiB/285.12KiB
Testing database: '/var/lib/clamav/tmp.c8cfde0ed1/clamav-4a48d3d2b5a8a96d263c70c389d0e610.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
[root@nginx /]#
2.2.2 Enabling automatic background signature updates
# systemctl start clamav-freshclam
# systemctl enable clamav-freshclam
-- In /etc/freshclam.conf the default is already to update automatically every two hours:
# Number of database checks per day.
# Default: 12 (every two hours)
3. Virus scan test
3.1 Test samples
# Download the EICAR antivirus test file (a standard, harmless test sample with no offensive or damaging capability)
[root@nginx ~]# wget https://secure.eicar.org/eicar.com
--2023-06-02 13:06:32-- https://secure.eicar.org/eicar.com
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68
Saving to: 'eicar.com'
100%[===========================================================================================================================>] 68 --.-K/s in 0s
2023-06-02 13:06:33 (1.15 MB/s) - 'eicar.com' saved [68/68]
[root@nginx ~]#
# A webshell file
[root@nginx ~]# cat /root/evl.php
<?php @eval($_POST['cmd']); ?>
[root@nginx ~]#
3.2 Scanning
- The run below shows that clamscan detects the viruses, trojans and malware covered by its signature database (the EICAR sample is flagged), but it did not flag the webshell file created above.
[root@nginx ~]# clamscan /root/
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/evl.php: OK
/root/.viminfo: OK
----------- SCAN SUMMARY -----------
Known viruses: 8668050
Engine version: 0.103.8
Scanned directories: 1
Scanned files: 10
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 41.957 sec (0 m 41 s)
Start Date: 2023:06:02 13:34:27
End Date: 2023:06:02 13:35:09
[root@nginx ~]#
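As an added example (not part of the original post and not ClamAV's own tooling), the script below closes the webshell gap seen above by supplementing the official databases with a custom NDB signature, then runs clamscan with both databases and extracts the infected-file count for the audit report. It assumes clamscan is installed as in section 2.1, that the official databases live in freshclam's default directory /var/lib/clamav, and that the signature names, patterns and the /etc/clamd.d/custom-webshell.ndb path are constructed for illustration.

```shell
#!/bin/sh
# Added example: custom ClamAV NDB signature plus a scan wrapper.
# Assumes clamscan is installed and the official databases are in
# /var/lib/clamav (freshclam's default). Signature names are constructed.

# Emit one NDB signature line: SigName:TargetType:Offset:HexSignature
#   TargetType 0 = any file type, Offset * = match anywhere in the file.
# The pattern is a literal string, hex-encoded byte by byte with od(1).
make_ndb_sig() {
    name=$1
    pattern=$2
    hex=$(printf '%s' "$pattern" | od -An -v -tx1 | tr -d ' \n')
    printf '%s:0:*:%s\n' "$name" "$hex"
}

# Write a small custom database covering the eval()-based webshell
# from section 3.1 (patterns constructed for this example).
write_custom_db() {
    {
        make_ndb_sig 'Webshell.PHP.EvalPost'    '@eval($_POST'
        make_ndb_sig 'Webshell.PHP.EvalRequest' 'eval($_REQUEST'
    } > "$1"
}

# Pull the "Infected files: N" figure out of a clamscan report; 0 if absent.
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${n:-0}"
}

# Scan a directory with the official databases plus the custom one and
# keep the full report for the audit. Returns clamscan's own exit status:
# 0 = clean, 1 = infected file(s) found, 2 = error. The custom database is
# kept outside /var/lib/clamav so it is not loaded twice.
scan_dir() {
    target=$1
    report=$2
    custom_db=${3:-/etc/clamd.d/custom-webshell.ndb}
    write_custom_db "$custom_db"
    if clamscan -r -i --stdout -d /var/lib/clamav -d "$custom_db" \
            --log="$report" "$target"; then
        status=0
    else
        status=$?
    fi
    echo "infected files in $target: $(infected_count "$report")"
    return "$status"
}

# Usage, e.g. from cron:  scan_dir /root /var/log/clamav/root-scan.log
```

With the custom database loaded, the /root/evl.php file from section 3.1 is reported as Webshell.PHP.EvalPost FOUND instead of OK, and the saved report carries the SCAN SUMMARY block for the audit evidence.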
4. ClamAV commands
4.1 clamscan command-line options
[root@nginx ~]# clamscan --help
Clam AntiVirus: Scanner 0.103.8
By The ClamAV Team: https://www.clamav.net/about.html#credits
(C) 2022 Cisco Systems, Inc.
clamscan [options] [file/directory/-]
--help -h Show this help
--version -V Print version number
--verbose -v Be verbose
--archive-verbose -a Show filenames inside scanned archives
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr. Does not affect 'debug' messages.
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--suppress-ok-results -o Skip printing OK files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--gen-json[=yes/no(*)] Generate JSON description of scanned file(s). JSON will be printed and also-
dropped to the temp directory if --leave-temps is enabled.
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--allmatch[=yes/no(*)] -z Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX
--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] Load unsigned bytecode
**Caution**: You should NEVER run bytecode signatures from untrusted sources.
Doing so may result in arbitrary code execution.
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--structured-cc-mode=X CC mode (0=credit debit and private label, 1=credit cards only
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection
--heuristic-alerts[=yes(*)/no] Heuristic alerts
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-swf[=yes(*)/no] Scan SWF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-xmldocs[=yes(*)/no] Scan xml-based document files
--scan-hwp3[=yes(*)/no] Scan HWP3 files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF)
--alert-broken-media[=yes/no(*)] Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
--alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents
--alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives
--alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents
--alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros
--alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit
--alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs
--alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs
--alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections
--nocerts Disable authenticode certificate chain verification in PE files
--dumpcerts Dump authenticode certificate chain in PE files
--max-scantime=#n Scan time longer than this will be skipped and assumed clean (milliseconds)
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level
--max-embeddedpe=#n Maximum size file to check for embedded PE
--max-htmlnormalize=#n Maximum size of HTML file to normalize
--max-htmlnotags=#n Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n Maximum size of script file to normalize
--max-ziptypercg=#n Maximum size zip to type reanalyze
--max-partitions=#n Maximum number of partitions in disk image to be scanned
--max-iconspe=#n Maximum number of icons in PE file to be scanned
--max-rechwp3=#n Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.
--disable-cache Disable caching and cache checks for hash sums of scanned files.
Pass in - as the filename for stdin.
(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.
[root@nginx ~]#