扫描Linux服务器查找恶意软件和rootkit的一款工具
官网
参考
官网安装教程:
wget https://www.clamav.net/downloads/production/clamav-0.101.1.tar.gz
tar -zxvf clamav-0.101.1.tar.gz -C /usr/local/
cd /usr/local/clamav-0.101.1/
yum -y install libxml2 libxml2-devel openssl*
./configure && make && make check && make install #必须安装gcc
#复制freshclam示例配置
cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
sed -i "s/^Example/# Example/" /usr/local/etc/freshclam.conf
sed -i "s/#LogTime/LogTime/" /usr/local/etc/freshclam.conf
sed -i "s/#LogRotate/LogRotate/" /usr/local/etc/freshclam.conf
sed -i "s/#NotifyClamd \/path\/to\/clamd.conf/NotifyClamd \/usr\/local\/etc\/clamd.conf/" /usr/local/etc/freshclam.conf
sed -i "s/#DatabaseOwne/DatabaseOwne/" /usr/local/etc/freshclam.conf
#创建数据库目录
mkdir /usr/local/share/clamav
#复制clamd 配置(可选)
cp /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf
sed -i "s/^Example/# Example/" /usr/local/etc/clamd.conf
sed -i "s/#TCPSocket/TCPSocket/" /usr/local/etc/clamd.conf
sed -i "s/#LogTime/LogTime/" /usr/local/etc/clamd.conf
sed -i "s/#LogClean/LogClean/" /usr/local/etc/clamd.conf
sed -i "s/#LogRotate/LogRotate/" /usr/local/etc/clamd.conf
sed -i "s/#User/User/" /usr/local/etc/clamd.conf #这一步的用户是clamav用户,
sed -i "s/#ScanOnAccess/ScanOnAccess/" /usr/local/etc/clamd.conf
sed -i "s/#OnAccessIncludePath \/home/OnAccessIncludePath \/home/" /usr/local/etc/clamd.conf
sed -i "s/#OnAccessExcludePath \/home\/bofh/OnAccessExcludePath \/home\/bofh/" /usr/local/etc/clamd.conf
sed -i "s/#OnAccessPrevention/OnAccessPrevention/" /usr/local/etc/clamd.conf
#创建用户
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav
chown -R clamav:clamav /usr/local/share/clamav #最后设置数据库目录的用户所有权
#下载/更新签名数据库
freshclam
clamscan用法:
clamscan [options] [file/directory/-]
常见的选项:
注:使用clamscan --help 或者 man clamscan 都能查到帮助
--log=FILE 将扫描报告保存到FILE
--database=FILE/DIR 从FILE加载病毒数据库或从DIR加载所有支持的db文件
--official-db-only[=yes/no(*)] 只加载官方签名
--max-filesize=#n 将跳过大于此的文件并假定为干净
--max-scansize=#n 要扫描每个容器文件的最大数据量
--leave-temps[=yes/no(*)] 不要删除临时文件
--file-list=FILE 从文件中扫描文件
--quiet 仅输出错误消息
--bell 病毒检测的响铃
--cross-fs[=yes(*)/no] 扫描其他文件系统上的文件和目录
--move=DIRECTORY 将受感染的文件移至DIRECTORY
--copy=DIRECTORY 将受感染的文件复制到DIRECTORY中
--bytecode-timeout=N 设置字节码超时(以毫秒为单位)
--heuristic-alerts[=yes(*)/no] 切换启发式警报
--alert-encrypted[=yes/no(*)] 警告加密档案和文件
--nocerts 在PE文件中禁用authenticode证书链验证
--disable-cache 禁用缓存和缓存检查扫描文件的哈希值
示例:
-r:递归扫描,-i:只显示被感染的文件