
Deploying the ClamAV antivirus scanner on Linux

Posted: 2023-06-02 14:25:08  Views: 57
Tags: files no -- scan ClamAV scanning Linux yes root

0. Preface

For a business partnership, the other party required us to submit review materials that had to include the virus-scan status of our Linux hosts, so this post records one deployment and use of ClamAV.

1. About ClamAV

ClamAV is an open-source engine for detecting viruses, trojans, malware and other threats. It supports Windows, Linux and macOS, and the ClamAV community provides free, continuously updated signature databases, so a single deployment can be used over the long term.
ClamAV on GitHub: https://github.com/Cisco-Talos/clamav

2. Deploying ClamAV

2.1. Installation

2.1.1 Installing the ClamAV packages

yum install epel-release -y # the EPEL repository must be enabled before clamav can be installed
yum install clamav clamd -y # install the scanner and the clamd daemon

2.1.2 ClamAV components

An installed ClamAV consists of the following main components:
clamscan: the stand-alone, manually invoked scanner
clamdscan: a scanner that relies on the clamd background service
clamonacc: the on-access scanner (real-time monitoring); configured in /etc/clamd.d/scan.conf
clamd: the background daemon for on-demand scanning; configured in /etc/clamd.d/scan.conf
freshclam: the signature database update tool; configured in /etc/freshclam.conf
clamconf: the configuration file generator

2.2. Updating the signature databases

2.2.1 Updating the databases manually with freshclam

[root@nginx /]# freshclam
ClamAV update process started at Fri Jun  2 03:40:51 2023
daily database available for download (remote version: 26925)
Time:   14.2s, ETA:    0.0s [========================>]   58.58MiB/58.58MiB
Testing database: '/var/lib/clamav/tmp.c8cfde0ed1/clamav-fb6b65e2404ef7e0d260cef6d262cf76.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26925, sigs: 2036167, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time:   35.2s, ETA:    0.0s [========================>]  162.58MiB/162.58MiB
Testing database: '/var/lib/clamav/tmp.c8cfde0ed1/clamav-6813737acbac914dcfaf6774368a10ad.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 334)
Time:    1.3s, ETA:    0.0s [========================>]  285.12KiB/285.12KiB
Testing database: '/var/lib/clamav/tmp.c8cfde0ed1/clamav-4a48d3d2b5a8a96d263c70c389d0e610.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
[root@nginx /]#

2.2.2 Enabling automatic background database updates

# systemctl start clamav-freshclam
# systemctl enable clamav-freshclam

-- In /etc/freshclam.conf the default is already to check for updates every two hours:
# Number of database checks per day.
# Default: 12 (every two hours)

3. Virus scan test

3.1 Test samples

# Download the EICAR anti-virus test file (harmless; it is not real malware)
[root@nginx ~]# wget https://secure.eicar.org/eicar.com
--2023-06-02 13:06:32--  https://secure.eicar.org/eicar.com
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68
Saving to: 'eicar.com'

100%[===========================================================================================================================>] 68          --.-K/s   in 0s

2023-06-02 13:06:33 (1.15 MB/s) - 'eicar.com' saved [68/68]

[root@nginx ~]#

# A webshell file
[root@nginx ~]# cat /root/evl.php
<?php @eval($_POST['cmd']); ?>
[root@nginx ~]#

3.2 Virus scan

  • The test below shows that clamscan can detect viruses, trojans and other malware (the EICAR sample is flagged), but it does not detect the webshell file.
[root@nginx ~]# clamscan /root/
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bash_history: OK
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/evl.php: OK
/root/.viminfo: OK

----------- SCAN SUMMARY -----------
Known viruses: 8668050
Engine version: 0.103.8
Scanned directories: 1
Scanned files: 10
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 41.957 sec (0 m 41 s)
Start Date: 2023:06:02 13:34:27
End Date:   2023:06:02 13:35:09
[root@nginx ~]#
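As an added example (not from the original post), the POSIX shell script below wraps the scan shown above so it can run unattended and hands back something a reviewer or a monitoring job can consume: the list of FOUND files, the infected count from the summary, and a verdict derived from clamscan's exit status (0 = no threats, 1 = threats found, 2 = error). The clamscan flags (-r, -i, --log) come from the --help listing later in the post; the target directory, the log path and the sample report embedded for offline use are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a thin wrapper around clamscan
# whose parsing functions can be exercised without ClamAV installed.

# Print "path<TAB>signature" for every detection line in a clamscan report (stdin).
# A detection line looks like: /root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
parse_found() {
    awk '/ FOUND$/ {
        sig = $(NF-1)                    # signature name is the token before FOUND
        sub(/: [^ ]* FOUND$/, "", $0)    # strip ": <sig> FOUND", leaving the path
        printf "%s\t%s\n", $0, sig
    }'
}

# Print the N from the "Infected files: N" line of the scan summary (stdin).
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2; exit }'
}

# Map clamscan's exit status to a one-word verdict.
verdict() {
    case "$1" in
        0) echo clean ;;      # scan completed, nothing found
        1) echo infected ;;   # at least one file matched a signature
        *) echo error ;;      # 2 (or anything else): the scan did not complete cleanly
    esac
}

# Recursively scan a directory, printing only infected files and keeping a full
# log. Returns clamscan's exit status so the caller can act on the verdict.
# Default target and log path are assumptions.
scan_dir() {
    target="${1:-/root}"
    log="${2:-/var/log/clamscan-$(date +%Y%m%d).log}"
    clamscan -r -i --log="$log" "$target"
}

# Constructed sample report mirroring the output in the post; used so the
# parsing functions above can be run offline.
SAMPLE_REPORT='/root/.bashrc: OK
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/evl.php: OK

----------- SCAN SUMMARY -----------
Known viruses: 8668050
Scanned files: 3
Infected files: 1'

case "${1:-}" in
    --demo)
        # Parse the constructed sample instead of running a scan.
        printf '%s\n' "$SAMPLE_REPORT" | parse_found
        printf 'infected files: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | infected_count)"
        ;;
    --scan)
        # Real scan: sh scan.sh --scan /root [/path/to/log]
        shift
        scan_dir "$@"
        rc=$?
        echo "verdict: $(verdict "$rc")"
        ;;
esac
```

Run it as `sh scan.sh --demo` to see the parser on the sample, or `sh scan.sh --scan /root` on a host with ClamAV installed. Acting on the exit status rather than grepping for "FOUND" is what lets a cron job or CI step fail loudly when a scan errors out (status 2) instead of silently reporting "clean".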

4. ClamAV commands

4.1 clamscan command-line options

[root@nginx ~]# clamscan --help

                       Clam AntiVirus: Scanner 0.103.8
           By The ClamAV Team: https://www.clamav.net/about.html#credits
           (C) 2022 Cisco Systems, Inc.

    clamscan [options] [file/directory/-]

    --help                -h             Show this help
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --archive-verbose     -a             Show filenames inside scanned archives
    --debug                              Enable libclamav's debug messages
    --quiet                              Only output error messages
    --stdout                             Write to stdout instead of stderr. Does not affect 'debug' messages.
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --suppress-ok-results -o             Skip printing OK files
    --bell                               Sound bell on virus detection

    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]            Do not remove temporary files
    --gen-json[=yes/no(*)]               Generate JSON description of scanned file(s). JSON will be printed and also-
                                         dropped to the temp directory if --leave-temps is enabled.
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load all supported db files from DIR
    --official-db-only[=yes/no(*)]       Only load official signatures
    --log=FILE            -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
    --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
    --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
    --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
    --file-list=FILE      -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                 Remove infected files. Be careful!
    --move=DIRECTORY                     Move infected files into DIRECTORY
    --copy=DIRECTORY                     Copy infected files into DIRECTORY
    --exclude=REGEX                      Don't scan file names matching REGEX
    --exclude-dir=REGEX                  Don't scan directories matching REGEX
    --include=REGEX                      Only scan file names matching REGEX
    --include-dir=REGEX                  Only scan directories matching REGEX

    --bytecode[=yes(*)/no]               Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
                                         **Caution**: You should NEVER run bytecode signatures from untrusted sources.
                                         Doing so may result in arbitrary code execution.
    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
    --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
    --exclude-pua=CAT                    Skip PUA sigs of category CAT
    --include-pua=CAT                    Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N             Min SSN count to generate a detect
    --structured-cc-count=N              Min CC count to generate a detect
    --structured-cc-mode=X               CC mode (0=credit debit and private label, 1=credit cards only
    --scan-mail[=yes(*)/no]              Scan mail files
    --phishing-sigs[=yes(*)/no]          Enable email signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]     Enable URL signature-based phishing detection
    --heuristic-alerts[=yes(*)/no]       Heuristic alerts
    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
    --normalize[=yes(*)/no]              Normalize html, script, and text files. Use normalize=no for yara compatibility
    --scan-pe[=yes(*)/no]                Scan PE files
    --scan-elf[=yes(*)/no]               Scan ELF files
    --scan-ole2[=yes(*)/no]              Scan OLE2 containers
    --scan-pdf[=yes(*)/no]               Scan PDF files
    --scan-swf[=yes(*)/no]               Scan SWF files
    --scan-html[=yes(*)/no]              Scan HTML files
    --scan-xmldocs[=yes(*)/no]           Scan xml-based document files
    --scan-hwp3[=yes(*)/no]              Scan HWP3 files
    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
    --alert-broken[=yes/no(*)]           Alert on broken executable files (PE & ELF)
    --alert-broken-media[=yes/no(*)]     Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
    --alert-encrypted[=yes/no(*)]        Alert on encrypted archives and documents
    --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives
    --alert-encrypted-doc[=yes/no(*)]    Alert on encrypted documents
    --alert-macros[=yes/no(*)]           Alert on OLE2 files containing VBA macros
    --alert-exceeds-max[=yes/no(*)]      Alert on files that exceed max file size, max scan size, or max recursion limit
    --alert-phishing-ssl[=yes/no(*)]     Alert on emails containing SSL mismatches in URLs
    --alert-phishing-cloak[=yes/no(*)]   Alert on emails containing cloaked URLs
    --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections
    --nocerts                            Disable authenticode certificate chain verification in PE files
    --dumpcerts                          Dump authenticode certificate chain in PE files

    --max-scantime=#n                    Scan time longer than this will be skipped and assumed clean (milliseconds)
    --max-filesize=#n                    Files larger than this will be skipped and assumed clean
    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
    --max-files=#n                       The maximum number of files to scan for each container file (**)
    --max-recursion=#n                   Maximum archive recursion level for container file (**)
    --max-dir-recursion=#n               Maximum directory recursion level
    --max-embeddedpe=#n                  Maximum size file to check for embedded PE
    --max-htmlnormalize=#n               Maximum size of HTML file to normalize
    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n             Maximum size of script file to normalize
    --max-ziptypercg=#n                  Maximum size zip to type reanalyze
    --max-partitions=#n                  Maximum number of partitions in disk image to be scanned
    --max-iconspe=#n                     Maximum number of icons in PE file to be scanned
    --max-rechwp3=#n                     Maximum recursive calls to HWP3 parsing function
    --pcre-match-limit=#n                Maximum calls to the PCRE match function.
    --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.
    --pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matching.
    --disable-cache                      Disable caching and cache checks for hash sums of scanned files.

Pass in - as the filename for stdin.

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
   files inside. The above options ensure safe processing of this kind of data.

[root@nginx ~]#
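Section 3.2 showed that the stock databases do not flag the test webshell, and the --database/-d option listed above loads additional signature files. As an added example (not the post's own code, nor ClamAV's), the script below writes a custom body signature in ClamAV's .ndb format for the `@eval($_POST` idiom from the post's test file and loads it with -d. The signature name, the database path and the hex helper are assumptions; ClamAV's own `sigtool --hex-dump` produces the same hex encoding.

```shell
#!/bin/sh
# Added example, not part of the original post: author a local ClamAV .ndb
# signature and scan with it. Record format is
#   MalwareName:TargetType:Offset:HexSignature
# where TargetType 0 means "any file" and Offset * means "anywhere in the file".

# Hex-encode a string; ClamAV body signatures are written as hex byte strings.
# (Equivalent to: printf '%s' "$1" | sigtool --hex-dump)
to_hex() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Build one .ndb record from a signature name and the plain-text pattern.
ndb_sig() {
    printf '%s:0:*:%s\n' "$1" "$(to_hex "$2")"
}

# Write the local database. The path and the signature name (ClamAV's naming
# convention is Platform.Category.Name) are assumptions.
write_db() {
    db="${1:-/var/lib/clamav/local.ndb}"
    ndb_sig 'Php.Webshell.EvalPost.Local' '@eval($_POST' > "$db"
    echo "$db"
}

# Scan a path with only the local signature loaded. Passing -d with a single
# file replaces the default database set, which is fast and proves the rule
# matches; omit -d to scan with the stock databases plus this file, since
# clamscan loads every database found in /var/lib/clamav by default.
scan_with_local() {
    db=$(write_db)
    clamscan -i -d "$db" "${1:-/root}"
}

# Usage on a host with ClamAV installed:  sh local_sig.sh /root
if [ -n "${1:-}" ] && command -v clamscan >/dev/null 2>&1; then
    scan_with_local "$1"
fi
```

Placing the .ndb file in /var/lib/clamav means both default clamscan runs and clamd (after a reload) pick it up, and freshclam leaves it alone because it only manages the official .cvd/.cld files. Before deploying a pattern this short, scan a known-clean code base with it to measure false positives; a byte-match rule has no context and will flag any file containing the string.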

From: https://www.cnblogs.com/amsilence/p/17451631.html
