


Installing ClamAV, the open-source antivirus for Linux
ClamAV
http://www.clamav.net/lang/en/
CentOS 6.3
http://www.centos.org/
Kernel: 2.6.32-358.2.1.el6.x86_64
With maintenance in mind, I have recently been installing from packages wherever possible
(honestly, I just want an easy life ^^;)
ClamAV is included in the EPEL repository, so install that first.
EPEL
http://fedoraproject.org/wiki/EPEL
Download
http://dl.fedoraproject.org/pub/epel/
Look up the latest release of the repository package here.
This machine is CentOS 6.3 x86_64, so the package is http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- Install EPEL
- Install ClamAV
- Edit /etc/clamd.conf
- Start clamd
- Start clamd automatically at boot
- Update the virus definition files
- Run freshclam automatically
- Run a virus scan
- Check with a test virus
- Script for periodic scans
```
[root@host1 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm を取得中
警告: /var/tmp/rpm-tmp.Zall1t: ヘッダ V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
準備中...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@host1 ~]# ls -l /etc/yum.repos.d/
合計 24
-rw-r--r--. 1 root root 1926  2月 25 17:57 2013 CentOS-Base.repo
-rw-r--r--. 1 root root  638  2月 25 17:57 2013 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root  630  2月 25 17:57 2013 CentOS-Media.repo
-rw-r--r--. 1 root root 3664  2月 25 17:57 2013 CentOS-Vault.repo
-rw-r--r--. 1 root root 1056 11月  5 12:52 2012 epel-testing.repo
-rw-r--r--. 1 root root  957 11月  5 12:52 2012 epel.repo
[root@host1 ~]# cat /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
(snip)
```
Available packages
```
[root@host1 ~]# yum list | grep clam
clamav.i686                          0.97.7-1.el6    epel
clamav.x86_64                        0.97.7-1.el6    epel
clamav-db.x86_64                     0.97.7-1.el6    epel
clamav-devel.i686                    0.97.7-1.el6    epel
clamav-devel.x86_64                  0.97.7-1.el6    epel
clamav-milter.x86_64                 0.97.7-1.el6    epel
clamav-unofficial-sigs.noarch        3.7.1-6.el6     epel
clamd.x86_64                         0.97.7-1.el6    epel
clamsmtp.x86_64                      1.10-6.el6      epel
clamz.x86_64                         0.5-0.el6       epel
claws-mail-plugins-clamd.x86_64      3.9.0-2.el6     epel
```
Installing clamd pulls in clamav and clamav-db as dependencies, so specifying clamd is enough.
```
[root@host1 ~]# yum install clamd
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: ftp.jaist.ac.jp
 * epel: ftp.jaist.ac.jp
 * extras: ftp.jaist.ac.jp
 * updates: ftp.jaist.ac.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package clamd.x86_64 0:0.97.7-1.el6 will be installed
--> Processing Dependency: clamav = 0.97.7-1.el6 for package: clamd-0.97.7-1.el6.x86_64
--> Processing Dependency: libclamav.so.6(CLAMAV_PUBLIC)(64bit) for package: clamd-0.97.7-1.el6.x86_64
--> Processing Dependency: libclamav.so.6(CLAMAV_PRIVATE)(64bit) for package: clamd-0.97.7-1.el6.x86_64
--> Processing Dependency: libclamav.so.6()(64bit) for package: clamd-0.97.7-1.el6.x86_64
--> Running transaction check
---> Package clamav.x86_64 0:0.97.7-1.el6 will be installed
--> Processing Dependency: clamav-db = 0.97.7-1.el6 for package: clamav-0.97.7-1.el6.x86_64
--> Running transaction check
---> Package clamav-db.x86_64 0:0.97.7-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch         Version               Repository     Size
================================================================================
Installing:
 clamd           x86_64       0.97.7-1.el6          epel          132 k
Installing for dependencies:
 clamav          x86_64       0.97.7-1.el6          epel           10 M
 clamav-db       x86_64       0.97.7-1.el6          epel           52 M

Transaction Summary
================================================================================
Install       3 Package(s)

Total download size: 63 M
Installed size: 68 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): clamav-0.97.7-1.el6.x86_64.rpm                    |  10 MB     00:05
(2/3): clamav-db-0.97.7-1.el6.x86_64.rpm                 |  52 MB     00:29
(3/3): clamd-0.97.7-1.el6.x86_64.rpm                     | 132 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.8 MB/s |  63 MB     00:35
警告: rpmts_HdrFromFdno: ヘッダ V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid : EPEL (6) <epel@fedoraproject.org>
 Package: epel-release-6-8.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : clamav-db-0.97.7-1.el6.x86_64                                1/3
  Installing : clamav-0.97.7-1.el6.x86_64                                   2/3
  Installing : clamd-0.97.7-1.el6.x86_64                                    3/3
  Verifying  : clamd-0.97.7-1.el6.x86_64                                    1/3
  Verifying  : clamav-db-0.97.7-1.el6.x86_64                                2/3
  Verifying  : clamav-0.97.7-1.el6.x86_64                                   3/3

Installed:
  clamd.x86_64 0:0.97.7-1.el6

Dependency Installed:
  clamav.x86_64 0:0.97.7-1.el6          clamav-db.x86_64 0:0.97.7-1.el6

Complete!
```
Change the log file size limit, and change clamd so that it runs as root.
The default /etc/clamd.conf:
```
[root@host1 ~]# cat /etc/clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clam

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes

# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no

# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes


##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000


##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
# (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#ClamukoExcludeUID 0

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
#         This value is only available if clamav was built with --enable-debug!
#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
#                insert runtime safety checks for bytecode loaded from other sources
#       Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
#
# Default: 5000
# BytecodeTimeout 1000
```
For now I changed the log size limit to 10M. There are plenty of other fine-grained settings available here as well.
```
[root@host1 ~]# vi /etc/clamd.conf

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 10M

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clam
```
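The two edits above (a 10M log cap, and `User clam` commented out so clamd keeps root privileges) are easy to lose track of across reinstalls, and the default file also leaves `LocalSocketMode` commented out while enabling a TCP listener on 3310. The following audit script is an added example, not part of the original post: it reads the effective value of each directive (ignoring commented-out lines) and reports the settings a reviewer would flag. It assumes only POSIX sh and awk; the sample config produced by `write_sample_conf` is constructed to mirror the post's edits on top of the EPEL defaults.

```shell
#!/bin/sh
# Added example, not from the original post: audit the clamd.conf directives
# this post edits (LogFileMaxSize, User) together with the socket settings a
# reviewer checks first (TCPAddr, LocalSocketMode). Assumes only POSIX sh and
# awk; the sample config written by write_sample_conf is constructed.

# effective_value FILE DIRECTIVE: print the value of the last uncommented
# occurrence of DIRECTIVE (clamd.conf is "Directive value", one per line).
# Commented-out lines such as "#User clam" start with "#User", so they never match.
effective_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# audit_clamd_conf FILE: print one finding per line, nothing when clean.
audit_clamd_conf() {
    conf="$1"

    # No effective User line means clamd does not drop privileges after start,
    # so any parser bug in libclamav runs as root.
    [ -n "$(effective_value "$conf" User)" ] ||
        echo "User: unset, clamd keeps root privileges"

    # A TCP listener is only acceptable when it is bound to loopback.
    tcp=$(effective_value "$conf" TCPSocket)
    if [ -n "$tcp" ] && [ "$(effective_value "$conf" TCPAddr)" != "127.0.0.1" ]; then
        echo "TCPSocket $tcp: TCPAddr is not 127.0.0.1, port reachable from the network"
    fi

    # The unix socket is world accessible unless LocalSocketMode restricts it.
    if [ -n "$(effective_value "$conf" LocalSocket)" ] &&
       [ -z "$(effective_value "$conf" LocalSocketMode)" ]; then
        echo "LocalSocket: LocalSocketMode unset, socket is world accessible"
    fi

    # LogFileMaxSize 0 removes the size cap entirely.
    [ "$(effective_value "$conf" LogFileMaxSize)" != "0" ] ||
        echo "LogFileMaxSize 0: log file can grow without limit"
}

# write_sample_conf FILE: constructed config mirroring the post's edits
# (LogFileMaxSize raised, User commented out) on top of the EPEL defaults.
write_sample_conf() {
    cat > "$1" <<'EOF'
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 10M
LocalSocket /var/run/clamav/clamd.sock
#LocalSocketMode 660
TCPSocket 3310
TCPAddr 127.0.0.1
#User clam
EOF
}

# Run directly: audit the live file, or the constructed sample when it is absent.
if [ -r /etc/clamd.conf ]; then
    audit_clamd_conf /etc/clamd.conf
else
    tmp=$(mktemp) && write_sample_conf "$tmp" && audit_clamd_conf "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh clamd_audit.sh` on the host; on the post's configuration it reports the root-privilege and world-accessible-socket findings and stays silent about the loopback-bound TCP port and the 10M log cap.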
Start the clamd daemon
```
[root@host1 ~]# /etc/init.d/clamd start
Starting Clam AntiVirus Daemon:                            [  OK  ]
```
Enable clamd to start automatically at boot
```
[root@host1 ~]# chkconfig clamd on
[root@host1 ~]# chkconfig --list | grep clamd
clamd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
```
Check /etc/freshclam.conf, the configuration file for /usr/bin/freshclam (the command that updates the virus definition files); if the Example line is not already commented out as "#Example", comment it out.
```
[root@host1 ~]# cat /etc/freshclam.conf
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/clamav/freshclam.log

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
# Default: no
#LogTime yes

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clam

# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net

# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# You can use db.XY.ipv6.clamav.net for IPv6 connections.
#DatabaseMirror db.XY.clamav.net

# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror db.jp.clamav.net
DatabaseMirror db.local.clamav.net

# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5

# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes

# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb

# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24

# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString

# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd

# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf

# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command

# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command

# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60

# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60

# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes

# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# Freshclam will connect to clamd in order to get recent statistics.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf

# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code

# This option enables support for our "Personal Statistics" service.
# When this option is enabled, the information on malware detected by
# your clamd installation is made available to you through our website.
# To get your HostID, log on http://www.stats.clamav.net and add a new
# host to your host list. Once you have the HostID, uncomment this option
# and paste the HostID here. As soon as your freshclam starts submitting
# information to our stats collecting service, you will be able to view
# the statistics of this clamd installation by logging into
# http://www.stats.clamav.net with the same credentials you used to
# generate the HostID. For more information refer to:
# http://www.clamav.net/support/faq/faq-cctts/
# This feature requires SubmitDetectionStats to be enabled.
# Default: disabled
#DetectionStatsHostID unique-id

# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See http://code.google.com/support/bin/answer.py?answer=70015
# and http://safebrowsing.clamav.net for more information.
# Default: disabled
#SafeBrowsing yes

# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes

# Download an additional 3rd party signature database distributed through
# the ClamAV mirrors. Here you can find a list of available databases:
# http://www.clamav.net/download/cvd/3rdparty
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
```
Run freshclam
```
[root@host1 ~]# freshclam
ClamAV update process started at Sat Apr 20 13:08:17 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily-17046.cdiff [100%]
daily.cld updated (version: 17046, sigs: 1124676, f-level: 63, builder: guitar)
bytecode.cvd is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
Database updated (2169104 signatures) from db.jp.clamav.net (IP: 219.94.128.99)
```
freshclam is set up at install time to run automatically once a day from /etc/cron.daily/freshclam.
Be aware that CentOS 6 changed how these daily jobs are scheduled. /etc/cron.daily is no longer listed in /etc/crontab (CentOS 5 ran it at a fixed 04:02); it is now started by anacron from /etc/anacrontab (package cronie-anacron), which runs `run-parts /etc/cron.daily` once a day at a randomized time inside its START_HOURS_RANGE. A once-a-day update also means the signatures can lag the mirrors by up to a day; if that matters, run freshclam as a daemon (freshclam -d) instead, which polls the mirrors Checks times per day (12 by default in freshclam.conf).
[root@host1 ~]# ls -l /etc/cron.daily/
total 40
-rwxr-xr-x. 1 root root  133 Sep 21 21:34 2005 00webalizer
-rwxr-xr-x. 1 root root 2243 Nov 11 12:52 2010 certwatch
-rwxr-xr-x. 1 root root  118 Mar  1 18:43 2013 cups
-rwxr-xr-x. 1 root root  396 Mar 19 00:27 2013 freshclam
-rwxr-xr-x. 1 root root  196 Aug 16 01:26 2012 logrotate
-rwxr-xr-x. 1 root root  905 Feb 22 11:13 2013 makewhatis.cron
-rwxr-xr-x. 1 root root  174 Sep 24 21:39 2012 mlocate.cron
-rwxr-xr-x. 1 root root 2126 Apr 23 23:34 2010 prelink
-rwxr-xr-x. 1 root root  563 Aug 23 18:36 2010 readahead.cron
-rwxr-xr-x. 1 root root  365 Oct 16 14:52 2009 tmpwatch
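A failure of the daily freshclam job only shows up as a mail to root (MAILTO=root in /etc/anacrontab), which is easy to overlook, and the scanner then keeps running with stale signatures. The following is an added example, not part of the original post or of ClamAV: a small POSIX sh check that looks at the modification time of the daily signature file under /var/lib/clamav (the EPEL package's database directory; the path and the two-day limit are assumptions) and returns non-zero when it is older than the limit, so it can be run from cron or a monitoring agent. Only daily.cvd/daily.cld is checked because main.cvd and bytecode.cvd are rebuilt infrequently and would always look stale by this measure.

```shell
#!/bin/sh
# Added example, not from the original post or from ClamAV: warn when the
# daily signature database has not been refreshed. Directory and age limit
# are assumptions; /var/lib/clamav is where the EPEL package keeps its files.

DB_DIR="${DB_DIR:-/var/lib/clamav}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-2}"

# daily_db DIR: path of the daily signature file, or nothing if absent.
# freshclam downloads daily.cvd and, once it applies incremental .cdiff
# updates to it, replaces it with daily.cld (as in the freshclam run above).
daily_db() {
    if [ -f "$1/daily.cld" ]; then
        echo "$1/daily.cld"
    elif [ -f "$1/daily.cvd" ]; then
        echo "$1/daily.cvd"
    fi
}

# is_older_than FILE DAYS: succeed when FILE's mtime is more than DAYS days
# old. POSIX find -mtime +N is used rather than GNU stat so any sh will do.
is_older_than() {
    [ -n "$(find "$1" -mtime +"$2" -print)" ]
}

# check_db_fresh DIR DAYS: print a verdict; exit 0 fresh, 1 stale, 2 missing.
check_db_fresh() {
    db=$(daily_db "$1")
    if [ -z "$db" ]; then
        echo "CRITICAL: no daily.cvd or daily.cld in $1; has freshclam ever run?"
        return 2
    fi
    if is_older_than "$db" "$2"; then
        echo "WARNING: $db is older than $2 days; check /etc/cron.daily/freshclam"
        return 1
    fi
    echo "OK: $db refreshed within the last $2 days"
    return 0
}

# Run the check when executed directly (sourcing it only defines the functions).
case "$0" in
    */clamav_dbcheck.sh) check_db_fresh "$DB_DIR" "$MAX_AGE_DAYS" ;;
esac
```

Save it as clamav_dbcheck.sh and call it from an hourly cron entry or a monitoring agent; the exit codes 1 and 2 map directly onto WARNING and CRITICAL. To cross-check the mtime against the build time recorded inside the database itself, `sigtool --info /var/lib/clamav/daily.cld` prints it along with the signature count.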
The command that performs a scan is /usr/bin/clamscan.
As a first try I scanned /var/www, where most user data ends up, with --remove so that any infected file is deleted on the spot. Note that --remove deletes unconditionally and keeps no copy; on a web root a false positive would take live content with it, so --move=DIR (quarantine into a directory outside the scanned tree) is the safer choice. clamscan exits 0 when nothing was found, 1 when infected files were found and 2 on error, which is what a wrapper script should check:
[root@host1 ~]# clamscan -r --remove /var/www
/var/www/error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var: OK
(snip)
/var/www/icons/f.png: OK

----------- SCAN SUMMARY -----------
Known viruses: 2163694
Engine version: 0.97.7
Scanned directories: 26
Scanned files: 467
Infected files: 0
Data scanned: 4.70 MB
Data read: 3.32 MB (ratio 1.41:1)
Time: 4.360 sec (0 m 4 s)
To confirm that detection actually works, scan the EICAR test file. It is a harmless 68-byte string that every scanner recognizes, and eicar.org serves it in four forms: plain (eicar.com, eicar.com.txt), inside a zip (eicar_com.zip) and inside a zip inside a zip (eicarcom2.zip), so the archive variants also exercise clamscan's archive unpacking:
[root@host1 ~]# wget http://www.eicar.org/download/eicar.com
--2013-04-20 14:00:08--  http://www.eicar.org/download/eicar.com
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: `eicar.com'

100%[======================================>] 68          --.-K/s   in 0s

2013-04-20 14:00:09 (11.3 MB/s) - `eicar.com' saved [68/68]

[root@host1 ~]# wget http://www.eicar.org/download/eicar.com.txt
--2013-04-20 14:00:20--  http://www.eicar.org/download/eicar.com.txt
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: `eicar.com.txt'

100%[======================================>] 68          --.-K/s   in 0s

2013-04-20 14:00:20 (10.9 MB/s) - `eicar.com.txt' saved [68/68]

[root@host1 ~]# wget http://www.eicar.org/download/eicar_com.zip
--2013-04-20 14:00:30--  http://www.eicar.org/download/eicar_com.zip
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/octet-stream]
Saving to: `eicar_com.zip'

100%[======================================>] 184         --.-K/s   in 0s

2013-04-20 14:00:30 (30.3 MB/s) - `eicar_com.zip' saved [184/184]

[root@host1 ~]# wget http://www.eicar.org/download/eicarcom2.zip
--2013-04-20 14:00:37--  http://www.eicar.org/download/eicarcom2.zip
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 308 [application/octet-stream]
Saving to: `eicarcom2.zip'

100%[======================================>] 308         --.-K/s   in 0s

2013-04-20 14:00:37 (53.2 MB/s) - `eicarcom2.zip' saved [308/308]

[root@host1 ~]# ls -l
total 160
-rw-r--r--. 1 root root  68 Apr 20 14:00 2013 eicar.com
-rw-r--r--. 1 root root  68 Apr 20 14:00 2013 eicar.com.txt
-rw-r--r--. 1 root root 184 Apr 20 14:00 2013 eicar_com.zip
-rw-r--r--. 1 root root 308 Apr 20 14:00 2013 eicarcom2.zip
[root@host1 ~]# clamscan -r --remove /root
/root/.cshrc: OK
/root/eicar.com: Eicar-Test-Signature FOUND
/root/eicar.com: Removed.
/root/eicarcom2.zip: Eicar-Test-Signature FOUND
/root/eicarcom2.zip: Removed.
/root/eicar.com.txt: Eicar-Test-Signature FOUND
/root/eicar.com.txt: Removed.
(snip)
/root/eicar_com.zip: Eicar-Test-Signature FOUND
/root/eicar_com.zip: Removed.
/root/.bash_history: OK

----------- SCAN SUMMARY -----------
Known viruses: 2163694
Engine version: 0.97.7
Scanned directories: 207
Scanned files: 231
Infected files: 4
Data scanned: 36.96 MB
Data read: 27.49 MB (ratio 1.34:1)
Time: 5.230 sec (0 m 5 s)
To run the scan periodically, create a script and set it up to run automatically:
[root@host1 ~]# vi /etc/cron.daily/clamav_scan.sh
[root@host1 ~]# cat /etc/cron.daily/clamav_scan.sh
#!/bin/sh
TMPCLAMSCAN=`mktemp`
clamscan --remove -r /var/www > $TMPCLAMSCAN
grep "Removed" $TMPCLAMSCAN > /var/log/clamscan_remove.log
rm -r $TMPCLAMSCAN
[root@host1 ~]# chmod +x /etc/cron.daily/clamav_scan.sh
[root@host1 ~]# ls -l /etc/cron.daily/
-rwxr-xr-x. 1 root root 155 Apr 20 14:27 2013 clamav_scan.sh
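The script above works, but it has rough edges a production box would want fixed: --remove deletes on sight (a false positive in a web root destroys live content), the log is overwritten every day, only successful removals are recorded, and clamscan's exit status is ignored, so a scan that aborted with an error looks identical to a clean one. The following is an added example, not code from the original post or from the ClamAV project, serving both the EICAR test and the daily scan sections: a replacement cron script that quarantines with --move, appends a timestamped summary to its log, honours the exit status, and can generate the EICAR test file locally (the 68-byte string is public and harmless) instead of fetching it over plain HTTP. The quarantine directory and log path are assumptions, and the clamscan output lines it parses are the "FOUND" and "moved to" lines the scanner prints.

```shell
#!/bin/sh
# Added example, not the original post's script: a hardened daily scan for
# /etc/cron.daily. Paths are assumptions; override them in the environment.
#   * infected files are quarantined (--move) instead of deleted (--remove)
#   * the log is appended to with a timestamp instead of overwritten
#   * clamscan's exit status (0 clean, 1 infections found, 2 error) is kept
#   * the EICAR test file can be generated locally instead of downloaded

SCAN_DIR="${SCAN_DIR:-/var/www}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"   # must be outside SCAN_DIR
LOG="${LOG:-/var/log/clamscan.log}"

# The standard 68-byte EICAR test string, harmless by design. Single quotes
# keep the $ and \ literal; printf '%s' avoids escape processing on output.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# make_eicar_file FILE: write the test string to FILE (no trailing newline).
make_eicar_file() {
    printf '%s' "$EICAR" > "$1"
}

# file_size FILE: size in bytes; 68 for an intact EICAR file.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# count_found REPORT: infected files, i.e. "<path>: <signature> FOUND" lines.
count_found() {
    grep -c ': .* FOUND$' "$1" || :
}

# count_moved REPORT: files clamscan quarantined ("<path>: moved to '<dir>'").
count_moved() {
    grep -c ': moved to ' "$1" || :
}

# describe_status N: meaning of clamscan's exit status N.
describe_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected files found" ;;
        2) echo "scanner error" ;;
        *) echo "unknown exit status $1" ;;
    esac
}

# run_daily_scan: the cron entry point. Needs clamscan installed; everything
# around it (quarantine dir, log, exit status) is handled here.
run_daily_scan() {
    report=$(mktemp) || return 2
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" || return 2
    clamscan -r --infected --move="$QUARANTINE" "$SCAN_DIR" > "$report" 2>&1
    status=$?
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') $SCAN_DIR: $(describe_status "$status")," \
             "$(count_found "$report") found, $(count_moved "$report") quarantined"
        grep -E ' FOUND$|: moved to ' "$report"
    } >> "$LOG"
    rm -f "$report"
    return "$status"
}

# Scan only when executed as the cron script itself, so the functions above can
# be sourced and exercised without touching the filesystem.
case "$0" in
    */clamav_scan.sh) run_daily_scan ;;
esac
```

Install it as /etc/cron.daily/clamav_scan.sh (run-parts on CentOS 6 accepts a dot in the name, as the makewhatis.cron and mlocate.cron entries above show), then source it once and call `make_eicar_file /var/www/html/eicar.com` before a manual run to confirm the quarantine path works end to end. Keep the quarantine directory outside both the scanned tree and the document root and readable by root only: quarantined files are moved intact, not neutralized.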