


Now that the signature database has been updated, let's try a manual scan with clamscan.
```
[root@centos8 ~]# rpmquery --list clamav
/usr/bin/clambc
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/bin/clamdtop
/usr/bin/clamonacc
/usr/bin/clamscan
/usr/bin/clamsubmit
/usr/bin/sigtool
(snip)
```
```
[root@centos8 ~]# clamscan -v /home /var /tmp
/var/run: Symbolic link
/var/lock: Symbolic link
/var/mail: Symbolic link
Scanning /var/.updated
/var/.updated: OK
Scanning /tmp/ks-script-mhj_zaxt
/tmp/ks-script-mhj_zaxt: OK
Scanning /tmp/lua_fAgsc2
/tmp/lua_fAgsc2: OK

----------- SCAN SUMMARY -----------
Known viruses: 8942356
Engine version: 0.102.4
Scanned directories: 3
Scanned files: 3
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.042 sec (0 m 15 s)
```
Only three files were scanned across three directories because clamscan does not descend into subdirectories unless -r (--recursive) is given. Next, let's test detection with the EICAR test file.
```
[root@centos8 ~]# wget https://files.trendmicro.com/products/eicar-file/eicar.com
--2020-11-22 15:04:02--  https://files.trendmicro.com/products/eicar-file/eicar.com
Resolving files.trendmicro.com (files.trendmicro.com)... 2403:e800:e803:785::4b46, 2403:e800:e803:787::4b46, 122.222.40.51
Connecting to files.trendmicro.com (files.trendmicro.com)|2403:e800:e803:785::4b46|:443... failed: Connection refused.
Connecting to files.trendmicro.com (files.trendmicro.com)|2403:e800:e803:787::4b46|:443... failed: Connection refused.
Connecting to files.trendmicro.com (files.trendmicro.com)|122.222.40.51|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: 'eicar.com'

eicar.com           100%[============================>]      68  --.-KB/s    in 0s

2020-11-22 15:04:04 (123 MB/s) - 'eicar.com' saved [68/68]

[root@centos8 ~]# clamscan -v /root
Scanning /root/.bash_logout
/root/.bash_logout: OK
Scanning /root/.bash_profile
/root/.bash_profile: OK
Scanning /root/.cshrc
/root/.cshrc: OK
Scanning /root/.tcshrc
/root/.tcshrc: OK
Scanning /root/anaconda-ks.cfg
/root/anaconda-ks.cfg: OK
Scanning /root/.bashrc
/root/.bashrc: OK
Scanning /root/.bash_history
/root/.bash_history: OK
Scanning /root/eicar.com
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8942356
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.968 sec (0 m 14 s)
```
It found it: "/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND".
Now let's delete the detected file with --remove=yes. Note that this unlinks the file outright (the help text itself warns "Be careful!"); for anything other than a test file, quarantining with --move=DIRECTORY is the safer choice, since it preserves the sample for analysis and can be undone.
```
[root@centos8 ~]# clamscan --remove=yes /root
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.cshrc: OK
/root/.tcshrc: OK
/root/anaconda-ks.cfg: OK
/root/.bashrc: OK
/root/.bash_history: OK
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/eicar.com: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 8942356
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.028 sec (0 m 15 s)
```
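The same scan-detect-clean-up cycle as a small script, added here as an example and not part of the original post. It differs from the walkthrough in three ways a practitioner usually wants: the EICAR file is generated locally from its standard 68-byte string instead of being fetched with wget, the scan is recursive and prints only hits (-r -i), and detections are quarantined with --move rather than destroyed with --remove=yes. It also interprets clamscan's exit status (0 clean, 1 detection, 2 error such as a missing database). The QUARANTINE_DIR path and the helper function names are assumptions of this example; the sample scan output used by count_found is constructed from the lines shown above.

```shell
#!/bin/bash
# Added example (not from the original post): scan like the walkthrough
# above, but generate EICAR locally, scan recursively, and quarantine
# instead of deleting. QUARANTINE_DIR is an assumed path.

# The standard EICAR test string (68 bytes). Single quotes keep the
# shell from expanding the $ and \ characters inside it.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/tmp/clamav-quarantine}"

# Write the EICAR test file to the path given as $1, no network needed.
# printf '%s' does not interpret the backslash or the %, so the file is
# byte-for-byte the 68-byte test string.
write_eicar() {
    printf '%s' "$EICAR_STRING" > "$1"
}

# Map a clamscan exit status to a word: 0 clean, 1 detection, 2 error.
interpret_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Count detection lines ("<path>: <signature> FOUND") in clamscan output
# read from stdin. "Removed." / "Moved" lines are deliberately not counted.
count_found() {
    grep -c ' FOUND$' || true
}

# Scan a directory tree: recursive, print hits only, quarantine hits.
# Returns clamscan's own exit status so callers can branch on it.
scan_dir() {
    target="$1"
    mkdir -p "$QUARANTINE_DIR"
    if clamscan -r -i --move="$QUARANTINE_DIR" "$target"; then
        rc=0
    else
        rc=$?
    fi
    echo "result: $(interpret_exit "$rc")"
    return "$rc"
}

# Live demo only when clamscan is actually installed on this host.
if command -v clamscan >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    write_eicar "$tmp/eicar.com"
    scan_dir "$tmp" || true
    ls -l "$QUARANTINE_DIR"
    rm -rf "$tmp"
else
    echo "clamscan not installed; skipping live scan" >&2
fi
```

Because the detection is quarantined rather than deleted, the file is still there for a second look (for example `sigtool` or a hash lookup) and the action can be reversed if it turns out to be a false positive. The exit status is what a cron job or CI step should branch on; parsing the human-readable output with count_found is only for reporting.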
There are so many options that it is hard to keep track of them (^^;
help
```
[root@centos8 ~]# clamscan -h
                       Clam AntiVirus: Scanner 0.102.4
           By The ClamAV Team: https://www.clamav.net/about.html#credits
           (C) 2020 Cisco Systems, Inc.

    clamscan [options] [file/directory/-]

    --help                -h             Show this help
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --archive-verbose     -a             Show filenames inside scanned archives
    --debug                              Enable libclamav's debug messages
    --quiet                              Only output error messages
    --stdout                             Write to stdout instead of stderr. Does not affdebug' messages.
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --suppress-ok-results -o             Skip printing OK files
    --bell                               Sound bell on virus detection

    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]            Do not remove temporary files
    --gen-json[=yes/no(*)]               Generate JSON description of scanned file(s). Jill be printed and also- dropped to the temp directory if --leave-temps abled.
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load all suppodb files from DIR
    --official-db-only[=yes/no(*)]       Only load official signatures
    --log=FILE            -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)] -r           Scan subdirectories recursively
    --allmatch[=yes/no(*)]  -z           Continue scanning within file after finding a m
    --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direc= always)
    --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 ays)
    --file-list=FILE      -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                 Remove infected files. Be careful!
    --move=DIRECTORY                     Move infected files into DIRECTORY
    --copy=DIRECTORY                     Copy infected files into DIRECTORY
    --exclude=REGEX                      Don't scan file names matching REGEX
    --exclude-dir=REGEX                  Don't scan directories matching REGEX
    --include=REGEX                      Only scan file names matching REGEX
    --include-dir=REGEX                  Only scan directories matching REGEX

    --bytecode[=yes(*)/no]               Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
    --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
    --exclude-pua=CAT                    Skip PUA sigs of category CAT
    --include-pua=CAT                    Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N             Min SSN count to generate a detect
    --structured-cc-count=N              Min CC count to generate a detect
    --scan-mail[=yes(*)/no]              Scan mail files
    --phishing-sigs[=yes(*)/no]          Enable email signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]     Enable URL signature-based phishing detection
    --heuristic-alerts[=yes(*)/no]       Heuristic alerts
    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match ind
    --normalize[=yes(*)/no]              Normalize html, script, and text files. Use nore=no for yara compatibility
    --scan-pe[=yes(*)/no]                Scan PE files
    --scan-elf[=yes(*)/no]               Scan ELF files
    --scan-ole2[=yes(*)/no]              Scan OLE2 containers
    --scan-pdf[=yes(*)/no]               Scan PDF files
    --scan-swf[=yes(*)/no]               Scan SWF files
    --scan-html[=yes(*)/no]              Scan HTML files
    --scan-xmldocs[=yes(*)/no]           Scan xml-based document files
    --scan-hwp3[=yes(*)/no]              Scan HWP3 files
    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
    --alert-broken[=yes/no(*)]           Alert on broken executable files (PE & ELF)
    --alert-encrypted[=yes/no(*)]        Alert on encrypted archives and documents
    --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives
    --alert-encrypted-doc[=yes/no(*)]    Alert on encrypted documents
    --alert-macros[=yes/no(*)]           Alert on OLE2 files containing VBA macros
    --alert-exceeds-max[=yes/no(*)]      Alert on files that exceed max file size, max size, or max recursion limit
    --alert-phishing-ssl[=yes/no(*)]     Alert on emails containing SSL mismatches in UR
    --alert-phishing-cloak[=yes/no(*)]   Alert on emails containing cloaked URLs
    --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing pion intersections
    --nocerts                            Disable authenticode certificate chain verificain PE files
    --dumpcerts                          Dump authenticode certificate chain in PE files

    --max-scantime=#n                    Scan time longer than this will be skipped and ed clean
    --max-filesize=#n                    Files larger than this will be skipped and assulean
    --max-scansize=#n                    The maximum amount of data to scan for each conr file (**)
    --max-files=#n                       The maximum number of files to scan for each coer file (**)
    --max-recursion=#n                   Maximum archive recursion level for container f**)
    --max-dir-recursion=#n               Maximum directory recursion level
    --max-embeddedpe=#n                  Maximum size file to check for embedded PE
    --max-htmlnormalize=#n               Maximum size of HTML file to normalize
    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n             Maximum size of script file to normalize
    --max-ziptypercg=#n                  Maximum size zip to type reanalyze
    --max-partitions=#n                  Maximum number of partitions in disk image to bnned
    --max-iconspe=#n                     Maximum number of icons in PE file to be scanne
    --max-rechwp3=#n                     Maximum recursive calls to HWP3 parsing functio
    --pcre-match-limit=#n                Maximum calls to the PCRE match function.
    --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match funct
    --pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matchi
    --disable-cache                      Disable caching and cache checks for hash sums anned files.

Pass in - as the filename for stdin.

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain
   other files inside. The above options ensure safe processing of this
   kind of data.
```