ClamAV
https://www.clamav.net/
Open-source antivirus software.
The latest release is ClamAV 0.100.1, released 2018-07-09.
Packages
The RPMForge you all loved is dead!
The daemon that was packaged as clamd in the RPMForge (RepoForge) repository exists in the EPEL repository as clamav-scanner. Note that the Atomic repository does carry a clamd package.
Below is the list of packages in the EPEL repository.
Package name | Description |
---|---|
clamav | End-user tools for the Clam Antivirus scanner |
clamav-data | Virus signature data for the Clam Antivirus scanner |
clamav-data-empty | Empty data package for the Clam Antivirus scanner |
clamav-devel | Header files and libraries for the Clam Antivirus scanner |
clamav-filesystem | Filesystem structure for clamav |
clamav-lib | Dynamic libraries for the Clam Antivirus scanner |
clamav-milter | Milter module for the Clam Antivirus scanner |
clamav-milter-systemd | Systemd initscripts for the clamav |
clamav-milter-sysvinit | SysV initscripts for the clamav sendmail-milter |
clamav-scanner | Clamav scanner daemon |
clamav-scanner-systemd | Systemd initscripts for clamav scanner daemon |
clamav-scanner-sysvinit | SysV initscripts for clamav scanner daemon |
clamav-server | Clam Antivirus scanner server |
clamav-server-systemd | Systemd initscripts for clamav server |
clamav-server-sysvinit | SysV initscripts for clamav server |
clamav-unofficial-sigs | Scripts to download unoffical clamav signatures |
clamav-update | Auto-updater for the Clam Antivirus scanner data-files |
Installation
yum install epel-release
yum install clamav clamav-{update,scanner-systemd}
In EPEL, 0.99.4 was built on 2018-03-02.
On CentOS 7 install clamav-scanner-systemd, and on CentOS 6 clamav-scanner-sysvinit; that should be all that is needed.
The command above pulls in the following as dependencies, so there is no need to list them all explicitly.
clamav-data
clamav-filesystem
clamav-lib
clamav-scanner
clamav-server
clamav-server-systemd
nmap-ncat
Updating
cp -a /etc/freshclam.conf{,.org}
cp -a /etc/sysconfig/freshclam{,.org}
sed -i '/^Example/s/^/#/' /etc/freshclam.conf
sed -i 's/^#DatabaseMirror db.XY/DatabaseMirror db.jp/' /etc/freshclam.conf
sed -i '/^FRESHCLAM_DELAY=disabled/s/^/#/' /etc/sysconfig/freshclam
freshclam
Example output
ClamAV update process started at Mon Aug 8 16:00:00 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22049, sigs: 491550, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
For some reason the freshclam command refuses to run until the Example line in freshclam.conf is disabled. Presumably the point is to make you actually read the file.
Scanning
Test sample (Eicar-Test-Signature)
curl -O http://www.eicar.org/download/eicar.com
Run the scan
clamscan -r -i ~
Example output
/root/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 1
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)
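When clamscan runs from a job rather than a terminal, somebody has to read the report. The following is an added example (not code from the page or the ClamAV project) that parses the "path: Signature FOUND" lines and the SCAN SUMMARY block into structured data and maps clamscan's exit status (0 nothing found, 1 something found, 2 error) to an outcome, so a scheduled scan can raise an alert on its own. The sample report is constructed from the output shown above; the scan() helper assumes a clamscan binary on PATH.

```python
"""Parse a clamscan report into structured data (added example)."""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: the report format produced by `clamscan -r -i`.
SAMPLE_REPORT = """\
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 1
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)
"""

# "<path>: <signature> FOUND" lines appear before the summary block.
DETECTION_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# "Key: value" lines inside the SCAN SUMMARY block.
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_report(text: str) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Return (detections, summary): a list of (path, signature) pairs and a
    dict of the SCAN SUMMARY keys to their raw string values."""
    detections: List[Tuple[str, str]] = []
    summary: Dict[str, str] = {}
    in_summary = False
    for line in text.splitlines():
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
        else:
            m = DETECTION_RE.match(line)
            if m:
                detections.append((m.group("path"), m.group("sig")))
    return detections, summary


def outcome(exit_code: int) -> str:
    """clamscan exit status: 0 nothing found, 1 something found, 2 error."""
    return {0: "clean", 1: "infected", 2: "error"}.get(exit_code, "unknown")


def scan(path: str) -> Tuple[str, List[Tuple[str, str]], Dict[str, str]]:
    """Run clamscan on `path` (requires the clamav package) and parse the result."""
    proc = subprocess.run(["clamscan", "-r", "-i", path],
                          capture_output=True, text=True)
    detections, summary = parse_report(proc.stdout)
    return outcome(proc.returncode), detections, summary


if __name__ == "__main__":
    # Offline demonstration on the constructed report, as if clamscan exited 1.
    dets, summ = parse_report(SAMPLE_REPORT)
    print(outcome(1), dets, "infected files:", summ["Infected files"])
```

Treat outcome "error" (exit 2) as seriously as "infected": a scan that failed partway (unreadable files, a stale database) is not a clean result.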
Starting the daemon
ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
sed -i '/^Example/s/^/#/' /etc/clamd.conf
sed -i '/TCPSocket/s/^#//' /etc/clamd.conf
sed -i '/TCPAddr/s/^#//' /etc/clamd.conf
sed -i '/clamd.sock/s/^#//' /etc/clamd.conf
clamd
pgrep -a clamd
systemctl enable clamd@scan
Example output
Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.
systemctl start clamd@scan
systemctl status clamd@scan
Example output
● clamd@scan.service - Generic clamav scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
Active: active (running) since 木 2016-08-11 03:00:11 JST; 5s ago
Main PID: 32109 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─32109 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes
8月 11 03:00:11 localhost.localdomain clamd[32109]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
8月 11 03:00:11 localhost.localdomain clamd[32109]: Running as user clamscan (UID 993, GID 992)
8月 11 03:00:11 localhost.localdomain clamd[32109]: Log file size limited to 1048576 bytes.
8月 11 03:00:11 localhost.localdomain clamd[32109]: Reading databases from /var/lib/clamav
8月 11 03:00:11 localhost.localdomain clamd[32109]: Not loading PUA signatures.
8月 11 03:00:11 localhost.localdomain clamd[32109]: Bytecode: Security mode set to "TrustSigned".
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: *** Virus database timestamp in the future! ***
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: *** Please check the timezone and clock settings ***
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************
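Once clamd is running, applications talk to it over the socket instead of spawning clamscan. The following is an added example, not code from the page or the ClamAV project, of a minimal client for the clamd command protocol: NUL-terminated "z" commands (PING), and INSTREAM, which streams length-prefixed chunks so content can be scanned without writing it to disk. The socket path /var/run/clamd.scan/clamd.sock and the TCP address 127.0.0.1:3310 are assumptions matching the lines the sed commands above uncomment; the EICAR string is the standard harmless test input.

```python
"""Minimal clamd protocol client (added example)."""
import socket
import struct
from typing import Optional, Tuple

UNIX_SOCKET = "/var/run/clamd.scan/clamd.sock"   # assumed LocalSocket path
TCP_ADDR = ("127.0.0.1", 3310)                   # assumed TCPAddr / TCPSocket

# Constructed test input: the standard EICAR test string (68 bytes, harmless).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_instream(data: bytes, chunk_size: int = 4096) -> bytes:
    """Frame `data` as an INSTREAM request: zINSTREAM NUL, then chunks each
    prefixed with a 4-byte big-endian length, ending with a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Map 'stream: OK', 'stream: <sig> FOUND' or an '... ERROR' reply to
    (status, signature_or_message)."""
    text = reply.rstrip(b"\0").decode(errors="replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict


def _connect(unix_path: Optional[str]) -> socket.socket:
    # Prefer the Unix socket; fall back to the loopback TCP listener.
    if unix_path:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(unix_path)
    else:
        s = socket.create_connection(TCP_ADDR)
    s.settimeout(30)
    return s


def _command(payload: bytes, unix_path: Optional[str]) -> bytes:
    """Send one request and read until the NUL that terminates the reply."""
    with _connect(unix_path) as s:
        s.sendall(payload)
        buf = b""
        while not buf.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            buf += part
        return buf


def ping(unix_path: Optional[str] = UNIX_SOCKET) -> bool:
    return _command(b"zPING\0", unix_path).rstrip(b"\0") == b"PONG"


def scan_bytes(data: bytes, unix_path: Optional[str] = UNIX_SOCKET) -> Tuple[str, Optional[str]]:
    """Scan `data` through clamd; e.g. ('FOUND', 'Eicar-Test-Signature')."""
    return parse_reply(_command(build_instream(data), unix_path))


if __name__ == "__main__":
    print("clamd alive:", ping())
    print("EICAR via INSTREAM:", scan_bytes(EICAR))
```

clamd performs no authentication on its socket: anything that can reach it can submit scans and issue commands. The sed line above that uncomments TCPAddr is what keeps the TCP listener on 127.0.0.1 (the value in the stock scan.conf) rather than on every interface, so leave it in place if TCPSocket is enabled, and prefer the Unix socket for local clients.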
Default configuration files
/etc/cron.d/clamav-update
## Adjust this line...
MAILTO=root
## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamupdate' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep
/etc/logrotate.d/clamav-update
/var/log/freshclam.log {
monthly
notifempty
}
/etc/sysconfig/freshclam
## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * * ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=
## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn' ... disables the automatic freshclam update and
## gives out a warning
## 'disabled' ... disables the automatic freshclam silently
# FRESHCLAM_DELAY=
### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn # REMOVE ME
/etc/freshclam.conf
Example
# DatabaseDirectory /var/lib/clamav
# UpdateLogFile /var/log/freshclam.log
# LogFileMaxSize 2M
# LogTime yes
# LogVerbose yes
LogSyslog yes
# LogFacility LOG_MAIL
# LogRotate yes
# PidFile /var/run/freshclam.pid
# DatabaseOwner clamupdate
# AllowSupplementaryGroups yes
# DNSDatabaseInfo current.cvd.clamav.net
# DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
# MaxAttempts 5
# ScriptedUpdates yes
# CompressLocalDatabase no
# DatabaseCustomURL http://myserver.com/mysigs.ndb
# DatabaseCustomURL file:///mnt/nfs/local.hdb
# PrivateMirror mirror1.mynetwork.com
# PrivateMirror mirror2.mynetwork.com
# Checks 24
# HTTPProxyServer myproxy.com
# HTTPProxyPort 1234
# HTTPProxyUsername myusername
# HTTPProxyPassword mypass
# HTTPUserAgent SomeUserAgentIdString
# LocalIPAddress aaa.bbb.ccc.ddd
# NotifyClamd /path/to/clamd.conf
# OnUpdateExecute command
# OnErrorExecute command
# OnOutdatedExecute command
# Foreground yes
# Debug yes
# ConnectTimeout 60
# ReceiveTimeout 60
# TestDatabases yes
# SubmitDetectionStats /path/to/clamd.conf
# DetectionStatsCountry country-code
# DetectionStatsHostID unique-id
# SafeBrowsing yes
# Bytecode yes
# ExtraDatabase dbname1
# ExtraDatabase dbname2