ClamAV
https://www.clamav.net/
Open-source antivirus software.
As of this writing, the latest version is ClamAV 0.100.1, released on 2018-07-09.
Packages
RPMForge, which you all loved so dearly, is dead!
The daemon that was packaged as clamd in the RPMForge (RepoForge) repository is provided in the EPEL repository as clamav-scanner. The Atomic repository, for its part, does carry a clamd package.
The following is the list of packages in the EPEL repository.
Package name | Description |
---|---|
clamav | End-user tools for the Clam Antivirus scanner |
clamav-data | Virus signature data for the Clam Antivirus scanner |
clamav-data-empty | Empty data package for the Clam Antivirus scanner |
clamav-devel | Header files and libraries for the Clam Antivirus scanner |
clamav-filesystem | Filesystem structure for clamav |
clamav-lib | Dynamic libraries for the Clam Antivirus scanner |
clamav-milter | Milter module for the Clam Antivirus scanner |
clamav-milter-systemd | Systemd initscripts for the clamav |
clamav-milter-sysvinit | SysV initscripts for the clamav sendmail-milter |
clamav-scanner | Clamav scanner daemon |
clamav-scanner-systemd | Systemd initscripts for clamav scanner daemon |
clamav-scanner-sysvinit | SysV initscripts for clamav scanner daemon |
clamav-server | Clam Antivirus scanner server |
clamav-server-systemd | Systemd initscripts for clamav server |
clamav-server-sysvinit | SysV initscripts for clamav server |
clamav-unofficial-sigs | Scripts to download unofficial clamav signatures |
clamav-update | Auto-updater for the Clam Antivirus scanner data-files |
Installation
yum install epel-release
yum install clamav clamav-{update,scanner-systemd}
The EPEL package was built as 0.99.4 on 2018-03-02.
On CentOS 7 it should be enough to install clamav-scanner-systemd, and on CentOS 6 clamav-scanner-sysvinit.
The packages below are pulled in as dependencies by the command above, so there is no need to list every one of them explicitly.
clamav-data
clamav-filesystem
clamav-lib
clamav-scanner
clamav-server
clamav-server-systemd
nmap-ncat
Updating
cp -a /etc/freshclam.conf{,.org}
cp -a /etc/sysconfig/freshclam{,.org}
sed -i '/^Example/s/^/#/' /etc/freshclam.conf
sed -i 's/^#DatabaseMirror db.XY/DatabaseMirror db.jp/' /etc/freshclam.conf
sed -i '/^FRESHCLAM_DELAY=disabled/s/^/#/' /etc/sysconfig/freshclam
freshclam
Example output
ClamAV update process started at Mon Aug 8 16:00:00 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22049, sigs: 491550, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
For some reason the freshclam command will not run unless the Example line in freshclam.conf is removed (the sed above comments it out). Presumably the point is to make you actually read the file.
Scanning
Detection sample (Eicar-Test-Signature)
curl -O http://www.eicar.org/download/eicar.com
Run the scan
clamscan -r -i ~
Example output
/root/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 1
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)
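As an added example (my code, not ClamAV's or the original page's), a POSIX sh wrapper that evaluates a `clamscan -r -i` run the way a cron job would: it keys off clamscan's exit code (0 clean, 1 detections, 2 error) and parses the FOUND lines and the SCAN SUMMARY. The sample output embedded in it is constructed from the page's own example output so it runs without ClamAV installed.

```shell
#!/bin/sh
# Added example: evaluate clamscan output for a cron job or alerting hook.
# With -i, clamscan prints only infected files plus the SCAN SUMMARY, so every
# "<path>: <signature> FOUND" line is a detection worth alerting on.

# Number on the "Infected files:" summary line (0 if the line is absent).
infected_count() {           # clamscan output on stdin
    n=$(sed -n 's/^Infected files: \([0-9]\{1,\}\).*/\1/p')
    echo "${n:-0}"
}

# One "<signature> <path>" line per detection (the path may contain spaces).
found_lines() {              # clamscan output on stdin
    sed -n 's/^\(.*\): \([^:]*\) FOUND$/\2 \1/p'
}

# Map clamscan's exit code to an operator-facing verdict.
#   0 = no detections, 1 = detections, 2 = scan error (e.g. unreadable files)
verdict() {                  # verdict <clamscan exit code> <output file>
    case $1 in
        0) echo "clean";;
        1) echo "INFECTED: $(infected_count < "$2") file(s)"
           found_lines < "$2";;
        *) echo "ERROR: clamscan exited with status $1";;
    esac
}

# Constructed sample, copied from the example output on this page.
SAMPLE='/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 1
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)'

# Real use: clamscan -r -i "$HOME" > "$out"; verdict $? "$out"
out=$(mktemp)
printf '%s\n' "$SAMPLE" > "$out"
verdict 1 "$out"
rm -f "$out"
```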
Starting the daemon
ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
sed -i '/^Example/s/^/#/' /etc/clamd.conf
sed -i '/TCPSocket/s/^#//' /etc/clamd.conf
sed -i '/TCPAddr/s/^#//' /etc/clamd.conf
sed -i '/clamd.sock/s/^#//' /etc/clamd.conf
clamd
pgrep -a clamd
systemctl enable clamd@scan
Example output
Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.
systemctl start clamd@scan
systemctl status clamd@scan
Example output
● clamd@scan.service - Generic clamav scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
Active: active (running) since 木 2016-08-11 03:00:11 JST; 5s ago
Main PID: 32109 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─32109 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes
8月 11 03:00:11 localhost.localdomain clamd[32109]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
8月 11 03:00:11 localhost.localdomain clamd[32109]: Running as user clamscan (UID 993, GID 992)
8月 11 03:00:11 localhost.localdomain clamd[32109]: Log file size limited to 1048576 bytes.
8月 11 03:00:11 localhost.localdomain clamd[32109]: Reading databases from /var/lib/clamav
8月 11 03:00:11 localhost.localdomain clamd[32109]: Not loading PUA signatures.
8月 11 03:00:11 localhost.localdomain clamd[32109]: Bytecode: Security mode set to "TrustSigned".
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: *** Virus database timestamp in the future! ***
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: *** Please check the timezone and clock settings ***
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************
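The update section and the daemon section above both depend on sed edits whose mistakes only surface when freshclam or clamd refuses to start. As an added example (my code, not ClamAV's or the EPEL package's), a POSIX sh audit of the two files that checks what those edits were meant to achieve: the `Example` line commented out, a `DatabaseMirror` active, and, when `TCPSocket` is enabled in clamd.conf, `TCPAddr` bound to loopback, since clamd's TCP socket has no authentication. The sample config files it writes are constructed.

```shell
#!/bin/sh
# Added example: audit /etc/freshclam.conf and /etc/clamd.conf after editing.
# Each audit prints the first problem found and returns 1; returns 0 when clean.

# Value of the first active (uncommented) directive <name> in <file>, or empty.
directive() {                # directive <file> <name>
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Both freshclam and clamd refuse a config that still has the shipped "Example" line.
example_active() {           # example_active <file>
    grep -q '^[[:space:]]*Example[[:space:]]*$' "$1"
}

audit_freshclam_conf() {     # audit_freshclam_conf <file>
    if example_active "$1"; then
        echo "$1: 'Example' line still active; freshclam will not run"; return 1
    fi
    if [ -z "$(directive "$1" DatabaseMirror)" ]; then
        echo "$1: no active DatabaseMirror, nothing to download from"; return 1
    fi
}

audit_clamd_conf() {         # audit_clamd_conf <file>
    if example_active "$1"; then
        echo "$1: 'Example' line still active; clamd will not run"; return 1
    fi
    # With TCPSocket set but TCPAddr unset, clamd listens on all interfaces.
    if [ -n "$(directive "$1" TCPSocket)" ]; then
        case "$(directive "$1" TCPAddr)" in
            127.0.0.1|::1|localhost) ;;
            *) echo "$1: TCPSocket enabled but TCPAddr is not loopback"; return 1 ;;
        esac
    fi
}

# Constructed samples: freshclam.conf as this page's sed commands leave it, and a
# clamd.conf where TCPSocket was uncommented but TCPAddr was left commented out.
d=$(mktemp -d)
printf '#Example\nLogSyslog yes\nDatabaseMirror db.jp.clamav.net\n' > "$d/freshclam.conf"
printf '#Example\nTCPSocket 3310\n#TCPAddr 127.0.0.1\n' > "$d/clamd.conf"
audit_freshclam_conf "$d/freshclam.conf" && echo "$d/freshclam.conf: OK"
audit_clamd_conf "$d/clamd.conf" || echo "$d/clamd.conf: fix before starting clamd"
rm -rf "$d"
```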
Default configuration files
/etc/cron.d/clamav-update
## Adjust this line...
MAILTO=root
## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamupdate' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep
/etc/logrotate.d/clamav-update
/var/log/freshclam.log {
monthly
notifempty
}
/etc/sysconfig/freshclam
## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * * ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=
## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn' ... disables the automatic freshclam update and
## gives out a warning
## 'disabled' ... disables the automatic freshclam silently
# FRESHCLAM_DELAY=
### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn # REMOVE ME
/etc/freshclam.conf
Example
#DatabaseDirectory /var/lib/clamav
#UpdateLogFile /var/log/freshclam.log
#LogFileMaxSize 2M
#LogTime yes
#LogVerbose yes
LogSyslog yes
#LogFacility LOG_MAIL
#LogRotate yes
#PidFile /var/run/freshclam.pid
#DatabaseOwner clamupdate
#AllowSupplementaryGroups yes
#DNSDatabaseInfo current.cvd.clamav.net
#DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
#MaxAttempts 5
#ScriptedUpdates yes
#CompressLocalDatabase no
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com
#Checks 24
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
#HTTPUserAgent SomeUserAgentIdString
#LocalIPAddress aaa.bbb.ccc.ddd
#NotifyClamd /path/to/clamd.conf
#OnUpdateExecute command
#OnErrorExecute command
#OnOutdatedExecute command
#Foreground yes
#Debug yes
#ConnectTimeout 60
#ReceiveTimeout 60
#TestDatabases yes
#SubmitDetectionStats /path/to/clamd.conf
#DetectionStatsCountry country-code
#DetectionStatsHostID unique-id
#SafeBrowsing yes
#Bytecode yes
#ExtraDatabase dbname1
#ExtraDatabase dbname2