Linuxアンチウイルスソフト ClamAV

ClamAV

https://www.clamav.net/
オープンソースのアンチウイルスソフト。
最新版は 2018-07-09 リリースの ClamAV 0.100.1 になる。

パッケージ

諸君らが愛してくれた RPMForge は死んだ！
RPMForge (RepoForge) リポジトリでは clamd というパッケージ名だったデーモンは EPEL リポジトリでは clamav-scanner として存在している。なお Atomic リポジトリでは clamd パッケージが存在している。
以下は EPEL リポジトリにおけるパッケージの一覧。

パッケージ名	説明
clamav	End-user tools for the Clam Antivirus scanner
clamav-data	Virus signature data for the Clam Antivirus scanner
clamav-data-empty	Empty data package for the Clam Antivirus scanner
clamav-devel	Header files and libraries for the Clam Antivirus scanner
clamav-filesystem	Filesystem structure for clamav
clamav-lib	Dynamic libraries for the Clam Antivirus scanner
clamav-milter	Milter module for the Clam Antivirus scanner
clamav-milter-systemd	Systemd initscripts for the clamav
clamav-milter-sysvinit	SysV initscripts for the clamav sendmail-milter
clamav-scanner	Clamav scanner daemon
clamav-scanner-systemd	Systemd initscripts for clamav scanner daemon
clamav-scanner-sysvinit	SysV initscripts for clamav scanner daemon
clamav-server	Clam Antivirus scanner server
clamav-server-systemd	Systemd initscripts for clamav server
clamav-server-sysvinit	SysV initscripts for clamav server
clamav-unofficial-sigs	Scripts to download unoffical clamav signatures
clamav-update	Auto-updater for the Clam Antivirus scanner data-files

インストール

yum install epel-release
yum install clamav clamav-{update,scanner-systemd}

EPEL のパッケージは 2018-03-02 に 0.99.4 がビルドされている。
CentOS 7 では clamav-scanner-systemd を、 CentOS 6 では clamav-scanner-sysvinit をインストールすればよいものと思われる。
上記指定だけで依存関係により以下もインストールされるのでばかすか指定する必要はない。

 clamav-data
 clamav-filesystem
 clamav-lib
 clamav-scanner
 clamav-server
 clamav-server-systemd
 nmap-ncat

更新

cp -a /etc/freshclam.conf{,.org}
cp -a /etc/sysconfig/freshclam{,.org}
sed -i '/^Example/s/^/#/' /etc/freshclam.conf
sed -i 's/^#DatabaseMirror db.XY/DatabaseMirror db.jp/' /etc/freshclam.conf
sed -i '/^FRESHCLAM_DELAY=disabled/s/^/#/' /etc/sysconfig/freshclam
freshclam

出力例

ClamAV update process started at Mon Aug  8 16:00:00 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22049, sigs: 491550, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)

なぜか freshclam.conf の Example を消さないと freshclam コマンドが動作しない。中身をちゃんと見ろということか。

スキャン

検出サンプル (Eicar-Test-Signature) ¹

curl -O http://www.eicar.org/download/eicar.com

スキャン実行

clamscan -r -i ~

出力例

/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 1
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)

デーモンの起動

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
sed -i '/^Example/s/^/#/' /etc/clamd.conf
sed -i '/TCPSocket/s/^#//' /etc/clamd.conf
sed -i '/TCPAddr/s/^#//' /etc/clamd.conf
sed -i '/clamd.sock/s/^#//' /etc/clamd.conf
clamd
pgrep -a clamd

systemctl enable clamd@scan

出力例

Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.

systemctl start clamd@scan
systemctl status clamd@scan

出力例

● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: active (running) since 木 2016-08-11 03:00:11 JST; 5s ago
 Main PID: 32109 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─32109 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

 8月 11 03:00:11 localhost.localdomain clamd[32109]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Running as user clamscan (UID 993, GID 992)
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Log file size limited to 1048576 bytes.
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Reading databases from /var/lib/clamav
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Not loading PUA signatures.
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Bytecode: Security mode set to "TrustSigned".
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ***      Virus database timestamp in the future!   ***
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ***  Please check the timezone and clock settings  ***
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************

デフォルト設定ファイル

/etc/cron.d/clamav-update

## Adjust this line...
MAILTO=root

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamupdate' as soon as possible
0  */3 * * * root /usr/share/clamav/freshclam-sleep

/etc/logrotate.d/clamav-update

/var/log/freshclam.log {
        monthly
        notifempty
}

/etc/sysconfig/freshclam

## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * *  ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=

## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn'  ...  disables the automatic freshclam update and
##                         gives out a warning
## 'disabled'       ...  disables the automatic freshclam silently
# FRESHCLAM_DELAY=


### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn	# REMOVE ME

/etc/freshclam.conf

Example
# DatabaseDirectory /var/lib/clamav
# UpdateLogFile /var/log/freshclam.log
# LogFileMaxSize 2M
# LogTime yes
# LogVerbose yes
LogSyslog yes
# LogFacility LOG_MAIL
# LogRotate yes
# PidFile /var/run/freshclam.pid
# DatabaseOwner clamupdate
# AllowSupplementaryGroups yes
# DNSDatabaseInfo current.cvd.clamav.net
# DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
# MaxAttempts 5
# ScriptedUpdates yes
# CompressLocalDatabase no
# DatabaseCustomURL http://myserver.com/mysigs.ndb
# DatabaseCustomURL file:///mnt/nfs/local.hdb
# PrivateMirror mirror1.mynetwork.com
# PrivateMirror mirror2.mynetwork.com
# Checks 24
# HTTPProxyServer myproxy.com
# HTTPProxyPort 1234
# HTTPProxyUsername myusername
# HTTPProxyPassword mypass
# HTTPUserAgent SomeUserAgentIdString
# LocalIPAddress aaa.bbb.ccc.ddd
# NotifyClamd /path/to/clamd.conf
# OnUpdateExecute command
# OnErrorExecute command
# OnOutdatedExecute command
# Foreground yes
# Debug yes
# ConnectTimeout 60
# ReceiveTimeout 60
# TestDatabases yes
# SubmitDetectionStats /path/to/clamd.conf
# DetectionStatsCountry country-code
# DetectionStatsHostID unique-id
# SafeBrowsing yes
# Bytecode yes
# ExtraDatabase dbname1
# ExtraDatabase dbname2

セキュリティ関連記事

• PHPセキュリティ強化モジュール Suhosin
• DoS攻撃/ブルートフォース攻撃対策アプリの近況
• Linuxアンチウイルスソフト ClamAV
• Linux Malware Detect
• ルートキット検出ツール Rootkit Hunter (rkhunter)
• ルートキット検出ツール chkrootkit
• ファイル改ざん検知ツール AFICK
• ファイル改ざん検知ツール AIDE
• 脆弱性スキャナー OpenVAS
• Linuxセキュリティ監査ツール Lynis

1. EICARテストファイル - Wikipedia ↩