Help us understand the problem. What is going on with this article?

Linuxアンチウイルスソフト ClamAV

More than 1 year has passed since last update.

ClamAV

https://www.clamav.net/
オープンソースのアンチウイルスソフト。
最新版は 2018-07-09 リリースの ClamAV 0.100.1 になる。

パッケージ

諸君らが愛してくれた RPMForge は死んだ!
RPMForge (RepoForge) リポジトリでは clamd というパッケージ名だったデーモンは EPEL リポジトリでは clamav-scanner として存在している。なお Atomic リポジトリでは clamd パッケージが存在している。
以下は EPEL リポジトリにおけるパッケージの一覧。

パッケージ名 説明
clamav End-user tools for the Clam Antivirus scanner
clamav-data Virus signature data for the Clam Antivirus scanner
clamav-data-empty Empty data package for the Clam Antivirus scanner
clamav-devel Header files and libraries for the Clam Antivirus scanner
clamav-filesystem Filesystem structure for clamav
clamav-lib Dynamic libraries for the Clam Antivirus scanner
clamav-milter Milter module for the Clam Antivirus scanner
clamav-milter-systemd Systemd initscripts for the clamav
clamav-milter-sysvinit SysV initscripts for the clamav sendmail-milter
clamav-scanner Clamav scanner daemon
clamav-scanner-systemd Systemd initscripts for clamav scanner daemon
clamav-scanner-sysvinit SysV initscripts for clamav scanner daemon
clamav-server Clam Antivirus scanner server
clamav-server-systemd Systemd initscripts for clamav server
clamav-server-sysvinit SysV initscripts for clamav server
clamav-unofficial-sigs Scripts to download unoffical clamav signatures
clamav-update Auto-updater for the Clam Antivirus scanner data-files

インストール

yum install epel-release
yum install clamav clamav-{update,scanner-systemd}

EPEL のパッケージは 2018-03-02 に 0.99.4 がビルドされている。
CentOS 7 では clamav-scanner-systemd を、 CentOS 6 では clamav-scanner-sysvinit をインストールすればよいものと思われる。
上記指定だけで依存関係により以下もインストールされるのでばかすか指定する必要はない。

 clamav-data
 clamav-filesystem
 clamav-lib
 clamav-scanner
 clamav-server
 clamav-server-systemd
 nmap-ncat

更新

cp -a /etc/freshclam.conf{,.org}
cp -a /etc/sysconfig/freshclam{,.org}
sed -i '/^Example/s/^/#/' /etc/freshclam.conf
sed -i 's/^#DatabaseMirror db.XY/DatabaseMirror db.jp/' /etc/freshclam.conf
sed -i '/^FRESHCLAM_DELAY=disabled/s/^/#/' /etc/sysconfig/freshclam
freshclam
出力例
ClamAV update process started at Mon Aug  8 16:00:00 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22049, sigs: 491550, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)

なぜか freshclam.conf の Example を消さないと freshclam コマンドが動作しない。中身をちゃんと見ろということか。

スキャン

検出サンプル (Eicar-Test-Signature) 1

curl -O http://www.eicar.org/download/eicar.com

スキャン実行

clamscan -r -i ~
出力例
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 1
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)

デーモンの起動

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
sed -i '/^Example/s/^/#/' /etc/clamd.conf
sed -i '/TCPSocket/s/^#//' /etc/clamd.conf
sed -i '/TCPAddr/s/^#//' /etc/clamd.conf
sed -i '/clamd.sock/s/^#//' /etc/clamd.conf
clamd
pgrep -a clamd
systemctl enable clamd@scan
出力例
Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.
systemctl start clamd@scan
systemctl status clamd@scan
出力例
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: active (running) since 木 2016-08-11 03:00:11 JST; 5s ago
 Main PID: 32109 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─32109 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

 8月 11 03:00:11 localhost.localdomain clamd[32109]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Running as user clamscan (UID 993, GID 992)
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Log file size limited to 1048576 bytes.
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Reading databases from /var/lib/clamav
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Not loading PUA signatures.
 8月 11 03:00:11 localhost.localdomain clamd[32109]: Bytecode: Security mode set to "TrustSigned".
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ***      Virus database timestamp in the future!   ***
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ***  Please check the timezone and clock settings  ***
 8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************

デフォルト設定ファイル

/etc/cron.d/clamav-update
## Adjust this line...
MAILTO=root

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamupdate' as soon as possible
0  */3 * * * root /usr/share/clamav/freshclam-sleep
/etc/logrotate.d/clamav-update
/var/log/freshclam.log {
        monthly
        notifempty
}
/etc/sysconfig/freshclam
## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * *  ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=

## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn'  ...  disables the automatic freshclam update and
##                         gives out a warning
## 'disabled'       ...  disables the automatic freshclam silently
# FRESHCLAM_DELAY=


### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn   # REMOVE ME
/etc/freshclam.conf
Example
#DatabaseDirectory /var/lib/clamav
#UpdateLogFile /var/log/freshclam.log
#LogFileMaxSize 2M
#LogTime yes
#LogVerbose yes
LogSyslog yes
#LogFacility LOG_MAIL
#LogRotate yes
#PidFile /var/run/freshclam.pid
#DatabaseOwner clamupdate
#AllowSupplementaryGroups yes
#DNSDatabaseInfo current.cvd.clamav.net
#DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
#MaxAttempts 5
#ScriptedUpdates yes
#CompressLocalDatabase no
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com
#Checks 24
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
#HTTPUserAgent SomeUserAgentIdString
#LocalIPAddress aaa.bbb.ccc.ddd
#NotifyClamd /path/to/clamd.conf
#OnUpdateExecute command
#OnErrorExecute command
#OnOutdatedExecute command
#Foreground yes
#Debug yes
#ConnectTimeout 60
#ReceiveTimeout 60
#TestDatabases yes
#SubmitDetectionStats /path/to/clamd.conf
#DetectionStatsCountry country-code
#DetectionStatsHostID unique-id
#SafeBrowsing yes
#Bytecode yes
#ExtraDatabase dbname1
#ExtraDatabase dbname2

セキュリティ関連記事

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Comments
No comments
Sign up for free and join this conversation.
If you already have a Qiita account
Why do not you register as a user and use Qiita more conveniently?
You need to log in to use this function. Qiita can be used more conveniently after logging in.
You seem to be reading articles frequently this month. Qiita can be used more conveniently after logging in.
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
ユーザーは見つかりませんでした