
Linux antivirus software: ClamAV


ClamAV

https://www.clamav.net/

Open-source antivirus software.

The current release is ClamAV 0.100.1, released 2018-07-09.


Packages

RPMForge, which you all loved, is dead!

The daemon that the RPMForge (RepoForge) repository shipped under the package name clamd is available in the EPEL repository as clamav-scanner. The Atomic repository, for what it is worth, does carry a clamd package.

Below is the list of packages in the EPEL repository.

Package name               Description
clamav                     End-user tools for the Clam Antivirus scanner
clamav-data                Virus signature data for the Clam Antivirus scanner
clamav-data-empty          Empty data package for the Clam Antivirus scanner
clamav-devel               Header files and libraries for the Clam Antivirus scanner
clamav-filesystem          Filesystem structure for clamav
clamav-lib                 Dynamic libraries for the Clam Antivirus scanner
clamav-milter              Milter module for the Clam Antivirus scanner
clamav-milter-systemd      Systemd initscripts for the clamav
clamav-milter-sysvinit     SysV initscripts for the clamav sendmail-milter
clamav-scanner             Clamav scanner daemon
clamav-scanner-systemd     Systemd initscripts for clamav scanner daemon
clamav-scanner-sysvinit    SysV initscripts for clamav scanner daemon
clamav-server              Clam Antivirus scanner server
clamav-server-systemd      Systemd initscripts for clamav server
clamav-server-sysvinit     SysV initscripts for clamav server
clamav-unofficial-sigs     Scripts to download unofficial clamav signatures
clamav-update              Auto-updater for the Clam Antivirus scanner data-files


Installation

yum install epel-release

yum install clamav clamav-{update,scanner-systemd}

The EPEL package was built on 2018-03-02 as version 0.99.4.

On CentOS 7 install clamav-scanner-systemd; on CentOS 6 clamav-scanner-sysvinit should be the right choice.

The command above pulls in the following packages as dependencies, so there is no need to list them all explicitly:

clamav-data
clamav-filesystem
clamav-lib
clamav-scanner
clamav-server
clamav-server-systemd
nmap-ncat


Update

cp -a /etc/freshclam.conf{,.org}
cp -a /etc/sysconfig/freshclam{,.org}
sed -i '/^Example/s/^/#/' /etc/freshclam.conf
sed -i 's/^#DatabaseMirror db.XY/DatabaseMirror db.jp/' /etc/freshclam.conf
sed -i '/^FRESHCLAM_DELAY=disabled/s/^/#/' /etc/sysconfig/freshclam
freshclam


Example output

ClamAV update process started at Mon Aug  8 16:00:00 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22049, sigs: 491550, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)

The freshclam command refuses to run until the Example line in freshclam.conf has been commented out or removed. This is deliberate: the shipped file is a template, and the Example marker makes sure you actually read and edit it before the tool will start. The same marker sits in /etc/clamd.d/scan.conf, which is why the daemon setup below comments it out there as well.
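The activation edits above as functions you can try on a copy before pointing them at /etc. This is an added example, not the page's own commands or anything shipped by ClamAV or EPEL; the two sample file contents are constructed excerpts of freshclam.conf and /etc/sysconfig/freshclam.

```shell
# Added example: the page's freshclam activation edits as idempotent functions,
# plus the checks that tell you whether they took effect.  Each function takes
# the path of the file to edit or inspect.

# Constructed excerpt of the shipped freshclam.conf (only the lines that matter here).
SAMPLE_FRESHCLAM_CONF='Example
#DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
LogSyslog yes'

# Constructed excerpt of /etc/sysconfig/freshclam as shipped by EPEL.
SAMPLE_SYSCONFIG='# FRESHCLAM_DELAY=
FRESHCLAM_DELAY=disabled-warn # REMOVE ME'

# Comment out the Example marker and enable the regional mirror ahead of the
# default one.  Running it twice is harmless: "#Example" no longer matches "^Example".
activate_freshclam_conf() {
    sed -i '/^Example/s/^/#/' "$1"
    sed -i 's/^#DatabaseMirror db.XY/DatabaseMirror db.jp/' "$1"
}

# Comment out the line that keeps the cron-driven signature update disabled.
enable_freshclam_cron() {
    sed -i '/^FRESHCLAM_DELAY=disabled/s/^/#/' "$1"
}

# 0 if freshclam would accept the file: no active Example line (freshclam refuses
# to run while one is present) and at least one active DatabaseMirror.
freshclam_conf_ok() {
    ! grep -q '^Example' "$1" && grep -q '^DatabaseMirror ' "$1"
}

# 0 if the sysconfig no longer disables the scheduled update.
freshclam_cron_enabled() {
    ! grep -q '^FRESHCLAM_DELAY=disabled' "$1"
}

# Active mirrors in the order freshclam will try them, one per line.
active_mirrors() {
    grep '^DatabaseMirror ' "$1" | awk '{ print $2 }'
}

# Demo on temporary copies so nothing under /etc is touched.
conf=$(mktemp); printf '%s\n' "$SAMPLE_FRESHCLAM_CONF" > "$conf"
sysc=$(mktemp); printf '%s\n' "$SAMPLE_SYSCONFIG" > "$sysc"
activate_freshclam_conf "$conf"; enable_freshclam_cron "$sysc"
freshclam_conf_ok "$conf" && freshclam_cron_enabled "$sysc" && active_mirrors "$conf"
rm -f "$conf" "$sysc"
```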


Scanning


Detection sample (Eicar-Test-Signature)

curl -O http://www.eicar.org/download/eicar.com


Running the scan

clamscan -r -i ~


Example output

/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 1
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)
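To act on clamscan output from a cron job rather than reading it by eye, the following added example (not from the original page) parses the FOUND lines and the SCAN SUMMARY into something a log pipeline can consume; the sample input is the page's output above, extended with one constructed detection whose path contains spaces and a colon.

```shell
# Added example: turn `clamscan -r -i` output into machine-readable detections.
# clamscan's own exit status (0 clean, 1 detections, 2 error) is the cheap check;
# parsing the report tells you what was found and where.

# Constructed input: the page's example output plus one extra detection line.
SAMPLE_SCAN_OUTPUT='/root/eicar.com: Eicar-Test-Signature FOUND
/root/dir with spaces/note: a.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4704996
Engine version: 0.99.2
Scanned directories: 184
Scanned files: 202
Infected files: 2
Data scanned: 167.39 MB
Data read: 45.88 MB (ratio 3.65:1)
Time: 40.700 sec (0 m 40 s)'

# Print one "path<TAB>signature" line per detection, reading clamscan output on stdin.
# Detection lines look like "<path>: <signature> FOUND".  The split is made at the
# LAST ": " that is followed by a space-free signature name, so paths containing
# spaces or ": " themselves are handled correctly.
detections() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        if (match($0, /: [^ ]+$/))
            printf "%s\t%s\n", substr($0, 1, RSTART - 1), substr($0, RSTART + 2)
    }'
}

# Print the "Infected files" count from the scan summary (0 if the summary is missing).
infected_count() {
    awk '/^Infected files: / { n = $NF } END { print n + 0 }'
}

# 0 when the number of FOUND lines matches the summary count, 1 otherwise
# (truncated output, or a report that was not produced by clamscan at all).
report_consistent() {
    found=$(printf '%s\n' "$1" | detections | wc -l | tr -d ' ')
    [ "$found" -eq "$(printf '%s\n' "$1" | infected_count)" ]
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | detections
report_consistent "$SAMPLE_SCAN_OUTPUT" && echo "summary matches FOUND lines"
```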



Starting the daemon

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
sed -i '/^Example/s/^/#/' /etc/clamd.conf
sed -i '/TCPSocket/s/^#//' /etc/clamd.conf
sed -i '/TCPAddr/s/^#//' /etc/clamd.conf
sed -i '/clamd.sock/s/^#//' /etc/clamd.conf
clamd
pgrep -a clamd

systemctl enable clamd@scan


Example output

Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.


systemctl start clamd@scan

systemctl status clamd@scan


Example output

● clamd@scan.service - Generic clamav scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
Active: active (running) since 木 2016-08-11 03:00:11 JST; 5s ago
Main PID: 32109 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─32109 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

8月 11 03:00:11 localhost.localdomain clamd[32109]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
8月 11 03:00:11 localhost.localdomain clamd[32109]: Running as user clamscan (UID 993, GID 992)
8月 11 03:00:11 localhost.localdomain clamd[32109]: Log file size limited to 1048576 bytes.
8月 11 03:00:11 localhost.localdomain clamd[32109]: Reading databases from /var/lib/clamav
8月 11 03:00:11 localhost.localdomain clamd[32109]: Not loading PUA signatures.
8月 11 03:00:11 localhost.localdomain clamd[32109]: Bytecode: Security mode set to "TrustSigned".
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: *** Virus database timestamp in the future! ***
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: *** Please check the timezone and clock settings ***
8月 11 03:00:11 localhost.localdomain clamd[32109]: LibClamAV Warning: ******************************************************



Default configuration files


/etc/cron.d/clamav-update

## Adjust this line...
MAILTO=root

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamupdate' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep



/etc/logrotate.d/clamav-update

/var/log/freshclam.log {
monthly
notifempty
}


/etc/sysconfig/freshclam

## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * * ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=

## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn' ... disables the automatic freshclam update and
## gives out a warning
## 'disabled' ... disables the automatic freshclam silently
# FRESHCLAM_DELAY=

### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn # REMOVE ME



/etc/freshclam.conf

Example
#DatabaseDirectory /var/lib/clamav
#UpdateLogFile /var/log/freshclam.log
#LogFileMaxSize 2M
#LogTime yes
#LogVerbose yes
LogSyslog yes
#LogFacility LOG_MAIL
#LogRotate yes
#PidFile /var/run/freshclam.pid
#DatabaseOwner clamupdate
#AllowSupplementaryGroups yes
#DNSDatabaseInfo current.cvd.clamav.net
#DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
#MaxAttempts 5
#ScriptedUpdates yes
#CompressLocalDatabase no
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com
#Checks 24
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
#HTTPUserAgent SomeUserAgentIdString
#LocalIPAddress aaa.bbb.ccc.ddd
#NotifyClamd /path/to/clamd.conf
#OnUpdateExecute command
#OnErrorExecute command
#OnOutdatedExecute command
#Foreground yes
#Debug yes
#ConnectTimeout 60
#ReceiveTimeout 60
#TestDatabases yes
#SubmitDetectionStats /path/to/clamd.conf
#DetectionStatsCountry country-code
#DetectionStatsHostID unique-id
#SafeBrowsing yes
#Bytecode yes
#ExtraDatabase dbname1
#ExtraDatabase dbname2

