
Installation and use of anti-virus software ClamAV

2022-07-27 03:43:00 Qingxiao

Catalog

1. ClamAV introduction

2. Install ClamAV and clamdscan

3. Update the database manually

4. Usage

4.1 clamscan usage

4.2 clamdscan usage

5. Python: determine whether a virus was detected


1. ClamAV introduction

ClamAV Antivirus is the most popular antivirus software on the Linux platform. ClamAV is a free, open-source product and supports multiple platforms, such as Linux/Unix, Mac OS X, Windows and OpenVMS.
ClamAV is a command-line virus scanning tool, but a graphical front end, ClamTK, is also available.
ClamAV is mainly used on mail servers to scan mail. It has multiple interfaces for scanning mail from the mail server and supports file formats such as ZIP, RAR, TAR, GZIP, BZIP2, HTML, DOC, PDF, SIS, CHM, RTF and so on.
ClamAV can automatically update its virus database and can also be run from a shared library. The command-line interface lets ClamAV run smoothly.
By default it only finds the viruses on your computer; it does not remove them.
ClamAV has two commands, clamdscan and clamscan:
  • clamscan: general purpose, does not depend on a service, has many command-line parameters, but runs somewhat slower
  • clamdscan: the scanning tool that works together with the resident clamd service. Its function is very similar to clamscan and it runs more efficiently, but fewer parameters are available (because some functions are controlled by clamd). There is no need to pass -r; it recursively scans subdirectories by default

2. Install ClamAV and clamdscan

apt -y install clamav clamtk clamav-daemon clamdscan device-tree-compiler
Check the service status: systemctl status clamav-daemon
Restart the service: /etc/init.d/clamav-daemon restart
Confirm the daemon process is running: ps -ef | grep clamd
clamdscan depends on the clamd service: /usr/sbin/clamd

3. Update the database manually

The virus database is located at /var/lib/clamav/*
1. Temporarily stop the service: sudo systemctl stop clamav-freshclam
2. Run freshclam: sudo freshclam (or call it directly: /usr/bin/freshclam)
3. Restart the service: sudo systemctl start clamav-freshclam

4. Usage

The file malware_scanner_eicar is used as the test case. Its contents are as follows:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

4.1 clamscan usage

1. clamscan --help
-i tells ClamAV to show only infected files
-r makes the scan recursive
--max-scansize= sets the maximum amount of data you want ClamAV to scan. The maximum is 4000M. Remember that this is the actual amount of data read, not the size of the file.
--max-filesize= sets the maximum size of a file you want ClamAV to scan.

2. ClamAV configuration file: /etc/clamav/freshclam.conf

# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav  # virus database location
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0  # raise the ClamAV receive timeout
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf  # clamd configuration file to notify after an update
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
3. Scan a file: clamscan eicar.com
4. Scan a directory: clamscan -i -r --max-scansize=4000M --max-filesize=4000M ~/Downloads

4.2 clamdscan usage

1. clamdscan --help
                      Clam AntiVirus: Daemon Client 0.103.5
           By The ClamAV Team: https://www.clamav.net/about.html#credits
           (C) 2022 Cisco Systems, Inc.
    clamdscan [options] [file/directory/-]
    --help              -h             Show this help
    --version           -V             Print version number and exit
    --verbose           -v             Be verbose
    --quiet                            Be quiet, only output error messages
    --stdout                           Write to stdout instead of stderr. Does not affect 'debug' messages.
                                       (this help is always written to stdout)
    --log=FILE          -l FILE        Save scan report in FILE
    --file-list=FILE    -f FILE        Scan files from FILE
    --ping              -p A[:I]       Ping clamd up to [A] times at optional interval [I] until it responds.
    --wait              -w             Wait up to 30 seconds for clamd to start. Optionally use alongside --ping to set attempts [A] and interval [I] to check clamd.
    --remove                           Remove infected files. Be careful!
    --move=DIRECTORY                   Move infected files into DIRECTORY
    --copy=DIRECTORY                   Copy infected files into DIRECTORY
    --config-file=FILE                 Read configuration from FILE.
    --allmatch            -z           Continue scanning within file after finding a match.
    --multiscan           -m           Force MULTISCAN mode
    --infected            -i           Only print infected files (only the virus files found are output)
    --no-summary                       Disable summary at end of scanning
    --reload                           Request clamd to reload virus database
    --fdpass                           Pass filedescriptor to clamd (useful if clamd is running as a different user)
    --stream                           Force streaming files to clamd (for debugging and unit testing)
2. Examples
Before scanning with clamdscan, you can first test whether the connection to clamd works: clamdscan -p 3
If it prints PONG, the connection to clamd is OK.
Check the ClamAV and virus signature versions: clamdscan --version
26601 is the version of the virus signatures, and the trailing date is the date of those signatures.
Scan a specified file: clamdscan archive.zip
Scan a specified directory: clamdscan /home/ubuntu
Scan a list of files: first prepare the file list filelist.txt, one file per line, then run: clamdscan -f filelist.txt
Scan a data stream: cat myfile | clamscan -
Error reported: /home/malware_scanner_eicar: Can't open file or directory ERROR
Explanation found online:
But when I tested it, I found that adding it didn't seem to work; for the time being, the virus samples to be tested can only be stored under the directories listed in /etc/apparmor.d/usr.sbin.clamd.
The following method works; restart the machine at the end.
Not detected:
Detected:
If the value of Infected files is 1, the virus was found.

5. Python: determine whether a virus was detected

import re
result = '''
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.006 sec (0 m 0 s)
Start Date: 2022:07:15 13:34:40
End Date:   2022:07:15 13:34:40
'''
# Raw string so the backslashes reach the regex engine; \d+ also handles counts above 9
t = re.findall(r"Infected files:\s*(\d+)", result)
print(t)  # ['1']
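As an added example (not code from the original post), the check from section 5 generalised to the whole report: it parses the per-file FOUND/OK/ERROR lines that clamscan and clamdscan print (section 4.2) as well as the summary count, and wraps the clamscan call so its exit code (0 clean, 1 infected, 2 error) is kept. The sample report is constructed, and scan_path assumes clamscan is installed.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample report in the layout clamscan prints (not captured from a real run).
SAMPLE_OUTPUT = """\
/home/ubuntu/Downloads/malware_scanner_eicar: Eicar-Test-Signature FOUND
/home/ubuntu/Downloads/notes.txt: OK
/home/ubuntu/Downloads/locked.bin: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 1
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+?): .* ERROR$")
SUMMARY_RE = re.compile(r"^Infected files:\s*(\d+)$")

@dataclass
class ScanResult:
    infected: dict = field(default_factory=dict)  # path -> signature name
    errors: list = field(default_factory=list)    # paths the scanner could not open
    summary_infected: "int | None" = None         # "Infected files:" from the summary

def parse_scan_output(text: str) -> ScanResult:
    """Turn clamscan/clamdscan report text into per-file verdicts plus the summary count."""
    res = ScanResult()
    for line in text.splitlines():
        line = line.rstrip()
        if (m := FOUND_RE.match(line)):
            res.infected[m["path"]] = m["sig"]
        elif (m := ERROR_RE.match(line)):
            res.errors.append(m["path"])
        elif (m := SUMMARY_RE.match(line)):
            res.summary_infected = int(m.group(1))
    return res

def virus_detected(text: str) -> bool:
    """True when any FOUND line is present or the summary reports infections."""
    res = parse_scan_output(text)
    return bool(res.infected) or bool(res.summary_infected)

def scan_path(path: str, recursive: bool = True) -> tuple:
    """Run clamscan (must be installed) and return (exit code, parsed result).
    clamscan exits 0 when clean, 1 when something was found and 2 on error."""
    cmd = ["clamscan", "-i"] + (["-r"] if recursive else []) + [path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, parse_scan_output(proc.stdout + proc.stderr)
```

Unreadable files show up in errors rather than silently counting as clean, which is the case the AppArmor problem above produces.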


Copyright notice
This article was written by [Qingxiao]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/208/202207270012392152.html