How to Install ClamAV on CentOS 7
ClamAV (Clam AntiVirus) is an open source antivirus engine for Unix-like systems. It was built primarily for scanning email at mail gateways, but today it is used to protect many kinds of systems and applications. ClamAV ships a flexible multi-threaded daemon (clamd), a command line scanner (clamscan) and a tool for automatic signature database updates (freshclam). It is widely used on Linux servers and mail gateways, and it is also integrated with cPanel to scan the file system.
A few notable features of ClamAV are:
- It is open source, POSIX compliant, portable software licensed under the GNU General Public License.
- It provides fast scanning and supports on-access scanning of files.
- It claims to detect over 1 million viruses, worms and Trojans, including Microsoft Office macro viruses, mobile malware and other threats.
- It can scan inside many types of archives and compressed files.
- It supports Portable Executable (PE), ELF and Mach-O files.
- It supports almost all mail formats and many special file formats.
- Its database updater supports scripted (incremental) updates, digital signatures on the databases and DNS-based database version queries.
Requirements
ClamAV does not require any special hardware; you only need a server with CentOS 7.x installed and root or sudo access to it. If you are logged in as a non-root user, either run sudo -i to switch to the root account or prefix every administrative command with sudo.
Installing ClamAV
Before installing any package, it is recommended to update the system and packages using the following command.
yum -y update
After updating the system you need to add the EPEL repository, because ClamAV is not available in the default CentOS 7 repositories. To add EPEL and refresh the package metadata, run the following commands.
yum -y install epel-release
yum -y update
yum clean all
Now run the following command to install ClamAV antivirus.
yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Before running ClamAV you need to configure a few things.
CentOS ships with SELinux enabled. SELinux may deny the scanner access to some files, which produces errors and warnings. Rather than disabling SELinux, adjust its policy so that ClamAV is allowed to read files across the system.
Disabling SELinux is not recommended. If you must, the following command switches it to permissive mode until the next reboot.
setenforce 0
To allow ClamAV under SELinux instead, set the two antivirus booleans persistently (-P keeps them across reboots). On older policies the second boolean was named clamd_use_jit; on CentOS 7 the names are the antivirus_ ones.
setsebool -P antivirus_can_scan_system 1
setsebool -P antivirus_use_jit 1
To check the SELinux booleans that apply to antivirus software, run the following command.
getsebool -a | grep antivirus
You will get output like the following. If antivirus_use_jit still shows off, the bytecode JIT will be denied; rerun the setsebool line with the exact boolean name that getsebool prints.
[root@ip-172-31-16-226 ~]# getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> off
Once SELinux is adjusted, edit the scanner configuration. The package installs a configuration file at /etc/clamd.d/scan.conf, so you only need to modify it. Before clamd will use it, the line containing the single word Example must be removed or commented out; the daemon refuses to start while that line is present. The following commands back up the file and comment out the line (the sed expression only matches Example at the start of a line).
cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.backup
sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf
If the sed command fails, open the file in your favourite editor and remove the Example line by hand.
You can also choose which user runs the daemon: root, or an unprivileged account such as clamscan. The packages create such accounts during installation, one for the updater and one for the scanner. To see them, run the following command.
cat /etc/passwd | grep clam
You will likely see the following output.
[root@ip-172-31-7-222 ~]# cat /etc/passwd | grep clam
clamupdate:x:995:992:Clamav database update user:/var/lib/clamav:/sbin/nologin
clamscan:x:994:991:Clamav scanner user:/:/sbin/nologin
We will use the clamscan user to run the scanner daemon. Open the scanner configuration file in your favourite editor. This tutorial uses nano; if it is not installed, run yum -y install nano first.
nano /etc/clamd.d/scan.conf
Scroll down to find the following lines.
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamscan
Keep this line as it is. clamd must be started by root for the User directive to work: it starts with root privileges, sets up its socket and log files, and then drops to the clamscan user before it parses any file. The clamd@scan systemd unit used below starts it as root, so this happens automatically. You could instead run the whole daemon as root, but that hands full privileges to the code that parses untrusted input, so only do it if the unprivileged user genuinely cannot read what you need scanned, and prefer fixing file permissions or the SELinux booleans first.
Next, define how the daemon listens. Scroll down to find the following lines.
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /var/run/clamd.scan/clamd.sock
Uncomment the LocalSocket line so that it reads as follows.
LocalSocket /var/run/clamd.scan/clamd.sock
Leave TCPSocket commented out unless a remote client really needs it. clamd performs no authentication, so anything that can reach its socket can ask it to scan, and therefore read, any file the daemon's user can open; if you do enable TCPSocket, also set TCPAddr 127.0.0.1 so it only listens on the loopback interface.
Save and exit the editor. Before starting the scanner service, you need to configure and run freshclam.
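The edits above are easy to get subtly wrong (a stray Example line, a forgotten LocalSocket, or a TCPSocket that listens on every interface), and clamd gives little feedback until it fails to start. The following script is an added example, not part of the original tutorial or of ClamAV: it applies the same edits to a scan.conf and then audits the result for the three mistakes just mentioned. It assumes the standard "Directive value" syntax and the socket path /var/run/clamd.scan/clamd.sock used above; the file path is whatever you pass in, so you can try it on a copy first.

```shell
#!/bin/bash
# Added example (not from the tutorial or ClamAV): apply the scan.conf edits
# described above, then audit the file. Assumes the standard "Directive value"
# syntax and the socket path /var/run/clamd.scan/clamd.sock from the tutorial.
set -u

# Apply the edits: comment out "Example", listen on the local socket, and make
# sure the daemon drops privileges to the clamscan user. Keeps a .backup copy.
harden_clamd_conf() {
    local conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    cp -p "$conf" "$conf.backup"
    sed -i \
        -e 's/^Example$/#Example/' \
        -e 's|^#LocalSocket /var/run/clamd.scan/clamd.sock|LocalSocket /var/run/clamd.scan/clamd.sock|' \
        "$conf"
    # Add "User clamscan" only if no User directive is set at all.
    grep -q '^User ' "$conf" || echo 'User clamscan' >> "$conf"
}

# Audit the config: one line per problem on stdout, exit 1 if any, 0 if clean.
audit_clamd_conf() {
    local conf="$1" problems=0 user
    if grep -q '^Example' "$conf"; then
        echo "Example line still active: clamd will refuse to start"; problems=1
    fi
    if ! grep -q '^LocalSocket ' "$conf"; then
        echo "no LocalSocket: local clients cannot reach clamd"; problems=1
    fi
    # A TCP listener without TCPAddr 127.0.0.1 binds every interface.
    if grep -q '^TCPSocket ' "$conf" && ! grep -q '^TCPAddr 127\.0\.0\.1' "$conf"; then
        echo "TCPSocket without TCPAddr 127.0.0.1: clamd reachable from the network"; problems=1
    fi
    user=$(awk '/^User /{print $2}' "$conf")
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "daemon would run as root: set User clamscan"; problems=1
    fi
    return "$problems"
}

# Usage (as root, after backing up): harden the live file and fail loudly if
# anything is still wrong, before systemctl start clamd@scan.
# harden_clamd_conf /etc/clamd.d/scan.conf && audit_clamd_conf /etc/clamd.d/scan.conf
```

Run the audit again after any later edit to scan.conf; it is cheap and catches the network-exposed listener case that a successful systemctl start does not complain about.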
freshclam downloads the virus signature databases to the server. Its configuration file is /etc/freshclam.conf, and like scan.conf it ships with an Example line that must be commented out before it will run. Back up the file and comment out that line with the following commands.
cp /etc/freshclam.conf /etc/freshclam.conf.backup
sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
We can now run Freshclam using the following command.
freshclam
You will get following output.
[root@ip-172-31-7-222 ~]# freshclam
ClamAV update process started at Tue Nov 1 08:44:10 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Trying host database.clamav.net (27.96.54.66)...
Downloading daily.cvd [100%]
daily.cvd updated (version: 22463, sigs: 804704, f-level: 63, builder: neo)
Downloading bytecode-279.cdiff [100%]
Downloading bytecode-280.cdiff [100%]
Downloading bytecode-281.cdiff [100%]
Downloading bytecode-282.cdiff [100%]
Downloading bytecode-283.cdiff [100%]
bytecode.cld updated (version: 283, sigs: 53, f-level: 63, builder: neo)
Database updated (5023547 signatures) from database.clamav.net (IP: 27.96.54.66)
To check whether the database is current, run freshclam again: it downloads any available update, or reports that everything is up to date.
[root@ip-172-31-7-222 ~]# freshclam
ClamAV update process started at Tue Nov 1 08:51:46 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22463, sigs: 804704, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
Since freshclam only downloads signatures when it is run, schedule it so that the latest malware signatures arrive regularly. You can do this with either a cron job or a systemd service; use one or the other, not both, or the updates will simply run twice.
To create a cron job, run the following command.
crontab -e
This opens the crontab in the vi editor. Press i to enter insert mode and add the following line.
00 01,13 * * * /usr/bin/freshclam --quiet
Press Esc, then type :wq to save and exit. This cron job runs freshclam twice a day, at 1 AM and again at 1 PM; --quiet suppresses the normal progress output so that only errors reach cron's mail.
If you prefer not to use cron, create a systemd service instead. The tutorial writes the unit to /usr/lib/systemd/system; that directory belongs to packages, and units you write yourself conventionally go in /etc/systemd/system, which systemd searches first. Either location works with the commands below. Create the file with your favourite editor.
nano /usr/lib/systemd/system/freshclam.service
Now add the following lines to the file.
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 2
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target
Now save and exit from the editor. To start the service and enable it to automatically start at boot time, run the following command.
systemctl start freshclam
systemctl enable freshclam
With -d freshclam runs as a daemon, and -c 2 makes it check for updates twice a day. You can check the status of the new freshclam service with the following command.
systemctl status freshclam
You should see following output.
[root@ip-172-31-7-222 ~]# systemctl status freshclam
● freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/freshclam.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2016-11-01 09:07:06 UTC; 1min 7s ago
Main PID: 4488 (freshclam)
CGroup: /system.slice/freshclam.service
└─4488 /usr/bin/freshclam -d -c 2
Nov 01 09:07:06 ip-172-31-7-222 systemd[1]: Starting freshclam scanner...
Nov 01 09:07:06 ip-172-31-7-222 systemd[1]: Started freshclam scanner.
Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: freshclam daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: ClamAV update process started at Tue Nov 1 09:07:06 2016
Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: daily.cvd is up to date (version: 22463, sigs: 804704, f-level: 63, builder: neo)
Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: --------------------------------------
Hint: Some lines were ellipsized, use -l to show in full.
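Whichever scheduler you pick, the failure mode to watch for is a freshclam that silently stops updating (mirror unreachable, permission problems on the database directory, a unit that never got enabled) while clamd keeps scanning with old signatures. The following monitoring check is an added example, not part of the original tutorial or of ClamAV. It reads the version and signature count directly out of the database header and combines them with the file's age, so it works without freshclam or sigtool installed. It assumes the EPEL layout (/var/lib/clamav, with daily.cvd or the incrementally updated daily.cld) and the documented CVD/CLD header: a 512-byte colon-separated header beginning ClamAV-VDB:<build date>:<version>:<signature count>:<flevel>. The 48-hour limit is an assumption; daily.cvd normally changes several times a day, so pick a threshold that suits your alerting.

```shell
#!/bin/bash
# Added example (not from the tutorial or ClamAV): detect stale signature
# databases. Assumes the EPEL layout (/var/lib/clamav, daily.cvd or daily.cld)
# and the CVD/CLD header layout: 512 bytes, colon separated, whose first
# fields are ClamAV-VDB:<build date>:<version>:<signature count>:<flevel>.
set -u

# Path of the daily database in directory $1. A daily.cld (the locally
# patched copy) is newer than the daily.cvd it was built from, so it wins.
# Returns 1 if neither file exists.
daily_db_path() {
    local dir="$1"
    if [ -f "$dir/daily.cld" ]; then
        echo "$dir/daily.cld"
    elif [ -f "$dir/daily.cvd" ]; then
        echo "$dir/daily.cvd"
    else
        return 1
    fi
}

# Print "<version> <signature count>" from the database header of file $1.
cvd_version_and_sigs() {
    local hdr
    hdr=$(head -c 512 "$1" | tr -d '\000')
    case "$hdr" in
        ClamAV-VDB:*) ;;
        *) echo "not a ClamAV database: $1" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$(printf '%s' "$hdr" | cut -d: -f3)" \
                     "$(printf '%s' "$hdr" | cut -d: -f4)"
}

# Age of file $1 in whole hours, from its modification time.
file_age_hours() {
    echo $(( ( $(date +%s) - $(stat -c %Y "$1") ) / 3600 ))
}

# Exit 0 if the daily database in $1 (default /var/lib/clamav) is newer than
# $2 hours (default 48), 1 if it is stale, 2 if it is missing or unreadable.
check_signatures_fresh() {
    local dir="${1:-/var/lib/clamav}" max_hours="${2:-48}" db info age
    db=$(daily_db_path "$dir") || { echo "no daily database in $dir" >&2; return 2; }
    info=$(cvd_version_and_sigs "$db") || return 2
    age=$(file_age_hours "$db")
    if [ "$age" -gt "$max_hours" ]; then
        echo "STALE: $db version ${info% *} (${info#* } sigs) is ${age}h old, limit ${max_hours}h"
        return 1
    fi
    echo "OK: $db version ${info% *} (${info#* } sigs), ${age}h old"
}

# Usage from a cron job or a monitoring agent: the exit status is the alert.
# check_signatures_fresh /var/lib/clamav 48
```

The version printed here should match the daily version freshclam reports in its log; if the file is fresh but the version has not moved for days, freshclam is running against a mirror that is not serving new databases, which the age check alone would miss.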
Now as we have our virus definitions updated, we can proceed further to run the scanner service of ClamAV. To start the scanner service run the following command.
systemctl start clamd@scan
To automatically start the service at boot time, run the following command.
systemctl enable clamd@scan
To check the status of scanner service, run the following command.
systemctl status clamd@scan
It should produce the following output when running normally.
[root@ip-172-31-7-222 ~]# systemctl status clamd@scan
● clamd@scan.service - Generic clamav scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2016-11-01 11:20:36 UTC; 12s ago
Main PID: 4956 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─4956 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HTML support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: XMLDOCS support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HWP3 support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: Self checking every 600 seconds.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: PDF support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: SWF support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HTML support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: XMLDOCS support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HWP3 support enabled.
Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: Self checking every 600 seconds.
You can also use the clamconf utility to check the configuration files. It prints the effective settings from clamd.conf and freshclam.conf, followed by software, database, platform and build information. Note that clamconf looks for the stock clamd.conf, not for /etc/clamd.d/scan.conf, so the ERROR line in the output below refers to the untouched example file and does not affect the clamd@scan service, which reads scan.conf. To use the utility, run the following command.
clamconf
The sample output of the command is:
[root@ip-172-31-7-222 ~]# clamconf
Checking configuration files in /etc
Config file: clamd.conf
ERROR: Please edit the example config file /etc/clamav/clamd.conf
Config file: freshclam.conf
---------------------------
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "1048576"
LogTime disabled
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile disabled
DatabaseOwner = "clamupdate"
Checks = "12"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "3"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"
clamav-milter.conf not found
Software settings
-----------------
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV JIT
Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 57, sigs: 4218790, built on Wed Mar 16 23:17:06 2016
bytecode.cld: version 283, sigs: 53, built on Thu Jun 23 15:01:37 2016
daily.cld: version 22464, sigs: 804704, built on Tue Nov 1 10:03:49 2016
Total number of signatures: 5023547
Platform information
--------------------
uname: Linux 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
Triple: x86_64-redhat-linux-gnu
CPU: i686, Little-endian
platform id: 0x0a2152520804080503040805
Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-4)(4.8.5)
GNU C++: 4.8.5 20150623 (Red Hat 4.8.5-4) (4.8.5)
CPPFLAGS:
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wall -W -Wmissing-prototypes -Wmissing-declarations -std=gnu99 -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu++98
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed
sizeof(void*) = 8
Engine flevel: 82, dconf: 82
To scan the files in a directory, use the clamscan utility, ClamAV's command line scanner. To scan the home directories, run the following command.
clamscan --infected --remove --recursive /home /root
The above command scans /home and /root. The --infected option prints only the infected files, --remove deletes every file in which a signature matches, and --recursive makes clamscan descend into sub-directories. You will see output like the following.
[root@ip-172-31-7-222 ~]# clamscan --infected --remove --recursive /home /root
----------- SCAN SUMMARY -----------
Known viruses: 5018129
Engine version: 0.99.2
Scanned directories: 7
Scanned files: 12
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 10.117 sec (0 m 10 s)
To verify that ClamAV is working, use the EICAR Standard Anti-Virus Test File. It is a harmless text string that every antivirus engine recognises as a test signature; it is not malware and does nothing if run. Download it using the following command.
wget http://www.eicar.org/download/eicar_com.zip
Now scan the current directory using the following command.
clamscan --infected --remove --recursive .
You should get following output.
[root@ip-172-31-7-222 ~]# clamscan --infected --remove --recursive .
./eicar_com.zip: Eicar-Test-Signature FOUND
./eicar_com.zip: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 5018129
Engine version: 0.99.2
Scanned directories: 4
Scanned files: 8
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 10.758 sec (0 m 10 s)
To scan the whole system, run the following command.
clamscan --infected --recursive --exclude-dir="^/sys" /
The above command scans the whole server but excludes the /sys directory, whose pseudo-files cannot be read normally and only produce warnings. The same is true of /proc and /dev, so in practice exclude them too by repeating the option: --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev". A full scan also takes a long time and a lot of CPU, so schedule it outside busy hours.
Be careful with the --remove option: it deletes files outright, and a false positive on a system binary or a user's document is unrecoverable. Run the scan without it first, review the files it reports, and only then delete them by hand or run the command again with --remove once you are sure they are malicious.
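A middle ground between deleting on sight and leaving hits in place is to quarantine: move each reported file out of reach, under a directory that mirrors its original path, so a false positive can be put back after review. The script below is an added example, not part of the original tutorial or of ClamAV. It runs the scanner without --remove, parses the "<path>: <signature> FOUND" report lines, and moves the hits. It assumes clamscan's exit codes (0 clean, 1 something found, 2 error) and report format; SCANNER is an assumed environment variable so that the same function works with clamdscan or, for a dry run, with any stand-in that prints the same lines. It also includes a helper that writes the EICAR test string locally, which is handy when the server has no outbound web access for the wget above.

```shell
#!/bin/bash
# Added example (not from the tutorial or ClamAV): scan without --remove and
# move what the scanner reports into a quarantine directory, mirroring the
# original path so a false positive can be restored after review.
# Assumptions: clamscan-style exit codes (0 clean, 1 infected, 2 error) and
# "<path>: <signature> FOUND" report lines; SCANNER (assumed variable) may be
# set to clamdscan or to any stand-in that speaks the same format.
set -u
: "${SCANNER:=clamscan}"

# Write the EICAR test string to $1. It is harmless and every engine flags it.
make_eicar_file() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Turn "<path>: <signature> FOUND" report lines into "<path><TAB><signature>".
# Signature names never contain ':', so the greedy path match is safe even
# for paths that themselves contain ": ".
parse_found_lines() {
    local tab
    tab=$(printf '\t')
    sed -n 's/^\(.*\): \([^:]*\) FOUND$/\1'"$tab"'\2/p'
}

# scan_and_quarantine QUARANTINE_DIR PATH... : scan the paths and move every
# reported file under QUARANTINE_DIR at its original path. The quarantine
# directory must lie outside the scanned paths or it will be rescanned.
# Returns 0 if nothing was found, 1 if files were quarantined, 2 on scanner error.
scan_and_quarantine() {
    local qdir="$1"; shift
    local report found rc hits=0 path sig dest tab
    tab=$(printf '\t')
    report=$(mktemp)
    found=$(mktemp)
    "$SCANNER" --infected --recursive --stdout "$@" > "$report"
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "scanner failed; report left in $report" >&2
        rm -f "$found"
        return 2
    fi
    parse_found_lines < "$report" > "$found"
    while IFS="$tab" read -r path sig; do
        dest="$qdir/${path#/}"
        mkdir -p "$(dirname "$dest")"
        # Keep the file intact for analysis, but make it unreadable and
        # non-executable in its new home.
        mv -- "$path" "$dest" && chmod 000 "$dest"
        echo "quarantined: $path ($sig) -> $dest"
        hits=$((hits + 1))
    done < "$found"
    rm -f "$report" "$found"
    [ "$hits" -eq 0 ] && return 0
    return 1
}

# Usage, as root, with the quarantine outside the scanned trees:
# scan_and_quarantine /var/quarantine /home /root
```

Restoring a file is then mv in the other direction plus the original mode; deleting the quarantine after a retention period is a separate, deliberate step rather than something the scanner does for you.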
Conclusion
The virus database signature files are summarised below:

| Signature file extension | Signature type | Signature format |
|---|---|---|
| *.hdb | MD5 hash-based signature | HashString:FileSize:MalwareName |
| *.hsb | SHA1 and SHA256 hash-based signature | HashString:FileSize:MalwareName |
| *.mdb | PE section hash-based signature | PESectionSize:PESectionHash:MalwareName |
| *.db | Basic body-based signature | MalwareName=HexSignature |
| *.ndb | Extended body-based signature | MalwareName:TargetType:Offset:HexSignature[:MinFL:[MaxFL]] |
| *.ldb | Logical body-based signature | SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;... |
| *.idb | PE file icon signature | ICONNAME:GROUP1:GROUP2:ICON_HASH |
| *.ndb | PE file version-info metadata signature | my_test_vi_sig:1:VI:paste_your_hex_sig_here |
| *.crb, *.crtdb | Trusted and revoked certificate signatures | Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment[;minFL[;maxFL]] |
| *.cdb | Container metadata signature | VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]] |
| *.zmd (ZIP) and *.rmd (RAR) | Signatures based only on ZIP/RAR metadata | virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth |
| *.fp (MD5) and *.sfp (SHA1 and SHA256) | Whitelist database | HashString:FileSize:MalwareName |
| *.pdb | Phishing URL/host signature | R[Filter]:RealURL:DisplayedURL[:FuncLevelSpec] or H[Filter]:DisplayedHostname[:FuncLevelSpec] |
| *.gdb | Phishing URL hash signature | S:P:HostPrefix[:FuncLevelSpec] or S:F:Sha256hash[:FuncLevelSpec] or S1:P:HostPrefix[:FuncLevelSpec] or S1:F:Sha256hash[:FuncLevelSpec] or S2:P:HostPrefix[:FuncLevelSpec] or S2:F:Sha256hash[:FuncLevelSpec] or S:W:Sha256hash[:FuncLevelSpec] |
| *.wdb | Phishing URL whitelist signature | X:RealURL:DisplayedURL[:FuncLevelSpec] or M:RealHostname:DisplayedHostname[:FuncLevelSpec] |

Useful sigtool commands:
- Show the information in a CVD: sigtool -i main.cvd
- Unpack a CVD: sigtool -u main.cvd
- Generate an MD5 hash signature: sigtool --md5 test.exe > test.hdb
- Generate a SHA1 hash signature: sigtool --sha1 test.exe > test.hsb
- Generate a SHA256 hash signature: sigtool --sha256 test.exe > test.hsb
- Generate a PE section hash signature: sigtool --mdb test.exe > test.mdb
Open issue:
1. How to repack a CVD with sigtool: researched at length, not yet solved.
Reference: https://blog.csdn.net/zourzh123/article/details/45719757