Using ClamAV for virus scanning on CentOS 7
huty
February 10, 2023 · 1,662 reads
About ClamAV
An open-source virus scanning engine and command-line scanner.
Website: https://www.clamav.net
Installing ClamAV
- Install the EPEL repository (on CentOS 7 ClamAV is packaged in EPEL, not in the base repositories)
yum install -y epel-release
- Install ClamAV
yum install -y clamav clamav-update
- Verify the installation (print the ClamAV version)
clamscan --version
Sample output (engine version / signature database version / database build date):
ClamAV 0.103.7/26807/Thu Feb 9 16:42:40 2023
- Update the virus database
freshclam
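A version string proves only that the binary runs; it does not prove the engine detects anything. The script below is an added example and not part of the original post: it writes the standard EICAR test string (a public, harmless pattern that anti-virus engines detect by convention) to a temporary file and checks that clamscan reports it as FOUND with exit status 1. It assumes clamscan is on PATH (override with the CLAMSCAN variable) and that freshclam has already loaded a signature database. The test string is kept as two literals so the script itself is not flagged and quarantined by a later recursive scan.

```bash
#!/bin/bash
# Post-install check: ClamAV must flag the EICAR test string.
# Added example, not from the original post. Assumes clamscan is on PATH
# (override with CLAMSCAN=/path/to/clamscan) and that freshclam has loaded
# a signature database.
set -u

CLAMSCAN=${CLAMSCAN:-clamscan}

# The 68-byte EICAR test string (a public, harmless AV test pattern).
# Kept as two literals so this script is not itself flagged and quarantined
# by a later recursive scan of the filesystem.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Write the test file into DIR and print its path.
write_eicar() {
    local f="$1/eicar.com"
    eicar_string > "$f"
    printf '%s\n' "$f"
}

# Scan one file and succeed only if clamscan reports it as FOUND and exits 1.
# clamscan exit status: 0 = clean, 1 = infected, 2 = error (e.g. no database).
expect_detection() {
    local f="$1" out rc=0
    out=$("$CLAMSCAN" --no-summary --infected "$f" 2>&1) || rc=$?
    if [ "$rc" -eq 1 ] && printf '%s\n' "$out" | grep -q 'FOUND$'; then
        echo "OK: $out"
        return 0
    fi
    echo "FAIL (exit status $rc): ${out:-<no output>}" >&2
    return 1
}

# Create the test file in a temporary directory, scan it, clean up.
clamav_selftest() {
    local tmp f rc=0
    tmp=$(mktemp -d)
    f=$(write_eicar "$tmp")
    expect_detection "$f" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run the check only when a scanner is available, so the functions above can
# also be sourced from other scripts without side effects.
if command -v "$CLAMSCAN" >/dev/null 2>&1; then
    clamav_selftest || echo "ClamAV self-test FAILED" >&2
fi
```

Run it right after freshclam: a return value of 0 from clamav_selftest means both the engine and the signature database are live. A FAIL with exit status 2 almost always means clamscan found no usable database, i.e. freshclam has not succeeded yet.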
Using ClamAV
Scanning a directory manually
clamscan --recursive=yes --infected --log=<log file> --move=<quarantine directory> <directory to scan>
Options:
- --recursive=yes: scan subdirectories recursively
- --infected: only print infected files
- --log=FILE: save the scan report to FILE
- --copy=DIR: copy infected files to DIR
- --move=DIR: move infected files to DIR
- --remove=yes: delete infected files outright (there is no way to recover them afterwards)
Example: scan the / directory, move infected files to /opt/clamav/virus, and write the log to /opt/clamav/clamscan_test.log. Because the quarantine directory sits inside the tree being scanned, it is excluded with --exclude-dir, otherwise every quarantined file is rescanned on the next run; /proc, /sys and /dev are excluded as well, since they hold no regular files worth scanning and contain huge pseudo-files such as /proc/kcore:
clamscan --recursive=yes --infected --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' --exclude-dir='^/opt/clamav/virus' --log=/opt/clamav/clamscan_test.log --move=/opt/clamav/virus /
Scheduled directory scans
- Write the scan script
vim /opt/clamav/clamav_scan.sh
Script contents:
#!/bin/bash
# Virus scan script using ClamAV
set -u
## Parameters
### Timestamp for this run (a single date call, so the date and time cannot straddle midnight)
datetime=$(date +%Y%m%d_%H%M%S)
### Action for infected files [0: report only, 1: copy to quarantine, 2: move to quarantine, 3: delete]
mode=2
### Directory to scan (absolute path)
scanDir=/
### Working directory
workPath=/opt/clamav
### Quarantine directory (infected files are moved or copied here)
virusPath=$workPath/scan_$datetime/virus
### Log directory
logsPath=$workPath/scan_$datetime/logs
## Functions
### Create the directories
createPath () {
    echo '------------------------------ Creating directories... ------------------------------'
    mkdir -pv "$virusPath" "$logsPath"
    # quarantined files are still live malware: keep them readable by root only
    chmod 700 "$virusPath"
    echo '------------------------------ Directories created. ------------------------------'
}
### Update ClamAV
updateClamAV () {
    echo '------------------------------ Updating ClamAV... ------------------------------'
    yum -y update epel-release clamav clamav-update
    echo '------------------------------ ClamAV updated. ------------------------------'
}
### Update the virus database
updateVirusDatabase () {
    echo '------------------------------ Updating the virus database... ------------------------------'
    freshclam
    echo '------------------------------ Virus database updated. ------------------------------'
}
### Scan for viruses
scanVirus () {
    echo '------------------------------ Scanning the target directory... ------------------------------'
    # Skip pseudo-filesystems and this script's own run directories; without the
    # last exclusion every quarantined file would be rescanned (and moved again)
    # on the next run
    local opts=(--recursive=yes --infected "--log=$logsPath/clamscan.log"
        --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev'
        "--exclude-dir=^$workPath/scan_")
    case $mode in
        1) opts+=("--copy=$virusPath") ;;
        2) opts+=("--move=$virusPath") ;;
        3) opts+=(--remove=yes) ;;
        *) ;;   # 0 or anything else: report only
    esac
    clamscan "${opts[@]}" "$scanDir"
    # clamscan exit status: 0 = clean, 1 = infected files found, 2 = error
    local rc=$?
    echo '------------------------------ Scan finished. ------------------------------'
    echo "****************************** Scan log: $logsPath/clamscan.log ******************************"
    echo "****************************** Quarantined files: $virusPath, handle them promptly ******************************"
    return "$rc"
}
## Run
echo '===================================================================================================='
date '+%Y-%m-%d %H:%M:%S'
echo "============================== Starting scan of $scanDir ...... =============================="
createPath
updateClamAV
updateVirusDatabase
scanVirus
rc=$?
echo "============================== Scan of $scanDir finished (clamscan exit status $rc) =============================="
date '+%Y-%m-%d %H:%M:%S'
echo '===================================================================================================='
exit "$rc"
Make the script executable:
chmod +x /opt/clamav/clamav_scan.sh
- Set up the cron job
Edit the crontab:
crontab -e
Example: run the scan every day at 00:00 and append its output (stdout and stderr) to /opt/clamav/logs/auto_clamav_scan.log. Create /opt/clamav/logs beforehand: the script only creates its own per-run directories, and the redirection fails if the log directory does not exist.
0 0 * * * /opt/clamav/clamav_scan.sh >> /opt/clamav/logs/auto_clamav_scan.log 2>&1
List the cron jobs:
crontab -l
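Both the manual scan above and the nightly cron job leave a clamscan report behind, and something still has to read it. The script below is an added example, not from the original post: it parses a clamscan log written with --infected (one "<path>: <signature> FOUND" line per hit, followed by the summary block), cross-checks the FOUND lines against the "Infected files:" summary count so that a truncated or killed scan is not mistaken for a clean one, and exits with the same 0/1/2 convention clamscan itself uses (clean / infected / error) so it can be chained after the cron job. The sample report embedded in write_sample_log is constructed for illustration; its paths, counts and signature name are made up.

```bash
#!/bin/bash
# Triage a clamscan report (the file written by --log=FILE) into an alert.
# Added example, not part of the original post.
set -u

# Print every hit as "<path><TAB><signature>". clamscan writes hits as
# "<path>: <signature> FOUND"; paths may themselves contain ": ", so split
# on the last ": " of the line rather than the first.
infected_lines() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^:]*$/)
        printf "%s\t%s\n", substr($0, 1, i - 1), substr($0, i + 2)
    }' "$1"
}

# Count reported by the summary block ("Infected files: N"); 0 if absent.
summary_infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# clamscan exit status as a word: 0 clean, 1 infected, 2 error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# Exit 0 when clean, 1 when anything was flagged, 2 when the FOUND lines and
# the summary disagree (log truncated, scan killed mid-way, or no summary at
# all). The codes deliberately mirror clamscan's own convention.
triage_log() {
    local log="$1" found summary
    found=$(infected_lines "$log" | wc -l | tr -d ' ')
    summary=$(summary_infected_count "$log")
    if [ "$found" -ne "$summary" ]; then
        echo "WARNING: $log has $found FOUND line(s) but the summary says $summary; treat as incomplete" >&2
        return 2
    fi
    if [ "$found" -eq 0 ]; then
        echo "clean: $log"
        return 0
    fi
    echo "ALERT: $found infected file(s) in $log"
    infected_lines "$log"
    return 1
}

# Constructed sample report for the demo below (paths, counts and signature made up).
write_sample_log() {
    cat > "$1" <<'EOF'
/home/app/uploads/invoice.exe: Win.Test.EICAR_HDB-1 FOUND
/tmp/a: b/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8635700
Engine version: 0.103.7
Scanned directories: 1234
Scanned files: 5678
Infected files: 2
Data scanned: 123.45 MB
Time: 12.345 sec (0 m 12 s)
Start Date: 2023:02:10 00:00:01
End Date:   2023:02:10 00:00:13
EOF
}

# Demo on the constructed report: expect the ALERT branch and exit status 1.
demo() {
    local log rc=0
    log=$(mktemp)
    write_sample_log "$log"
    triage_log "$log" || rc=$?
    rm -f "$log"
    return "$rc"
}

rc=0
demo || rc=$?
echo "triage exit status: $rc ($(scan_status "$rc"))"
```

Chain it after the scan, for instance by running triage_log on $logsPath/clamscan.log from the script's run directory and paging on a non-zero status. Status 2 deserves an alert as much as status 1: a scan that never reached its summary is not a clean scan.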
clamscan command reference
Show help
clamscan --help
Show version
clamscan --version
Full option list (clamscan --help output for version 0.103.7)
Clam AntiVirus: Scanner 0.103.7
By The ClamAV Team: https://www.clamav.net/about.html#credits
(C) 2022 Cisco Systems, Inc.
clamscan [options] [file/directory/-]
--help -h Show this help
--version -V Print version number
--verbose -v Be verbose
--archive-verbose -a Show filenames inside scanned archives
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr. Does not affect 'debug' messages.
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--suppress-ok-results -o Skip printing OK files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--gen-json[=yes/no(*)] Generate JSON description of scanned file(s). JSON will be printed and also-
dropped to the temp directory if --leave-temps is enabled.
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--allmatch[=yes/no(*)] -z Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX
--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] Load unsigned bytecode
**Caution**: You should NEVER run bytecode signatures from untrusted sources.
Doing so may result in arbitrary code execution.
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--structured-cc-mode=X CC mode (0=credit debit and private label, 1=credit cards only
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection
--heuristic-alerts[=yes(*)/no] Heuristic alerts
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-swf[=yes(*)/no] Scan SWF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-xmldocs[=yes(*)/no] Scan xml-based document files
--scan-hwp3[=yes(*)/no] Scan HWP3 files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF)
--alert-broken-media[=yes/no(*)] Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
--alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents
--alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives
--alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents
--alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros
--alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit
--alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs
--alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs
--alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections
--nocerts Disable authenticode certificate chain verification in PE files
--dumpcerts Dump authenticode certificate chain in PE files
--max-scantime=#n Scan time longer than this will be skipped and assumed clean (milliseconds)
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level
--max-embeddedpe=#n Maximum size file to check for embedded PE
--max-htmlnormalize=#n Maximum size of HTML file to normalize
--max-htmlnotags=#n Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n Maximum size of script file to normalize
--max-ziptypercg=#n Maximum size zip to type reanalyze
--max-partitions=#n Maximum number of partitions in disk image to be scanned
--max-iconspe=#n Maximum number of icons in PE file to be scanned
--max-rechwp3=#n Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.
--disable-cache Disable caching and cache checks for hash sums of scanned files.
Pass in - as the filename for stdin.
(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.