
Notes on virus scanning with ClamAV on CentOS 7

huty · 2023-02-10 · 1,448 reads

About ClamAV

ClamAV is an open-source virus scanning tool.
Official site: https://www.clamav.net

Installing ClamAV

  1. Enable the EPEL repository
yum install -y epel-release
  2. Install ClamAV
yum install -y clamav clamav-update
  3. Verify the installation (print the ClamAV version)
clamscan --version

Example output:

ClamAV 0.103.7/26807/Thu Feb  9 16:42:40 2023
  4. Update the virus database
freshclam

Using ClamAV

Scanning a directory manually

clamscan --recursive=yes --infected --log=<log file> --move=<quarantine directory for infected files> <directory to scan>

Parameter description:

  • --recursive=yes : scan subdirectories recursively
  • --infected : print only infected files
  • --log=FILE : write the scan report to FILE
  • --copy=DIR : copy infected files to DIR
  • --move=DIR : move infected files to DIR
  • --remove=yes : delete infected files outright

Example: scan the / directory, move infected files to /opt/clamav/virus, and write the log to /opt/clamav/clamscan_test.log

clamscan --recursive=yes --infected --log=/opt/clamav/clamscan_test.log --move=/opt/clamav/virus /

Scheduled directory scanning

  1. Write the scan script
vim /opt/clamav/clamav_scan.sh

Script contents:

#!/bin/bash

# Virus scan script using ClamAV

## Parameters
### Current date and date-time (the date-time names this run's working directory)
date=$(date +%Y%m%d)
datetime=$(date +%Y%m%d_%H%M%S)
### Infected-file handling mode [0: leave in place, 1: copy to the quarantine directory, 2: move to the quarantine directory, 3: delete outright]
model=2
### Directory to scan (absolute path)
scanDir=/
### Working directory
workPath=/opt/clamav
### Quarantine directory that infected files are moved (or copied) to
virusPath=$workPath/scan_$datetime/virus
### Log directory
logsPath=$workPath/scan_$datetime/logs

## Functions
### Create the directories
createPath () {
  echo '------------------------------ 开始创建相关文件夹... ------------------------------'
  mkdir -pv "$virusPath"
  mkdir -pv "$logsPath"
  echo '------------------------------ 相关文件夹创建完成! ------------------------------'
}
### Update ClamAV
updateClamAV () {
  echo '------------------------------ 开始更新 ClamAV ... ------------------------------'
  yum -y update epel-release clamav clamav-update
  echo '------------------------------ ClamAV 更新完成! ------------------------------'
}
### Update the virus database
updateVirusDatabase () {
  echo '------------------------------ 开始更新病毒库... ------------------------------'
  freshclam
  echo '------------------------------ 病毒库更新完成! ------------------------------'
}
### Scan for viruses
scanVirus () {
  echo '------------------------------ 开始扫描指定目录... ------------------------------'
  case $model in
    0)
      clamscan --recursive=yes --infected --log="$logsPath/clamscan.log" "$scanDir"
      ;;
    1)
      clamscan --recursive=yes --infected --log="$logsPath/clamscan.log" --copy="$virusPath" "$scanDir"
      ;;
    2)
      clamscan --recursive=yes --infected --log="$logsPath/clamscan.log" --move="$virusPath" "$scanDir"
      ;;
    3)
      clamscan --recursive=yes --infected --log="$logsPath/clamscan.log" --remove=yes "$scanDir"
      ;;
    *)
      clamscan --recursive=yes --infected --log="$logsPath/clamscan.log" "$scanDir"
      ;;
  esac
  ### clamscan exit status: 0 = no virus found, 1 = virus(es) found, 2 = error
  scanStatus=$?
  echo '------------------------------ 指定目录扫描完成! ------------------------------'
  echo "****************************** 扫描日志见:$logsPath/clamscan.log ******************************"
  echo "****************************** 病毒文件见:$virusPath,请及时处理 ******************************"
  return "$scanStatus"
}

## Run the scan
echo '===================================================================================================='
date '+%Y-%m-%d %H:%M:%S'
echo "============================== 开始扫描 $scanDir 目录...... =============================="
createPath
updateClamAV
updateVirusDatabase
scanVirus
scanStatus=$?
echo "============================== $scanDir 目录扫描完成!!! =============================="
date '+%Y-%m-%d %H:%M:%S'
echo '===================================================================================================='
### Exit with clamscan's status so the cron job (or a wrapper) can react to an infected result
exit "$scanStatus"

Make the script executable:

chmod +x /opt/clamav/clamav_scan.sh
  2. Configure the cron job

Edit the crontab (as root, since scanning / and running yum both require it):

crontab -e

Example: run the virus scan every day at 00:00 and append its output to /opt/clamav/logs/auto_clamav_scan.log (create /opt/clamav/logs first; the shell redirection does not create the directory)

0 0 * * * /opt/clamav/clamav_scan.sh >> /opt/clamav/logs/auto_clamav_scan.log

List the scheduled jobs:

crontab -l
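Two things the manual-scan command above and the scheduled script leave to the operator are how to react to clamscan's exit status and how to pull the infected files back out of the log that the cron job keeps appending to. The helpers below are an added example, not code from the original post or from the ClamAV project. They exclude /proc, /sys, /dev and the quarantine directory from a scan of / (using the --exclude-dir option from the help output; without this, files moved into quarantine during the run are themselves rescanned), map clamscan's documented exit status (0 clean, 1 infected, 2 error) to a label, and extract the FOUND lines and the summary count from a scan report. The function names, the directory names, the sample log and its paths and signature names are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post or the ClamAV project): helpers
# around a scheduled clamscan run. Directory names, function names, the
# sample log, its paths and its signature names are all constructed here.

# Directories that clamscan should not descend into when scanning /:
# the kernel pseudo-filesystems and the quarantine directory itself
# (files moved there during the run would otherwise be rescanned).
# --exclude-dir takes a regular expression, hence the ^ anchor.
EXCLUDE_ARGS='--exclude-dir=^/proc --exclude-dir=^/sys --exclude-dir=^/dev'

# Run the real scan only when clamscan is installed; "$1" is the directory
# to scan, "$2" the quarantine directory, "$3" the log file.
run_scan() {
  if ! command -v clamscan >/dev/null 2>&1; then
    echo "clamscan not installed; nothing scanned" >&2
    return 2
  fi
  # $EXCLUDE_ARGS is intentionally unquoted so it splits into separate options.
  clamscan --recursive=yes --infected --log="$3" --move="$2" \
    $EXCLUDE_ARGS "--exclude-dir=^$2" "$1"
}

# Map clamscan's documented exit status to a label (0 clean, 1 infected, 2 error).
scan_status_text() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Number of "<path>: <signature> FOUND" lines in a scan log (one per infected file).
count_found() {
  grep -c ' FOUND$' "$1" || :
}

# Print "<path>|<signature>" for every FOUND line; the greedy .* keeps paths that
# contain ": " or spaces intact because the signature itself never contains a space.
list_found() {
  sed -n 's/^\(.*\): \([^ ]*\) FOUND$/\1|\2/p' "$1"
}

# Read the "Infected files: N" line from the scan summary.
summary_infected() {
  sed -n 's/^Infected files: \([0-9]*\)$/\1/p' "$1"
}

# Constructed sample log in clamscan's report format (two hits, one path with spaces).
write_sample_log() {
  cat > "$1" <<'EOF'
/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar.com: moved to '/opt/clamav/virus/eicar.com'
/tmp/sample dir/test file.txt: Eicar-Test-Signature FOUND
/tmp/sample dir/test file.txt: moved to '/opt/clamav/virus/test file.txt'

----------- SCAN SUMMARY -----------
Known viruses: 8623453
Engine version: 0.103.7
Scanned directories: 2
Scanned files: 4
Infected files: 2
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.213 sec (0 m 15 s)
Start Date: 2023:02:09 16:42:40
End Date:   2023:02:09 16:42:55
EOF
}

# Stand-alone demo: parse the constructed log and report the result the way a
# cron wrapper would, then cross-check the FOUND count against the summary.
sample_log=$(mktemp)
write_sample_log "$sample_log"
echo "exit status 1 means: $(scan_status_text 1)"
echo "infected files (FOUND lines): $(count_found "$sample_log")"
echo "infected files (summary):     $(summary_infected "$sample_log")"
list_found "$sample_log"
rm -f "$sample_log"
```

In a cron wrapper the pieces fit together as `run_scan / /opt/clamav/virus /opt/clamav/clamscan.log; scan_status_text $?` followed by `list_found /opt/clamav/clamscan.log`, so a status of `infected` can be turned into an alert and the list of quarantined paths goes to whoever triages them. Comparing `count_found` with `summary_infected` is a cheap sanity check that the log was not truncated by a run that was killed partway through.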

Detailed clamscan command reference

Show help

clamscan --help

Show version

clamscan --version

Full help output

                       Clam AntiVirus: Scanner 0.103.7
           By The ClamAV Team: https://www.clamav.net/about.html#credits
           (C) 2022 Cisco Systems, Inc.

    clamscan [options] [file/directory/-]

    --help                -h             Show this help
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --archive-verbose     -a             Show filenames inside scanned archives
    --debug                              Enable libclamav's debug messages
    --quiet                              Only output error messages
    --stdout                             Write to stdout instead of stderr. Does not affect 'debug' messages.
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --suppress-ok-results -o             Skip printing OK files
    --bell                               Sound bell on virus detection

    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]            Do not remove temporary files
    --gen-json[=yes/no(*)]               Generate JSON description of scanned file(s). JSON will be printed and also-
                                         dropped to the temp directory if --leave-temps is enabled.
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load all supported db files from DIR
    --official-db-only[=yes/no(*)]       Only load official signatures
    --log=FILE            -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
    --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
    --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
    --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
    --file-list=FILE      -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                 Remove infected files. Be careful!
    --move=DIRECTORY                     Move infected files into DIRECTORY
    --copy=DIRECTORY                     Copy infected files into DIRECTORY
    --exclude=REGEX                      Don't scan file names matching REGEX
    --exclude-dir=REGEX                  Don't scan directories matching REGEX
    --include=REGEX                      Only scan file names matching REGEX
    --include-dir=REGEX                  Only scan directories matching REGEX

    --bytecode[=yes(*)/no]               Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
                                         **Caution**: You should NEVER run bytecode signatures from untrusted sources.
                                         Doing so may result in arbitrary code execution.
    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
    --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
    --exclude-pua=CAT                    Skip PUA sigs of category CAT
    --include-pua=CAT                    Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N             Min SSN count to generate a detect
    --structured-cc-count=N              Min CC count to generate a detect
    --structured-cc-mode=X               CC mode (0=credit debit and private label, 1=credit cards only
    --scan-mail[=yes(*)/no]              Scan mail files
    --phishing-sigs[=yes(*)/no]          Enable email signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]     Enable URL signature-based phishing detection
    --heuristic-alerts[=yes(*)/no]       Heuristic alerts
    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
    --normalize[=yes(*)/no]              Normalize html, script, and text files. Use normalize=no for yara compatibility
    --scan-pe[=yes(*)/no]                Scan PE files
    --scan-elf[=yes(*)/no]               Scan ELF files
    --scan-ole2[=yes(*)/no]              Scan OLE2 containers
    --scan-pdf[=yes(*)/no]               Scan PDF files
    --scan-swf[=yes(*)/no]               Scan SWF files
    --scan-html[=yes(*)/no]              Scan HTML files
    --scan-xmldocs[=yes(*)/no]           Scan xml-based document files
    --scan-hwp3[=yes(*)/no]              Scan HWP3 files
    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
    --alert-broken[=yes/no(*)]           Alert on broken executable files (PE & ELF)
    --alert-broken-media[=yes/no(*)]     Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
    --alert-encrypted[=yes/no(*)]        Alert on encrypted archives and documents
    --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives
    --alert-encrypted-doc[=yes/no(*)]    Alert on encrypted documents
    --alert-macros[=yes/no(*)]           Alert on OLE2 files containing VBA macros
    --alert-exceeds-max[=yes/no(*)]      Alert on files that exceed max file size, max scan size, or max recursion limit
    --alert-phishing-ssl[=yes/no(*)]     Alert on emails containing SSL mismatches in URLs
    --alert-phishing-cloak[=yes/no(*)]   Alert on emails containing cloaked URLs
    --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections
    --nocerts                            Disable authenticode certificate chain verification in PE files
    --dumpcerts                          Dump authenticode certificate chain in PE files

    --max-scantime=#n                    Scan time longer than this will be skipped and assumed clean (milliseconds)
    --max-filesize=#n                    Files larger than this will be skipped and assumed clean
    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
    --max-files=#n                       The maximum number of files to scan for each container file (**)
    --max-recursion=#n                   Maximum archive recursion level for container file (**)
    --max-dir-recursion=#n               Maximum directory recursion level
    --max-embeddedpe=#n                  Maximum size file to check for embedded PE
    --max-htmlnormalize=#n               Maximum size of HTML file to normalize
    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n             Maximum size of script file to normalize
    --max-ziptypercg=#n                  Maximum size zip to type reanalyze
    --max-partitions=#n                  Maximum number of partitions in disk image to be scanned
    --max-iconspe=#n                     Maximum number of icons in PE file to be scanned
    --max-rechwp3=#n                     Maximum recursive calls to HWP3 parsing function
    --pcre-match-limit=#n                Maximum calls to the PCRE match function.
    --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.
    --pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matching.
    --disable-cache                      Disable caching and cache checks for hash sums of scanned files.

Pass in - as the filename for stdin.

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
   files inside. The above options ensure safe processing of this kind of data.

Reference blog

Category: CentOS
Tags: CentOS ClamAV
