安裝 ClamAV
sudo yum -y install epel-release
sudo yum -y install clamav clamd
# 如果有 selinux,要 enable selinux
sudo setsebool -P antivirus_can_scan_system 1
增加台灣病毒碼更新資料庫
sudo vi /etc/freshclam.conf
DatabaseMirror db.tw.clamav.net
DatabaseMirror clamav.stu.edu.tw
更新病毒碼
sudo freshclam
ClamAV update process started at Wed Oct 28 14:39:25 2020
daily database available for download (remote version: 25970)
Time: 17.0s, ETA: 0.0s [=============================>] 108.67MiB/108.67MiB
Testing database: '/var/lib/clamav/tmp.1a97b/clamav-3ea52eb38408f34bb5f4419b3286235e.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 25970, sigs: 4336254, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time: 17.3s, ETA: 0.0s [=============================>] 112.40MiB/112.40MiB
Testing database: '/var/lib/clamav/tmp.1a97b/clamav-087960cd134405741c214b5dd9915ec8.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode database available for download (remote version: 331)
Time: 0.4s, ETA: 0.0s [=============================>] 289.44KiB/289.44KiB
Testing database: '/var/lib/clamav/tmp.1a97b/clamav-4905f2da7d8e4b680242ba674f8d9ced.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
設定自動更新病毒碼
mkdir -p /var/log/clamav
chown -R clamupdate:clamupdate /var/log/clamav/
sudo vi /etc/freshclam.conf
UpdateLogFile /var/log/clamav/freshclam.log
增加自動更新病毒碼 cronjob
vi /etc/cron.daily/freshclam.sh
#!/bin/sh
# cron.daily wrapper: refresh the ClamAV signature databases without console
# output, writing freshclam's own messages to the freshclam log.
# exec replaces this shell with freshclam, so its exit status reaches cron
# unchanged.
exec /usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log
chmod 755 /etc/cron.daily/freshclam.sh
另一種設定自動更新的方式,是直接啟動 clamav-freshclam.service
設定 clamd
vi /etc/clamd.d/scan.conf
LocalSocket /var/run/clamd.scan/clamd.sock
# 啟用紀錄
LogFile /var/log/clamd/clamd.scan
# 啟用記錄訊息時間
LogTime yes
# 啟用LocalSocket
LocalSocket /var/run/clamd.scan/clamd.sock
# 啟用ExtendedDetectionInfo
ExtendedDetectionInfo yes
# 啟用PidFile
PidFile /var/run/clamd.scan/clamd.pid
產生 clamd log file
mkdir -p /var/log/clamd/
touch /var/log/clamd/clamd.scan
chown -R clamscan:clamscan /var/log/clamd
啟動 clamd
sudo systemctl enable clamd@scan
sudo systemctl start clamd@scan
設定每日自動掃瞄特定目錄
儲存記錄檔於 /var/log/clamscan/clamscan_daily.log
mkdir -p /var/log/clamscan
vi /etc/cron.daily/clamscan.sh
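#!/bin/sh
# Daily ClamAV scan of the web root (run from /etc/cron.daily).
# Appends a separator, a timestamp, the clamscan report and the scan's exit
# status to $log. clamscan(1) exits 0 when clean, 1 when infected files were
# found and 2 on error; the status is written to the log and propagated to
# cron so a positive or failed scan is visible beyond the log file itself.
# stderr is deliberately left unredirected so cron still mails scan errors.
set -u

log=/var/log/clamscan/clamscan_daily.log
scan_dir=/var/www/html

{
  printf '%s\n' '************'
  date '+%Y-%m-%d %T'
  # -i: list only infected files; -r: recurse into subdirectories
  /usr/bin/clamscan -i -r "$scan_dir"
  status=$?
  printf 'clamscan exit status: %s\n' "$status"
} >> "$log"
exit "$status"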
chmod 755 /etc/cron.daily/clamscan.sh
logrotate
vi /etc/logrotate.d/clamscan.logrotate
/var/log/clamscan/clamscan_daily.log {
missingok
rotate 30
daily
}
修改 clamav-update logrotate
vi /etc/logrotate.d/clamav-update
/var/log/clamav/freshclam.log {
monthly
notifempty
missingok
postrotate
systemctl try-restart clamav-freshclam.service
endscript
}
安裝 LMD
# Install the EPEL repository
yum -y install epel-release
# Install mailx (presumably for LMD's email alerts, see email_alert in conf.maldet;
# note this call has no -y, so it will prompt)
yum install mailx
# NOTE(review): the archive is fetched over plain HTTP and install.sh below is
# executed with root privileges. Verify the downloaded tarball against the
# checksum/signature published by the project before running it, and prefer an
# https:// download location if one is offered.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
# The extracted directory name carries the release version; adjust 1.6.4 if the
# "current" tarball is newer than the one used when this was written.
cd maldetect-1.6.4/
./install.sh
# Put maldet on PATH and make the shell forget any cached command lookups
ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r
LMD 預設安裝目錄在 /usr/local/maldetect/ , 裡面的 conf.maldet 就是 LMD 的設定檔, 開啟 LMD 的設定檔
vi /usr/local/maldetect/conf.maldet
# 如果要發 email,要改成 1
email_alert="0"
email_addr="user@domain"
quarantine_hits="1"
quarantine_clean="1"
scan_clamscan="1"
掃描後查看 report
maldet -e list
# read report
maldet --report SCANID
# clean report
maldet --clean SCANID
測試 LMD
mkdir -p /var/www/LMDtest
cd /var/www/LMDtest
wget https://www.eicar.org/download/eicar.com
wget https://www.eicar.org/download/eicar.com.txt
wget https://www.eicar.org/download/eicar_com.zip
wget https://www.eicar.org/download/eicarcom2.zip
chown -R httpd:httpd /var/www/LMDtest
掃描
maldet -a /var/www/LMDtest
看 report
maldet --report 201028-1639.16052
PATH: /var/www/LMDtest/
TOTAL FILES: 4
TOTAL HITS: 4
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicar.com => /usr/local/maldetect/quarantine/eicar.com.575417503
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.2371612503
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicar.com.txt => /usr/local/maldetect/quarantine/eicar.com.txt.17479243
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.8340145
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
隔離區 /usr/local/maldetect/quarantine/
# 刪除隔離區檔案
rm -rf /usr/local/maldetect/quarantine/*
References
Install and configure LMD and Clam AntiVirus on CentOS 7
How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine