ClamAV

来自 Arch Linux 中文维基

Clam AntiVirus 是一款 UNIX 下开源的 (GPL) 反病毒工具包。它提供了包括一个灵活且可扩展的多线程守护进程,一个命令行扫描程序及用于自动更新数据库的高级工具在内的多个实用程序。 由于 ClamAV 主要用在与 Windows 桌面连接的文件及邮件服务器上,它的核心用途为通过内置特征检测 Windows 病毒和恶意程序。

安装[编辑 | 编辑源代码]

安装 clamav 软件包。

更新病毒库[编辑 | 编辑源代码]

通过下列命令更新病毒库:

# freshclam

如果你处于代理后,需编辑 /etc/clamav/freshclam.conf 并更新 HTTPProxyServer,HTTPProxyPort,HTTPProxyUsername 和 HTTPProxyPassword 的信息。

病毒库保存在下列文件中:

/var/lib/clamav/daily.cld
/var/lib/clamav/main.cld
/var/lib/clamav/bytecode.cvd

启动/启用 clamav-freshclam.serviceclamav-freshclam-once.timer 来保持病毒库为最新。

clamav-freshclam.service 将启动 freshclam 为守护进程模式,默认每天进行 12 次检查(每 2 小时一次)。检查频率可以在 /etc/clamav/freshclam.conf 中进行修改。

clamav-freshclam-once.timer 将启动 freshclam 为每天检查一次。检查频率可在 /usr/lib/systemd/system/clamav-freshclam-once.timer 中进行修改。

注意:
  • 以守护进程模式启动的 freshclam 在每次启动服务时会进行检查。
  • 每小时检查超过 1 次将被 CDN 屏蔽 24 小时。
  • .timer 单元将遵循计划配置,与设备重启或服务重启无关。

启动守护进程[编辑 | 编辑源代码]

该操作将把所有病毒特征加载到内存中。以 2024 年 2 月为例,这些特征共将占用至少 1.6GB 内存空间。在定期更新特征时,将短时占用多一倍的内存空间。

注意:
  • 在首次启动服务前需要先运行 freshclam,否则将出现报错,并无法正常启动 ClamAV。
  • 如果你只需要使用独立扫描器进行扫描,就无需启动守护进程。更多信息可参考下方的扫描病毒部分。

对应的服务是 clamav-daemon.service启动它并启用使它自动在启动时运行。

测试[编辑 | 编辑源代码]

In order to make sure ClamAV and the definitions are installed correctly, scan the EICAR test file (a harmless signature with no virus code) with clamscan.

$ curl https://secure.eicar.org/eicar.com.txt | clamscan -

The output must include:

stdin: Win.Test.EICAR_HDB-1 FOUND

Otherwise; read the Troubleshooting part or ask for help in the Arch Forums.

添加更多病毒库/特征库[编辑 | 编辑源代码]

ClamAV 可以使用来自其他存储库或安全厂商的病毒/特征库。

可通过安装 clamav-unofficial-sigsAUR(参见 GitHub 描述)或是 python-fangfrischAUR(参见 线上文档)来添加最重要的部分。两者都会添加来自如 MalwarePatrol,SecuriteInfo,Yara,Linux Malware Detect 等著名供应商的特征/病毒库。

注意: 必须启动 clamav-freshclam.service 才能从 ClamAV 镜像更新官方特征信息。

选项 #1:配置 Fangfrisch[编辑 | 编辑源代码]

Fangfrisch 在设计上目标成为更安全,灵活和方便的 clamav-unofficial-sigs 替代品,且无需太多配置/etc/fangfrisch/fangfrisch.conf)。

最重要的是,与 clamav-unofficial-sigs 不同,Fangfrisch 用不需要以 root 权限运行

通过以下命令创建库结构:

# sudo -u clamav /usr/bin/fangfrisch --conf /etc/fangfrisch/fangfrisch.conf initdb

启用 fangfrisch.timer(系统层级)。

选项 #2:配置 clamav-unofficial-sigs[编辑 | 编辑源代码]

启用 clamav-unofficial-sigs.timer

这将根据 /etc/clamav-unofficial-sigs 目录下的配置文件信息定期更新非官方特征信息。

可通过如下方法手动更新特征:

# clamav-unofficial-sigs.sh

可参考 /etc/clamav-unofficial-sigs/user.conf 来修改默认设置。

MalwarePatrol 病毒库[编辑 | 编辑源代码]

如果你想使用 MalwarePatrol 病毒库,需要先在 https://www.malwarepatrol.net/free-guard-upgrade-option[失效链接 2023-07-30 ⓘ] 注册账号。

/etc/clamav-unofficial-sigs/user.conf 中,修改以下内容来启用该功能:

malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # 输入收据编号
malwarepatrol_product_code="8" # 免费账号设为 8,高级客户设为 15
malwarepatrol_list="clamav_basic" # clamav_basic 或是 clamav_ext
malwarepatrol_free="yes" # 免费账号设为 yes,高级客户设为 no 

来源:https://www.malwarepatrol.net/clamav-configuration-guide/

扫描病毒[编辑 | 编辑源代码]

有两种方法进行按需扫描:

使用独立扫描器[编辑 | 编辑源代码]

clamscan 可用以扫描文件, 用户目录亦或是整个系统:

$ clamscan myfile
$ clamscan --recursive --infected /home/archie
# clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /
  • 如果希望 clamscan 删除感染的文件,请使用 --remove 参数。
  • 使用 -l path/to/file 参数可以将 clamscan 的日志写入 log 文件。

如果希望 clamscan 删除感染的文件,请使用 --remove 参数,也可以使用 --move=/dir 来隔离文件。

你可能会想要 clamscan 扫描大文件,在这一情况下,可将 {{ic|1=--max-filesize=4000M} 和 --max-scansize=4000M 添加到命令中。'4000M' 指的是最大值,可按需降低。

-l /path/to/file 选项将把 clamscan 的日志输出为文本文件,方便定位受感染文件。

使用守护进程[编辑 | 编辑源代码]

clamdscan 与上一选项类似,但使用了守护进程,因此必须要守护进程运行中才能使用。由于守护进程会读取 /etc/clamav/clamd.conf 中指定的配置,大多数选项都将被忽略。

使用 milter[编辑 | 编辑源代码]

Milter will scan your sendmail server for email containing virus. Adjust /etc/clamav/clamav-milter.conf to your needs. For example:

/etc/clamav/clamav-milter.conf
MilterSocket /tmp/clamav-milter.socket
MilterSocketMode 660
FixStaleSocket yes
User clamav
MilterSocketGroup clamav
PidFile /run/clamav/clamav-milter.pid
TemporaryDirectory /tmp
ClamdSocket unix:/run/clamav/clamd.ctl
LogSyslog yes
LogInfected Basic

Create /etc/systemd/system/clamav-milter.service:

/etc/systemd/system/clamav-milter.service
[Unit]
Description='ClamAV Milter'
After=clamav-daemon.service

[Service]
Type=forking
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf

[Install]
WantedBy=multi-user.target

Enable and start clamav-milter.service.

For Postfix add the following lines to /etc/postfix/main.cf:

/etc/postfix/main.cf
smtpd_milters = unix:/tmp/clamav-milter.socket
milter_default_action = tempfail

Check journalctl if the permission to access clamav-milter.socket for postfix is set accordingly, if not, add user postfix to group clamav.

OnAccessScan[编辑 | 编辑源代码]

(Original source: https://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html)

On-access scanning will scan the file while reading, writing or executing it.

警告: At this point (November 2021), on-access scanning in ClamAV is still immature, you might see unexplained clamd crashes, and containerized processes do not get the protection. Therefore, it is debatable whether it is a security improvement or not. Do not enable it unless regulations, contracts, or your own curiosity force you to do so.

On-access scanning requires the kernel to be compiled with the fanotify kernel module (kernel >= 3.8), which is true for official Arch Linux kernel packages. Check if fanotify has been enabled before enabling on-access scanning.

$ zgrep FANOTIFY /proc/config.gz

First, edit the /etc/clamav/clamd.conf configuration file by adding the following to the end of the file (you can also change the individual options).

警告: Please note the following warning about clamd port security if changing other parts of the file. Generally use an local unix socket but note that this port is not authenticated or protected. See https://docs.clamav.net/manual/Usage/Scanning.html#clamd-v0101 for more details in the Daemon and then ClamD section.
/etc/clamav/clamd.conf
# Set the mount point where to recursively perform the scan,
# this could be every path or multiple path (one line for path)
OnAccessMountPath /
OnAccessExcludePath /proc
OnAccessExcludePath /run
OnAccessExcludePath /sys

# Alternatively, add some directories instead of mount points
# OnAccessIncludePath /home

# Prevention doesn't work with OnAccessMountPath.
# It works with OnAccessIncludePath, as long as /usr and /etc are not included.
# Including /var while activating prevention is also not recommended, because
# this would slow down package installation by a factor of 1000.
OnAccessPrevention false

# Perform scans on newly created, moved, or renamed files
OnAccessExtraScanning true

# Exclude the UID of the scanner itself from checking, to prevent loops
OnAccessExcludeUname clamav

# Optionally, also exclude root-owned processes
# OnAccessExcludeRootUID true

# Specify an action to perform when clamav detects a malicious file
# it is possible to specify an inline command too
VirusEvent /etc/clamav/virus-event.bash

# WARNING: for security reasons, clamd should NEVER run as root.
# Previous instructions in this wiki included this line, remove it:
# User root    # REMOVE THIS
# Add this instead:
User clamav

Next, allow the clamav user to run notify-send as any user with custom environment variables via sudo:

/etc/sudoers.d/clamav
clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send

Next, create the file /etc/clamav/virus-event.bash, make it executable and add the following:

/etc/clamav/virus-event.bash
#!/bin/bash
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"

# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
    USERID=${ADDRESS#/run/user/}
    /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
        /usr/bin/notify-send -i dialog-warning "Virus found!" "$ALERT"
done

This allows you to change/specify the message when a virus has been detected by clamd's on-access scanning service.

Restart the clamav-daemon.service.

By default, clamonacc passes clamav the names of just-accessed files for scanning. This is a problem, because files inaccessible to the clamav user cannot be scanned this way. Instead, it is possible to instruct clamonacc (which always runs as root) to use file descriptor passing. Edit clamav-clamonacc.service with the following:

[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --log=/var/log/clamav/clamonacc.log

Lastly, you will need to start/enable the clamav-clamonacc.service.

If you get AppArmor denials about clamd, set the profile to a complain-only mode:

# aa-complain clamd

小贴士[编辑 | 编辑源代码]

使用多线程运行[编辑 | 编辑源代码]

使用 clamscan[编辑 | 编辑源代码]

When scanning a file or directory from command line using clamscan only single CPU thread is used. This may be ok in cases when timing is not critical or you do not want computer to become sluggish. If there is a need to scan large directory or USB drive quickly you may want to use all available CPUs to speed up the process.

clamscan is designed to be single-threaded, so xargs can be used to run the scan in parallel:

$ find /home/archie -type f -print0 | xargs -0 -P $(nproc) clamscan

In this example the -P parameter for xargs runs clamscan in as many processes as there are CPUs (reported by nproc) at the same time. --max-lines and --max-args options will allow even finer control of batching the workload across the threads.

使用 clamdscan[编辑 | 编辑源代码]

If you already have clamd daemon running clamdscan can be used instead (see #Starting the daemon):

$ clamdscan --multiscan --fdpass /home/archie

Here the --multiscan parameter enables clamd to scan the contents of the directory in parallel using available threads. --fdpass parameter is required to pass the file descriptor permissions to clamd as the daemon is running under clamav user and group.

The number of available threads for clamdscan is determined in /etc/clamav/clamd.conf via MaxThreads parameter clamd.conf(5). Even though you may see that the number of MaxThreads specified is more than one (current default is 10), when you start the scan using clamdscan from command line and do not specify --multiscan option, only one effective CPU thread will be used for scanning.

启用 TCPSocket[编辑 | 编辑源代码]

If you enable TCPSocket in /etc/clamav/clamd.conf, you must edit clamav-daemon.socket too (see FS#57669). The systemd socket file needs to be configured with a matching port and IP address:

/etc/systemd/system/clamav-daemon.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=/run/clamav/clamd.ctl
ListenStream=127.0.0.1:3310

And finally restart clamav-daemon.socket to see a Clamd binding at TCP port 3310:

# ss -tulpn | grep clamd
tcp   LISTEN 0      4096       127.0.0.1:3310      0.0.0.0:*    users:(("clamd",pid=599,fd=4),("systemd",pid=1,fd=44))

疑难解答[编辑 | 编辑源代码]

注意: 确保运行 clamscan 的用户拥有病毒库文件(/var/lib/clamav/*.c?d)的读取权限。

Error: Clamd was NOT notified[编辑 | 编辑源代码]

如果你在运行 freshclam 命令之后出现下列信息:

WARNING: Clamd was NOT notified: Cannot connect to clamd through 
/var/lib/clamav/clamd.sock connect(): No such file or directory

为 clamav 添加一个 sock 文件:

警告: 参考 #OnAccessScan 中的警告了解 clamd 端口安全的相关信息。
# touch /run/clamav/clamd.ctl
# chown clamav:clamav /run/clamav/clamd.ctl

然后, 编辑 /etc/clamav/clamd.conf,去掉该行注释:

LocalSocket /run/clamav/clamd.ctl

保存文件并重启 clamav-daemon.service

Error: No supported database files found[编辑 | 编辑源代码]

当启动守护进程时出现下列错误信息:

LibClamAV Error: cli_loaddb(): No supported database files found
in /var/lib/clamav ERROR: Not supported data format

This happens because of mismatch between /etc/clamav/freshclam.conf setting DatabaseDirectory and /etc/clamav/clamd.conf setting DatabaseDirectory. /etc/clamav/freshclam.conf pointing to /var/lib/clamav, but /etc/clamav/clamd.conf (default directory) pointing to /usr/share/clamav, or other directory. Edit in /etc/clamav/clamd.conf and replace with the same DatabaseDirectory as in /etc/clamav/freshclam.conf. After that clamav will start up successfully.

Error: Can't create temporary directory[编辑 | 编辑源代码]

如果提示如下错误并给出包含 UID 和 GID 的提示,

# can't create temporary directory

请修改权限:

# chown UID:GID /var/lib/clamav && chmod 755 /var/lib/clamav

参考[编辑 | 编辑源代码]