clamav 简介

ClamAV is an open source (GPLv2) anti-virus toolkit, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.

yum 安装

yum install epel-release -y
yum -y  install  clamav clamav-update

病毒相关操作

更新病毒库

freshclam 

扫描并处理

clamscan –ri / -l clamscan.log –remove

源码安装

安装相关组件

先决条件

yum install -y \
  `# install tools` \
  gcc gcc-c++ make valgrind \
  `# install clamav dependencies` \
  bzip2-devel check-devel json-c-devel libcurl-devel libxml2-devel \
  ncurses-devel openssl-devel pcre2-devel sendmail-devel zlib-devel

下载并解压

Download the source from the clamav.net downloads page.

tar xzf clamav-[ver].tar.gz
cd clamav-[ver]

添加用户

If installing to the system, and if you intend to run freshclam or clamd as as service, you should create a service account before compiling and installing ClamAV.

groupadd clamav && useradd -g clamav clamav && id clamav

配置安装目录

日志目录

mkdir -p /usr/local/clamav/logs     
touch /usr/local/clamav/logs/clamd.log
touch /usr/local/clamav/logs/freshclam.log
chown clamav.clamav /usr/local/clamav/logs/clamd.log
chown clamav.clamav /usr/local/clamav/logs/freshclam.log

病毒存放目录

mkdir -p /usr/local/clamav/updata
chown -R root.clamav /usr/local/clamav/
chown -R clamav.clamav /usr/local/clamav/updata/

编译安装

./configure --prefix=/usr/local/clamav  --with-pcre
make && make install

配置clamav

修改clamd.conf文件

cd /usr/local/clamav/etc
cp clamd.conf.sample clamd.conf
vim clamd.conf
#Example    注释掉这一行.
添加下面三行：
LogFile /usr/local/clamav/logs/clamd.log    
PidFile /usr/local/clamav/updata/clamd.pid     
DatabaseDirectory /usr/local/clamav/updata

修改freshclam.conf文件

cp freshclam.conf.sample freshclam.conf
vim freshclam.conf
#Example    注释掉这一行. 
添加下面三行 
DatabaseDirectory /usr/local/clamav/updata
UpdateLogFile /usr/local/clamav/logs/freshclam.log
PidFile /usr/local/clamav/updata/freshclam.pid

启动

chown -R clamav.clamav /usr/local/clamav/
systemctl start clamav-freshclam.service
systemctl enable clamav-freshclam.service 
systemctl status clamav-freshclam.service

更新病毒库

先停止防护服务

systemctl stop clamav-freshclam.service 

更新

/usr/local/clamav/bin/freshclam  （根据网络质量确定更新时长）
或者
cd /usr/local/clamav/share/clamav
wget http://database.clamav.net/main.cvd
wget http://database.clamav.net/daily.cvd
wget http://database.clamav.net/bytecode.cvd

重启

systemctl start clamav-freshclam.service
systemctl status clamav-freshclam.service

扫描

clamd

clamd is a multi-threaded daemon that uses libclamav to scan files for viruses. Scanning behavior can be fully configured to fit most needs by modifying clamd.conf.

As clamd requires a virus signature database to run, we recommend setting up ClamAV’s official signatures before running clamd using freshclam.

The daemon works by listening for commands on the sockets specified in clamd.conf. Listening is supported over both unix local sockets and TCP sockets.
IMPORTANT: clamd does not currently protect or authenticate traffic coming over the TCP socket, meaning it will accept any and all of the following commands listed from any source. Thus, we strongly recommend following best networking practices when setting up your clamd instance. I.e. don’t expose your TCP socket to the Internet.

clamscan

clamscan is a command line tool which uses libclamav to scan files and/or directories for viruses. Unlike clamdscan, clamscan does not require a running clamd instance to function. Instead, clamscan will create a new engine and load in the virus database each time it is run. It will then scan the files and/or directories specified at the command line, create a scan report, and exit.

By default, when loading databases, clamscan will check the location to which freshclam installed the virus database signatures. This behavior, along with a myriad of other scanning and engine controls, can be modified by providing flags and other options at the command line.

查看命令

/usr/local/clamav/bin
./clamscan  -h

建立软连接

ln -s /usr/local/clamav/bin/clamscan /usr/local/sbin/clamscan

扫描示例

clamscan   -ri   --no-summary  /usr/local/bin/  -l  /usr/local/clamav/logs/clamscan.log
#或者
clamscan   -ri    /usr/local/bin/  -l  /usr/local/clamav/logs/clamscan.log

直接扫描，可能比clamdscan慢一些。

clamdscan

clamdscan is a clamd client, which greatly simplifies the task of scanning files with clamd. It sends commands to the clamd daemon across the socket specified in clamd.conf and generates a scan report after all requested scanning has been completed by the daemon.
Thus, to run clamdscan, you must have an instance of clamd already running as well.
Please keep in mind, that as a simple scanning client, clamdscan cannot change scanning and engine configurations. These are tied to the clamd instance and the configuration you set up in clamd.conf. Therefore, while clamdscan will accept many of the same commands as its sister tool clamscan, it will simply ignore most of them as (by design) no mechanism exists to make ClamAV engine configuration changes over the clamd socket.

clamdscan使用

clamdscan 需要与clamd服务配合使用，没有clamd，那就无法进行clamdscan 扫描。

建立clamdscan 软连接

ln -s /usr/local/clamav/bin/clamdscan /usr/local/sbin/clamdscan

查看命令

配置clamd

以上配置如果出问题，可能会报如下错误

ERROR: Please define server type (local and/or TCP)

如果是用yum安装的，则直接修改/etc/clamd.d/文件夹下的scan.conf文件，修改方式与clamd.conf类似。

启动clamd并验证

/usr/local/clamav/sbin/clamd

验证基本没问题。

扫描

clamdscan   -i    /usr/local/bin/  -l  /usr/local/clamav/logs/clamdscan.log

从开始时间和结束时间上对比来看，clamdscan 比clamscan 执行的速度要快的多。

定时扫毒

直接在系统中定时

vim /etc/crontab

定时任务结构说明

设定定时杀毒任务

#凌晨2:01  开始更新病毒库
#凌晨2:20   杀毒并处理
1  2  * * *  /usr/local/clamav/bin/freshclam --quiet
20 2  * * *  /usr/local/clamav/bin/clamscan  -r /home  --remove -l /var/log/clamscan.log

立即生效

crontab /etc/crontab

至此，小猿就完成linux 系统中的病毒软件安装完成。

参考网址
1、clamav 官网 https://docs.clamav.net/Introduction.html
2、ClamAV安装使用教程 https://blog.csdn.net/weixin_46011077/article/details/121735970