
Installing the ClamAV antivirus.
Deploy it with care: depending on how it is installed and configured, a false positive on a system file combined with an automatic remove or move action on detected files (clamdscan's --remove / --move options) will very likely break the server. The setup below only reports detections; it deletes nothing.
This site is my personal notes, but anyone is free to read them.
Everything here is at your own risk.
Please be careful.
# yum install --enablerepo=epel clamav clamav-server clamav-server-systemd clamav-update clamav-scanner
Installed:
  clamav.x86_64 0:0.99.2-8.el7
  clamav-scanner.noarch 0:0.99.2-8.el7
  clamav-server.x86_64 0:0.99.2-8.el7
  clamav-server-systemd.noarch 0:0.99.2-8.el7
  clamav-update.x86_64 0:0.99.2-8.el7
Dependency Installed:
  clamav-data.noarch 0:0.99.2-8.el7
  clamav-filesystem.noarch 0:0.99.2-8.el7
  clamav-lib.x86_64 0:0.99.2-8.el7
  clamav-scanner-sysvinit.noarch 0:0.99.2-8.el7
  clamav-server-sysvinit.noarch 0:0.99.2-8.el7
  nmap-ncat.x86_64 2:6.40-7.el7
Complete!

Note that this pulls in both clamav-scanner-sysvinit (the clamd.scan init script) and clamav-server-systemd (the clamd@ template unit). Both read /etc/clamd.d/scan.conf and bind the same LocalSocket, so enable and start only one of them. nmap-ncat provides the nc -U used further down.
# vi /etc/clamd.d/scan.conf

# Comment or remove the line below.
Example
↓ change (clamd refuses to start while this line is present)
# Comment or remove the line below.
#Example

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamscan
↓ change (run as root)
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clamscan

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /var/run/clamd.scan/clamd.sock
↓ change (remove the #)
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamd.scan/clamd.sock

#DetectBrokenExecutables yes
↓ change (important)
#DetectBrokenExecutables yes
DetectBrokenExecutables no

Add at the end of the file:
# directories excluded from scanning
ExcludePath ^/proc/
ExcludePath ^/dev/
ExcludePath ^/sys/

Commenting out User clamscan keeps clamd running as root so that a clamdscan of / can read every file, but it also means a bug in one of the scanner's file parsers runs with full privileges. The alternative that keeps the default privilege drop is to leave User clamscan in place and run clamdscan with --fdpass: clamdscan then opens the files as the invoking user and hands the descriptors to clamd over the local socket, so clamd itself needs no read access.
With DetectBrokenExecutables enabled, a scan of / reports legitimate system files alongside the real test file:

/boot/efi/EFI/redhat/grub.efi: Heuristics.Broken.Executable FOUND
/usr/lib64/libgcj_bc.so.1.0.0: Heuristics.Broken.Executable FOUND
/root/eicar.com: Eicar-Test-Signature FOUND

The first two are false positives from the broken-executable heuristic, not malware; only the EICAR hit is genuine. To stop them, disable the heuristic:

# vi /etc/clamd.d/scan.conf
#DetectBrokenExecutables yes
DetectBrokenExecutables no
# freshclam
Downloading bytecode-305.cdiff [100%]
Downloading bytecode-306.cdiff [100%]
Downloading bytecode-307.cdiff [100%]
Downloading bytecode-308.cdiff [100%]
Downloading bytecode-309.cdiff [100%]
Downloading bytecode-310.cdiff [100%]
Downloading bytecode-311.cdiff [100%]
Downloading bytecode-312.cdiff [100%]
bytecode.cld updated (version: 312, sigs: 74, f-level: 63, builder: neo)
Database updated (6309601 signatures) from database.clamav.net (IP: 69.12.162.28)
# systemctl enable clamd.scan
# systemctl start clamd.scan
If it fails to start
# systemctl status clamd.scan.service
● clamd.scan.service - SYSV: The clamd server running for scan
Loaded: loaded (/etc/rc.d/init.d/clamd.scan; bad; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2017-09-27 15:18:31 JST; 21s ago
Docs: man:systemd-sysv-generator(8)
Process: 677 ExecStop=/etc/rc.d/init.d/clamd.scan stop (code=exited, status=0/SUCCESS)
Process: 1384 ExecStart=/etc/rc.d/init.d/clamd.scan start (code=exited, status=1/FAILURE)
clamd[1389]: Not loading PUA signatures.
clamd[1389]: Bytecode: Security mode set to "TrustSigned".
clamd[1389]: Loaded 6303893 signatures.
clamd[1389]: LOCAL: Socket file /var/run/clamd.scan/clamd.sock is in use by another process.
clamd.scan[1384]: Starting clamd.scan: ERROR: LOCAL: Socket file /var/run/clamd.scan/clamd.sock is in use by another process.
clamd.scan[1384]: [FAILED]
systemd[1]: clamd.scan.service: control process exited, code=exited status=1
systemd[1]: Failed to start SYSV: The clamd server running for scan.
systemd[1]: Unit clamd.scan.service entered failed state.
systemd[1]: clamd.scan.service failed.
The error says another process is already listening on the socket. Ask that clamd to shut down cleanly over its own socket (nmap-ncat, installed above, provides nc -U):

# echo SHUTDOWN | nc -U /var/run/clamd.scan/clamd.sock

# ps aux | grep "clam"
root   1529  0.0  0.0 112664   980 pts/0  S+  15:20  0:00 grep --color=auto clam
root  32487  0.0  0.0      0     0 ?      Zs  15:00  0:00 [freshclam-sleep] <defunct>

# kill -9 32487
# systemctl start clamd.scan

The <defunct> freshclam-sleep entry is a zombie: it holds no socket, and kill -9 has no effect on it (it disappears once its parent reaps it). The SHUTDOWN command is what frees the socket and lets the service start.
Test that clamdscan can reach the daemon (with no path given it scans the current directory):
# clamdscan -c /etc/clamd.d/scan.conf
Virus detection test
# wget http://www.eicar.org/download/eicar.com
# clamdscan -c /etc/clamd.d/scan.conf
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.003 sec (0 m 0 s)
Remove the test virus
# rm -f eicar.com
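If the download URL above no longer serves the file, the test file can be produced locally: the EICAR string is public and every scanner recognises it, so nothing needs to be fetched. The following is an added example, not part of the original memo. It writes the file, checks that it is the expected 68 bytes and, where md5sum exists, compares the published checksum before the file is handed to clamdscan. The function names eicar_write / eicar_verify are this example's own choices.

```sh
#!/bin/sh
# Added example: create the EICAR test file offline and check it before scanning.
# The string is the public EICAR standard test string; nothing is downloaded.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
EICAR_MD5='44d88612fea8a8f36de82e1278abb02f'   # published MD5 of the 68-byte file

# eicar_write FILE: write the test string (no trailing newline) to FILE.
eicar_write() {
    # printf '%s' keeps the '%' and '\' characters of the string intact.
    printf '%s' "$EICAR_STRING" > "$1"
}

# eicar_size FILE: print the byte count (68 for a correct file).
eicar_size() {
    wc -c < "$1" | tr -d ' '
}

# eicar_verify FILE: succeed only if the size is 68 and, when md5sum is
# available, the checksum matches the published value.
eicar_verify() {
    [ "$(eicar_size "$1")" -eq 68 ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        sum=$(md5sum < "$1" | cut -d' ' -f1)
        [ "$sum" = "$EICAR_MD5" ] || return 1
    fi
    return 0
}

# Usage on the server (the scan itself is done by clamd as in the memo):
#   eicar_write /root/eicar.com && eicar_verify /root/eicar.com \
#       && clamdscan -c /etc/clamd.d/scan.conf /root/eicar.com
```

The checksum step matters more than it looks: a mangled copy (a stray newline from a copy-paste, an HTML error page saved under the file name) silently produces a "clean" result and a false sense that detection works.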
Scheduled scan
Scheduled-scan script, @see https://qiita.com/yamadar/items/c916152462272b397100
# vi /root/clamdscan.sh
#!/bin/sh
## -----------------------------------------------
SCAN_DIR=/
LOG="/var/log/clamdscan_result.log"                  # cumulative log (clamdscan --log appends)
LOG_LATEST="/var/log/clamdscan_result.log.latest"    # this run only
FROM=ClamAV@`hostname`
TO=root
## -----------------------------------------------
#-----------------------------
# virus database update
freshclam --quiet
#-----------------------------
# update the ClamAV packages (EPEL 7 names: clamav, clamav-server, clamav-data, ...)
yum -y update 'clamav*' > /dev/null 2>&1
#-----------------------------
# restart clamd (release memory, load the refreshed database)
systemctl restart clamd.scan > /dev/null
#-----------------------------
# scan; --infected reports only files that matched
/usr/bin/clamdscan -c /etc/clamd.d/scan.conf --infected --log=$LOG $SCAN_DIR > $LOG_LATEST
#-----------------------------
# send email if a virus was found in this run (not the whole cumulative log)
if grep -q 'FOUND' $LOG_LATEST
then
    {
        echo "From: $FROM"
        echo "To: $TO"
        echo "Subject: [SERVER] Virus Found in `hostname`"
        echo
        echo "Virus Found in `hostname`"
        echo
        cat $LOG_LATEST
    } | /usr/sbin/sendmail -f $FROM $TO
fi
# chmod +x /root/clamdscan.sh
Restart clamd so the scan.conf changes take effect. Use the same unit that was enabled above: clamd@scan (the systemd template unit from clamav-server-systemd) reads the same scan.conf and the same LocalSocket, so starting it next to clamd.scan fails with the "Socket file ... is in use by another process" error shown earlier.
# systemctl restart clamd.scan
Test
# wget http://www.eicar.org/download/eicar.com
# /root/clamdscan.sh
If the mail arrives, it works. Remove eicar.com again afterwards, as above, so the nightly run does not keep alerting on it.
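The script above mails the raw log whenever any line says FOUND, so the two Heuristics.Broken.Executable false positives from earlier would page the operator exactly like a real hit. The following is an added example, not the memo's own script or anything from the ClamAV project: it parses clamdscan's "path: Signature FOUND" lines, counts heuristic and signature detections separately, builds a mail body that lists real detections first, and decides whether an alert is warranted at all. The sample log is constructed from the three detection lines quoted in the memo; the function names and the /var/log path in the usage comment are this example's assumptions.

```sh
#!/bin/sh
# Added example: triage a clamdscan --infected log before mailing it.
# Detection lines have the form "<path>: <signature> FOUND". Signatures that
# start with "Heuristics." come from heuristic checks such as
# DetectBrokenExecutables and are the usual source of false positives.

# Constructed sample log: the memo's three detections plus a summary block.
SAMPLE_LOG=$(cat <<'EOF'
/boot/efi/EFI/redhat/grub.efi: Heuristics.Broken.Executable FOUND
/usr/lib64/libgcj_bc.so.1.0.0: Heuristics.Broken.Executable FOUND
/root/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
Time: 12.345 sec (0 m 12 s)
EOF
)

# found_lines LOGFILE: print only the detection lines.
found_lines() {
    grep ' FOUND$' "$1"
}

# count_found LOGFILE KIND: count detections; KIND is all, heuristic or signature.
# The signature is the field just before FOUND, so paths containing spaces
# (which break a naive $2) are handled correctly.
count_found() {
    found_lines "$1" | awk -v kind="$2" '
        { sig = $(NF-1); heur = (sig ~ /^Heuristics\./) }
        kind == "all"                { n++ }
        kind == "heuristic" &&  heur { n++ }
        kind == "signature" && !heur { n++ }
        END { print n + 0 }'
}

# should_alert LOGFILE: succeed only if at least one non-heuristic detection exists.
should_alert() {
    [ "$(count_found "$1" signature)" -gt 0 ]
}

# report_body LOGFILE HOST: mail body with signature hits listed before heuristic ones.
report_body() {
    log=$1; host=$2
    echo "Virus scan report for $host"
    echo "signature detections: $(count_found "$log" signature)"
    echo "heuristic detections: $(count_found "$log" heuristic) (review before acting)"
    echo
    echo "[signature]"
    found_lines "$log" | awk '$(NF-1) !~ /^Heuristics\./'
    echo
    echo "[heuristic]"
    found_lines "$log" | awk '$(NF-1) ~ /^Heuristics\./'
}

# Demo on the constructed log. On the server the call would be, for example:
#   should_alert /var/log/clamdscan_result.log.latest && \
#       report_body /var/log/clamdscan_result.log.latest "$(hostname)" | sendmail root
demo=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo"
report_body "$demo" "$(hostname 2>/dev/null || echo localhost)"
rm -f "$demo"
```

Heuristic hits are still kept in the report rather than dropped: the point is to stop them from triggering the alert on their own, not to hide them. If DetectBrokenExecutables is set to no as above, the heuristic section will normally be empty.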
# vi /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=''

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

## run ClamAV at 02:50
50 2 * * * root /root/clamdscan.sh

MAILTO='' suppresses cron's own mail of the job output; the script sends its own message only when something is found.
# systemctl restart crond