安装Clam AntiVirus http://download.sourceforge.net/clamav/
[root@linuxas3 src]# wget http://download.sourceforge.net/clamav/clamav-0.70.tar.gz [root@linuxas3 clamav-0.70]# [root@linuxas3 clamav-0.70]# groupadd clamav [root@linuxas3 clamav-0.70]# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav [root@linuxas3 clamav-0.70]# ./configure --prefix=/usr/local/clamav [root@linuxas3 clamav-0.70]# make [root@linuxas3 clamav-0.70]# make install [root@linuxas3 clamav-0.70]# chown clamav.clamav -R /usr/local/clamav/ [root@linuxas3 clamav-0.70]# cd /usr/local/clamav/ [root@linuxas3 clamav]# mkdir /var/run/clamav/ [root@linuxas3 clamav]# make /var/log/amavis [root@linuxas3 clamav]# cd /var/log/amavis [root@linuxas3 clamav]# touch amavis.log [root@linuxas3 clamav]# chown amavis amavis.log |
编辑clamav.conf文件
更改 clamav.conf 文件，去掉下面选项前面的“#”：Example 前面加上“#”注释掉；LogFile /tmp/clamd.log 去掉前面的#；LogFileMaxSize 2M 去掉前面的#；LogTime 去掉前面的#；PidFile /var/run/clamd.pid 去掉前面的#；DatabaseDirectory /var/lib/clamav 去掉前面的#，并且把路径修改为 /usr/local/clamav/share/clamav。
Example 1. clamav.conf
[root@linuxas3 clamav]# vi etc/clamav.conf ## ## Example config file for the Clam AV daemon ## Please read the clamav.conf(5) manual before editing this file. ## # Comment or remove the line below. # Example # Uncomment this option to enable logging. # LogFile must be writable for the user running the daemon. # Full path is required. LogFile /var/log/clamd.log # By default the log file is locked for writing - the lock protects against # running clamd multiple times (if want to run another clamd, please # copy the configuration file, change the LogFile variable, and run # the daemon with --config-file option). That's why you shouldn't uncomment # this option. #LogFileUnlock # Maximal size of the log file. Default is 1 Mb. # Value of 0 disables the limit. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. LogFileMaxSize 2M # Log time with an each message. LogTime # Log also clean files. May be useful in debugging but will drastically # increase the log size. #LogClean # Use system logger (can work together with LogFile). LogSyslog # Enable verbose logging. LogVerbose # This option allows you to save the process identifier of the listening # daemon (main thread). PidFile /var/run/clamd.pid # Optional path to the global temporary directory. # Default is system specific - usually /var/tmp or /tmp. #TemporaryDirectory /var/tmp # Path to the database directory. # Default is the hardcoded directory (mostly /usr/local/share/clamav, # but it depends on installation options). #DatabaseDirectory /var/lib/clamav DatabaseDirectory /usr/local/clamav/share/clamav # The daemon works in local or network mode. Currently the local mode is # recommended for security reasons. # Path to the local socket. The daemon doesn't change the mode of the # created file (portability reasons). 
You may want to create it in a directory # which is only accessible for a user running daemon. #LocalSocket /tmp/clamd LocalSocket /var/run/clamav/clamd.sock # Remove stale socket after unclean shutdown. #FixStaleSocket # TCP port address. #TCPSocket 3310 # TCP address. # By default we bind to INADDR_ANY, probably not wise. # Enable the following to provide some degree of protection # from the outside world. #TCPAddr 127.0.0.1 # Maximum length the queue of pending connections may grow to. # Default is 15. #MaxConnectionQueueLength 30 # When activated, input stream (see STREAM command) will be saved to disk before # scanning - this allows scanning within archives. #StreamSaveToDisk # Close the connection if this limit is exceeded. #StreamMaxLength 10M # Maximal number of a threads running at the same time. # Default is 5, and it should be sufficient for a typical workstation. # You may need to increase threads number for a server machine. #MaxThreads 10 # Waiting for data from a client socket will timeout after this time (seconds). # Default is 120. Value of 0 disables the timeout. #ReadTimeout 300 # Maximal depth the directories are scanned at. MaxDirectoryRecursion 15 # SECURITY HINT: You should have enabled directory recursion limit to # avoid potential problems. #FollowDirectorySymlinks # Follow regular file symlinks. #FollowFileSymlinks # Do internal checks (eg. check the integrity of the database structures) # By default clamd checks itself every 3600 seconds (1 hour). #SelfCheck 600 # Execute a command when a virus is found. In the command string %v will # be replaced by the virus name. # #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" # Run as selected user (clamd must be started by root). # By default it doesn't drop privileges. #User clamav # Initialize the supplementary group access (for all groups in /etc/group # user is added in. clamd must be started by root). #AllowSupplementaryGroups # Don't fork into background. Useful in debugging. 
#Foreground # Enable debug messages in libclamav. #Debug ## ## Document scanning ## # This option enables scanning of Microsoft Office document macros. ScanOLE2 ## ## Mail support ## # Uncomment this option if you are planning to scan mail files. ScanMail ## ## Archive support ## # Comment this line to disable scanning of the archives. ScanArchive # By default the built-in RAR unpacker is disabled by default because the code # terribly leaks, however it's probably a good idea to enable it. #ScanRAR # Options below protect your system against Denial of Service attacks # with archive bombs. # Files in archives larger than this limit won't be scanned. # Value of 0 disables the limit. # WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR # archives are decompressed to the memory. That's why never disable # this limit (but you may increase it of course!) ArchiveMaxFileSize 10M # Archives are scanned recursively - e.g. if Zip archive contains RAR file, # the RAR file will be decompressed, too (but only if recursion limit is set # at least to 1). With this option you may set the recursion level. # Value of 0 disables the limit. ArchiveMaxRecursion 5 # Number of files to be scanned within archive. # Value of 0 disables the limit. ArchiveMaxFiles 1000 # Mark potential archive bombs as viruses (0 disables the limit) ArchiveMaxCompressionRatio 200 # Use slower decompression algorithm which uses less memory. This option # affects bzip2 decompressor only. #ArchiveLimitMemoryUsage # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). #ArchiveBlockEncrypted ## ## Clamuko settings ## WARNING: This is experimental software. It is very likely it will hang ## up your system !!! ## # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running. #ClamukoScanOnAccess # Set access mask for Clamuko. ClamukoScanOnOpen ClamukoScanOnClose ClamukoScanOnExec # Set the include paths (all files in them will be scanned). 
You can have # multiple ClamukoIncludePath options, but each directory must be added # in a seperate option. All subdirectories are scanned, too. ClamukoIncludePath /home #ClamukoIncludePath /students # Set the exclude paths. All subdirectories are also excluded. #ClamukoExcludePath /home/guru # Limit the file size to be scanned (probably you don't want to scan your movie # files ;)) # Value of 0 disables the limit. 1 Mb should be fine. ClamukoMaxFileSize 1M # Enable archive support. It uses the limits from clamd section. # (This option doesn't depend on ScanArchive, you can have archive support # in clamd disabled). ClamukoScanArchive |
配置freshclam.conf
freshclam.conf是升级程序使用的配置文件
Example 2. freshclam.conf
[root@linuxas3 clamav]# vi etc/freshclam.conf ## ## Example config file for freshclam ## Please read the clamav.conf(5) manual before editing this file. ## This file may be optionally merged with clamav.conf. ## # You can change the default database directory here. #DatabaseDirectory /var/lib/clamav DatabaseDirectory /usr/local/clamav/share/clamav # Path to the log file (make sure it has proper permissions) UpdateLogFile /var/log/freshclam.log # Enable verbose logging. LogVerbose # Use system logger (can work together with UpdateLogFile). LogSyslog # By default when freshclam is started by root it drops privileges and # switches to the "clamav" user. You can change this behaviour here. #DatabaseOwner clamav # The main database mirror is database.clamav.net (this is a round-robin # DNS that points to many mirrors on the world) and in most cases you # SHOULD NOT change it. DatabaseMirror database.clamav.net # How many attempts to make before giving up. MaxAttempts 3 # How often check for a new database. We suggest checking for it every # two hours. Checks 12 # Proxy settings #HTTPProxyServer myproxy.com #HTTPProxyPort 1234 #HTTPProxyUsername myusername #HTTPProxyPassword mypass # Send the RELOAD command to clamd. #NotifyClamd [/optional/config/file/path] # Run command after database update. #OnUpdateExecute command # Run command if database update failed. #OnErrorExecute command |
配置amavisd.conf
在 vi 中输入 /clamav 定位，找到 http://www.clamav.net/ 所在的那一段，取消注释即可。
[root@linuxas3 clamav]# vi /etc/amavisd.conf
# ### http://www.clamav.net/
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
|
测试
amavisd提示Using internal av scanner code for (primary) Clam Antivirus-clamd表示成功
[root@linuxas3 clamav]#./clamd [root@linuxas3 clamav]# /usr/local/sbin/amavisd debug Apr 23 14:07:52 linuxas3.9812.net amavisd[13278]: Using internal av scanner code for (primary) Clam Antivirus-clamd |
升级clamscan病毒定义库
# freshclam --verbose //升级clamscan病毒库 |
创建freshclam日志记录文件
# touch /var/log/freshclam.log
# chmod 644 /var/log/freshclam.log
# chown clamav:clamav /var/log/freshclam.log
|
创建Clamav自动启动脚本 clamav shell
Example 3. 建立clamd的启动脚本
# vi /etc/init.d/clamd
=================================================================
#! /bin/bash
#
# clamd Start/Stop the clam antivirus daemon.
#
# chkconfig: 2345 90 60
# description: clamd is a standard UNIX program that scans for viruses.
# processname: clamd
# config: /usr/local/etc/clamd.conf
# pidfile: /var/run/clamav/clamd.pid
# Source function library.
# Source the distribution's init helper library; it provides the daemon,
# killproc and status helpers used by the functions below.
. /etc/init.d/functions
RETVAL=0
# Daemon name and the sbin directory of the --prefix=/usr/local/clamav install.
prog="clamd"
progdir="/usr/local/clamav/sbin"
# Optional per-host overrides; only sourced when the file is present.
if [ -f "/etc/sysconfig/${prog}" ]; then
  . "/etc/sysconfig/${prog}"
fi
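#######################################
# Start clamd through the daemon() helper.
# Globals:   prog, progdir (read), RETVAL (written)
# Returns:   exit status of daemon()
#######################################
start() {
  echo -n $"Starting $prog: "
  daemon "$progdir/$prog"
  RETVAL=$?
  echo
  if [ $RETVAL -eq 0 ]; then
    # Subsys lock: the condrestart action only restarts when this file
    # exists, and nothing else in this script created it before.
    touch "/var/lock/subsys/$prog"
    # NOTE(review): this only creates an empty marker file; the real PID is
    # written by clamd itself to the PidFile set in clamav.conf, which on this
    # page is /var/run/clamd.pid rather than this path -- confirm which one
    # is intended so status/killproc look in the right place.
    touch /var/run/clamav/clamd.pid
  fi
  # NOTE(review): clamav.conf on this page leaves "User clamav" commented out,
  # so clamd keeps running as root even though a clamav account was created.
  return $RETVAL
}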
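#######################################
# Stop clamd through the killproc() helper.
# Globals:   prog (read), RETVAL (written)
# Returns:   exit status of killproc()
#######################################
stop() {
  echo -n $"Stopping $prog: "
  killproc "$prog"
  RETVAL=$?
  echo
  if [ $RETVAL -eq 0 ]; then
    rm -f /var/run/clamav/clamd.pid
    # Drop the subsys lock so condrestart is a no-op while the daemon is down.
    rm -f "/var/lock/subsys/$prog"
  fi
  return $RETVAL
}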
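#######################################
# Report daemon status via the status() helper.
# Globals:   prog (read) -- the other actions use $prog too, so the
#            hard-coded "clamd" is replaced for consistency.
# Returns:   exit status of status()
#######################################
rhstatus() {
  status "$prog"
}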
#######################################
# Stop, then start, the daemon.
# Globals:   RETVAL (read; set by start())
# Returns:   the outcome of start()
#######################################
restart() {
  stop
  start
  return $RETVAL
}
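#######################################
# Send SIGHUP to clamd (the page treats this as a configuration reload).
# Globals:   prog (read), RETVAL (written)
# Returns:   exit status of killproc()
#######################################
reload() {
  echo -n $"Reloading clam daemon configuration: "
  killproc "$prog" -HUP
  # Was "retval=$?": the lowercase variable was never read, so the function
  # returned whatever RETVAL held from an earlier action.
  RETVAL=$?
  echo
  return $RETVAL
}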
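# Dispatch on the requested action.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart)
    # Only restart when the subsys lock says the daemon was running.
    [ -f /var/lock/subsys/clamd ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
    exit 1
esac
# Propagate the action's status instead of an unconditional 0, so that
# "service clamd start" reports a failed daemon launch to the caller.
exit $?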
# chmod 755 /etc/init.d/clamd
# chkconfig --add clamd
# chkconfig clamd on
|
Example 4. clamav
[root@linuxas3 clamav]# touch /etc/init.d/clamav //内容如下
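#!/bin/sh
#
# Startup / shutdown script for Clam Antivirus
#
# Runs freshclam in daemon mode (-d), checking for database updates -c 2
# times per day and logging to -l /var/log/freshclam.log.
# Usage: clamav { start | stop }
CLAMAV=/usr/local/clamav/bin
case "$1" in
  start)
    # CLAMAV already ends in /bin; the previous "${CLAMAV}/bin/freshclam"
    # pointed at /usr/local/clamav/bin/bin/freshclam, which does not exist.
    "${CLAMAV}/freshclam" -d -c 2 -l /var/log/freshclam.log
    printf ' freshclam'
    ;;
  stop)
    # killall matches every process named freshclam, not only the one
    # started here; output is discarded and the name echoed only on success.
    /usr/bin/killall freshclam > /dev/null 2>&1 \
      && printf ' freshclam'
    ;;
  *)
    printf '\nUsage: %s { start | stop }\n\n' "$(basename "$0")"
    exit 64
    ;;
esac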
|
启动clamav
[root@linuxas3 clamav]# chmod 755 /etc/init.d/clamav [root@linuxas3 clamav]# /etc/init.d/clamav start or [root@linuxas3 clamav]# service clamav start |
添加自动升级脚本
# crontab |