Centos7安装杀毒软件ClamAV
原文链接:https://ismailyenigul.wordpress.com/2015/01/05/install-clamav-on-centos-7/
Clam AntiVirus(ClamAV)是免费而且开放源代码的防毒软件,软件与病毒码的更新皆由社群免费发布。目前ClamAV主要是使用在由
Linux、FreeBSD等Unix-like系统架设的邮件服务器上,提供电子邮件的病毒扫描服务.
安装EPEL源
(http://www.cyberciti.biz/faq/installing-rhel-epel-repo-on-centos-redhat-7-x/)
Clamav可以通过EPEL源来安装,所以要首先安装EPEL,可以采用两种方法来安装:
第一种,通过命令行安装
[root@server_for_product ~]# yum install epel-release
第二种,使用下载好的安装包进行安装
[root@server_for_product ~]# cd /tmp
[root@server_for_product tmp]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
ls *.rpm
[root@server_for_product tmp]# yum install epel-release-7.noarch.rpm
刷新安装源并查看是否已经安装
[root@server_for_product ~]# yum repolist
看到以下字样就代表安装完成
epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64
查看EPEL源含有的安装包
[root@server_for_product ~]# yum --disablerepo="*" --enablerepo="epel" list available | less
安装ClamAV
在安装了EPEL源后,运行下面的命令安装ClamAV
[root@server_for_product ~]# yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y
在两个配置文件/etc/freshclam.conf和/etc/clamd.d/scan.conf中移除“Example”字符
[root@server_for_product ~]#sed -i -e “s/^Example/#Example/” /etc/freshclam.conf
[root@server_for_product ~]#sed -i -e “s/^Example/#Example/” /etc/clamd.d/scan.conf
手动更新病毒库
[root@server_for_product ~]# freshclam
顺便一提,freshclam命令通过文件/etc/cron.d/clamav-update来自动运行,该文件的内容
|
Adjust this line...
MAILTO=root
It is ok to execute it as root; freshclam drops privileges and becomes
user 'clamupdate' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep
|
但默认情况下是禁止了自动更新功能,需要移除文件/etc/sysconfig/freshclam最后一行的配置才能启用
|
Adjust this line...
MAILTO=root
It is ok to execute it as root; freshclam drops privileges and becomes
user 'clamupdate' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep
[root@server_for_product kylin]# ^C
[root@server_for_product kylin]# tail /etc/sysconfig/freshclam
This option accepts two special values:
'disabled-warn' ... disables the automatic freshclam update and
gives out a warning
'disabled' ... disables the automatic freshclam silently
FRESHCLAM_DELAY=
!!!!! REMOVE ME !!!!!!
REMOVE ME: By default, the freshclam update is disabled to avoid
REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn # REMOVE ME
|
记得移除上面红色字体
定义服务器类型(本地或者TCP),在这里定义为使用本地socket,将文件/etc/clam.d/scan.conf中的这一行前面的注释符号去掉:
LocalSocket /var/run/clamd.scan/clamd.sock
配置开机启动
[root@server_for_product ~]# systemctl enable clamd@scan
[root@server_for_product ~]# ln -s ‘/usr/lib/systemd/system/clamd@scan.service’ ‘/etc/systemd/system/multi-user.target.wants/clamd@scan.service’
启动并检查服务状态
[root@server_for_product ~]# systemctl start clamd@scan
[root@server_for_product ~]# systemctl status clamd@scan
看到active字样就表示安装成功
备注
如果在手动更新病毒库的时候遇到错误:Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working.
此时就要删除掉旧的镜像地址文件
[root@server_for_product ~]# rm -f /var/lib/clamav/mirrors.dat
再手动更新一次病毒库
[root@server_for_product ~]# freshclam
更新病毒库
freshclam
扫描方法
clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
clamscan -r --remove /usr/bin/bsd-port
clamscan -r --remove /usr/bin/
clamscan -r --remove /usr/local/zabbix/sbin
查看日志发现
/bin/netstat: Linux.Trojan.Agent FOUND为病毒
grep FOUND /root/usrclamav.log
/usr/bin/.sshd: Linux.Trojan.Agent FOUND
/usr/sbin/ss: Linux.Trojan.Agent FOUND
/usr/sbin/lsof: Linux.Trojan.Agent FOUND
扫描所有用户的主目录就使用 clamscan -r /home
· 扫描您计算机上的所有文件并且显示所有的文件的扫描结果,就使用 clamscan -r /
· 扫描您计算机上的所有文件并且显示有问题的文件的扫描结果,就使用 clamscan -r --bell -i /
执行下面命令扫描根目录下面的所有文件。如下所示:56个文件被感染了。基本上都是Linux.Trojan.Agent和Linux.Backdoor.Gates等。
/opt/clamav/bin/clamscan -r --bell -i
