ClamAV was originally developed as antivirus software for the Postfix mail gateway, with the main purpose of scanning messages in the mail queue for viruses. The antivirus module was later split out into a standalone open-source tool that detects viruses, malware and worms, and it has become the main choice for file-level security on Linux.

Deploying ClamAV

  1. Add the EPEL repository
    # ClamAV's RHEL/CentOS packages are published directly through EPEL
    yum clean all
    yum makecache
    yum install -y git python3-pip
    yum install -y epel-release

    # Switch to the Huawei Cloud mirror
    sed -i "s/#baseurl/baseurl/g" /etc/yum.repos.d/epel.repo
    sed -i "s/metalink/#metalink/g" /etc/yum.repos.d/epel.repo
    sed -i "s@https\?://download.example/pub@https://repo.huaweicloud.com@g" /etc/yum.repos.d/epel.repo

    yum makecache
    yum upgrade -y
  2. Install ClamAV
    yum install -y clamav clamav-update clamd
  3. Enable the services
    # Reload the unit list
    systemctl daemon-reload
    # Enable automatic virus-database updates; the default update interval is once a month
    systemctl enable clamav-freshclam.service
    # Enable the scanning daemon
    systemctl enable clamd@scan.service

Building an internal signature database

  1. Deploy cvdupdate
    # Install Nginx
    # Use /var/www as the site root
    yum install -y nginx
    mkdir -p /var/www
    chown nginx:nginx /var/www

    # cvdupdate is a ClamAV database mirroring tool developed by Cisco (yes, that Cisco)
    pip3 install cvdupdate
    # Set the directory where the database files are stored
    cvd config set --dbdir /var/www
    # Replace the official source with the Amazon S3 mirror
    sed -i "s@https://database.clamav.net@https://pivotal-clamav-mirror.s3.amazonaws.com@g" ~/.cvdupdate/config.json

    cvd update
    2021-07-09 17:28:06 cvdupdate-1.0.2 INFO main.cvd is up-to-date. Version: 59
    2021-07-09 17:28:06 cvdupdate-1.0.2 INFO daily.cvd is up-to-date. Version: 26225
    2021-07-09 17:28:06 cvdupdate-1.0.2 INFO bytecode.cvd is up-to-date. Version: 333
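As an added example (not from the original post or from cvdupdate), the following Python script reads the fixed 512-byte header that every ClamAV .cvd file begins with and compares the databases freshclam installed under /var/lib/clamav with the copies served by the internal mirror, so a mirror that has silently stopped syncing is noticed before clients fall behind. The mirror URL and local directory are the ones used later on this page and are assumptions; the make_header helper constructs sample headers so the parser can be exercised offline.

```python
import os
import urllib.request
from dataclasses import dataclass

CVD_HEADER_LEN = 512  # every .cvd starts with a fixed 512-byte header
DATABASES = ("main.cvd", "daily.cvd", "bytecode.cvd")

@dataclass(frozen=True)
class CvdHeader:
    version: int
    sigs: int
    flevel: int
    builder: str

def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the leading 512 bytes of a .cvd file, laid out as
    ClamAV-VDB:<build date>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<build time>"""
    fields = raw[:CVD_HEADER_LEN].rstrip(b"\x00 ").decode("ascii", "replace").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) != 9:
        raise ValueError("not a ClamAV CVD header")
    return CvdHeader(version=int(fields[2]), sigs=int(fields[3]),
                     flevel=int(fields[4]), builder=fields[7])

def compare(local: CvdHeader, mirror: CvdHeader) -> str:
    """'current' if local matches the mirror, 'behind' if the mirror is newer,
    'ahead' if the local copy is newer than the mirror (the mirror stopped syncing)."""
    if local.version == mirror.version:
        return "current"
    return "behind" if local.version < mirror.version else "ahead"

def fetch_header(url: str) -> CvdHeader:
    """Fetch only the header from the mirror with an HTTP Range request."""
    req = urllib.request.Request(url, headers={"Range": f"bytes=0-{CVD_HEADER_LEN - 1}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_cvd_header(resp.read(CVD_HEADER_LEN))

def check_mirror(local_dir="/var/lib/clamav", mirror="http://192.168.248.150/clamav"):
    """Compare each local database with the copy served by the internal mirror (assumed URL)."""
    results = {}
    for name in DATABASES:
        with open(os.path.join(local_dir, name), "rb") as fh:
            local = parse_cvd_header(fh.read(CVD_HEADER_LEN))
        results[name] = compare(local, fetch_header(f"{mirror}/{name}"))
    return results

def make_header(version, sigs, flevel, builder):
    """Constructed sample header for offline testing; date, md5 and dsig are placeholders."""
    body = f"ClamAV-VDB:09 Jul 2021 10-30 -0400:{version}:{sigs}:{flevel}:MD5:DSIG:{builder}:1625841000"
    return body.encode("ascii").ljust(CVD_HEADER_LEN, b" ")
```

freshclam stores databases it has patched with cdiffs as .cld files, which carry the same header layout, so extend DATABASES to those names where they exist.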

Configuring ClamAV

  1. Add the internal update source
    # https is the default; when using plain http the URL must be written out as http://xxx.yyy.zzz, otherwise the scheme can be omitted
    sed -i "s@database.clamav.net@http://192.168.248.150/clamav@g" /etc/freshclam.conf

    [root@elasticnode1 ~]# freshclam
    ClamAV update process started at Fri Jul 9 18:29:37 2021
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.103.2 Recommended version: 0.103.3
    DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
    daily database available for download (remote version: 26225)
    Time: 0.5s, ETA: 0.0s [========================>] 102.43MiB/102.43MiB
    Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-4cfdfa4231c3496ffee7793166ed2602.tmp-daily.cvd' ...
    Database test passed.
    daily.cvd updated (version: 26225, sigs: 3994327, f-level: 63, builder: raynman)
    main database available for download (remote version: 59)
    Time: 0.5s, ETA: 0.0s [========================>] 112.40MiB/112.40MiB
    Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-cf8d5312f458ec6b897d0fbb3af11892.tmp-main.cvd' ...
    Database test passed.
    main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
    bytecode database available for download (remote version: 333)
    Time: 0.0s, ETA: 0.0s [========================>] 286.79KiB/286.79KiB
    Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-e205410803d9f55beb3855e58f5ec7d2.tmp-bytecode.cvd' ...
    Database test passed.
    bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)

    # Start the update service
    systemctl start clamav-freshclam.service
  2. Configure the ClamAV service
    # Create the log file
    touch /var/log/clamd.scan

    # Edit the clamd configuration file
    sed -i 's/#LogFile \/var/LogFile \/var/g' /etc/clamd.d/scan.conf
    sed -i 's/#LocalSocket \/run/LocalSocket \/run/g' /etc/clamd.d/scan.conf
    sed -i 's/#LocalSocketMode/LocalSocketMode/g' /etc/clamd.d/scan.conf

    # Start the service
    systemctl start clamd@scan.service
  3. Functional test
    # Download the EICAR test file
    wget http://www.eicar.org/download/eicar.com

    # Scan manually
    clamscan --infected --remove --recursive .
    # Result
    /root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
    /root/eicar.com: Removed.

    ----------- SCAN SUMMARY -----------
    Known viruses: 8543862
    Engine version: 0.103.2
    Scanned directories: 1
    Scanned files: 9
    Infected files: 1
    Data scanned: 0.02 MB
    Data read: 0.01 MB (ratio 2.00:1)
    Time: 17.424 sec (0 m 17 s)
    Start Date: 2021:07:09 18:45:02
    End Date: 2021:07:09 18:45:19

Integration with Wazuh

  1. Install the Wazuh agent

    Wazuh ships with ClamAV rules and decoders by default, so installing wazuh-agent is all that is needed.

  2. Display in Kibana

    [Kibana screenshot: clamav]