ClamAV是一个可用于Linux平台上的开源杀毒引擎,可检测木马、病毒、恶意软件和其他恶意的威胁。
官网:http://www.clamav.net/
一、CentOS环境安装
# yum install -y epel-release
# yum install -y clamav
二、病毒库更新检查:freshclam
# freshclam ClamAV update process started at Fri Sep 22 17:43:55 2017 main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr) Downloading daily-23862.cdiff [100%] daily.cld updated (version: 23862, sigs: 1743102, f-level: 63, builder: neo) bytecode.cld is up to date (version: 312, sigs: 74, f-level: 63, builder: neo) Database updated (6309425 signatures) from db.local.clamav.net (IP: 203.178.137.175)
三、帮助文档
# clamscan --help Clam AntiVirus Scanner 0.99.2 By The ClamAV Team: http://www.clamav.net/about.html#credits (C) 2007-2015 Cisco Systems, Inc. --help -h Print this help screen --version -V Print version number --verbose -v Be verbose --archive-verbose -a Show filenames inside scanned archives --debug Enable libclamav's debug messages --quiet Only output error messages --stdout Write to stdout instead of stderr --no-summary Disable summary at end of scanning --infected -i Only print infected files --suppress-ok-results -o Skip printing OK files --bell Sound bell on virus detection --tempdir=DIRECTORY Create temporary files in DIRECTORY --leave-temps[=yes/no(*)] Do not remove temporary files --database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR --official-db-only[=yes/no(*)] Only load official signatures --log=FILE -l FILE Save scan report to FILE --recursive[=yes/no(*)] -r Scan subdirectories recursively --allmatch[=yes/no(*)] -z Continue scanning within file after finding a match --cross-fs[=yes(*)/no] Scan files and directories on other filesystems --follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always) --follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always) --file-list=FILE -f FILE Scan files from FILE --remove[=yes/no(*)] Remove infected files. Be careful! --move=DIRECTORY Move infected files into DIRECTORY --copy=DIRECTORY Copy infected files into DIRECTORY --exclude=REGEX Don't scan file names matching REGEX --exclude-dir=REGEX Don't scan directories matching REGEX --include=REGEX Only scan file names matching REGEX --include-dir=REGEX Only scan directories matching REGEX --bytecode[=yes(*)/no] Load bytecode from the database --bytecode-unsigned[=yes/no(*)] Load unsigned bytecode --bytecode-timeout=N Set bytecode timeout (in milliseconds) --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics --detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications --exclude-pua=CAT Skip PUA sigs of category CAT --include-pua=CAT Load PUA sigs of category CAT --detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card) --structured-ssn-format=X SSN format (0=normal,1=stripped,2=both) --structured-ssn-count=N Min SSN count to generate a detect --structured-cc-count=N Min CC count to generate a detect --scan-mail[=yes(*)/no] Scan mail files --phishing-sigs[=yes(*)/no] Signature-based phishing detection --phishing-scan-urls[=yes(*)/no] URL-based phishing detection --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found --phishing-ssl[=yes/no(*)] Always block SSL mismatches in URLs (phishing module) --phishing-cloak[=yes/no(*)] Always block cloaked URLs (phishing module) --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics. --algorithmic-detection[=yes(*)/no] Algorithmic detection --scan-pe[=yes(*)/no] Scan PE files --scan-elf[=yes(*)/no] Scan ELF files --scan-ole2[=yes(*)/no] Scan OLE2 containers --scan-pdf[=yes(*)/no] Scan PDF files --scan-swf[=yes(*)/no] Scan SWF files --scan-html[=yes(*)/no] Scan HTML files --scan-xmldocs[=yes(*)/no] Scan xml-based document files --scan-hwp3[=yes(*)/no] Scan HWP3 files --scan-archive[=yes(*)/no] Scan archive files (supported by libclamav) --detect-broken[=yes/no(*)] Try to detect broken executable files --block-encrypted[=yes/no(*)] Block encrypted archives --block-macros[=yes/no(*)] Block OLE2 files with VBA macros --nocerts Disable authenticode certificate chain verification in PE files --dumpcerts Dump authenticode certificate chain in PE files --max-filesize=#n Files larger than this will be skipped and assumed clean --max-scansize=#n The maximum amount of data to scan for each container file (**) --max-files=#n The maximum number of files to scan for each container file (**) --max-recursion=#n Maximum archive recursion level for container file (**) --max-dir-recursion=#n Maximum directory recursion level --max-embeddedpe=#n Maximum size file to check for embedded PE --max-htmlnormalize=#n Maximum size of HTML file to normalize --max-htmlnotags=#n Maximum size of normalized HTML file to scan --max-scriptnormalize=#n Maximum size of script file to normalize --max-ziptypercg=#n Maximum size zip to type reanalyze --max-partitions=#n Maximum number of partitions in disk image to be scanned --max-iconspe=#n Maximum number of icons in PE file to be scanned --max-rechwp3=#n Maximum recursive calls to HWP3 parsing function --pcre-match-limit=#n Maximum calls to the PCRE match function. --pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function. --pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching. --enable-stats Enable statistical reporting of malware --disable-pe-stats Disable submission of individual PE sections in stats submissions --stats-timeout=#n Number of seconds to wait for waiting a response back from the stats server --stats-host-id=UUID Set the Host ID used when submitting statistical info. --disable-cache Disable caching and cache checks for hash sums of scanned files. (*) Default scan settings (**) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside. The above options ensure safe processing of this kind of data.
四、病毒扫描:clamscan(递归扫描+扫描路径输出)
# clamscan -r /root/ --stdout /root/.cshrc: OK /root/.abrt/applet_dirlist: Empty file /root/ossec-hids-2.8.3.tar.gz: OK /root/virusDemo/virus/s.zip: Win.Trojan.HollandGirl-1 FOUND /root/.gconfd/saved_state: OK /root/rootkit.exe: Empty file /root/clam_log_170922.txt: OK /root/virusDemo/virus/l.zip: Win.Trojan.Radyum-2 FOUND /root/.imsettings.log: OK /root/virusDemo/virus/n.zip: Win.Trojan.Nympho-2 FOUND /root/chkrootkit-0.52/ifpromisc.c: OK /root/chkrootkit-0.52/chkrootkit.lsm: OK /root/chkrootkit-0.52/COPYRIGHT: OK ... ----------- SCAN SUMMARY ----------- Known viruses: 6303718 Engine version: 0.99.2 Scanned directories: 342 Scanned files: 3927 Infected files: 23 Data scanned: 133.68 MB Data read: 87.24 MB (ratio 1.53:1) Time: 38.355 sec (0 m 38 s)