1. Installing the ClamAV antivirus software
[root@zabbix-agent ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@zabbix-agent ~]# yum -y install epel-release
Installed:
epel-release.noarch 0:7-9
Complete!
[root@zabbix-agent ~]# yum clean all
[root@zabbix-agent ~]# yum makecache
[root@zabbix-agent ~]# yum repolist
repo id repo name status
base/7/x86_64 CentOS-7 - Base 9,591
epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 12,201
extras/7/x86_64 CentOS-7 - Extras 329
updates/7/x86_64 CentOS-7 - Updates 1,651
repolist: 23,772
[root@zabbix-agent ~]# yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Installed:
clamav.x86_64 0:0.99.2-13.el7 clamav-data.noarch 0:0.99.2-13.el7
clamav-devel.x86_64 0:0.99.2-13.el7 clamav-filesystem.noarch 0:0.99.2-13.el7
clamav-lib.x86_64 0:0.99.2-13.el7 clamav-scanner-systemd.noarch 0:0.99.2-13.el7
clamav-server.x86_64 0:0.99.2-13.el7 clamav-server-systemd.noarch 0:0.99.2-13.el7
clamav-update.x86_64 0:0.99.2-13.el7
Dependency Installed:
clamav-scanner.noarch 0:0.99.2-13.el7 keyutils-libs-devel.x86_64 0:1.5.8-3.el7 krb5-devel.x86_64 0:1.15.1-8.el7
libcom_err-devel.x86_64 0:1.42.9-10.el7 libkadm5.x86_64 0:1.15.1-8.el7 libselinux-devel.x86_64 0:2.5-11.el7
libsepol-devel.x86_64 0:2.5-6.el7 libtool-ltdl.x86_64 0:2.4.2-22.el7_3 libverto-devel.x86_64 0:0.2.5-4.el7
nmap-ncat.x86_64 2:6.40-7.el7 openssl-devel.x86_64 1:1.0.2k-8.el7 pcre-devel.x86_64 0:8.32-17.el7
zlib-devel.x86_64 0:1.2.7-17.el7
Updated:
dracut.x86_64 0:033-502.el7_4.1 systemd.x86_64 0:219-42.el7_4.4
Dependency Updated:
dracut-config-rescue.x86_64 0:033-502.el7_4.1 dracut-network.x86_64 0:033-502.el7_4.1 e2fsprogs.x86_64 0:1.42.9-10.el7
e2fsprogs-libs.x86_64 0:1.42.9-10.el7 krb5-libs.x86_64 0:1.15.1-8.el7 libcom_err.x86_64 0:1.42.9-10.el7
libgudev1.x86_64 0:219-42.el7_4.4 libselinux.x86_64 0:2.5-11.el7 libselinux-python.x86_64 0:2.5-11.el7
libselinux-utils.x86_64 0:2.5-11.el7 libsepol.x86_64 0:2.5-6.el7 libss.x86_64 0:1.42.9-10.el7
openssl.x86_64 1:1.0.2k-8.el7 openssl-libs.x86_64 1:1.0.2k-8.el7 pcre.x86_64 0:8.32-17.el7
systemd-libs.x86_64 0:219-42.el7_4.4 systemd-sysv.x86_64 0:219-42.el7_4.4 zlib.x86_64 0:1.2.7-17.el7
Complete!
Remove (comment out) the "Example" line in the two configuration files /etc/freshclam.conf and /etc/clamd.d/scan.conf, backing each file up first:
[root@zabbix-agent ~]# cp /etc/freshclam.conf /etc/freshclam.conf.bak
[root@zabbix-agent ~]# sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
[root@zabbix-agent ~]# cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.bak
[root@zabbix-agent ~]# sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf
[root@zabbix-agent ~]# vim /etc/clamd.d/scan.conf
LocalSocket /var/run/clamd.scan/clamd.sock
2. Updating the virus database
2.1 Turning off automatic updates
The freshclam command is run automatically through the file /etc/cron.d/clamav-update, whose contents are:
[root@zabbix-agent ~]# vim /etc/cron.d/clamav-update
## Adjust this line...
MAILTO=root
## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamupdate' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep
By default, however, automatic updating is disabled; to enable it, remove the setting on the last line of /etc/sysconfig/freshclam (commented out below):
[root@zabbix-agent ~]# vim /etc/sysconfig/freshclam
# FRESHCLAM_DELAY=
Define the server type (local socket or TCP). Here a local socket is used, so remove the comment character in front of this line in /etc/clamd.d/scan.conf:
[root@zabbix-agent ~]# vim /etc/clamd.d/scan.conf
#LocalSocket /var/run/clamd.scan/clamd.sock
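The configuration edits from sections 1 and 2.1 (comment out "Example" in both files, enable LocalSocket in scan.conf, clear FRESHCLAM_DELAY in /etc/sysconfig/freshclam) collected into one re-runnable function with a check, as an added example that is not part of the original tutorial. The file paths are parameters, so the function can be tried on copies before it is run against /etc; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the edits from sections 1
# and 2.1 as one idempotent function plus a check of the resulting state.
set -eu

# comment_out FILE PREFIX: turn a line starting with PREFIX into a comment
# (no-op if it is already commented out, so re-running is safe)
comment_out() {
    sed -i -e "s/^$2/#$2/" "$1"
}

# uncomment FILE PREFIX: the reverse. Include the trailing space in PREFIX
# where needed ("LocalSocket "), otherwise the LocalSocketGroup and
# LocalSocketMode lines in scan.conf would be enabled as well.
uncomment() {
    sed -i -e "s/^#$2/$2/" "$1"
}

# prepare_clamav_config FRESHCLAM_CONF SCAN_CONF SYSCONFIG_FRESHCLAM
prepare_clamav_config() {
    comment_out "$1" "Example"
    comment_out "$2" "Example"
    uncomment "$2" "LocalSocket "
    comment_out "$3" "FRESHCLAM_DELAY"
}

# check_clamav_config FRESHCLAM_CONF SCAN_CONF SYSCONFIG_FRESHCLAM
# Prints "ok" when every line is in the expected state, else the first problem.
check_clamav_config() {
    if grep -q '^Example' "$1"; then echo "Example still active in $1"; return 1; fi
    if grep -q '^Example' "$2"; then echo "Example still active in $2"; return 1; fi
    if ! grep -q '^LocalSocket ' "$2"; then echo "LocalSocket not enabled in $2"; return 1; fi
    if grep -q '^FRESHCLAM_DELAY=' "$3"; then echo "FRESHCLAM_DELAY still set in $3"; return 1; fi
    echo ok
}

# Real run on the CentOS 7 host (as root), after the backups shown above:
# prepare_clamav_config /etc/freshclam.conf /etc/clamd.d/scan.conf /etc/sysconfig/freshclam
# check_clamav_config   /etc/freshclam.conf /etc/clamd.d/scan.conf /etc/sysconfig/freshclam
```

The check is worth keeping separately from the edit: it is what a configuration-management run or a hardening audit can call later to confirm the files have not drifted back to the packaged defaults.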
2.2 Downloading the virus database
Download the three files main.cvd, daily.cvd and bytecode.cvd and upload them to the /var/lib/clamav directory:
[root@zabbix-agent clamav]# pwd
/var/lib/clamav
[root@zabbix-agent clamav]# ll
total 113136
-rw-r--r-- 1 clamupdate clamupdate 76781 Jun 13 2016 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate 6626001 Jun 13 2016 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 109143933 Jun 13 2016 main.cvd
Delete the existing database files and replace them with the newly downloaded latest versions.
[root@zabbix-agent clamav]# ll
total 158088
-rw-r--r-- 1 root root 153228 Jan 12 21:56 bytecode.cvd
-rw-r--r-- 1 root root 43830800 Jan 12 21:57 daily.cvd
-rw-r--r-- 1 root root 117892267 Jan 12 21:57 main.cvd
[root@zabbix-agent clamav]# vim /etc/freshclam.conf
DatabaseDirectory /var/lib/clamav
(remove the # comment character in front of this line)
[root@zabbix-agent clamav]# systemctl enable clamd@scan.service
[root@zabbix-agent system]# ln -s '/usr/lib/systemd/system/clamd@scan.service' '/etc/systemd/system/multi-user.target.wants/clamd@scan.service'
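A check for the hand-uploaded database files, as an added example that is not part of the original tutorial. Every .cvd/.cld file begins with a 512-byte text header of colon-separated fields (ClamAV-VDB, build time, version, signature count, functionality level, MD5, signature, builder, build timestamp), so the version and signature counts that freshclam prints can be read without sigtool. The owner check reports files that are not owned by clamupdate, the user freshclam drops privileges to and the owner of the packaged files in the first listing above; the function names and the chown line are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the database
# files in DatabaseDirectory by reading the 512-byte CVD header:
#   ClamAV-VDB:<build time>:<version>:<signatures>:<f-level>:<md5>:<dsig>:<builder>:<stime>
set -eu

# cvd_field FILE N: field N (1-based) of the header
cvd_field() {
    head -c 512 "$1" | tr -d '\0' | cut -d: -f"$2"
}
cvd_version() { cvd_field "$1" 3; }
cvd_sigs()    { cvd_field "$1" 4; }
cvd_flevel()  { cvd_field "$1" 5; }

# check_clam_db DIR [OWNER]: main/daily/bytecode must exist (.cvd, or .cld
# after an incremental update), carry a ClamAV-VDB header and belong to
# OWNER (default clamupdate). Prints one line per file; returns 1 on any problem.
check_clam_db() {
    dir=$1
    owner=${2:-clamupdate}
    # resolve a user name to a uid; a numeric OWNER is used as given
    want_uid=$(id -u "$owner" 2>/dev/null || echo "$owner")
    status=0
    for name in main daily bytecode; do
        f=""
        for ext in cvd cld; do
            if [ -f "$dir/$name.$ext" ]; then f="$dir/$name.$ext"; break; fi
        done
        if [ -z "$f" ]; then
            echo "missing: $name"; status=1; continue
        fi
        if [ "$(cvd_field "$f" 1)" != "ClamAV-VDB" ]; then
            echo "bad header: $f"; status=1; continue
        fi
        have_uid=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$have_uid" != "$want_uid" ]; then
            echo "wrong owner (uid $have_uid, want $want_uid): $f"; status=1; continue
        fi
        echo "$(basename "$f") version=$(cvd_version "$f") sigs=$(cvd_sigs "$f") f-level=$(cvd_flevel "$f")"
    done
    return $status
}

# On the tutorial's host:
#   check_clam_db /var/lib/clamav
# To give uploaded files the same owner as the packaged ones (assumed step):
#   chown clamupdate:clamupdate /var/lib/clamav/*.cvd
```

Comparing the version fields against the values freshclam later prints ("main.cvd is up to date (version: 58 ...)") is a quick way to confirm the uploaded files were actually picked up rather than silently replaced.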
2.3 Updating the virus database
Create the clam-freshclam.service unit:
[root@zabbix-agent ~]# vim /usr/lib/systemd/system/clam-freshclam.service
# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target
[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true
[Install]
WantedBy=multi-user.target
[root@zabbix-agent ~]# systemctl start clam-freshclam.service
[root@zabbix-agent ~]# systemctl status clam-freshclam.service
● clam-freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-01-12 22:34:43 CST; 8s ago
Process: 2533 ExecStart=/usr/bin/freshclam -d -c 4 (code=exited, status=0/SUCCESS)
Main PID: 2534 (freshclam)
CGroup: /system.slice/clam-freshclam.service
└─2534 /usr/bin/freshclam -d -c 4
Jan 12 22:34:43 zabbix-agent systemd[1]: Starting freshclam scanner...
Jan 12 22:34:43 zabbix-agent systemd[1]: Started freshclam scanner.
Jan 12 22:34:43 zabbix-agent freshclam[2534]: freshclam daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 22:34:43 zabbix-agent freshclam[2534]: ClamAV update process started at Fri Jan 12 22:34:43 2018
Jan 12 22:34:43 zabbix-agent freshclam[2534]: main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jan 12 22:34:44 zabbix-agent freshclam[2534]: Downloading daily-24213.cdiff [100%]
Jan 12 22:34:44 zabbix-agent freshclam[2534]: Downloading daily-24214.cdiff [100%]
Jan 12 22:34:46 zabbix-agent freshclam[2534]: Downloading daily-24215.cdiff [100%]
Jan 12 22:34:49 zabbix-agent freshclam[2534]: daily.cld updated (version: 24215, sigs: 1823104, f-level: 63, builder: neo)
Jan 12 22:34:50 zabbix-agent freshclam[2534]: bytecode.cvd is up to date (version: 319, sigs: 75, f-level: 63, builder: neo)
Hint: Some lines were ellipsized, use -l to show in full.
[root@zabbix-agent ~]# freshclam
ClamAV update process started at Fri Jan 12 22:37:24 2018
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 24215, sigs: 1823104, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 319, sigs: 75, f-level: 63, builder: neo)
[root@zabbix-agent ~]# systemctl enable clam-freshclam.service
Created symlink from /etc/systemd/system/multi-user.target.wants/clam-freshclam.service to /usr/lib/systemd/system/clam-freshclam.service.
[root@zabbix-agent ~]# cp /usr/share/clamav/template/clamd.conf /etc/clamd.conf
[root@zabbix-agent ~]# vim /etc/clamd.conf
#Example
TCPSocket 3310
TCPAddr 127.0.0.1
[root@zabbix-agent ~]# /usr/sbin/clamd restart
[root@zabbix-agent ~]# clamdscan -V
ClamAV 0.99.2/24262/Sun Jan 28 09:21:42 2018
3. Starting the service
[root@zabbix-agent ~]# systemctl start clamd@scan.service
[root@zabbix-agent ~]# systemctl status clamd@scan.service
● clamd@scan.service - Generic clamav scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-01-12 22:53:43 CST; 3s ago
Main PID: 2935 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─2935 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes
Jan 12 22:53:43 zabbix-agent systemd[1]: Started Generic clamav scanner daemon.
Jan 12 22:53:43 zabbix-agent systemd[1]: Starting Generic clamav scanner daemon...
Jan 12 22:53:43 zabbix-agent clamd[2935]: Received 0 file descriptor(s) from systemd.
Jan 12 22:53:43 zabbix-agent clamd[2935]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 22:53:43 zabbix-agent clamd[2935]: Running as user clamscan (UID 994, GID 991)
Jan 12 22:53:43 zabbix-agent clamd[2935]: Log file size limited to 1048576 bytes.
Jan 12 22:53:43 zabbix-agent clamd[2935]: Reading databases from /var/lib/clamav
Jan 12 22:53:43 zabbix-agent clamd[2935]: Not loading PUA signatures.
Jan 12 22:53:43 zabbix-agent clamd[2935]: Bytecode: Security mode set to "TrustSigned".
[root@zabbix-agent ~]# systemctl enable clamd@scan.service
4. Scanning for viruses
To scan all users' home directories, use:
[root@zabbix-agent ~]# clamscan -r /home
To scan every file on the computer and show the result for every file, use:
[root@zabbix-agent ~]# clamscan -r /
----------- SCAN SUMMARY -----------
Known viruses: 6383388
Engine version: 0.99.2
Scanned directories: 10373
Scanned files: 30631
Infected files: 0
Total errors: 15881
Data scanned: 1520.95 MB
Data read: 2276.20 MB (ratio 0.67:1)
Time: 236.625 sec (3 m 56 s)
To scan every file on the computer and show only the files with problems, use:
[root@zabbix-agent ~]# clamscan -r --bell -i /
----------- SCAN SUMMARY -----------
Known viruses: 6383388
Engine version: 0.99.2
Scanned directories: 10373
Scanned files: 30631
Infected files: 0
Total errors: 15881
Data scanned: 1520.95 MB
Data read: 2276.20 MB (ratio 0.67:1)
Time: 198.461 sec (3 m 18 s)
To scan the current directory and delete infected files:
[root@zabbix-agent ~]# clamscan -r --remove
Commonly used clamscan options:
-r/--recursive[=yes/no]    scan directories recursively (all files)
--log=FILE/-l FILE         write the scan report to FILE, for example:
clamscan -l /var/log/clamscan.log /
--move [path]              move infected files to the given directory
--remove                   delete infected files
--quiet                    print only error messages
--infected/-i              print only infected files
--suppress-ok-results/-o   skip files that scan OK
--bell                     sound a bell when an infected file is found
--unzip (unrar)            unpack archives and scan their contents
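A small wrapper around the options above, as an added example that is not part of the original tutorial, and also usable as the command in the section 5 crontab entry. It writes a dated report with -l, lists only hits with --infected, and turns clamscan's exit status (0 nothing found, 1 infected file found, 2 error, per clamscan(1)) into a one-word verdict together with the "Infected files" and "Total errors" counts from the SCAN SUMMARY, so a scheduled run can be judged from one line instead of the full report. The log directory, function names and the --exclude-dir choices are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: clamscan wrapper that keeps
# a dated log and reports verdict plus summary counts on one line.
set -eu

LOG_DIR=${LOG_DIR:-/var/log/clamav}   # assumed location; adjust to taste

# verdict_for_status N: map a clamscan exit status to a word
verdict_for_status() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# summary_value LOGFILE "Label": the number after "Label:" in the SCAN SUMMARY,
# e.g. summary_value scan.log "Infected files"
summary_value() {
    sed -n "s/^$2: \([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# scan_path PATH: run the scan and print "verdict infected=N errors=M logfile";
# the clamscan exit status is passed through for cron or a monitoring check
scan_path() {
    target=$1
    mkdir -p "$LOG_DIR"
    logfile=$LOG_DIR/clamscan-$(date +%Y%m%d-%H%M%S).log
    status=0
    # --infected: list hits only; -r: recurse; -l: write the report to a file.
    # /proc, /sys and /dev are excluded because a scan of / picks up a large
    # share of its "Total errors" from such pseudo-filesystems.
    /usr/bin/clamscan --infected -r -l "$logfile" \
        --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
        "$target" >/dev/null || status=$?
    echo "$(verdict_for_status "$status") infected=$(summary_value "$logfile" 'Infected files') errors=$(summary_value "$logfile" 'Total errors') $logfile"
    return "$status"
}

# Saved as /usr/local/bin/clamscan-weekly.sh (assumed path), a weekly run at
# 23:00 on Saturday in /etc/crontab looks like:
#   0 23 * * 6 root /usr/local/bin/clamscan-weekly.sh /
# where the script ends with:  scan_path "${1:-/}"
```

Because the exit status is passed through, cron's MAILTO (or whatever collects job output) sees a non-zero result for both "infected" and "error"; a scan that quietly exits 2 because the signature database could not be loaded is a finding in its own right, not a clean run.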
5. Scheduled tasks
Notes
Basic format:
* * * * * command
Column 1 is the minute (1~59); every minute is written as * or */1
Column 2 is the hour (1~23; 0 means midnight)
Column 3 is the day of the month (1~31)
Column 4 is the month (1~12)
Column 5 is the day of the week (0~6; 0 means Sunday)
Column 6 is the command to run
[root@zabbix-agent ~]# crontab -e
0 23 * * 6 /usr/bin/clamscan --infected -r / -l /var/log/clamscan.log
[root@zabbix-agent ~]# vim /etc/crontab
0 23 * * 6 root /usr/bin/clamscan --infected -r / -l /var/log/clamscan.log
[root@zabbix-agent ~]# crontab -l -u root
0 23 * * 6 /usr/bin/clamscan --infected -r / -l /var/log/clamscan.log
[root@zabbix-agent ~]# systemctl start crond.service
[root@zabbix-agent ~]# systemctl status crond.service
● crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2018-01-12 22:25:20 CST; 1h 27min ago
Main PID: 614 (crond)
CGroup: /system.slice/crond.service
└─614 /usr/sbin/crond -n
Jan 12 22:25:20 zabbix-agent systemd[1]: Started Command Scheduler.
Jan 12 22:25:20 zabbix-agent systemd[1]: Starting Command Scheduler...
Jan 12 22:25:20 zabbix-agent crond[614]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 83% if used.)
Jan 12 22:25:20 zabbix-agent crond[614]: (CRON) INFO (running with inotify support)
Jan 12 23:40:01 zabbix-agent crond[614]: (*system*) RELOAD (/etc/crontab)
[root@zabbix-agent ~]# systemctl enable crond.service