Using ClamAV, illustrated on a Linux CentOS 7 system
1. Overview
ClamAV is a command-line virus-scanning tool that provides two scan commands, clamdscan and clamscan:
clamscan: the general-purpose command; it does not depend on a service, accepts many parameters, and runs more slowly.
clamdscan: a scan command that works together with the resident clamd service. Because it is much faster, the project uses this command to scan files. Its main drawback is that fewer options are available (part of the functionality is controlled by clamd).
2. Start and check the clamd service
- Using clamdscan requires the clamd service to be running first (clamd is not started by default after ClamAV is installed). It is enabled in two steps: 1. edit the clamd configuration; 2. start the clamd service:
systemctl start clamd@scan   # start the clamd service
systemctl enable clamd@scan  # make clamd start at boot
# Check connectivity to clamd: clamdscan -p 3 (ping clamd up to 3 times); a PONG reply means it is working
3. Usage
Forms of the clamdscan command:
Scan specific files: clamdscan scandParam file1 file2
Scan a directory: clamdscan scandParam folder
scandParam stands for the scan parameters (taken from the existing system configuration), explained below
1. Usage demo
- Run the command:
clamdscan --infected --fdpass --config-file=/etc/clamd.d/scan.conf --no-summary --stdout file.txt #replace file.txt with the file to be checked
- Interpreting the result
If the command produces any output, an infected file was found. The output format is:
full path of the file: name of the detected virus FOUND, which can be parsed with a regular expression
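As an added example (not part of the original post), the following Python parses clamdscan output in the format above together with the command's exit code (0 clean, 1 infected, 2 error, as documented in clamdscan(1)). The sample output is constructed; run_clamdscan assumes the same options as the demo command and is only meaningful on a host where clamd is running.

```python
import re
import subprocess

# Same pattern as the page's regex: the greedy (?P<file>.*) keeps a path that
# itself contains ": " whole, because the match is decided by the final
# ": <name> FOUND" part of the line.
FOUND_RE = re.compile(r'(?P<file>.*): (?P<name>[^\s]+) FOUND', re.IGNORECASE)

# Exit codes documented in clamdscan(1)
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# Options used by the demo command above (config path as on the page)
SCAN_ARGS = ["--infected", "--fdpass", "--config-file=/etc/clamd.d/scan.conf",
             "--no-summary", "--stdout"]

# Constructed sample of clamdscan stdout (--infected normally suppresses the
# OK line; one is included to show that it is ignored by the parser)
SAMPLE_OUTPUT = """\
/srv/upload/eicar.com: Eicar-Test-Signature FOUND
/srv/upload/report: final.doc: Win.Test.EICAR_HDB-1 FOUND
/srv/upload/clean.txt: OK
/srv/upload/missing.bin: File path check failure: No such file or directory. ERROR
"""


def parse_clamdscan_output(stdout, retcode):
    """Combine clamdscan's stdout and exit code into a structured verdict.

    Returns {"verdict": "clean"|"infected"|"error",
             "infected": {path: signature_name}, "errors": [raw error lines]}.
    """
    infected = {}
    errors = []
    for line in stdout.splitlines():
        line = line.strip()
        if not line:
            continue
        match = FOUND_RE.match(line)
        if match:
            infected[match.group("file")] = match.group("name")
        elif line.endswith(" ERROR"):
            # files clamd could not open are reported, not silently skipped
            errors.append(line)
    if retcode == EXIT_INFECTED or infected:
        # a FOUND line is authoritative even if the exit code disagrees
        verdict = "infected"
    elif retcode == EXIT_CLEAN:
        verdict = "clean"
    else:
        verdict = "error"
    return {"verdict": verdict, "infected": infected, "errors": errors}


def run_clamdscan(path, scan_args=SCAN_ARGS):
    """Run clamdscan on one file or directory and parse the result.

    Not exercised offline; requires clamd to be running (see section 2).
    The argument list is passed without a shell, so file names containing
    spaces or shell metacharacters cannot alter the command line.
    """
    proc = subprocess.run(["clamdscan"] + list(scan_args) + [path],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    return parse_clamdscan_output(proc.stdout, proc.returncode)


if __name__ == "__main__":
    print(parse_clamdscan_output(SAMPLE_OUTPUT, EXIT_INFECTED))
```

Treating "no output" as "clean" without looking at the exit code would misclassify a file clamd could not read (exit code 2, an ERROR line) as clean, which is why the parser keeps the error lines and the exit code separate from the FOUND matches.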
4. Python wrapper
import re
import logging

# The Antivirus base class (which supplies build_cmd, run_cmd, locate and scan)
# comes from the surrounding project and is imported there; it is not shown on
# this page.
log = logging.getLogger(__name__)


class ClamavSecurity(Antivirus):
    _name = "Clam AntiVirus Scanner (Linux)"

    # ==================================
    # Constructor and destructor stuff
    # ==================================

    def __init__(self, *args, **kwargs):
        # call the super class constructor
        super(ClamavSecurity, self).__init__(*args, **kwargs)
        # scan tool variables: one argument per element, so the command line
        # is built from a list and never depends on string splitting
        self._scan_args = (
            "--infected",      # only print infected files
            "--fdpass",        # pass file descriptors to clamd, avoiding file
                               # access problems because the daemon runs as
                               # the clamav user
            "--config-file=/etc/clamd.d/scan.conf",
            "--no-summary",    # disable the summary at the end of the scan
            "--stdout",        # do not write to stderr
        )
        self._scan_patterns = [
            re.compile(r'(?P<file>.*): (?P<name>[^\s]+) FOUND', re.IGNORECASE)
        ]

    # ==========================================
    # Antivirus methods (need to be overridden)
    # ==========================================

    def get_version(self):
        """return the version of the antivirus"""
        result = None
        if self.scan_path:
            cmd = self.build_cmd(self.scan_path,
                                 "--config-file=/etc/clamd.d/scan.conf",
                                 "--version")
            retcode, stdout, stderr = self.run_cmd(cmd)
            if not retcode:
                matches = re.search(r'(\d+(\.\d+)+)', stdout, re.IGNORECASE)
                if matches:
                    result = matches.group().strip()
        return result

    def get_database(self):
        """return list of files in the database"""
        # NOTE: we can use clamconf to get the database location, but it is not
        # always installed by default. Instead, hardcode some common paths and
        # locate files using predefined patterns
        search_paths = [
            '/var/lib/clamav',      # default location on Debian
        ]
        database_patterns = [
            'main.cvd',
            'daily.c[lv]d',         # *.cld on Debian, *.cvd from the ClamAV website
            'bytecode.c[lv]d',      # *.cld on Debian, *.cvd from the ClamAV website
            'safebrowsing.c[lv]d',  # *.cld on Debian, *.cvd from the ClamAV website
            '*.hdb',                # clamav hash database
            '*.mdb',                # clamav MD5, PE-section based
            '*.ndb',                # clamav extended signature format
            '*.ldb',                # clamav logical signatures
        ]
        results = []
        for pattern in database_patterns:
            result = self.locate(pattern, search_paths, syspath=False)
            results.extend(result)
        return results if results else None

    def get_scan_path(self):
        """return the full path of the scan tool"""
        paths = self.locate("clamdscan")
        return paths[0] if paths else None


# Caller side. The method below belongs to the class that drives the scan
# (the one that owns self.task.target, the path to be checked), not to
# ClamavSecurity; it is shown here at method indentation for reference.
    def clam_scan(self, result):
        clam_scan = ClamavSecurity()
        try:
            # clamdscan exits with 1 when at least one infected file was found
            if clam_scan.scan(self.task.target) == 1:
                result["positives"] += 1
        except (TypeError, OSError):
            log.warning("Check whether ClamAV has been installed!")
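The wrapper's get_database() only reports which signature files exist; it says nothing about whether they are current, and a scanner with week-old signatures still returns "clean". The following added example (not part of the original post or the project) reproduces the wrapper's locate and version-parsing logic with the standard library, then adds an age check over the same file patterns. The sample directory and the version string are constructed; SEARCH_PATHS and DATABASE_PATTERNS mirror the wrapper's values.

```python
import glob
import os
import re
import tempfile
import time

# Same search path and file patterns as the wrapper's get_database()
SEARCH_PATHS = ["/var/lib/clamav"]
DATABASE_PATTERNS = [
    "main.cvd",
    "daily.c[lv]d",        # *.cld on Debian, *.cvd from the ClamAV website
    "bytecode.c[lv]d",
    "safebrowsing.c[lv]d",
    "*.hdb", "*.mdb", "*.ndb", "*.ldb",
]


def locate_database_files(search_paths=SEARCH_PATHS, patterns=DATABASE_PATTERNS):
    """Return the signature files found below the given directories, in pattern order."""
    found = []
    for directory in search_paths:
        for pattern in patterns:
            # glob understands the c[lv]d character class, like the wrapper's locate()
            found.extend(sorted(glob.glob(os.path.join(directory, pattern))))
    return found


def stale_databases(paths, max_age_days=7, now=None):
    """Return the files not updated within max_age_days (by modification time)."""
    now = time.time() if now is None else now
    limit = max_age_days * 86400
    return [p for p in paths if now - os.stat(p).st_mtime > limit]


def audit_signatures(search_paths=SEARCH_PATHS, max_age_days=7, now=None):
    """Summarise which database files exist and which are out of date."""
    files = locate_database_files(search_paths)
    stale = stale_databases(files, max_age_days, now)
    return {"files": [os.path.basename(p) for p in files],
            "stale": [os.path.basename(p) for p in stale]}


def parse_version(stdout):
    """Extract the engine version from `clamdscan --version` output, as get_version() does."""
    match = re.search(r'(\d+(\.\d+)+)', stdout)
    return match.group(1) if match else None


def make_sample_database_dir():
    """Constructed sample: a temp dir imitating /var/lib/clamav with a stale daily.cld."""
    directory = tempfile.mkdtemp(prefix="clamav-demo-")
    for name in ("main.cvd", "daily.cld", "custom.ndb", "README.txt"):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("constructed placeholder, not a real signature file\n")
    # backdate daily.cld by ten days so the age check has something to report
    ten_days_ago = time.time() - 10 * 86400
    os.utime(os.path.join(directory, "daily.cld"), (ten_days_ago, ten_days_ago))
    return directory


if __name__ == "__main__":
    print(audit_signatures([make_sample_database_dir()]))
    # constructed sample of `clamdscan --version` output
    print(parse_version("ClamAV 0.103.8/26911/Fri Apr 21 07:28:26 2023"))
```

On a real host, call audit_signatures() with the defaults; an empty "files" list means the installation check in clam_scan() would also fail, and a non-empty "stale" list means freshclam is not keeping the database current.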