ClamAV

Clam AntiVirus 是一款 UNIX 下開源的 (GPL) 反病毒工具包。它提供了包括一個靈活且可擴展的多線程守護進程，一個命令行掃描程序及用於自動更新數據庫的高級工具在內的多個實用程序。由於 ClamAV 主要用在與 Windows 桌面連接的文件及郵件伺服器上，它的核心用途為通過內置特徵檢測 Windows 病毒和惡意程序。

更新病毒庫[編輯 | 編輯原始碼]

通過下列命令更新病毒庫:

# freshclam

如果你處於代理後，需編輯 /etc/clamav/freshclam.conf 並更新 HTTPProxyServer，HTTPProxyPort，HTTPProxyUsername 和 HTTPProxyPassword 的信息。

病毒庫保存在下列文件中：

/var/lib/clamav/daily.cld
/var/lib/clamav/main.cld
/var/lib/clamav/bytecode.cvd

啟動/啟用 clamav-freshclam.service 或 clamav-freshclam-once.timer 來保持病毒庫為最新。

clamav-freshclam.service 將啟動 freshclam 為守護進程模式，默認每天進行 12 次檢查（每 2 小時一次）。檢查頻率可以在 /etc/clamav/freshclam.conf 中進行修改。

clamav-freshclam-once.timer 將啟動 freshclam 為每天檢查一次。檢查頻率可在 /usr/lib/systemd/system/clamav-freshclam-once.timer 中進行修改。

注意：

以守護進程模式啟動的 freshclam 在每次啟動服務時會進行檢查。
每小時檢查超過 1 次將被 CDN 屏蔽 24 小時。
.timer 單元將遵循計劃配置，與設備重啟或服務重啟無關。

啟動守護進程[編輯 | 編輯原始碼]

該操作將把所有病毒特徵加載到內存中。以 2024 年 2 月為例，這些特徵共將佔用至少 1.6GB 內存空間。在定期更新特徵時，將短時佔用多一倍的內存空間。

注意：

在首次啟動服務前需要先運行 freshclam，否則將出現報錯，並無法正常啟動 ClamAV。
如果你只需要使用獨立掃描器進行掃描，就無需啟動守護進程。更多信息可參考下方的掃描病毒部分。

對應的服務是 clamav-daemon.service。啟動它並啟用使它自動在啟動時運行。

測試[編輯 | 編輯原始碼]

In order to make sure ClamAV and the definitions are installed correctly, scan the EICAR test file (a harmless signature with no virus code) with clamscan.

$ curl https://secure.eicar.org/eicar.com.txt | clamscan -

The output must include:

stdin: Win.Test.EICAR_HDB-1 FOUND

Otherwise; read the Troubleshooting part or ask for help in the Arch Forums.

添加更多病毒庫/特徵庫[編輯 | 編輯原始碼]

ClamAV 可以使用來自其他存儲庫或安全廠商的病毒/特徵庫。

可通過安裝 clamav-unofficial-sigs^AUR（參見 GitHub 描述）或是 python-fangfrisch^AUR（參見線上文檔）來添加最重要的部分。兩者都會添加來自如 MalwarePatrol，SecuriteInfo，Yara，Linux Malware Detect 等著名供應商的特徵/病毒庫。

注意： 必須啟動 clamav-freshclam.service 才能從 ClamAV 鏡像更新官方特徵信息。

選項 #1：配置 Fangfrisch[編輯 | 編輯原始碼]

Fangfrisch 在設計上目標成為更安全，靈活和方便的 clamav-unofficial-sigs 替代品，且無需太多配置（/etc/fangfrisch/fangfrisch.conf）。

最重要的是，與 clamav-unofficial-sigs 不同，Fangfrisch 用不需要以 root 權限運行

通過以下命令創建庫結構：

# sudo -u clamav /usr/bin/fangfrisch --conf /etc/fangfrisch/fangfrisch.conf initdb

啟用 fangfrisch.timer（系統層級）。

選項 #2：配置 clamav-unofficial-sigs[編輯 | 編輯原始碼]

啟用 clamav-unofficial-sigs.timer。

這將根據 /etc/clamav-unofficial-sigs 目錄下的配置文件信息定期更新非官方特徵信息。

可通過如下方法手動更新特徵：

# clamav-unofficial-sigs.sh

可參考 /etc/clamav-unofficial-sigs/user.conf 來修改默認設置。

MalwarePatrol 病毒庫[編輯 | 編輯原始碼]

如果你想使用 MalwarePatrol 病毒庫，需要先在 https://www.malwarepatrol.net/free-guard-upgrade-option^{[失效連結 2023-07-30 ⓘ]} 註冊賬號。

在 /etc/clamav-unofficial-sigs/user.conf 中，修改以下內容來啟用該功能：

malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # 输入收据编号
malwarepatrol_product_code="8" # 免费账号设为 8，高级客户设为 15
malwarepatrol_list="clamav_basic" # clamav_basic 或是 clamav_ext
malwarepatrol_free="yes" # 免费账号设为 yes，高级客户设为 no

來源：https://www.malwarepatrol.net/clamav-configuration-guide/

掃描病毒[編輯 | 編輯原始碼]

有兩種方法進行按需掃描：

使用獨立掃描器[編輯 | 編輯原始碼]

clamscan 可用以掃描文件, 用户目錄亦或是整個系統：

$ clamscan myfile
$ clamscan --recursive --infected /home/archie
# clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /

如果希望 clamscan 刪除感染的文件，請使用 --remove 參數。
使用 -l path/to/file 參數可以將 clamscan 的日誌寫入 log 文件。

如果希望 clamscan 刪除感染的文件，請使用 --remove 參數，也可以使用 --move=/dir 來隔離文件。

你可能會想要 clamscan 掃描大文件，在這一情況下，可將 {{ic|1=--max-filesize=4000M} 和 --max-scansize=4000M 添加到命令中。'4000M' 指的是最大值，可按需降低。

-l /path/to/file 選項將把 clamscan 的日誌輸出為文本文件，方便定位受感染文件。

使用守護進程[編輯 | 編輯原始碼]

clamdscan 與上一選項類似，但使用了守護進程，因此必須要守護進程運行中才能使用。由於守護進程會讀取 /etc/clamav/clamd.conf 中指定的配置，大多數選項都將被忽略。

使用 milter[編輯 | 編輯原始碼]

Milter will scan your sendmail server for email containing virus. Adjust /etc/clamav/clamav-milter.conf to your needs. For example:

/etc/clamav/clamav-milter.conf

MilterSocket /tmp/clamav-milter.socket
MilterSocketMode 660
FixStaleSocket yes
User clamav
MilterSocketGroup clamav
PidFile /run/clamav/clamav-milter.pid
TemporaryDirectory /tmp
ClamdSocket unix:/run/clamav/clamd.ctl
LogSyslog yes
LogInfected Basic

Create /etc/systemd/system/clamav-milter.service:

/etc/systemd/system/clamav-milter.service

[Unit]
Description='ClamAV Milter'
After=clamav-daemon.service

[Service]
Type=forking
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf

[Install]
WantedBy=multi-user.target

Enable and start clamav-milter.service.

For Postfix add the following lines to /etc/postfix/main.cf:

/etc/postfix/main.cf

smtpd_milters = unix:/tmp/clamav-milter.socket
milter_default_action = tempfail

Check journalctl if the permission to access clamav-milter.socket for postfix is set accordingly, if not, add user postfix to group clamav.

OnAccessScan[編輯 | 編輯原始碼]

(Original source: https://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html)

On-access scanning will scan the file while reading, writing or executing it.

警吿： At this point (November 2021), on-access scanning in ClamAV is still immature, you might see unexplained clamd crashes, and containerized processes do not get the protection. Therefore, it is debatable whether it is a security improvement or not. Do not enable it unless regulations, contracts, or your own curiosity force you to do so.

On-access scanning requires the kernel to be compiled with the fanotify kernel module (kernel >= 3.8), which is true for official Arch Linux kernel packages. Check if fanotify has been enabled before enabling on-access scanning.

$ zgrep FANOTIFY /proc/config.gz

First, edit the /etc/clamav/clamd.conf configuration file by adding the following to the end of the file (you can also change the individual options).

警吿： Please note the following warning about clamd port security if changing other parts of the file. Generally use an local unix socket but note that this port is not authenticated or protected. See https://docs.clamav.net/manual/Usage/Scanning.html#clamd-v0101 for more details in the Daemon and then ClamD section.

/etc/clamav/clamd.conf

# Set the mount point where to recursively perform the scan,
# this could be every path or multiple path (one line for path)
OnAccessMountPath /
OnAccessExcludePath /proc
OnAccessExcludePath /run
OnAccessExcludePath /sys

# Alternatively, add some directories instead of mount points
# OnAccessIncludePath /home

# Prevention doesn't work with OnAccessMountPath.
# It works with OnAccessIncludePath, as long as /usr and /etc are not included.
# Including /var while activating prevention is also not recommended, because
# this would slow down package installation by a factor of 1000.
OnAccessPrevention false

# Perform scans on newly created, moved, or renamed files
OnAccessExtraScanning true

# Exclude the UID of the scanner itself from checking, to prevent loops
OnAccessExcludeUname clamav

# Optionally, also exclude root-owned processes
# OnAccessExcludeRootUID true

# Specify an action to perform when clamav detects a malicious file
# it is possible to specify an inline command too
VirusEvent /etc/clamav/virus-event.bash

# WARNING: for security reasons, clamd should NEVER run as root.
# Previous instructions in this wiki included this line, remove it:
# User root    # REMOVE THIS
# Add this instead:
User clamav

Next, allow the clamav user to run notify-send as any user with custom environment variables via sudo:

/etc/sudoers.d/clamav

clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send

Next, create the file /etc/clamav/virus-event.bash, make it executable and add the following:

/etc/clamav/virus-event.bash

#!/bin/bash
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"

# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
    USERID=${ADDRESS#/run/user/}
    /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
        /usr/bin/notify-send -i dialog-warning "Virus found!" "$ALERT"
done

This allows you to change/specify the message when a virus has been detected by clamd's on-access scanning service.

Restart the clamav-daemon.service.

By default, clamonacc passes clamav the names of just-accessed files for scanning. This is a problem, because files inaccessible to the clamav user cannot be scanned this way. Instead, it is possible to instruct clamonacc (which always runs as root) to use file descriptor passing. Edit clamav-clamonacc.service with the following:

[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --log=/var/log/clamav/clamonacc.log

Lastly, you will need to start/enable the clamav-clamonacc.service.

If you get AppArmor denials about clamd, set the profile to a complain-only mode:

# aa-complain clamd

小貼士[編輯 | 編輯原始碼]

使用多線程運行[編輯 | 編輯原始碼]

使用 clamscan[編輯 | 編輯原始碼]

When scanning a file or directory from command line using clamscan only single CPU thread is used. This may be ok in cases when timing is not critical or you do not want computer to become sluggish. If there is a need to scan large directory or USB drive quickly you may want to use all available CPUs to speed up the process.

clamscan is designed to be single-threaded, so xargs can be used to run the scan in parallel:

$ find /home/archie -type f -print0 | xargs -0 -P $(nproc) clamscan

In this example the -P parameter for xargs runs clamscan in as many processes as there are CPUs (reported by nproc) at the same time. --max-lines and --max-args options will allow even finer control of batching the workload across the threads.

使用 clamdscan[編輯 | 編輯原始碼]

If you already have clamd daemon running clamdscan can be used instead (see #Starting the daemon):

$ clamdscan --multiscan --fdpass /home/archie

Here the --multiscan parameter enables clamd to scan the contents of the directory in parallel using available threads. --fdpass parameter is required to pass the file descriptor permissions to clamd as the daemon is running under clamav user and group.

The number of available threads for clamdscan is determined in /etc/clamav/clamd.conf via MaxThreads parameter clamd.conf(5). Even though you may see that the number of MaxThreads specified is more than one (current default is 10), when you start the scan using clamdscan from command line and do not specify --multiscan option, only one effective CPU thread will be used for scanning.

啟用 TCPSocket[編輯 | 編輯原始碼]

If you enable TCPSocket in /etc/clamav/clamd.conf, you must edit clamav-daemon.socket too (see FS#57669). The systemd socket file needs to be configured with a matching port and IP address:

/etc/systemd/system/clamav-daemon.socket.d/override.conf

[Socket]
ListenStream=
ListenStream=/run/clamav/clamd.ctl
ListenStream=127.0.0.1:3310

And finally restart clamav-daemon.socket to see a Clamd binding at TCP port 3310:

# ss -tulpn | grep clamd

tcp   LISTEN 0      4096       127.0.0.1:3310      0.0.0.0:*    users:(("clamd",pid=599,fd=4),("systemd",pid=1,fd=44))

疑難解答[編輯 | 編輯原始碼]

注意： 確保運行 clamscan 的用户擁有病毒庫文件（/var/lib/clamav/*.c?d）的讀取權限。

Error: Clamd was NOT notified[編輯 | 編輯原始碼]

如果你在運行 freshclam 命令之後出現下列信息：

WARNING: Clamd was NOT notified: Cannot connect to clamd through 
/var/lib/clamav/clamd.sock connect(): No such file or directory

為 clamav 添加一個 sock 文件：

警吿： 參考 #OnAccessScan 中的警吿了解 clamd 端口安全的相關信息。

# touch /run/clamav/clamd.ctl
# chown clamav:clamav /run/clamav/clamd.ctl

然後，編輯 /etc/clamav/clamd.conf，去掉該行註釋:

LocalSocket /run/clamav/clamd.ctl

保存文件並重啟 clamav-daemon.service。

Error: No supported database files found[編輯 | 編輯原始碼]

當啟動守護進程時出現下列錯誤信息：

LibClamAV Error: cli_loaddb(): No supported database files found
in /var/lib/clamav ERROR: Not supported data format

This happens because of mismatch between /etc/clamav/freshclam.conf setting DatabaseDirectory and /etc/clamav/clamd.conf setting DatabaseDirectory. /etc/clamav/freshclam.conf pointing to /var/lib/clamav, but /etc/clamav/clamd.conf (default directory) pointing to /usr/share/clamav, or other directory. Edit in /etc/clamav/clamd.conf and replace with the same DatabaseDirectory as in /etc/clamav/freshclam.conf. After that clamav will start up successfully.

Error: Can't create temporary directory[編輯 | 編輯原始碼]

如果提示如下錯誤並給出包含 UID 和 GID 的提示，

# can't create temporary directory

請修改權限：

# chown UID:GID /var/lib/clamav && chmod 755 /var/lib/clamav

參考[編輯 | 編輯原始碼]

Wikipedia:ClamAV

安裝[編輯 | 編輯原始碼]