Installing and using ClamAV online on Deepin

20200220

References:

ClamAV

Using antivirus software on Linux

Hands-on: a complete Linux virus scan and clean-up with clamav

How to scan for viruses with ClamAV

Virus scanning and removal with ClamAV

clamtk: an easy-to-use, lightweight on-demand virus scanner for Linux

Installing ClamAV on CentOS 7 for virus scanning and removal

 

Official downloads (packages for offline installation):

http://www.clamav.net/downloads

https://github.com/dave-theunsub/clamtk

https://github.com/dave-theunsub/clamtk-gnome

 

Purpose:

Install and use ClamAV on Linux, mainly to scan for Windows malware: scanning a Windows installation from inside Windows is subject to too much interference from the running system (an active infection can hide from or block the scanner), while a scan from a separate Linux system looks at the files at rest.

 

Installing ClamAV online on Deepin 15.11:

sudo apt-get install clamav-daemon clamav-docs libclamunrar7

Notes:

1. clamav-daemon: installs the clamd daemon, which runs under a dedicated unprivileged 'clamav' account set up by the package scripts. Recommended.

clamav-docs: the ClamAV documentation. Optional.

libclamunrar7: lets ClamAV look inside RAR archives (the RAR unpacker is packaged separately because of its licence). Recommended.

All other dependencies are pulled in automatically by apt-get install.

2. Default configuration file locations:

/etc/clamav/clamd.conf

/etc/clamav/freshclam.conf

3. Default log file locations (writing to them requires root privileges):

/var/log/clamav/clamav.log

/var/log/clamav/freshclam.log

4. Drawback: the command-line scanner shows no progress percentage.

 

After installing, the signature database must be updated, otherwise the scanner has nothing to match against:

sudo freshclam

Note: on Debian-based systems the clamav-freshclam service is normally started by the package and refreshes the database in the background (see "Checks 24" in freshclam.conf below). While it is running, a manual freshclam fails because the log file and database are locked by the daemon; either stop the clamav-freshclam service, run freshclam, and start it again, or simply wait for the next automatic update.

 

Scanning from the command line:

clamscan -r /path/to/scan
clamscan -r --bell -i /path/to/scan
clamscan -r --bell -i /path/to/scan -l /path/to/logfile
clamscan -r --bell -i -o /path/to/scan -l /path/to/logfile

-r  scan directories recursively

--bell  ring the terminal bell when a virus is detected

-i  only print infected files

-l  write the scan report to the given log file (clamscan creates the file itself, but the directory must be writable by the user running the scan)

-o  suppress the "OK" lines for clean files

--remove  delete infected files (not recommended: there is no undo, and a false positive is gone for good)

--move  move infected files into the given directory (quarantine; preferable to --remove, since a file can be restored or submitted for analysis)

--quiet  only output error messages

Archives (zip, and rar when libclamunrar7 is installed) are unpacked and scanned by default; in the version shown below this is controlled by --scan-archive[=yes/no], not by a separate --unzip/--unrar option.

Note: check whether writing the chosen log file requires root; if it does (for example under /var/log/clamav), prefix the command with sudo, or simply point -l at a file in your home directory.
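The install, update and scan steps above put into one script, as an added example that is not from the original post: it writes the EICAR test file so the scan has something to find, logs to a user-writable file so no sudo is needed, quarantines with --move instead of --remove, and interprets clamscan's exit status (0 = clean, 1 = infected, 2 = error, as documented in clamscan(1)). The scan root, quarantine and log paths are assumptions; the real scan only runs when clamscan is installed and RUN_SCAN=1 is set, so the helper functions can be exercised on a machine without ClamAV.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumptions: clamscan is on
# PATH, and the three paths below are writable by the current user.
SCAN_ROOT="${1:-$HOME/scan-me}"                 # directory to scan (assumed)
QUARANTINE="${QUARANTINE:-$HOME/quarantine}"    # --move target (assumed)
LOGFILE="${LOGFILE:-$HOME/clamscan.log}"        # user-owned, so no sudo needed

# clamscan exit status, per clamscan(1):
#   0 = no virus found, 1 = virus(es) found, 2 = an error occurred.
describe_exit() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Write the EICAR test string (the standard, harmless AV test file, 68 bytes)
# so the scan has a guaranteed detection. It is printed in two halves so this
# script itself does not contain the full signature.
write_eicar() {
    # $1 = output path
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' \
        'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

run_scan() {
    mkdir -p "$SCAN_ROOT" "$QUARANTINE"
    write_eicar "$SCAN_ROOT/eicar.com"
    status=0
    # -r recurse, -i/-o print only infected files, -l log to a file we own,
    # --move quarantine instead of --remove, and never rescan the quarantine.
    clamscan -r -i -o --bell "--log=$LOGFILE" "--move=$QUARANTINE" \
        "--exclude-dir=^$QUARANTINE" "$SCAN_ROOT" || status=$?
    echo "scan result: $(describe_exit "$status") (exit $status)"
    echo "quarantined files:"
    ls -l "$QUARANTINE"
    return "$status"
}

# Only run a real scan when clamscan is installed and explicitly requested.
if command -v clamscan >/dev/null 2>&1 && [ "${RUN_SCAN:-0}" = 1 ]; then
    run_scan
fi
```

Run it as `RUN_SCAN=1 sh scan.sh /path/to/scan`; the EICAR file is reported as Eicar-Test-Signature and lands in the quarantine directory, and the script's own exit status is 1, which is what a cron job or CI step should treat as "needs attention", not as a failure of the scanner.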

 

Installing a third-party GUI, ClamTK:

sudo apt-get install clamtk clamtk-gnome

 

Scanning with ClamTK:

sudo clamtk

Notes:

1. The default log file requires root privileges to write, hence running ClamTK under sudo. Running a GUI as root is best avoided where possible; ClamTK works as an ordinary user when scanning directories that user can read.

2. After installing clamtk-gnome, restart Nautilus (nautilus -q) so the context-menu entry appears; the extension has no effect in Deepin File Manager.

3. Advantage: it shows the number of files scanned and a percentage. Drawbacks: after a scan under sudo nothing appears in the history (ClamTK keeps its history per user, so under sudo it is written under root's home directory rather than yours); one window can run only one scan at a time; no details are shown.

 

 

PS:

Full command syntax

clamscan -h
                       Clam AntiVirus: Scanner 0.100.2
           By The ClamAV Team: https://www.clamav.net/about.html#credits
           (C) 2007-2018 Cisco Systems, Inc.

    clamscan [options] [file/directory/-]

    --help                -h             Show this help
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --archive-verbose     -a             Show filenames inside scanned archives
    --debug                              Enable libclamav's debug messages
    --quiet                              Only output error messages
    --stdout                             Write to stdout instead of stderr
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --suppress-ok-results -o             Skip printing OK files
    --bell                               Sound bell on virus detection

    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]            Do not remove temporary files
    --gen-json[=yes/no(*)]               Generate JSON description of scanned file(s). JSON will be printed and also-
                                         dropped to the temp directory if --leave-temps is enabled.
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load all supported db files from DIR
    --official-db-only[=yes/no(*)]       Only load official signatures
    --log=FILE            -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
    --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
    --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
    --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
    --file-list=FILE      -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                 Remove infected files. Be careful!
    --move=DIRECTORY                     Move infected files into DIRECTORY
    --copy=DIRECTORY                     Copy infected files into DIRECTORY
    --exclude=REGEX                      Don't scan file names matching REGEX
    --exclude-dir=REGEX                  Don't scan directories matching REGEX
    --include=REGEX                      Only scan file names matching REGEX
    --include-dir=REGEX                  Only scan directories matching REGEX

    --bytecode[=yes(*)/no]               Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
    --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
    --exclude-pua=CAT                    Skip PUA sigs of category CAT
    --include-pua=CAT                    Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N             Min SSN count to generate a detect
    --structured-cc-count=N              Min CC count to generate a detect
    --scan-mail[=yes(*)/no]              Scan mail files
    --phishing-sigs[=yes(*)/no]          Signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
    --phishing-ssl[=yes/no(*)]           Always block (flag) SSL mismatches in URLs (phishing module)
    --phishing-cloak[=yes/no(*)]         Always block (flag) cloaked URLs (phishing module)
    --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics
    --algorithmic-detection[=yes(*)/no]  Algorithmic detection
    --normalize[=yes(*)/no]              Normalize html, script, and text files. Use normalize=no for yara compatibility
    --scan-pe[=yes(*)/no]                Scan PE files
    --scan-elf[=yes(*)/no]               Scan ELF files
    --scan-ole2[=yes(*)/no]              Scan OLE2 containers
    --scan-pdf[=yes(*)/no]               Scan PDF files
    --scan-swf[=yes(*)/no]               Scan SWF files
    --scan-html[=yes(*)/no]              Scan HTML files
    --scan-xmldocs[=yes(*)/no]           Scan xml-based document files
    --scan-hwp3[=yes(*)/no]              Scan HWP3 files
    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
    --detect-broken[=yes/no(*)]          Try to detect broken executable files
    --block-encrypted[=yes/no(*)]        Block (flag) encrypted archives
    --block-macros[=yes/no(*)]           Block (flag) OLE2 files with VBA macros
    --block-max[=yes/no(*)]              Block (flag) files that exceed max file size, max scan size, or max recursion limit
    --nocerts                            Disable authenticode certificate chain verification in PE files
    --dumpcerts                          Dump authenticode certificate chain in PE files

    --max-filesize=#n                    Files larger than this will be skipped and assumed clean
    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
    --max-files=#n                       The maximum number of files to scan for each container file (**)
    --max-recursion=#n                   Maximum archive recursion level for container file (**)
    --max-dir-recursion=#n               Maximum directory recursion level
    --max-embeddedpe=#n                  Maximum size file to check for embedded PE
    --max-htmlnormalize=#n               Maximum size of HTML file to normalize
    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n             Maximum size of script file to normalize
    --max-ziptypercg=#n                  Maximum size zip to type reanalyze
    --max-partitions=#n                  Maximum number of partitions in disk image to be scanned
    --max-iconspe=#n                     Maximum number of icons in PE file to be scanned
    --max-rechwp3=#n                     Maximum recursive calls to HWP3 parsing function
    --pcre-match-limit=#n                Maximum calls to the PCRE match function.
    --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.
    --pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matching.
    --disable-cache                      Disable caching and cache checks for hash sums of scanned files.

Pass in - as the filename for stdin.

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
   files inside. The above options ensure safe processing of this kind of data.

 

Configuration files:

vi /etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000

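An added example, not from the original post, that audits the clamd.conf shown above for the handful of settings that matter most when the goal is catching Windows malware, prints the weak line next to the recommended one, and writes a hardened copy. The sample config is constructed inline from the values on this page; the recommended values are the editor's suggestions for this use case, not ClamAV defaults, and two of them (DetectPUA, OLE2BlockMacros) will raise the false-positive rate.

```shell
#!/bin/sh
# Added example (not part of the original post). Audits a clamd.conf for
# settings relevant to scanning Windows malware and writes a hardened copy.

# Constructed sample: the relevant lines from the Debian default clamd.conf.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 666
User clamav
ArchiveBlockEncrypted false
DetectPUA false
OLE2BlockMacros false
DetectBrokenExecutables false
MaxFileSize 25M
MaxScanSize 100M
EOF

# conf_get FILE KEY -> value of the first non-comment "KEY value" line.
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check FILE KEY RECOMMENDED REASON -> prints a finding if KEY != RECOMMENDED.
check() {
    cur="$(conf_get "$1" "$2")"
    if [ "$cur" != "$3" ]; then
        printf '%s %s -> %s %s  (%s)\n' "$2" "${cur:-<unset>}" "$2" "$3" "$4"
    fi
}

# audit_conf FILE -> one line per weak setting, current value -> recommended.
audit_conf() {
    check "$1" LocalSocketMode 660 \
        "666 lets any local user drive clamd, including RELOAD and SHUTDOWN"
    check "$1" DetectPUA true \
        "adware, toolbars and hacktools on Windows hosts are PUA, not malware"
    check "$1" OLE2BlockMacros true \
        "flag every Office document carrying VBA macros for manual review"
    check "$1" ArchiveBlockEncrypted true \
        "password-protected archives cannot be scanned; flag rather than skip"
    check "$1" DetectBrokenExecutables true \
        "malformed PE/ELF headers are a common loader/packer trick"
}

# audit_count FILE -> number of findings.
audit_count() {
    audit_conf "$1" | wc -l | tr -d ' '
}

# harden_conf IN OUT -> rewrite the five keys above, keep everything else.
harden_conf() {
    sed -e 's/^LocalSocketMode .*/LocalSocketMode 660/' \
        -e 's/^DetectPUA .*/DetectPUA true/' \
        -e 's/^OLE2BlockMacros .*/OLE2BlockMacros true/' \
        -e 's/^ArchiveBlockEncrypted .*/ArchiveBlockEncrypted true/' \
        -e 's/^DetectBrokenExecutables .*/DetectBrokenExecutables true/' \
        "$1" > "$2"
}

echo "findings in $SAMPLE_CONF:"
audit_conf "$SAMPLE_CONF"
# Note: MaxFileSize 25M means larger files are skipped and assumed clean
# (see --max-filesize in the help output); raise it when scanning installers.
```

The same switches exist for a one-off clamscan run: --detect-pua, --block-macros, --block-encrypted and --detect-broken from the help output above. After editing the real /etc/clamav/clamd.conf, restart the clamav-daemon service for it to take effect; with LocalSocketMode 660 the socket is only reachable by members of the clamav group, so add your user to that group or clamdscan will no longer connect. Since clamd is installed anyway, clamdscan --fdpass is noticeably faster than clamscan, which reloads the whole signature database on every invocation.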
 

vi /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

 

PS:

1. Some files that Avast and Symantec on Windows did not flag were flagged by ClamAV, so treat the results as a reference only; check the detection name (heuristic and PUA names in particular) before deleting anything.

2. If in doubt, submit the file to a multi-engine scanner: https://www.virscan.org/language/zh-cn/
