建立内网Linux防病毒系统

ClamAV本来是为了Postfix邮件网关而开发的防毒软件，主要目的是对邮件队列里面的邮件进行病毒查杀。然后，这个防毒模块独立出来成为一个提供病毒、恶意软件、蠕虫的查杀能力的开源软件，成为了Linux环境下实现文件安全的主要选择。�

部署ClamAV

添加EPEL源

# ClamAV的RHEL/CentOS源是直接用epel来发布的
yum cleanall
yum makecache
yum install -y git python3-pip
yum install -y epel-release

# 添加华为云源
sed -i "s/#baseurl/baseurl/g" /etc/yum.repos.d/epel.repo
sed -i "s/metalink/#metalink/g" /etc/yum.repos.d/epel.repo
sed -i "s@https\?://download.example/pub@https://repo.huaweicloud.com@g" /etc/yum.repos.d/epel.repo

yum makecache
yum upgrade -y

安装ClamAV

yum install -y clamav clamav-update clamd

启动服务

# 刷新服务列表
systemctl daemon-reload
# 启动自动更新病毒库,默认更新周期是每月一次
systemctl enable clamav-freshclam.service
# 启动扫描服务
systemctl enable clamd@scan.service

建立内部病毒特征库

部署cvdupdate

# 安装Nginx
# 配置站点目录为/var/www
yum install -y nginx
mkdir -p /var/www
chown nginx:nginx /var/www

# cvdupdate是思科公司(这个思科就是那个思科)开发的一个ClamAV病毒库镜像工具
pip3 install cvdupdate
# 执行病毒库存储位置
cvd config set --dbdir /var/www
# 修改官方源为亚马逊的S3镜像
sed -i "s@https://database.clamav.net@https://pivotal-clamav-mirror.s3.amazonaws.com@g" ~/.cvdupdate/config.json

cvd update
2021-07-09 17:28:06 cvdupdate-1.0.2 INFO main.cvd is up-to-date. Version: 59
2021-07-09 17:28:06 cvdupdate-1.0.2 INFO daily.cvd is up-to-date. Version: 26225
2021-07-09 17:28:06 cvdupdate-1.0.2 INFO bytecode.cvd is up-to-date. Version: 333

配置CLamAV

添加内网更新源

# 默认使用https，若使用http协议需要写明http://xxx.yyy.zzz，否则则不需要
sed -i "s@database.clamav.net@http://192.168.248.150/clamav@g" /etc/freshclam.conf

[root@elasticnode1 ~]# freshclam
ClamAV update process started at Fri Jul  9 18:29:37 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.2 Recommended version: 0.103.3
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
daily database available for download (remote version: 26225)
Time:    0.5s, ETA:    0.0s [========================>]  102.43MiB/102.43MiB
Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-4cfdfa4231c3496ffee7793166ed2602.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26225, sigs: 3994327, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time:    0.5s, ETA:    0.0s [========================>]  112.40MiB/112.40MiB
Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-cf8d5312f458ec6b897d0fbb3af11892.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time:    0.0s, ETA:    0.0s [========================>]  286.79KiB/286.79KiB
Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-e205410803d9f55beb3855e58f5ec7d2.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)

# 启动更新服务
systemctl start clamav-freshclam.service

配置ClamAV服务

# 创建日志文件
touch /var/log/clamd.scan

# 修改clamd配置文件
sed -i 's/#LogFile \/var/LogFile \/var/g' /etc/clamd.d/scan.conf
sed -i 's/#LocalSocket \/run/LocalSocket \/run/g' /etc/clamd.d/scan.conf
sed -i 's/#LocalSocketMode/LocalSocketMode/g' /etc/clamd.d/scan.conf

# 启动服务
systemctl start clamd@scan.service

功能测试

# 下载测试病毒包
wget http://www.eicar.org/download/eicar.com

# 手动查杀
clamscan --infected --remove --recursive .
# 结果
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/eicar.com: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 8543862
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 9
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 17.424 sec (0 m 17 s)
Start Date: 2021:07:09 18:45:02
End Date:   2021:07:09 18:45:19

与Wazuh结合

安装Wazuh Agent

Wazuh默认自带clamav的规则和解码器，所以只要安装wazuh-agent即可。
Kibana展示