
ClamAV and URL scanning

How to scan the content of a remote website using Linux and ClamAV.
 
Let's start at the beginning, that is, with installing ClamAV. For example, on CentOS or another RedHat-like distribution:
# yum install clamav.x86_64
 
Next, install the package responsible for automatically updating the signatures used by the scanning engine:
# yum install clamav-update.x86_64
 
Force a download of the current signatures:
# freshclam 
ERROR: Please edit the example config file /etc/freshclam.conf
ERROR: Can't open/parse the config file /etc/freshclam.conf
Oops! In /etc/freshclam.conf we still have to comment out the "Example" line near the top (the shipped file is an example config, and freshclam refuses to run until that marker is gone):
# Comment or remove the line below.
# Example
and run freshclam again:
# freshclam 
ClamAV update process started at Thu Jun 23 09:56:42 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.1 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host database.clamav.net (IP: 212.7.0.71)
Trying host database.clamav.net (62.245.181.53)...
WARNING: getfile: daily-21479.cdiff not found on remote server (IP: 62.245.181.53)
WARNING: getpatch: Can't download daily-21479.cdiff from database.clamav.net
WARNING: getfile: daily-21479.cdiff not found on remote server (IP: 157.25.5.183)
WARNING: getpatch: Can't download daily-21479.cdiff from database.clamav.net
Trying host database.clamav.net (130.133.110.67)...
WARNING: getfile: daily-21479.cdiff not found on remote server (IP: 130.133.110.67)
WARNING: getpatch: Can't download daily-21479.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
WARNING: Mirror 217.18.205.108 is not synchronized.
Trying again in 5 secs...
ClamAV update process started at Thu Jun 23 09:57:24 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.1 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Trying host database.clamav.net (157.25.5.183)...
WARNING: getfile: daily-21479.cdiff not found on remote server (IP: 157.25.5.183)
WARNING: getpatch: Can't download daily-21479.cdiff from database.clamav.net
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host database.clamav.net (IP: 158.129.196.3)
Trying host database.clamav.net (85.254.217.235)...
WARNING: getfile: daily-21479.cdiff not found on remote server (IP: 85.254.217.235)
WARNING: getpatch: Can't download daily-21479.cdiff from database.clamav.net
WARNING: getfile: daily-21479.cdiff not found on remote server (IP: 195.30.97.3)
WARNING: getpatch: Can't download daily-21479.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host database.clamav.net (IP: 158.129.196.3)
Trying host database.clamav.net (62.245.181.53)...
Downloading daily.cvd [100%]
daily.cvd updated (version: 21775, sigs: 335268, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 281, sigs: 51, f-level: 63, builder: neo)
ERROR: Corrupted database file /var/lib/clamav/main.cvd: Can't verify database integrity
Corrupted database file renamed to /var/lib/clamav/main.cvd.broken
Trying again in 5 secs...
ClamAV update process started at Thu Jun 23 09:58:53 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.1 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
Downloading main.cvd [100%]
main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 21775, sigs: 335268, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 281, sigs: 51, f-level: 63, builder: neo)
Database updated (4554109 signatures) from database.clamav.net (IP: 195.30.97.3)
That went much better 🙂 The noise above is normal for a first update: one mirror was out of sync, the incremental .cdiff patch was missing on several mirrors (so freshclam fell back to downloading the full daily.cvd), and a main.cvd that failed its integrity check was renamed to main.cvd.broken and re-downloaded on the next retry. The final line is what matters: 4554109 signatures, database updated. The "OUTDATED" warning only concerns the engine version shipped by the distribution, not the signatures.
 
As a first example, let's scan the /home directory recursively,
# clamscan -r /home/
then the same recursive scan of /home, but reporting only infected files (option -i):
# clamscan -r -i /home/
And finally, time for the scan from the title: scanning a site given its URL.
Using wget we recursively download the whole site from an example URL; in this example the content is saved under /tmp/www.majcher.net/ (-r recurses, -H -D majcher.net allows following links to other hosts but only within that domain, -p also fetches page requisites such as images and stylesheets, and -e robots=off ignores robots.txt so that nothing is skipped):
$ wget -e robots=off -r -H -D majcher.net --random-wait -p -P /tmp/www.majcher.net http://www.majcher.net
and then scan what we just saved, exactly as before:
$ clamscan -r -i /tmp/www.majcher.net/
/tmp/www.majcher.net/majcher.net/wp-content/uploads/2016/06/eicar_com.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4548716
Engine version: 0.99.1
Scanned directories: 159
Scanned files: 237
Infected files: 1
Data scanned: 10.59 MB
Data read: 9.89 MB (ratio 1.07:1)
Time: 8.147 sec (0 m 8 s)
 
If you do this often, it is worth putting the domain in a variable and collapsing the whole thing into a single line of bash, e.g.:
$ DOMAIN=majcher.net; wget -e robots=off -r -H -D $DOMAIN --random-wait -p -P /tmp/$DOMAIN http://www.$DOMAIN ; clamscan -r -i /tmp/$DOMAIN
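The one-liner above runs clamscan regardless of how wget finished, and it leaves reading the report to the human. The script below is an added example, not code from the original post: it wraps the same wget and clamscan invocations in a function that checks both tools' exit codes and extracts the verdict from the clamscan report. The function names (scan_url, count_infected, found_paths, sample_report) are this example's own, and it assumes wget and clamscan are on PATH. The sample report at the bottom is constructed from the post's own clamscan output so the parsing helpers can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not the original post's one-liner): mirror a site with wget,
# scan the copy with clamscan, and turn the clamscan report into a verdict.
# Function names (scan_url, count_infected, found_paths) are this example's own.
set -u

# Number of infected files taken from a clamscan report read on stdin.
# Prints -1 when no "Infected files:" summary line is present
# (e.g. clamscan was killed before printing its SCAN SUMMARY).
count_infected() {
    awk '/^Infected files:/ { n = $3 } END { print (n == "" ? -1 : n) }'
}

# Paths clamscan flagged, one per line, taken from the
# "<path>: <Signature> FOUND" lines of a report read on stdin.
found_paths() {
    sed -n 's/: [^:]* FOUND$//p'
}

# Mirror http://www.<domain> into <dest> (default /tmp/<domain>) and scan it.
# Exit status follows clamscan's convention: 0 clean, 1 infected, 2 error.
scan_url() {
    local domain="$1"
    local dest="${2:-/tmp/$domain}"
    local report="$dest.clamscan.txt"
    local rc infected

    # Same wget options as in the post. wget exits 8 when the server answered
    # an error for some URL (a single 404 in a recursive fetch does that), so
    # treat 0 and 8 as "mirror usable" and anything else as a failed fetch.
    wget -e robots=off -r -H -D "$domain" --random-wait -p -P "$dest" "http://www.$domain"
    rc=$?
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 8 ]; then
        echo "wget failed (exit $rc); refusing to scan a partial mirror" >&2
        return 2
    fi

    # -r recurse, -i report only infected files. Archives such as the post's
    # eicar_com.zip are unpacked and scanned by default.
    clamscan -r -i "$dest" > "$report"
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "clamscan reported an error, see $report" >&2
        return 2
    fi

    infected=$(count_infected < "$report")
    echo "$domain: $infected infected file(s) under $dest (report: $report)"
    found_paths < "$report"
    if [ "$infected" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample report, modelled on the post's own clamscan output, so the
# parsing helpers can be exercised without network access or a ClamAV install.
sample_report() {
    cat <<'EOF'
/tmp/www.majcher.net/majcher.net/wp-content/uploads/2016/06/eicar_com.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4548716
Engine version: 0.99.1
Scanned directories: 159
Scanned files: 237
Infected files: 1
Data scanned: 10.59 MB
Data read: 9.89 MB (ratio 1.07:1)
Time: 8.147 sec (0 m 8 s)
EOF
}

# Usage: ./scan_url.sh majcher.net [/tmp/majcher.net]
if [ "$#" -gt 0 ]; then
    scan_url "$@"
fi
```

Two caveats worth keeping in mind when reading the result. First, the mirror contains only what wget was served: content delivered conditionally (by User-Agent, Referer, cookie or geography) or assembled in the browser by JavaScript is not in the copy, so a clean scan means "nothing ClamAV recognised in a static fetch", not that the site is clean. Second, the exit code is deliberately kept at clamscan's 0/1/2 convention so the function drops straight into cron or CI, where 1 (something found) and 2 (the scan itself failed) should be treated differently.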

And here is a link to the test signature: eicar_com
