In a simple setup, scans are run periodically from cron or similar.

It can also be integrated with Postfix or sendmail to scan mail.

Installation follows the official documentation:

http://www.clamav.net/documents/installing-clamav#rhel


Install from the EPEL repository. For setting up the EPEL repository, see here.

# yum --enablerepo=epel install clamav clamav-data clamav-devel clamav-scanner-systemd clamav-server-systemd clamd clamav-update

 

Perform the initial configuration.

/etc/clamd.d/scan.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example       ← comment out

 ・
 ・

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes   ← uncomment

# TCP port address.
# Default: no
TCPSocket 3310     ← uncomment

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
TCPAddr 127.0.0.1   ← uncomment

・
・

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
ExcludePath ^/proc/  ← uncomment
ExcludePath ^/sys/   ← uncomment

・
・

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User root       ← change from the clamscan user to root

 

Configure multiple download sources for the database.

/etc/freshclam.conf
・
・
# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror db.local.clamav.net     ← added
DatabaseMirror database.clamav.net
DatabaseMirror db.us.clamav.net       ← added
・
・

 

An outdated virus database produces a warning, so update it to the latest version.

# freshclam
ClamAV update process started at Fri Sep  7 22:14:55 2018
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 24910, sigs: 2077810, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6644150 signatures) from database.clamav.net (IP: 104.16.187.138)
#

 

Start clamd and enable it at boot.

# systemctl start clamd@scan
# systemctl enable clamd@scan
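With TCPAddr 127.0.0.1 and TCPSocket 3310 from scan.conf, the running daemon can be exercised directly over the clamd protocol instead of only through clamscan. The following is an added example, not code from the page or the ClamAV project; it assumes those address and port values and a clamd that is already started. frame_instream builds an INSTREAM request (NUL-terminated command, length-prefixed chunks, zero-length terminator), parse_reply maps the daemon's answer to a verdict, and scan_file submits a file such as the eicar.com downloaded further down the page.

```python
import socket
import struct

# Assumed from the scan.conf settings above: clamd listens on TCPAddr 127.0.0.1,
# TCPSocket 3310. Adjust if the daemon is configured differently.
CLAMD_HOST = "127.0.0.1"
CLAMD_PORT = 3310
CHUNK_SIZE = 64 * 1024  # per-chunk size; the whole stream must stay under StreamMaxLength


def frame_instream(data, chunk_size=CHUNK_SIZE):
    """Wire bytes for one INSTREAM request: the NUL-terminated command, then
    chunks of <4-byte big-endian length><payload>, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk terminates the stream
    return bytes(out)


def parse_reply(reply):
    """Map a reply such as b'stream: Eicar-Test-Signature FOUND\\0' to
    (verdict, detail): ('FOUND', signature), ('OK', None) or ('ERROR', message)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    head, sep, tail = text.partition(": ")
    result = tail if sep else head
    if result.endswith(" FOUND"):
        return "FOUND", result[:-len(" FOUND")]
    if result == "OK":
        return "OK", None
    return "ERROR", result  # e.g. a StreamMaxLength violation or a parse error


def clamd_request(payload, host=CLAMD_HOST, port=CLAMD_PORT, timeout=60):
    """Send one command and read until clamd closes the connection, which it
    does after answering a single (non-session) command."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        parts = []
        while chunk := sock.recv(4096):
            parts.append(chunk)
    return b"".join(parts)


def ping(host=CLAMD_HOST, port=CLAMD_PORT):
    """True when the listener answers zPING with PONG."""
    return clamd_request(b"zPING\0", host, port).startswith(b"PONG")


def scan_file(path, host=CLAMD_HOST, port=CLAMD_PORT):
    """Stream a file to clamd and return parse_reply's (verdict, detail)."""
    with open(path, "rb") as fh:
        return parse_reply(clamd_request(frame_instream(fh.read()), host, port))
```

Calling `ping()` confirms the 127.0.0.1:3310 listener, and `scan_file("/tmp/eicar.com")` returns `('FOUND', 'Eicar-Test-Signature')` on the test file without clamscan touching the file.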

 

If the log shows "ScanOnAccess: Internal error (failed to read data) ... Permission denied", also check SELinux.

 

Try running a virus scan.

# clamscan --infected --remove --recursive /tmp

----------- SCAN SUMMARY -----------
Known viruses: 6638459
Engine version: 0.100.1
Scanned directories: 2
Scanned files: 3
Infected files: 3
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 16.339 sec (0 m 16 s)
#

 

/etc/cron.d/clamav-update is added automatically. Its contents show that the database is checked for updates every 3 hours.

/etc/cron.d/clamav-update
## Adjust this line...
MAILTO=root

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamupdate' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep

 

 

Place a test virus file and run a test scan.

# cd /tmp
# curl -O https://www.eicar.org/download/eicar.com
# clamscan --infected --remove --recursive /tmp
/tmp/eicar.com: Eicar-Test-Signature FOUND
/tmp/eicar.com: Removed.
/tmp/test/eicar.com: Eicar-Test-Signature FOUND
/tmp/test/eicar.com: Removed.
/tmp/eicar.com.1: Eicar-Test-Signature FOUND
/tmp/eicar.com.1: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 6638459
Engine version: 0.100.1
Scanned directories: 2
Scanned files: 3
Infected files: 3
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 16.339 sec (0 m 16 s)
#

 

Enable real-time scanning. When a virus is found, this does not repair or delete the file; it only writes to the log. To delete the file, a manual scan is required.

/etc/clamd.d/scan.conf



##
## On-access Scan Settings
##

# Enable on-access scanning. Currently, this is supported via fanotify.
# Clamuko/Dazuko support has been deprecated.
# Default: no
ScanOnAccess yes        ← uncomment

# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt the DDD system. This will notify
# only. It can be used multiple times.
# (On-access scan only)
# Default: disabled
OnAccessMountPath /       ← uncomment
#OnAccessMountPath /home/user

# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
OnAccessMaxFileSize 0      ← uncomment and set to 0

# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line. (On-access scan only)
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
# (On-access scan only)
# Default: disabled
#OnAccessExcludePath /home/bofh

# With this option you can whitelist the root UID (0). Processes run under
# root will be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no


 

Restart clamd.

# systemctl restart clamd@scan
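Because the on-access scanner only logs what it finds, the operator's side of the loop is reading that log. The following is an added example, not code from the page or the ClamAV project: it parses constructed sample lines written in clamd's log layout (the "timestamp -> message" form produced with LogTime enabled is assumed), pulls out FOUND events and ScanOnAccess errors such as the Permission denied case noted above, and folds repeated hits on the same path into one record to act on.

```python
import re

# Constructed sample of clamd's log (/var/log/clamd.scan on this setup) with LogTime
# enabled, so each entry reads "<timestamp> -> <message>". On-access hits are the
# "<path>: <signature> FOUND" lines; the file itself is left in place.
SAMPLE_LOG = """\
Fri Sep  7 22:30:01 2018 -> SelfCheck: Database status OK.
Fri Sep  7 22:30:02 2018 -> ScanOnAccess: Internal error (failed to read data) ... Permission denied
Fri Sep  7 22:31:12 2018 -> /tmp/eicar.com: Eicar-Test-Signature FOUND
Fri Sep  7 22:31:12 2018 -> /tmp/test/eicar.com: Eicar-Test-Signature FOUND
Fri Sep  7 22:31:13 2018 -> /home/user/notes.txt: OK
Fri Sep  7 22:31:40 2018 -> /tmp/eicar.com: Eicar-Test-Signature FOUND
"""

LINE_RE = re.compile(r"^(?:(?P<ts>.+?) -> )?(?P<msg>.*)$")
FOUND_RE = re.compile(r"^(?P<path>/.+?): (?P<sig>\S+) FOUND$")


def parse_log(text):
    """Split each log line into (timestamp, message); timestamp is None if absent."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        rows.append((m.group("ts"), m.group("msg")))
    return rows


def detections(text):
    """One (timestamp, path, signature) tuple per FOUND line, in log order."""
    hits = []
    for ts, msg in parse_log(text):
        m = FOUND_RE.match(msg)
        if m:
            hits.append((ts, m.group("path"), m.group("sig")))
    return hits


def on_access_errors(text):
    """ScanOnAccess error messages, e.g. the Permission denied case that points at SELinux."""
    return [msg for _, msg in parse_log(text)
            if msg.startswith("ScanOnAccess:") and "error" in msg.lower()]


def summarize(hits):
    """Collapse repeated hits on one path (on-access fires on every open) into a
    per-path record, so an operator has one item per file to clean up manually."""
    by_path = {}
    for ts, path, sig in hits:
        rec = by_path.setdefault(path, {"signature": sig, "first_seen": ts, "events": 0})
        rec["events"] += 1
    return by_path
```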

 

Reference: https://www.server-memo.net/server-setting/clamav/epel-clamav-install.html