Outils d'utilisateurs

Outils du Site


clamav

CLAMAV - antivirus - ici POUR UNE DEBIAN LENNY

Sous l'amical piratage du site de palmito ici :
http://palmito-linux.ht.cx/tuto-debian-clamav.html

Quoi? un anti virus sous Linux?! Certains crieront que cela ne sert à rien alors que d'autres soutiendront que nous ne sommes jamais assez prudent…

La seule chose qui me fait installer un anti virus c'est que je déteste participer à la diffusion de saletés (pour rester poli ;-)) sur internet,

 ne pas contaminer mes amis tournant sous windows plus qu'ils ne le sont déjà ;-)

Pour commencer une petite installation :

      # apt-get install clamav

Sans plus de soucis…

Introduction à clamav mode expert

Une erreur commune en matière de sécurité consiste à croire que Gnu-Linux étant peu utilisé, il n'intéresse aucun pirate.
Il ne faut pas oublier que les distributions basées sur GNU/Linux sont utilisées sur une grande partie des serveurs web, et

  constituent de facto une cible privilégiée pour de nombreuses attaques.

L'existence d'antivirus dédiés à Gnu-Linux amène à s'intéresser aux possibilités d'existence et de propagation des virus sous Gnu-Linux.

Configuration de freshclam

Freshclam est la partie de clamav qui met à jour la base de données des Virus.

On édite le fichier freshclam.conf :

 # nano /etc/clamav/freshclam.conf

Ce qui donne :

##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
 
# Comment or remove the line below.
#Example
 
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
 
# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/clamav/freshclam.log
 
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 2M
 
# Log time with each message.
# Default: no
LogTime yes
 
# Enable verbose logging.
# Default: no
LogVerbose yes
 
# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes
 
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
 
# This option allows you to save the process identifier of the daemon
# Default: disabled
PidFile /var/run/freshclam.pid
 
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamav
 
# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes
 
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
DNSDatabaseInfo current.cvd.clamav.net
 
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net
 
# database.clamav.net is a round-robin record which points to our most 
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is 
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net
 
# How many attempts to make before giving up.
# Default: 3 (per mirror)
MaxAttempts 5
 
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
ScriptedUpdates yes
 
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
CompressLocalDatabase yes
 
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
 
# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
 
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
 
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
 
# Send the RELOAD command to clamd.
# Default: no
NotifyClamd /etc/clamav/clamd.conf
 
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
 
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
 
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
 
# Don't fork into background.
# Default: no
#Foreground yes
 
# Enable debug messages in libclamav.
# Default: no
#Debug yes
 
# Timeout in seconds when connecting to database server.
# Default: 30
ConnectTimeout 60
 
# Timeout in seconds when reading from database server.
# Default: 30
ReceiveTimeout 60
 
# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# This feature requires LogTime and LogFile to be enabled in clamd.conf.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf
 
# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code
 
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See http://code.google.com/support/bin/answer.py?answer=70015
# and http://safebrowsing.clamav.net for more information.
# Default: disabled
#SafeBrowsing yes

Configuration de clamav

On édite le fichier clamd.conf :

 # nano /etc/clamav/clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
 
 
# Comment or remove the line below.
#Example
 
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log
 
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
LogFileUnlock yes
 
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 2M
 
# Log time with each message.
# Default: no
LogTime yes
 
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean yes
 
# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes
 
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
 
# Enable verbose logging.
# Default: no
LogVerbose yes
 
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid
 
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /tmp
 
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
 
# The daemon can work in local mode, network mode or both. 
# Due to security reasons we recommend the local mode.
 
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/lib/clamav/clamd.sock
 
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
 
# TCP port address.
# Default: no
#TCPSocket 3310
 
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
#TCPAddr 127.0.0.1
 
# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30
 
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
 
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
StreamMaxLength 10M
 
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
 
# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 20
 
# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 300
 
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
CommandReadTimeout 5
 
# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
SendBufTimeout 200
 
# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
MaxQueue 200
 
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
 
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
ExcludePath ^/proc/
ExcludePath ^/sys/
 
# Maximum depth directories are scanned at.
# Default: 15
MaxDirectoryRecursion 20
 
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
 
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
 
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
 
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
 
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav
 
# Initialize supplementary group access (clamd must be started by root).
# Default: no
#AllowSupplementaryGroups no
 
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
 
# Don't fork into background.
# Default: no
#Foreground yes
 
# Enable debug messages in libclamav.
# Default: no
#Debug yes
 
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
 
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
 
# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
 
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
 
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes
 
 
##
## Executable files
##
 
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
#ScanPE yes
 
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# Default: yes
#ScanELF yes
 
# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes
 
 
##
## Documents
##
 
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# Default: yes
ScanOLE2 yes
 
# This option enables scanning within PDF files.
# Default: yes
ScanPDF yes
 
 
##
## Mail files
##
 
# Enable internal e-mail scanner.
# Default: yes
ScanMail yes
 
# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
#	   Never use it on loaded servers.
# Default: no
MailFollowURLs no
 
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
#	   Never use it on loaded servers.
# Default: no
ScanPartialMessages yes
 
 
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes
 
# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes
 
# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no
 
# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no
 
# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first, 
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
 
##
## Data Loss Prevention (DLP)
##
 
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
 
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
 
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
 
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
 
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
 
 
##
## HTML
##
 
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
ScanHTML yes
 
 
##
## Archives
##
 
# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes
 
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no
 
 
##
## Limits
##
 
# The options below protect your system against Denial of Service attacks
# using archive bombs.
 
# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
MaxScanSize 150M
 
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
MaxFileSize 30M
 
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Value of 0 disables the limit.
# Default: 16
MaxRecursion 10
 
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
MaxFiles 15000
 
 
##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##	    up your system!!!
##
 
# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
# Default: no
#ClamukoScanOnAccess yes
 
# Set access mask for Clamuko.
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes
 
# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line.
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students
 
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#ClamukoExcludePath /home/bofh
 
# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

Mise à jour de la base de données

Tout simplement (en root évidemment) :

 # freshclam

Résultat :

ClamAV update process started at Tue Nov 17 11:19:32 2009
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.2 Recommended version: 0.95.3
DON T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cvd is up to date (version: 10030, sigs: 105552, f-level: 44, builder: guitar)

Pas de panique concernant le warning, cela signifie simplement que vous n'avez pas installé la dernière version de clamav (donc les sources).

Lancement du scan

Scanner le répertoire courant :

 # clamscan 

Scanner tout le système :

 # clamscan -r /

Scanner tout le système et logger :

 # ionice -c3 -n15 nice -n 19 clamscan --infected -r / 2>/dev/null >> /var/log/clamav/analyse.log

On utilise les options :

 On ionice et nice

pour éviter de surcharger notre système, sinon les accès disque augmenteront la charge et le processus clamav va “plomber” notre système.
De plus, on n'affiche que les fichiers infectés !

Résultat pour un répertoire local :

Résultat pour un scan complet :

(oui j'ai plein de virus windows pour les vilains :-P)

Automatisation

Le daemon a besoin de tourner pour mettre la base automatiquement à jour :

 /etc/rc.d/clamav start

Les fichiers de la base de données de virus sont stockés ici :

 /var/lib/clamav/daily.cvd
 /var/lib/clamav/main.cvd

Quelques commandes en vrac :

  • Scanner intégralement sont /home:
      # clamscan -r /home/votre_home
  • Pour supprimer un éventuel fichier infecté:
      # clamscan --remove /le/chemin/du/fichier/infecté
  • Biper sur les virus:
      # clamscan -r --bell /chemin/scan
  • Scanner le disque complet:
      # clamscan -r /

Mise à jour de clamav

La commande pour la mise à jour:

      # freshclam

Petit souci…clamav me retournait à chaque fois le même message d'erreur:

      LibClamAV Warning: **************************************************
      LibClamAV Warning: ***  The virus database is older than 7 days.  ***
      LibClamAV Warning: ***        Please update it IMMEDIATELY!       ***
      LibClamAV Warning: **************************************************

Pourtant il me semblait bien avoir mis à jour clamav avec freshclam o_O'

C'est en faisant quelques recherches que j'ai fait la connaissance de “debian-volatile

Meuh non, rholala… Ça c'est juste un message qui vous dit que vous n'avez pas la dernière version de clamav (typiquement avec gentoo ou à partir des dernières sources pas ce genre de message). Merci gutts !

Debian volatile késako????

Pour résumer vite fait, c'est un dépôt qui va permettre, par exemple à clamav d'avoir sa base de définition de virus à jour

Si ce n'est déjà fait, ajoutez le dépôt volatile pour Lenny/stable :

Suivi d'un p'tit:

      # apt-get update && apt-get upgrade

Votre clamav est maintenant à jour et prêt à inspecter les recoins de votre pc pour ne pas contaminer vos amis windowsiens, qui, soit dit en passant, pourront quand même vous remercier de vous soucier de leurs p'tites santés ;-)

Précisions :

Sous la tutelle de Melodie

On met un antivirus dans les cas suivants :

  • si on a un serveur de fichiers,
  • si on a un serveur mail etc…
  • sur une passerelle auquel accède une autre machine sous Windows,
  • si on a un dual-boot Windows,
Nota :

Pratique, on peut faire une détection de virus sur la partition Ntfs tandis que le système Windows n'est pas actif, et donc si un virus est présent, il ne peut pas se déployer et activer un système de défense destiné à le cacher.

clamassassin

Il existe aussi clamassassin, qui peut être installé en complément:

 # apt-get install clamassassin

http://packages.debian.org/search?keywords=clamassassin&searchon=names&suite=stable&section=all

  Adaptateur de filtre de virus dans des courriels pour ClamAV

clamsmtp

et puis clamsmtp:

 # apt-get install clamsmtp

http://packages.debian.org/search?keywo

  Mandataire SMTP qui vérifie la présence de virus

clamtk

Ainsi que clamtk:

 # apt-get install clamtk

http://packages.debian.org/search?keywords=clamtk&searchon=names&suite=stable&section=all

  Interface graphique pour ClamAV

klamav

et klamav:

 # apt-get install klamav

http://packages.debian.org/search?keywords=klamav&searchon=names&suite=stable&section=all

Interface pour ClamAV sous KDE

Liste complète des paquet Clamav

Une liste complète de tous les paquets associés à Clamav ici : http://packages.debian.org/search?keywords=Clamav&searchon=all&suite=all&section=all

gutts

Ce tuto est très très inspiré de celui du wiki de Debian-Facile ici : CLAMAV

clamav.txt · Dernière modification: 2009/12/31 07:56 par smolski