ClamAV antivirus + milter setup

ClamAV is an open-source antivirus solution in very wide use.

ClamAV (libclamav, served by the clamd daemon) is the core scanning engine; clamav-milter is a sendmail milter plugin that feeds the text and attachments of every message passing through the sendmail MTA to that engine and lets sendmail act on the verdict.

On distributions such as CentOS and Fedora, installing and starting it is as simple as yum -y install clamav*,

but this page builds and installs clamav-0.94.2 from the distributed source tarball. Note that 0.94.2 has long been unsupported; the layout below carries over to current releases, but the clamav-milter command-line options shown in step 6 belong to the 0.9x milter (from 0.95 on the milter is configured through clamav-milter.conf instead), so use a current release and its documentation for any real deployment.


1. Download and compile the package

    Unpack the clamav-0.94.2 source tarball and run the following inside the extracted directory. --enable-milter needs the sendmail libmilter headers and library (the sendmail-devel package on CentOS/Fedora); without them configure complains that libmilter is missing.

    [root@localhost root]# ./configure --prefix=/usr/local/clamav --enable-milter

    [root@localhost root]# make && make install

    Everything is now installed under /usr/local/clamav: the binaries in bin/ and sbin/, and the example clamd.conf and freshclam.conf in etc/. clamd and freshclam below drop privileges to a user named clamav, so that account (and its group) must exist before they are started.


2. ClamAV configuration

The two files are long, so create (or edit) each file under /usr/local/clamav/etc/ so that it matches the listing below. Both are the stock example files installed by make install with a handful of active directives: in clamd.conf the Example line is commented out (clamd refuses to start while it is present) and LogFile, LogTime, LogClean, DatabaseDirectory, LocalSocket and User are set; in freshclam.conf DatabaseDirectory, UpdateLogFile and DatabaseMirror are set. DatabaseDirectory must be identical in both files. Two of the chosen values deserve a second look before production use: placing the socket and the log in /tmp lets any local user connect to clamd or interfere with the log file (a dedicated /var/run/clamav and /var/log/clamav owned by the clamav user is the usual choice), and using the install prefix itself as DatabaseDirectory means freshclam, running as clamav, needs write access to /usr/local/clamav, the directory that holds bin/ and sbin/; the configure default, /usr/local/clamav/share/clamav, avoids that.

[root@localhost root]# cat /usr/local/clamav/etc/clamd.conf

##

## Example config file for the Clam AV daemon

## Please read the clamd.conf(5) manual before editing this file.

##



# Comment or remove the line below.

#Example


# Uncomment this option to enable logging.

# LogFile must be writable for the user running daemon.

# A full path is required.

# Default: disabled

LogFile /tmp/clamd.log


# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option).

# This option disables log file locking.

# Default: no

#LogFileUnlock yes


# Maximum size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers.

# Default: 1M

#LogFileMaxSize 2M


# Log time with each message.

# Default: no

LogTime yes


# Also log clean files. Useful in debugging but drastically increases the

# log size.

# Default: no

LogClean yes


# Use system logger (can work together with LogFile).

# Default: no

#LogSyslog yes


# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL


# Enable verbose logging.

# Default: no

#LogVerbose yes


# This option allows you to save a process identifier of the listening

# daemon (main thread).

# Default: disabled

#PidFile /var/run/clamd.pid


# Optional path to the global temporary directory.

# Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp


# Path to the database directory.

# Default: hardcoded (depends on installation options)

DatabaseDirectory /usr/local/clamav


# The daemon can work in local mode, network mode or both.

# Due to security reasons we recommend the local mode.


# Path to a local socket file the daemon will listen on.

# Default: disabled (must be specified by a user)

LocalSocket /tmp/clamd.socket


# Remove stale socket after unclean shutdown.

# Default: yes

#FixStaleSocket yes


# TCP port address.

# Default: no

#TCPSocket 3310


# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world.

# Default: no

#TCPAddr 127.0.0.1


# Maximum length the queue of pending connections may grow to.

# Default: 15

#MaxConnectionQueueLength 30


# Clamd uses FTP-like protocol to receive data from remote clients.

# If you are using clamav-milter to balance load between remote clamd daemons

# on firewall servers you may need to tune the options below.


# Close the connection when the data size limit is exceeded.

# The value should match your MTA's limit for a maximum attachment size.

# Default: 10M

#StreamMaxLength 20M


# Limit port range.

# Default: 1024

#StreamMinPort 30000

# Default: 2048

#StreamMaxPort 32000


# Maximum number of threads running at the same time.

# Default: 10

#MaxThreads 20


# Waiting for data from a client socket will timeout after this time (seconds).

# Value of 0 disables the timeout.

# Default: 120

#ReadTimeout 300


# Waiting for a new job will timeout after this time (seconds).

# Default: 30

#IdleTimeout 60


# Don't scan files and directories matching regex

# This directive can be used multiple times

# Default: scan all

#ExcludePath ^/proc/

#ExcludePath ^/sys/


# Maximum depth directories are scanned at.

# Default: 15

#MaxDirectoryRecursion 20


# Follow directory symlinks.

# Default: no

#FollowDirectorySymlinks yes


# Follow regular file symlinks.

# Default: no

#FollowFileSymlinks yes


# Perform a database check.

# Default: 1800 (30 min)

#SelfCheck 600


# Execute a command when virus is found. In the command string %v will

# be replaced with the virus name.

# Default: no

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"


# Run as another user (clamd must be started by root for this option to work)

# Default: don't drop privileges

User clamav


# Initialize supplementary group access (clamd must be started by root).

# Default: no

#AllowSupplementaryGroups no


# Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM yes


# Don't fork into background.

# Default: no

#Foreground yes


# Enable debug messages in libclamav.

# Default: no

#Debug yes


# Do not remove temporary files (for debug purposes).

# Default: no

#LeaveTemporaryFiles yes


# Detect Possibly Unwanted Applications.

# Default: no

#DetectPUA yes


# Exclude a specific PUA category. This directive can be used multiple times.

# See http://www.clamav.net/support/pua for the complete list of PUA

# categories.

# Default: Load all categories (if DetectPUA is activated)

#ExcludePUA NetTool

#ExcludePUA PWTool


# Only include a specific PUA category. This directive can be used multiple

# times.

# Default: Load all categories (if DetectPUA is activated)

#IncludePUA Spy

#IncludePUA Scanner

#IncludePUA RAT


# In some cases (eg. complex malware, exploits in graphic files, and others),

# ClamAV uses special algorithms to provide accurate detection. This option

# controls the algorithmic detection.

# Default: yes

#AlgorithmicDetection yes



##

## Executable files

##


# PE stands for Portable Executable - it's an executable file format used

# in all 32 and 64-bit versions of Windows operating systems. This option allows

# ClamAV to perform a deeper analysis of executable files and it's also

# required for decompression of popular executable packers such as UPX, FSG,

# and Petite.

# Default: yes

#ScanPE yes


# Executable and Linking Format is a standard format for UN*X executables.

# This option allows you to control the scanning of ELF files.

# Default: yes

#ScanELF yes


# With this option clamav will try to detect broken executables (both PE and

# ELF) and mark them as Broken.Executable.

# Default: no

#DetectBrokenExecutables yes



##

## Documents

##


# This option enables scanning of OLE2 files, such as Microsoft Office

# documents and .msi files.

# Default: yes

#ScanOLE2 yes


# This option enables scanning within PDF files.

# Default: yes

#ScanPDF yes



##

## Mail files

##


# Enable internal e-mail scanner.

# Default: yes

#ScanMail yes


# If an email contains URLs ClamAV can download and scan them.

# WARNING: This option may open your system to a DoS attack.

#          Never use it on loaded servers.

# Default: no

#MailFollowURLs no


# Scan RFC1341 messages split over many emails.

# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.

# WARNING: This option may open your system to a DoS attack.

#          Never use it on loaded servers.

# Default: no

#ScanPartialMessages yes



# With this option enabled ClamAV will try to detect phishing attempts by using

# signatures.

# Default: yes

#PhishingSignatures yes


# Scan URLs found in mails for phishing attempts using heuristics.

# Default: yes

#PhishingScanURLs yes


# Always block SSL mismatches in URLs, even if the URL isn't in the database.

# This can lead to false positives.

#

# Default: no

#PhishingAlwaysBlockSSLMismatch no


# Always block cloaked URLs, even if URL isn't in database.

# This can lead to false positives.

#

# Default: no

#PhishingAlwaysBlockCloak no


# Allow heuristic match to take precedence.

# When enabled, if a heuristic scan (such as phishingScan) detects

# a possible virus/phish it will stop scan immediately. Recommended, saves CPU

# scan-time.

# When disabled, virus/phish detected by heuristic scans will be reported only at

# the end of a scan. If an archive contains both a heuristically detected

# virus/phish, and a real malware, the real malware will be reported

#

# Keep this disabled if you intend to handle "*.Heuristics.*" viruses

# differently from "real" malware.

# If a non-heuristically-detected virus (signature-based) is found first,

# the scan is interrupted immediately, regardless of this config option.

#

# Default: no

#HeuristicScanPrecedence yes


##

## Data Loss Prevention (DLP)

##


# Enable the DLP module

# Default: No

#StructuredDataDetection yes


# This option sets the lowest number of Credit Card numbers found in a file

# to generate a detect.

# Default: 3

#StructuredMinCreditCardCount 5


# This option sets the lowest number of Social Security Numbers found

# in a file to generate a detect.

# Default: 3

#StructuredMinSSNCount 5


# With this option enabled the DLP module will search for valid

# SSNs formatted as xxx-yy-zzzz

# Default: yes

#StructuredSSNFormatNormal yes


# With this option enabled the DLP module will search for valid

# SSNs formatted as xxxyyzzzz

# Default: no

#StructuredSSNFormatStripped yes



##

## HTML

##


# Perform HTML normalisation and decryption of MS Script Encoder code.

# Default: yes

#ScanHTML yes



##

## Archives

##


# ClamAV can scan within archives and compressed files.

# Default: yes

#ScanArchive yes


# Use slower but memory efficient decompression algorithm.

# only affects the bzip2 decompressor.

# Default: no

#ArchiveLimitMemoryUsage yes


# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

# Default: no

#ArchiveBlockEncrypted no



##

## Limits

##


# The options below protect your system against Denial of Service attacks

# using archive bombs.


# This option sets the maximum amount of data to be scanned for each input file.

# Archives and other containers are recursively extracted and scanned up to this

# value.

# Value of 0 disables the limit

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 100M

#MaxScanSize 150M


# Files larger than this limit won't be scanned. Affects the input file itself

# as well as files contained inside it (when the input file is an archive, a

# document or some other kind of container).

# Value of 0 disables the limit.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 25M

#MaxFileSize 30M


# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

# file, all files within it will also be scanned. This options specifies how

# deeply the process should be continued.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Value of 0 disables the limit.

# Default: 16

#MaxRecursion 10


# Number of files to be scanned within an archive, a document, or any other

# container file.

# Value of 0 disables the limit.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 10000

#MaxFiles 15000



##

## Clamuko settings

## WARNING: This is experimental software. It is very likely it will hang

##          up your system!!!

##


# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

# Default: no

#ClamukoScanOnAccess yes


# Set access mask for Clamuko.

# Default: no

#ClamukoScanOnOpen yes

#ClamukoScanOnClose yes

#ClamukoScanOnExec yes


# Set the include paths (all files inside them will be scanned). You can have

# multiple ClamukoIncludePath directives but each directory must be added

# in a separate line.

# Default: disabled

#ClamukoIncludePath /home

#ClamukoIncludePath /students


# Set the exclude paths. All subdirectories are also excluded.

# Default: disabled

#ClamukoExcludePath /home/bofh


# Don't scan files larger than ClamukoMaxFileSize

# Value of 0 disables the limit.

# Default: 5M

#ClamukoMaxFileSize 10M


[root@localhost root]# cat /usr/local/clamav/etc/freshclam.conf


##

## Example config file for freshclam

## Please read the freshclam.conf(5) manual before editing this file.

##



# Comment or remove the line below.

#Example


# Path to the database directory.

# WARNING: It must match clamd.conf's directive!

# Default: hardcoded (depends on installation options)

DatabaseDirectory /usr/local/clamav


# Path to the log file (make sure it has proper permissions)

# Default: disabled

UpdateLogFile /var/log/freshclam.log


# Maximum size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).

# To specify the size in bytes just don't use modifiers.

# Default: 1M

#LogFileMaxSize 2M


# Log time with each message.

# Default: no

#LogTime yes


# Enable verbose logging.

# Default: no

#LogVerbose yes


# Use system logger (can work together with UpdateLogFile).

# Default: no

#LogSyslog yes


# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL


# This option allows you to save the process identifier of the daemon

# Default: disabled

#PidFile /var/run/freshclam.pid


# By default when started freshclam drops privileges and switches to the

# "clamav" user. This directive allows you to change the database owner.

# Default: clamav (may depend on installation options)

#DatabaseOwner clamav


# Initialize supplementary group access (freshclam must be started by root).

# Default: no

#AllowSupplementaryGroups yes


# Use DNS to verify virus database version. Freshclam uses DNS TXT records

# to verify database and software versions. With this directive you can change

# the database verification domain.

# WARNING: Do not touch it unless you're configuring freshclam to use your

# own database verification domain.

# Default: current.cvd.clamav.net

#DNSDatabaseInfo current.cvd.clamav.net


# Uncomment the following line and replace XY with your country

# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.

#DatabaseMirror db.XY.clamav.net


# database.clamav.net is a round-robin record which points to our most

# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is

# not working. DO NOT TOUCH the following line unless you know what you

# are doing.

DatabaseMirror database.clamav.net


# How many attempts to make before giving up.

# Default: 3 (per mirror)

#MaxAttempts 5


# With this option you can control scripted updates. It's highly recommended

# to keep it enabled.

# Default: yes

#ScriptedUpdates yes


# By default freshclam will keep the local databases (.cld) uncompressed to

# make their handling faster. With this option you can enable the compression;

# the change will take effect with the next database update.

# Default: no

#CompressLocalDatabase no


# Number of database checks per day.

# Default: 12 (every two hours)

#Checks 24


# Proxy settings

# Default: disabled

#HTTPProxyServer myproxy.com

#HTTPProxyPort 1234

#HTTPProxyUsername myusername

#HTTPProxyPassword mypass


# If your servers are behind a firewall/proxy which applies User-Agent

# filtering you can use this option to force the use of a different

# User-Agent header.

# Default: clamav/version_number

#HTTPUserAgent SomeUserAgentIdString


# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for

# multi-homed systems.

# Default: Use the OS's default outgoing IP address.

#LocalIPAddress aaa.bbb.ccc.ddd


# Send the RELOAD command to clamd.

# Default: no

#NotifyClamd /path/to/clamd.conf


# Run command after successful database update.

# Default: disabled

#OnUpdateExecute command


# Run command when database update process fails.

# Default: disabled

#OnErrorExecute command


# Run command when freshclam reports outdated version.

# In the command string %v will be replaced by the new version number.

# Default: disabled

#OnOutdatedExecute command


# Don't fork into background.

# Default: no

#Foreground yes


# Enable debug messages in libclamav.

# Default: no

#Debug yes


# Timeout in seconds when connecting to database server.

# Default: 30

#ConnectTimeout 60


# Timeout in seconds when reading from database server.

# Default: 30

#ReceiveTimeout 60


# When enabled freshclam will submit statistics to the ClamAV Project about

# the latest virus detections in your environment. The ClamAV maintainers

# will then use this data to determine what types of malware are the most

# detected in the field and in what geographic area they are.

# This feature requires LogTime and LogFile to be enabled in clamd.conf.

# Default: no

#SubmitDetectionStats /path/to/clamd.conf


# Country of origin of malware/detection statistics (for statistical

# purposes only). The statistics collector at ClamAV.net will look up

# your IP address to determine the geographical origin of the malware

# reported by your installation. If this installation is mainly used to

# scan data which comes from a different location, please enable this

# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)

# of the country of origin.

# Default: disabled

#DetectionStatsCountry country-code


3. Bring the ClamAV signature database up to date

    [root@localhost root]# /usr/local/clamav/bin/freshclam

    freshclam reads /usr/local/clamav/etc/freshclam.conf by default and, when started as root, switches to the DatabaseOwner (clamav), so the DatabaseDirectory must be writable by that user. After the run the database directory /usr/local/clamav contains three files: mirrors.dat, daily.cld and main.cvd.


4. Start clamd

    [root@localhost root]# /usr/local/clamav/sbin/clamd &

    clamd now runs with the freshly updated database. It reads /usr/local/clamav/etc/clamd.conf by default, must be started as root so that the User directive can drop it to clamav, and forks into the background on its own (Foreground is not set), so the trailing & is not needed. Check LogFile for errors before going on: a missing clamav account, an unwritable log or socket path, or a still-active Example line all stop the daemon.


5. To keep the signature database updated automatically, register freshclam in the crontab as follows (minute 30 of every hour):

    [root@localhost root]# echo "30 * * * * root /usr/local/clamav/bin/freshclam" >> /etc/crontab && /etc/init.d/crond restart

    With NotifyClamd commented out in freshclam.conf, clamd picks up a new database only at its next SelfCheck (every 1800 seconds by default); setting NotifyClamd /usr/local/clamav/etc/clamd.conf makes freshclam tell clamd to reload immediately.

6. Configure and start clamav-milter

    To enable the filter in the sendmail MTA, /etc/mail/sendmail.mc has to be updated.

    Add the following two lines at the very bottom of /etc/mail/sendmail.mc.

    [root@localhost root]# vi /etc/mail/sendmail.mc

        INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl

        define(`confINPUT_MAIL_FILTERS', `clamav')

    S= names the Unix socket the milter listens on, T= sets the send, receive, connect and end-of-message timeouts, and F= holds the failure flags. With F= left empty, as here, sendmail accepts mail unscanned whenever clamav-milter is down or unreachable; F=T (temporary failure, the sender retries later) or F=R (reject) makes the filter fail closed, which is the safer choice for a virus filter. Then regenerate sendmail.cf from the .mc file:

    [root@localhost root]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf


    Now start clamav-milter and restart sendmail. The options are those of the 0.9x milter: --max-children caps the number of messages scanned concurrently, -l (--local) also scans mail from the local network, -o (--outgoing) also scans outgoing mail, and the final argument is the socket path, which must match the S= value above. The /var/run/clamav directory has to exist beforehand and be writable by the user the milter runs as and reachable by sendmail.

    [root@localhost root]# /usr/local/clamav/sbin/clamav-milter --max-children=100 -lo /var/run/clamav/clmilter.sock &

    [root@localhost root]# /etc/init.d/sendmail restart
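The following check is an added example, not part of the original page or of ClamAV itself: it audits the clamd.conf, freshclam.conf and sendmail.mc assembled in steps 2 and 6 for the points a reviewer would flag (socket, log or PID paths under /tmp, a database directory equal to the install prefix, a TCP listener without TCPAddr, a missing User directive, a DatabaseDirectory mismatch between the two ClamAV files, an unset NotifyClamd, and a milter declared without fail-closed flags). It runs against constructed copies of the page's active settings beside corrected variants; the /usr/local/clamav prefix and all paths in those copies are assumptions. Point the same functions at the real files to audit a live host.

```shell
#!/bin/sh
# Added example (not part of the original page or of ClamAV): audit the
# clamd.conf / freshclam.conf / sendmail.mc built in steps 2 and 6.
# The install prefix and all file locations below are assumptions.

# conf_get FILE DIRECTIVE: value of an active (uncommented) directive;
# the last occurrence wins, and a commented-out directive prints nothing.
conf_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# audit_clamd_conf FILE [PREFIX]: one warning per line, nothing when clean.
audit_clamd_conf() {
    cf=$1; prefix=${2:-/usr/local/clamav}
    grep -q '^Example' "$cf" && echo "clamd.conf: Example line still active, clamd refuses to start"
    for d in LogFile LocalSocket PidFile TemporaryDirectory; do
        case $(conf_get "$cf" "$d") in
            /tmp/*|/var/tmp/*) echo "clamd.conf: $d in a world-writable directory; use /var/run/clamav or /var/log/clamav" ;;
        esac
    done
    [ "$(conf_get "$cf" DatabaseDirectory)" = "$prefix" ] &&
        echo "clamd.conf: DatabaseDirectory is the install prefix, so its owner gets write access to the directory holding bin/ and sbin/ (use $prefix/share/clamav)"
    [ -n "$(conf_get "$cf" TCPSocket)" ] && [ -z "$(conf_get "$cf" TCPAddr)" ] &&
        echo "clamd.conf: TCPSocket without TCPAddr listens on every interface"
    [ -z "$(conf_get "$cf" User)" ] && echo "clamd.conf: no User directive, clamd keeps running as root"
    return 0
}

# audit_freshclam_conf CLAMD_CONF FRESHCLAM_CONF: both files must agree on
# the database location, and clamd should be told about updates.
audit_freshclam_conf() {
    [ "$(conf_get "$1" DatabaseDirectory)" = "$(conf_get "$2" DatabaseDirectory)" ] ||
        echo "freshclam.conf: DatabaseDirectory differs from clamd.conf, clamd never sees the updates"
    [ -z "$(conf_get "$2" NotifyClamd)" ] &&
        echo "freshclam.conf: NotifyClamd unset, clamd reloads only on its SelfCheck interval (default 1800 s)"
    return 0
}

# audit_sendmail_mc FILE: an INPUT_MAIL_FILTER without F=T or F=R is skipped
# by sendmail (mail accepted unscanned) whenever the milter is unreachable.
audit_sendmail_mc() {
    grep '^INPUT_MAIL_FILTER' "$1" | while IFS= read -r line; do
        case $line in
            *F=R*|*F=T*) ;;
            *) echo "sendmail.mc: fails open, add F=T (tempfail) or F=R (reject): $line" ;;
        esac
    done
    return 0
}

# Constructed sample inputs: the page's active settings beside corrected ones.
AUDIT_DEMO=$(mktemp -d)
trap 'rm -rf "$AUDIT_DEMO"' EXIT
cat > "$AUDIT_DEMO/clamd-page.conf" <<'EOF'
#Example
LogFile /tmp/clamd.log
DatabaseDirectory /usr/local/clamav
LocalSocket /tmp/clamd.socket
User clamav
EOF
cat > "$AUDIT_DEMO/clamd-fixed.conf" <<'EOF'
#Example
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /usr/local/clamav/share/clamav
LocalSocket /var/run/clamav/clamd.sock
User clamav
EOF
cat > "$AUDIT_DEMO/freshclam-page.conf" <<'EOF'
DatabaseDirectory /usr/local/clamav
UpdateLogFile /var/log/freshclam.log
DatabaseMirror database.clamav.net
EOF
cat > "$AUDIT_DEMO/sendmail-page.mc" <<'EOF'
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav')
EOF
cat > "$AUDIT_DEMO/sendmail-fixed.mc" <<'EOF'
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m;C:30s;E:10m')dnl
EOF

for f in clamd-page clamd-fixed; do
    echo "== $f.conf"; audit_clamd_conf "$AUDIT_DEMO/$f.conf"
done
echo "== freshclam-page.conf vs clamd-fixed.conf"
audit_freshclam_conf "$AUDIT_DEMO/clamd-fixed.conf" "$AUDIT_DEMO/freshclam-page.conf"
echo "== sendmail-page.mc"; audit_sendmail_mc "$AUDIT_DEMO/sendmail-page.mc"
```

The page's clamd.conf produces three warnings (LogFile, LocalSocket and DatabaseDirectory), the corrected variant none; the milter line is flagged until F=T or F=R is added.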


7. The setup is now complete. Mail in which clamav-milter detects a virus is delivered with the subject Virus Intercepted.


8. To scan a file server or an exported /home directory for viruses, run clamscan recursively:

    [root@localhost root]# /usr/local/clamav/bin/clamscan -r /home

    Clean files are printed with OK and infected files with the name of the detected virus; the exit status is 0 when nothing was found and 1 when something was, and the -i option restricts the output to infected files. clamscan loads the whole database on every run, which makes it slow on large trees; once clamd is running, clamdscan, which hands the files to the daemon, is the faster choice.


9. To start everything automatically at boot, add the following lines to /etc/rc.d/rc.local. Start clamd first, so that it is up before anything connects to its socket, and keep the milter socket path identical to the S= value in sendmail.mc:

    /usr/local/clamav/sbin/clamd &

    /usr/local/clamav/sbin/clamav-milter --max-children=100 -lo /var/run/clamav/clmilter.sock &

    rc.local runs at the very end of the boot sequence, after the sendmail init script, so mail arriving before the milter socket exists is handled according to the F= flags in sendmail.mc: accepted unscanned with F= empty, deferred with F=T.
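To confirm the whole chain works end to end, here is an added smoke test that is not part of the original page or of ClamAV: it writes the EICAR test file (the harmless industry-standard string every scanner, ClamAV included, reports as a detection), asks clamd to scan it through clamdscan, and then mails it as an attachment through sendmail so that clamav-milter has to intercept it. The clamdscan and sendmail paths and the recipient address are assumptions. Run it on the mail host with a local test mailbox as the argument; an exit status of 1 from clamdscan is the expected "infected" verdict, and the message should arrive as the Virus Intercepted notice from step 7 rather than intact.

```shell
#!/bin/sh
# Added example (not part of the original page or of ClamAV): smoke-test the
# finished setup with the EICAR test file, against clamd directly and then
# through sendmail + clamav-milter. Binary paths and the recipient address
# are assumptions; override them through the environment or the first argument.
CLAMDSCAN=${CLAMDSCAN:-/usr/local/clamav/bin/clamdscan}
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}

# eicar_string: the standard 68-byte EICAR test file (reported by ClamAV as
# Eicar-Test-Signature). Kept in two pieces so that this script does not
# itself contain the contiguous signature.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' 'ANTIVIRUS-TEST-FILE!$H+H*'
}

# scan_verdict RC: clamdscan/clamscan exit status as a word
# (0 = nothing found, 1 = virus found, anything else = error).
scan_verdict() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# check_clamd: write EICAR to a file clamd (user clamav) can read, scan it
# through the LocalSocket named in clamd.conf, and succeed only on "infected".
check_clamd() {
    tmp=$(mktemp) || return 2
    eicar_string > "$tmp"
    chmod 644 "$tmp"
    rc=0
    "$CLAMDSCAN" --no-summary "$tmp" || rc=$?
    rm -f "$tmp"
    echo "clamd verdict: $(scan_verdict "$rc")"
    [ "$rc" -eq 1 ]
}

# build_test_mail TO: an RFC 822 message carrying EICAR as a 7bit attachment.
build_test_mail() {
    b=eicar-check
    printf 'From: postmaster\nTo: %s\nSubject: clamav-milter EICAR check\n' "$1"
    printf 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="%s"\n\n' "$b"
    printf '%s\nContent-Type: text/plain\n\nIf this arrives intact, the milter did not scan it.\n' "--$b"
    printf '%s\nContent-Type: application/octet-stream; name="eicar.com"\n' "--$b"
    printf 'Content-Disposition: attachment; filename="eicar.com"\nContent-Transfer-Encoding: 7bit\n\n'
    eicar_string
    printf '\n%s\n' "--$b--"
}

# check_milter TO: hand the message to sendmail; the outcome shows up in the
# mail log and as the "Virus Intercepted" notice described in step 7.
check_milter() {
    build_test_mail "$1" | "$SENDMAIL" -t
}

# On the mail host: ./eicar-check.sh user@example.com
# Both checks are skipped where the binaries are absent, so the helpers above
# can still be exercised on another machine.
if [ -x "$CLAMDSCAN" ]; then
    check_clamd || echo "clamd did NOT flag EICAR: check LocalSocket, DatabaseDirectory and file permissions" >&2
fi
if [ -x "$SENDMAIL" ] && [ -n "${1:-}" ]; then
    check_milter "$1"
fi
```

A clean verdict from check_clamd usually means clamd is reading a different socket than clamdscan, the database directory is empty, or the clamav user cannot read the temporary file; an intact test message in the mailbox means sendmail is not talking to the milter (compare the S= socket path with the one the milter was started with, and check the mail log).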



Source: Hostway (http://faq.hostway.co.kr/Linux_Mail/1335)
