Linux安全:使用Python构建集中式病毒扫描机制
Clam AntiVirus(ClamAV)是免费而且开放源代码的防毒软件,软件病毒与病毒库的更新全是社区免费发布。官网地址:(http://www.clamav.net/lang/en)。ClamAV目前未系统提供病毒扫描】查杀等服务。pyClamad((http:xael.org))是一个Python第三方模块,可以让Python直接使用ClamAV的守护进程clamd,来实现高校的病毒检测功能。python这个第三方模块有点老了,然后我在使用的时候,不是很顺利,参考了多篇文章之后,做了一个记录,看到的小白可以尝试一下,路过的大佬还请不吝赐教!
# 工具准备
pyClamad模块安装方法如下:
```
# 一、客户端(病毒扫描源)安装
# 1 安装epel扩展源
yum install -y epel-release
# 2 安装依赖
yum install -y clamav clamd clamav-update# 安装相关包
chkconfig --levels 235 clamd on # 添加扫描守护进程clamd系统服务
/usr/bin/freshclam # 更新病毒库,建议配置到crontab定期更新
# 更新守护进程监听IP配置文件,根据不同环境自行修改监听的IP,"0.0.0.0"为监听所有主机IP。
# sed -i -e '/^TCPAddr/{ s/127.0.0.1/0.0.0.0/;}' /etc/clamd.conf
/etc/init.d/clamd start# 启动扫描进程
# 3 检查软件版本
which freshclam
freshclam --version
which clamscan
clamscan --version
```
<img src="https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240511093633995.png" alt="image-20240511093633995" style="zoom:50%;" />
```
# 扫描当前目录
clamscan --remove ./
```
<img src="https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240511094909602.png" alt="image-20240511094909602" style="zoom:50%;" />
```
# 2.主控端部署pyClamad环境
pip install pyclamd
```
# 代码实践
!(https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240511095540495.png)
!(https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240511101348093.png)
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import time
import pyclamd
from threading import Thread
class Scan(Thread):
def __init__(self,IP,scan_type,file):
"""构造方法,参数初始化"""
Thread.__init__(self)
self.IP = IP
self.scan_type = scan_type
self.file = file
self.connstr = ""
self.scanresult = ""
def run(self):
"""多进程run方法"""
try:
cd = pyclamd.ClamdNetworkSocket(self.IP,3310)
if cd.ping():# 探测连通性
self.connstr = self.IP + " connect "
cd.reload()# 重载calmd病毒库的特征,建议更新病毒库再reload
if self.scan_type == "contscan_file":# 选择不同的扫描模式
self.scanresult = "{0}\n".format(cd.contscan_file(self.file))
elif self.scan_type == "multiscan_file":
self.scanresult = "{0}\n".format(cd.multiscan_file(self.file))
elif self.scan_type == "scan_file":
self.scanresult = "{0}\n".format(cd.scan_file(self.file))
time.sleep(1)# 线程挂起1秒
else:
self.connstr = self.IP + "ping error,exit" # 连接不通
return
exceptException as e:
self.connstr = self.IP + " " + str(e)
IPs = ['192.168.1.0','192.168.2.1']# 扫描主机列表
scantype = "multiscan_file" # 选择扫描模式
scanfile = "/data/www"# 指定扫描路径
i = 1
threadnum = 2 # 指定启动线程数
scanlist = [] # 存储扫描Scan类线程对象列表
for ip in IPs:
currp = Scan(ip,scantype,scanfile) # 创建扫描Scan类对象,参数(IP,扫描模式,扫描路径)
scanlist.append(currp)# 追加对象到列表
if i % threadnum == 0 or i ==len(IPs): # 当到达指定的线程数或者IP列表数后启动、退出线程
for task in scanlist:
task.start()
for task in scanlist:
task.join() # 等待所有子线程退出,并输出扫描结果
print(task.connstr) # 打印服务器连接信息
print(task.scanresult) # 打印扫描结果
scanlist = []
i += 1
```
<img src="https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240511163541427.png" alt="image-20240511163541427" style="zoom:50%;" />
1. **clamd服务未运行**:确保clamd服务在您的服务器上已经启动。您可以使用如下命令来检查服务状态:
```bash
sudo service clamd status
```
如果服务没有运行,您需要启动它:
```bash
sudo service clamd start
```
如果不行,看列表有没有,如果没有,说明没有装好
```bash
systemctl list-unit-files --type=service
```
```bash
sudo systemctl start 对应服务
```
<img src="https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240511170742915.png" alt="image-20240511170742915" style="zoom: 50%;" />
2. **clamd配置**:检查clamd服务的配置文件(通常位于`/etc/clamd.conf`或`/etc/clamd.d/scan.conf`),确保`TCPAddr`和`TCPSocket`选项正确设置。`TCPAddr`应该设置为服务器的IP地址或`0.0.0.0`(表示监听所有地址),`TCPSocket`应该设置为`3310`。
我出现了上面两个问题,一是相关服务没有开启,而是配置文件仅仅取消注释了IP地址,忽略了`TCPSocket`应该为`3310`也要取消注释
- 启动clamd@scan扫描服务,服务启动不了的话,可以查看/var/log/clamd.scan
```bash
systemctl enable clamd@scan
systemctl start clamd@scan
systemctl status clamd@scan
```
<img src="https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240512163012217.png" alt="image-20240512163012217" style="zoom:50%;" />
<img src="https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240512163040525.png" alt="image-20240512163040525" style="zoom:50%;" />
## 生成测试病毒样
`pyClamd`提供了一个`EICAR()`方法,该方法可以快速生成病毒样本,用于测试。复制文件到扫描目录中:
```ruby
>>> import pyclamd
>>> cd = pyclamd.ClamdAgnostic()
>>> cd.EICAR()
b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
>>>
```
> tip:可以看到输出的是一个python字节串。虽然是病毒样本,但是我们并没有去执行它,所以是无害的,大家不要担心机器中毒!!
```python
void = open('/data/www/EICAR','w').write(cd.EICAR().decode())
```
<img src="https://daokun-hexo.oss-cn-hangzhou.aliyuncs.com/img_for_hexo/image-20240512185434980.png" alt="image-20240512185434980" style="zoom:50%;" />
参考文章
1. (https://blog.csdn.net/carefree2005/article/details/122705554)
2. Python自动化运维-第四章-刘天斯
3. (https://www.cnblogs.com/wenghaojie/p/15224317.html)
4. (https://cloud.tencent.com/developer/article/1569680)
5. (https://zhuanlan.zhihu.com/p/266731354)
6. (https://blog.csdn.net/stone_fall/article/details/108291549)
7. [基于「ClamAv」通过python进行病毒检测(2)-- pyClamd控制clamd详解 - 简书 (jianshu.com)](https://www.jianshu.com/p/62e6def1bd2a)
页:
[1]