ClamAV

From aldeid
Jump to: navigation, search
Draft.png
DRAFT
This page is still a draft. Thank you for your understanding.

Description

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Installation

From packages

$ sudo aptitude install clamav clamav-freshclam

From sources

$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/clamav/clamav/0.97.6/clamav-0.97.6.tar.gz
$ tar xzvf clamav-0.97.6.tar.gz
$ cd clamav-0.97.6/
$ ./configure
$ make
$ sudo make install

Usage

clamscan

--help, -h
Print this help screen
--version, -V
Print version number
--verbose, -v
Be verbose
--debug
Enable libclamav's debug messages
--quiet
Only output error messages
--stdout
Write to stdout instead of stderr
--no-summary
Disable summary at end of scanning
--infected, -i
Only print infected files
--bell
Sound bell on virus detection
--tempdir=DIRECTORY
Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)]
Do not remove temporary files
--database=FILE/DIR, -d FILE/DIR
Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)]
Only load official signatures
--log=FILE, -l FILE
Save scan report to FILE
--recursive[=yes/no(*)], -r
Scan subdirectories recursively
--cross-fs[=yes(*)/no]
Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2]
Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2]
Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE, -f FILE
Scan files from FILE
--remove[=yes/no(*)]
Remove infected files. Be careful!
--move=DIRECTORY
Move infected files into DIRECTORY
--copy=DIRECTORY
Copy infected files into DIRECTORY
--exclude=REGEX
Don't scan file names matching REGEX
--exclude-dir=REGEX
Don't scan directories matching REGEX
--include=REGEX
Only scan file names matching REGEX
--include-dir=REGEX
Only scan directories matching REGEX
--bytecode[=yes(*)/no]
Load bytecode from the database
--bytecode-unsigned[=yes/no(*)]
Load unsigned bytecode
--bytecode-timeout=N
Set bytecode timeout (in milliseconds)
--detect-pua[=yes/no(*)]
Detect Possibly Unwanted Applications
--exclude-pua=CAT
Skip PUA sigs of category CAT
--include-pua=CAT
Load PUA sigs of category CAT
--detect-structured[=yes/no(*)]
Detect structured data (SSN, Credit Card)
--structured-ssn-format=X
SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N
Min SSN count to generate a detect
--structured-cc-count=N
Min CC count to generate a detect
--scan-mail[=yes(*)/no]
Scan mail files
--phishing-sigs[=yes(*)/no]
Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no]
URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)]
Stop scanning as soon as a heuristic match is found
--phishing-ssl[=yes/no(*)]
Always block SSL mismatches in URLs (phishing module)
--phishing-cloak[=yes/no(*)]
Always block cloaked URLs (phishing module)
--algorithmic-detection[=yes(*)/no]
Algorithmic detection
--scan-pe[=yes(*)/no]
Scan PE files
--scan-elf[=yes(*)/no]
Scan ELF files
--scan-ole2[=yes(*)/no]
Scan OLE2 containers
--scan-pdf[=yes(*)/no]
Scan PDF files
--scan-html[=yes(*)/no]
Scan HTML files
--scan-archive[=yes(*)/no]
Scan archive files (supported by libclamav)
--detect-broken[=yes/no(*)]
Try to detect broken executable files
--block-encrypted[=yes/no(*)]
Block encrypted archives
--max-filesize=#n
Files larger than this will be skipped and assumed clean
--max-scansize=#n
The maximum amount of data to scan for each container file (**)
--max-files=#n
The maximum number of files to scan for each container file (**)
--max-recursion=#n
Maximum archive recursion level for container file (**)
--max-dir-recursion=#n
Maximum directory recursion level

Use cases

Update signatures

$ $ sudo freshclam
ClamAV update process started at Sat Mar  2 21:48:29 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily.cvd [ 12%]

Scan a file

$ clamscan /data/exploits/winfixer.exe
/data/exploits/winfixer.exe: Worm.Autorun-7661 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1044387
Engine version: 0.97.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.03 MB
Data read: 0.03 MB (ratio 1.00:1)
Time: 1.998 sec (0 m 1 s)

Scan a directory

$ clamscan /data/exploits/
/data/exploits/arru.exe: OK
/data/exploits/setup[1].exe: OK
/data/exploits/nuxninqynkow.exe: OK
/data/exploits/MsMxEng.exe: Trojan.Buzus-6212 FOUND
/data/exploits/ARPPRODUCTICON.exe: OK
/data/exploits/nopenico.exe: OK
/data/exploits/Captain Coucou!.JPG: OK
/data/exploits/ptrvta.exe: OK
/data/exploits/360Tray.exe: OK
/data/exploits/vgwisb.exe: OK
/data/exploits/ose00000.exe: OK
/data/exploits/alicsrv.exe: OK
/data/exploits/Dc30.exe: OK
/data/exploits/Persomod.exe: OK
/data/exploits/tm2002.exe: OK
/data/exploits/teasing.exe: OK
/data/exploits/ICBCEBankAssist.exe: OK
/data/exploits/hod.exe: Worm.Autorun-2205 FOUND
/data/exploits/ext_1.exe: OK
/data/exploits/My IP Address.exe: OK
/data/exploits/Skycn_1.2.1.exe: OK
/data/exploits/panjxg.exe: OK
/data/exploits/6C82D104845D404ED19B40607B07D287.ico: OK