Centos
ClamAV install on CentOS 8
I have installed ClamAV on CentOS 8 following the installation guide on their website.

I have run freshclam and it works fine, but if I try to run a scan I get the following error:

clamdscan /home
ERROR: Could not connect to clamd on LocalSocket /tmp/clamd.socket: No such file or directory

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)

I have tried following many suggestions online for different LocalSocket files, but they all produce the same result or worse.

Here is my config file:
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##


# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /tmp/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 10M

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
LogVerbose yes

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes

# Enable Prelude output.
# Default: no
#PreludeEnable yes
#
# Set the name of the analyzer used by prelude-admin.
# Default: ClamAV
#PreludeAnalyzerName ClamAV

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
#PidFile /var/run/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /tmp/clamd.socket

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clam
#LocalSocketGroup clamav

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes

# TCP port address.
# Default: no
#TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30

# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging.
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamscan

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes

# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes

# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only
# at the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes


##
## Heuristic Alerts
##

# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes

# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes

# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
#AlertEncryptedArchive yes

# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes

# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes

# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes

# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes

# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes

# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes

# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes

# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes

# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanXMLDOCS yes

# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanHWP3 yes


##
## Mail files
##

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no

# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no


##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a
# Denial of Service.
# Time is in milliseconds.
# Default: 120000
#MaxScanTime 300000

# This option sets the maximum amount of data to be scanned for each input
# file. Archives and other containers are recursively extracted and scanned
# up to this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000

# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M

# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M

# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M

# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M

# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M

# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128

# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200

# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16

# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000

# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000

# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M

# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
#AlertExceedsMax yes


##
## On-access Scan Settings
##

# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M

# Max number of scanning threads to allocate to the OnAccess thread pool at
# startup. These threads are the ones responsible for creating a connection
# with the daemon and kicking off scanning after an event has been processed.
# To prevent clamonacc from consuming all clamd's resources keep this lower
# than clamd's max threads.
# Default: 5
#OnAccessMaxThreads 10

# Max amount of time (in milliseconds) that the OnAccess client should spend
# for every connect, send, and recieve attempt when communicating with clamd
# via curl.
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000

# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# Default: no
#OnAccessDisableDDD yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user

# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# Default: no
#OnAccessPrevention yes

# When using prevention, if this option is turned on, any errors that occur
# during scanning will result in the event attempt being denied. This could
# potentially lead to unwanted system behaviour with certain configurations,
# so the client defaults this to off and prefers allowing access events in
# case of scan or connection error.
# Default: no
#OnAccessDenyOnError yes

# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# Default: no
#OnAccessExtraScanning yes

# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt (disable and ignore all options
# related to) the DDD system. This option will result in verdicts only.
# Note that prevention is explicitly disallowed to prevent common, fatal
# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
# made on vital system directories)
# It can be used multiple times.
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user

# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
Also, clamd@scan will not start:

systemctl status clamd@scan.service
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-03-20 16:43:51 GMT; 14s ago
  Process: 1851 ExecStart=/usr/sbin/clamd --foreground=yes (code=exited, status=203/EXEC)
 Main PID: 1851 (code=exited, status=203/EXEC)

Mar 20 16:43:51 server.com systemd[1]: clamd@scan.service: Main process exited, code=exited, status=203/EXEC
Mar 20 16:43:51 server.com systemd[1]: clamd@scan.service: Failed with result 'exit-code'.
Mar 20 16:43:51 server.com systemd[1]: clamd@scan.service: Service RestartSec=100ms expired, scheduling restart.
Mar 20 16:43:51 server.com systemd[1]: clamd@scan.service: Scheduled restart job, restart counter is at 5.
Mar 20 16:43:51 server.com systemd[1]: Stopped clamd scanner (scan) daemon.
Mar 20 16:43:51 server.com systemd[1]: clamd@scan.service: Start request repeated too quickly.
Mar 20 16:43:51 server.com systemd[1]: clamd@scan.service: Failed with result 'exit-code'.
Mar 20 16:43:51 server.com systemd[1]: Failed to start clamd scanner (scan) daemon.
The "clamd will not start" post mentions some solutions that may help with this "ERROR: Could not connect to clamd on LocalSocket" problem. One solution mentions making sure that neither of these two lines in the config file is commented out:

LocalSocket /tmp/clamd.socket
FixStaleSocket yes

and also running these commands:

mkdir /var/run/clamd
chown root:<same group name that clamd runs as> /var/run/clamd

then restarting the clamd service, and considering installing it via yum. In addition, the OP there created a systemd unit for clamd in /usr/lib/systemd/system with ExecStart = /usr/local/sbin/clamd. It also mentions running cat /etc/passwd to look at the clamav user's permissions and changing ownership back to the clamav user:

chown -R clamav.clamav /var/log/clamav/
chown -R clamav.clamav /var/run/clamav/
chown -R clamav.clamav /var/lib/clamav/
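The steps in the answer above (a LocalSocket line that is not commented out, a socket directory that exists and is owned by the account clamd runs as, and a unit whose ExecStart names the binary that is actually installed) can be checked before the next restart. The script below is an added example for this page, not code from the question, the answer, or the ClamAV project. It parses a clamd.conf and a clamd@.service unit and reports the conditions behind the two errors in the question: systemd's status=203/EXEC (the ExecStart program could not be executed, so clamd never ran and never created its socket) and clamdscan's "Could not connect to clamd on LocalSocket". The paths /etc/clamd.d/scan.conf and /usr/lib/systemd/system/clamd@.service are assumptions for a real host; the demo functions write constructed files into a temp dir, and the user name nosuchuser_clamd is invented for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the question, the answer, or the ClamAV project.
# Reads a clamd.conf and a clamd@.service unit and reports the conditions
# behind the two errors in the question: systemd's status=203/EXEC (execve of
# the ExecStart program failed) and clamdscan's "Could not connect to clamd on
# LocalSocket". Real inputs on an EPEL-style host would be /etc/clamd.d/scan.conf
# and /usr/lib/systemd/system/clamd@.service (assumed paths); the demo functions
# below build constructed files in a temp dir instead.

# conf_value FILE KEY: print the last uncommented value of KEY ("" if unset).
# clamd.conf is "Key Value" per line and a commented key starts with '#', so
# comparing the whole first field against KEY skips commented lines.
conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# unit_execstart UNIT: print the program named by the last ExecStart= line,
# with systemd's optional prefix characters (- @ + ! :) stripped.
unit_execstart() {
    sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# clamd_preflight CONF UNIT: print one FAIL/WARN line per finding; return 0
# only when nothing found would stop clamd from starting or being reached.
clamd_preflight() {
    conf=$1; unit=$2; rc=0
    sock=$(conf_value "$conf" LocalSocket)
    tcp=$(conf_value "$conf" TCPSocket)
    user=$(conf_value "$conf" User)
    logfile=$(conf_value "$conf" LogFile)
    bin=$(unit_execstart "$unit")

    # status=203/EXEC means execve() of ExecStart failed: typically a source
    # build put clamd under /usr/local while the unit names /usr/sbin/clamd.
    if ! [ -f "$bin" ] || ! [ -x "$bin" ]; then
        echo "FAIL: ExecStart program '$bin' is missing or not executable (systemd: status=203/EXEC)"
        rc=1
    fi

    # clamdscan needs an address to connect to: LocalSocket or TCPSocket.
    if [ -z "$sock" ] && [ -z "$tcp" ]; then
        echo "FAIL: neither LocalSocket nor TCPSocket is set; clamdscan has nothing to connect to"
        rc=1
    fi
    if [ -n "$sock" ]; then
        sockdir=$(dirname "$sock")
        case $sockdir in
        /tmp|/var/tmp)
            echo "WARN: LocalSocket $sock sits directly in a world-writable tmp directory; use a dedicated directory owned by the clamd user, and note that a unit with PrivateTmp=yes sees its own /tmp" ;;
        esac
        if ! [ -d "$sockdir" ]; then
            echo "FAIL: socket directory $sockdir does not exist; create it and chown it to the clamd user and group"
            rc=1
        fi
    fi

    # User: clamd drops privileges to this account, so it must exist.
    if [ -n "$user" ] && ! id "$user" >/dev/null 2>&1; then
        echo "FAIL: User $user does not exist"
        rc=1
    fi

    # LogFile: clamd opens it at startup, so its directory must exist.
    if [ -n "$logfile" ] && ! [ -d "$(dirname "$logfile")" ]; then
        echo "FAIL: LogFile directory $(dirname "$logfile") does not exist"
        rc=1
    fi
    return $rc
}

# demo_findings: constructed inputs mirroring the question (socket directly in
# /tmp, a unit naming a program that is not there, a User that does not exist).
# Prints 2 FAIL lines and 1 WARN line.
demo_findings() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/scan.conf" <<EOF
LogFile $tmp/clamd.log
#LocalSocket /run/clamd.scan/clamd.sock
LocalSocket /tmp/clamd.socket
LocalSocketMode 660
User nosuchuser_clamd
EOF
    printf '[Service]\nExecStart=%s/missing/clamd --foreground=yes\n' "$tmp" >"$tmp/clamd@.service"
    clamd_preflight "$tmp/scan.conf" "$tmp/clamd@.service" || true
    rm -rf "$tmp"
}

# demo_fixed: the same layout with the remedies applied (socket in its own
# directory, an existing user, a program that exists); returns 0.
demo_fixed() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/run"
    printf 'LogFile %s/clamd.log\nLocalSocket %s/run/clamd.sock\nUser %s\n' \
        "$tmp" "$tmp" "$(id -un)" >"$tmp/scan.conf"
    printf '[Service]\nExecStart=/bin/sh -c true\n' >"$tmp/clamd@.service"
    if clamd_preflight "$tmp/scan.conf" "$tmp/clamd@.service"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_findings
```

Order matters when reading the output: status=203/EXEC is systemd's code for a failed execve() of the ExecStart program, so the socket error in the question is a consequence of clamd never having run, not a separate fault, and the ExecStart path (or installing the package that provides /usr/sbin/clamd) is the first thing to fix. The check cannot prove two things the posted config leaves open: with LocalSocketMode 660 only the owner and the socket's group can talk to clamd, so a non-root clamdscan user needs to be in LocalSocketGroup (commented out in the posted file); and a socket placed directly in /tmp is reachable by anyone who can create files there, which is why a dedicated directory owned by the clamd account is the safer place for it.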
Supporting resources