python 使用ClamAV实现病毒扫描（pyClamad）

Posted 2020-11-07

首先安装clamav

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y

sed -i  's/^Example/#Example/g' /etc/freshclam.conf        #必须关闭Example 否则启动会失败

sed -i  's/^Example/#Example/g' /etc/clamd.d/scan.conf

systemctl enable [email protected]

ln -s /usr/lib/systemd/system/[email protected] /etc/systemd/system/multi-user.target.wants/[email protected]

修改配置

cat /etc/clamd.d/scan.conf |grep -v "#"|grep -v "^$"

LogSyslog yes

LocalSocket /var/run/clamd.scan/clamd.sock        #使用本地socket

TCPAddr 0.0.0.0        #监听地址

User clamscan

AllowSupplementaryGroups yes

更新病毒库

/usr/bin/freshclam  

启动

systemctl start [email protected]

systemctl status [email protected]

##注意：被检测的机器必须安装并启动[email protected]    3310端口正常  才能被下面例子中的脚本检测

安装pyClamd

下载模块

打开 https://pypi.org/project/pyClamd/#files

wget https://files.pythonhosted.org/packages/13/73/97a0518b59f1b6aefa2ac851566038d2c9128f8a5503bcf4cd0adf8b0072/pyClamd-0.4.0.tar.gz

tar zxf pyClamd-0.4.0.tar.gz

cd pyClamd-0.4.0

python setup.py install

检测脚本示例：

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import time
import pyclamd
from threading import Thread

class Scan(Thread):
        def __init__ (self,IP,scan_type,file):
                Thread.__init__(self)
                self.IP=IP
                self.scan_type=scan_type
                self.file=file
                self.connstr=""
                self.scanresult=""

        def run(self):
                try:
                        cd=pyclamd.ClamdNetworkSocket(self.IP,3310)
                        if cd.ping():
                                self.connstr=self.IP+" connection [ok]"
                                cd.reload()
                                if self.scan_type=="contscan_file":
                                        self.scanresult="{0}\n".format(cd.contscan_file(self.file))
                                elif self.scan_type=="multiscan_file":
                                        self.scanresult="{0}\n".format(cd.multiscan_file(self.file))
                                elif self.scan_type=="scan_file":
                                        self.scanresult="{0}\n".format(cd.scan_file(self.file))
                                time.sleep(1)
                        else:
                                self.connstr=self.IP+" ping error,exit"
                                return
                except Exception,e:
                        self.connstr=self.IP+" "+str(e)

IPS=['192.168.1.124','192.168.1.116']
scantype="multiscan_file"
scanfile="/home/python/test"
i=1

threadnum=2
scanlist=[]

for ip in IPS:
        currp=Scan(ip,scantype,scanfile)
        scanlist.append(currp)
        if i%threadnum==0 or i==len(IPS):
                for task in scanlist:
                        task.start()
                for task in scanlist:
                        task.join()
                        print task.connstr
                        print task.scanresult
                scanlist=[]
        i+=1

执行命令 生产病毒测试文件

Python 2.7.5 (default, Oct 11 2015, 17:47:16) 
[GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyclamd
>>> cd=pyclamd.ClamdNetworkSocket()
>>> void = open('/home/python/test/EICAR','w').write(cd.EICAR())
>>>

执行脚本检测病毒

python clamd.py
192.168.1.124 connection [ok]
{u'/home/python/test/EICAR': ('FOUND', 'Eicar-Test-Signature')}

192.168.1.116 Could not reach clamd using network (192.168.16.116, 3310)

信息显示1.124机器上发现病毒测试文件

1.116机器上没有连接成功         #被检测机器上必须安装clamav 并启动了3310端口