
Linux

mod_clamav

CHOMAN 2019. 10. 15. 22:07


Download

https://fossies.org/linux/www/apache_httpd_modules/mod_clamav-0.23.tar.gz

Original source (installation reference)

https://dokuwiki.tachtler.net/doku.php?id=tachtler:apache_http_server_centos_6_-_mod_clamav_-_virenscanner_einbindung

Installation (tested on AWS, CentOS 6)

Prerequisites

yum install epel-release

yum install gcc httpd httpd-devel clamav clamav-devel make wget clamd

wget https://fossies.org/linux/www/apache_httpd_modules/mod_clamav-0.23.tar.bz2

tar xvfj mod_clamav-0.23.tar.bz2

Build and install (inside the extracted mod_clamav-0.23 directory)

./configure --with-apache=/usr/sbin/httpd --with-apxs=/usr/sbin/apxs
make
make install

Verify the installation

[root@ip-172-31-44-231 mod_clamav-0.23]# ll /usr/lib64/httpd/modules/mod_clamav.so
-rwxr-xr-x 1 root root 172278 2019-10-16 11:25 /usr/lib64/httpd/modules/mod_clamav.so

[root@ip-172-31-44-231 mod_clamav-0.23]# cat /etc/httpd/conf/httpd.conf | grep clamav
LoadModule clamav_module      /usr/lib64/httpd/modules/mod_clamav.so

Copy the sample (conf) files

[root@ip-172-31-44-231 mod_clamav-0.23]# cp sample.conf /etc/httpd/conf.d/
[root@ip-172-31-44-231 mod_clamav-0.23]# cp safepatterns.conf /etc/httpd/conf/

sample.conf : the module's configuration file
safepatterns.conf : a whitelist, i.e. leading-byte (file magic) patterns whose matches skip scanning

Edit sample.conf (the upstream sample as shipped; its multi-line ClamavMessage contains unescaped inner quotes, which the clamav-msg.conf further down escapes)

#
# sample mod_clamav configuration
#
# (c) 2004 Dr. Andreas Mueller, Beratung und Entwicklung
#
# $Id: sample.conf,v 1.1 2004/03/21 23:25:53 afm Exp $
#

# make install adds the module to httpd.conf, so the following
# load directive is very seldom needed
#LoadModule clamav_module      modules/mod_clamav.so

# specify the directory where the module should place files during download
ClamavTmpdir    /var/tmp

# the db directory is only needed in local mode
ClamavDbdir     /usr/lib/clamav

# bypass scanning by Content-Type. Note: the registered type for JPEG is
# image/jpeg; image/jpg as written only matches servers that send that non-standard label
ClamavSafetypes image/jpg

# make sure we use the clamav daemon on socket /tmp/clamd
ClamavMode      daemon
ClamavSocket    /var/run/clamav/clamd.sock

# trickle something to the browser every 10 seconds, and cap the amount of
# data scanned at ClamavSizelimit (20480000 here; the upstream comment's
# "1 MB" does not match this value)
ClamavTrickleInterval   10
ClamavTrickleSize       1024
ClamavSizelimit         20480000

# names for shared memory and mutex. Note that we don't know exactly what
# apache does in the background. However, we should make sure that apache
# can create these files if necessary
ClamavShm       logs/clamav.shm
ClamavMutex     logs/clamav.lock

# if the daemon crashes, we will have a problem connecting to it. "on"
# tolerates that and lets the response through unscanned (fail open); the
# upstream sample accepts this because it serves no PCs
ClamavAcceptDaemonproblem       on

#  we would like to get a more complete log file
ClamavExtendedLogging   on
LogFormat "%t %!304{clamav:status}n %{clamav:details}n %{clamav:virusname}n request=\"%r\", status=%>s, sent=%!304b, delay=%!304D" clamav_stats
CustomLog logs/scan_log clamav_stats

# make sure proxy data is filtered
<Proxy *>
    SetOutputFilter     CLAMAV
</Proxy>

# define the location for status information
<Location /clamav>
        SetHandler      clamav
        allow from all
</Location>

# safe patterns are much better than ClamavSafetypes
Include conf/safepatterns.conf

# we have a customized message in case we find a virus
ClamavMessage "
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<title>%i found virus</title>
</head>
<body text="#000000" bgcolor="#ffffff">
<basefont size="4">
<h1><center>%i found virus</center></h1>
<p>The virus <b>%v</b> was found while downloading <i>%u</i>.
The transfer has been aborted.</p>
</basefont>
</body>
</html>
"

Bottom line: installation and activation worked, but virus detection failed (the current configuration files are shared below).

httpd.conf

LoadModule clamav_module      /usr/lib64/httpd/modules/mod_clamav.so

sample.conf

<IfModule mod_clamav.c>

# specify the directory where the module should place files during download
ClamavTmpdir    /var/tmp

# the db directory is only needed in local mode
ClamavDbdir     /var/lib/clamav

# bypass scanning by Content-Type. Note: the registered type for JPEG is
# image/jpeg; image/jpg as written only matches servers that send that non-standard label
ClamavSafetypes image/jpg

# talk to the clamav daemon over its unix socket. The commented-out lines
# are the alternatives: ClamavPort 3310 for a TCP connection to clamd, or
# ClamavMode local to scan in-process with libclamav (the mode in which
# ClamavDbdir matters)
ClamavMode      daemon
ClamavSocket    /var/run/clamav/clamd.sock
#ClamavMode      local
#ClamavPort 3310

# trickle something to the browser every second (lowered from the sample's
# 10), and cap the amount of data scanned at ClamavSizelimit (20480000)
ClamavTrickleInterval   1
ClamavTrickleSize       1024
ClamavSizelimit         20480000

# names for shared memory and mutex. The parent httpd runs as root, but the
# workers run as the httpd user (apache on CentOS) and must be able to create
# or open these files; the "cannot create mutex /tmp/clamav.lock" error logged
# below names this ClamavMutex path
ClamavShm       /tmp/clamav.shm
ClamavMutex     /tmp/clamav.lock

# if the daemon crashes, we will have a problem connecting to it. "on"
# tolerates that and lets the response through unscanned (fail open); turn
# it off if an unreachable clamd should block downloads instead
ClamavAcceptDaemonproblem       on

#  we would like to get a more complete log file
ClamavExtendedLogging   on
LogFormat "%t %!304{clamav:status}n %{clamav:details}n %{clamav:virusname}n request=\"%r\", status=%>s, sent=%!304b, delay=%!304D" clamav_stats
CustomLog logs/scan_log clamav_stats

Include conf/clamav-safe.conf
Include conf/clamav-msg.conf
</IfModule>

clamav-safe.conf

#
# Start of ClamavSafepatterns
#
# The first entry matches all objects that contain only ASCII
# characters (0x20<=char<=0x74 and CR,LF,TAB) in the first
# 16 bytes. All other entries are derived from the magic
# patterns of the file(1) utility.
#
# (c) 2004 Andreas Steinmetz, contributed to the mod_clamav project
# $Id: safepatterns.conf,v 1.2 2004/03/18 23:36:20 afm Exp $
#
<IfModule mod_clamav.c>
# This pattern means that text is acceptable. This causes all .html (with
# JavaScript included), all *.js and *.vbs to be bypassed. Maybe not
# very secure, hence switched off by default. BTW, with this enabled
# eicar.com will no longer be recognized, as eicar.com is a text file.
#ClamavSafepattern text

# with some paranoia, you will not trust a PDF, since at least in principle
# it has the ability to run certain scripts
ClamavSafepattern pdf "%PDF"
ClamavSafepattern dvi "\xf7\x02"
# image formats are quite safe. JPEG files begin with the SOI marker \xff\xd8;
# a pattern starting \xff\xf8 never matches one, so JPEGs would still be scanned
ClamavSafepattern jpeg-jfif "\xff\xd8\x00\x00\x00\x00JFIF" "\xff\xff\x00\x00\x00\x00"
ClamavSafepattern jpeg-exif "\xff\xd8\x00\x00\x00\x00Exif" "\xff\xff\x00\x00\x00\x00"
ClamavSafepattern jpeg-2000 "\x00\x00\x00\x0c\x6a\x50\x20\x20\x0d\x0a\x87\x0a"
ClamavSafepattern gif87a "GIF87a"
ClamavSafepattern gif89a "GIF89a"
ClamavSafepattern png "\x89PNG\x0d\x0a\x1a\x0a"

# streaming formats: they are a real pain with trend micro viruswall
ClamavSafepattern mpeg-video "\x00\x00\x01\xb3"
ClamavSafepattern mpeg-system "\x00\x00\x01\xba"
ClamavSafepattern mpeg-transport "\x47\x40\x00\x10" "\xff\x5f\xff\x1f"
ClamavSafepattern mpeg1-l3 "\xff\xfa" "\xff\xfe"
ClamavSafepattern mpeg1-l2 "\xff\xfc" "\xff\xfe"
ClamavSafepattern mpeg2-l3 "\xff\xf2" "\xff\xfa"
ClamavSafepattern mpeg2-l2 "\xff\xf4" "\xff\xfc"
ClamavSafepattern dif "\x1f\x07\x00"
ClamavSafepattern asf "\x30\x26\xb2\x75"
ClamavSafepattern mng "\x8aMNG\x0d\x0a\x1a\x0a"
ClamavSafepattern riff "RIFF"
ClamavSafepattern ogg "OggS"
ClamavSafepattern realaudio "\x2e\x72\x61\xfd"
ClamavSafepattern realmedia ".RMF"
ClamavSafepattern midi "MThd"
ClamavSafepattern quicktime "MOVI"
ClamavSafepattern quicktime "moov"
ClamavSafepattern quicktime "mdat"
ClamavSafepattern flash "FWS"
ClamavSafepattern smjpeg "\x00\x0aSMJPEG" 
ClamavSafepattern flac "fLaC"
ClamavSafepattern sunaudio ".snd"
ClamavSafepattern decaudio "\x2e\x73\x64\x00"
ClamavSafepattern mp3-id3v2 "ID3"
ClamavSafepattern nesaudio "NESM\x1a"
ClamavSafepattern ac3 "\x0b\x77"
ClamavSafepattern iff "FORM"
ClamavSafepattern tiff-le "II\x2a\x00"
ClamavSafepattern tiff-be "MM\x00\x2a"
ClamavSafepattern miff "id=ImageMagick"
ClamavSafepattern bmp "BM"

# There does exist some Java malware, so you may not want to enable this,
# it is turned off by default
#ClamavSafepattern java "\xca\xfe\xba\xbe"
</IfModule>
#
# End of ClamavSafepatterns
#
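Every ClamavSafepattern entry above is a check on the first bytes of the response body, and several of the magics are only two to four bytes long ("BM", "FWS", "RIFF", "FORM"). The following script is an added example, not code from the post or from mod_clamav: a POSIX sh model of how I read the matching rule (pattern compared against the leading bytes; where a mask is given, data byte and pattern byte are ANDed with the mask byte first; bytes past the end of the mask compare exactly). That rule is an assumption taken from the jpeg entries' masks, not verified against the module source. The sample files are constructed in a temp directory; the point is that the EICAR test string behind a two-byte "BM" prefix is classified as bmp and would never reach clamd, while the bare eicar.com matches nothing and is scanned.

```shell
#!/bin/sh
# Added example: POSIX-sh model of ClamavSafepattern prefix matching.
# Not mod_clamav code; the mask semantics are an assumption (see lead-in).

bs=\\   # a literal backslash, used to spot "\xHH" escapes portably

# "\x89PNG\x0d" -> "89 50 4e 47 0d" (hex text only, so NUL bytes need no care)
pat_to_hex() {
  s=$1; out=""
  while [ -n "$s" ]; do
    case $s in
      "$bs"x??*)
        rest=${s#"$bs"x??}; hexpair=${s%"$rest"}; hexpair=${hexpair#"$bs"x}
        out="$out $hexpair"; s=$rest ;;
      *)
        rest=${s#?}; ch=${s%"$rest"}
        out="$out $(printf '%02x' "'$ch")"; s=$rest ;;
    esac
  done
  printf '%s' "${out# }"
}

# safepattern_matches FILE PATTERN [MASK] -> exit 0 if FILE's leading bytes match
safepattern_matches() {
  sp_file=$1
  sp_pat=$(pat_to_hex "$2")
  sp_mask=""
  if [ -n "${3:-}" ]; then sp_mask=$(pat_to_hex "$3"); fi
  sp_n=0; for b in $sp_pat; do sp_n=$((sp_n + 1)); done
  # only the first sp_n bytes of the file are ever looked at
  set -- $(od -An -v -tx1 -N "$sp_n" "$sp_file")
  [ "$#" -ge "$sp_n" ] || return 1
  for pb in $sp_pat; do
    db=$1; shift
    mb=ff                                   # no mask byte: compare exactly
    if [ -n "$sp_mask" ]; then
      mb=${sp_mask%% *}; sp_mask=${sp_mask#"$mb"}; sp_mask=${sp_mask# }
    fi
    [ $(( 0x$db & 0x$mb )) -eq $(( 0x$pb & 0x$mb )) ] || return 1
  done
  return 0
}

# A subset of the clamav-safe.conf entries above, as name|pattern|mask
SAFEPATTERNS='
png|\x89PNG\x0d\x0a\x1a\x0a|
gif89a|GIF89a|
jpeg-jfif|\xff\xd8\x00\x00\x00\x00JFIF|\xff\xff\x00\x00\x00\x00
riff|RIFF|
bmp|BM|
'

# Name of the first safepattern FILE satisfies, or "none" (= would be scanned)
first_safepattern() {
  hit=$(printf '%s\n' "$SAFEPATTERNS" | while IFS='|' read -r name pat mask; do
    [ -n "$name" ] || continue
    if safepattern_matches "$1" "$pat" "$mask"; then printf '%s' "$name"; break; fi
  done)
  printf '%s\n' "${hit:-none}"
}

# Constructed sample files (not real downloads); EICAR is the standard AV test string.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
make_samples() {
  printf '\211PNG\r\n\032\nIHDR' > "$1/image.png"     # genuine PNG signature
  printf '%s' "$EICAR"           > "$1/eicar.com"     # bare test file
  printf 'BM%s' "$EICAR"         > "$1/bm-eicar.bin"  # test file behind a 2-byte BMP magic
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in image.png eicar.com bm-eicar.bin; do
  printf '%-13s -> %s\n' "$f" "$(first_safepattern "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Whatever the exact matching code in the module, the shape of the bypass is the same: content that starts with a whitelisted magic is handed to the browser without ever being sent to clamd, and an attacker who controls the bytes of a download controls its first two bytes. Before enabling an entry, test it with the EICAR string placed behind that magic through the filtered vhost, and keep the list to formats whose magic is long and whose files the served application genuinely needs to stream.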

clamav-msg.conf

<IfModule mod_clamav.c>
ClamavMessage "\
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\
<html>\
<head>\
<title>%i found virus</title>\
</head>\
<body text=\"#000000\" bgcolor=\"#ffffff\">\
<basefont size=\"4\">\
<h1><center>%i found virus</center></h1>\
<p>The virus <b>%v</b> was found while downloading <i>%u</i>.\
The transfer has been aborted.</p>\
</basefont>\
</body>\
</html>\
"
</IfModule>

httpd.conf

<VirtualHost *:80>
  ServerAdmin 
  DocumentRoot 
  ServerName   
  ServerAlias  
  ErrorLog 
  CustomLog 
  SetOutputFilter     CLAMAV
</VirtualHost>

Apache error log (repeats continuously)

[Mon Oct 21 11:24:51 2019] [error] [client <client-ip>] [19343] cannot create mutex /tmp/clamav.lock, referer: http://<site-address>
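The bracketed PID and the referer in that line show the error is raised inside a worker process while it serves a request, and on CentOS 6 the workers run as the httpd user while the parent that started first runs as root. The checks a practitioner would run next are therefore: who owns /tmp/clamav.lock and /tmp/clamav.shm if they already exist, whether the worker user can create files in that directory, whether it can open the clamd socket, and whether a download of the EICAR test string through the filtered vhost is actually replaced by the ClamavMessage page. The script below is an added example, not from the post or from mod_clamav; the paths mirror the sample.conf above, while HTTPD_USER, the script name and the test URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the post or from mod_clamav: preflight checks for the
# "cannot create mutex /tmp/clamav.lock" failure plus an end-to-end detection check.
# Run it as root and again as the worker user, e.g.
#   su -s /bin/sh apache -c 'sh mod_clamav_preflight.sh http://HOST/eicar.com'
# (the script name, user and URL are assumptions).

CLAMAV_MUTEX=${CLAMAV_MUTEX:-/tmp/clamav.lock}
CLAMAV_SHM=${CLAMAV_SHM:-/tmp/clamav.shm}
CLAMAV_SOCKET=${CLAMAV_SOCKET:-/var/run/clamav/clamd.sock}
HTTPD_USER=${HTTPD_USER:-apache}   # assumption: CentOS 6 httpd workers run as "apache"

# path_owner_check PATH USER-OR-UID -> prints missing | ok | owned-by:<uid>
# A root-owned leftover from an earlier start is a classic reason a worker
# running as the httpd user cannot (re)create the lock file.
path_owner_check() {
  poc_path=$1
  poc_want=$(id -u "$2" 2>/dev/null || printf '%s' "$2")
  [ -e "$poc_path" ] || { printf 'missing\n'; return 0; }
  poc_have=$(stat -c %u "$poc_path")          # GNU stat, as on CentOS
  if [ "$poc_have" = "$poc_want" ]; then
    printf 'ok\n'
  else
    printf 'owned-by:%s\n' "$poc_have"
  fi
}

# parent_writable PATH -> 0 if the current user can create PATH in its directory
parent_writable() {
  pw_dir=$(dirname "$1")
  [ -d "$pw_dir" ] && [ -w "$pw_dir" ] && [ -x "$pw_dir" ]
}

# socket_usable PATH -> 0 if PATH is a unix socket the current user may open
socket_usable() {
  [ -S "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# eicar_blocked URL -> 0 if fetching URL through the CLAMAV output filter yields
# the ClamavMessage page ("found virus" is in its <title> above) instead of the
# file. Serve the EICAR test string as eicar.com from the filtered vhost first.
eicar_blocked() {
  curl -s --max-time 30 "$1" | grep -q 'found virus'
}

report() {
  me=$(id -un 2>/dev/null || id -u)
  printf 'running as %s\n' "$me"
  for p in "$CLAMAV_MUTEX" "$CLAMAV_SHM"; do
    printf '%-26s owner: %-14s parent writable by %s: ' \
      "$p" "$(path_owner_check "$p" "$HTTPD_USER")" "$me"
    if parent_writable "$p"; then echo yes; else echo NO; fi
  done
  printf '%-26s usable by %s: ' "$CLAMAV_SOCKET" "$me"
  if socket_usable "$CLAMAV_SOCKET"; then echo yes; else echo NO; fi
}

report
if [ -n "${1:-}" ]; then
  if eicar_blocked "$1"; then
    echo "EICAR via $1: blocked"
  else
    echo "EICAR via $1: NOT blocked"
  fi
fi
```

If the run as the worker user shows "owned-by:0" for the lock file or "NO" for the directory, point ClamavShm and ClamavMutex at a directory the worker user owns (and check audit.log for SELinux denials if the file system permissions look right); if the socket line says "NO", fix the socket's group or mode in clamd's configuration before blaming the module. Only once both are clean is a "NOT blocked" from the EICAR check telling you something about scanning itself rather than about the mutex.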

In the end, it did not work.
