ClamAV installation use and API examples

ClamAV is an open source antivirus engine developed by the Sourcefire organization, and Sourcefire is also the owner of the snort intrusion detection engine. ClamAV provides a faster and more flexible framework for detecting malicious code and software products. Can be used as an existing desktop, file server, mail server and other anti-virus scanning software in the context of anti-virus scanning software tools or alternative products. Also included in the ClamAV package are the LIBCLAMAV library and the command line executable interface. The Freshclam command line tool is also provided to ensure the update of the feature library.

The latest version of ClamAV can be obtained in http://www.clamav.net/download/sources/. It can also be installed automatically through the program manager. In the Ubuntu system, you can install it automatically by entering a command:

$ apt-get Install ClamAV Clamav-freshclam

Let's talk about the ClamAV installation process (using the clamav-0.98.6 version):

(1) Download and unzip the clamav-0.98.6.tar.gz:

# tar vxf clamav-0.98.6.tar.gz

(2) Add user groups ClamAV and group members ClamAV:

# Groupadd ClamAV

# useradd–g ClamAV ClamAV

(3) Enter the extracted directory (the source file is placed in/USR/LOCAL/SRC), and configure the software as follows:

#./configure--prefix=/usr/local/clamav

An error occurred: OpenSSL not found

The development package for OpenSSL is not installed and can be installed:

Apt-get Install Libssl-dev

(4) Compile, install:

Make

Make install

At this point, you cannot use the./clamscan to scan can file, because no feature library can be loaded into the system, the program by default in the Share Directory ClamAV folder load feature library, you need to manually add a ClamAV folder under the above path, and ensure that CLAMAV users can read and write to the folder.

(5) Add two log files under the/var/log/directory: Clam.log and Clam-update.log, the owner is the ClamAV user, and the read and write permissions are guaranteed.

(6) Modify/usr/local/clamav/etc/clam.conf will start the line with "Example" with # comment out.

(7) Modify/usr/local/clamav/etc/freshclam.conf will start the line with "Example" with # comment out. Modify Updatelogfile/var/log/freshclam.log to Updatelogfile/var/log/clam-update.log

(8) Upgrade the virus database with Freshclam:

$ freshclam

Freshclam run, the share directory under the ClamAV folder already has the latest feature library files, the following can be used to scan the file with the Clamscan command

LIBCLAMAV Library API

The LIBCLAMAV Library API provides a variety of function interfaces for virus scanning. The LIBCLAMAV library uses a virus scanning method (Virus Scanner). The feature strings extracted from the virus are organized together with a certain format and signature protection forms the virus database, and the ClamAV used by the virus database is generally suffixed with a. CVD file.

Before using LIBCLAMAV, you must call the Cl_init () function to initialize, and after the initialization succeeds, you can call the Cl_engine_new () function to create a new scan engine. After the scan is finished, you need to call Cl_engine_free () to release the engine structure. The prototypes of these three functions are as follows:

int cl_init (unsigned int options);
struct Cl_engine *cl_engine_new (void);
int Cl_engine_free (struct cl_engine *engine);

Cl_init () and Cl_engine_free () two functions if the call succeeds, it returns cl_success, and if another code is returned, the function call fails.

The arguments of the Cl_init function are passed into the cl_init_default.

Cl_engine_new () If the call succeeds, it returns a pointer to the struct cl_engine struct, or null if it fails.

Once the new scan engine is available, the feature library needs to be loaded, and CLAMAV provides two functions:

const char *cl_retdbdir (void);
int cl_load (const char *path, struct cl_engine *engine,
unsigned int *signo, unsigned int options);

Cl_retdbdir returns the default path for the ClamAV feature library.

The Cl_load function loads a single signature file, or several feature files (the given argument is a folder), based on the specific feature library path given. The second parameter is passed to Cl_engine_new, the third parameter is the number of signatures that are loaded, and the last parameter is the loaded option, which is generally passed into the cl_db_stdopt.

After completing the above steps, you need to call the Cl_engine_compile () function to prepare for the final file scan before the function prototype is:

int cl_engine_compile (struct cl_engine *engine);

Now, you can scan the file, the file scanning function is Cl_scanfile, the function prototype is:

int cl_scanfile (const char *filename, const char **virname,
unsigned long int *scanned, const struct Cl_engine *engine,
unsigned int options);

One thing to note about this function is that virname in the function points to the memory of the engine structure that represents the target scan file name and cannot be released directly. The last parameter is passed in to Cl_scan_stdopt, which is configured by default.

There is also a function that does not describe:

Cl_strerror (), you can convert the error code returned by the correlation function that is not a cl_success value to a string that describes the error.

Here is an example program that uses Libclamav's API function to scan a file, just shows how to use the API for file scanning of the simplest process, the path, such as the use of hard-coded, the actual use can be modified accordingly.

Experiment with a sample file, compile with parameter-lclamav, and ensure that you can find the required. So files and clamav.h files, and get the results as follows:

More details Next Update

ClamAV installation use and API examples