Building a centralized virus-scanning mechanism through Python

Source: Internet
Author: User
Tags: virus scan, eicar

Clam AntiVirus (ClamAV) is a free, open-source antivirus engine; both the software and its virus signature database are maintained and released by the open-source community. ClamAV mainly provides virus scanning for Linux and Unix systems. pyClamd is a third-party Python module that lets Python drive the ClamAV scanning daemon (clamd) directly, which gives an efficient virus detection function.

I. Implementing centralized virus scanning

1. On the client (the virus scan source), install the ClamAV and clamd service packages:

# yum install clamav clamd clamav-update -y

# chkconfig clamd on

Update the virus database:

# /usr/bin/freshclam

Modify the configuration file so that clamd listens on all network addresses, then start the service. Listening on 0.0.0.0 makes port 3310 reachable from every network the host is attached to, so restrict it with a host firewall to the management server's address.

# sed -i -e '/^TCPAddr/{s/127.0.0.1/0.0.0.0/;}' /etc/clamd.conf

# /etc/init.d/clamd start

2. On the management (control) server, install the pyClamd module (reference: http://xael.org/pages/pyclamd-en.html):

# pip install pyclamd

Verify the installation:

>>> import pyclamd
>>> cd = pyclamd.ClamdAgnostic()
>>> cd.ping()
True

How it works: the management server runs multi-threaded Python code that connects to port 3310 of each business server, performs a virus scan and returns the results to the management server. Each business server must have the clamd packages installed and the service listening on port 3310 in order to receive instructions; the scanning strategy (scan target, scan mode, scan path, scan frequency, and so on) can be customized for different business environments.

Implementation code: simplel.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import time
import pyclamd
from threading import Thread

class Scan(Thread):    # inherit from the Thread class
    def __init__(self, ip, scan_type, file):
        """Constructor"""
        Thread.__init__(self)
        self.ip = ip
        self.scan_type = scan_type
        self.file = file
        self.connstr = ""
        self.scanresult = ""

    def run(self):
        """Thread run method"""
        try:
            cd = pyclamd.ClamdNetworkSocket(self.ip, 3310)
            # check connectivity
            if cd.ping():
                self.connstr = self.ip + " connection [OK]"
                # reload the clamd virus signature database
                cd.reload()
                # select the scan mode
                if self.scan_type == "contscan_file":
                    self.scanresult = "{0}\n".format(cd.contscan_file(self.file))
                elif self.scan_type == "multiscan_file":
                    self.scanresult = "{0}\n".format(cd.multiscan_file(self.file))
                elif self.scan_type == "scan_file":
                    self.scanresult = "{0}\n".format(cd.scan_file(self.file))
                time.sleep(1)
            else:
                self.connstr = self.ip + " ping error, exit"
                return
        except Exception as e:
            self.connstr = self.ip + " " + str(e)

ips = ['172.16.65.201', '172.16.65.202']    # list of hosts to scan
scantype = "multiscan_file"    # scan mode: multiscan_file, contscan_file or scan_file
scanfile = "/usr/local/bin"    # path to scan
i = 1
threadnum = 2    # number of threads to start
scanlist = []    # list of Scan thread objects
for ip in ips:
    # pass the values into the class and instantiate an object
    currp = Scan(ip, scantype, scanfile)
    scanlist.append(currp)    # append the object to the list
    # start the threads once threadnum objects are queued or the IP list is exhausted
    if i % threadnum == 0 or i == len(ips):
        for task in scanlist:
            task.start()    # start the thread
        for task in scanlist:
            task.join()    # wait for every child thread to exit, then output the scan results
            print(task.connstr)    # print the server connection information
            print(task.scanresult)    # print the scan result
        scanlist = []
    i += 1

After installing the pyClamd module on a host where ClamAV is installed, the EICAR() method can be used to generate a file, /tmp/eicar, carrying the test virus signature, with the following code (or copy the string shown below into the file):

>>> import pyclamd
>>> cd = pyclamd.ClamdAgnostic()
>>> void = open('/tmp/eicar', 'w').write(cd.EICAR())

This produces the string carrying the test signature shown below; copy the file /tmp/eicar into the scan directory of the target host for testing.
# cat /tmp/eicar
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Finally, start the scanner. In this exercise two threads are enabled; the number can be adjusted freely according to the number of target hosts. The result of running the code is as follows:
# python simplel.py
172.16.65.200 connection [OK]
{u'/usr/local/bin/eicar': ('FOUND', 'Eicar-Test-Signature')}

Reference: Http://www.tuicool.com/articles/uQZzyqA

------------------------------------------------------------------

Description of the common pyClamd module methods:

pyClamd provides two key classes: ClamdNetworkSocket(), which operates clamd over a network socket, and ClamdUnixSocket(), which operates clamd over a UNIX socket. The two classes define exactly the same methods, so this section describes only the ClamdNetworkSocket() class.

__init__(self, host='127.0.0.1', port=3310, timeout=None) is the initialization method of the ClamdNetworkSocket class; host and port should match the TCPAddr and TCPSocket parameters in the /etc/clamd.conf configuration file, and timeout is the connection time-out.

The contscan_file(self, file) method scans the specified file or directory; scanning does not stop when an error occurs or a virus is found. The parameter file (string) is the absolute path of the file or directory.

The multiscan_file(self, file) method scans the specified file or directory using multiple threads, which is faster in a multi-core environment; scanning does not stop when an error occurs or a virus is found. The parameter file (string) is the absolute path of the file or directory.

The scan_file(self, file) method scans the specified file or directory; scanning stops as soon as an error occurs or a virus is found. The parameter file (string) is the absolute path of the file or directory.

The shutdown(self) method forces the clamd process to close and exit.

The stats(self) method gets the current state of clamscan.

The reload(self) method forces clamd to reload its virus signature database; a reload is recommended before scanning.

The EICAR(self) method returns the EICAR test string, a string carrying a test virus signature, for convenient testing.
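The following is an added example, not code from this page or from the pyClamd project. It restates the management-server logic of simplel.py above on top of concurrent.futures, exercises the ping(), reload() and scan-mode methods described in this section, and aggregates each host's pyclamd-style result into counts, handling a host that does not answer PING and a host with nothing listening on 3310. The make_client factory and the FakeClamd class are assumptions so that it runs offline; against real business servers, pass pyclamd.ClamdNetworkSocket as make_client.

```python
from concurrent.futures import ThreadPoolExecutor
SCAN_MODES = ("scan_file", "contscan_file", "multiscan_file")

def scan_host(make_client, ip, scan_type, path, port=3310):
    """Scan `path` on one business server. Returns (ip, status, findings), where
    findings is {file: (verdict, detail)} in pyclamd's format ({} when clean)."""
    if scan_type not in SCAN_MODES:
        raise ValueError("unsupported scan mode: %s" % scan_type)
    try:
        cd = make_client(ip, port)               # e.g. pyclamd.ClamdNetworkSocket
        if not cd.ping():
            return ip, "ping error", {}
        cd.reload()                              # refresh signatures before scanning
        findings = getattr(cd, scan_type)(path)  # pyclamd returns None when clean
        return ip, "connection [OK]", findings or {}
    except Exception as e:                       # refused, timed out, protocol error
        return ip, "error: %s" % e, {}

def scan_fleet(make_client, ips, scan_type, path, threadnum=2):
    """Fan the scan out to every host with at most `threadnum` scans in flight."""
    with ThreadPoolExecutor(max_workers=threadnum) as pool:
        return list(pool.map(lambda ip: scan_host(make_client, ip, scan_type, path), ips))

def summarize(results):
    """Collapse per-host results into {ip: {"status", "found", "errors"}} counts."""
    summary = {}
    for ip, status, findings in results:
        verdicts = [v[0] for v in findings.values()]
        summary[ip] = {"status": status,
                       "found": verdicts.count("FOUND"),
                       "errors": verdicts.count("ERROR")}
    return summary

class FakeClamd:
    """Constructed stand-in for pyclamd.ClamdNetworkSocket so the example runs offline."""
    RESPONSES = {
        "172.16.65.201": {"/usr/local/bin/eicar": ("FOUND", "Eicar-Test-Signature")},
        "172.16.65.202": None,      # clean host: pyclamd returns None
        "172.16.65.203": "down",    # clamd installed but not answering PING
    }
    def __init__(self, ip, port=3310):
        if ip not in self.RESPONSES:  # nothing listening on 3310 at all
            raise ConnectionRefusedError("%s:%d connection refused" % (ip, port))
        self.ip = ip
    def ping(self):
        return self.RESPONSES[self.ip] != "down"
    def reload(self):
        return "RELOADING"
    def multiscan_file(self, path):
        return self.RESPONSES[self.ip]
    scan_file = contscan_file = multiscan_file
```

Calling scan_fleet(FakeClamd, [...], "multiscan_file", "/usr/local/bin") and passing the list to summarize() gives one status line per host, with the infected-file count separated from scan errors.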
