Excerpt from: "ClamAV virus scanner", a chapter of Linux Security System (http://www.shangshuwu.cn/index.php/Linux security system)
ClamAV is a typical anti-virus package with an extensive, GPL-licensed open source code base. It supports a wide range of platforms, such as Windows, Linux and UNIX, and integrates with other applications such as mail clients and servers and HTTP virus-scanning proxies. The ClamAV source code can be downloaded from http://www.clamav.net.
This chapter analyzes the ClamAV client, the server and the virus database update application, focusing on the many classic usages of C programming under Linux that they illustrate.
Contents
1 ClamAV overview
2 ClamAV compilation, installation and use
2.1 clamd backend and clamdscan client
2.2 clamav-milter mail scanner
2.3 Establishing automatic virus library updates
2.4 libclamav library API
3 clamd server
3.1 Application command parameter analysis
3.2 clamd server entry function clamd
3.3 Setting system limits and determining resource usage
3.4 Configuration file parsing
3.5 Log file creation
3.6 Using the syslog mechanism to output debugging information
3.7 User group and file permission settings
3.8 Process daemonization
3.9 Using sockets for interprocess communication
3.9.1 (1) clamd server socket connection
3.9.2 (2) clamd sending and receiving data over a socket
3.9.3 (3) Socket descriptor multiplexing
3.9.4 (4) Using a temporary socket to transfer data
3.10 Subprocesses executing system commands and environment variable settings
3.11 Threads
3.11.1 (1) Thread creation and thread attributes
3.11.2 (2) Thread termination
3.11.3 (3) Cancelling a thread
3.11.4 (4) Waiting for a thread
3.11.5 (5) Mutexes
3.11.6 (6) Thread data
3.12 Thread pool
3.13 Signal processing
3.14 On-access virus scanning thread clamukoth
3.15 Automatic restart protection for the server process
3.15.1 (1) Cron timing mechanism
3.15.2 (2) Periodic check of the clamd background process
3.15.3 (3) Run script clamd
4 libclamav library API
4.1 Virus library loading
4.2 Virus scanning
5 Client-side applications
5.1 clamdscan client
5.2 qtclamavclient client application
6 Virus library upgrade: freshclam
6.1 Regular virus library updates
6.2 Domain name information query
6.2.1 (1) DNS message format and domain name query function
6.2.2 (2) Download management function downloadmanager
6.2.3 (3) Domain name query function txtquery
6.3 Downloading virus library files over the HTTP protocol
1 ClamAV Overview
Computer anti-virus methods generally include the comparison method, the file checksum method, the virus scanning method and the virus behaviour monitoring method.
The comparison method includes length comparison, content comparison, memory comparison and interrupt comparison. Length comparison checks whether a file's length has changed; content comparison checks whether the file's content or its modification date has changed; memory comparison checks whether the normal system memory layout has changed; and interrupt comparison checks whether the system's interrupt vectors have changed.
Comparison methods usually only show that the system has been changed; it is difficult to determine whether the program that changed the system is a virus, or which virus it is.
The file checksum method computes a checksum over the contents of a known-good file and saves it, either attached to the file or in a separate file. Later the checksum is recomputed when the file is used, or periodically, to see whether the file has changed. This method can only show that a file changed; it cannot say whether the change was caused by a virus. It is often used to protect the system registry or system configuration files.
Virus scanning (virus scanner) searches the files or memory being examined for specific strings taken from the virus body. If such a virus-specific string is found in a scanned file, the file is assumed to be infected with the virus that the string represents. The strings extracted from viruses are organized in a fixed format and signed to protect them, forming the virus library. A virus signature must identify the virus and must also distinguish it from normal, non-viral programs, so for the scanning method the extraction of signatures is critical; at the same time, the virus database must be updated constantly to add signatures for new viruses.
Virus scanning is the most common method used by anti-virus software. It is very effective at scanning for known viruses, reports the virus name accurately and can remove the virus from infected files according to the virus's characteristics, but it cannot detect unknown viruses.
Virus programs are also commonly encrypted or compressed, or placed inside an archive, so virus scanning must also include the corresponding decryption and decompression methods.
The virus behaviour monitoring method judges whether a program is infected from the abnormal operations characteristic of viruses. It cannot confirm precisely that a program is a virus, but it can predict some unknown viruses.
ClamAV is an anti-virus toolkit for UNIX designed for e-mail scanning on mail gateways. It provides a multithreaded daemon, a command-line scanner and a tool for automatic virus library updates over the Internet. It also includes a shared virus-scanning library.
ClamAV is GPL-licensed open source software. It supports fast scanning and on-access (file access) scanning, and can detect more than 35000 viruses, including worms, Trojan horses, Microsoft Office and MacOffice macro viruses, and so on. It also scans compressed files, including zip, RAR (2.0), tar and many other formats, and provides a powerful mail scanner, advanced database updates that support digital signatures, and database version queries based on DNS.
The ClamAV tools have been tested on GNU/Linux, Solaris, FreeBSD, OpenBSD 2, AIX 4.1/4.2/4.3/5.1, HP-UX 11.0, SCO UNIX, IRIX 6.5.20f, Mac OS X, BeOS, Cobalt MIPS boxes, Cygwin, Windows Services for Unix 3.5 (Interix) and other operating system platforms, but some features are not supported on some operating systems.
ClamAV consists of the clamscan scanning application, the clamd daemon, the clamdscan client, the libclamav library and the clamav-milter mail scanner. The composition of the ClamAV tool is shown in Figure 1.
clamscan checks files or directories for viruses directly from the command line; clamd uses the libclamav library to find viruses and has a thread responsible for on-access scanning; the clamdscan client checks for viruses through the clamd daemon and can replace clamscan; the libclamav library provides the ClamAV interface functions, which other applications call to scan for viruses; and the clamav-milter mail scanner connects to the sendmail tool and uses clamd to detect e-mail viruses.
ClamAV uses the Dazuko software for on-access scanning. The Dazuko kernel module can intercept file accesses through LSM, system call hooks or the RedirFS module; the Dazuko library reports the intercepted files to the clamd daemon, which scans them for viruses.
Figure 1 ClamAV tool composition
2 ClamAV compilation, installation and use
Compiling ClamAV requires the zlib library, which many programs use for compression and decompression. Additional requirements are the bzip2 and bzip2-devel libraries and the GNU MP 3 library. The GMP package allows freshclam to verify the digital signature of the virus library; GNU MP can be downloaded from http://www.swox.com/gmp/.
The steps for compiling and installing ClamAV under Linux are as follows:
(1) Download clamav-0.88.tar.gz
(2) Extract the package:
# tar xvzf clamav-0.88.tar.gz
(3) Enter the ClamAV directory created by the extraction:
# cd clamav-0.88
(4) Add the group clamav and the group member user clamav (a system user with no login shell):
# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
(5) Assuming your home directory is /home/gary, configure the software as follows:
$ ./configure --prefix=/home/gary/clamav --disable-clamav
(6) Compile and install:
# make
# make install
(7) Add two log files in the /var/log/ directory, clam.log and clam-update.log, change their owner to the newly added clamav user and set file permissions so that only that user can read and write them:
# touch /var/log/clam-update.log
# chmod 600 /var/log/clam-update.log
# chown clamav /var/log/clam-update.log
# touch /var/log/clam.log
# chmod 600 /var/log/clam.log
# chown clamav /var/log/clam.log
(8) Edit /etc/clam.conf and comment out the line beginning with "Example" by prefixing it with #:
#Example
Then start the virus daemon by entering clamd at the command line:
# clamd
(9) Edit /etc/freshclam.conf and comment out the line beginning with "Example" in the same way:
#Example
Change the line UpdateLogFile /var/log/freshclam.log
to UpdateLogFile /var/log/clam-update.log
(10) Update the virus library with freshclam:
# freshclam
(11) Scan the files in the current directory:
clamscan
(12) Scan all files and subdirectories of the current directory:
clamscan -r
(13) Scan the directory dir:
clamscan dir
(14) Scan all files and subdirectories under the directory dir:
clamscan -r dir
(15) Show the help information:
clamscan --help
2.1 CLAMD Backend and Clamdscan client
clamd is a multithreaded daemon that uses the libclamav library to scan files for viruses. It works in two network modes: listening on a UNIX (local) socket or on a TCP socket. The daemon is configured through the clamd.conf file. By setting up a cron job you can check at regular intervals that clamd is still running and restart it automatically after it dies; example scripts are in the contrib/clamdwatch/ directory.
clamdscan is a simple clamd client; in many cases you can use it instead of clamscan, and it depends only on clamd. Although it accepts the same command-line options as clamscan, most of them are ignored because those options are already configured in clamd.conf.
An important feature of clamd is on-access virus scanning based on the Dazuko module, which intercepts file system accesses and triggers clamd to scan the accessed files. The Dazuko module is available at http://dazuko.org.
A thread named clamuko in clamd is responsible for communicating with Dazuko.
The Dazuko module is compiled and loaded as follows:
$ tar zxpvf dazuko-a.b.c.tar.gz
$ cd dazuko-a.b.c
$ make dazuko
or, for an SMP kernel:
$ make dazuko-smp
$ su
# insmod dazuko.o
# cp dazuko.o /lib/modules/`uname -r`/misc
# depmod -a
To load this module automatically at Linux startup, add a "dazuko" entry to /etc/modules, or add the command modprobe dazuko to one of the startup files.
You must also create the device node. First look up the major number that the kernel assigned to dazuko in /proc/devices, then create /dev/dazuko with that major number (254 in this example) and minor number 0:
$ cat /proc/devices | grep dazuko
254 dazuko
$ su -c "mknod -m 600 /dev/dazuko c 254 0"
2.2 Clamav-milter Mail scanner
Nigel Horne's clamav-milter is a very fast e-mail scanner for the sendmail tool. It is written in C and depends only on libclamav or clamd.
By adding the following lines to /etc/mail/sendmail.mc you can connect clamav-milter to sendmail:
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')
If you are running clamd with --external, check that the entry in clamd.conf is as follows:
LocalSocket /var/run/clamav/clamd.sock
Next, start clamav-milter as follows:
/usr/local/sbin/clamav-milter -lo /var/run/clamav/clmilter.sock
Then restart sendmail.
2.3 Create virus Library Automatic Update
freshclam is the default database updater for ClamAV; it can work in two ways:
(1) Interactive mode: run from the command line.
(2) Daemon mode: runs independently without intervention.
freshclam is started by the superuser and drops privileges, switching to the clamav user. freshclam uses the round-robin DNS of database.clamav.net to select a database mirror automatically. It supports database version validation through DNS, and it also supports proxy servers (with authentication), digital signatures and error descriptions.
ClamAV uses the freshclam tool to check periodically whether a new database has been published and to keep the database up to date.
You can also create a freshclam.log file and make it a log file owned by clamav, as follows:
# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
# chown clamav /var/log/freshclam.log
Edit freshclam.conf (or clamd.conf, if the two are merged together) and set UpdateLogFile to point to the created log file.
To run freshclam as a daemon in the background:
# freshclam -d
You can also let cron run freshclam automatically at set times by adding the following line to the crontab:
N * * * * /usr/local/bin/freshclam --quiet
where N is a number of your choice between 3 and 57; N is the minute field of the crontab entry, so freshclam checks for a new virus database once every hour, at minute N.
The proxy server is configured through the configuration file. When HTTPProxyPassword is set, freshclam requires strict permissions on the configuration file, since it then contains a credential. The settings are as follows:
HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass
DatabaseMirror in the configuration file specifies the database server; freshclam tries to download from this server up to the maximum configured number of attempts. The default database mirror is database.clamav.net. To download the database from the nearest mirror, configure freshclam with db.XX.clamav.net, where XX is your country code. For example, if your server is in Ascension Island, add the following lines to freshclam.conf:
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.ac.clamav.net
DatabaseMirror database.clamav.net
The two-character country codes can be found at http://www.iana.org/cctld/cctld-whois.htm.
2.4 Libclamav Library API
Every application that uses the libclamav library must include the clamav.h header file:
#include <clamav.h>
Examples of the use of the libclamav library API are in clamscan/manager.c; the API functions are described below.
(1) Loading the library
The functions for loading (initializing) the library are listed below:
int cl_loaddb(const char *filename, struct cl_node **root, unsigned int *signo);
int cl_loaddbdir(const char *dirname, struct cl_node **root, unsigned int *signo);
const char *cl_retdbdir(void);
cl_loaddb loads the selected database file, cl_loaddbdir loads all databases from the directory dirname, and cl_retdbdir returns the path of the default (hard-coded) database directory. After loading, the internal database is represented by the parameter root, which must be initialized to NULL before the call; the number of loaded signatures is returned through the parameter signo, and if you are not interested in the signature count you can pass NULL for signo. cl_loaddb and cl_loaddbdir return 0 on success and a negative number on failure.
The loading functions are used as follows (here with cl_loaddbdir):
...
struct cl_node *root = NULL;   /* must start as NULL */
unsigned int signo = 0;        /* receives the number of loaded signatures */
int ret;
ret = cl_loaddbdir(cl_retdbdir(), &root, &signo);
(2) Error handling
Use the function cl_strerror to convert an error code into a readable message; it returns a string and is used as follows:
if (ret) {
    /* ret is an error code (a negative number) */
    printf("cl_loaddbdir() error: %s\n", cl_strerror(ret));
    exit(1);
}
(3) Initializing the internal transitions of the database
The function cl_build initializes the internal transition table (pattern matcher) of the loaded database:
int cl_build(struct cl_node *root);
cl_build is used as follows:
if ((ret = cl_build(root)))
    printf("cl_build() error: %s\n", cl_strerror(ret));
(4) Database reload
It is important to keep the internal database instance up to date. The cl_stat function family can be used to check for database changes; these functions are listed below:
int cl_statinidir(const char *dirname, struct cl_stat *dbstat);
int cl_statchkdir(const struct cl_stat *dbstat);
int cl_statfree(struct cl_stat *dbstat);
Call cl_statinidir to initialize the struct cl_stat variable, as follows:
...
struct cl_stat dbstat;
memset(&dbstat, 0, sizeof(struct cl_stat));
cl_statinidir(dbdir, &dbstat);
Afterwards you only need to call cl_statchkdir to check whether the database has changed:
if (cl_statchkdir(&dbstat) == 1) {
    /* the database changed: reload it */
    reload_database(...);
    /* then rebuild the stat record for the reloaded database */
    cl_statfree(&dbstat);
    cl_statinidir(cl_retdbdir(), &dbstat);
}
The structure must be reinitialized after the database is reloaded.
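The reload check above relies on cl_statinidir recording the state of each file in the database directory and cl_statchkdir later comparing the directory against that record. The following added example (not the book's code and not libclamav's) reimplements that mechanism with POSIX stat(2) so it can be compiled and run without libclamav: db_stat_init records the size and modification time of every regular file in a directory, db_stat_check returns 1 when a recorded file changed or files were added or removed, and check_and_reload mirrors the cl_stat pattern, calling a reload hook and then rebuilding the record. The names db_stat_*, check_and_reload, log_reload, write_file and demo, and the temporary directory standing in for the database directory, are all assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for libclamav's struct cl_stat: one record per database file. */
struct db_entry { char name[256]; off_t size; time_t mtime; };
struct db_stat  { char *dir; struct db_entry *entries; size_t count; };

static int stat_in_dir(const char *dir, const char *name, struct stat *sb)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    return stat(path, sb);
}

/* Record size and mtime of every regular file in dir (the role of cl_statinidir). */
int db_stat_init(const char *dir, struct db_stat *st)
{
    DIR *d = opendir(dir);
    struct dirent *de;
    if (!d) return -1;
    memset(st, 0, sizeof *st);
    st->dir = strdup(dir);
    while ((de = readdir(d)) != NULL) {
        struct stat sb;
        if (stat_in_dir(dir, de->d_name, &sb) != 0 || !S_ISREG(sb.st_mode))
            continue;
        struct db_entry *e = realloc(st->entries, (st->count + 1) * sizeof *e);
        if (!e) { closedir(d); return -1; }
        st->entries = e;
        e += st->count;
        snprintf(e->name, sizeof e->name, "%s", de->d_name);
        e->size = sb.st_size;
        e->mtime = sb.st_mtime;
        st->count++;
    }
    closedir(d);
    return 0;
}

/* Return 1 if a recorded file changed or files were added or removed, else 0
 * (the role of cl_statchkdir). A vanished directory counts as changed. */
int db_stat_check(const struct db_stat *st)
{
    DIR *d = opendir(st->dir);
    struct dirent *de;
    size_t seen = 0, i;
    if (!d) return 1;
    while ((de = readdir(d)) != NULL) {
        struct stat sb;
        if (stat_in_dir(st->dir, de->d_name, &sb) != 0 || !S_ISREG(sb.st_mode))
            continue;
        seen++;
        for (i = 0; i < st->count && strcmp(st->entries[i].name, de->d_name) != 0; i++)
            ;
        if (i == st->count || st->entries[i].size != sb.st_size ||
            st->entries[i].mtime != sb.st_mtime) {
            closedir(d);
            return 1;
        }
    }
    closedir(d);
    return seen != st->count;
}

/* Release the record (the role of cl_statfree). */
void db_stat_free(struct db_stat *st)
{
    free(st->dir);
    free(st->entries);
    memset(st, 0, sizeof *st);
}

/* The reload pattern from the text: reload is a hypothetical hook standing in for
 * reload_database(); the record is rebuilt afterwards. Returns 1 if a reload ran. */
int check_and_reload(struct db_stat *st, void (*reload)(const char *dir))
{
    if (db_stat_check(st) != 1)
        return 0;
    char *dir = strdup(st->dir);
    reload(dir);
    db_stat_free(st);
    db_stat_init(dir, st);
    free(dir);
    return 1;
}

static void log_reload(const char *dir) { printf("reloading database from %s\n", dir); }

/* Constructed fixture: writes a fake database file, the way freshclam would. */
static void write_file(const char *dir, const char *name, const char *text)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Drives the pattern on a constructed temporary directory standing in for the
 * database directory. Returns how many reloads were triggered (expected: 2). */
int demo(void)
{
    char tmpl[] = "/tmp/dbstat.XXXXXX", path[4096];
    char *dir = mkdtemp(tmpl);
    struct db_stat st;
    int reloads = 0;
    if (!dir || db_stat_init(dir, &st) != 0) return -1;
    write_file(dir, "main.cvd", "signature set v1");          /* file added: reload */
    reloads += check_and_reload(&st, log_reload);
    reloads += check_and_reload(&st, log_reload);            /* record rebuilt: no reload */
    write_file(dir, "main.cvd", "signature set v2, longer");  /* size changed: reload */
    reloads += check_and_reload(&st, log_reload);
    db_stat_free(&st);
    snprintf(path, sizeof path, "%s/main.cvd", dir);          /* clean up the fixture */
    unlink(path);
    rmdir(dir);
    return reloads;
}

int main(void)
{
    printf("reloads triggered: %d\n", demo());
    return 0;
}
```

As in the libclamav pattern, the record is thrown away and rebuilt after every reload; if it were kept, the next check would report the same change again and the daemon would reload in a loop.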
(5) Data scanning functions
The following functions scan a buffer, a descriptor or a file:
int cl_scanbuff(const