I. Problems with ClamAV on CentOS 7

1. ClamAV is out of date and cannot update its signature database

On CentOS 7.9, the ClamAV version installed from the default yum repositories is usually old (0.103.11, for example). Such a version can no longer fetch signature updates from the official servers, which severely weakens the protection it offers.

After installing it and running the update command, you get an explicit out-of-date warning together with a CDN rate-limit notice:
```
[root@master ~]# yum -y install clamav
[root@master ~]# freshclam --version
ClamAV 0.103.11
[root@master ~]# freshclam
ClamAV update process started at Wed Jan 28 16:08:54 2026
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.11 Recommended version: 1.0.9
DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
WARNING: FreshClam previously received error code 429 or 403 from the ClamAV Content Delivery Network (CDN).
This means that you have been rate limited or blocked by the CDN.
1. Verify that you're running a supported ClamAV version.
   See https://docs.clamav.net/faq/faq-eol.html for details.
2. Run FreshClam no more than once an hour to check for updates.
   FreshClam should check DNS first to see if an update is needed.
3. If you have more than 10 hosts on your network attempting to download,
   it is recommended that you set up a private mirror on your network using
   cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
   CDN and your own network.
4. Please do not open a ticket asking for an exemption from the rate limit,
   it will not be granted.
WARNING: You are still on cool-down until after: 2026-01-29 14:35:19
```
2. Installing the newer 1.5.1 release fails because GLIBC is too old

If we instead install a newer ClamAV release (such as 1.5.1) by hand, we hit an incompatibility with the system's base libraries: running freshclam produces a series of "GLIBC version not found" errors:
```
[root@manager ~]# freshclam
freshclam: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /usr/local/lib64/libfreshclam.so.2)
freshclam: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by /usr/local/lib64/libfreshclam.so.2)
freshclam: /lib64/libm.so.6: version `GLIBC_2.27' not found (required by /usr/local/lib64/libclamav.so.11)
freshclam: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /usr/local/lib64/libclamav.so.11)
freshclam: /lib64/libc.so.6: version `GLIBC_2.27' not found (required by /usr/local/lib64/libclamav.so.11)
freshclam: /lib64/libc.so.6: version `GLIBC_2.18' not found (required by /usr/local/lib64/libclamav.so.11)
freshclam: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by /usr/local/lib64/libclamav.so.11)
```
The core programs of a Linux system (bash, ls, systemd and so on) all depend on the GLIBC version the distribution ships. Force-upgrading it breaks those programs outright and can leave the system unusable and hard to recover. Upgrading GLIBC on a production host is therefore a high-risk operation and is generally discouraged.

II. Running ClamAV in a Docker container

Since a direct install runs into compatibility problems, isolating the environment with containerization is a clean solution. With Docker we can run the latest ClamAV without worrying about the host's library dependencies.

1. Create the compose file and the signature database directory

First, create a directory structure that holds the Docker Compose configuration and persists the signature database.
```shell
mkdir -p /opt/stacks/clamav/database
cd /opt/stacks/clamav
cat > compose.yaml <<EOF
services:
  clamav:
    stdin_open: true
    tty: true
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - type: bind
        source: ./database
        target: /var/lib/clamav
      - type: bind
        source: /usr/local/src/
        target: /scandir
    image: clamav/clamav:1.5.1
    networks: {}
EOF
# Create the EICAR test file
echo 'X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /usr/local/src/eicar.txt
```
Two things happen here:

- A compose.yaml file is written that defines a ClamAV service. The key points:
  - it uses the official image clamav/clamav:1.5.1;
  - the local ./database directory is mounted at /var/lib/clamav inside the container, so the signature database files persist;
  - the host directory /usr/local/src/ is mounted at /scandir inside the container as the directory to be scanned.
- A file eicar.txt is created under /usr/local/src/ containing the EICAR test string, the industry-standard anti-virus test file, so we can verify that scanning actually works.
2. Start and run ClamAV

Start the ClamAV container with Docker Compose and check the startup log.

```shell
docker compose up -d
docker compose logs
```

If the last line of the log reads "socket found, clamd started.", the ClamAV daemon (clamd) has started successfully.
```
clamav-1 | Starting Freshclamd
clamav-1 | Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...ClamAV update process started at Thu Jan 29 09:21:42 2026
clamav-1 | daily.cld database is up-to-date (version: 27895, sigs: 354862, f-level: 90, builder: jospalme)
clamav-1 | main.cvd database is up-to-date (version: 63, sigs: 3287027, f-level: 90, builder: tomjudge)
clamav-1 | bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
Socket for clamd not found yet, retrying (15/1800) ...Thu Jan 29 09:21:57 2026 -> Limits: Global time limit set to 120000 milliseconds.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: Global size limit set to 419430400 bytes.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: File size limit set to 104857600 bytes.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: Recursion level limit set to 17.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: Files limit set to 10000.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxPartitions limit set to 50.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxIconsPE limit set to 100.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: MaxRecHWP3 limit set to 16.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: PCREMatchLimit limit set to 100000.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: PCRERecMatchLimit limit set to 2000.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Limits: PCREMaxFileSize limit set to 104857600.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Archive support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Image (graphics) scanning support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Detection using image fuzzy hash enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> AlertExceedsMax heuristic detection disabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Heuristic alerts enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Portable Executable support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> ELF support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Mail files support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> OLE2 support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> PDF support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> SWF support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> HTML support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> XMLDOCS support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> HWP3 support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> OneNote support enabled.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Self checking every 600 seconds.
clamav-1 | Thu Jan 29 09:21:57 2026 -> Set stacksize to 1048576
clamav-1 | socket found, clamd started.
```
The first lines of the log also show that the three database files daily.cld, main.cvd and bytecode.cvd are all "up-to-date", which means ClamAV inside the container has successfully brought the signature database to the latest version.
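Because the database is persisted to the host, you can confirm those versions from the host itself, without going through the container log and without a working freshclam on the host. The script below is an added example, not part of the original post or of the ClamAV project: it reads the 512-byte header that every .cvd/.cld file starts with (the colon-separated ClamAV-VDB header) and prints version, signature count and functionality level for each database file. The database path is the one from the compose file; the CVD_REPORT_RUN switch is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): report the version of the
# ClamAV database files persisted under the bind-mounted directory by
# parsing their header instead of relying on freshclam or sigtool.
# Header layout (colon-separated, first 512 bytes of the file):
#   ClamAV-VDB:<build date>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>

DB_DIR="${DB_DIR:-/opt/stacks/clamav/database}"

# Print the Nth colon-separated field of the header of file $1.
cvd_field() {
    head -c 512 "$1" | cut -d: -f"$2"
}

# Return 0 if file $1 carries the ClamAV-VDB magic, 1 otherwise.
cvd_check_magic() {
    [ "$(cvd_field "$1" 1)" = "ClamAV-VDB" ]
}

cvd_version() { cvd_field "$1" 3; }
cvd_sigs()    { cvd_field "$1" 4; }
cvd_flevel()  { cvd_field "$1" 5; }

# One summary line per database file, mirroring what the clamd log prints:
#   daily.cld version=27895 sigs=354862 f-level=90
cvd_report() {
    dir="$1"
    for f in "$dir"/main.cvd "$dir"/daily.cvd "$dir"/daily.cld "$dir"/bytecode.cvd; do
        [ -f "$f" ] || continue
        if cvd_check_magic "$f"; then
            printf '%s version=%s sigs=%s f-level=%s\n' \
                "$(basename "$f")" "$(cvd_version "$f")" "$(cvd_sigs "$f")" "$(cvd_flevel "$f")"
        else
            printf '%s: not a ClamAV database (bad header)\n' "$(basename "$f")"
        fi
    done
}

# Run the report only when asked to (e.g. CVD_REPORT_RUN=1 sh cvd-report.sh),
# so the functions can also be sourced from other scripts.
if [ -n "$CVD_REPORT_RUN" ]; then
    cvd_report "$DB_DIR"
fi
```

The values printed for daily.cld should match the "daily.cld database is up-to-date (version: ..., sigs: ...)" line in the container log; a mismatch, or a "bad header" line, means the bind mount is not pointing where you think it is or the file is truncated.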
III. Scanning for malware with ClamAV

With the container running, we have several ways to scan for malware, each with its own use cases, strengths and weaknesses.

1. Scan with the host's old clamav client and the new database

This is a handy trick that borrows the container's work. Because the container persists its up-to-date signature database to the host directory /opt/stacks/clamav/database, we can keep using the host's old clamscan client and simply point it at that database with the --database option.

```shell
clamscan --database=/opt/stacks/clamav/database -r /usr/local/src
```

The output shows the scan progress and correctly detects the eicar.txt test file we placed earlier.
```
/usr/local/src/ss5-3.8.9-8.tar.gz: OK
/usr/local/src/sendEmail-v1.56.tar.gz: OK
/usr/local/src/jdk-8u361-linux-x64.tar.gz: OK
/usr/local/src/agent-linux-amd64-v3.5.2.tar.gz: OK
/usr/local/src/categraf-v0.3.70-linux-amd64.tar.gz: OK
/usr/local/src/ClwDRClient64.test.10.100.100.70.2.0.240120.sh: OK
/usr/local/src/nodepass_1.1.1_linux_amd64.tar.gz: OK
/usr/local/src/LICENSE: OK
/usr/local/src/README.md: OK
/usr/local/src/README_zh.md: OK
/usr/local/src/v1.0.0.zip: OK
...
/usr/local/src/openssh-10.0p2-rpms-el7-x64.tar.gz: OK
/usr/local/src/openssl-3.3.1-rpms-el7.tar.gz: OK
/usr/local/src/clamav-1.5.1.tar.gz: OK
/usr/local/src/eicar.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3626837
Engine version: 0.103.11
Scanned directories: 1
Scanned files: 18
Infected files: 1
Data scanned: 129.84 MB
Data read: 547.43 MB (ratio 0.24:1)
Time: 23.371 sec (0 m 23 s)
Start Date: 2026:01:29 11:02:39
End Date:   2026:01:29 11:03:02
```
Advantages of this approach:

- Very flexible: any directory on the host can be scanned directly, with no container interaction.
- Easy to integrate into host-side scripts or scheduled jobs.

Potential problems:

- The host-side clamscan client is old (0.103.11); its engine capabilities (unpacking, depth of heuristic detection, and so on) may fall short of the newer release.
- How well an old client handles signatures newly added to the database is uncertain; there may be compatibility problems.
2. Run clamscan inside the container against a host directory

When starting the container we mounted the host directory /usr/local/src/ at /scandir inside it, so we can run the new clamscan directly inside the container against that mounted directory.

```shell
docker compose exec clamav clamscan -r /scandir
```

The command first loads the signature database and then starts scanning. The output below shows the engine version is now 1.5.1.
```
Loading:    12s, ETA:   0s [========================>]    3.63M/3.63M sigs
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks
/scandir/ss5-3.8.9-8.tar.gz: OK
/scandir/sendEmail-v1.56.tar.gz: OK
/scandir/jdk-8u361-linux-x64.tar.gz: OK
/scandir/agent-linux-amd64-v3.5.2.tar.gz: OK
/scandir/categraf-v0.3.70-linux-amd64.tar.gz: OK
/scandir/ClwDRClient64.test.10.100.100.70.2.0.240120.sh: OK
/scandir/nodepass_1.1.1_linux_amd64.tar.gz: OK
/scandir/LICENSE: OK
/scandir/README.md: OK
/scandir/README_zh.md: OK
...
/scandir/openssl-3.3.1-rpms-el7.tar.gz: OK
/scandir/clamav-1.5.1.tar.gz: OK
/scandir/eicar.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3627278
Engine version: 1.5.1
Scanned directories: 1
Scanned files: 18
Infected files: 1
Data scanned: 312.92 MiB
Data read: 547.46 MiB (ratio 0.57:1)
Time: 39.873 sec (0 m 39 s)
Start Date: 2026:01:29 10:59:13
End Date:   2026:01:29 10:59:53
```
Advantages of this approach:

- It uses the complete, current ClamAV engine, so detection capability is assured.

Disadvantages:

- Every clamscan run reloads the whole signature database into memory. For frequent or batch scans this adds latency, and it is less efficient than clamdscan, which talks to a daemon that keeps the database resident.
- Less flexible. To scan a different host directory you must change the volume mounts in compose.yaml and restart the container, so it suits a fixed directory that is checked regularly (an upload directory, a shared directory) rather than ad-hoc targets.

3. Run clamdscan inside the container against a host directory

clamdscan is the client counterpart of clamscan: it connects over a socket to a clamd daemon already running in the background and has it perform the scan. Because the signature database is already resident in the clamd process's memory, clamdscan is very fast.

```shell
docker compose exec clamav clamdscan /scandir
```

Running it, the scan is quick, but we hit a permission error.
```
/scandir/www.123.com+1-key.pem: Access denied. ERROR
/scandir/eicar.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Total errors: 1
Time: 43.325 sec (0 m 43 s)
Start Date: 2026:01:29 10:55:11
End Date:   2026:01:29 10:55:54
```
Advantages of this approach:

- Fastest of the three: the signature database is already loaded in the clamd process, so there is no per-scan database load.

Disadvantages:

- Permission problems: inside the container, clamd normally runs as a non-root user (clamav). When it tries to read a bind-mounted host file with strict permissions (owner-only read, for example), the scan of that file fails with "Access denied". This shows up most when scanning directories that hold sensitive files such as keys and configuration.
- As with the second approach, flexibility is limited: scanning other directories requires changing the container configuration.
Comparison and recommendations

| Scan method | Advantages | Disadvantages | Suitable scenarios |
|---|---|---|---|
| Host clamscan + new database | Most flexible; no container interaction needed | Old client version; possible capability/compatibility problems | Ad-hoc tasks that must scan arbitrary directories and are not sensitive to the engine version |
| clamscan inside the container | Brand-new engine with full capabilities | Database reloaded on every run; container configuration must change to switch directories | High detection requirements with a relatively fixed target directory (e.g. a daily check of a fixed folder) |
| clamdscan inside the container | Fastest and most efficient | Strict permission constraints; container configuration must change to switch directories | Speed-critical scans where the target directory and files have open read permissions |

Pick the approach that fits your needs, or combine several. For routine scans with a changing scope, method one is the most convenient; for important, fixed data locations, set up a dedicated ClamAV container and use method three for regular high-speed scans.