Detecting malware with ClamAV (Clam Anti-Virus)

From_A_To_Z · 28 December 2023

0. What is ClamAV?

Open-source antivirus software backed by Cisco Systems (https://www.clamav.net/)

Advantages

  • Relatively low resource usage
  • Runs on Linux and many other operating systems
  • Can scan files in parallel (CLI-based)
  • Open source (GPLv2)

Disadvantages

  • No disinfection capability (infected files can only be deleted)
  • No built-in REST API
  • Harder to respond to zero-day threats than with commercial solutions

1. Installing ClamAV / updating the signature definitions

$ apt-get install clamav # install ClamAV
$ dpkg-reconfigure clamav-freshclam # configure ClamAV (proxy settings, etc.)
$ freshclam # update the ClamAV signature database

2. Scanning for viruses and malware with ClamAV

Directory scan

$ clamscan -r /home/choi/
...
/home/choi/vendor/psr/http-message/LICENSE: OK
/home/choi/vendor/psr/http-message/README.md: OK
/home/choi/vendor/psr/http-message/docs/PSR7-Usage.md: OK
/home/choi/vendor/psr/http-message/docs/PSR7-Interfaces.md: OK
/home/choi/vendor/psr/http-message/CHANGELOG.md: OK
 
----------- SCAN SUMMARY -----------
Known viruses: 8678933
Engine version: 0.103.8
Scanned directories: 1605
Scanned files: 5622
Infected files: 0
Data scanned: 784.09 MB
Data read: 818.85 MB (ratio 0.96:1)
Time: 278.026 sec (4 m 38 s)
Start Date: 2023:11:22 15:52:33
End Date:   2023:11:22 15:57:11

Single-file scan

$ clamscan /mnt/d/manager-17.jar
/mnt/d/manager-17.jar: OK
 
----------- SCAN SUMMARY -----------
Known viruses: 8678933
Engine version: 0.103.8
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 38.55 MB
Data read: 18.40 MB (ratio 2.10:1)
Time: 30.934 sec (0 m 30 s)
Start Date: 2023:11:22 16:05:17
End Date:   2023:11:22 16:05:48

→ Even a single-file scan took about 30 seconds
→ Adding scan logic to an existing API is therefore very likely to introduce latency

Malware scan (test files)

Install the malware test-file package (clamav-testfiles), then run the scan against it

$ clamscan -r /usr/share/clamav-testfiles
/usr/share/clamav-testfiles/clam.chm: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.ea05.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam_cache_emax.tgz: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe.mbox.uu: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.newc.cpio: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.sis: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-upack.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-fsg.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.ole.doc: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam_ISmsi_ext.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe.szdd: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.cab: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-v3.rar: OK
/usr/share/clamav-testfiles/clam_IScab_ext.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe.rtf: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-upx.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.tar.gz: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.impl.zip: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-nsis.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-aspack.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.zip: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-petite.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam_IScab_int.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.ea06.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe.bz2: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.arj: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.pdf: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-wwpack.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.d64.zip: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-mew.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe.mbox.base64: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.bz2.zip: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-yc.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.bin-le.cpio: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe.html: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.bin-be.cpio: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-pespin.exe: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.7z: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.exe.binhex: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.mail: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.ppt: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam-v2.rar: OK
/usr/share/clamav-testfiles/clam.tnef: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam.odc.cpio: Clamav.Test.File-6 FOUND
/usr/share/clamav-testfiles/clam_ISmsi_int.exe: Clamav.Test.File-6 FOUND
 
----------- SCAN SUMMARY -----------
Known viruses: 8678933
Engine version: 0.103.8
Scanned directories: 1
Scanned files: 46
Infected files: 44
Data scanned: 14.02 MB
Data read: 6.21 MB (ratio 2.26:1)
Time: 27.251 sec (0 m 27 s)
Start Date: 2023:11:22 16:40:59
End Date:   2023:11:22 16:41:26

→ Scanning the malware test files confirms that ClamAV detects the malicious samples as expected
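The two observations above (scan latency when wiring clamscan into an existing API, and the `path: Signature FOUND` report format) both come down to how a caller should consume clamscan's result. The following is an added example, not code from the original post or from the ClamAV project: a small Python wrapper that runs clamscan, interprets its documented exit codes (0 clean, 1 threat found, 2 error) and parses the report and SCAN SUMMARY into a structured result. The `SAMPLE_OUTPUT` is constructed in the same format the post shows and is not a real scan; the `/srv/uploads/...` paths are placeholders. Note also that the two `.rar` samples in the post came back `OK`; on Debian-based systems that usually means the optional non-free `libclamunrar` library is not installed, so archives in that format are not unpacked.

```python
import re
import subprocess
from dataclasses import dataclass, field

# clamscan exit codes, as documented in clamscan(1):
# 0 = no threat found, 1 = threat(s) found, 2 = error while scanning
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# "<path>: <signature> FOUND" lines; "<path>: OK" lines deliberately do not match
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# "Key: value" lines inside the SCAN SUMMARY block
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.+)$")


@dataclass
class ScanResult:
    exit_code: int
    infected: dict = field(default_factory=dict)  # path -> signature name
    summary: dict = field(default_factory=dict)   # summary key -> raw value string


def parse_report(output: str, exit_code: int) -> ScanResult:
    """Turn clamscan's text report into a structured result."""
    result = ScanResult(exit_code)
    in_summary = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                result.summary[m.group("key").strip()] = m.group("value").strip()
            continue
        m = FOUND_RE.match(line)
        if m:
            result.infected[m.group("path")] = m.group("sig")
    return result


def infected_count(result: ScanResult) -> int:
    """Prefer the engine's own count; fall back to the parsed FOUND lines."""
    value = result.summary.get("Infected files")
    return int(value) if value is not None else len(result.infected)


def is_clean(result: ScanResult) -> bool:
    # A scanner error (exit 2) is treated as "not clean": an upload pipeline
    # must not accept a file merely because the scan did not run.
    return result.exit_code == EXIT_CLEAN and infected_count(result) == 0


def scan_path(path: str, recursive: bool = True, timeout: int = 600) -> ScanResult:
    """Run clamscan on a file or directory (requires clamscan on PATH)."""
    cmd = ["clamscan"]
    if recursive:
        cmd.append("-r")
    cmd.append(path)
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    if proc.returncode == EXIT_ERROR:
        raise RuntimeError(f"clamscan failed: {proc.stderr.strip()}")
    return parse_report(proc.stdout, proc.returncode)


# Constructed sample in the format clamscan prints; not output of a real scan.
SAMPLE_OUTPUT = """\
/srv/uploads/report.pdf: OK
/srv/uploads/invoice.exe: Clamav.Test.File-6 FOUND
/srv/uploads/archive.zip: Clamav.Test.File-6 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8678933
Engine version: 0.103.8
Scanned directories: 1
Scanned files: 3
Infected files: 2
Data scanned: 1.20 MB
Data read: 0.95 MB (ratio 1.26:1)
Time: 28.103 sec (0 m 28 s)
Start Date: 2023:11:22 16:40:59
End Date:   2023:11:22 16:41:27
"""

if __name__ == "__main__":
    r = parse_report(SAMPLE_OUTPUT, EXIT_INFECTED)
    print("clean:", is_clean(r), "infected:", infected_count(r))
    for path, sig in r.infected.items():
        print(f"  {path} -> {sig}")
```

The latency the post measured is dominated by loading the signature database on every `clamscan` start, so a wrapper like this one is only acceptable for batch jobs; a request path should instead keep the engine resident by running the `clamd` daemon and submitting files with `clamdscan`, whose output and exit codes this parser handles in the same way.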
