
Antivirus program - antivir


AntiVir
- A Linux virus scanner program that scans for the latest Linux viruses.

-------------------------------------------------------------------

http://www.avira.com/

http://www.free-av.com/

antivir-workstation-pers.tar.gz : (download)

-------------------------------------------------------------------



1. Download and extract

 
[root@server3 ~]# cd Desktop
[root@server3 Desktop]# ls
antivir-workstation-pers.tar.gz
[root@server3 Desktop]# tar xvfz antivir-workstation-pers.tar.gz
antivir-workstation-pers-2.1.12-19/
antivir-workstation-pers-2.1.12-19/.installrc
antivir-workstation-pers-2.1.12-19/LICENSE
antivir-workstation-pers-2.1.12-19/LICENSE.DE
antivir-workstation-pers-2.1.12-19/README
antivir-workstation-pers-2.1.12-19/hbedv.key
antivir-workstation-pers-2.1.12-19/install
antivir-workstation-pers-2.1.12-19/bin/

- (output omitted)

antivir-workstation-pers-2.1.12-19/vdf/antivir0.vdf
antivir-workstation-pers-2.1.12-19/vdf/antivir1.vdf
antivir-workstation-pers-2.1.12-19/vdf/antivir2.vdf
antivir-workstation-pers-2.1.12-19/vdf/antivir3.vdf

[root@server3 Desktop]# mv antivir-workstation-pers-2.1.12-19/ /usr/local/src




2. Installation

 
[root@server3 Desktop]# cd /usr/local/src
[root@server3 src]# ls
antivir-workstation-pers-2.1.12-19
[root@server3 src]# cd antivir-workstation-pers-2.1.12-19
[root@server3 antivir-workstation-pers-2.1.12-19]# ls
LICENSE     README  contrib  etc  hbedv.key  legal  script
LICENSE.DE  bin     doc      gui  install    pgp    vdf
[root@server3 antivir-workstation-pers-2.1.12-19]# vi README

[root@server3 antivir-workstation-pers-2.1.12-19]# ./install

Starting Avira AntiVir Workstation (UNIX) 2.1.12-19 installation...
 
Before installing this software, you must agree to the terms
of the license.
 
Use the arrow keys to scroll through the license. When you
are finished reading, press 'q' to exit the viewer.
 
Press <ENTER> to view the license. - Displays the license.

Avira GmbH

End-user License Agreement (EULA)

This Software has been copyrighted for the

Avira GmbH
Tjark Auerbach
Chief Executive Officer
Lindauer Str. 21
88069 Tettnang, Germany
www.avira.de

hereinafter "Licensor".

The unauthorised reproduction or unauthorised sale of this Software
or parts thereof is liable to prosecution. Such conduct can be
prosecuted under criminal or civil law and result in severe penalties
and/or claims for damages. The Licensor hereby authorises you
- hereinafter Licensee - to use this Software within the context
of the following licensing conditions:

§1 Subject of the Licence Concession

1) Subject of the contract is the existing computer programme;
in this case the activated full version including the licence
file necessary for activation, (the "Software"), as well as the
programme description, operating instructions and other pertinent
materials (the "documentation").

- (license text omitted)

§10 Miscellaneous

1) Any changes in, and/or supplements to this contract, including
this clause, must be made in writing. Verbal supplements to this
contract shall under no circumstances be made. General Terms
and Conditions of Business of the Licensee are not part of this
contract and have no legal force where this contractual relationship
is concerned.

2) If a provision of this contract ceases to be effective or proves
to be not feasible, and the attainment of the object of this
contract is nevertheless still not essentially impossible, the
lawfulness of any remaining provisions shall remain unaffected.
Both parties shall replace the provision which is ineffective
or not feasible by one which, in a legally valid and economical
manner, comes closest to the sense and purpose of the ineffective
provision.

3) The laws of the German Federal Republic apply to this contract.
Place of jurisdiction for merchants (who are Licensees) is the
registered office of the Licensor.

4) In the case of delivery in EU countries, price calculation
without VAT can only occur if the Licensee has provided his/her
VAT ID.


Avira GmbH
Lindauer Str. 21 | 88069 Tettnang | Germany
Telephone: +49 (0) 7542-500 0
Fax: +49 (0) 7542-525 10
E-mail: info@avira.de
Internet: http://www.avira.de
 
Do you agree to the license terms? [n] y - Asks whether you agree to the license.
 
 
creating /usr/lib/AntiVir ... done
1) installing command line scanner - Installs the scanner and copies the virus definition files (*.vdf).
copying bin/antivir to /usr/lib/AntiVir/ ... done
 
NOTICE: This system has a prelinker. Prelinking the
        antivir binary will not work correctly. Either
        disable prelinking or add /usr/lib/AntiVir as an
        excluded prelink path.
 
        For example, add '-b /usr/lib/AntiVir'
        to /etc/prelink.conf
 
copying vdf/antivir0.vdf to /usr/lib/AntiVir/ ... done
copying vdf/antivir1.vdf to /usr/lib/AntiVir/ ... done
copying vdf/antivir2.vdf to /usr/lib/AntiVir/ ... done
copying vdf/antivir3.vdf to /usr/lib/AntiVir/ ... done
 
Enter the path to your key file: [hbedv.key]
copying hbedv.key to /usr/lib/AntiVir/hbedv.key ... done
copying script/configantivir to /usr/lib/AntiVir/ ... done
linking /usr/bin/antivir to /usr/lib/AntiVir/antivir ... done
installation of command line scanner complete
 
 
2) installing internet update daemon
An internet update daemon is available with version 2.1.12-19 of
Avira AntiVir Workstation (UNIX). This is a program that will run in the background
and automatically check for updates (internet access is required).
Instead of installing the internet update daemon, you may also
manually check for updates using:
 
     antivir --update
 
Please read the README file for more information about updating and
which method best suits you.
 
Would you like to install the internet update daemon? [n] y - Decide whether to install the internet update daemon.
copying script/avupdater to /usr/lib/AntiVir/ ... done
checking for existing /etc/avupdater.conf ... not found
copying etc/avupdater.conf to /etc/ ... done
 
Would you like to create a link in /usr/sbin for avupdater ? [y] - Decide whether to create a link for the updater.
linking /usr/sbin/avupdater to /usr/lib/AntiVir/avupdater ... done
 
Would you like the internet update daemon to start automatically? [y] - Decide whether to update automatically (updating from the command line is also possible).
setting up startup script ... done
installation of the internet update daemon complete
 
 
3) installing AvGuard
Version 2.1.12-19 of Avira AntiVir Workstation (UNIX) is capable of on-access,
real-time scanning of files. This provides the ultimate protection
against viruses and other unwanted software. The on-access scanner
(called AvGuard) is based on Dazuko, a free software project providing
access control. In order to use AvGuard you will need to compile Dazuko
for your kernel. Please refer to contrib/dazuko/HOWTO-Dazuko for
information about how to do this. There are several ways in which you
can install AvGuard.
 
        module     - Dazuko will be loaded by the avguard script
 
        kernel     - Dazuko is always loaded
                     (and should not be loaded by the avguard script)
 
        no install - do not install AvGuard at this time
 
Note: Dazuko currently only works with GNU/Linux, FreeBSD and Solaris
      systems. If you are interested in helping us port Dazuko to
      OpenBSD, feel free to check out the Dazuko Project at:
      http://www.dazuko.org
 
available options: m k n
 
How should AvGuard be installed? [n] n

- Decide whether to install AvGuard.
- AvGuard is a guard tool that uses the Dazuko kernel module. Like other antivirus products it stays resident in RAM, monitors system memory for virus infection, and provides scanning of directories and files.
- To install AvGuard, the Dazuko package must be installed. After installing the Dazuko package, run ./install again and choose m or k.

AvGuard will NOT be installed. See contrib/dazuko/HOWTO-Dazuko
for more information about Dazuko.
 
 
4) installing GUI (+ SMC support)
 
Note: The AntiVir Security Management Center (SMC) requires this
      feature, even if you do not intend to use the GUI.
 
This product comes with a GUI that allows you to monitor realtime
activity, view logs, and configure the product. This tool is optional
(not required) for the product to run.
 
The GUI requires Sun Java 1.4.x or higher.
 
Would you like to install the GUI (+ SMC support)? [y] 

- Decide whether to install the GUI program.
- SMC stands for Security Management Center and is a GUI tool made by AntiVir. It shows the running status and log files in real time and lets you change program options. It can only be used if Java 1.4.x or higher is installed.

-------------------------------------------------------------------

Check the Java version

[root@server3 security]# java -version
java version "1.6.0_11"
Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
Java HotSpot(TM) Client VM (build 11.0-b16, mixed mode, sharing)

-------------------------------------------------------------------

checking for existing /etc/avguard.conf ... not found
copying etc/avguard.conf-gui to /etc/avguard.conf ... done
copying common gui files to /usr/lib/AntiVir/gui ... done
copying platform dependant gui files to /usr/lib/AntiVir/gui ... done
copying script/antivir-gui to /usr/lib/AntiVir/ ... done
linking /usr/bin/antivir-gui to /usr/lib/AntiVir/antivir-gui ... done
installation of GUI complete
 
 
5) configuring AntiVir Updater
 
Your connection to the internet might require special configuration
settings (such as HTTP proxy settings). You may also want the
updater to log to specific files or send email notification. You
now have the opportunity to set these options.
 
Would you like to configure the AntiVir updater now? [y] - Decide whether to configure the AntiVir updater now.

EmailTo                                                         (1 of 4)
=======
You may configure the AntiVir Updater to send out an email message
whenever an update was successful or an error with the update occurred.
 
available options: y n
 
Would you like email notification about updates? [n] y - Decide whether to be notified by email of problems that occur in AntiVir.
What email address will receive notifications? [] root@server3.co.kr - Enter the email address.

LogTo                                                           (2 of 4)
=====
In addition to logging update activity through syslog, you may also
specify your own log file for messages that are generated by the.
AntiVir Updater. This can make it simpler to review past activity
without having to sift through syslog files.
 
available options: y n
 
Would you like the updater to log to a custom file? [y] - Decide whether to create an AntiVir log file.
What will be the log file name with absolute path (it must begin with '/')
? [/var/log/avupdater.log] - Set the path where the log file is saved.


AutoUpdateEvery2Hours/AutoUpdateDaily                           (3 of 4)
=====================================
AntiVir is equipped with an Internet Update Daemon. At specified
intervals, AntiVir will connect to an update server to check for newer
versions of the AntiVir engine or the data files. If a newer
version is available, AntiVir will automatically download and install
the updates without requiring any special attention. This allows AntiVir
to be kept current against attacks and problems.
 
AntiVir can be configured to check for updates every 2 hours (2) or
once a day (d). You can also choose to disable the Internet Update
Daemon (n).
 
Note: Updates can also be done manually from the command line:
           antivir --update
      You may prefer to disable the Internet Update Daemon and
      instead perform regular updates using a cron(8) job.
 
      Using the startup script for the Internet Update Daemon when
      it is disabled will result in an error.
 
available options: 2 d n
 
How often should AntiVir check for updates? [2] n - Decide how often to check for updates.


HTTPProxyServer/HTTPProxyPort                                 (4 of 4)
=============================
If this machine is sitting behind an HTTP proxy server, you will need to
configure AntiVir with the appropriate proxy settings. Internet access
is required in order to make updates.
 
available options: y n
 
Does this machine use an HTTP proxy server? [n] - Asks whether this system uses a proxy server.

AntiVir Configuration
=====================
Here are the configuration settings you have specified. Look them over
to make sure they are correct.
 
email notification:           root@server3.co.kr
specific logfile:             /var/log/avupdater.log
update frequency:             never (deactivated)
http proxy server:            none
 
available options: y n
 
Save configuration settings? [y] - Decide whether to save the configuration.

* SUCCESS *
 
Configuration successfully saved to.
/etc/avupdater.conf - The settings are saved to the /etc/avupdater.conf file.
 
Press <ENTER> to continue.


Running Internet Update Daemon
==============================
In order for the Internet Update Daemon to be active on your
system, you must run the software. This can be done manually each
time the system is booted with the command:
 
/usr/lib/AntiVir/avupdater start
 
You can have it start automatically by adding avupdater to your
startup scripts. Depending on your system, this can vary. Consult
your system documentation on startup scripts.
 
During the installation, you had the option to set the updater to
start automatically.
 
available options: y n
 
Would you like to apply the new configuration? [y]

AntiVir Status: avupdater not running.
 
Here are some commands that you should remember...
 
configure updater:    /usr/lib/AntiVir/configantivir
start update daemon:  /usr/lib/AntiVir/avupdater start
stop update daemon:   /usr/lib/AntiVir/avupdater stop
update daemon status: /usr/lib/AntiVir/avupdater status
 
Press <ENTER> to continue.

Installation of the following features complete:
     AntiVir command line scanner
     AntiVir Internet Update Daemon
     AntiVir Guard (previously installed)
     AntiVir GUI
 
 
Note: It is highly recommended that you perform an update now to
      ensure up-to-date protection. This can be done by running:
 
      antivir --update
 
Be sure to read the README file for additional information.
Thank you for your interest in Avira AntiVir Workstation (UNIX).




3. Running

 
[root@server3 antivir-workstation-pers-2.1.12-19]# ls
LICENSE     README  contrib  etc  hbedv.key  legal  script
LICENSE.DE  bin     doc      gui  install    pgp    vdf
[root@server3 antivir-workstation-pers-2.1.12-19]# cd bin
[root@server3 bin]# ls
antivir      freebsd5       linux_glibc22_ppc   solaris_sparc
antivir.asc  linux_glibc20  linux_glibc22_s390  solaris_x86
freebsd      linux_glibc22  openbsd_elf
[root@server3 bin]# cd ..
[root@server3 antivir-workstation-pers-2.1.12-19]# antivir --help

Usage is: antivir [options] [path[\*.ext]] [*.ext]
where options are:
 --help .......... display this help text (abbreviation: -h or -?)
 --scan-mode=<mode> applies "extlist", "smart" or "all" scan methods:
                   extlist scans files according to their filename extension,
                   smart detects which files to scan from their name/content,
                   all scans all files regardless of their name or content
 --allfiles ...... synonymous for --scan-mode=all
 --version ....... show version information
 --info .......... show list of recognized forms
 --update ........ update antivir
 --check ......... used with --update to check for updates
 --temp=<dir> .... specify the directory for temporary files
 --pid-dir=<dir> . specify the directory for PID files
 --home-dir=<dir>  location of executable, VDF and key files
 -C <filename> ... name of configuration file
 -s .............. scan subdirectories
 --scan-in-archive files in archives will be extracted and scanned
 -z .............. synonymous for --scan-in-archive (scan in archives, too)
 --archive-max-size=N, --archive-max-recursion=N, --archive-max-ratio=N
                   anti DoS feature: do not scan archive content which would
                   exceed the given file size, nesting level or compression
                   factor limits on extraction (0 means unlimited)
 --archive-max-count=N  anti DoS feature: do not scan archive content which
                   has more than N files in a recursion level
 --scan-in-mbox .. scan mailbox folders, too (might be time consuming!)
 --heur-macro .... enable macro heuristics
 --heur-nomacro .. disable macro heuristics
 --heur-level=N .. setup heuristics level: 0=off, 1-3=low-high
 -nolnk .......... do not follow symbolic links
 -onefs .......... do not cross file systems while following links
 -noboot ......... do not check any boot records
 -nombr .......... do not check any master boot records
 -nobreak ........ disable Ctl-C and Ctrl-Break
 -nodef  ......... do only check the given file types (eg. *.DOC)
 -cf<filename> ... activate CRC check and name the database
 -cv ............. calculate CRC over the whole file length (default 16k)
 -cn ............. insert new files into the database
 -cu ............. recalculate CRC values and update the database
 -v .............. scan files completely (slower with possible false alerts)
 -nopack ......... do not scan inside packed files
 -e [-del | -ren]  repair concerning files if possible
                   [-del] non-repairable files will be deleted
                   [-ren] non-repairable files will be renamed
 -ren ............ rename concerning files (*.COM->*.XXX,...)
 -del ............ delete concerning files
 --moveto=<dir> .. quarantine concerning files
 -dmdel .......... delete documents containing suspicious macros
 -dmdas .......... delete all macros if one appears to be suspicious
 -dmse ........... set exit code to 101 if any macro was found
 -r1 ............. just log infections and warnings
 -r2 ............. log all scanned paths in addition
 -r3 ............. log all scanned files
 -r4 ............. select verbose log mode
 -rs ............. select single-line alert messages
 -rf<filename> ... name of log file
                   %d = day, %m = month, %y = year (two digits each)
 -ra ............. append new log data to existing file
 -ro ............. overwrite existing log file
 -q .............. quiet mode
 -lang[:|=]DE .... use German texts
 -lang[:|=]EN .... use English texts
 -once ........... run only once a day
 -if<dateiname> .. antivir uses the given ini file
 --with-<type> ... detect other (non-virus but unwanted) software, too;
                   type may be e.g. "dial", "joke", "game", etc,
                   there is a --with-alltypes shortcut
 --without-<type>  like --with-<type>, but disables this type
 --alltypes ...... synonymous for --with-alltypes (obsolete)
 --alert-urls=<yes|no> print URL for more detailed information on alerts
 --warnings-as-alerts  exit with a return code as if a concerning file
                   had been found when warnings have been issued
 --exclude=<file>  exclude files or directories from scan
 --log-email=<addr>  send out scan report by email, too
 @<rspfile> ...... read parameters from the file <rspfile>
                   with each option in a separate line

list of return codes:
   0: Normal program termination, nothing found, no error
   1: Found concerning file or boot sector
   2: An alert was found in memory
   3: Suspicious file found
 100: antivir only has displayed this help text
 101: A macro was found in a document file
 102: The option -once was given and antivir already ran today
 200: Program aborted, not enough memory available
 201: The given response file could not be found
 202: Within a response file another @<rsp> directive was found
 203: Invalid option
 204: Invalid (non-existent) directory given at command line
 205: The log file could not be created
 210: antivir could not find a necessary dll file
 211: Programm aborted, because the self check failed
 212: The file antivir.vdf could not be read
 213: An error occured during initialization
 214: License key not found

[root@server3 antivir-workstation-pers-2.1.12-19]# antivir --update

AntiVir / Linux Version 2.1.12-19
Copyright (c) 2008 by Avira GmbH.
All rights reserved.


Warning: the file "antivir.vdf" is more than 14 days old
email notification is not available with this license
checking for updates

on disk       |  upd server 
--------------+--------------
02.01.12.19   <  02.01.12.113 [antivir]
06.40.00.00   <  07.01.00.00  [antivir0.vdf]
07.00.03.02   <  07.01.01.113 [antivir1.vdf]
07.00.03.62   <  07.01.01.207 [antivir2.vdf]
07.00.03.68   <  07.01.01.222 [antivir3.vdf]
--------------+--------------
antivir 100% |*******************************| 2525 KB  252.54 KB/s   0:00 ETA
antivir0.vdf 100% |**************************|   14 MB  399.19 KB/s   0:00 ETA
antivir1.vdf 100% |**************************| 2752 KB  229.33 KB/s   0:00 ETA
antivir2.vdf 100% |**************************| 1327 KB  331.96 KB/s   0:00 ETA
antivir3.vdf 100% |**************************|  146 KB   24.36 KB/s   0:00 ETA

on disk       |  upd server 
--------------+--------------
02.01.12.113  =  02.01.12.113 [antivir]
07.01.00.00   =  07.01.00.00  [antivir0.vdf]
07.01.01.113  =  07.01.01.113 [antivir1.vdf]
07.01.01.207  =  07.01.01.207 [antivir2.vdf]
07.01.01.222  =  07.01.01.222 [antivir3.vdf]
--------------+--------------

02.01.12.19 --> 02.01.12.113 the scanner [the application]  (/usr/lib/AntiVir/antivir)
07.00.03.68 --> 07.01.01.222 the VDF database (inc)  (/usr/lib/AntiVir/antivir0.vdf, /usr/lib/AntiVir/antivir1.vdf, /usr/lib/AntiVir/antivir2.vdf, /usr/lib/AntiVir/antivir3.vdf)

AntiVir successfully updated itself

[root@server3 ~]# antivir / -s --allfiles - Scan all files under the directory.
AntiVir / Linux Version 2.1.12-113
Copyright (c) 2008 by Avira GmbH.
All rights reserved.

VDF version: 7.1.1.222 created 03  2월 2009                                   

For private, non-commercial use only.
AntiVir license: 149996 for Avira AntiVir PersonalEdition Classic             

auto excluding /sys/ from scans (is a special fs)
auto excluding /proc from scans (is a special fs)
checking drive/path (list): / 

- (scan output omitted)
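The installer suggests disabling the update daemon and running `antivir --update` from a cron(8) job instead. The following script is an added example, not code from the original post or from Avira: it refreshes the VDF files, scans a path with the flags used above, and maps the return codes listed by `antivir --help` to a verdict. The variable names ANTIVIR_BIN, SCAN_LOG and QUARANTINE and their default paths are assumptions.

```shell
#!/bin/sh
# antivir-cron.sh: added example, not part of the original post or of Avira's
# scripts. Wraps the antivir CLI shown above for a cron(8) job: refresh the
# VDF files, scan a path with the page's flags, and turn the documented return
# codes into a verdict. ANTIVIR_BIN, SCAN_LOG and QUARANTINE are assumed names.

ANTIVIR_BIN="${ANTIVIR_BIN:-/usr/bin/antivir}"          # link created by ./install
SCAN_LOG="${SCAN_LOG:-/var/log/antivir-%y%m%d.log}"     # -rf expands %y %m %d
QUARANTINE="${QUARANTINE:-/var/lib/antivir-quarantine}" # target of --moveto

# Map an antivir exit status (the "list of return codes" in --help) to text.
antivir_verdict() {
    case "$1" in
        0)   echo "clean" ;;
        1)   echo "infected: concerning file or boot sector found" ;;
        2)   echo "infected: alert found in memory" ;;
        3)   echo "suspicious: file flagged by heuristics" ;;
        102) echo "skipped: -once given and antivir already ran today" ;;
        212) echo "error: antivir.vdf could not be read" ;;
        214) echo "error: license key not found" ;;
        2[0-9][0-9]) echo "error: antivir aborted (exit $1)" ;;
        *)   echo "unknown exit status $1" ;;
    esac
}

# True (0) when the status needs a human: infection, suspicion or error.
needs_attention() {
    case "$1" in
        0|100|102) return 1 ;;
        *)         return 0 ;;
    esac
}

# Recursive scan of all files and archives (with anti-DoS limits); hits are
# quarantined, only infections and warnings are logged, one line per alert.
scan_path() {
    path="$1"
    if "$ANTIVIR_BIN" -s --allfiles -z \
         --archive-max-recursion=5 --archive-max-ratio=100 \
         --moveto="$QUARANTINE" -rf"$SCAN_LOG" -ra -r1 -rs "$path"; then
        rc=0
    else
        rc=$?
    fi
    echo "$path: $(antivir_verdict "$rc")"
    return "$rc"
}

main() {
    target="${1:-/home}"
    mkdir -p "$QUARANTINE"
    # Refresh engine and VDF first: a stale antivir.vdf (the ">14 days old"
    # warning above) makes a clean result worth little.
    "$ANTIVIR_BIN" --update || echo "warning: update failed (exit $?)" >&2
    scan_path "$target"
    rc=$?
    if needs_attention "$rc"; then
        logger -t antivir-cron "$target: $(antivir_verdict "$rc")"
    fi
    return "$rc"
}

# Run main only when invoked as the script itself, not when sourced.
case "$0" in *antivir-cron.sh) main "$@" ;; esac
```

A crontab line such as `0 3 * * * /usr/local/sbin/antivir-cron.sh /home` runs it nightly; the exit status is antivir's own, so cron mail and the syslog line from logger both carry the verdict.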




4. Antivir GUI

 
[root@server3 bin]# antivir-gui

WARNING: root is not in `antivir' group

ERROR: Can't connect to an X server. Please try the following:

- generate or merge `.Xauthority'. You can merge with:
  $ xauth merge <path-to-user-with-X-rights>/.Xauthority

-------------------------------------------------------------------

Solutions

1. WARNING: root is not in `antivir' group

[root@server3 ~]# vi /etc/group
antivir:x:708:root  - Add the root account to the antivir group. Then log out and log back in.


2. ERROR: Can't connect to an X server. Please try the following:

[root@server3 ~]# touch .Xauthority - Create the file in the /root/ directory.


3. [root@server3 bin]# antivir-gui - Run it again.