Background

To satisfy a customer's security requirements, our company has to check the application service programs we deliver with at least two antivirus products. On top of ClamAV, we therefore needed a second antivirus product with a Linux build. Unfortunately, most of the free antivirus products that a Baidu or Google search turns up no longer have a Linux version: they either charge a considerable fee, have been discontinued, or require a GTK desktop to be installed.

In the end, within what we knew of, the viable option was McAfee Endpoint Security, McAfee's enterprise antivirus product. Two reasons: it offers a free trial, and it can run stand-alone.

While searching we also noticed domestic Linux antivirus products: a Linux edition of 360 Safeguard (360安全卫士) and a Linux client for the Huorong (火绒) enterprise edition. As I recall, Qi An Xin's TianQing (奇安信天擎) system also has a Linux agent. Trialing domestic software, however, brings a lot of follow-up hassle, so we did not bother.

Obtaining the software

  1. McAfee offers a trial package for download.
  2. Endpoint Security ships clients for Windows, Mac and Linux.
  3. The client can be deployed and managed centrally through an ePO server, or run in Standalone mode.

    Gripes

  4. McAfee enforces a waiting period between downloads of the free trial package, and if you picked the wrong product, every download link you get afterwards, whichever product you select, still points at the product you chose the first time.
  5. McAfee does have a product specifically for stand-alone Linux use (its "command on linux" scanner), but it is not offered for trial; you have to download the Linux client of the enterprise antivirus product instead (which, to be fair, can also be trialed stand-alone).
  6. The package is pure matryoshka: a tar.gz inside a tar.gz inside yet another tar.gz.
  7. The ePO-managed deployment is documented in exhaustive detail, while the standalone installation guide is next to useless; installation only succeeded through guesswork.
  8. The archive has, for no apparent reason, the execute bit set, perhaps because it was packed on a Mac? It does not inspire confidence.

Trial

Installation

  1. This test uses 64-bit CentOS 7.
  2. Upload the evaluation package ENSL1069_Eval.zip.
  3. Unpack it:
    [root@antivirus ~]# unzip ENSL1069_Eval.zip
    [root@antivirus ~]# tree ENSL1069_Eval
    ENSL1069_Eval
    ├── ensl_1066_ig_0-00_en-us.PDF # installation guide
    ├── ensl_1066_pg_0-00_en-us.PDF # product (usage) guide
    ├── ensl_1069_rn_0-00_en-us.pdf # release notes
    ├── MA562LNX
    │   ├── MFEma.x86_64.deb
    │   ├── MFEma.x86_64.rpm # McAfee client (agent)
    │   ├── MFErt.i686.deb
    │   └── MFErt.i686.rpm # McAfee runtime library
    ├── MCAFEE_LLC.PUB.TAR # release key
    └── McAfeeTP-10.6.9-121-Eval-standalone.tar.gz # standalone installer
    [root@antivirus ~]# tar zxvf McAfeeTP-10.6.9-121-Eval-standalone.tar.gz 
    ./install-mfetp.sh # install script
    ./McAfeeTP-10.6.9-121-standalone.linux.tar.gz # the software itself
    
    # Unpacking the software archive yields the packages below.
    # There is no need to unpack it by hand; the install script does so itself.
    [root@antivirus ~]# tree standalone/
    standalone/
    ├── license.txt # license text
    ├── McAfeeESP-10.6.9-126.deb
    ├── McAfeeESP-10.6.9-126.x86_64.rpm # main program
    ├── McAfeeESPAac-10.6.9-126.deb
    ├── McAfeeESPAac-10.6.9-126.x86_64.rpm # arbitrary access control module
    ├── McAfeeESPFileAccess-10.6.9-126.deb
    ├── McAfeeESPFileAccess-10.6.9-126.x86_64.rpm # file detection module
    ├── McAfeeRt-10.6.9-126.deb
    ├── McAfeeRt-10.6.9-126.x86_64.rpm # rootkit detection module
    ├── McAfeeTP-10.6.9-121.deb
    ├── McAfeeTP-10.6.9-121.x86_64.rpm # process detection module (Threat Prevention)
    └── validate-mfeesp.sh # upgrade script
  4. Install as root:
    # manual install
    [root@antivirus ~]# rpm -Uvh ENSL1069_Eval/MA562LNX/MFErt.i686.rpm
    [root@antivirus ~]# rpm -Uvh ENSL1069_Eval/MA562LNX/MFEma.x86_64.rpm
    # scripted install
    [root@antivirus ~]# ./install-mfetp.sh
    # accept the license terms
    …………
    Installed:
      McAfeeESP.x86_64 0:10.6.9-126  McAfeeESPAac.x86_64 0:10.6.9-126  McAfeeESPFileAccess.x86_64 0:10.6.9-126  McAfeeRt.x86_64 0:10.6.9-126  McAfeeTP.x86_64 0:10.6.9-121 
    
    Complete!
    Successfully installed McAfeeTP-10.6.9-121.x86_64.rpm
    
    Schedule for Default DAT and Engine update task was successfully added
    Successfully enabled GTI
    Enabling OAS, please wait for some time
    OAS was successfully enabled
    Access Protection was specifically disabled during installation
    McAfeeTP is ready for use now
  5. Check the service status:
    [root@antivirus ~]# service mfetpd status
    Redirecting to /bin/systemctl status mfetpd.service
    ● mfetpd.service - McAfee Endpoint Security for Linux Threat Prevention
       Loaded: loaded (/usr/lib/systemd/system/mfetpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2021-11-23 06:09:59 EST; 2min 39s ago
         Docs: man:mfetpd(8)
      Process: 4928 ExecStartPre=/opt/McAfee/ens/tp/scripts/cgroup-mount-helper.sh systemd (code=exited, status=0/SUCCESS)
      Process: 3952 ExecStartPre=/opt/McAfee/ens/tp/scripts/fileaccess-control-wrapper.sh systemd (code=exited, status=0/SUCCESS)
      Process: 3950 ExecStartPre=/opt/McAfee/ens/tp/scripts/aac-control-wrapper.sh systemd (code=exited, status=0/SUCCESS)
     Main PID: 4939 (mfetpd)
       CGroup: /system.slice/mfetpd.service
               ├─4939 /opt/McAfee/ens/tp/bin/mfetpd
               ├─4971 /opt/McAfee/ens/tp/bin/mfetpd
               ├─4973 /opt/McAfee/ens/tp/bin/mfetpd
               └─4981 /opt/McAfee/ens/tp/bin/mfetpd
    
    Nov 23 06:09:58 antivirus systemd[1]: Starting McAfee Endpoint Security for Linux Threat Prevention...
    Nov 23 06:09:59 antivirus fileaccess-control-wrapper.sh[3952]: Re-using modules  3.10.0-693.21.1.el7.x86_64/mfe_fileaccess_100609126.ko
    Nov 23 06:09:59 antivirus systemd[1]: Started McAfee Endpoint Security for Linux Threat Prevention.

    Usage

  6. As root, change into the program directory:
    [root@antivirus ~]# cd /opt/McAfee/ens/tp/bin/
  7. Turn on file protection (Access Protection):
    [root@antivirus bin]# ./mfetpcli --getapstatus
    Access Protection: Disabled
    [root@antivirus bin]# ./mfetpcli --setapstatus enable
    AP Enabled Successfully
    [root@antivirus bin]# ./mfetpcli --getapstatus
    Access Protection: Enabled
  8. View the scan configuration:
    [root@antivirus bin]# ./mfetpcli --getoasconfig --summary
    On-Access Scan: Enabled and Compliant
    Profile Setting: Standard
    Maximum scan time: 45
    GTI: Enabled
    GTI Sensitivity Level: Medium
  9. Run tasks:
    # list the current tasks (1 = quick scan, 2 = full scan, 3 = DAT and engine update)
    [root@antivirus bin]# ./mfetpcli --listtasks
     -------------------------------------------------------------------------------------------------------------------------------------
    |Index  Task Name                                  Task Type                     Task Status     Last Run                            |
     -------------------------------------------------------------------------------------------------------------------------------------
    |1      quick scan                                 ODS                           Not Started     Not Applicable                      |
    |2      full scan                                  ODS                           Not Started     Not Applicable                      |
    |3      Default Client Update task                 DAT and Engine Update         Aborted         Tue 23 Nov 2021 06:10:10 AM EST     |
     -------------------------------------------------------------------------------------------------------------------------------------
    
    # add a custom task
    [root@antivirus bin]# ./mfetpcli --addodstask --name checktmp --scanpaths /tmp
    ODS Task was successfully added
    [root@antivirus bin]# ./mfetpcli --listtasks
     -------------------------------------------------------------------------------------------------------------------------------------
    |Index  Task Name                                  Task Type                     Task Status     Last Run                            |
     -------------------------------------------------------------------------------------------------------------------------------------
    |1      quick scan                                 ODS                           Not Started     Not Applicable                      |
    |2      full scan                                  ODS                           Not Started     Not Applicable                      |
    |3      Default Client Update task                 DAT and Engine Update         Aborted         Tue 23 Nov 2021 06:10:10 AM EST     |
    |4      checktmp                                   ODS                           Not Started     Not Applicable                      |
     -------------------------------------------------------------------------------------------------------------------------------------
    [root@antivirus bin]# ./mfetpcli --runtask --index 4
    Task was successfully started
    
    # run the full scan
    [root@antivirus bin]# ./mfetpcli --runtask --index 2
    Task was successfully started
    [root@antivirus bin]# ./mfetpcli --listtasks # see the table below: the full scan is Running and the custom task has Completed
     -------------------------------------------------------------------------------------------------------------------------------------
    |Index  Task Name                                  Task Type                     Task Status     Last Run                            |
     -------------------------------------------------------------------------------------------------------------------------------------
    |1      quick scan                                 ODS                           Not Started     Not Applicable                      |
    |2      full scan                                  ODS                           Running         Tue 23 Nov 2021 06:39:01 AM EST     |
    |3      Default Client Update task                 DAT and Engine Update         Aborted         Tue 23 Nov 2021 06:10:10 AM EST     |
    |4      checktmp                                   ODS                           Completed       Tue 23 Nov 2021 06:37:30 AM EST     |
     -------------------------------------------------------------------------------------------------------------------------------------

    Reports

  10. Locations
    # Task results can be found in two places:
    /var/McAfee/ens/log/tp/odsreport/
    /var/McAfee/ens/log/tp/mfetpd.log
  11. Contents
    # condensed log report
    [root@antivirus ~]# tail -f -n 27 /var/McAfee/ens/log/tp/mfetpd.log
    Nov 23 06:38:59 antivirus INFO AMODSBroker [4939] Received command to start the task - full scan
    Nov 23 06:38:59 antivirus INFO ScanFactoryBroker [4939] Starting the ODS Scan Manager
    Nov 23 06:39:00 antivirus INFO AMODSBroker [4939] Starting ODS Collector for the task - full scan
    Nov 23 06:39:01 antivirus INFO AMODSBroker [4939] Successfully started the thread to monitor the ODS Collector Process - 5334 for the ODS Task name - full scan
    Nov 23 06:39:01 antivirus INFO TaskManager [4939] Task - full scan was successfully started
    Nov 23 06:40:18 antivirus ERROR GTIQueryManager [4939] Exception received during GTI communication: Error encountered during GTI lookup.
    Nov 23 06:40:18 antivirus INFO GTIQueryManager [4939] GTI reachability has been temporarily disabled for ODS (buffered queue).
    Nov 23 06:40:29 antivirus INFO AMODSBroker [4939] ODS Collector child process exited normally for the Task name - full scan
    Nov 23 06:40:29 antivirus INFO AMODSBroker [4939] All GTI Requests have been processed for the task - full scan
    Nov 23 06:40:29 antivirus INFO AMODSBroker [4939] Notified ODS Scan Request Queue monitoring thread to exit for the Task name - full scan
    Nov 23 06:40:29 antivirus INFO AMODSBroker [4939] Thread that was monitoring ODS Scan Request Queue from the ODS Collector Process for the task - full scan is exiting now after processing 47439 requests.
    Nov 23 06:40:30 antivirus INFO AMODSBroker [4939] Received the last report update from ods scanmanager
    Nov 23 06:40:30 antivirus INFO AMODSBroker [4939] Final Report for ODS Task - 
    Task Name           : full scan
    Total Requests      : 49315
    No of files skipped : 1871
    No. of Good files   : 47401
    No. of Cache hit    : 6
    No of Files Excluded: 0
    No. of Infections   : 0
    Timeout             : 0
    ScanError           : 37
    No of files cleaned : 0
    No of files deleted : 0
    Time taken          : 90.353583s
    Engine version      : 6010.8670
    DAT version         : 999.0
    # execution log of the custom task
    [root@antivirus odsreport]# cat checktmp.log 
    EVENT = ODS_START | NAME = checktmp | TIME = 1637667450 | USER = 0
    EVENT = ODS_STOP | NAME = checktmp | TIME = 1637667452 | USER = 0
    EVENT = ODS_SUMMARY | 
    Task Name            : checktmp
    Start time           : Tue 23 Nov 2021 06:37:30 AM EST 
    End time             : Tue 23 Nov 2021 06:37:32 AM EST 
    Total Requests       : 3
    No of files skipped  : 1
    No. of Good files    : 2
    No. of Cache hit     : 0
    No of Files Excluded : 0
    No. of Infections    : 0
    Timeout              : 0
    ScanError            : 0
    No of files cleaned  : 0
    No of files deleted  : 0
    Time taken           : 2.023543s
    Engine version       : 6010.8670
    DAT version          : 999.0
    INFO ScanFactory [5273] ODS Scan Manager is shutting down gracefully
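To turn steps 9 through 11 into something a delivery pipeline can run unattended, here is an added example (it is not part of the original post and not McAfee tooling): a bash wrapper that creates an on-demand scan task with mfetpcli, waits for it to finish, and parses the odsreport summary into an exit code. It also prints the status of the Default Client Update task, because the listing above shows it Aborted, and a scan run with signatures that never updated is weaker evidence than it looks. The paths, the task name delivery_check, and the embedded task table and report are assumptions or constructed inputs; their formats are copied from the output shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post, nor McAfee's own tooling): drive an
# on-demand scan of a delivery directory through mfetpcli and turn the odsreport
# summary into an exit code. Assumed: mfetpcli in /opt/McAfee/ens/tp/bin and
# reports in /var/McAfee/ens/log/tp/odsreport/<task name>.log, as in the post.

MFETPCLI=${MFETPCLI:-/opt/McAfee/ens/tp/bin/mfetpcli}
ODSREPORT_DIR=${ODSREPORT_DIR:-/var/McAfee/ens/log/tp/odsreport}

# Print the index of a task from --listtasks output read on stdin.
# Rows look like "|4      checktmp   ODS   Not Started   Not Applicable   |".
task_index() {
    awk -F'|' -v n="$1" '$2 ~ ("^[0-9]+[ \t]+" n "[ \t]") { sub(/[^0-9].*/, "", $2); print $2; exit }'
}

# Print the Task Status column of one task from --listtasks output on stdin.
# The status words are the ones the post's tables show.
task_status() {
    grep -E "^[|][0-9]+[[:space:]]+$1[[:space:]]" \
        | grep -oE 'Not Started|Running|Completed|Aborted' | head -n 1
}

# Read one numeric field (e.g. "No. of Infections") out of an ODS_SUMMARY
# report on stdin; prints nothing if the field is missing.
report_field() {
    awk -F':' -v key="$1" 'index($0, key) == 1 { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Verdict for a report on stdin: 0 clean, 1 infections found, 2 scan errors
# (the post's full scan logged 37 while GTI lookups were failing), 3 no
# ODS_STOP event, i.e. the task never finished.
report_verdict() {
    local report infections errors
    report=$(cat)
    printf '%s\n' "$report" | grep -q 'EVENT = ODS_STOP' || return 3
    infections=$(printf '%s\n' "$report" | report_field 'No. of Infections')
    errors=$(printf '%s\n' "$report" | report_field 'ScanError')
    [ "${infections:-0}" -eq 0 ] || return 1
    [ "${errors:-0}" -eq 0 ] || return 2
    return 0
}

# Create the task if needed, run it, poll until it leaves "Running", then
# print the report path. Task names must not contain whitespace.
scan_path() {
    local name="$1" path="$2" index
    index=$("$MFETPCLI" --listtasks | task_index "$name")
    if [ -z "$index" ]; then
        "$MFETPCLI" --addodstask --name "$name" --scanpaths "$path" >/dev/null
        index=$("$MFETPCLI" --listtasks | task_index "$name")
    fi
    "$MFETPCLI" --runtask --index "$index" >/dev/null
    sleep 2
    while [ "$("$MFETPCLI" --listtasks | task_status "$name")" = "Running" ]; do
        sleep 5
    done
    printf '%s/%s.log\n' "$ODSREPORT_DIR" "$name"
}

# Constructed samples (layout copied from the --listtasks table and the
# checktmp.log above, numbers invented) so the parsers run without ENSL.
SAMPLE_TASKS='|Index  Task Name                                  Task Type                     Task Status     Last Run                            |
|1      quick scan                                 ODS                           Not Started     Not Applicable                      |
|2      full scan                                  ODS                           Running         Tue 23 Nov 2021 06:39:01 AM EST     |
|3      Default Client Update task                 DAT and Engine Update         Aborted         Tue 23 Nov 2021 06:10:10 AM EST     |
|4      checktmp                                   ODS                           Completed       Tue 23 Nov 2021 06:37:30 AM EST     |'
SAMPLE_REPORT='EVENT = ODS_START | NAME = demo | TIME = 1637667450 | USER = 0
EVENT = ODS_STOP | NAME = demo | TIME = 1637667452 | USER = 0
EVENT = ODS_SUMMARY | 
Task Name            : demo
Total Requests       : 120
No. of Good files    : 118
No. of Infections    : 1
ScanError            : 1'

# Print the verdict code for a report passed as a string.
verdict_code() { printf '%s\n' "$1" | report_verdict && echo 0 || echo $?; }

if [ $# -ge 1 ] && [ -x "$MFETPCLI" ]; then
    # Real run: scan "$1" and refuse anything but a clean, error-free report.
    echo "DAT update task: $("$MFETPCLI" --listtasks | task_status 'Default Client Update task')"
    report=$(scan_path delivery_check "$1")
    report_verdict < "$report"; rc=$?
    echo "$report -> verdict $rc"
    exit "$rc"
else
    # Stand-alone demo without ENSL: exercise the parsers on the samples.
    echo "sample update task status: $(printf '%s\n' "$SAMPLE_TASKS" | task_status 'Default Client Update task')"
    echo "sample report verdict: $(verdict_code "$SAMPLE_REPORT")"
fi
```

Run it as `./scan_check.sh /path/to/delivery` on the scanned host; a non-zero exit means the report must be looked at before the artifact ships. The parsers key on the column layout and field names shown in the post's output, so re-check them after a product upgrade.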

    Other

    Uninstall

    [root@antivirus ~]# cd /opt/McAfee/ens/tp/scripts
    [root@antivirus scripts]# ./uninstall-mfetp.sh 
    Uninstall McAfee Endpoint Security for Linux Threat Prevention ? (yes or no) : yes
    Detected rpm based distribution
    warning: /opt/McAfee/ens/tp/etc/prefs.xml saved as /opt/McAfee/ens/tp/etc/prefs.xml.rpmsave
    finished McAfeeTP removal
    Successfully uninstalled McAfee Endpoint Security for Linux Threat Prevention.
    finished McAfeeESPFileAccess removal
    Successfully uninstalled McAfee Endpoint Security Kernel Modules for Linux.
    finished McAfeeESPAac removal
    Successfully uninstalled McAfee Endpoint Security Kernel Modules for Linux.
    Detected rpm based distribution
    McAfee Endpoint Security Platform File Access for Linux is already uninstalled.
    McAfee Endpoint Security Arbitrary Access Control is already uninstalled.
    finished McAfeeESP removal
    Successfully uninstalled McAfee Endpoint Security Platform for Linux.
    finished McAfeeRt removal
    Successfully uninstalled McAfee Runtime for Linux.
    McAfee FMP for Linux is already uninstalled.
    
    [root@antivirus scripts]# rpm -e MFEcma MFErt
    Stopping and unregistering MA start up script...
    Stopping dependent services ...
    stopping ma service...
    Removed symlink /etc/systemd/system/multi-user.target.wants/mcafee.ma.service.
    warning: /etc/ma.d/mainfo.ini saved as /etc/ma.d/mainfo.ini.rpmsave
    warning: /etc/ma.d/EPOAGENT3000/config.xml saved as /etc/ma.d/EPOAGENT3000/config.xml.rpmsave
    warning: /etc/ma.d/CMNUPD__3000/config.xml saved as /etc/ma.d/CMNUPD__3000/config.xml.rpmsave
    Removing /var/McAfee/agent directory
    Removing /var/McAfee/.msgbus/* directory
    Restarting stopped services ...
    Deleting user(mfe) and group (mfe)
    Runtime uninstalled successfully

Network deployment

1. Add the following packages to the local YUM repository:
McAfeeESP-10.6.9-126.x86_64.rpm
McAfeeESPAac-10.6.9-126.x86_64.rpm
McAfeeESPFileAccess-10.6.9-126.x86_64.rpm
McAfeeRt-10.6.9-126.x86_64.rpm
McAfeeTP-10.6.9-121.x86_64.rpm
MFEma.x86_64.rpm
MFErt.i686.rpm

2. Run yum install -y McAfeeTP
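As an added example (not the post's own procedure and not McAfee documentation), the two steps above expanded into a script that publishes the RPMs as a local YUM repository only after every package's signature verifies, and installs McAfeeTP on a client with gpgcheck=1 so that a substituted or tampered RPM in the internal mirror is rejected instead of installed as root. The package directory, the key file name, the repository URL and the sample rpm -K lines are assumptions or constructed values; the post does not show the file name inside MCAFEE_LLC.PUB.TAR.

```bash
#!/usr/bin/env bash
# Added example, not the post's procedure and not McAfee documentation.
# Assumptions: the seven RPMs sit in $PKG_DIR, the vendor public key extracted
# from MCAFEE_LLC.PUB.TAR is at $VENDOR_KEY (file name assumed), createrepo is
# installed on the repo host, and clients can reach $BASEURL (placeholder).

PKG_DIR=${PKG_DIR:-/srv/repo/mcafee-ensl}
VENDOR_KEY=${VENDOR_KEY:-/srv/repo/mcafee-ensl/MCAFEE_LLC.PUB}   # assumed name
BASEURL=${BASEURL:-http://repo.example.internal/mcafee-ensl}     # placeholder

# Classify one line of `rpm -K <file>` output. rpm 4.11 (CentOS 7) prints
# "foo.rpm: rsa sha1 (md5) pgp md5 OK" for a signed package and
# "foo.rpm: sha1 md5 OK" for an unsigned one; newer rpm prints
# "foo.rpm: digests signatures OK" / "foo.rpm: digests OK".
# Prints "signed", "unsigned" or "bad" (signature present but not verifying,
# which includes the key not being imported yet).
classify_checksig() {
    case "$1" in
        *"NOT OK"*)                     echo bad ;;
        *" pgp "*OK|*" signatures "*OK) echo signed ;;
        *OK)                            echo unsigned ;;
        *)                              echo bad ;;
    esac
}

# Refuse to publish any RPM whose signature does not verify against the
# imported vendor key.
check_packages() {
    local f verdict rc=0
    for f in "$PKG_DIR"/*.rpm; do
        verdict=$(classify_checksig "$(rpm -K "$f" 2>&1)")
        [ "$verdict" = signed ] || { echo "REJECT ($verdict): $f" >&2; rc=1; }
    done
    return "$rc"
}

# Repo definition with signature checking on; gpgkey points at the same
# vendor key the repo host verified against.
render_repo_file() {
    cat <<EOF
[mcafee-ensl-local]
name=McAfee ENSL 10.6.9 (local mirror)
baseurl=$1
enabled=1
gpgcheck=1
gpgkey=file://$2
EOF
}

# Repo host: import the key, verify every package, then build the metadata.
publish_repo() {
    rpm --import "$VENDOR_KEY"
    check_packages
    createrepo --update "$PKG_DIR"
}

# Client: drop in the repo file, import the key, install as in the post's
# step 2, then list what got installed together with its signature.
install_client() {
    render_repo_file "$BASEURL" "$VENDOR_KEY" > /etc/yum.repos.d/mcafee-ensl-local.repo
    rpm --import "$VENDOR_KEY"
    yum install -y McAfeeTP
    rpm -qa --qf '%{NAME}-%{VERSION} %{SIGPGP:pgpsig}\n' 'McAfee*' 'MFE*'
}

case "${1:-}" in
    publish) publish_repo ;;
    install) install_client ;;
    *)  # No argument: show the classifier on constructed rpm -K lines.
        for line in 'McAfeeTP-10.6.9-121.x86_64.rpm: rsa sha1 (md5) pgp md5 OK' \
                    'MFErt.i686.rpm: sha1 md5 OK' \
                    'McAfeeESP-10.6.9-126.x86_64.rpm: digests SIGNATURES NOT OK'; do
            printf '%-9s %s\n' "$(classify_checksig "$line")" "$line"
        done ;;
esac
```

Run `./ensl_repo.sh publish` once on the repository host and `./ensl_repo.sh install` on each target; if any of the packages in the evaluation bundle turn out to be unsigned, check_packages reports them and publish_repo stops before createrepo, which is the point at which to decide whether to accept them deliberately rather than silently.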