Discussion:
[clamav-users] Secure download/verification of clamav database?
Luke Massa
2018-10-23 19:17:26 UTC
Hello all,

I have looked through the documentation and the source code, and there doesn’t seem to be a way to download the clamav database in a secure way (i.e. with https), is that the case?

Furthermore, I don’t see any mechanism by which the clamav database is verified against a known trusted key/authority. The sigtool utility verifies that the database file has file integrity, but I don’t see any mechanism that prevents someone from injecting a totally different, internally self-consistent, database file, and for my client to trust it as a legitimate list of signatures. That is, the downloaded code does not contain a trusted gpg key, nor does there appear to be any calls out to trusted gpg/ssl certificates on my machine.

By this I do not mean is the source code signed (i.e. http://lists.clamav.net/pipermail/clamav-users/2018-January/005786.html), this is specifically about the .cvd files.

In short, is there any way I can set up clamav/freshclam and be confident that a malicious user isn’t adding/removing signatures from the upstream mirrors?

- Luke Massa
Noel Jones
2018-10-24 15:59:59 UTC
Post by Luke Massa
In short, is there any way I can setup clamav/freshclam and be
confident that a malicious user isn’t adding/removing signatures
from the upstream mirrors?
The .cvd files have an internal cryptographic signature that's
checked by freshclam and clamd/clamscan. If freshclam and/or clamd
accepts the files, you can be assured they are official and
unmodified. This is built into clam; no external tools are called.



_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
Luke Massa
2018-10-24 17:10:33 UTC
But what are they signed *by*? If it’s using a public/private keypair, where is the public key? Is it baked into freshclam/clamd/clamscan somewhere?

- Luke
Noel Jones
2018-10-24 18:01:02 UTC
Baked in.
Post by Luke Massa
But what are they signed *by*? If it’s using a public/private keypair, where is the public key? Is it baked into freshclam/clamd/clamscan somewhere?
Luke Massa
2018-10-24 18:30:42 UTC
Ah I see it now!

For those following along, in libclamav/dsig.c, there is an implementation of RSA inspired by http://www.erikyyy.de/yyyRSA/, and the public parameters of an RSA key are hard-coded in that file.

Thanks again!
- Luke
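The distinction the thread settles on (an MD5 in the header gives integrity, the RSA signature checked against a key compiled into the verifier gives authenticity) is easier to see in code. The following is an added example written for this page; it is not libclamav/dsig.c and not ClamAV's key. It models the .cvd container after the documented header layout (magic:date:version:sigs:flevel:md5:dsig:builder:stime, padded to 512 bytes), uses a freshly generated throw-away RSA key in the role of the "baked in" public key, hex-encodes the signature instead of ClamAV's own encoding, and uses a constructed one-line signature body. Assumed names: `gen_keypair`, `build_cvd`, `verify_cvd`, `demo`.

```python
# Added example (not ClamAV code): a toy model of .cvd integrity vs authenticity.
# Everything here is simplified; the key is throw-away, not ClamAV's.
import hashlib
import math
import random

HEADER_LEN = 512          # a real .cvd also starts with a 512-byte text header
MAGIC = "ClamAV-VDB"
PUB_EXP = 65537           # assumption: public exponent for the toy key


# --- minimal textbook RSA, only so the example runs offline -------------------
def _is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                       # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def gen_keypair(bits=512):
    """Return ((n, e), (n, d)). 512 bits is toy-sized but enough for a 128-bit digest."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(PUB_EXP, phi) == 1:
            return (p * q, PUB_EXP), (p * q, pow(PUB_EXP, -1, phi))


# --- the container -------------------------------------------------------------
def sign_md5(md5_hex, priv):
    """Raw RSA over the MD5 digest; the verifier recovers the digest from the signature."""
    n, d = priv
    return format(pow(int(md5_hex, 16), d, n), "x")


def build_cvd(body, version, sig_count, dsig_hex):
    """Header fields modelled on the .cvd layout; date/builder/stime are constructed values."""
    fields = [MAGIC, "24 Oct 2018 12-00 +0000", str(version), str(sig_count),
              "63", hashlib.md5(body).hexdigest(), dsig_hex, "example", "1540382400"]
    header = ":".join(fields).encode()
    if len(header) > HEADER_LEN:
        raise ValueError("header too long")
    return header.ljust(HEADER_LEN, b" ") + body


def parse_header(cvd):
    fields = cvd[:HEADER_LEN].rstrip(b" ").decode().split(":")
    if len(fields) != 9 or fields[0] != MAGIC:
        raise ValueError("not a CVD header")
    return {"version": int(fields[2]), "sigs": int(fields[3]),
            "md5": fields[5], "dsig": fields[6]}


def verify_cvd(cvd, pub):
    """Return (md5_ok, sig_ok): md5_ok is integrity only, sig_ok is authenticity
    against the public key the verifier carries, never one taken from the file."""
    hdr = parse_header(cvd)
    body = cvd[HEADER_LEN:]
    md5_ok = hashlib.md5(body).hexdigest() == hdr["md5"]
    n, e = pub
    sig_ok = md5_ok and pow(int(hdr["dsig"], 16), e, n) == int(hdr["md5"], 16)
    return md5_ok, sig_ok


def demo():
    vendor_pub, vendor_priv = gen_keypair()      # vendor_pub plays the "baked in" key
    body = b"ExampleSig:0:*:deadbeef\n"          # constructed stand-in for a signature line
    legit = build_cvd(body, 25000, 1, sign_md5(hashlib.md5(body).hexdigest(), vendor_priv))

    # A malicious mirror drops the signature line, recomputes the MD5 so the file
    # is internally self-consistent, and signs with a key of its own.
    _, attacker_priv = gen_keypair()
    tampered = b"# signature removed\n"
    forged = build_cvd(tampered, 25001, 0,
                       sign_md5(hashlib.md5(tampered).hexdigest(), attacker_priv))
    return {"legit": verify_cvd(legit, vendor_pub), "forged": verify_cvd(forged, vendor_pub)}


if __name__ == "__main__":
    print(demo())
```

The forged file passes the MD5 check, which is all that file-level integrity can say, and fails the signature check because the verifier only trusts its own compiled-in public key. That is the property the thread is asking about: a mirror or on-path attacker can serve a self-consistent file, but not one that freshclam or clamd will accept, as long as the key in the binary is the vendor's and the binary itself came from a trusted source.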