[clamav-users] secure download of .cvd files ?

Discussion:

Henrik Hoeg Thomsen1

2018-08-31 09:00:06 UTC

Do clamav offer a encrypted download alternative to the unencrypted http
based wget used to update the signatue database?

wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
/daily.cvd
wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
/main.cvd

---------------------------------------------------------------------------------------------------------------
Henrik Høg Thomsen
Senior IT Specialist - IBM - IPG
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216
tlf +45 51638561 mail ***@dk.ibm.com

Medmindre andet er angivet ovenfor: / Unless Otherwise Stated Above:
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216

Arnaud Jacques

2018-08-31 09:53:48 UTC

Permalink

Le 31/08/2018 à 11:00, Henrik Hoeg Thomsen1 a écrit :
> Do clamav offer a encrypted download alternative to the unencrypted http
> based wget used to update the signatue database?

May be : https://packages.microsoft.com/clamav/
Should be enough reliable.

--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.44.39.76.46
E-mail : ***@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
La Sécurité Informatique - La Sécurité des Informations.
266, rue de Villers
60123 Bonneuil en Valois
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Henrik Hoeg Thomsen1

2018-08-31 11:38:51 UTC

Permalink

Thank you Arnaud.
This will mitigate my compliance issue.

---------------------------------------------------------------------------------------------------------------
Henrik Høg Thomsen
Senior IT Specialist - IBM - IPG
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216
tlf +45 51638561 mail ***@dk.ibm.com

From: Arnaud Jacques <***@securiteinfo.com>
To: clamav-***@lists.clamav.net
Date: 2018/08/31 11:53
Subject: Re: [clamav-users] secure download of .cvd files ?
Sent by: "clamav-users" <clamav-users-***@lists.clamav.net>

Le 31/08/2018 à 11:00, Henrik Hoeg Thomsen1 a écrit :
> Do clamav offer a encrypted download alternative to the unencrypted http

> based wget used to update the signatue database?

May be :
https://packages.microsoft.com/clamav/

Should be enough reliable.

--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.44.39.76.46
E-mail : ***@securiteinfo.com
Site web :
https://www.securiteinfo.com

Facebook :
https://www.facebook.com/pages/SecuriteInfocom/132872523492286

Twitter : @SecuriteInfoCom

Securiteinfo.com
La Sécurité Informatique - La Sécurité des Informations.
266, rue de Villers
60123 Bonneuil en Valois
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Medmindre andet er angivet ovenfor: / Unless Otherwise Stated Above:
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216

Al Varnell

2018-08-31 10:08:26 UTC

Permalink

I'm not aware of any, but all database components are verified for authenticity by freshclam after download.

-Al-

On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
> Do clamav offer a encrypted download alternative to the unencrypted http based wget used to update the signatue database?
>
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/daily.cvd
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/main.cvd

Arnaud Jacques

2018-08-31 11:07:02 UTC

Permalink

That's why I asked in 2014 about freshclam support of SSL :

http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html

Le 31/08/2018 à 12:08, Al Varnell a écrit :
> I'm not aware of any, but all database components are verified for
> authenticity by freshclam after download.
>
> -Al-
>
> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>> Do clamav offer a encrypted download alternative to the unencrypted
>> http based wget used to update the signatue database?
>>
>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
>> <http://db.local.clamav.net:4/>/daily.cvd
>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
>> <http://db.local.clamav.net:4/>/main.cvd
>
>
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.44.39.76.46
E-mail : ***@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
La Sécurité Informatique - La Sécurité des Informations.
266, rue de Villers
60123 Bonneuil en Valois
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Joel Esler (jesler)

2018-08-31 11:09:56 UTC

Permalink

You should be able to do it it now. However, freshclam doesn’t support ssl. When we get ssl built into freshclam, https redirection would be available.

But I couldn’t do it before with the mirrors the way they were. We can now.

Sent from my iPhone

> On Aug 31, 2018, at 07:07, Arnaud Jacques <***@securiteinfo.com> wrote:
>
> That's why I asked in 2014 about freshclam support of SSL :
>
> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
>
>
>> Le 31/08/2018 à 12:08, Al Varnell a écrit :
>> I'm not aware of any, but all database components are verified for authenticity by freshclam after download.
>> -Al-
>>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>> Do clamav offer a encrypted download alternative to the unencrypted http based wget used to update the signatue database?
>>>
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/daily.cvd
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/main.cvd
>> _______________________________________________
>> clamav-users mailing list
>> clamav-***@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> http://www.clamav.net/contact.html#ml
>
> --
> Cordialement / Best regards,
>
> Arnaud Jacques
> Gérant de SecuriteInfo.com
>
> Téléphone : +33-(0)3.44.39.76.46
> E-mail : ***@securiteinfo.com
> Site web : https://www.securiteinfo.com
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
>
> Securiteinfo.com
> La Sécurité Informatique - La Sécurité des Informations.
> 266, rue de Villers
> 60123 Bonneuil en Valois
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clam

Al Varnell

2018-08-31 11:21:03 UTC

Permalink

OK, well then it's almost the same as it was back in 2014.

-Al-

On Fri, Aug 31, 2018 at 04:09 AM, Joel Esler (jesler) wrote:
>
> You should be able to do it it now. However, freshclam doesnât support ssl. When we get ssl built into freshclam, https redirection would be available.
>
> But I couldnât do it before with the mirrors the way they were. We can now.
>
> Sent from my iPhone
>
>> On Aug 31, 2018, at 07:07, Arnaud Jacques <***@securiteinfo.com> wrote:
>>
>> That's why I asked in 2014 about freshclam support of SSL :
>>
>> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
>>
>>
>>> Le 31/08/2018 Ã 12:08, Al Varnell a Ã©crit :
>>> I'm not aware of any, but all database components are verified for authenticity by freshclam after download.
>>> -Al-
>>>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>>> Do clamav offer a encrypted download alternative to the unencrypted http based wget used to update the signatue database?
>>>>
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/daily.cvd
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/main.cvd
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-***@lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> http://www.clamav.net/contact.html#ml
>>
>> --
>> Cordialement / Best regards,
>>
>> Arnaud Jacques
>> GÃ©rant de SecuriteInfo.com
>>
>> TÃ©lÃ©phone : +33-(0)3.44.39.76.46
>> E-mail : ***@securiteinfo.com
>> Site web : https://www.securiteinfo.com
>> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
>> Twitter : @SecuriteInfoCom
>>
>> Securiteinfo.com
>> La SÃ©curitÃ© Informatique - La SÃ©curitÃ© des Informations.
>> 266, rue de Villers
>> 60123 Bonneuil en Valois
>> _______________________________________________
>> clamav-users mailing list
>> clamav-***@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA

Al Varnell

2018-08-31 11:15:25 UTC

Permalink

And the answer is the same as it was then. There is nothing to be gained by supporting https. There is nothing sensitive about the database. Each component is verified as genuine after downloaded. And the impact on the servers is less.

-Al-

On Fri, Aug 31, 2018 at 04:07 AM, Arnaud Jacques wrote:
>
> That's why I asked in 2014 about freshclam support of SSL :
>
> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
>
>
> Le 31/08/2018 à 12:08, Al Varnell a écrit :
>> I'm not aware of any, but all database components are verified for authenticity by freshclam after download.
>> -Al-
>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>> Do clamav offer a encrypted download alternative to the unencrypted http based wget used to update the signatue database?
>>>
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/daily.cvd
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/main.cvd

Joel Esler (jesler)

2018-08-31 11:33:30 UTC

Permalink

Agreed. But it wasn’t something we could support. Now we can. It that it matters, but at least we can now.

Sent from my iPhone

> On Aug 31, 2018, at 07:16, Al Varnell <***@mac.com> wrote:
>
> And the answer is the same as it was then. There is nothing to be gained by supporting https. There is nothing sensitive about the database. Each component is verified as genuine after downloaded. And the impact on the servers is less.
>
> -Al-
>
>> On Fri, Aug 31, 2018 at 04:07 AM, Arnaud Jacques wrote:
>>
>> That's why I asked in 2014 about freshclam support of SSL :
>>
>> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
>>
>>
>>> Le 31/08/2018 à 12:08, Al Varnell a écrit :
>>> I'm not aware of any, but all database components are verified for authenticity by freshclam after download.
>>> -Al-
>>>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>>> Do clamav offer a encrypted download alternative to the unencrypted http based wget used to update the signatue database?
>>>>
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/daily.cvd
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/main.cvd
>
>
>
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clam

Michael Orlitzky

2018-08-31 12:37:00 UTC

Permalink

On 08/31/2018 05:00 AM, Henrik Hoeg Thomsen1 wrote:
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net

This is probably exploitable by anyone on the system to gain root. If I
create the file /tmp/daily.cvd (remember that /tmp is world-writable),

$ touch -d '2018-01-01 00:00:00' /tmp/daily.cvd

Then your update job will write to my file:

$ sudo wget -q -m -nd -P /tmp http://db.local.clamav.net:/daily.cvd
...

Thanks to the "-m" flag, I still own that file, and I can write whatever
bad stuff I want in there after you verify its contents:

$ ls -lh /tmp/daily.cvd
-rw-r--r-- 1 mjo mjo 48M 2018-08-31 00:46 /tmp/daily.cvd

There are various reports floating around showing how clamav is not
robust against malicious signatures (potentially leading to root
access); but regardless it's a pretty bad thing that anyone on the
machine can overwrite all of your signatures with malicious ones.

To fix it: if you're going to use a file under /tmp, then use a secure
function like mktemp() to obtain it. But if you're running this job as a
specific user, you might as well give him a special place to work like
/var/tmp/clamav-updates that is accessible only to that user. The
problem is unique to /tmp because of it's world-writable permissions.
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reindl Harald

2018-08-31 13:08:43 UTC

Permalink

Am 31.08.18 um 14:37 schrieb Michael Orlitzky:
> To fix it: if you're going to use a file under /tmp, then use a secure
> function like mktemp() to obtain it. But if you're running this job as a
> specific user, you might as well give him a special place to work like
> /var/tmp/clamav-updates that is accessible only to that user. The
> problem is unique to /tmp because of it's world-writable permissions

smart users wrap freshclam into a systemd-oneshot-service and the first
option below makes the /tmp issue a no-brainer to begin with

PrivateTmp=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX
RestrictRealtime=yes
SystemCallArchitectures=x86-64
SystemCallFilter=~acct adjtimex clock_adjtime delete_module
fanotify_init finit_module init_module io_destroy io_getevents iopl
ioperm io_setup io_submit io_cancel kcmp kexec_load mbind migrate_pages
mount move_pages open_by_handle_at perf_event_open pivot_root
process_vm_readv process_vm_writev ptrace remap_file_pages swapoff
swapon umount2 uselib vmsplice
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Continue reading on narkive:

Search results for '[clamav-users] secure download of .cvd files ?' (Questions and Answers)

replies

How do you remove XP Antispyware 2009?

started 2010-04-15 18:31:02 UTC

security

replies

How to remove Xp-Police-Anti-virus ?

started 2009-08-20 23:05:26 UTC

security