[clamav-users] Secure download/verification of clamav database?

Luke Massa lmassa at tripadvisor.com
Tue Oct 23 19:17:26 UTC 2018


Hello all,

I have looked through the documentation and the source code, and there doesn’t seem to be a way to download the clamav database in a secure way (i.e. with https). Is that the case?

Furthermore, I don’t see any mechanism by which the clamav database is verified against a known trusted key/authority. The sigtool utility verifies that the database file has file integrity, but I don’t see any mechanism that prevents someone from injecting a totally different, internally self-consistent, database file, and my client from trusting it as a legitimate list of signatures. That is, the downloaded code does not contain a trusted gpg key, nor do there appear to be any calls out to trusted gpg/ssl certificates on my machine.

By this I do not mean whether the source code is signed (i.e. http://lists.clamav.net/pipermail/clamav-users/2018-January/005786.html); this is specifically about the .cvd files.

In short, is there any way I can set up clamav/freshclam and be confident that a malicious user isn’t adding/removing signatures from the upstream mirrors?

- Luke Massa
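To illustrate the distinction the post draws between file integrity and provenance, here is an added Python example (not code from ClamAV or from the poster). It assumes the usual CVD layout: a 512-byte, space-padded, colon-separated text header whose MD5 field covers the payload that follows; the dsig value is a placeholder, not a real signature.

```python
import hashlib

# Assumed CVD layout (not taken from the ClamAV source): a 512-byte,
# space-padded text header of colon-separated fields, followed by the
# compressed signature payload whose MD5 is recorded in the header.
HEADER_LEN = 512
FIELDS = ["magic", "date", "version", "sigs", "flevel",
          "md5", "dsig", "builder", "stime"]


def parse_cvd_header(blob: bytes) -> dict:
    """Split the header into named fields; raises on a non-CVD blob."""
    header = blob[:HEADER_LEN].decode("ascii", errors="replace").rstrip(" \x00")
    parts = header.split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) != len(FIELDS):
        raise ValueError("not a CVD header")
    return dict(zip(FIELDS, parts))


def integrity_ok(blob: bytes) -> bool:
    """Integrity only: does the payload hash to the MD5 the header claims?"""
    hdr = parse_cvd_header(blob)
    return hashlib.md5(blob[HEADER_LEN:]).hexdigest() == hdr["md5"]


def build_cvd(payload: bytes, version: int, builder: str = "anyone") -> bytes:
    """Build a self-consistent CVD-shaped file from an arbitrary payload.

    Any party can produce such a file, so a matching MD5 proves internal
    consistency, not that the database came from the upstream publisher.
    Provenance requires the dsig field to be checked against a trusted key.
    """
    md5 = hashlib.md5(payload).hexdigest()
    dsig = "CONSTRUCTED-NO-REAL-SIGNATURE"  # placeholder, never a real signature
    header = ":".join(["ClamAV-VDB", "23 Oct 2018 19-17 +0000", str(version),
                       "0", "90", md5, dsig, builder, "0"])
    return header.encode("ascii").ljust(HEADER_LEN, b" ") + payload


if __name__ == "__main__":
    # Constructed sample: a fabricated payload still passes the integrity check.
    sample = build_cvd(b"constructed fake signature payload", 1)
    print("integrity:", integrity_ok(sample))            # True
    tampered = sample[:-1] + b"?"
    print("integrity after tamper:", integrity_ok(tampered))  # False
```

A freshly built file passes the MD5 check while a file altered after the fact fails it, which is exactly why integrity alone cannot tell a legitimate database from a substituted one.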

