On 07/25/2011 12:36 PM, Nathan Gibbs wrote:
[snip]
- before publishing the signatures, we will test them for
   false positives against our false positive file collection.
- before publishing the signatures, we'll verify that the latest two major
   versions of ClamAV can load them correctly.
- the signatures will be digitally signed and packaged into a single
   .cvd compressed file.
Because as covered on the devel list, us lowly users can't be allowed to
sign our own sigs.
:-)
Is this or is this not open source software?


I like the idea of having the sigs checked by ClamAV first and signed by them. A concern I have is that a great way to defeat AV would be to sabotage the database. The software itself would say "Hey, I am running great and doing scans properly" even if critical sigs have been removed so that viruses can be passed on.

I would have concerns with the update engine taking unknown, even if signed, databases and loading them with no notifications.

This is just my two cents.

- there will be no ".UNOFFICIAL" suffix in the detection names.
That can be masked with open source software.
:-)

- a custom prefix will be added to the detection names, identifying the
   organization which published the signature.
- updates will be distributed both as full CVD files and cdiff
   incremental updates. Users will benefit from lower network traffic.
- the .cvd and .cdiff files will be distributed through the
   ClamAV mirror network.
- the service should result in faster remediation of false positives.
Good QA, accountability, distribution, how convenient.
Now what if I want to produce and sign my own cvd's for my own use, and
not hand them to you first.

- ClamAV users will be able to download the third party databases
   using freshclam, by adding a single line to freshclam.conf, which
   should make signature maintenance significantly easier.
Of course, the convenience of it all.
Or you guys could just release the cvd signing methodology as Open
Source like the rest of the project.

The service is still in beta, you are welcome to contact Luca Gibelli
<luca*clamav.net>  if you intend to join the beta program.

We especially welcome those who already distribute their own unofficial
signatures to join. A list of databases distributed by the new service
will be available at http://www.clamav.net/download/cvd/3rdparty
This may be a viable option if I am developing sigs for everyone to use.
Leveraging the official testing / distribution framework would be great.

If I require cvd validation on the endpoints, and am producing sigs for
a limited use application, this solution is worthless.

Just open source the cvd signing methodology.


If you are creating your own databases for your own use, why would signing be a requirement? Signing is really (in my understanding) to verify the data when being transported / hosted by outside parties. i.e. If I own the entire infrastructure and am not relying on outside sources and I am getting forged / non-official / non-self-built databases, I have much bigger problems than worrying about whether the databases have been signed.

We will be happy to answer any questions you might have.
Why not just Open Source the db signing methodology?
Maybe have a fine "setting up a local cvd signing server" doc.
A lot of us do the local mirror thing already anyways.

PS: twitter is not a requirement


Liked the twitter reference :-)

--
Jim Preston
[email protected]

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
