On 7/26/2011 2:03 PM, Jim Preston wrote:
> On 07/25/2011 12:36 PM, Nathan Gibbs wrote:
>>
>> Because as covered on the devel list, us lowly users can't be allowed to
>> sign our own sigs.
>> :-)
>> Is this or is this not open source software?
>>
>
> I like the idea of having the sigs checked by ClamAV first and signed by
> them. A concern I have is that a great way to defeat AV would be to
> sabotage the database. The software itself would say "Hey, I am running
> great and doing scans properly" even if critical sigs have been removed
> so that viruses can be passed on.
>
> I would have concerns with the update engine taking unknown, even if
> signed, databases and loading them with no notifications.
>
> This is just my two cents.
A good concern.

>>
>> This may be a viable option if I am developing sigs for everyone to use.
>> Leveraging the official testing / distribution framework would be great.
>>
>> If I require cvd validation on the endpoints, and am producing sigs for
>> a limited use application, this solution is worthless.
>>
>> Just open source the cvd signing methodology.
>>
>
> If you are creating your own databases for your own use, why would
> signing be a requirement? Signing is really (in my understanding) to
> verify the data when being transported / hosted by outside parties. i.e.
> If I own the entire infrastructure and am not relying on outside sources
> and I am getting forged / non-official / non-self-built databases, I
> have much bigger problems than worrying about whether the databases have
> been signed.

Please read the thread on the devel mailing list.
http://lurker.clamav.net/thread/20110627.064208.dc61d1be.en.html#20110627.064208.dc61d1be

Quick recap.
A guy on the clamav-devel list needs to build custom sigs for his own
environment, and needs to distribute them as signed cvd's.

The ClamAV Team said "you can't create digitally signed CVD files, this
can only be done by the ClamAV team."

The Guy said:
"Why not?
snip
As I said, this is a completely isolated environment and the whole thing
is not even about virus/malware detection but what I want to achieve with
this is to exploit clamav's ability to quickly scan over data (recursively
unpacking of archives etc.), then "quarantining" the desired fragments of
data for later processing. I specifically *do* need signed CVD however in
order to assure, that only the proper internal authority can change the
sigs. (The data to be detected and "quarantined" are selected certificates
and CSRs in various forms)."

As I stated previously.
Open source the signing methodology and / or code.
This is an open source project, Right?
Someone can't use this project to meet their needs because not everything
in the project has been open sourced.

Saying that "you can't create digitally signed CVD files, this can only be
done by the ClamAV team." flies in the face of what open source is all
about.

Let's just get this over with already and declare that building an OS +
Applications for PC's can only be done by Micro$oft.

This is just basic consistency & honesty here.
You DON'T build an open source project then KEEP part of the code for
yourself.

--
Sincerely,

Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
