Hello all,

I have looked through the documentation and the source code, and there doesn’t 
seem to be a way to download the clamav database in a secure way (i.e. with 
https), is that the case?

Furthermore, I don’t see any mechanism by which the clamav database is verified 
against a known trusted key/authority. The sigtool utility verifies that the 
database file has file integrity, but I don’t see any mechanism that prevents 
someone from injecting a totally different, internally self-consistent, 
database file, and for my client to trust it as a legitimate list of 
signatures. That is, the downloaded code does not contain a trusted gpg key, 
nor does there appear to be any calls out to trusted gpg/ssl certificates on my 
machine.

By this I do not mean whether the source code is signed (i.e. 
http://lists.clamav.net/pipermail/clamav-users/2018-January/005786.html); this 
is specifically about the .cvd files.

In short, is there any way I can set up clamav/freshclam and be confident that a 
malicious user isn’t adding/removing signatures on the upstream mirrors?

- Luke Massa
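As an added illustration of the distinction the question draws between file integrity and authenticity (this is example code written for this page, not code from the original post and not ClamAV's own implementation): the script below builds a file laid out like a CVD, a 512-byte header starting with `ClamAV-VDB:` whose colon-separated fields carry the MD5 of the tar.gz body and a digital signature, followed by the body. It then runs two checks: an MD5-only check, which only proves the file is internally self-consistent, and a signature check against a public key pinned in the client, which is what stops a mirror operator from swapping in a different but self-consistent database. The RSA key (two Mersenne primes), signing the raw MD5 integer, the space padding of the header and the decimal encoding of the dsig field are assumptions made for this example; they are not ClamAV's real key, key size or signature encoding.

```python
"""Integrity vs. authenticity of a CVD-style database file (added example)."""
import hashlib
import io
import tarfile

HEADER_LEN = 512  # a CVD starts with a 512-byte header; the tar.gz body follows

# Toy RSA key built from two Mersenne primes. Illustration only: NOT ClamAV's
# key and NOT secure; it exists so that the client can pin a public key.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q                              # ~150 bits, so a 128-bit MD5 fits below it
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # publisher's private exponent (kept secret)
PINNED_PUBKEY = (N, E)                 # what the client ships with


def build_body(entries):
    """Pack {name: bytes} into a tar.gz, like the signature files inside a CVD."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def rsa_sign(md5_hex, d=D, n=N):
    """Textbook RSA signature over the MD5 digest (assumed encoding for this example)."""
    return pow(int(md5_hex, 16), d, n)


def rsa_verify(md5_hex, sig, pub=PINNED_PUBKEY):
    n, e = pub
    return pow(sig, e, n) == int(md5_hex, 16)


def build_cvd(entries, version, sign=True):
    """Publisher side: header fields are build time, version, sig count,
    functionality level, MD5 of body, dsig, builder, build timestamp."""
    body = build_body(entries)
    md5 = hashlib.md5(body).hexdigest()
    dsig = rsa_sign(md5) if sign else 0          # 0 stands for "no signature"
    fields = ["ClamAV-VDB", "01 Jan 2018 00-00 +0000", str(version),
              str(len(entries)), "1", md5, str(dsig), "example", "1514764800"]
    header = ":".join(fields).encode()
    assert len(header) <= HEADER_LEN
    return header.ljust(HEADER_LEN, b" ") + body  # space padding is an assumption


def parse_header(cvd):
    fields = cvd[:HEADER_LEN].decode().rstrip().split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) != 9:
        raise ValueError("not a CVD header")
    return {"version": int(fields[2]), "sigs": int(fields[3]),
            "md5": fields[5], "dsig": int(fields[6]), "builder": fields[7]}


def check_integrity(cvd):
    """What an MD5-only check proves: the body matches the header's MD5."""
    h = parse_header(cvd)
    return hashlib.md5(cvd[HEADER_LEN:]).hexdigest() == h["md5"]


def check_authenticity(cvd, pub=PINNED_PUBKEY):
    """Integrity plus: the MD5 in the header was signed by the pinned key's owner."""
    h = parse_header(cvd)
    return check_integrity(cvd) and rsa_verify(h["md5"], h["dsig"], pub)


def forge_on_mirror(genuine, entries):
    """A malicious mirror replaces the body and recomputes the MD5 so the file is
    self-consistent, but without D it cannot produce a matching dsig and has to
    leave the old one in place."""
    h = genuine[:HEADER_LEN].decode().rstrip().split(":")
    body = build_body(entries)
    h[5] = hashlib.md5(body).hexdigest()
    return ":".join(h).encode().ljust(HEADER_LEN, b" ") + body


def demo():
    # Constructed sample signatures; not real ClamAV database content.
    genuine = build_cvd({"daily.ndb": b"Example.Sig:0:*:deadbeef\n"}, 24000)
    forged = forge_on_mirror(genuine, {"daily.ndb": b""})  # all signatures removed
    return {
        "genuine": (check_integrity(genuine), check_authenticity(genuine)),
        "forged": (check_integrity(forged), check_authenticity(forged)),
    }


if __name__ == "__main__":
    print(demo())  # genuine passes both checks; forged passes integrity only
```

The forged file passes the integrity check exactly because the mirror recomputed the MD5; only the check against a key the client already trusts, independent of anything in the downloaded file, catches the substitution. Transport encryption would address tampering in transit but not a compromised mirror, which is why the signature check is the one that matters for the scenario in the question.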
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml