On Apr 12, 2007, at 3:55 PM, Tomasz Kojm wrote:
> On Thu, 12 Apr 2007 16:42:07 -0600 (MDT)
> James Bourne <[EMAIL PROTECTED]> wrote:
>> Yes it may be possible, but that's still no excuse for clamd to bail when
>> presented with two sets of data files, one invalid and one valid.
>
> There's no perfect solution to this problem. The only good one I could think
> of is an option to clamscan/clamd that would only allow loading of digitally
> signed databases and ignore all the rest. Of course, external dbs (sane,
> msrbl, etc.) would no longer be supported in such a mode.

It seems to me that there are two issues here, not one, and that we  
don't have to achieve a perfect solution to both in order to still  
improve the situation.

By this I mean that it would be nice if clamd/freshclam could confirm  
whether a DB file has been downloaded completely and correctly,  
perhaps by encoding the filesize and checksum into the header of the  
cvd/ndb/inc files.  (In fact, I think that if GNU MP is available,  
ClamAV already does such sanity checking-- sigtool seems to show an  
MD5 and digital signature from .cvd files, at least.  But there seems  
to be a problem where some of the time, if freshclam's attempt to get  
an update results in a failed download, it does not revert back to  
using the former version of the database.  This seems to be the  
failure mode with the recent major update that has spawned much email  
to the list recently.)

The second issue is whether a given DB file is trusted.

There are plenty of public-key systems available-- using X.509 certs  
and having the local admin list which server keys are trusted, and  
have database downloads or updates happen only if freshclam can  
negotiate a TLS session with a server cert which is trusted would do;  
another choice, which probably would be easier on the update servers,  
would be to use GnuPG/OpenPGP/etc and have a published .sig file for  
the cvd/ndb/inc files-- have freshclam invoke "gpg --verify", which  
tests both the integrity of the DB file, and checks whether the local  
admin has added the signer of the file to their keyring to indicate  
that they trust that person to publish updates.

So if I want to utilize the Sane or MSRBL databases, and they were  
published with a .sig file, it would be up to me to import the  
signing key into the clamav (or vscan or whatever user account ClamAV  
runs as)'s keyring.

-- 
-Chuck

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
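
The verify-before-swap behaviour discussed in the message above, as an added example that is not part of the original e-mail and is not ClamAV or freshclam code. The function names `gpg_verify` and `install_update` are hypothetical; the sketch assumes a detached .sig file published next to each database, `gpg` on the PATH, and the download staged in the same directory as the live database.

```python
import os
import subprocess

def gpg_verify(sig_path, data_path, keyring_home=None):
    """True only if `gpg --verify` accepts the detached signature.

    gpg exits non-zero when the data file was truncated or altered, or when
    the signer's public key is not in the keyring being consulted.
    """
    cmd = ["gpg", "--batch"]
    if keyring_home:  # e.g. the keyring of the account the scanner runs as
        cmd += ["--homedir", keyring_home]
    cmd += ["--verify", sig_path, data_path]
    try:
        done = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return False  # fail closed: no gpg or no answer means no update
    return done.returncode == 0

def install_update(staged, sig, live, verify=gpg_verify):
    """Promote a freshly downloaded database only if its signature verifies.

    `staged` must sit on the same filesystem as `live` so os.replace() is
    atomic. On failure the staged file is deleted and `live` is untouched,
    so the former database version stays in use.
    """
    if not verify(sig, staged):
        if os.path.exists(staged):
            os.unlink(staged)
        return False
    os.replace(staged, live)
    return True
```

Because the live file is only ever replaced by a fully verified one, a failed or partial download leaves the scanner with the previous database instead of an unloadable one.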
