Re: [clamav-users] secure download of .cvd files ?

2018-09-04 Thread Reindl Harald



On 31.08.18 at 14:37, Michael Orlitzky wrote:
> To fix it: if you're going to use a file under /tmp, then use a secure
> function like mktemp() to obtain it. But if you're running this job as a
> specific user, you might as well give him a special place to work like
> /var/tmp/clamav-updates that is accessible only to that user. The
> problem is unique to /tmp because of its world-writable permissions

smart users wrap freshclam into a systemd-oneshot-service and the first
option below makes the /tmp issue a no-brainer to begin with

PrivateTmp=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX
RestrictRealtime=yes
SystemCallArchitectures=x86-64
SystemCallFilter=~acct adjtimex clock_adjtime delete_module
fanotify_init finit_module init_module io_destroy io_getevents iopl
ioperm io_setup io_submit io_cancel kcmp kexec_load mbind migrate_pages
mount move_pages open_by_handle_at perf_event_open pivot_root
process_vm_readv process_vm_writev ptrace remap_file_pages swapoff
swapon umount2 uselib vmsplice
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Michael Orlitzky
On 08/31/2018 05:00 AM, Henrik Hoeg Thomsen1 wrote:
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net

This is probably exploitable by anyone on the system to gain root. If I
create the file /tmp/daily.cvd (remember that /tmp is world-writable),

  $ touch -d '2018-01-01 00:00:00' /tmp/daily.cvd

Then your update job will write to my file:

  $ sudo wget -q -m -nd -P /tmp http://db.local.clamav.net:/daily.cvd
  ...

Thanks to the "-m" flag, I still own that file, and I can write whatever
bad stuff I want in there after you verify its contents:

  $ ls -lh /tmp/daily.cvd
  -rw-r--r-- 1 mjo mjo 48M 2018-08-31 00:46 /tmp/daily.cvd

There are various reports floating around showing how clamav is not
robust against malicious signatures (potentially leading to root
access); but regardless it's a pretty bad thing that anyone on the
machine can overwrite all of your signatures with malicious ones.

To fix it: if you're going to use a file under /tmp, then use a secure
function like mktemp() to obtain it. But if you're running this job as a
specific user, you might as well give him a special place to work like
/var/tmp/clamav-updates that is accessible only to that user. The
problem is unique to /tmp because of its world-writable permissions.
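As an added example (not code from the thread or from ClamAV), a POSIX shell function that applies the fix Michael describes: it downloads into a fresh mode-0700 directory from mktemp -d instead of a predictable world-writable path, refuses to install anything that is not a regular, non-symlink file owned by the invoking user, and only then renames the result into the destination. The fetch command is passed in as a parameter; the two fetchers used in the demonstration are constructed so it runs offline, and the wget invocation in the comment is an assumption about how a real run would be wired up.

```shell
#!/bin/sh
# Added example, not code from the thread: download a signature file into a
# fresh private directory instead of a predictable path under /tmp, check
# that what landed there is a regular, non-symlink file owned by the calling
# user, and only then move it into the destination directory.
set -eu

# Return 0 if FILE is a regular file (not a symlink or FIFO that another user
# planted) owned by the effective user, 1 otherwise. -f follows symlinks, so
# -L is tested separately. -O is supported by bash, dash and busybox sh.
check_owned_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}

# fetch_signature DEST_DIR NAME FETCH_CMD
#   DEST_DIR   directory reserved for this user (e.g. /var/lib/clamav)
#   NAME       file name such as daily.cvd
#   FETCH_CMD  command invoked with the output path as its only argument
# Installs DEST_DIR/NAME and returns 0, or installs nothing and returns 1.
fetch_signature() {
    dest_dir=$1; name=$2; fetch_cmd=$3
    # mktemp -d creates a mode-0700 directory with an unpredictable name, so
    # no other user can pre-create or replace files inside it.
    work=$(mktemp -d "${TMPDIR:-/tmp}/clamav-update.XXXXXX") || return 1
    out=$work/$name
    if ! "$fetch_cmd" "$out" || ! check_owned_regular_file "$out"; then
        rm -rf "$work"
        return 1
    fi
    chmod 0644 "$out"
    # mv is an atomic rename when both paths are on one filesystem (point
    # TMPDIR at DEST_DIR's filesystem), so readers never see a partial file.
    mv -f "$out" "$dest_dir/$name"
    rm -rf "$work"
}

# In production FETCH_CMD would wrap the download from the thread, e.g.
#   wget_daily() { wget -q --retry-connrefused -O "$1" http://db.local.clamav.net/daily.cvd; }
# The two fetchers below are constructed so that the script runs offline.
fake_fetch() { printf 'ClamAV-VDB:constructed sample, not a real database\n' > "$1"; }
# Mimics the scenario from the thread: the "download" is a link to a file
# someone else controls rather than a regular file we own.
planted_link_fetch() { ln -s /etc/hostname "$1"; }

# Offline demonstration against a throwaway destination directory.
demo() {
    dest=$(mktemp -d)
    fetch_signature "$dest" daily.cvd fake_fetch && echo "installed $dest/daily.cvd"
    fetch_signature "$dest" main.cvd planted_link_fetch || echo "rejected planted link"
    rm -rf "$dest"
}
demo
```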


Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Henrik Hoeg Thomsen1
Thank you Arnaud.
This will mitigate my compliance issue.



---
Henrik Høg Thomsen
Senior IT Specialist - IBM - IPG
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216 
tlf +45 51638561 mail h...@dk.ibm.com




From:   Arnaud Jacques 
To: clamav-users@lists.clamav.net
Date:   2018/08/31 11:53
Subject:Re: [clamav-users] secure download of .cvd files ?
Sent by:"clamav-users" 





On 31/08/2018 at 11:00, Henrik Hoeg Thomsen1 wrote:
> Does clamav offer an encrypted download alternative to the unencrypted http 
> based wget used to update the signature database?

Maybe: 
https://packages.microsoft.com/clamav/

Should be reliable enough.

-- 
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois





Medmindre andet er angivet ovenfor: / Unless Otherwise Stated Above:
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216


Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Joel Esler (jesler)
Agreed. But it wasn’t something we could support. Now we can. Not that it 
matters, but at least we can now.

Sent from my iPhone

> On Aug 31, 2018, at 07:16, Al Varnell  wrote:
> 
> And the answer is the same as it was then. There is nothing to be gained by 
> supporting https. There is nothing sensitive about the database. Each 
> component is verified as genuine after downloaded. And the impact on the 
> servers is less.
> 
> -Al-
> 
>> On Fri, Aug 31, 2018 at 04:07 AM, Arnaud Jacques wrote:
>> 
>> That's why I asked in 2014 about freshclam support of SSL :
>> 
>> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
>> 
>> 
>>> Le 31/08/2018 à 12:08, Al Varnell a écrit :
>>> I'm not aware of any, but all database components are verified for 
>>> authenticity by freshclam after download.
>>> -Al-
>>>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>>> Does clamav offer an encrypted download alternative to the unencrypted http 
>>>> based wget used to update the signature database?
>>>> 
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>>> /daily.cvd
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>>> /main.cvd 


Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Al Varnell
OK, well then it's almost the same as it was back in 2014.

-Al-

On Fri, Aug 31, 2018 at 04:09 AM, Joel Esler (jesler) wrote:
> 
> You should be able to do it now.  However, freshclam doesn’t support ssl.  
> When we get ssl built into freshclam, https redirection would be available.  
> 
> But I couldn’t do it before with the mirrors the way they were.   We can now. 
>  
> 
> Sent from my iPhone
> 
>> On Aug 31, 2018, at 07:07, Arnaud Jacques  wrote:
>> 
>> That's why I asked in 2014 about freshclam support of SSL :
>> 
>> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
>> 
>> 
>>> On 31/08/2018 at 12:08, Al Varnell wrote:
>>> I'm not aware of any, but all database components are verified for 
>>> authenticity by freshclam after download.
>>> -Al-
>>>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>>> Does clamav offer an encrypted download alternative to the unencrypted http 
>>>> based wget used to update the signature database?
>>>> 
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>>> /daily.cvd
>>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>>> /main.cvd 
>> 
>> -- 
>> Cordialement / Best regards,
>> 
>> Arnaud Jacques
>> Manager of SecuriteInfo.com
>> 
>> Telephone: +33-(0)3.44.39.76.46
>> E-mail: a...@securiteinfo.com
>> Website: https://www.securiteinfo.com
>> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
>> Twitter: @SecuriteInfoCom
>> 
>> Securiteinfo.com
>> IT Security - Information Security.
>> 266, rue de Villers
>> 60123 Bonneuil en Valois

-Al-
-- 
Al Varnell
Mountain View, CA








Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Al Varnell
And the answer is the same as it was then. There is nothing to be gained by 
supporting https. There is nothing sensitive about the database. Each component 
is verified as genuine after downloaded. And the impact on the servers is less.

-Al-

On Fri, Aug 31, 2018 at 04:07 AM, Arnaud Jacques wrote:
> 
> That's why I asked in 2014 about freshclam support of SSL :
> 
> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
> 
> 
> On 31/08/2018 at 12:08, Al Varnell wrote:
>> I'm not aware of any, but all database components are verified for 
>> authenticity by freshclam after download.
>> -Al-
>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>> Does clamav offer an encrypted download alternative to the unencrypted http 
>>> based wget used to update the signature database?
>>> 
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>> /daily.cvd
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>> /main.cvd 







Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Joel Esler (jesler)
You should be able to do it now.  However, freshclam doesn’t support ssl.  
When we get ssl built into freshclam, https redirection would be available.  

But I couldn’t do it before with the mirrors the way they were.   We can now.  

Sent from my iPhone

> On Aug 31, 2018, at 07:07, Arnaud Jacques  wrote:
> 
> That's why I asked in 2014 about freshclam support of SSL :
> 
> http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
> 
> 
>> On 31/08/2018 at 12:08, Al Varnell wrote:
>> I'm not aware of any, but all database components are verified for 
>> authenticity by freshclam after download.
>> -Al-
>>> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>>> Does clamav offer an encrypted download alternative to the unencrypted http 
>>> based wget used to update the signature database?
>>> 
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>> /daily.cvd
>>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>>> /main.cvd 
> 
> -- 
> Cordialement / Best regards,
> 
> Arnaud Jacques
> Manager of SecuriteInfo.com
> 
> Telephone: +33-(0)3.44.39.76.46
> E-mail: a...@securiteinfo.com
> Website: https://www.securiteinfo.com
> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter: @SecuriteInfoCom
> 
> Securiteinfo.com
> IT Security - Information Security.
> 266, rue de Villers
> 60123 Bonneuil en Valois


Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Arnaud Jacques

That's why I asked in 2014 about freshclam support of SSL :

http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html


On 31/08/2018 at 12:08, Al Varnell wrote:
> I'm not aware of any, but all database components are verified for 
> authenticity by freshclam after download.
> 
> -Al-
> 
> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>> Does clamav offer an encrypted download alternative to the unencrypted 
>> http based wget used to update the signature database?
>> 
>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>> /daily.cvd
>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
>> /main.cvd 






--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Al Varnell
I'm not aware of any, but all database components are verified for authenticity 
by freshclam after download.

-Al-

On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
> Does clamav offer an encrypted download alternative to the unencrypted http 
> based wget used to update the signature database? 
> 
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
> /daily.cvd 
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: 
> /main.cvd 




Re: [clamav-users] secure download of .cvd files ?

2018-08-31 Thread Arnaud Jacques




On 31/08/2018 at 11:00, Henrik Hoeg Thomsen1 wrote:
> Does clamav offer an encrypted download alternative to the unencrypted http 
> based wget used to update the signature database?

Maybe: https://packages.microsoft.com/clamav/
Should be reliable enough.

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


[clamav-users] secure download of .cvd files ?

2018-08-31 Thread Henrik Hoeg Thomsen1
Does clamav offer an encrypted download alternative to the unencrypted http 
based wget used to update the signature database?

wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
/daily.cvd 
wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
/main.cvd 



---
Henrik Høg Thomsen
Senior IT Specialist - IBM - IPG
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216 
tlf +45 51638561 mail h...@dk.ibm.com

Medmindre andet er angivet ovenfor: / Unless Otherwise Stated Above:
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216