My team is currently evaluating AV solutions and we're interesting in using ClamAV. However, due to policy requirements the updates need to be downloaded via a secure protocol (e.g. https). Yes, I'm aware that this is pointless because the signature of downloaded CVDs is verified to identify/prevent tampering, but the policy requirement still stands for us. Has anyone considered supporting HTTPS for retrieving updates? I don't see any mention of it in the archives so I'm guessing no...
1. I see that the code in manager.c is hard-coded to use http. I could update that to read an option from the config file for either http or https and then pull updates from our own https mirror... 2. Due to the same policy requirements, our mirror will also have to get *its *definitions via a secure protocol. Considering that manager.c is hard-coded to use http, I assume there are no https mirrors out there, correct? Alternatively the sync method for public mirrors (rsync overssh) would meet that need, but that would require us to make the mirror public, which I'm not sure we could do. Appreciate any answers/feedback -- Matt Bearup _______________________________________________ http://lurker.clamav.net/list/clamav-devel.html Please submit your patches to our Bugzilla: http://bugs.clamav.net http://www.clamav.net/contact.html#ml
