FJ wrote:
> Hello everyone!

Hi.

> Please pardon my relative ClamAV ignorance but I am new to the
> community -- with an ardent desire to learn more!
>
> We are currently looking into distributing the excellent ClamXav GUI to
> clients on our network. However, that application, that relies on
> Freshclam to update the Clamav definitions does not make use of digital
> signatures, meaning the definitions are downloaded in a somehow
> insecure manner.

No, it has a lot of security included.

> As far as I understand, Freshclam downloads definitions only, not
> executables. However, I was wondering whether it would be possible to
> trick Freshclam into downloading content that would be potentially
> dangerous or damaging for the computer or Clamav itself -- through a
> corrupt mirror or DNS poisoning, for example? In other words, what are
> the risks associated with running Freshclam without digital signatures
> support?

The database that freshclam updates is digitally signed, see the manual, section 6.5; also related is that if you don't have GNU's gmp _and_ you force compilation of the package then you end up with no support for digital signatures, see FAQ http://clamav.net/faq.html question 20 which is about the warning you'll see in that case.

From the above you can see that freshclam/clamscan/clamdscan/clamd do protect client installations by only upgrading/using databases with valid signatures.

From a (computation) theoretical perspective there will always be a way to break any security provision, from the practical perspective only those ways that don't cost too much will be used ... so don't be surprised if someone finds a way, there will always be a risk no matter how small.

And your last question, if you choose to run clamav without digital signatures you do that under your own responsibility.

HTH
--
René Berber
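To illustrate why the signature matters when a mirror is not trusted, here is an added example, not part of the original message and not ClamAV's own code. It assumes the CVD layout of a 512-byte, colon-separated, space-padded header whose sixth field is the MD5 of the data that follows and whose seventh is the digital signature; the sample files and function names are constructed for illustration.

```python
import hashlib
import hmac

HEADER_LEN = 512  # assumption: fixed-size CVD header, space padded
FIELDS = ("magic", "build_time", "version", "sig_count", "flevel",
          "md5", "dsig", "builder", "stime")

def parse_cvd_header(blob: bytes) -> dict:
    """Split the colon-separated header into named fields."""
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated file: no complete header")
    parts = blob[:HEADER_LEN].decode("ascii", "replace").rstrip().split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 8:
        raise ValueError("not a CVD header")
    return dict(zip(FIELDS, parts))

def check_cvd(blob: bytes) -> str:
    """Integrity pre-check only; it does not verify the signature."""
    hdr = parse_cvd_header(blob)
    digest = hashlib.md5(blob[HEADER_LEN:]).hexdigest()
    if not hmac.compare_digest(digest, hdr["md5"].lower()):
        return "reject: body does not match header digest"
    if not hdr["dsig"]:
        return "reject: header carries no signature"
    # A mirror can recompute the digest, so only the signature check
    # performed by ClamAV itself ties the file to the database signers.
    return "digest ok: signature must still be verified"

def make_sample(body: bytes, dsig: str = "CONSTRUCTED-SIG") -> bytes:
    """Build a constructed CVD-shaped file; the signature is a placeholder."""
    md5 = hashlib.md5(body).hexdigest()
    head = f"ClamAV-VDB:01 Jan 2000 00-00 +0000:1:1:1:{md5}:{dsig}:tester:0"
    return head.encode().ljust(HEADER_LEN) + body

GOOD = make_sample(b"constructed database body")
# Body replaced, header left alone: caught by the digest comparison.
SWAPPED_BODY = GOOD[:HEADER_LEN] + b"substituted body"
# Body replaced and digest recomputed: passes the digest comparison.
REBUILT = make_sample(b"substituted body")

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("swapped", SWAPPED_BODY),
                       ("rebuilt", REBUILT)):
        print(name, "->", check_cvd(blob))
```

The `REBUILT` case passes the digest comparison, which is why a build without signature support has to treat its mirrors as fully trusted.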