Tomasz Kojm wrote:
> On Wed, 16 Apr 2008 16:38:05 +0100
> Brian Morrison <[EMAIL PROTECTED]> wrote:
>
>> Does the unsigned .cld file mean that an attack vector could be to edit
>> the .cld file and thus corrupt it? I can see that the cdiff signing
>> protects the path between the database servers and freshclam, but that
>> protection is not available once on an end-user system.
>
> freshclam makes sure that everything it downloads and installs comes from
> trusted sources. But if someone takes control over your database directory,
> then he can do any kind of harm (remove or replace the entire database, add new
> signatures, etc.)
>
Yes, I realise that. I run clamd under user clamav, hence it's probably
easier to access /var/lib/clamav/* than it would be if owned by root.

Is the overhead of expanding a compressed signed database really that
high? I imagine that most of the signatures are held in memory and you
only need to read from disk at startup and when freshclam notifies clamd
of updated signatures. On a very busy server I can see it might cause a
problem, but on less loaded systems it could be acceptable.

-- 
Brian
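
The exposure discussed in this thread, a database directory that the scanning account itself can modify, can be checked with a short audit. This is an added example, not part of the original messages and not ClamAV code; the names audit_db_dir, scanner_uid and trusted_uids are assumptions, and the sample directory is constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_db_dir(db_dir, scanner_uid, trusted_uids=(0,)):
    """Return (path, issue) pairs for entries a non-trusted account could alter.

    scanner_uid:  uid the scanning daemon runs as (assumption: passed by caller).
    trusted_uids: uids allowed to own the database (assumption: root by default).
    """
    findings = []
    names = sorted(os.listdir(db_dir))
    for path in [db_dir] + [os.path.join(db_dir, n) for n in names]:
        st = os.lstat(path)  # lstat: do not follow links out of the directory
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if st.st_uid == scanner_uid:
            # The owner can always chmod and rewrite, whatever the mode bits say.
            findings.append((path, "owned-by-scanner"))
        elif st.st_uid not in trusted_uids:
            findings.append((path, "unexpected-owner"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Group write may be intended on some hosts; it is reported for review.
            findings.append((path, "group/other-writable"))
    return findings


def build_sample_dir():
    """Constructed stand-in for /var/lib/clamav so the audit runs anywhere."""
    d = tempfile.mkdtemp()
    for name, mode in (("main.cld", 0o644), ("daily.cld", 0o666)):
        p = os.path.join(d, name)
        open(p, "wb").close()
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    # Same layout as described above: the scanner's account owns the database.
    for path, issue in audit_db_dir(sample, scanner_uid=os.getuid()):
        print(f"{issue:22} {path}")
```

On a real host the same function would be pointed at /var/lib/clamav with the uid of the clamav account.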