
Custom CVD Server question
Hi,

In a completely isolated network environment, I want to set up my own
CVD-Database server and create my own special signatures. If looking at
the source of sigtool, it connects to some "signing"-server using
manually supplied credentials, then sends several sign requests and
retrieves the results.

What I can't figure out: Where is the source of that "signing"-server
resp. which algorithm does it use for signing?

Hopefully somebody can shed some light on that...

Thanks in advance
-Fritz
Re: Custom CVD Server question
On Tue, 21 Jun 2011 04:48:44 +0200 Fritz Elfert <fritz@fritz-elfert.de>
wrote:
> Hi,
>
> In a completely isolated network environment, I want to set up my own
> CVD-Database server and create my own special signatures. If looking at
> the source of sigtool, it connects to some "signing"-server using
> manually supplied credentials, then sends several sign requests and
> retrieves the results.
>
> What I can't figure out: Where is the source of that "signing"-server
> resp. which algorithm does it use for signing?
>
> Hopefully somebody can shed some light on that...

Hi Fritz,

you can't create digitally signed CVD files; this can only be done by
the ClamAV team.

However, with the development version of ClamAV you can create unsigned
containers (*.cud files).

A quick example on how to create such a file (please keep in mind this
will only work with clamav-devel, also only the development version of
clamscan/clamd will be able to load such a container):

/tmp$ mkdir db
/tmp$ cd db
/tmp/db$ sigtool --unpack-current daily
/tmp/db$ ls
COPYING daily.db daily.ftm daily.hdu daily.ign daily.info
daily.mdb daily.ndb daily.pdb daily.zmd
daily.cfg daily.fp daily.hdb daily.idb daily.ign2 daily.ldb
daily.mdu daily.ndu daily.wdb

/tmp/db$ sigtool-devel --build daily.cud --unsigned
WARNING: build: Signatures in daily db files: 126823, loaded by
libclamav: 127496
Total sigs: 127496
Builder name: test
Created daily.cud

/tmp/db$ clamscan -d daily.cud /etc/passwd
/etc/passwd: OK

----------- SCAN SUMMARY -----------
Known viruses: 126257
Engine version: devel-clamav-0.97-150-g83c82f1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.356 sec (0 m 0 s)

Then you can distribute daily.cud via a local web server and point
clients to it by adding the following line to freshclam.conf:

DatabaseCustomURL http://my.local.server.com/daily.cud

Alternatively, you can distribute it via NFS or so:

DatabaseCustomURL file:///mnt/nfs/daily.cud

Of course, you can use any name for the db, but all internal files
(listed with 'ls' in the example) need to have the same base name as well.

Hope this helps,

--
oo ..... Tomasz Kojm <tkojm@clamav.net>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Tue Jun 21 11:15:19 CEST 2011
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Custom CVD Server question
On 21.06.2011 11:33, Tomasz Kojm wrote:
> On Tue, 21 Jun 2011 04:48:44 +0200 Fritz Elfert <fritz@fritz-elfert.de>
> wrote:
>> Hi,
>>
>> In a completely isolated network environment, I want to set up my own
>> CVD-Database server and create my own special signatures. If looking at
>> the source of sigtool, it connects to some "signing"-server using
>> manually supplied credentials, then sends several sign requests and
>> retrieves the results.
>>
>> What I can't figure out: Where is the source of that "signing"-server
>> resp. which algorithm does it use for signing?
>>
>> Hopefully somebody can shed some light on that...
>
> Hi Fritz,
>
> you can't create digitally signed CVD files; this can only be done by
> the ClamAV team.

Why not?
If I use my own PKI and build custom clamav binaries using its public
keys (From a quick look, I guess the CLI_NSTR and CLI_ESTR defines), I
can sign a database and clamav would then accept it as "official". Of
course, the real official DBs then would be recognized as invalid by those
clamav binaries. I don't care. - As I said, this is a completely
isolated environment and the whole thing is not even about virus/malware
detection but what I want to achieve with this is to exploit clamav's
ability to quickly scan over data (recursively unpacking of archives
etc.), then "quarantining" the desired fragments of data for later
processing. I specifically *do* need signed CVD however in order to
assure that only the proper internal authority can change the sigs.
(The data to be detected and "quarantined" are selected certificates and
CSRs in various forms).

All I need for that is either the signing server source or at least an
exact description of the signing process (what exactly is hashed, which
algorithm/format, what exactly goes into the compiled-in constants of
the clamav binary). I could reverse engineer those, but I'm currently in
the process of a *quick* evaluation so I'm in a hurry. From looking at
sigtool I guess, it's pretty simple (perhaps just some perl script using
a little bit of openssl stuff).

After all, clamav is OSS, so security by obscurity isn't really an
option - is it?

>
> However, with the development version of ClamAV you can create unsigned
> containers (*.cud files).
Unsigned containers are *not* what I want.

> Hope this helps,
>
Unfortunately not ...

Thanks for your time
-Fritz
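The property Fritz asks for (only the internal authority can change the signatures, which an unsigned .cud container does not give) is the standard detached-signature pattern: the authority signs the database with a private key, and each client verifies it with a public key built into the binary, the role the CLI_NSTR/CLI_ESTR modulus and exponent play in his description. The following is an added example and not ClamAV's code; the thread does not describe ClamAV's real signing process, so it uses a standard scheme instead, RSASSA-PKCS1-v1_5 over SHA-256 (RFC 8017), written against the Python standard library so it runs offline. The key size, the database line and the function names are all constructed for the example.

```python
"""Detached-signature scheme of the kind described above: an internal
authority signs the database with a private key, clients verify with a
public key compiled into the binary (a stand-in for CLI_NSTR/CLI_ESTR).
Added example, not ClamAV's code; the scheme (RSASSA-PKCS1-v1_5, SHA-256)
is an assumption, chosen as a standard one. 1024-bit keys keep generation
quick; a real authority would use 3072+ bits and a vetted library."""
import hashlib
import secrets

# DER prefix of the DigestInfo structure for SHA-256 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd number with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024, e=65537):
    """Return ((n, e), (n, d)); only (n, e) is compiled into the client."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def _encode_digest(message, em_len):
    """EMSA-PKCS1-v1_5: 0x00 0x01 FF..FF 0x00 DigestInfo||H(m), as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for SHA-256 signatures")
    padded = b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t
    return int.from_bytes(padded, "big")


def sign_database(private_key, database):
    """Authority side: detached signature to ship next to the database."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(_encode_digest(database, k), d, n).to_bytes(k, "big")


def verify_database(public_key, database, signature):
    """Client side: load the database only if this returns True."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    return s < n and pow(s, e, n) == _encode_digest(database, k)


def demo():
    """Constructed database; returns (genuine, tampered, foreign-key) results."""
    pub, priv = generate_keypair()
    foreign_pub, _ = generate_keypair()
    # constructed signature line: hex of "-----BEGIN", the sort of fragment Fritz wants caught
    database = b"Example.Cert.Fragment:0:*:2d2d2d2d2d424547494e\n"
    sig = sign_database(priv, database)
    return (verify_database(pub, database, sig),
            verify_database(pub, database + b"\n", sig),
            verify_database(foreign_pub, database, sig))


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

The two rejections in demo() are the whole point of the design: a database altered after signing, or one signed by anyone other than the holder of the authority's private key, fails verification under the compiled-in public key, exactly as Fritz expects the real ClamAV builds to reject databases not signed by the ClamAV team.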
Re: Custom CVD Server question
On 06/21/2011 02:45 PM, Fritz Elfert wrote:
> detection but what I want to achieve with this is to exploit clamav's
> ability to quickly scan over data (recursively unpacking of archives
> etc.), then "quarantining" the desired fragments of data for later
> processing. I specifically *do* need signed CVD however in order to
> assure that only the proper internal authority can change the sigs.
> (The data to be detected and "quarantined" are selected certificates and
> CSRs in various forms).

Sounds like something more easily solved by traditional Unix permissions and SSH keys:
- create a user that can write to the ClamAV database directory
- allow it to do scp (or rsync -e ssh) with an SSH key, but not actually login
- update the signatures on your central server and use scp, or rsync -e ssh to securely distribute
the database to all machines running ClamAV

Best regards,
--Edwin
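Edwin's scheme stands or falls on the push account's key being unable to do anything except write the database, so the check a defender wants is an audit of that account's authorized_keys on every ClamAV host. The following is an added example, not part of the thread: it parses authorized_keys lines (including quoted command="..." options) and flags any key without a forced command or without session restrictions. The rrsync path, /var/lib/clamav and the sample keys are constructed assumptions about the deployment.

```python
"""Audit an authorized_keys file for a push-only database account: every
key must carry a forced command (rsync/scp only) and must deny an
interactive session. Added example, not from the thread; the rrsync path
and /var/lib/clamav are assumptions about the deployment."""

# Options that together deny a session on older OpenSSH; the single
# 'restrict' option (OpenSSH 7.2+) implies all of them and more.
LEGACY_DENY = {"no-pty", "no-port-forwarding", "no-agent-forwarding",
               "no-x11-forwarding"}
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")

# Constructed sample: one properly restricted key, one unrestricted admin
# key that does not belong on a push-only account, one legacy-style line.
SAMPLE_AUTHORIZED_KEYS = """\
# push account on a ClamAV host (constructed sample)
restrict,command="/usr/bin/rrsync /var/lib/clamav" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4 sigserver-push
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5 admin-laptop
no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/usr/bin/rrsync /var/lib/clamav" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLE legacy-pusher
"""


def _split_options(line):
    """Split the leading option list; commas and spaces inside a quoted
    command="..." do not end an option. Returns (options, remainder)."""
    options, current, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and i + 1 < len(line):
            current += line[i:i + 2]  # keep the escaped character as-is
            i += 1
        elif ch == '"':
            quoted = not quoted
            current += ch
        elif ch == "," and not quoted:
            options.append(current)
            current = ""
        elif ch.isspace() and not quoted:
            break
        else:
            current += ch
        i += 1
    options.append(current)
    return options, line[i:].strip()


def parse_authorized_key(line):
    """Return (options, key_type, key, comment) for one non-comment line."""
    line = line.strip()
    if line.split(None, 1)[0].startswith(KEY_TYPES):
        options, rest = [], line  # no option list on this line
    else:
        options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError("malformed authorized_keys line: %r" % line)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def audit_authorized_keys(text):
    """Return [(key label, problem)] for keys that grant more than a push."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _key_type, key, comment = parse_authorized_key(line)
        names = {o.split("=", 1)[0].lower() for o in options}
        label = comment or key[:16]
        if "command" not in names:
            findings.append((label, "no forced command; key allows any command"))
        if "restrict" not in names and not LEGACY_DENY <= names:
            findings.append((label, "session not denied; add the 'restrict' option"))
    return findings


if __name__ == "__main__":
    for label, problem in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{label}: {problem}")
```

One caveat when implementing "can scp but not actually login": put the restriction in authorized_keys (restrict plus a forced command such as rrsync) rather than giving the account a nologin shell, because sshd runs the forced command through the account's shell, so a nologin shell breaks the push as well.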