ClamAV updates its database over unencrypted connection

5 respuestas [Último envío]
traxter
Desconectado/a
se unió: 03/23/2018

Hi all,

I hope someone with ClamAV experience and/or technical knowledge can help me with this.

I noticed that the mirror over which the ClamAV database is updated doesn't support https. It is an unencrypted http connection and there seem to be no mirrors supporting https.

I'm wondering if this isn't risky (possible data corruption, MITM attacks, etc.) - especially when it's something as sensitive as anti-virus software.

Is there some kind of verification happening in the background (e.g. like apt verifying downloaded packages with a GPG key)?

Or isn't there a reason to worry at all?

jxself
Desconectado/a
se unió: 09/13/2010

This is probably better for the ClamAV community: https://www.clamav.net/contact

traxter
Desconectado/a
se unió: 03/23/2018

Problem is that the site where I could subscribe for their mailing list doesn't support https either.

Direct contact with the developers seems to be limited to reporting malware, bugs, false positives and submitting signatures. Don't know if reporting it as a bug makes sense, it isn't really one...

tonlee
Desconectado/a
se unió: 09/08/2014

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

Do you know about the pgp encryption system? Public and private keys?
https://emailselfdefense.fsf.org/en/

If clamav's public keys got on the computer is a secure manner, it is not
important if later clamav data transfers are https encrypted.

Gpg4usb is a pgp encryption program which has a graphical
user interface.
gpg4usb.org

traxter
Desconectado/a
se unió: 03/23/2018

> Do you know about the pgp encryption system? Public and private keys?

I have basic knowledge about it

> If clamav's public keys got on the computer is a secure manner, it is not
important if later clamav data transfers are https encrypted.

So if I download ClamAV over apt, is ClamAV's key then already included and later used to verify their database updates? If yes, I understand that a plain http connection isn't problematic.

But is this the case or do I have to import their key separately?

tonlee
Desconectado/a
se unió: 09/08/2014

> So if I download ClamAV over apt, is ClamAV's key then already included and later used to verify their database updates?

I cannot tell you.

> Don't know if reporting it as a bug makes sense, it isn't really one

If there is no clamav documention on this question it is an error and
you should file an question to clamav.