| Main Archive Page > Month Archives > clamav-users archives |
Re: [Clamav-users] ClamAV Vulnerability
From: Tomasz Kojm <tkojm_at_nospam>Date: Thu Nov 22 2007 - 01:42:21 GMT
To: clamav-users@lists.clamav.net
On Wed, 21 Nov 2007 19:54:17 -0500
"David F. Skoll" <dfs@roaringpenguin.com> wrote:
> Tomasz Kojm wrote:
>
> > Just to make you feel better - ClamAV includes two special mechanisms
> > that in almost all cases allow us to remotely address such
> > vulnerabilities in 5 minutes eliminating the need for urgent update of
> > the entire package. These special features effectively limit wider usage
> > of any exploits against ClamAV.
>
> Could you elaborate please?
Sure, let's say someone publishes an exploit code against some XYZ module (unpacker, preprocessor, parser, etc.) of libclamav. Depending on the priority of the module we may decide to do one of the following:
- disable the entire XYZ module (via daily.cvd)
- publish special signatures against the exploit code that also change the scan logic of libclamav: at little additional performance cost all files are first scanned in raw mode so it's possible to detect the exploit before it reaches the vulnerable module, also there's no need to disable the entire module
We can stick the "protection" to certain vulnerable releases, eg. 0.90-0.91.1. In order to get out of the umbrella (and get XYZ reactivated or libclamav working as usual) a user of vulnerable version needs to update to new security release (if ready).
Take care, -- oo ..... Tomasz Kojm <tkojm@clamav.net> (\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg \..........._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Nov 22 02:41:17 CET 2007 _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html