Baking Clam(AV)s for Fun & Profit.

ClamAV in a network accessible configuration provides not only remote virus scanning, but also

the potential for DOS, etc.

ClamAV-what it is.

Open Source SoftwareProvides Virus ScanningCurrently owned by Sourcefire

ClamAV-Component Overview What it does.

clamscanStand alone cmd line scanner

freshclamSignature DB update tool

clamdScanning Server

clamdscancmd line scanner ( scanning client )

clamav-milteremail scanning plugin ( scanning client )

The Problem - DesignIn theory

ConfigurationClamd can bind to an IP address

No Access ControlsNo AuthenticationNo connection loggingDiscussed on ClamAV-user mailing list

July 22-23 2011

The Problem - ImplementationIn practice

Availability of Administrative Commands.VERSION

ReconRELOAD

Default Virus DB size is about 50MBContinuous reloads result in High CPU utilization.

SHUTDOWNGuess what that does?A DOS of a networked ClamAV installation.

The Defense

ConfigurationBind to a LOCAL SocketBind to loopback interface

Access Controls - FIREWALLMonitoring

Tools - Shameless Plug

Clambake 0.2 - Enumeration & ( Stress ) TestingCCEE - Adds connection logging to clamd for administrative commandsclamd.monitorGet them all and more for free at http://www.cmpublishers.com/oss

Contact Info

Email: nathan@cmpublishers.comTwitter: @Christ_MediaLinkedin: http://www.linkedin.com/in/nategibbs

Thanks

GodBSides ROCCLAMAV Dev Team & SourcefireFolks on Clamav-users ML