1. Baking Clam(AV)s for Fun & Profit.
ClamAV in a network-accessible configuration provides not only remote virus scanning, but also the potential for DoS, etc.
2. ClamAV - what it is.
Open Source Software
Provides Virus Scanning
Currently owned by Sourcefire
3. ClamAV - Component Overview
What it does.
clamscan - Stand alone cmd line scanner
clamdscan - cmd line scanner ( scanning client )
freshclam - Signature DB update tool
clamav-milter - email scanning plugin ( scanning client )
clamd - Scanning Server
4. The Problem - Design
In theory
Configuration
Clamd can bind to an IP address
No Access Controls
No Authentication
No connection logging
Discussed on ClamAV-user mailing list
July 22-23 2011
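A defender's check for the design issue on slide 4, added here as an example (it is not from the original slides or the tools they mention): it audits clamd.conf text for a TCP listener that other hosts can reach. `TCPSocket` and `TCPAddr` are real clamd.conf options; the sample configs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample clamd.conf contents (not taken from the slides).
SAMPLE_EXPOSED = "LocalSocket /var/run/clamav/clamd.ctl\nTCPSocket 3310\nTCPAddr 192.0.2.10\n"
SAMPLE_LOCAL = "LocalSocket /var/run/clamav/clamd.ctl\n#TCPSocket 3310\n"


def parse_clamd_conf(text):
    """Parse 'Option value' lines into {option: [values]}; '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def audit_clamd_conf(text):
    """Return findings for a clamd TCP listener that other hosts can reach."""
    opts = parse_clamd_conf(text)
    if "TCPSocket" not in opts:
        return []  # local (Unix) socket only: nothing is exposed on the network
    port = opts["TCPSocket"][-1]
    addrs = opts.get("TCPAddr", [])
    findings = []
    if not addrs:
        # With no TCPAddr, clamd binds the TCP port on every interface.
        findings.append(f"TCPSocket {port} without TCPAddr: listening on all interfaces")
    for addr in addrs:
        if not is_loopback(addr):
            findings.append(f"TCPAddr {addr} port {port}: reachable off-host with no "
                            "authentication; restrict it with a host firewall")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", SAMPLE_EXPOSED), ("local", SAMPLE_LOCAL)):
        print(name, audit_clamd_conf(conf) or "no network listener findings")
```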
5. The Problem - Implementation
In practice
Availability of Administrative Commands.
VERSION
Recon
RELOAD
Default Virus DB size is about 50MB
Continuous reloads result in high CPU utilization.
SHUTDOWN
Guess what that does?
A DoS of a networked ClamAV installation.
7. Tools - Shameless Plug
Clambake 0.2 - Enumeration & ( Stress ) Testing
CCEE - Adds connection logging to clamd for administrative commands
clamd.monitor
Get them all and more for free at http://www.cmpublishers.com/oss