Uploaded by: nathan-gibbs
Security BSides Rochester BSidesROC 2013 Tea Room Talks 15:30
Baking Clam(AV)s for Fun & Profit.
ClamAV in a network-accessible configuration provides not only remote virus scanning, but also the potential for denial of service (DoS) and more.
ClamAV - What it is.
Open source software
Provides virus scanning
Currently owned by Sourcefire
ClamAV - Component overview: what it does.
clamscan: stand-alone command-line scanner
freshclam: signature DB update tool
clamd: scanning server
clamdscan: command-line scanner (scanning client)
clamav-milter: email scanning plugin (scanning client)
The Problem - Design (in theory)
Configuration: clamd can bind to an IP address
No access controls
No authentication
No connection logging
Discussed on the ClamAV-users mailing list, July 22-23 2011
The Problem - Implementation (in practice)
Availability of administrative commands:
VERSION: recon
RELOAD: the default virus DB is about 50 MB; continuous reloads result in high CPU utilization
SHUTDOWN: guess what that does? A DoS of a networked ClamAV installation.
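To make the protocol point concrete, here is an added Python example (not from the talk, Clambake, clamd.monitor or the ClamAV project). It speaks clamd's plain-text command protocol the way a liveness monitor would: open the socket, send PING, expect PONG, and report the daemon as down when the socket is refused or silent. No credential is ever exchanged, which is exactly the design problem above. FakeClamd is a constructed stand-in for clamd so the example runs offline; its VERSION string is made up, and its stop() models the availability loss a networked clamd suffers once someone issues SHUTDOWN.

```python
import socket
import threading

# clamd's documented default TCPSocket port. FakeClamd below picks a free
# port instead, so this example never talks to a real service.
CLAMD_DEFAULT_PORT = 3310


def clamd_command(host, port, command, timeout=3.0):
    """Send one clamd protocol command and return the reply as text.

    The protocol is plain text: an 'n'-prefixed command is newline-terminated,
    a 'z'-prefixed one is NUL-terminated, and clamd closes the connection
    after replying. Nothing authenticates the caller: whoever can open the
    socket can issue any command, administrative ones included.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"n" + command.encode("ascii") + b"\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace").strip()


def check_clamd_alive(host, port, timeout=3.0):
    """Liveness probe: True only if clamd answers PING with PONG."""
    try:
        return clamd_command(host, port, "PING", timeout) == "PONG"
    except OSError:  # connection refused, reset, or timed out
        return False


class FakeClamd:
    """Constructed stand-in for clamd (test double, not the real daemon).

    Answers PING and VERSION on the wire without asking for any credential,
    just as clamd does; stop() takes it away so the monitor's "down" path
    can be exercised.
    """

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self._srv.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self.running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed by stop()
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    line = conn.recv(1024)
                except OSError:
                    continue
                if line[:1] in (b"n", b"z"):
                    line = line[1:]
                cmd = line.rstrip(b"\n\0")
                if cmd == b"PING":
                    conn.sendall(b"PONG\n")
                elif cmd == b"VERSION":
                    # constructed version string, not a real ClamAV release
                    conn.sendall(b"ClamAV 0.0.0-constructed/0/Thu Jan  1 00:00:00 1970\n")
                else:
                    conn.sendall(b"UNKNOWN COMMAND\n")

    def stop(self):
        self.running = False
        self._srv.close()
        self._thread.join(timeout=2.0)


if __name__ == "__main__":
    fake = FakeClamd()
    print("version:", clamd_command("127.0.0.1", fake.port, "VERSION"))
    print("alive before stop:", check_clamd_alive("127.0.0.1", fake.port))
    fake.stop()
    print("alive after stop:", check_clamd_alive("127.0.0.1", fake.port))
```

Pointing check_clamd_alive at a real deployment's own clamd (local socket or loopback) from cron is the cheap way to notice that a daemon has gone away; the connection-logging gap the slide mentions is what makes such an external check worthwhile, since clamd itself will not tell you who sent the SHUTDOWN.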
The Defense
Configuration: bind to a local socket, or bind to the loopback interface
Access controls: firewall
Monitoring
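The configuration half of that defense, as an added Python example that is not part of the talk or of the ClamAV project: a small clamd.conf audit that flags a daemon bound to a network address and passes one that only offers a local socket or loopback. TCPSocket, TCPAddr, LocalSocket and Example are real clamd.conf directives (clamd binds all interfaces when TCPSocket is set without TCPAddr); the two configuration fragments and the socket path are constructed for the example.

```python
# Constructed clamd.conf fragments. WEAK_CONF is the "bind to an IP address"
# setup the Problem slides describe; HARDENED_CONF follows the Defense slide.
WEAK_CONF = """
# Exposed: accepts scan requests, and administrative commands, from any host
TCPSocket 3310
TCPAddr 0.0.0.0
MaxThreads 12
"""

HARDENED_CONF = """
# Local clients use the Unix socket (example path, distro-specific in practice)
LocalSocket /var/run/clamav/clamd.ctl
# If TCP is unavoidable, loopback only; a host firewall still belongs in front
TCPSocket 3310
TCPAddr 127.0.0.1
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_clamd_conf(text):
    """Parse clamd.conf text into {directive: [values]}.

    '#' starts a comment, blank lines are skipped, and a directive may repeat
    (newer clamd accepts several TCPAddr lines), so values are kept as lists.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_network_exposure(conf):
    """Return findings describing how the configured clamd can be reached."""
    findings = []
    if "Example" in conf:
        findings.append("unedited default config ('Example' present): clamd will refuse to start")
    tcp_ports = conf.get("TCPSocket", [])
    if tcp_ports:
        addrs = conf.get("TCPAddr", [])
        if not addrs:
            findings.append("TCPSocket %s without TCPAddr: clamd binds every interface" % tcp_ports[0])
        for addr in addrs:
            if addr not in LOOPBACK:
                findings.append("TCPSocket %s bound to %s: reachable from the network with no authentication"
                                % (tcp_ports[0], addr))
    if not tcp_ports and not conf.get("LocalSocket"):
        findings.append("no LocalSocket or TCPSocket: clamd has no listener at all")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_network_exposure(parse_clamd_conf(text)) or ["ok"])
```

Running this against /etc/clamav/clamd.conf (or wherever a distribution keeps it) is a quick way to confirm a fleet follows the "local socket or loopback" rule; anything it flags still needs the firewall rule from the same slide, since the daemon itself offers no access control.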
Tools - Shameless plug
Clambake 0.2 - enumeration & (stress) testing
CCEE - adds connection logging to clamd for administrative commands
clamd.monitor
Get them all and more for free at http://www.cmpublishers.com/oss
Contact info
Email: [email protected]
@Christ_Media
LinkedIn: http://www.linkedin.com/in/nategibbs
Thanks
God
BSides ROC
ClamAV dev team & Sourcefire
Folks on the ClamAV-users ML