ClamAV Security Target

#cyberus_works

December 22, 2022

ClamAV Security

This document is a summary of the security target for the first level security certification (CSPN) of the ClamAV antivirus for certification by the National Agency for Information Systems Security.

A. Introduction

ClamAV is a free, cross-platform and open-source (GPLv2) toolkit for detecting trojans, viruses, malware and other malicious threats. It is used in a variety of situations, including email and web scanning, and endpoint security. It provides a number of utilities, including a flexible and scalable multi-threaded daemon, a command-line scanner and an advanced tool for automatic virus signature database updates. ClamAV version 0.103.7, for which the security target is prepared, may hereafter be referred to as the TOE (Target of Evaluation) in this document.

ClamAV consists of a virus detection service that works with the virus databases. It uses signature-based techniques to detect malware. When a new piece of malware is discovered by researchers, its file signature is extracted and added to the antivirus database. During a security scan, the antivirus checks the files it scans for matching signatures, and if a match is found the file is detected as malware. So, in order to detect malware and other file-based threats, ClamAV relies on signatures to differentiate clean and malicious files. ClamAV signatures are primarily text-based and conform to one of the ClamAV-specific signature formats associated with a given method of detection. Files detected as malicious are then either moved to a different location or removed from the machine.

The ClamAV project distributes a collection of signatures in the form of CVD files. The CVD file format provides a digitally-signed container that encapsulates the signatures and ensures that they cannot be modified by a malicious third-party. This signature set is actively maintained by Cisco and can be downloaded using the freshclam tool that ships with ClamAV.

B. Features of ClamAV

  1. An on-demand command-line scanner and real-time virus protection.

  2. An advanced database updater, with support for scripted updates and digital signatures.

  3. The virus database gets updated multiple times a day.

  4. Built-in support for different standard mail file formats.

  5. Scans within archives and compressed files. Built-in support for various archive formats, including Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, and others.

  6. Built-in support for ELF executables and portable executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor, and others.

  7. Built-in support for popular document formats including MS Office and MacOffice files, HTML, Flash, RTF and PDF.

ClamAV can be installed on a desired server and configured to scan a set of files. Scanning can be on-demand, by running the scanner, or real-time. It consists of the multi-threaded clamd daemon which scans files for viruses.

ClamAV consists of the following tools:

  1. clamdscan - a simple scanning client for on-access scanning; it provides real-time protection via a clamd instance, which scans files when they're accessed

  2. clamdtop - a resource monitoring interface for clamd

  3. clamscan - a command-line tool for simple one time scanning tasks

  4. signature testing and management - tools to update signature databases and to test and analyze file signature bytecodes

For more advanced configuration, the config files at /etc/clamav/freshclam.conf and /etc/clamav/clamd.conf can be modified as per the operational requirement.

Typical Users of ClamAV

  1. Companies: Businesses use ClamAV to scan their day-to-day business files. As per HG Insights, almost 1,828 companies are using ClamAV.

  2. Individual Users: A large number of individual users use ClamAV for personal data scanning and security.

  3. Software Developers: Software developers use ClamAV to add virus detection capabilities to their applications.

C. Assets

The two types of assets are Business Assets and Support Assets.

  1. Business Assets

    A1. User Files (C, I, A)

    User files include all the files of the user or machine containing data, which the user wants to scan and protect from viruses and malware using the TOE.

    It is important that the user files are not accessible to any attackers or unauthorized users (confidentiality of the files). Also, the files should not be modified or deleted either by ClamAV or any attacker (integrity of the files). And, the user files under the protection of ClamAV should be available to the users for any purpose they serve primarily (availability of the files).

  2. Support Assets

    A2. ClamAV Daemon (A)

    The ClamAV daemon is the process running in the Linux operating system which scans the files and detects any potential viruses and malware in real time.

    The daemon should be running at all times to ensure that the user’s machine is protected. Hence, the security property we are concerned about for this asset is availability of the antivirus service.

    A3. Signature Databases (A, I)

    The signature databases in ClamAV consist of signatures of millions of viruses, worms, trojans, and other malware. The databases are stored locally on the client's deployment machine once they are fetched from the ClamAV cloud servers. Due to the scope of the analysis, we are keeping only the local databases as our supporting assets.

    The signature databases should be available at all times so that the antivirus engine can compare them with the computed file signatures in order to detect viruses (availability of the databases). The signatures in the databases should not be tampered with or changed, since that can cause some malware to go undetected or raise false positives during the scanning process (integrity of the databases).

    A4. Configuration Files (I)

    The configuration files include all the files in the configuration directory in Linux: /etc/clamav/ in the case of an apt installation, or /usr/local/etc/ in the case of an installation from source code.

    The contents of these files dictate how the ClamAV service is run, through multiple options. So, it is important that these files are not tampered with or changed by unauthorized individuals (integrity of the configuration files).

    A5. Source Code (I)

    Source code means the source code of ClamAV that is stored on the client's deployment machine. This code runs as the antivirus engine and must be protected against any unauthorized changes on the deployment machine.

    It is important that the source code of the antivirus engine and the executable files in the system remain unchanged so that ClamAV functions as it is designed to (thus integrity of the source code).

The following table summarizes which of the security properties Confidentiality (C), Integrity (I) and Availability (A) apply to each asset of ClamAV.

  Asset                     C   I   A
  A1. User Files            x   x   x
  A2. ClamAV Daemon                 x
  A3. Signature Databases       x   x
  A4. Configuration Files       x
  A5. Source Code               x

D. Threats

The threats are any known or assumed threats to the assets against which specific protection within the TOE or its environment is required. The potential threat agents in this case are users who are not authorized to use the TOE itself, malicious entities, and unauthenticated remote attackers. These threat agents are assumed to know all the publicly available information about the TOE and the potential methods of attacking the TOE. The assumed level of expertise and potential of the attacker for all the threats is moderate.

T1 - Malware/Viruses

An attacker may attempt to introduce malware or viruses into the computers with the aim of gaining unauthorized access to user data, disrupting operations on that computer, or using that computer to attack additional systems.

Endangered Assets: User Files (Integrity, Confidentiality)

T2 - Information Disclosure

An attacker attempts to access the user files and discloses the information to unauthorized parties through vulnerabilities in ClamAV.

Endangered Assets: User Files (Confidentiality)

T3 - Fraudulent modification of user files

An attacker attempts to modify or delete the user files on the servers that are within the scope of the TOE scan. The integrity of these files is important and needs to be protected. A malicious user may attempt to disturb these files by deleting them completely or in part, affecting the integrity and availability of the files.

Endangered Assets: User Files (Integrity, Availability)

T4 - Fraudulent modification of configuration files

An attacker attempts to change the configuration files to set permissions of their choice. The attacker can also replace the source code files to make the TOE work according to their own wishes. This affects the integrity of the configuration files, and the availability of the TOE if the attacker removes the config files or modifies them to an unintended setting.

Endangered Assets: Configuration Files (Integrity), ClamAV Daemon (Availability)

T5 - Fraudulent Modification of TOE source code

An attacker modifies the source code files to insert malicious code or functionality of their own. This affects the integrity of the files, and the availability of the TOE if the attacker removes files that are required for it to work.

Endangered Assets: Source Code (Integrity)

T6 - Fraudulent modification of databases and signatures

Attackers can manipulate the signatures by either deleting or modifying the databases. To bypass the AV, an attacker can tamper with a signature in the signature database. When ClamAV scans the infected file, it does not find any match in the database and marks the file as benign.

Endangered Assets: Signature Databases (Integrity, Availability)

T7 - Denial of service

Denial of service (DoS) is an attack that makes a service unavailable for use. Availability of the ClamAV protection service is critical; otherwise some files may go unscanned and might contain malware. An attacker can craft a malicious file that, when scanned by ClamAV, occupies a significantly larger amount of resources than needed. As a result, ClamAV becomes completely or partially unavailable. This affects the availability of ClamAV.

Endangered Assets: ClamAV Daemon (Availability)

T8 - Local Privilege Escalation

An attacker may gain access to the TOE and exploit system privileges to gain access to user files and TOE security functions.

Endangered Assets: User Files (Confidentiality, Integrity)

T9 - Fail to Detect

The TOE may analyze a file but fail to detect it as malware or a virus if the signature of that virus is not in the database. This threat affects the overall system, but the user files are the most affected asset that the TOE is protecting.

Endangered Assets: User Files (Integrity)

E. Security Functions

The security functions addressing the threats to the TOE are listed below. These are known security functions that are in place to protect ClamAV assets from the assumed threats.

F1 – Virus Scans:

The TOE's main purpose is to run and scan for viruses. Manual on-demand scans and real-time scans help to detect millions of viruses, worms, trojans, ransomware and other types of malware on the system. The ClamOnAcc client for the clamd scanning daemon provides on-access scanning on modern versions of Linux. This includes an optional capability to block file access until a file has been scanned (on-access prevention).

ClamAV can be configured for the actions it takes on the detection of an infected file. The files can either be moved to a separate location or removed. The detection of a virus is logged to the TOE audit logs. This helps to protect the system and user files from unauthorized access, disclosure, fraudulent modification and deletion.

F2 – ClamAV Database Updates:

ClamAV databases are updated with the freshclam tool provided by ClamAV. It supports differential updates (instead of transferring the whole CVD file at each update, it only transfers the differences between the latest and the current database via a special script), database version checks through DNS, proxy servers, digital signatures, and various error scenarios. These updates help the TOE to detect the latest vulnerabilities, viruses and malware.

ClamAV signatures are stored in files with the CVD extension. The CVD file format provides a digitally signed container that encapsulates the signatures and ensures that they cannot be modified by a malicious third party. If the local database has been modified or corrupted, freshclam will not apply an incremental update to it; instead, it will replace the database with a fresh download. The frequency of database updates and checks is set in the freshclam configuration file.
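The integrity check that the CVD container makes possible, as an added example that is not ClamAV project code: a .cvd file is a 512-byte colon-separated ASCII header followed by a gzipped tarball of signature files, and the header carries the MD5 of that tarball together with an RSA signature over it. Only the MD5 and signature-count checks are reproduced here (ClamAV verifies the RSA signature with its built-in public key); the sample CVD, its hashes and its signature names are constructed for the example.

```python
import hashlib
import io
import tarfile

# Header layout (fields separated by ':'):
# ClamAV-VDB:<build time>:<version>:<sig count>:<functionality level>:<md5>:<dsig>:<builder>:<stime>
CVD_HEADER_LEN = 512
CVD_MAGIC = b"ClamAV-VDB:"


def parse_cvd_header(cvd: bytes) -> dict:
    """Split the fixed-size header into its fields; raise on a malformed header."""
    if len(cvd) < CVD_HEADER_LEN or not cvd.startswith(CVD_MAGIC):
        raise ValueError("not a CVD: bad magic or truncated header")
    fields = cvd[:CVD_HEADER_LEN].rstrip(b" \x00").decode("ascii").split(":")
    if len(fields) < 8:
        raise ValueError("CVD header has too few fields")
    return {
        "build_time": fields[1], "version": int(fields[2]),
        "signatures": int(fields[3]), "flevel": int(fields[4]),
        "md5": fields[5], "dsig": fields[6], "builder": fields[7],
    }


def cvd_body_md5_ok(cvd: bytes) -> bool:
    """True when the MD5 in the header matches the compressed body after it."""
    return hashlib.md5(cvd[CVD_HEADER_LEN:]).hexdigest() == parse_cvd_header(cvd)["md5"]


def count_hdb_signatures(cvd: bytes) -> int:
    """Count non-empty lines of every .hdb file in the body (one hash signature per line)."""
    total = 0
    with tarfile.open(fileobj=io.BytesIO(cvd[CVD_HEADER_LEN:]), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".hdb"):
                lines = tar.extractfile(member).read().splitlines()
                total += sum(1 for line in lines if line.strip())
    return total


def build_sample_cvd() -> bytes:
    """Construct a small, well-formed CVD for testing; hashes, names and dsig are made up."""
    hdb = (b"d41d8cd98f00b204e9800998ecf8427e:0:Test.Empty\n"
           b"9e107d9d372bb6826bd81d3542a419d6:43:Test.Fox\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("sample.hdb")
        info.size = len(hdb)
        tar.addfile(info, io.BytesIO(hdb))
    body = buf.getvalue()
    fields = ["ClamAV-VDB", "22 Dec 2022 08-39 -0500", "1", "2", "90",
              hashlib.md5(body).hexdigest(), "PLACEHOLDER-DSIG", "example", "1671716347"]
    header = ":".join(fields).encode("ascii").ljust(CVD_HEADER_LEN, b" ")
    return header + body
```

Flipping any byte of the body makes cvd_body_md5_ok return False, which is the condition under which freshclam discards the local copy and downloads a fresh one.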

Moreover, clamscan and clamd will not run unsigned bytecode signatures by default. Users can enable this feature from the configuration file, but it is advised that users never enable unsigned bytecode signatures in production when using signatures from third-party sources, since a malicious bytecode signature author could otherwise gain control of their systems.

F3 – Clamconf, tool for checking configuration files:

Clamconf is a tool provided with the TOE on installation. Clamconf is used for checking your entire TOE configuration. It displays the values used when configuring ClamAV at compilation time, important OS details, the contents (and validity) of the configuration files of both clamd and freshclam, along with other important engine, database, platform, and build information.

The tool can also be used to check and generate configuration files. In case of corruption or deletion of the configuration files, the user can use this tool to regenerate them.

F4 – ClamAV service user account (and group):

At the time of installation from Debian packages, ClamAV creates a new service account and group by the name of clamav. If the user is installing from source, it is advised that they create a ClamAV account and lock access to that account.

Freshclam always runs as the service user account. The configuration file of freshclam is also owned by the clamav service account. So, normal users and root cannot modify or delete the configuration file of freshclam.

The local databases of ClamAV are also owned by the ClamAV service user account. As access to the ClamAV service user account is locked, you cannot modify the files as a normal user. Even if you modify them as the root user, the clamd daemon process will fail to start because it checks the integrity of the database, showing the error "cannot load /var/lib/database, cannot verify database integrity, error loading database".

F5 - Logging:

The TOE logs its actions in different log files inside the /var/log/clamav/ directory by default. The TOE records database updates in /var/log/clamav/freshclam.log. The results of a scan can be logged as a report with the --log option, and the actions of ClamAV can be monitored from the log files. The logging helps to detect incidents or service failures in ClamAV, fraudulent modification of configuration files and databases, and malware detections.

F6 – Use Git version control and security review:

As ClamAV is an open-source project, its code is available on GitHub and developers can contribute to the project. ClamAV uses a pull request (PR) workflow for contributions to the ClamAV Git repository. When a developer submits a pull request, automated tests are run. Along with this, the ClamAV team reviews the code to ensure that it is secure and that no malicious code has been added that could harm user files.

The ClamAV developers also take into consideration issues and emails from contributors. Developers contributing to the community are advised not to disclose vulnerabilities in GitHub issues, because that would affect everyone who has ClamAV installed before the release of the patch. ClamAV provides an email address and recommends that developers send vulnerability reports to that address. Based on these reports, the ClamAV developers review the code and make the necessary changes to eliminate those vulnerabilities in the next release.

F7 – Memory Limiting:

The clamd process uses a lot of memory because it loads the complete database of virus definitions into memory. Excessive memory consumption makes ClamAV vulnerable to a denial of service attack. This process could get killed when reloading the database after an update, because of the concurrent database reload strategy, which holds both the old and the new database in memory during the reload. To handle this issue, an option was added to the clamd configuration file that allows the user to enable or disable concurrent database reload according to their needs and system specifications.
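A configuration audit covering the clamd.conf settings discussed in F2 (unsigned bytecode), F5 (log file) and F7 (concurrent database reload), as an added example that is not ClamAV project code. The option names BytecodeUnsigned, LogFile and ConcurrentDatabaseReload are real clamd.conf options; the memory threshold and both sample configurations are constructed for this example.

```python
# clamd.conf holds one "Option value" per line; a line starting with "#" is a
# comment, and a bare "Example" line makes clamd treat the file as a template
# and refuse to start. Boolean options accept yes/no, true/false and 1/0.
TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}


def parse_clamd_conf(text: str) -> dict:
    """Map each option to the list of values given for it, in file order."""
    conf: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_clamd_conf(text: str, host_memory_mb: int, reload_threshold_mb: int = 4096) -> list:
    """Return findings for the checks below; an empty list means none of them fired."""
    conf = parse_clamd_conf(text)
    findings = []

    def last(option: str) -> str:
        return conf.get(option, [""])[-1].lower()

    if "Example" in conf:
        findings.append("Example line present: clamd treats the file as a template and will not start")
    if last("BytecodeUnsigned") in TRUE_VALUES:
        findings.append("BytecodeUnsigned yes: unsigned bytecode signatures will execute")
    if "LogFile" not in conf:
        findings.append("LogFile unset: detections and failures are not written to a log file")
    # ConcurrentDatabaseReload defaults to yes, so an absent option counts as enabled.
    # The 4096 MB threshold is this example's assumption, not a ClamAV-documented figure.
    if last("ConcurrentDatabaseReload") not in FALSE_VALUES and host_memory_mb < reload_threshold_mb:
        findings.append("ConcurrentDatabaseReload on with %d MB RAM: reload may double clamd memory use"
                        % host_memory_mb)
    return findings


# Constructed sample configurations, not taken from a real deployment.
WEAK_CONF = """\
Example
LogSyslog yes
BytecodeUnsigned yes
"""

HARDENED_CONF = """\
# Comment lines are ignored by the parser
LogFile /var/log/clamav/clamav.log
LocalSocket /var/run/clamav/clamd.ctl
User clamav
BytecodeUnsigned no
ConcurrentDatabaseReload no
"""
```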


Authors: Biplab Gautam, Afeefa Ahmad, Mashal Zainab, Ribiea Ramzan, Faris Fikri Rusli

This report was developed as part of a project in the Secure Programming course of my Master's degree in Cybersecurity, in a group of 5 members. View our report here
