Thursday, February 11, 2016

Join us as we welcome ClamAV 0.99.1 beta for testing!  Be sure to grab the latest beta release on our official ClamAV download site.  Remember, as we've stated for the past two releases, 0.99.1 will be the last release we place on SourceForge.net, so please transition to using ClamAV.net!

First, a couple release notes:

ClamAV 0.99.1 contains a new feature for parsing Hancom Office files
including extracting and scanning embedded objects. ClamAV 0.99.1
also contains important bug fixes.

Thanks to the following community members for code submissions used in
ClamAV 0.99.1:

Jim Morris
Andreas Cadhalpun

ChangeLog:

Tue, 2 Feb 2016 14:23:13 -0500 (Kevin Lin)
------------------------------------------
 * add scanning options for scanning xml-based documents
(MSXML, OOXML, HWPML) and HWP3

Fri, 29 Jan 2016 16:17:40 -0500 (Kevin Lin)
------------------------------------------
 * add dconfs for XDP, MBR, GPT, APM, OOXML, MSXML, and HWP formats

Tue, 2 Feb 2016 12:38:27 -0500 (Kevin Lin)
------------------------------------------
 * hwp: scan decompressed data on limits exceeded

Sun, 31 Jan 2016 15:41:54 -0500 (Steven Morgan)
------------------------------------------
 * Fix for signature name length<3 in .ign & .ign2 CVD files.

Fri, 29 Jan 2016 11:21:46 -0500 (Steven Morgan)
------------------------------------------
 * Change RTF file magic from '{\rtf' to '{\rt'

Wed, 27 Jan 2016 14:17:47 -0500 (Mickey Sola)
------------------------------------------
 * bb11444 - zeroing out buffer at allocation to avoid writing uninitialized
bytes to a file

Wed, 20 Jan 2016 16:21:58 -0500 (Mickey Sola)
------------------------------------------
 * bb11446 - adding check for compressed input stream

Wed, 13 Jan 2016 14:56:46 -0500 (Kevin Lin)
------------------------------------------
 * clean up and boost accuracy to detecting OOXML documents

Thu, 14 Jan 2016 17:01:01 -0500 (Steven Morgan)
------------------------------------------
 * 11477 - Fix crash when using pcre statistics due to inconsistent memory
management function calls

Thu, 14 Jan 2016 15:31:02 -0500 (Mickey Sola)
------------------------------------------
 * bb11444: adding check to verify a valid number of rounds for rijndael aes
encryption/decryption

Wed, 13 Jan 2016 13:18:01 -0500 (Mickey Sola)
------------------------------------------
 * bb11441 - fixing edge case revealed by unit testing

Tue, 12 Jan 2016 17:20:26 -0500 (Steven Morgan)
------------------------------------------
 * bb11466 - let html be scanned raw when --scan-html=no is in effect.

Tue, 12 Jan 2016 16:14:40 -0500 (Steven Morgan)
------------------------------------------
 * bb11475: fix crash due to memory overlay with crafted 7z files.

Tue, 12 Jan 2016 14:30:41 -0500 (Mickey Sola)
------------------------------------------
 * bb11441 - fixing off by one OOB write in htmlnorm

Mon, 11 Jan 2016 14:47:30 -0500 (Mickey Sola)
------------------------------------------
 * bb11446 - fixing autoit OOB bufferread

Wed, 6 Jan 2016 14:57:48 -0500 (Mickey Sola)
------------------------------------------
 * sigtool: adding support for decoding cdb sigs

Tue, 5 Jan 2016 13:13:47 -0500 (Steven Morgan)
------------------------------------------
 * bb11467 - fix embedded http links.

Tue, 22 Dec 2015 19:04:42 -0500 (Steven Morgan)
------------------------------------------
 * bb11451 - fix guard macro name collision on AIX.

Tue, 22 Dec 2015 13:36:51 -0500 (Steven Morgan)
------------------------------------------
 * fix regression crash on sid 1005597703 due to uninitialized
(i.e., garbage initialized) structure.

Mon, 21 Dec 2015 17:39:47 -0500 (Steven Morgan)
------------------------------------------
 * bb11456 - corrects mso stream prefix value for big endian processors.
Patch by Jim Morris.

Thu, 17 Dec 2015 16:16:55 -0500 (Kevin Lin)
------------------------------------------
 * ooxml_hwp: add support for filetyping and preclassification

Thu, 17 Dec 2015 11:04:00 -0500 (Kevin Lin)
------------------------------------------
 * hwpole2: new filetype and handler for hwp embedded ole2 files

Thu, 17 Dec 2015 12:46:38 -0500 (Mickey Sola)
------------------------------------------
 * bb11443 - fixing possible oob dereference when parsing mbox files

Tue, 15 Dec 2015 16:12:01 -0500 (Mickey Sola)
------------------------------------------
 * bb11442 - adding explicit wwunpack oob checks

Tue, 15 Dec 2015 10:53:05 -0500 (Mickey Sola)
------------------------------------------
 * bb11445 - fixing edge case where a null terminator was unintentionally
written into an adjacent buffer.

Wed, 16 Dec 2015 16:13:05 -0500 (Kevin Lin)
------------------------------------------
 * hwpml: use msxml_parser callback scanner for binary data

Wed, 16 Dec 2015 16:12:20 -0500 (Kevin Lin)
------------------------------------------
 * msxml_parser: add callback-based scanning mechanism

Tue, 15 Dec 2015 13:01:40 -0500 (Kevin Lin)
------------------------------------------
 * HWPML: added hwpml_keys for hwpml parsing

Tue, 15 Dec 2015 10:54:20 -0500 (Kevin Lin)
------------------------------------------
 * add HMPML filetype, tab fixes in filetype.c

Mon, 14 Dec 2015 16:34:11 -0500 (Kevin Lin)
------------------------------------------
 * Hwp3.x: inflate compressed segment and offset tracking

Fri, 11 Dec 2015 17:50:40 -0500 (Kevin Lin)
------------------------------------------
 * Hwp3.x file header parsing and preclass

Wed, 16 Dec 2015 14:56:56 -0500 (Kevin Lin)
------------------------------------------
 * pcre: fixed minimum pcre version check

Fri, 11 Dec 2015 17:41:38 -0500 (Steven Morgan)
------------------------------------------
 * bb11452 - endianness correction for swf files on sparc -
patch supplied by Jim Morris.

Wed, 9 Dec 2015 12:15:16 -0500 (Mickey Sola)
------------------------------------------
 * bb11424 - correcting buffer alignment for riff detection on sparc systems;
patch by Jim Morris

Wed, 9 Dec 2015 00:17:41 +0100 (Andreas Cadhalpun)
------------------------------------------
 * fix detection of libcheck without pkg-config file

Wed, 9 Dec 2015 11:43:35 -0500 (Kevin Lin)
------------------------------------------
 * add HWP5 filetype tracking to preclassification

Tue, 8 Dec 2015 15:05:30 -0500 (Kevin Lin)
------------------------------------------
 * add HWP 3.x internal filetypes

Tue, 8 Dec 2015 14:47:12 -0500 (Kevin Lin)
------------------------------------------
 * add hwp5 contents to preclass set

Fri, 4 Dec 2015 11:55:52 -0500 (Kevin Lin)
------------------------------------------
 * proper identification of HWP file format

Tue, 8 Dec 2015 18:36:48 -0500 (Steven Morgan)
------------------------------------------
 * bb11438 - strengthen file typing for OOXML.

Wed, 2 Dec 2015 14:06:32 -0500 (Mickey Sola)
------------------------------------------
 * bb-11099 - normalization of whitelist signatures

Wed, 2 Dec 2015 16:23:48 -0500 (Steven Morgan)
------------------------------------------
 * github issue #9 - wrong length & offset.

Thursday, December 17, 2015

We'd like to extend a huge thank you to our ClamAV community for helping us make ClamAV 0.99 the largest launch of ClamAV ever!

We generally average around 8,000 downloads of ClamAV a week; since 0.99 launched (two weeks ago), we've had over 20,000 downloads a week.

We're pretty happy with this number and can't wait until 0.99 is in everyone's hands, so that all of our millions of users can use the latest detection and features. 

If you haven't updated to ClamAV 0.99, we encourage you to do so as soon as possible, help us keep the momentum going, and keep breaking records!

Tuesday, December 1, 2015

Please join us in welcoming ClamAV 0.99 to the family! The following are the 0.99 release notes:

ClamAV 0.99 contains major new features and changes. YARA rules,
Perl Compatible Regular Expressions, revamped on-access scanning
for Linux, and other new features join the many great features of ClamAV:


  • Processing of YARA rules (some limitations; see signatures.pdf).
  • Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
  • New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
  • A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
  • Configurable default password list to attempt zip file decryption.
  • TIFF file support.
  • Upgrade Windows pthread library to 2.9.1.
  • A new signature target type for designating signatures to run against files with unknown file types.
  • Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
  • Support for LZMA decompression within Adobe Flash files.
  • Support for MSO attachments within Microsoft Office 2003 XML files.
  • A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ASCII files.
  • Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.


PLEASE NOTE: If you are using clamd on-access scanning or have applications
using all-match mode, you will want to review the changes and make any necessary
adjustments before using ClamAV 0.99. Users of Windows binaries need to be
aware of the change of installation directories.

As always ClamAV can be downloaded from the ClamAV Downloads page on ClamAV.net!  Please provide your feedback via the ClamAV Mailing Lists!

Thank you to the ClamAV community members who sent patches and bug reports
included for ClamAV 0.99:

Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert

Thursday, November 19, 2015

ClamAV 0.99rc2 contains major new features and changes. YARA rules, 
Perl Compatible Regular Expressions, revamped on-access scanning
for Linux, and other new features join the many great features of ClamAV:

    - Processing of YARA rules (some limitations; see signatures.pdf).
    - Support in ClamAV logical signatures for many of the features
      added for YARA, such as Perl Compatible Regular Expressions,
      alternate strings, and YARA string attributes. See signatures.pdf
      for full details.
    - New and improved on-access scanning for Linux. See the recent blog
      post and clamdoc.pdf for details on the new on-access capabilities.
    - A new ClamAV API callback function that is invoked when a virus 
      is found. This is intended primarily for applications running in 
      all-match mode. Any applications using all-match mode must use 
      the new callback function to record and report detected viruses.    
    - Configurable default password list to attempt zip file decryption.
    - TIFF file support.
    - Upgrade Windows pthread library to 2.9.1.
    - A new signature target type for designating signatures to run
      against files with unknown file types.
    - Improved fidelity of the "data loss prevention" heuristic
      algorithm. Code supplied by Bill Parker.
    - Support for LZMA decompression within Adobe Flash files.
    - Support for MSO attachments within Microsoft Office 2003 XML files.
    - A new sigtool option (--ascii-normalize) allowing signature authors
      to more easily generate normalized versions of ASCII files.
    - Windows installation directories changed from \Program Files\Sourcefire\
      ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.

PLEASE NOTE:  If you are using clamd on-access scanning or have applications
using all-match mode, you will want to review the changes and make any necessary
adjustments before using ClamAV 0.99. Users of Windows binaries need to be
aware of the change of installation directories.

Thank you to the ClamAV community members who sent patches and bug reports
included for ClamAV 0.99:

Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert

You can download ClamAV 0.99rc2 from the ClamAV downloads site.  As a reminder, in an upcoming release, we will cease updating the SourceForge release site for ClamAV.  Please start downloading directly from ClamAV.net now.

Thursday, October 15, 2015

ClamAV 0.99 Release Candidate has been posted for download!  Please check out the below release notes:

This is the first release of ClamAV that is being done on both ClamAV.net and SourceForge.  If you are a package or mirror maintainer, make sure you start moving your download location from SourceForge over to ClamAV.net.

0.99-rc1
--------

ClamAV 0.99 contains major new features and changes. YARA rules,  Perl Compatible Regular Expressions, revamped on-access scanning for Linux, and other new features join the many great features of ClamAV:


  • Processing of YARA rules (some limitations; see signatures.pdf).
  • Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
  • New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
  • A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
  • Configurable default password list to attempt zip file decryption.
  • TIFF file support.
  • Upgrade Windows pthread library to 2.9.1.
  • A new signature target type for designating signatures to run against files with unknown file types.
  • Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
  • Support for LZMA decompression within Adobe Flash files.
  • Support for MSO attachments within Microsoft Office 2003 XML files.
  • A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ASCII files.
  • Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.


PLEASE NOTE:  If you are using clamd on-access scanning or have applications using all-match mode, you will want to review the changes and make any necessary adjustments before using ClamAV 0.99. Users of Windows binaries need to be aware of the change of installation directories.

Thank you to the ClamAV community members who sent patches and bug reports included for ClamAV 0.99:

Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert

--
The ClamAV team (http://www.clamav.net/about.html#credits)

Tuesday, October 13, 2015

Those of you that have visited ClamAV.org in the past several hours may have noticed a slight change in our procedures for downloads.  For years, we've been shuttling you over to Sourceforge's download site to download our packages.

That stopped today: as of now, all downloads of ClamAV are hosted on ClamAV.org.

For the next couple of versions (at least 0.99 and a bug fix after), we'll be releasing ClamAV on both platforms to allow for the transition of packages, people's shell scripts, etc.

This move should give us more visibility into the platform, metrics on which versions are in use, and overall usage.  On ClamAV.org you will find our current release, all current beta and development releases, and previous stable releases.

Please be sure to report any bugs you may find to the web team here at ClamAV at: talosweb@cisco.com

Monday, September 14, 2015

With ClamAV’s second 0.99 beta release comes a revamp of the on-access scanner for Linux. This is the first major update to on-access scanning following the move to fanotify from Dazuko back in the 0.98 release.  A quick overview of features and updates can be found in the table below.


[Table image: on-access-table.png (overview of 0.99 on-access scanning features and updates)]


The meatiest updates for 0.99 on-access scanning are the recursive directory watching and dynamic watchpoint determination features. Collectively these features make up 0.99’s new dynamic directory determination system (ddd or 3D for short), which allows users to recursively watch any directory and track it for changes, updating fanotify watchpoints on the fly. 


In previous versions, the on-access scanner would watch only immediate children of the specified directory, and recursive monitoring could only be accomplished with custom scripts or manually specified clamd.conf entries. This limitation was partially due to fanotify’s inability to recognize the creation of a subdirectory within a watched parent directory. As a result, potentially malicious files could be freely created and executed one level beneath the parent directory, leaving the on-access scanner none the wiser. What’s more, even if the on-access scanner caught a malicious file, it would fail to stop that file from being executed, read, or opened.


Now, the latest version of on-access scanning has recursive watching on any directory built in by default. Additionally, we leverage inotify (a kernel-provided API commonly used to keep track of filesystem changes) to update fanotify watchpoints as changes occur in all watched directories and their subdirectories. But most critically of all, fanotify will correctly prevent read, open, and execute attempts on any virus found within the watched hierarchy.


Touching on the 3D system for a moment, it’s important to note that special care has been taken to ensure the new feature operates both quickly and efficiently. While there’s still room for improvement, the 3D system manages to preserve ClamAV’s tradition of speedy scanning. To put that into more tangible terms, it’s capable of processing watchpoint updates at a rough rate of 18,000 directories per second. Keep in mind, these metrics were gathered on a VM with decidedly modest hardware, so YMMV.


Of course, being able to watch thousands upon thousands of directories at all necessitates dealing with inotify’s default limit on active watchpoints. Typically, inotify limits users to setting watchpoints on a maximum of 8192 directories. The actual value can be read from /proc/sys/fs/inotify/max_user_watches. If you plan on pointing the on-access scanner at a directory with more than 8192 subdirectories, you’ll need to temporarily update this value as follows (raising it requires root):


$ sudo sysctl -w fs.inotify.max_user_watches=<n>


Where <n> should be replaced with your new max watch limit. If a more permanent solution is necessary, you can pipe an echo command with the new watch limit into tee and directly modify the max_user_watches entry under /proc. This would look something like:


$ echo <n> | sudo tee -a /proc/sys/fs/inotify/max_user_watches
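Before raising the limit, it helps to know how many watches a given tree will actually consume. The following POSIX shell script is an added example, not part of the original post and not ClamAV's own tooling: it counts the directories under a path (one inotify watch each under the recursive scheme described above), compares the count with the current /proc/sys/fs/inotify/max_user_watches value quoted in the post, and suggests a new limit with headroom. It also renders a sysctl.d drop-in, because a value written to /proc as shown above is reset on reboot, whereas a file under /etc/sysctl.d is reapplied at boot (or by `sysctl --system`). The drop-in path /etc/sysctl.d/90-clamav-onaccess.conf and the 512-watch reserve for other processes are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the ClamAV blog post): size an on-access watch
# hierarchy against the per-user inotify watch limit before pointing clamd at it.
# Assumed: /proc/sys/fs/inotify/max_user_watches (quoted in the post) and a
# hypothetical persistent drop-in /etc/sysctl.d/90-clamav-onaccess.conf.

# Current per-user inotify watch limit; 8192 is the default the post names,
# used here only as a fallback when /proc is not readable (e.g. non-Linux).
current_watch_limit() {
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        echo 8192
    fi
}

# Count the directory itself plus every subdirectory: each one needs its own
# inotify watch under the recursive (3D) scheme, so this is what the scanner will ask for.
count_watch_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Returns success when NEEDED plus an optional RESERVE (watches other processes of
# the same user already hold) stays within LIMIT.
fits_watch_limit() {
    _needed=$1; _limit=$2; _reserve=${3:-0}
    [ $((_needed + _reserve)) -le "$_limit" ]
}

# Suggest a new limit: at least 25% headroom over NEEDED, reached by doubling the
# current LIMIT, and never lower than the current limit.
suggest_watch_limit() {
    _needed=$1; _limit=$2
    _target=$((_needed + _needed / 4))
    _new=$_limit
    while [ "$_new" -lt "$_target" ]; do _new=$((_new * 2)); done
    echo "$_new"
}

# Render the sysctl.d drop-in line for a persistent limit. Emits text only; the
# caller decides whether to install it (which needs root).
sysctl_dropin() {
    printf 'fs.inotify.max_user_watches = %s\n' "$1"
}

main() {
    dir=$1
    limit=$(current_watch_limit)
    needed=$(count_watch_dirs "$dir")
    if fits_watch_limit "$needed" "$limit" 512; then
        echo "ok: $dir has $needed directories, current limit is $limit"
    else
        new=$(suggest_watch_limit "$needed" "$limit")
        echo "raise: $dir has $needed directories, current limit is $limit; suggested $new"
        echo "  temporary:  sudo sysctl -w fs.inotify.max_user_watches=$new"
        echo "  persistent: sysctl_dropin $new | sudo tee /etc/sysctl.d/90-clamav-onaccess.conf && sudo sysctl --system"
    fi
}

# Run only when a directory argument is given, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh sizewatch.sh /path/to/watch` (the filename is arbitrary). The count is a lower bound on what the scanner needs, since the limit is shared by every inotify user running under the same UID, which is why the check keeps a reserve instead of comparing against the bare limit.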


As previously mentioned, this beta release also features changes to how fanotify handles infected files. Previous versions did not leverage fanotify’s ability to block access events. We’ve tweaked things such that fanotify now prevents any infected files from being read or opened, while allowing operations on clean files to continue unimpeded. Obviously, this may be problematic in an environment with one or more false positives, thus the final 0.99 release will allow users to configure the granularity of this feature via clamd.conf.

Along these same lines, those not keen on using the new 3D system will be able to toggle it off in the final release. Doing so will have the on-access scanner fall back to setting non-recursive watchpoints. However, this beta is focused on testing the new 3D system alongside the fanotify blocking features. So for now, on-access scanning will be using the 3D system exclusively. Luckily, the configuration options for these new features are unchanged from the previous release, meaning your current clamd.conf file shouldn’t need updating, so you might as well give it a try and let us know what you think!