Thursday, August 3, 2017

Join us as we welcome ClamAV 0.99.3 beta for testing!  Be sure and grab the beta release on our official ClamAV download site.

Welcome to ClamAV 0.99.3. In this release, we have included many code
submissions from the ClamAV community:

  • Interfaces to the Prelude SIEM open source package for collecting ClamAV virus events.
  • Visual Studio 2015 for building Microsoft Windows binaries.
  • Support libmspack internal code or as a shared object library. The internal library is the default and contains additional integrity checks.
  • Linking with openssl 1.1.0.
  • Numerous code patches, typos, and compiler warning fixes.

Additionally, we have introduced important changes and new features in
ClamAV 0.99.3, including:

  • Deprecating internal LLVM code support. The configure script has changed to search the system for an installed instance of the LLVM development libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode signatures. To use the LLVM Just-In-Time compiler for executing bytecode signatures, please ensure that the LLVM development package at version 3.6 or lower is installed. Using the deprecated LLVM code is possible with the command: './configure --with-system-llvm=no', but it no longer compile on all platforms.
  • Compute and check PE import table hash (a.k.a. "imphash") signatures.
  • Support file property collection and analysis for MHTML files.
  • Raw scanning of PostScript files.
  • Fix clamsubmit to use the new virus and false positive submission web interface.
  • Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when size limitations are exceeded.
  • Improve decoders for PDF files.

The ClamAV community thanks the following individuals for their ClamAV 0.99.3 code submissions:

Sebastian Andrzej Siewior
Keith Jones
Bill Parker
Chris Miserva
Daniel J. Luke
Matthew Boedicker
Michael Pelletier
Anthony Chan
Stephen Welker

Following are issues discovered during release testing. For additional information, please review the corresponding tickets on

11879 - cli_scanmscan() Failed to extract 4 in Windows beta when scanning cab files
11882 - ./configure does not automatically detect libxml2 on FreeBSD 10.3 and 11.0
11884 - 'sudo make install' on FreeBSD 10.3 and 11.0 leaves files owned by root, subsequent make command fails
11885 - clamsubmit not building on FreeBSD 10.3 and 11.0
11887 - Failures of 'make check VG=1' on FreeBSD 10.3 and 11.0

We ask that feedback be provided via the ClamAV mailing lists.

Monday, June 19, 2017

ClamAV Users --

Please take a look at the newest OpenSource project from Cisco Talos, entirely released towards the ClamAV audience, the BASS Automated Signature Synthesizer.

A short preview to the blog post linked above, is the following:

BASS (pronounced "bæs") is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker. 
Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS. You can find source code for BASS here:

Please check out our project,  check it out, play with it, use it, and help us improve it.

Wednesday, June 7, 2017

As promised, we were able to ship a new Main.cvd and the cdiff for the main.cvd a few minutes ago.

It should have hit the mirrors in the past few minutes. As always, this will increase the amount of traffic on the mirrors from people downloading the file, and should settle down within in the next 12-24 hours.

I’d like to thank our Signature team for working late into the night the past several days in order to get this out on time!

We have tested this Main.cvd and cdiff on all currently supported versions of ClamAV. Please let us know via the clamav-users list if there are any problems.

Tuesday, May 16, 2017

We are currently planning on cutting a new Main.cvd on Wednesday, June 7th, 2017.  After the new Main.cvd is published the "daily" load on the mirrors and your networks should be much lighter.

As always, this will result in a period of heavy downloading following the release, and lighter loads from smaller "daily" cvds after.

We will post an estimated size in an updated post.

Wednesday, February 22, 2017

We took note of this article over on the NVISO Labs blog that basically starts off like this:

Did you know the open-source anti-virus ClamAV supports YARA rules? What benefits can this bring to us? One of the important features ClamAV has is the file decomposition capability. Say that the file you want to analyze resides in an archive, or is a packed executable, then ClamAV will unarchive/unpack the file, and run the YARA engine on it.

A lot of people actually don't know this.  But NVISIO wrote a great article on it and is definitely worth the read if you are interested in doing some hunting with Yara content with ClamAV.

Friday, February 10, 2017

Yesterday, several articles came out through various publications regarding a piece of malware named "MacDownloader".  It appears to be specifically targeting the Defense Industry. Several other research firms attribute the malware to Iranian attackers.

For more information we are publishing links to several blogs below:

and finally the original blog:

Our ClamAV auto detection scripts have published detection for this already:


Please ensure you are scanning your machines regularly!

Thursday, December 15, 2016

Later today (December 15, 2016) we will be implementing a database change within the system that manages the naming of signatures.

I wanted to let you know as some of you may notice that the numbers at the end of the signature names may change slightly.  This won't have any affect on detection, and is an optimization on our backend for detection distribution.

If there are any questions regarding this, please feel free to reach out to us on the ClamAV-Users list.