Friday, June 17, 2016

Recently, a tweet and subsequent blog post on Errata Security describe some features of the ClamAV daemon (clamd) that may be misused toward information disclosures and denial of service attacks. We wanted to take the opportunity to inform the ClamAV community about the clamd configuration that may lead to these issues along with the steps and options for using clamd securely.

clamd is an optional feature of ClamAV providing local or remote host access to ClamAV's scanning engine through the clamd protocol. Several ClamAV commands communicate with clamd using the clamd protocol: clamdscan for virus scanning, clamdtop for clamd resource monitoring, and freshclam, when used in conjunction with clamd, to notify clamd to reload the virus database. Clamav-milter and some third party programs use the clamd protocol as well. The clamd protocol is fully described in the clamd man-page.

This feature, off by default, requires manual configuration. In order to use clamd, an installation must select a socket type in the clamd configuration file, clamd.conf. The installation has two choices for the type of socket; their configuration parameter names are LocalSocket and TCPSocket. LocalSocket, available on Unix-based systems, is not vulnerable to the information disclosure or the DoS. However, all of the programs communicating with clamd must reside on the same host system as clamd. The TCPSocket option enables communication from remote hosts, but care must be taken to protect the ingress network interfaces. An additional clamd parameter, TCPAddr, may be used to designate which network interfaces will accept clamd TCP connection requests. Those interfaces need to be protected, such as through the use of a firewall or other network security mechanisms. This will ensure that unwanted clamd requests are blocked. Additional information on the clamd configuration parameters may be found in the clamd.conf man-page and in the sample clamd configuration file distributed with ClamAV.
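The following is an added example, not ClamAV project code, that reads a clamd.conf and reports how clamd would be reachable under the LocalSocket / TCPSocket / TCPAddr settings described above. It assumes the plain "Option value" line format of the sample clamd.conf, compares option names case-insensitively, and treats hostnames other than localhost as routable; the sample configurations embedded at the bottom are constructed for the example.

```python
"""Audit a clamd.conf for socket exposure (added example, not ClamAV code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


def parse_clamd_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'Option value' lines into {option_lowercase: [values]}.

    Blank lines and '#' comments are skipped. Option names are compared
    case-insensitively here (an assumption of this example); surrounding
    double quotes on a value are stripped. Repeated options keep every value.
    """
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) == 2 else ""
        options.setdefault(name, []).append(value)
    return options


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # any other hostname is treated as routable


def _is_unspecified(addr: str) -> bool:
    """True for 0.0.0.0 / :: (bind to every interface)."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False


@dataclass
class ClamdExposure:
    # one of: "none", "local", "loopback", "interface", "all-interfaces"
    exposure: str
    findings: List[str] = field(default_factory=list)


def audit_clamd_conf(text: str) -> ClamdExposure:
    """Classify who can reach clamd according to the socket options."""
    opts = parse_clamd_conf(text)
    findings: List[str] = []
    if "example" in opts:
        findings.append("'Example' line still present: clamd refuses to start until it is removed")
    local = opts.get("localsocket", [])
    tcp = opts.get("tcpsocket", [])
    addrs = opts.get("tcpaddr", [])

    if not tcp:
        if local:
            findings.append(f"LocalSocket {local[0]}: only processes on this host can reach clamd")
            return ClamdExposure("local", findings)
        findings.append("neither LocalSocket nor TCPSocket set: clamd has nothing to listen on")
        return ClamdExposure("none", findings)

    port = tcp[0]
    if not addrs or any(_is_unspecified(a) for a in addrs):
        findings.append(f"TCPSocket {port} with no restricting TCPAddr: reachable on every "
                        f"interface; set TCPAddr to a loopback address or filter port {port} at the firewall")
        return ClamdExposure("all-interfaces", findings)
    if all(_is_loopback(a) for a in addrs):
        findings.append(f"TCPSocket {port} bound to {', '.join(addrs)}: reachable only from this host")
        return ClamdExposure("loopback", findings)
    routable = [a for a in addrs if not _is_loopback(a)]
    findings.append(f"TCPSocket {port} bound to {', '.join(routable)}: reachable from the "
                    f"network; restrict ingress to that interface with a firewall")
    return ClamdExposure("interface", findings)


# Constructed sample configurations (not from a real installation).
EXPOSED_CONF = """\
# TCP socket with no address restriction
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
"""
HARDENED_TCP_CONF = """\
# TCP socket bound to loopback only
TCPSocket 3310
TCPAddr "127.0.0.1"
"""
LOCAL_CONF = """\
# Unix-domain socket only
LocalSocket /var/run/clamav/clamd.ctl
"""

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened-tcp", HARDENED_TCP_CONF), ("local", LOCAL_CONF)):
        report = audit_clamd_conf(conf)
        print(f"{label}: {report.exposure}")
        for finding in report.findings:
            print(f"  - {finding}")
```

Run it against `/etc/clamd.conf` (or wherever the distribution installs it) by passing the file contents to `audit_clamd_conf`; anything other than "local" or "loopback" means the TCP port must be covered by a firewall rule as the post describes.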

Finally, note that the clamscan command, and other software using the libclamav API directly, do not use clamd and therefore are not affected by this configuration.

Thursday, June 16, 2016

As many of you know, over the past several years, we’ve been retooling the entire backend of ClamAV.net's signature management system to handle a more streamlined release method and signature generation system. Now that this work is complete, we’re reaching out to those of you in our ClamAV community that manage some form of third party ClamAV signature distribution system.

We would like to potentially incorporate the feeds that you are producing into the official feed coming from our mirror network at ClamAV, out to the community.  We are going to ensure proper attribution for everyone’s work within the signature name.  

We haven’t determined what this will look like, but what we would like to see is the name of the feed, not only in the signature name, but a table to be maintained on ClamAV.net ensuring the proper mapping from signature name to your website (and donation system, if you have one).

We would be responsible for the “dropping” of a false-positive-prone ClamAV sig from the official db; however, our intention is to notify you of the FP on your sig when it is reported to us, at the same time we are notified, so that the signature can be fixed.

This process is ongoing, but if you are interested in being added to the list of those already contributing, or have additional questions, please contact me at bcouncil@cisco.com.

Your comments and concerns are also welcome.  

Wednesday, June 8, 2016

Today I came across this older blog post (almost 10 years old at this point!) about a simple method you can use to create your own Anti-Virus signatures with ClamAV.

The article has a nice walk through of how to dump an attachment out of an email, how to write a simple ndb signature to detect it, and how to deploy it.  I thought this was fairly simple and well done, so I wanted to share.

If you are interested in creating your own detection, this article is worth checking out.

http://blog.adamsweet.org/?p=250

If you want to proceed a step further and submit those signatures back to us, we'll take a look as well, and if you submit the most in a month, we'll send you some nice swag!
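As an added example (not code from the linked article or from ClamAV), the snippet below builds a minimal .ndb signature line of the form `Name:Target:Offset:HexSig` for a byte pattern taken from an attachment, and checks a buffer against it, so the format can be understood before the line is handed to clamscan with `-d`. The matcher implements only a subset of ClamAV's hex-signature syntax (literal bytes, the `??` single-byte wildcard, `*` for any run of bytes, and an offset of `*` or an absolute integer); the "attachment" bytes and the signature name are constructed for the example.

```python
"""Build and test a minimal ClamAV .ndb signature (added example, not ClamAV code)."""
import re
from typing import Optional

# Target type 0 means "any file" in the .ndb format; other types (PE, OLE2, ...)
# exist but are not needed for a plain byte-pattern signature.
TARGET_ANY = 0


def make_ndb_signature(name: str, pattern: bytes, target: int = TARGET_ANY, offset: str = "*") -> str:
    """Return 'Name:Target:Offset:HexSig' for a literal byte pattern."""
    if not pattern:
        raise ValueError("empty pattern")
    return f"{name}:{target}:{offset}:{pattern.hex()}"


def _hexsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate the hex body of an .ndb line into a bytes regex.

    Supported subset (assumption of this example): pairs of hex digits,
    '??' for one arbitrary byte and '*' for any number of bytes. Other ClamAV
    wildcard forms ({n-m}, [n-m], alternations) are rejected.
    """
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        elif re.fullmatch(r"[0-9a-fA-F]{2}", hexsig[i:i + 2]):
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
        else:
            raise ValueError(f"unsupported hex signature syntax at {hexsig[i:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan_with_ndb(signature: str, data: bytes) -> Optional[str]:
    """Return the signature name if `data` matches the .ndb line, else None.

    Offset handling covers '*' (match anywhere) and an absolute integer
    (match starting exactly there); ClamAV's EP+n / EOF-n forms are not modelled.
    """
    fields = signature.strip().split(":")
    if len(fields) < 4:
        raise ValueError("ndb line needs Name:Target:Offset:HexSig")
    name, _target, offset, hexsig = fields[:4]
    rx = _hexsig_to_regex(hexsig)
    if offset == "*":
        return name if rx.search(data) else None
    return name if rx.match(data, int(offset)) else None


# Constructed sample standing in for an attachment dumped out of an email:
# a fake 4-byte header, 16 bytes of padding, then a distinctive marker string.
SAMPLE_ATTACHMENT = b"MZ\x90\x00" + b"\x00" * 16 + b"ExampleMarker-v1" + b"\x00" * 8
EXAMPLE_SIG = make_ndb_signature("Example.Custom.Marker", b"ExampleMarker-v1")

if __name__ == "__main__":
    print(EXAMPLE_SIG)           # the line you would put in a .ndb file
    print(scan_with_ndb(EXAMPLE_SIG, SAMPLE_ATTACHMENT))
    print(scan_with_ndb(EXAMPLE_SIG, b"unrelated content"))
```

Write the printed line to a file such as `custom.ndb` and point clamscan at it with `-d custom.ndb` to confirm the real engine agrees with the toy matcher; ClamAV's own signature tooling (sigtool) remains the reference for anything beyond this subset.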

Friday, June 3, 2016

We'd like to congratulate our May winner of the monthly ClamAV Community Signature contest: Arnaud Jacques!

Congratulations and thank you for your contributions!

For more information on how you can get involved in the monthly contest and try and win your ClamAV swag, please see my post on the blog.

Once again, thank you, and congratulations to Arnaud!

Tuesday, May 31, 2016

As a reminder from our post back on May 20th, EOL for ClamAV 0.97 is tomorrow (June 1st).  We'll be removing this version from our test bed and will no longer ensure that signatures work on that version.

If you are on a 0.97 version, please make sure you upgrade as soon as possible.  The current version is available on ClamAV.net.

Thanks.

Friday, May 20, 2016

ClamAV Community,

This notice is to inform you that effective June 1, 2016, ClamAV 0.97 (and all minor versions) is no longer supported in accordance with ClamAV's EOL policy which can be found here:

http://www.clamav.net/documents/end-of-life-policy-eol

EOL for ClamAV essentially means that we will no longer be testing against that version when we write signatures, and we may break something with a future release.  So, while signatures may work past June 1st, we are no longer testing that configuration, so you are on your own.

Please upgrade to the newest version of ClamAV, currently at 0.99.2, available for download.

Thank you for using ClamAV!

Tuesday, May 3, 2016

ClamAV 0.99.2 has been released, and is available for download at ClamAV.net's download site.

Note: As previously discussed for the last three releases, we are no longer uploading ClamAV to SourceForge for release. 0.99.2 is the first release that is ONLY released on ClamAV.net.

Below are the notes from the ChangeLog since 0.99.1:

Thu, 22 Apr 2016 12:45:00 -0500 (Steven Morgan)
------------------------------------------
 * ClamAV 0.99.2 release.

Thu, 31 Mar 2016 17:07:39 -0400 (Kevin Lin)
------------------------------------------
 * 7z: fix for FolderStartPackStreamIndex array index check

Tue, 29 Mar 2016 16:18:51 -0400 (Steven Morgan)
------------------------------------------
 * bb11547 - print all CDBNAME entries for a zip file when using the -z flag.

Tue, 2 Sep 2014 22:44:41 +0200 (Sebastian Andrzej Siewior)
------------------------------------------
 * try to minimize the err cleanup path

Tue, 2 Sep 2014 22:44:14 +0200 (Sebastian Andrzej Siewior)
------------------------------------------
 * clamunrar: notice if unpacking comment failed

Wed, 23 Mar 2016 16:39:52 -0400 (Steven Morgan)
------------------------------------------
 * bb9042 - signature manual update.

Wed, 23 Mar 2016 16:14:42 -0400 (Kevin Lin)
------------------------------------------
 * bb#11396 - use temp var for realloc to prevent pointer loss. Patch by Bill Parker.

Wed, 23 Mar 2016 15:49:56 -0400 (Kevin Lin)
------------------------------------------
 * bb#11397 - fix debug VI hex truncation

Wed, 23 Mar 2016 15:38:21 -0400 (Kevin Lin)
------------------------------------------
 * bb#11398 - freshclam: avoid random data in mirrors.dat. Patch by Tomasz Kojm.

Wed, 23 Mar 2016 15:28:51 -0400 (Kevin Lin)
------------------------------------------
 * libclamav: print raw certificate metadata

Wed, 23 Mar 2016 14:16:00 -0400 (Kevin Lin)
------------------------------------------
 * bb#11529 - freshclam manager check return code of strdup. Patch by Sebastian A. Siewior.

Tue, 22 Mar 2016 16:21:59 -0400 (Kevin Lin)
------------------------------------------
 * bb#11261 - additional suppress IP notification when using proxy

Tue, 22 Mar 2016 12:54:52 -0400 (Kevin Lin)
------------------------------------------
 * bb#10983 - fix download and verification of *.cld through PrivateMirrors

Mon, 21 Mar 2016 11:21:08 -0400 (Kevin Lin)
------------------------------------------
 * bb#11261 - suppress IP notification when using proxy

Mon, 21 Mar 2016 11:20:01 -0400 (Kevin Lin)
------------------------------------------
 * bb#11543 - remove redundant mempool assignment

Thu, 17 Mar 2016 11:49:26 -0400 (Kevin Lin)
------------------------------------------
 * bb#11003 - divide out dumpcerts output for better readability

Wed, 16 Mar 2016 15:42:35 -0400 (Kevin Lin)
------------------------------------------
 * bb#11003 - fix dconf and option handling for nocert and dumpcert

Mon, 14 Mar 2016 16:07:45 -0400 (Mickey Sola)
------------------------------------------
 * bb11463 - patch by Jim Morris to increase clamd's soft file descriptor to its potential maximum on 64-bit systems

Mon, 14 Mar 2016 17:12:20 -0400 (Steven Morgan)
------------------------------------------
 * Move libfreshclam config to m4/reorganization.

Fri, 11 Mar 2016 13:32:31 -0700 (andrey mirtchovski)
------------------------------------------
 * adding libfreshclam

Sun, 13 Mar 2016 23:27:23 -0400 (Tom Judge)
------------------------------------------
 * Add 'cdb' datafile to sigtools list of datafile types.

Fri, 11 Mar 2016 16:02:22 -0500 (Steven Morgan)
------------------------------------------
 * bb11526 - NULL pointer check. Patch by Bill Parker.

Fri, 11 Mar 2016 15:48:01 -0500 (Steven Morgan)
------------------------------------------
 * bb11524 - malloc() NULL pointer check. Patch by Bill Parker.

Thu, 10 Mar 2016 18:26:33 -0500 (Steven Morgan)
------------------------------------------
 * bb1436 - clamscan 'block-macros' option. Patch by Kai Risku.

Wed, 9 Mar 2016 17:07:06 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - initialize cpio name buffer

Wed, 9 Mar 2016 16:43:03 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - initialize mspack decompression buffers

Wed, 9 Mar 2016 12:15:16 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - prevent memory allocations on used pointers (folder objects)

Tue, 8 Mar 2016 16:04:21 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - prevent memory allocations on used pointers (boolvectors)

Tue, 8 Mar 2016 14:37:20 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - initialize ARJ metadata structures

Tue, 8 Mar 2016 14:37:01 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - change cli_malloc with cli_calloc

Mon, 7 Mar 2016 16:25:10 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - check packSizes prior to dereference

Mon, 7 Mar 2016 16:10:09 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - fixed inconsistent folder state on failure

Mon, 7 Mar 2016 15:11:08 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - pre-check on (*unpackSizes) dereference

Mon, 7 Mar 2016 13:56:42 -0500 (Kevin Lin)
------------------------------------------
 * bb11514 - fix on pre-checks on dereferenced array

Fri, 4 Mar 2016 16:57:14 -0500 (Kevin Lin)
------------------------------------------
 * bb11514 - pre-checks on dereferenced array size values (not =0)

Wed, 2 Mar 2016 13:57:03 -0500 (Mickey Sola)
------------------------------------------
 * bb-11514 - adding sanity checks to 7z header parsing

Tue, 1 Mar 2016 12:43:01 -0500 (Kevin Lin)
------------------------------------------
 * bb#11514 - fixed mew source read issue

Fri, 4 Mar 2016 17:05:01 -0500 (Steven Morgan)
------------------------------------------
 * bb11188 - Upgrade to use libtool 2.4.6 for ClamAV building: fixes issues with MacOSX 10.10 and 10.11.

Tue, 1 Mar 2016 12:34:48 -0500 (Kevin Lin)
------------------------------------------
 * bb#11513 - documentation update on targets

Mon, 29 Feb 2016 16:58:19 -0500 (Kevin Lin)
------------------------------------------
 * filetype consistency

Mon, 29 Feb 2016 11:34:25 -0500 (Kevin Lin)
------------------------------------------
 * move llvm option flag handling to new m4 file

Wed, 24 Feb 2016 13:29:42 -0500 (Kevin Lin)
------------------------------------------
 * hwp5.x: fix for streams without names

Please go and grab the newest ClamAV and begin your download cycles. As always, we encourage bug submissions at https://bugzilla.clamav.net and your feedback on the ClamAV lists.