Tuesday, November 27, 2012

Back in February, Joel Esler who is our Open Source Community Manager, explained how you could contribute rules to Snort. We just wanted to let you know that the VRT is seeking and accepting your contribution on the ClamAV side as well.

One of the best features of ClamAV is the openness of the signatures database. There are very few anti-malware products out there that will allow you see exactly how a signature is constructed and let you use your  own custom signatures. We strive to provide the best protection we can to our users through the official signature releases we provide several times a day. However, the nature of our field makes it that you will at some point (if you haven't already) come across malware for which there are no official signatures to detect it.

That's where your contribution is sought and would be highly appreciated. If you come across malware that isn't detected with the official ClamAV signatures and you have your own signature to detect it, please provide it to us! It will go through our regular QA cycle and we will provide you with personal feedback. Your signature will be tweaked if necessary and tested against our clean files in order to prevent false positives once released. We will also give you credit for the signature your contributed unless you choose to remain anonymous.

You have a few ways of contributing signatures:

- Go to http://www.clamav.net/lang/en/sendvirus/submit-malware/ 

In the description field, provide your signature along with supporting evidence. Attach your sample and submit.

- Submit your password protected zip (a typical password is 'infected') along with your research and signature via email to vrt[at]sourcefire.com

We prefer "body-based" signatures as opposed to "checksum-based" signatures. Hex (body) signatures are based on a fragment of a malware sample's body converted into a hexadecimal string which can be extended using various wildcards. More on how to write ClamAV signatures here and here.

Of course we are always accepting false positive submissions here.

Tuesday, October 9, 2012

For someone just getting started with ClamAV, I noticed this easy to read and understand blog post here.  If you know someone who is just getting started with ClamAV, or you yourself came to this blog looking to get started.  Check that blog post out!

Tuesday, September 25, 2012

We've had much interest in the documents that were contained within our Wiki before we took it down here at ClamAV.  We've managed to salvage the useful pieces of the Wiki and publish them on our github site.  Check it out here:


Tuesday, September 18, 2012

We've been working pretty hard behind the scenes over here on ClamAV, its backend infrastructure, and moving the codebase as well as its detection up the ladder.

In order for us to get some accurate statistics about what you all are seeing out there, in the field, we need as many people as possible to "opt-in" to some statistics gathering features that we have built into the code base.

If you've ever browsed around ClamAV.net, I'm sure you've probably bumped into this page:
http://www.clamav.net/lang/en/download/cvd/malware-stats/ at some point.  These are statistics that are provided by you all, the users of ClamAV, collected and correlated on our backend systems here.  It allows us to see trends across signatures and allows us to check in on what you are seeing in the actual real world.

We need more people to opt-in to this feature.  We are looking at growing the detection rate and feature set of ClamAV's detection functionality, and this type of data will allow us to see where we need to pinpoint resources.

If you can participate in the program, please go here:

Follow the instructions above and you should be good to go!  Thanks!


If you are a Windows user of ClamAV, you'll be happy to know that we have released the Windows builds for ClamAV 0.97.6 to our Sourceforge site here:


Please feel free to download, use, and provide feedback via the ClamAV-Users list here:



Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

Tuesday, July 3, 2012

The ClamAv Wiki is currently down.  It hadn't been updated for some time (several years!) and it was time to covert it into something more useable.

We are currently converting the relevant documentation that was in the Wiki into something more useful and it will be forthcoming.

Friday, June 22, 2012

Earlier this week we announced a new chapter for ClamAV with the departure of Tomasz Kojm, Alberto Wu, Luca Gibelli and Edwin Török. While we are sad to see them go, we are grateful for the contributions they have made and are committed to carrying on the project with the community in mind.

As Tomasz mentioned in his own email, ClamAV just had its 10th birthday. Over the years we've been able to integrate ClamAV into our own product suite and it is now used by millions of mail filters, operating systems and millions of file scans per day. It's big, and we want it to be even bigger, with open source commitment at its core.

So, now that we've begun this new chapter, I’d like to introduce you to some new members of the ClamAV team. These folks might be new to ClamAV, but they have been with the Sourcefire Vulnerability Research Team (VRT) for quite some time, and all have worked on other open source projects. Without further ado, they are:

Matthew Olney is the project development lead for ClamAV and lead architect for the Razorback framework. Pulling from his experience as a network and security engineer, he’s also a detection specialist for Snort and a frequent contributor of signatures to the ClamAV engine itself.

Ryan Pentney is the lead bytecode engine developer for ClamAV; a perfect complement to his role as lead developer for file format detection for the Razorback framework. He also is a contributor to both the Snort and ClamAV engines.

Tom Judge has a strong background in systems and security operations. He is a FreeBSD committer, a lead developer for the Razorback framework and a long-time user of ClamAV. On the ClamAV development team, he concentrates on FireAMP integration, virtual machine interfacing and freshclam development.

David Raynor is the core engine developer for ClamAV. He was a developer of a major scalable security system for the United States Department of Homeland Security before coming to Sourcefire.

Nigel Houghton has been with Sourcefire as the lead of the Department of Intelligence Excellence for almost 10 years. Nigel has vast knowledge of programming, operating systems, administration, and security. His team is responsible for the ClamAV supporting infrastructure as well as releasing signature updates.

As I mentioned, all of the above are members of the VRT, led by Matt Watchinski, who has overseen the ClamAV project since Sourcefire acquired it in 2007. We remain committed to continuing the open source nature of the project, pushing the growth of the project even farther.

As always, you can reach us on the ClamAV Mailing lists found here: http://www.clamav.net/lang/en/ml/. We look forward to hearing your ideas and feedback. Thanks for using ClamAV and we look forward to working with you.

Joel Esler
Open Source Community Manager
Senior Research Engineer, VRT

Tuesday, June 19, 2012

Earlier today, Tomasz Kojm sent an email to the ClamAV mailing list on behalf of himself and three of his teammates - Alberto Wu, Luca Gibelli, Edwin Török. As he wrote in his email, since they joined us via acquisition in 2007, we’ve been able to work together on some great projects. And now, as we celebrate the 10-year anniversary of ClamAV, the team has decided to move onto new development projects outside of Sourcefire. From his email:
“...it is time for us to make a change. ClamAV is now mature software and we are confident that Sourcefire will successfully continue its development, move it forward and maintain the integrity of its infrastructure.”
And mature it has. Today the solution has more than 2 million active installations and scans hundreds of millions of files every day. I am incredibly proud of the leadership of Tomasz and the tenacity of his team in all of these development projects. While I am remiss to see them go, I am excited and looking forward to what they come up with next.

Now, what does this mean for you, our ClamAV users and community? The good news is that I will continue to oversee the development project, as I have done since our acquisition of the company in 2007.  Joel Esler, our Open Source community manager, will still be your main point of contact. I do want you to be aware of a few changes to come:
  • ClamAV source package signing. The signing key will no longer be tkojm@clamav.net. It will be research@sourcefire.com. This is the main VRT GPG key, and has been signed by tkojm@clamav.net. 
  • New faces 
    • Matt Olney
    • David Raynor
    • Tom Judge
    • Nigel Houghton
  • 0.97.5 New Release

If you need to reach us for any reason, email vrt@sourcefire.com. In the meantime, please join me in expressing thanks to Tomasz, Alberto, Luca and Edwin for all of their contributions to the ClamAV project.

Friday, June 15, 2012

Just released is version 0.97.5 of ClamAV.  Below is the changelog:

Fri Jun 1 13:15:50 EST 2012 (dar)
 * libclamav: Scan output at end of truncated tar (bb#4625) 

Wed May 30 17:27:00 EST 2012 (dar)
 * libclamav: Fix handling of tar file with malformed header

Fri May 25 13:05:40 EST 2012 (dar)
 * libclamav: Scan chm with invalid handling (bb#4626)

Thu May 10 15:45:56 CEST 2012 (tk)
 * freshclam: give custom dbs higher priority during update

Tue May  8 15:31:51 CEST 2012 (acab)
 * libclamav: detect read races and abort the scan with an error

Tue Apr 10 17:04:20 CEST 2012 (tk)
 * libclamav/pe.c: drop old header check (bb#4699)

We are currently experiencing some problems updating our freshmeat account, however, in the meantime ClamAV, as always, is available from http://www.clamav.net

Monday, May 28, 2012

In this article over at CNET, one of the things they discuss is using An Ubuntu Live CD, included with ClamAV to help repair infected computers.

Article here

Monday, April 9, 2012

The VRT is looking for an Intern to assist with the ClamAV and Razorback projects. If you are a C coder, we'd like to hear from you.

We are looking for resumes sent to research [at] sourcefire.com.  Please let us know that you are interested in the Intern position with the VRT, and that you saw the blog post here on the ClamAV blog!

Wednesday, March 21, 2012

The ClamAuth kernel extension enables ClamAV to provide on-access scanning for Mac OS X 10.5 and later. 

The current version works in a passive mode only - ClamAV will log the detection but won't block access to the infected file. However, it's possible to perform special actions (eg. quarantine files) with the VirusEvent directive of clamd.


1. Run ClamAuth_load to load the kernel extension (you can edit the script to change or add more paths that will be monitored).
2. Add "ClamAuth yes" to your clamd.conf (ClamAV 0.97.4) or "ScanOnAccess yes" (ClamAV-devel)
3. Start clamd with root privileges ('sudo /usr/local/sbin/clamd')

If clamd properly connects to the driver, you should see a line like this in the log file:

ClamAuth: Driver version: 0.3, protocol version: 2

ClamAV is now monitoring the paths specified in ClamAuth_load.

If you have any questions or feedback about this module please send it to the ClamAV mailing list here:

Monday, March 19, 2012

ClamAV 0.97.4 includes minor bugfixes, detection improvements and
initial support for on-access scanning under Mac OS X (see

This update is recommended for all users.

Wed Feb 29 18:35:45 CET 2012 (acab)
 * libclamav/bytecode.c: reset to BYTECODE_AUTO mode at db reload so that
    we don't fail to re-enable or re-disable it again

Tue Jan 17 11:15:57 CET 2012 (acab)
 * misc: performance improvement for HP-UX PA-RISC - patch from 
  Michael Pelletier <michael.v.pelletier*raytheon.com> (bb#3926)

Fri Nov  4 00:52:21 CET 2011 (acab)
 * libclamav/pe.c: parse vinfo where varfileinfo occours before stringfileinfo

Fri Mar  2 19:48:36 CET 2012 (tk)
 * clamd: add support for on-access scanning on OS X with ClamAuth (beta)

Wed Feb 29 17:02:18 EET 2012 (edwin)
 * libclamav/bytecode_api*: Fix Sparc crash (bb #4324)

Tue Feb  7 23:23:48 CET 2012 (tk)
 * libclamav: fix bytecode whitelisting

Wed Jan 25 18:56:44 CET 2012 (tk)
 * libclamav: fix macro detection in OLE2BlockMacros (bb#4269)

Thu Dec  1 15:07:49 CET 2011 (tk)
 * libclamav/readdb.c: allow comments in all db files (bb#3930)

Fri Nov 18 15:23:50 CET 2011 (tk)
 * libclamav/scanners.c: use lsigs when scanning vba data (bb#3922)

Fri Nov 18 15:48:59 EET 2011 (edwin)
 * libclamav/matcher-hash.c: Fix SIGBUS on PA-RISC (big-endian) architectures (bb #3894).

Download : http://downloads.sourceforge.net/clamav/clamav-0.97.4.tar.gz
PGP sig  : http://downloads.sourceforge.net/clamav/clamav-0.97.4.tar.gz.sig
Bugfixes : http://www.clamav.net/release-info/bugs/0.97.4
ChangeLog: http://www.clamav.net/release-info/changelog/0.97.4

Tuesday, February 28, 2012

Then we want to talk to you! While you can look up the different openings that the Vulnerability Research Team (VRT) has, what you won't see if why you should choose Sourcefire for your next job. This is why I love working here, in no particular order:

1. The people. We come from different backgrounds and bring a wealth of talent and knowledge to the table. Most of us were using computers pre-Internet before we were 10 years old. Back then, our friends were just happy to have a gaming console and didn't see the point of having a computer. We are curious by nature and didn't stop learning when we got our various degrees. When you engage in conversation with the VRT, be assured that there will be someone who knows at least as much as you on any topic. The VRT is made of smart, smart! individuals and we are looking for people who are driven and can fit in the team culture.

2. Open-source philosophy. Whether it's ClamAV, Snort, or Razorback (and their respective signatures/rules), we believe in letting users see and understand what we do, how we do it, and why we do it. This pushes us to excel at our job and always put the customer first.

3. Fun work environment. We are productive and have crunch times, yet we always know how to have fun. Do you know what "tea time" is? "Truffle shuffle"? "Hit box!"? Do you know what it is "to be slothed"? What does it mean when someone calls "car"? Who's the "grammar police"? Come find out :-)

4. Hobbies. If you like biking, riding motorcycles, playing the guitar, photography, playing tennis or soccer, you will likely find an after-hours hangout buddy with similar interest in the VRT.

5. Lunch. Delivered to you every day between 12PM and 2PM. Just choose what you like from 3 different and rotating restaurant menus and lookout for the the daily email that says that your lunch has arrived. For free. Yup, just like that (well technically it's part of your benefits).

6. Training. Whether you want to informally learn about malware or vulnerability research, attend a conference or a week-long training, or formally work towards a Bachelor's or Master's degree, we'll hook you up.

7. Leadership and Innovation. Snort is the de facto standard for Intrusion Detection and Prevention. ClamAV sets the standard for open-source antivirus and anti-malware solutions. Razorback advances complex threat detection and protection.

I could really go on and on about why you should choose us. If you think you have the right skills, if you think you can grow and most importantly if you are driven, contact us with your resume at research at sourcefire dot com.

Wednesday, January 25, 2012

Open Source Fact and Fiction: Sourcefire Stays True To Its Roots

Alan Shimel writes a great article about our new product FireAMP, and it's roots, not only with ClamAV but many other OpenSource technologies. It's a quick read, but really shows what we are trying to do here at Sourcefire and how OpenSource is not only the foundation of our products, but really, is baked into everything that we do here.