Monday, March 14, 2022

ClamAV 0.105.0 release candidate now available

We are excited to announce the ClamAV 0.105.0 release candidate.

Please help us validate this release by providing feedback via the ClamAV mailing list or on our Discord.

This release candidate phase is only expected to last about two to four weeks before the 0.105.0 Stable version will be published. Take this opportunity to verify that 0.105.0 can build and run in your environment. 

There is one known issue:

  • Yara rules containing regex strings will fail to load. The fix for this issue will be in the final release or next release candidate.

Please submit bug reports to the ClamAV project GitHub Issues.  

ClamAV 0.105.0 includes the following improvements and changes.

New Requirements

  • Starting with ClamAV v0.105, the Rust toolchain is required to compile ClamAV.

    You can install the Rust toolchain for your development environment by following the instructions on the rustup website. Some binary package distributions provide up-to-date packages of the Rust toolchain, but many do not. Using rustup ensures that you have the most up-to-date Rust compiler at the time of installation. Keep your toolchain updated for new features and bug/security fixes by periodically executing:

    rustup update 

    Building ClamAV requires, at a minimum, Rust compiler version 1.56, as it relies on features introduced in the Rust 2021 Edition.

    ClamAV's third-party Rust library dependencies are vendored into the release tarball (clamav-<version>.tar.gz) file that we publish on clamav.net/downloads. But, if you build from a Git clone or an unofficial tarball taken from GitHub.com, you will need the internet to download the Rust libraries during the build.

Major changes

  • Increased the default limits for file-size and scan-size:

    • MaxScanSize: 100M -> 400M
    • MaxFileSize: 25M -> 100M
    • StreamMaxLength: 25M -> 100M
    • PCREMaxFileSize: 25M -> 100M
    • MaxEmbeddedPE: 10M -> 40M
    • MaxHTMLNormalize: 10M -> 40M
    • MaxScriptNormalize: 5M -> 20M
    • MaxHTMLNoTags: 2M -> 8M

  • Added image fuzzy hash sub-signatures for logical signatures.

    Image fuzzy hash sub-signatures are a new feature for detecting images known to be used in phishing campaigns or otherwise used when distributing malware.

    Image fuzzy hash sub-signatures follow this format:

    fuzzy_img#<hash>

    For example:

    logo.png;Engine:150-255,Target:0;0;fuzzy_img#af2ad01ed42993c7
    logo.png-2;Engine:150-255,Target:0;0&1;49484452;fuzzy_img#af2ad01ed42993c7

    This initial implementation does not support matching with a hamming distance. Support for matching with a hamming distance may be added in a future release.

    ClamAV's image fuzzy hash is very close to, but not 100% identical to, the fuzzy hash generated by the Python imagehash package's phash() function. Note that these are only clean-room approximations of the pHash™️ algorithm. ClamAV's image fuzzy hashes are not expected to match the fuzzy hashes generated using other tools. Some images may match, while others do not.

    To generate the image fuzzy hash you can run this command:

    clamscan --gen-json --debug /path/to/file

    The hash will appear in the JSON above the "SCAN SUMMARY" under the object named "ImageFuzzyHash".

  • ClamScan & ClamDScan (Windows only):

    • Added a process memory scanning feature from ClamWin's ClamScan.

      This adds three new options to ClamScan and ClamDScan on Windows:

      • --memory
      • --kill
      • --unload

      Special thanks to:

      • Gianluigi Tiesi for allowing us to integrate the Windows process memory scanning feature from ClamWin into the ClamAV.
      • Grace Kang for integrating the ClamScan feature, and for extending it to work with ClamDScan in addition.

Notable changes

  • Updated the LLVM bytecode runtime support so that it can use LLVM versions 8 through 12 and removed support for earlier LLVM versions. Using LLVM JIT for the bytecode runtime may improve scan performance over the built-in bytecode interpreter runtime, which is the default. If you wish to build using LLVM, you must obtain a complete build of the LLVM libraries including the development headers and static libraries.

    There are some known issues both compiling and running the test suite with some LLVM installations. We are working to further stabilize LLVM bytecode runtime support, and document specific edge cases. Your feedback is welcome.

    For details about building ClamAV with the LLVM bytecode runtime, see the install reference documentation.

  • Added a GenerateMetadataJson option to ClamD. The functionality is equivalent to the clamscan --gen-json option. Scan metadata is useful for file analysis and for debugging scan behavior. If Debug is enabled, ClamD will print out the JSON after each scan. If LeaveTemporaryFiles is enabled, ClamD will drop a metadata.json file in the scan-temp directory. You can customize the scan-temp directory path using the TemporaryDirectory option.

  • The libclamunrar.so library's SO versions now matches that of libclamav.so. The upstream UnRAR library does not have an SO version that we should match. This change is to prevent a possible collision when multiple ClamAV versions are installed.

  • CMake: Added support for using an external TomsFastMath library (libtfm).

    To use an external TomsFastMath library, configure the build with the new option -D ENABLE_EXTERNAL_TOMSFASTMATH=ON. The following CMake variables may also be set as needed:

    • -D TomsFastMath_INCLUDE_DIR=<path> - The directory containing tfm.h.
    • -D TomsFastMath_LIBRARY=<path> - The path to the TomsFastMath library.

    Also updated the vendored TomsFastMath code to version 0.13.1.


Other improvements

  • Freshclam:

    • Improve ReceiveTimeout behavior so that will abort a download attempt if the download is not making significant progress. Previously this limit was an absolute time limit for the download and could abort prematurely for those on a slower connection. Special thanks to Simon Arlott for this improvement.
  • Rewrote the ClamAV database archive incremental-update feature (CDIFF) from scratch in Rust. The new implementation was our first module to be rewritten in Rust. It is significantly faster at applying updates that remove large numbers of signatures from a database, such as when migrating signatures from daily.cvd to main.cvd.

  • Freshclam & ClamD:

    • Increased the maximum line-length for freshclam.conf and clamd.conf from 512-characters to 1024-characters. This change was by request to accommodate very long DatabaseMirror options when using access tokens in the URI.
  • Removed the Heuristics.PNG.CVE-2010-1205 detection. This alert had been placed behind the --alert-broken-media (SCAN_HEURISTIC_BROKEN_MEDIA) option in 0.103.3 and 0.104 because of excessive alerts on slightly malformed but non- malicious files. Now it is completely removed.

  • Added support for building ClamDTop using ncursesw if ncurses can not be found. Patch courtesy of Carlos Velasco.

Bug fixes

  • ClamOnAcc: Fixed a number of assorted stability issues and added niceties for debugging ClamOnAcc. Patches courtesy of Frank Fegert.

  • Fixed an issue causing byte-compare sub-signatures to cause an alert when they match even if other conditions of the given logical signatures were not met.

  • Fixed an issue causing XLM macro false positives when scanning XLS documents containing images if the --alert-macros (AlertOLE2Macros) option was enabled.

  • Fixed an issue preventing multiple matches when scanning in all-match mode.

  • Docker:

    • Fixed an issue exposing the health check port. Patch courtesy of Sammy Chu.
    • Fixed an issue with health check failure false positives during container startup. Patch courtesy of Olliver Schinagl.
    • Set the default time zone to Etc/UTC. The --env parameter can be used to customize the time zone by setting TZ the environment variables. Patch courtesy of Olliver Schinagl.
  • Added support for detecting the curses library dependency even when the associated pkg-config file is not present. This resolves a build issue on some BSD distributions. Patch courtesy of Stuart Henderson.

  • Assorted bug fixes and improvements.

Acknowledgments

The ClamAV team thanks the following individuals for their code submissions:

  • Ahmon Dancy
  • Alexander Sulfrian
  • Carlos Velasco
  • Bernd Kuhls
  • David Korczynski
  • Fabrice Fontaine
  • Frank Fegert
  • Gianluigi Tiesi
  • Giovanni Bechis
  • Grace Kang
  • John Humlick
  • Jordan Ernst
  • JunWei Song
  • mko-x
  • Olliver Schinagl
  • Sammy Chu
  • Sergey Valentey
  • Simon Arlott
  • Stuart Henderson
  • Yann E. Morin