Friday, July 1, 2022

ClamAV bytecode compiler release

ClamAV is releasing an update today that completely overhauls the ClamAV Bytecode Compiler (ClamBC-Compiler). 

A bytecode signature is a form of cross-platform ClamAV plugin. They are distributed and loaded alongside the other ClamAV databases. These signatures are executed as supplemental parsers for specific files, or are triggered by traditional ClamAV signature matches to provide advanced analysis before providing a scan verdict. These serve as a mechanism for writing advanced detection rules and executable unpackers without having to wait to integrate and publish the logic in a full ClamAV feature release. And, more importantly, that means such features can be rapidly upgraded or disabled should a problem arise, without the need to publish a ClamAV critical patch version. They provide an option for the Cisco Talos Malware Research Team to deliver malware detection capabilities that would not otherwise be possible with ClamAV's content-match, hash, and file metadata-based signatures. 

This release, version 0.105.0, mirrors the latest ClamAV release. ClamBC-Compiler 0.105.0 carries the source code headers from ClamAV 0.105.0 that are necessary to build bytecode signatures using all of the features and fixes found in ClamAV 0.105.0 and prior.

The real milestone, though, is a major change to the ClamBC-Compiler architecture. In prior versions, the compiler project vendored a sizeable portion of the LLVM project source code, modified so that it could build ClamAV bytecode signatures from C (-ish) source. As the LLVM project rapidly evolved, this design made it increasingly difficult to upgrade the ClamBC-Compiler project. Now, ClamBC-Compiler sports a new command-line interface and leverages the OS distribution-provided LLVM libraries and Clang compiler alongside our custom compiler modules.

This upgrade also includes several improvements to ClamBC-Compiler code quality, quality assurance tests, and test infrastructure. We also fixed a handful of existing compiler bugs.  

ClamBC-Compiler is available as source code on GitHub.com/Cisco-Talos/clamav-bytecode-compiler and as a ready-to-go container on Docker Hub under clamav/clambc-compiler. We look forward to leveraging this new release to deliver new and improved malware detection content.


ClamBC-Compiler 0.105.0 Release Notes 

➕ Complete overhaul of the bytecode compiler project. 

  • The clamav compiler passes now build against a system-installed LLVM library. This builds a single shared library (i.e., libclambcc.so).  
  • The compiler application is now a Python script that uses Clang with the bytecode compiler library to run the compiler passes. 

🐛 Fixed a bug causing signatures that use malloc to fail to run when built against a system-installed LLVM.

🐛 Fixed the peinfo.c example bytecode source. 

❌ Removed vendored/modified LLVM/Clang 2.7-ish source. 

🌌 Upgraded build system from Autotools to CMake. 

🌌 New Requirements:  

  • LLVM 8  
  • Clang 8  
  • Python 3.6+ 

➕ Support for compiling bytecode signatures from multiple source files.

🐛 Many assorted bug fixes.