Monday, July 27, 2020

During a recent review of file downloads from our ClamAV CDN network, we've noticed hundreds of IPs that seem to be downloading the daily.cvd and the main.cvd thousands of times a day.

There are about a dozen IPs that are downloading those two files more than 40,000 times a day. This is causing us to transfer about 250TB of data a day. We would encourage any users still doing this to cease as soon as possible. Not only does it waste our bandwidth — as we have much more efficient ways of downloading the updates — but it also wastes your bandwidth, as well.

Freshclam has the ability to download partial updates (called cdiffs), which are smaller, incremental updates to the database. This allows users, and us, to manage downloads in a much more efficient manner. We often receive the complaint, "I have to download the daily.cvd and main.cvd with Python and move the updates to an off-internet system."  That's fine — it's a use case we support. However, you can do the same with freshclam and the small cdiffs.

Furthermore, we only release updates once a day.  Reducing the number of times you check for (and, subsequently, download) updates, which we assume happens through a crontab or periodic job of some type, would also alleviate this issue.

We will be constantly monitoring this in hopes that people migrate to using freshclam.  Over-abusers (for instance, the top 10 IPs that are downloading main.cvd 40,000 times a day) will be immediately blocked.  Further abusers may also be blocked, without notice.

To mitigate, please complete the following tasks:

1. Use Freshclam instead of Python or whatever downloading script you have cron'd.
2. Reduce the checks to once or twice a day.
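As an added illustration of the monitoring described above (my example, not ClamAV's own tooling), the following script tallies, per client and day, how often the whole daily.cvd and main.cvd are fetched versus the incremental cdiffs, over constructed common-log-format lines. The IP addresses, file sizes and the flagging threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Common-log-format request lines; the day is the part of the timestamp before the first colon.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+)[^\]]*\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')
FULL_CVD = {"/daily.cvd", "/main.cvd"}      # the whole-database files named in the post

def summarize(lines):
    """Per (ip, day): count full CVD downloads, cdiff downloads and bytes served.
    Unparseable lines, non-GETs, failed requests and other paths are skipped."""
    stats = defaultdict(lambda: {"cvd": 0, "cdiff": 0, "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] not in ("200", "206"):
            continue
        path = m["path"]
        kind = "cvd" if path in FULL_CVD else "cdiff" if path.endswith(".cdiff") else None
        if kind is None:
            continue
        entry = stats[(m["ip"], m["day"])]
        entry[kind] += 1
        entry["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return stats

def flag_clients(stats, max_full_per_day=10):
    """Clients fetching whole CVDs more than max_full_per_day times (an assumed
    example threshold; the post says the databases are published once a day).
    Returns [(ip, day, full_downloads, bytes)] sorted by most downloads first."""
    rows = [(ip, day, s["cvd"], s["bytes"]) for (ip, day), s in stats.items()
            if s["cvd"] > max_full_per_day]
    return sorted(rows, key=lambda r: -r[2])

def constructed_log():
    """Constructed sample log (documentation addresses, round sizes): one client
    re-downloading both full files 600 times in a day, one client using cdiffs."""
    tpl = '{ip} - - [27/Jul/2020:{h:02d}:{m:02d}:00 +0000] "GET {path} HTTP/1.1" 200 {size}'
    lines = []
    for i in range(600):
        for path, size in (("/daily.cvd", 120_000_000), ("/main.cvd", 170_000_000)):
            lines.append(tpl.format(ip="198.51.100.7", h=i // 25, m=i % 25, path=path, size=size))
    lines.append(tpl.format(ip="203.0.113.9", h=3, m=0, path="/daily-25889.cdiff", size=84_000))
    lines.append(tpl.format(ip="203.0.113.9", h=15, m=0, path="/daily-25890.cdiff", size=80_000))
    lines.append("not a log line")            # must be skipped, not crash the parser
    return lines

if __name__ == "__main__":
    for ip, day, n, nbytes in flag_clients(summarize(constructed_log())):
        print(f"{ip} on {day}: {n} full CVD downloads, {nbytes / 1e9:.1f} GB")
```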

Thank you for helping keep the ClamAV network healthy.

Any questions, please see us over on the ClamAV-Users list.

Thursday, July 23, 2020

By Nikhil Hegde.

MassLogger is a .NET executable and an info-stealer with the ability to take screenshots, log keystrokes, etc. The binary features two obfuscated loaders. The first loader decrypts the second using the Rijndael algorithm. The second loader decodes the payload using the values in a Bitmap image. The presence of multiple loaders and obfuscation made it a good choice for a walkthrough of ClamAV signature creation. In this post, we'll walk through the creation of Clam signatures for this malware. It is our hope that this gives you a closer look at the work we do to reverse-engineer malware.

I picked up the sample hash, 2b7455d2a9434cfe516d9d886248b45f1073c0cc9fef73b15e9a1ef187fe4677 from a tweet by Nocturnus. The sample is available on VirusTotal.

Thursday, July 16, 2020

ClamAV 0.102.4 is out now. Users can head over to clamav.net/downloads to download the release materials.

ClamAV 0.102.4 is a bug patch release to address the following issues:

CVE-2020-3350

Fixed a vulnerability that a malicious user could exploit by replacing a scan target's directory with a symlink to another path, tricking clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue affects users who run clamscan, clamdscan, or clamonacc with the --move or --remove options.

For more information about AV quarantine attacks using links, see RACK911 Lab's report.
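To show the bug class and one hardening pattern against it, here is an added Python example (constructed for this post; it is neither ClamAV's code nor its actual fix): a naive path-based remove follows a directory that was swapped for a symlink after the scan, while the hardened version records the scanned directory's (st_dev, st_ino), re-opens it with O_NOFOLLOW and unlinks relative to the held descriptor. The scan/victim directories and the file name detected.bin are constructed.

```python
import os
import tempfile

def dir_identity(path):
    """Open `path` as a directory without following a symlink at its final
    component; return (fd, (st_dev, st_ino)). Raises OSError (ELOOP) if the
    directory has been replaced by a symlink."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    st = os.fstat(fd)
    return fd, (st.st_dev, st.st_ino)

def naive_remove(scan_dir, name):
    # Path-based removal re-resolves scan_dir at unlink time, so a symlink
    # swapped in after the scan redirects the delete into another directory.
    os.remove(os.path.join(scan_dir, name))

def safe_remove(scan_dir, name, expected_identity):
    """Remove `name` only if scan_dir is still the directory that was scanned.
    Returns True if removed, False if the removal was refused."""
    try:
        fd, identity = dir_identity(scan_dir)
    except OSError:
        return False                      # now a symlink (or gone): refuse
    try:
        if identity != expected_identity:
            return False                  # a different directory: refuse
        os.unlink(name, dir_fd=fd)        # relative to the held fd: no re-resolution
        return True
    finally:
        os.close(fd)

def _setup(root, tag):
    """Constructed layout: a scan directory and an unrelated 'victim' directory
    holding a file with the same name as the detected one."""
    scan_dir = os.path.join(root, "scan" + tag)
    victim_dir = os.path.join(root, "victim" + tag)
    for d in (scan_dir, victim_dir):
        os.mkdir(d)
        open(os.path.join(d, "detected.bin"), "w").close()
    return scan_dir, victim_dir

def _swap(scan_dir, victim_dir):
    # The window described in the advisory: the scanned directory becomes a
    # symlink between the scan and the --remove action.
    os.rename(scan_dir, scan_dir + ".moved")
    os.symlink(victim_dir, scan_dir)

def demo():
    """Returns (naive_deleted_victim_file, safe_refused, victim_file_intact)."""
    root = tempfile.mkdtemp()
    s1, v1 = _setup(root, "1")
    _swap(s1, v1)
    naive_remove(s1, "detected.bin")
    naive_deleted = not os.path.exists(os.path.join(v1, "detected.bin"))
    s2, v2 = _setup(root, "2")
    fd, identity = dir_identity(s2)       # recorded when the scan opened the dir
    os.close(fd)
    _swap(s2, v2)
    refused = not safe_remove(s2, "detected.bin", identity)
    intact = os.path.exists(os.path.join(v2, "detected.bin"))
    return naive_deleted, refused, intact
```

The identity check alone also refuses a swap to a different real directory; the O_NOFOLLOW open is what catches the symlink case.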

CVE-2020-3327

Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481

Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.

We will be publishing a release candidate for version 0.103.0 in the next couple of weeks. Stay tuned!

Monday, June 15, 2020

ClamAV has provided a signature database built with Google's Safebrowsing API to give advanced protection against emails with links to suspicious websites.

As of Nov. 11, 2019, we have stopped updating the Safebrowsing signature database because Google announced changes to their Safebrowsing API terms of service.

Google now requires commercial users to use the Google Web Risk API, a for-profit feature, instead of the Safebrowsing API. Though ClamAV itself is free and open-source, we cannot continue to provide Google Safebrowsing data to the general public.

Today, we're pleased to open-source a new tool for users to generate their own safebrowsing signature databases using their personal Safebrowsing API credentials for use in accordance with the policies of the Safebrowsing API user agreement.

Please check out the clamav-safebrowsing repository on Github to get started.


Tuesday, May 12, 2020

Today, we're publishing ClamAV, version 0.102.3. Navigate to ClamAV's downloads page to download the release materials.

ClamAV 0.102.3


ClamAV 0.102.3 is a bug patch release to address the following issues.
  • CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
  • CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.
  • Fixed "Attempt to allocate 0 bytes" error when parsing some PDF documents.
  • Fixed a couple of minor memory leaks.
  • Updated libclamunrar to UnRAR 5.9.2.
Please join us on the ClamAV mailing lists, on irc.freenode.net in #clamav, or on Discord for further discussion. Thanks!

Monday, February 17, 2020

Attn: ClamAV users, we will be upgrading our version of Bugzilla on Wednesday, February 19th, at 8:00 EST.

The impact should be minimal, and the upgrade should take no longer than a couple of hours.

We will notify you when it is back up. Thank you for your patience.

Wednesday, February 5, 2020

Today, we're publishing 0.102.2. Navigate to ClamAV's downloads page to download the release materials.

0.102.2

ClamAV 0.102.2 is a security patch release to address the following issues.
  • CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.
  • Significantly improved the scan speed of PDF files on Windows.
  • Re-applied a fix to alleviate file access issues when scanning RAR files in downstream projects that use libclamav where the scanning engine is operating in a low-privilege process. This bug was originally fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0.
  • Fixed an issue where freshclam failed to update if the database version downloaded is one version older than advertised. This situation may occur after a new database version is published. The issue affected users downloading the whole CVD database file.
  • Changed the default freshclam ReceiveTimeout setting to 0 (infinite). The ReceiveTimeout had caused needless database update failures for users with slower internet connections.
  • Corrected the number of kilobytes (KiB) displayed in the progress bar and reduced the size of the progress bar to accommodate 80-character-wide terminals.
  • Fixed an issue where running freshclam manually causes a daemonized freshclam process to fail when it updates because the manual instance deletes the temporary download directory. The freshclam temporary files will now download to a unique directory created at the time of an update instead of using a hardcoded directory created/destroyed at the program start/exit.
  • Fix for freshclam's OnOutdatedExecute config option.
  • Fixes a memory leak in the error condition handling for the email parser.
  • Improved bound checking and error handling in ARJ archive parser.
  • Improved error handling in PDF parser.
  • Fix for memory leak in byte-compare signature handler.
  • Updates to the unit test suite to support libcheck 0.13.
  • Updates to support autoconf 2.69 and automake 1.15.
Special thanks to the following people for code contributions and bug reports:

  • Antoine Deschênes
  • Eric Lindblad
  • Gianluigi Tiesi
  • Tuomo Soini

Please join us on the ClamAV mailing lists for further discussion. Thanks!

Tuesday, December 3, 2019

By Micah Snyder.

Today I'm very excited, and a little bit nervous, to unveil Mussels. Mussels is a cross-platform, general-purpose dependency build automation tool. You might compare it with Vcpkg, Conan, or Buildout. It serves a similar purpose, but the approach is a little different.


How to get Mussels

The Mussels project is hosted on GitHub under Cisco-Talos/Mussels.

By the time this blog post is published, you should be able to install Mussels from PyPI using Pip. You may also clone the Mussels Git repository and use Pip to install it locally.

Install Mussels from PyPI:

python3 -m pip install --user mussels

Install Mussels from a Git clone:

python3 -m pip install --user .

The origin of Mussels

Mussels is something I've been crafting as a hobby project in support of ClamAVⓇ. The need for a dependency management tool became obvious as we were actively engaged in upgrading ClamAV's external dependencies, specifically for Windows builds. Historically, ClamAV maintained a collection of third-party code that was copy-pasted into our own repository with custom Visual Studio project files created to build these libraries. This approach worked and made it simple enough to compile the project.

Maintenance, however, was a bit of a nightmare, so we decided to separate these dependencies out. This meant we'd have new things to build as dependencies of ClamAV, however, and things only got worse the moment we decided to add libcurl as a hard requirement in support of HTTP 1.1/2.0, and TLS/SSL.

All of a sudden, we went from ClamAV requiring just OpenSSL to be built separately from ClamAV, to having to build:
  • zlib
  • bzip2
  • pthread-w32
  • libjson-c
  • OpenSSL (depends on zlib)
  • libxml2 (depends on zlib)
  • libpcre2 (depends on bzip2, zlib)
  • libssh2 (depends on OpenSSL, zlib)
  • NGHTTP2 (depends on libxml2, OpenSSL, zlib)
  • libcurl (depends on OpenSSL, NGHTTP2, libssh2, zlib)
It clearly isn't feasible to build all of this without some sort of automation. Most of these libraries are actively maintained projects that see new releases every couple of months. And it certainly isn't something we wanted to maintain source code copies of inside the ClamAV source repository.

Mussels started out as something really simple that was largely focused on building dependencies for ClamAV on Windows. There were a couple of occasions, however, when I needed to build some new combination of libraries. I quickly threw together a few Mussels recipes to make it happen. With Mussels, things just worked. I'd type mussels build clamav_deps and it was off to the races while I'd wander away to grab some tea and marvel at how easy it all was. That was when I realized I really wanted to productize this Mussels-thing and make it available for the general public. I've spent as much time as I could afford to make Mussels ready for public consumption once I received approval to make it open-source.

How Mussels works

Mussels is intended to simplify the process of building complex applications that have lengthy dependency chains without having to write all new CMake, Meson, Bazel, XCode, or Visual Studio project files. Instead, you write (and share) simple recipes that leverage the original build systems intended by software authors of your external library dependencies.

Recipes are YAML files that detail how to build a given library or application. A recipe defines where to get the software source archive, what other recipes the software depends on for the build, what tools are required to build the software, and of course what commands to run to perform the build.

A simple example recipe:

name: zlib
version: "1.2.11"
url: https://www.zlib.net/zlib-1.2.11.tar.gz
mussels_version: "0.1"
type: recipe
platforms:
  Linux:
    host:
      build_script:
        configure: |
          cmake . -DCMAKE_INSTALL_PREFIX="{install}/{target}"
        make: |
          cmake --build . --config Release
        install: |
          make install
      dependencies: []
      install_paths:
        license/zlib:
          - README
      required_tools:
        - cmake
        - make
        - gcc


Like a recipe, developers may define tools in YAML as well. Tools describe how to identify whether a given build tool (like GCC, CMake, Python, Java, etc.) exists on the current machine.

A simple tool definition:

name: gcc
version: ""
mussels_version: "0.1"
type: tool
platforms:
  Posix:
    path_checks:
      - gcc
    command_checks:
      - command: "gcc --version"
        output_has: "gcc"
    file_checks:
      - /usr/local/bin/gcc
      - /usr/bin/gcc

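As an added example (my own, not code from the Mussels project), the dependency list from the earlier section becomes a dict, a resolver computes the dependency-first build order a dry run would report, and a checker evaluates a tool definition's path_checks, command_checks and file_checks as the tool YAML above lays them out. That a tool counts as present when any one check passes is an assumption about Mussels' semantics, as is the PYTHON_TOOL definition used for a deterministic check.

```python
import os
import shlex
import shutil
import subprocess
import sys

# The dependency graph from the post's list (constructed dict; Mussels keeps it in YAML).
CLAMAV_DEPS = {
    "zlib": [], "bzip2": [], "pthread-w32": [], "libjson-c": [],
    "OpenSSL": ["zlib"],
    "libxml2": ["zlib"],
    "libpcre2": ["bzip2", "zlib"],
    "libssh2": ["OpenSSL", "zlib"],
    "NGHTTP2": ["libxml2", "OpenSSL", "zlib"],
    "libcurl": ["OpenSSL", "NGHTTP2", "libssh2", "zlib"],
}

def build_order(recipe, recipes=CLAMAV_DEPS):
    """Recipes to build, dependencies first (what a dry run would print).
    Raises KeyError for an unknown recipe and ValueError on a dependency cycle."""
    order, done, in_progress = [], set(), set()
    def visit(name):
        if name in done:
            return
        if name in in_progress:
            raise ValueError(f"dependency cycle through {name}")
        in_progress.add(name)
        for dep in recipes[name]:
            visit(dep)
        in_progress.discard(name)
        done.add(name)
        order.append(name)
    visit(recipe)
    return order

def tool_available(tool):
    """Evaluate a tool definition's checks; assumed semantics: any passing check
    marks the tool present. Missing check lists are treated as empty."""
    for exe in tool.get("path_checks", []):
        if shutil.which(exe):                     # found on PATH
            return True
    for chk in tool.get("command_checks", []):
        try:
            out = subprocess.run(shlex.split(chk["command"]), capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue                              # cannot run it: check fails
        if chk["output_has"] in out.stdout + out.stderr:
            return True
    return any(os.path.isfile(p) for p in tool.get("file_checks", []))

def missing_tools(required, tools):
    """Names of required tools whose definitions fail every check."""
    return [t for t in required if not tool_available(tools.get(t, {}))]

# Constructed tool definition that checks the running interpreter's own path.
PYTHON_TOOL = {"file_checks": [sys.executable]}
```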

Recipes and tools may be shared in Git repositories that we call "cookbooks."

Cookbooks can either be public Git repositories, private Git repositories, or simply a local directory containing recipe and tool YAML files. It's really easy to create a new recipe or tool by cloning existing recipes and tools to your local directory and then customizing them to suit your project's needs.

Mussels works on macOS, Linux/Unix, and Windows operating systems. Though it was originally written in support of building C-based application libraries, it's flexible and can be extended to build and assemble any software package.

Running a build with Mussels is as simple as this:
  1. Identify the recipe you wish to build using:
    mussels update
    mussels list -a
  2. Verify that the recipe will suit your needs with:
    mussels recipe show <recipe-name> -V
  3. Clone the recipe to your current directory:
    mussels recipe clone <recipe-name>

    Or, choose to trust the cookbook which provides the recipe:
    mussels cookbook trust <cookbook-name>
  4. Do a dry run, to see what all will be built:
    mussels build <recipe-name> --dry-run
    If you are missing tools required for the build, Mussels will tell you what you will need.
  5. Run the build!
    mussels build <recipe-name>
Hop over to the Mussels README page on GitHub to learn more.
You can also join us on Discord.

I hope you will give Mussels a try, and I hope you'll find a way to use Mussels to make development on your project a little bit easier.

For those who have been interested in building the latest version of ClamAV on Windows from source without having to build and assemble all of the dependencies by hand, we've also added the ClamAV Mussels cookbook to the Mussels bookshelf, making our own recipes publicly available for anyone to use or copy.

Friday, November 22, 2019

This serves as notice that we are planning on publishing a new main.cvd and a cdiff Monday, November 25, 2019.

In the past we notified our mirror maintainers to let them know it was going to be a hit on their bandwidth, but now that we have a CDN, the effect should be minimal.  However, we still wanted to give our end users a heads up just in case any questions come up around why ClamAV is taking a bit longer to reload that particular update.

After that update, restarts and reloads should happen much faster, and the daily downloads will again shrink.

Wednesday, November 20, 2019

Today we are publishing two patch versions, 0.102.1 and 0.101.5.  Both of these can be found on ClamAV's downloads page, with 0.102.1 as the main release and 0.101.5 under "Previous Stable Releases."

0.102.1

ClamAV 0.102.1 is a security patch release to address the following issues.


  • Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
    • CVE-2019-15961:
      • A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. Reported by Joran Dirk Greef, Ronomon, Cape Town.
  • Build system fixes to build clamav-milter, to correctly link with libxml2 when detected, and to correctly detect fanotify for on-access scanning feature support.
  • Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu.
  • Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library.
  • Null-dereference fix in email parser when using the --gen-json metadata option.
  • Fixes for Authenticode parsing and certificate signature (.crb database) bugs.


Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef
- Reio Remma

0.101.5

ClamAV 0.101.5 is a security patch release that addresses the following issues.


  • Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
    • CVE-2019-15961:
      • A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.
  • Added the zip scanning improvements found in v0.102.0, where files are scanned using zip records from a sorted catalogue. The catalogue deduplicates file records, which speeds up extraction and scanning and reduces the likelihood of alerting on non-malicious duplicate file entries as overlapping files.
  • Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu.
  • Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library.
  • Null-dereference fix in email parser when using the --gen-json metadata option.


Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef

Please join us on the ClamAV mailing lists for further discussion!  Thanks!