Thursday, December 17, 2015

ClamAV 0.99 Release is the largest ever!

We'd like to extend a huge thank you to our ClamAV community for helping us make ClamAV 0.99 the largest launch of ClamAV ever!

We generally average around 8,000 downloads of ClamAV a week; in the two weeks since 0.99 launched, we've had over 20,000 downloads a week.

We're pretty happy with this number and can't wait until 0.99 is in everyone's hands, so that all of our millions of users can use the latest detection and features. 

If you haven't updated to ClamAV 0.99, we encourage you to do so as soon as possible, help us keep the momentum going, and keep breaking records!

Tuesday, December 1, 2015

ClamAV 0.99 has been released!

Please join us in welcoming ClamAV 0.99 to the family! The following are the 0.99 release notes:

ClamAV 0.99 contains major new features and changes. YARA rules,
Perl Compatible Regular Expressions, revamped on-access scanning
for Linux, and other new features join the many great features of ClamAV:


  • Processing of YARA rules (some limitations; see signatures.pdf).
  • Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
  • New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
  • A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
  • Configurable default password list to attempt zip file decryption.
  • TIFF file support.
  • Upgrade Windows pthread library to 2.9.1.
  • A new signature target type for designating signatures to run against files with unknown file types.
  • Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
  • Support for LZMA decompression within Adobe Flash files.
  • Support for MSO attachments within Microsoft Office 2003 XML files.
  • A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ASCII files.
  • Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.


PLEASE NOTE: If you are using clamd on-access scanning or have applications
using all-match mode, you will want to review the changes and make any necessary
adjustments before using ClamAV 0.99. Users of Windows binaries need to be
aware of the change of installation directories.

As always ClamAV can be downloaded from the ClamAV Downloads page on ClamAV.net!  Please provide your feedback via the ClamAV Mailing Lists!

Thank you to the ClamAV community members who sent patches and bug reports
included for ClamAV 0.99:

Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert

Thursday, November 19, 2015

ClamAV 0.99rc2 has been posted!

ClamAV 0.99rc2 contains major new features and changes. YARA rules, 
Perl Compatible Regular Expressions, revamped on-access scanning
for Linux, and other new features join the many great features of ClamAV:

    - Processing of YARA rules (some limitations; see signatures.pdf).
    - Support in ClamAV logical signatures for many of the features
      added for YARA, such as Perl Compatible Regular Expressions,
      alternate strings, and YARA string attributes. See signatures.pdf
      for full details.
    - New and improved on-access scanning for Linux. See the recent blog
      post and clamdoc.pdf for details on the new on-access capabilities.
    - A new ClamAV API callback function that is invoked when a virus 
      is found. This is intended primarily for applications running in 
      all-match mode. Any applications using all-match mode must use 
      the new callback function to record and report detected viruses.    
    - Configurable default password list to attempt zip file decryption.
    - TIFF file support.
    - Upgrade Windows pthread library to 2.9.1.
    - A new signature target type for designating signatures to run
      against files with unknown file types.
    - Improved fidelity of the "data loss prevention" heuristic
      algorithm. Code supplied by Bill Parker.
    - Support for LZMA decompression within Adobe Flash files.
    - Support for MSO attachments within Microsoft Office 2003 XML files.
    - A new sigtool option (--ascii-normalize) allowing signature authors
      to more easily generate normalized versions of ASCII files.
    - Windows installation directories changed from
      \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or
      \Program Files\ClamAV-x64.

PLEASE NOTE: If you are using clamd on-access scanning or have applications
using all-match mode, you will want to review the changes and make any necessary
adjustments before using ClamAV 0.99. Users of Windows binaries need to be
aware of the change of installation directories.

Thank you to the ClamAV community members who sent patches and bug reports
included for ClamAV 0.99:

Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert

You can download ClamAV 0.99rc2 from the ClamAV downloads site.  As a reminder, in an upcoming release, we will cease updating the SourceForge release site for ClamAV.  Please start downloading directly from ClamAV.net now.

Thursday, October 15, 2015

ClamAV 0.99 Release Candidate has been posted!

ClamAV 0.99 Release Candidate has been posted for download!  Please check out the below release notes:

This is the first release of ClamAV that is being done on both ClamAV.net and SourceForge.  If you are a package or mirror maintainer, make sure you start moving your download location from SourceForge over to ClamAV.net.

0.99-rc1
--------

ClamAV 0.99 contains major new features and changes. YARA rules, Perl Compatible Regular Expressions, revamped on-access scanning for Linux, and other new features join the many great features of ClamAV:


  •     Processing of YARA rules (some limitations; see signatures.pdf).
  •     Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
  •     New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
  •     A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
  •     Configurable default password list to attempt zip file decryption.
  •     TIFF file support.
  •     Upgrade Windows pthread library to 2.9.1.
  •     A new signature target type for designating signatures to run against files with unknown file types.
  •     Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
  •     Support for LZMA decompression within Adobe Flash files.
  •     Support for MSO attachments within Microsoft Office 2003 XML files.
  •     A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ASCII files.
  •     Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.


PLEASE NOTE: If you are using clamd on-access scanning or have applications using all-match mode, you will want to review the changes and make any necessary adjustments before using ClamAV 0.99. Users of Windows binaries need to be aware of the change of installation directories.

Thank you to the ClamAV community members who sent patches and bug reports included for ClamAV 0.99:

Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert

--
The ClamAV team (http://www.clamav.net/about.html#credits)

Tuesday, October 13, 2015

ClamAV.org relaunch, now with on page downloads!

Those of you that have visited ClamAV.org in the past several hours may have noticed a slight change in our procedures for downloads.  For years, we've been shuttling you over to Sourceforge's download site to download our packages.

That stopped today.  Starting today, we've moved all downloads of ClamAV onto ClamAV.org.

For the next couple of versions (at least 0.99 and a bug fix after), we'll be releasing ClamAV on both platforms to allow for the transition of packages, people's shell scripts, etc.

This move gives us more visibility into the platform, with metrics around versions and overall usage.  On the downloads page you will find our current release, all current beta and development releases, and previous stable releases.

Please be sure and report any bugs you may find to the web team here at ClamAV at: talosweb@cisco.com

Monday, September 14, 2015

ClamAV 0.99b2 On-Access Scanning - Now With 3D!!!

With ClamAV’s second 0.99 beta release comes a revamp of the on-access scanner for Linux. This is the first major update to on-access scanning following the move to fanotify from Dazuko back in the 0.98 release.  A quick overview of features and updates can be found in the table below.


(Image: on-access-table.png, the table of on-access scanning features and updates in 0.99)


The meatiest updates for 0.99 on-access scanning are the recursive directory watching and dynamic watchpoint determination features. Collectively these features make up 0.99’s new dynamic directory determination system (ddd or 3D for short), which allows users to recursively watch any directory and track it for changes, updating fanotify watchpoints on the fly. 


In previous versions, the on-access scanner would watch only immediate children of the specified directory, and recursive monitoring could only be accomplished with custom scripts or manually specified clamd.conf entries. This limitation was partially due to fanotify’s inability to recognize the creation of a subdirectory within a watched parent directory. As a result, potentially malicious files could be freely created and executed one level beneath the parent directory, leaving the on-access scanner none the wiser. What’s more, even if the on-access scanner caught a malicious file, it would fail to stop that file from being executed, read, or opened.


Now, the latest version of on-access scanning has recursive watching on any directory built in by default. Additionally, we leverage inotify (a kernel-provided API commonly used to help keep track of filesystem changes) to update fanotify watchpoints as changes occur to all watched directories and their subdirectories. But most critically of all, fanotify will correctly prevent read, open, and execute attempts for any virus found within the watched hierarchy.


Touching on the 3D system for a moment, it’s important to note that special care has been taken to ensure the new feature operates both quickly and efficiently. While there’s still room for improvement, the 3D system manages to preserve ClamAV’s tradition of speedy scanning. To put that into more tangible terms, it’s capable of processing watchpoint updates at a rough rate of 18,000 directories per second. Keep in mind, these metrics were gathered on a VM with decidedly modest hardware, so YMMV.


Of course, being able to watch thousands upon thousands of directories at all necessitates dealing with inotify’s default limit on active watchpoints. By default, inotify caps each user at 8192 watchpoints, and since the 3D system uses one watchpoint per watched directory, that means 8192 directories. The current value can be read from /proc/sys/fs/inotify/max_user_watches. If you plan on pointing the on-access scanner at a directory tree with more than 8192 subdirectories, you’ll need to raise this value as follows:


$ sudo sysctl fs.inotify.max_user_watches=<n>


Where <n> should be replaced with your new maximum watch limit. Writing the /proc entry directly has exactly the same effect:


$ echo <n> | sudo tee /proc/sys/fs/inotify/max_user_watches


Both forms take effect immediately, and both are lost at reboot. For a permanent change, put the line fs.inotify.max_user_watches = <n> in /etc/sysctl.conf or in a file under /etc/sysctl.d/ and load it with sysctl -p (or sysctl --system). Note that the limit is per user ID, so it is the account clamd runs as that has to stay under it, together with anything else that user has watching.
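Before raising the limit blindly, it is worth knowing how many watches the tree actually needs. The following pre-flight check is an added example, not ClamAV's own code: it counts the directories the 3D system would have to watch under a given path (one inotify watch each), compares that count with the limit read from /proc/sys/fs/inotify/max_user_watches, and produces the sysctl.d line to raise it. The 25% headroom, the sample tree it builds in a temporary directory, and all function names are assumptions made for the demo.

```python
"""Pre-flight check before pointing ClamAV 0.99 on-access scanning at a large
tree: the 3D system places one inotify watch per directory, so count the
directories and compare the count with the kernel's per-user watch limit.
Added example, not part of ClamAV; the sample tree is constructed for the demo."""
import os
import shutil
import tempfile

PROC_MAX_USER_WATCHES = "/proc/sys/fs/inotify/max_user_watches"


def count_watch_dirs(root):
    """Directories needing a watch: root plus every subdirectory. Symlinks
    are not followed, so a link pointing back up the tree cannot loop."""
    return sum(1 for _ in os.walk(root, followlinks=False))


def current_limit(path=PROC_MAX_USER_WATCHES):
    """Kernel per-UID watch limit, or None when it cannot be read (non-Linux
    host, restricted /proc). The UID that matters is the one clamd runs as."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def watch_plan(root, limit, headroom=0.25):
    """Return (needed, fits, suggested). 'needed' is today's directory count;
    'suggested' adds headroom (assumption: 25%) because 3D adds watches on the
    fly as directories appear, and the limit is shared with every other inotify
    user under the same UID. 'fits' is False when the limit is unknown."""
    needed = count_watch_dirs(root)
    suggested = max(limit or 0, int(needed * (1 + headroom)) + 1)
    fits = limit is not None and needed <= limit
    return needed, fits, suggested


def sysctl_line(value):
    """Line to drop into /etc/sysctl.d/; 'sysctl -w' alone is lost at reboot."""
    return "fs.inotify.max_user_watches = %d" % value


def build_sample_tree(base, fanout, depth):
    """Constructed sample: a full tree with fanout + fanout**2 + ... +
    fanout**depth subdirectories under base."""
    if depth == 0:
        return
    for i in range(fanout):
        sub = os.path.join(base, "d%d" % i)
        os.mkdir(sub)
        build_sample_tree(sub, fanout, depth - 1)


def demo(fanout=4, depth=3, limit=8192):
    """Build a throwaway tree (1 + 4 + 16 + 64 = 85 directories by default),
    plan against 'limit', and clean up."""
    base = tempfile.mkdtemp(prefix="onaccess-demo-")
    try:
        build_sample_tree(base, fanout, depth)
        return watch_plan(base, limit)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    needed, fits, suggested = demo(limit=current_limit())
    print("directories:", needed, "fits:", fits)
    if not fits:
        print("raise the limit, e.g.", sysctl_line(suggested))
```

Point watch_plan at the real OnAccess include path (as the clamd user) to get the number that matters; the demo tree only exists so the block runs anywhere.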


As previously mentioned, this beta release also features changes to how fanotify handles infected files. Previous versions did not leverage fanotify’s ability to block access events. We’ve tweaked things such that fanotify now prevents any infected files from being read or opened, while allowing operations on clean files to continue unimpeded. Obviously, this may be problematic in an environment with one or more false positives, thus the final 0.99 release will allow users to configure the granularity of this feature via clamd.conf.

Along these same lines, those not keen on using the new 3D system will be able to toggle it off in the final release. Doing so will have the on-access scanner fall back to setting non-recursive watchpoints. However, this beta is focused on testing the new 3D system alongside the fanotify blocking features. So for now, on-access scanning will be using the 3D system exclusively. Luckily, the configuration options for these new features are unchanged from the previous release, meaning your current clamd.conf file shouldn’t need updating, so you might as well give it a try and let us know what you think!

Wednesday, September 9, 2015

ClamAV 0.99 Beta 2 has been released!

We are pleased to announce the beta 2 of ClamAV 0.99. In addition to the features we added to 0.99 in beta 1, we've added a few more for the second beta that we'd love for you to test and provide feedback!

0.99-beta2
------

 *Highlights* for the second beta of ClamAV 0.99

  • New and improved on-access scanning for Linux. We will be showcasing a blog post in the near future about these capabilities.
  • Improved support for YARA rules including private rules, referencing other rules, and YARA "include"
  • Configurable default password list to attempt zip file decryption.
  • TIFF support.
  • ./configure options for YARA.
  • Upgrade Windows pthread library to 2.9.1.
  • A new signature target type for uncategorized files.
  • Improved fidelity of the "data loss prevention" algorithm. Code supplied by Bill Parker.

ClamAV 0.99 beta 2 is available for download from our download site under "Development Releases".

Please provide feedback on our ClamAV-Development list, found on our "Contact" page, under Mailing lists.

Please note that we are intentionally pointing you towards ClamAV.net for downloads, as we are planning on moving our permanent download location to ClamAV.net instead of SourceForge at some point in the future.  More on this transition will be published later.

Tuesday, June 16, 2015

2015 Snort Scholarship is now open!

Annually, Cisco provides a Snort Scholarship to two individuals selected at random (by drawing) in the amount of $5000 US for higher education purposes.

To be eligible, you must meet the legal criteria found here on our website (at the bottom), sign up for the scholarship here, and following that, on or about July 10, 2015, two winners will be selected.

Good Luck!

Wednesday, June 3, 2015

ClamAV 0.99b Meets YARA!

The first beta release of ClamAV 0.99 is now on SourceForge! ClamAV 0.99 has some important new features to improve malware detection.

First, ClamAV 0.99 supports YARA rules. YARA is another popular open source project for malware detection, analysis, and classification. YARA rules, in a nutshell, contain a list of strings and a powerful logical expression called the YARA condition. A YARA condition is typically composed of logical operations upon the YARA rule’s strings, with many other condition operators available as well. YARA strings come in three flavors: literal text strings (with modifier keywords NOCASE, FULLWORD, WIDE and ASCII), hexadecimal (including wildcard and alternates, similar to substrings in ClamAV’s logical signatures), and regular expressions. The full documentation about YARA rules may be found at http://plusvic.github.io/yara/.

One of the key benefits ClamAV brings to YARA is leveraging ClamAV’s myriad file decomposition capabilities. This enables YARA rules to automatically match on malware residing in any of the compression, archive, document, or packer formats provided by ClamAV.

Using YARA rules with ClamAV is simple - just place your YARA rule files into the ClamAV virus database location. This is /usr/local/share/clamav by default. Alternatively, you can place them in other locations and reference them with the "--database" command line option for clamscan or the clamd.conf "DatabaseDirectory" parameter if you are using clamd and clamdscan.

Additionally in ClamAV 0.99, we have added regular expression support to ClamAV’s logical signatures. This will enable signature authors to more readily reuse regular expression constructs from the Snort rule collection, thus providing more powerful malware detection for ClamAV.

Regular expressions in both YARA rules and ClamAV logical signatures require the Perl Compatible Regular Expressions (PCRE) library. Please ensure PCRE is installed on your system when configuring ClamAV. ClamAV configuration will automatically look for PCRE in /usr/lib and /usr/local/lib. If you have PCRE installed in a different location, use './configure --with-pcre=DIR' to specify the resident PCRE directory.

There are currently a few limitations of YARA rules within ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA features that did not fit well into the ClamAV processing model. We hope to further evaluate and include as much of this functionality as possible in subsequent releases. YARA rules using any of the following features will be flagged in error, and the respective rules will be disabled:
  • Single byte YARA string components – currently in the ClamAV matcher, all strings, as well as components of strings delimited by wild cards, must be at least two bytes in length
  • External variables – variables referenced in YARA conditions whose value may be set using the 'yara -d' command line option.
  • Private rules – YARA rules which do not trigger by themselves. They are intended to match only when referenced by other YARA rules. These use the private keyword.
  • Global rules – YARA rules whose conditions are intended to be in effect for all other YARA rules. These use the global keyword.
  • Modules – A YARA feature intended to provide modular extensions to the YARA core. Modules are normally activated using the import keyword.
  • Rules precompiled with the YARA compiler – ClamAV only reads YARA rules in the original source form.
  • Rule tags – intended to provide a results filtering mechanism by specifying tag names on YARA rules and then using the 'yara -t' command to name the matching rule tags of interest.
  • References to other rules – intended to use the results from other YARA rules in a YARA condition.
  • YARA rules containing only a YARA condition – YARA rules in ClamAV currently must contain at least one string.
So, give it a try, we would love to get your comments and feedback! Please download ClamAV 0.99 “beta 1” from http://sourceforge.net/projects/clamav/files/beta/0.99-beta1/. Some YARA rules may be found at http://yararules.com/.
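Before dropping a rule set into the database directory, it helps to know which rules this beta will reject. The following lint is an added example written for this post, not ClamAV's or YARA's own code: it scans rule source with regular expressions for the features listed above (private and global modifiers, module imports, tags, condition-only rules, single-byte text strings and hex components, and bare identifiers in a condition, which are either external variables, module fields or references to other rules). The rules in SAMPLE are constructed for the demo, and the keyword table is an assumption that covers common conditions rather than the whole YARA grammar. Note that beta 2 (see the September 9 post above) relaxed the private-rule, rule-reference and include limitations, so treat those findings as version-dependent.

```python
"""Heuristic lint of YARA rule source against the ClamAV 0.99 beta1
limitations. Added example, not ClamAV's or YARA's own code; it uses
regular expressions rather than a YARA parser, so treat it as a pre-check."""
import re

# Condition keywords and builtins. Assumption: enough for a lint, not the grammar.
KEYWORDS = {
    "and", "or", "not", "all", "any", "of", "them", "at", "in", "for",
    "filesize", "entrypoint", "true", "false", "contains", "matches",
    "int8", "int16", "int32", "uint8", "uint16", "uint32",
    "int8be", "int16be", "int32be", "uint8be", "uint16be", "uint32be",
}
RULE_HDR = re.compile(r'^\s*((?:(?:private|global)\s+)+)?rule\s+(\w+)\s*(:[^{]*)?\{', re.M)
STRING_DEF = re.compile(r'(\$\w*)\s*=\s*("(?:\\.|[^"\\])*"|\{[^}]*\}|/(?:\\.|[^/\\])+/)')
# Bare identifiers in a condition: not $s/#s/@s/!s, not a field after '.', not inside 0x5A.
IDENT = re.compile(r'(?<![$#@!.\w])[A-Za-z_]\w*')


def text_len(body):
    """Byte length of a text string; \\xNN and \\c escapes count as one byte."""
    return len(re.findall(r'\\x[0-9A-Fa-f]{2}|\\.|.', body))


def hex_min_component(body):
    """Shortest fixed run of bytes in a hex string. '??' bytes, [n-m] jumps and
    (a|b) alternation split runs; a nibble wildcard like 'A?' still counts as a
    byte. ClamAV's matcher needs every run to be at least two bytes."""
    tokens = re.findall(r'\[[^\]]*\]|[()|]|[0-9A-Fa-f?]{2}', re.sub(r'\s+', '', body))
    shortest, run = None, 0
    for tok in tokens + ['|']:                    # sentinel flushes the last run
        if len(tok) == 2 and tok != '??':
            run += 1
            continue
        if run:
            shortest = run if shortest is None else min(shortest, run)
        run = 0
    return shortest or 0


def lint(source):
    """Map each rule name ('<file>' for file-level issues) to the features
    ClamAV 0.99 beta1 would reject it for."""
    imports = re.findall(r'^\s*import\s+"([^"]+)"', source, re.M)
    report = {'<file>': ['module import ' + m for m in imports]}
    heads = list(RULE_HDR.finditer(source))
    names = {h.group(2) for h in heads}
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(source)
        body = source[h.end():end]
        problems = [mod + ' rule' for mod in (h.group(1) or '').split()]
        if h.group(3):
            problems.append('rule tags')
        strings = re.search(r'strings:(.*?)condition:', body, re.S)
        cond = re.search(r'condition:(.*)', body, re.S)
        if strings is None:
            problems.append('condition-only rule (no strings section)')
        else:
            for ident, val in STRING_DEF.findall(strings.group(1)):
                if val[0] == '"' and text_len(val[1:-1]) < 2:
                    problems.append(ident + ': single-byte text string')
                elif val[0] == '{' and hex_min_component(val[1:-1]) < 2:
                    problems.append(ident + ': hex component shorter than two bytes')
        if cond is not None:
            ctext = re.sub(r'"(?:\\.|[^"\\])*"', '', cond.group(1))   # drop string literals
            loop_vars = set(re.findall(r'\bfor\s+(?:any|all|\d+)\s+(\w+)\s+in', ctext))
            for ident in sorted(set(IDENT.findall(ctext))):
                if ident in KEYWORDS or ident in loop_vars:
                    continue
                kind = 'reference to rule ' if ident in names else 'external variable or module field '
                problems.append(kind + ident)
        report[h.group(2)] = problems
    return report


# Constructed sample rules exercising each limitation (not real detections).
SAMPLE = r'''
import "pe"
rule mz_header {
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}
private rule helper {
    strings:
        $a = "A"
        $h = { 4D ?? 5A 90 }
    condition:
        $a or $h
}
rule uses_external : ioc {
    strings:
        $x = "payload"
    condition:
        $x and filesize < 2MB and ext_var == 1 and helper
}
rule cond_only {
    condition:
        uint16(0) == 0x5A4D
}
'''
```

Running lint(open("rules.yar").read()) and printing the dictionary tells you, per rule, what to rewrite before the rule lands in /usr/local/share/clamav; precompiled .yarc files are not covered because they are not text.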

Monday, May 18, 2015

Lurker is going End of Life

For years, we've had a system named "Lurker" that displayed the archives for our mailing lists. Those archives are actually kept in two places, on Lurker and on mailman itself, so we've decided to End of Life the Lurker machine in favor of the mailman system.

The most common place that links to lurker directly is inside of the notification emails that are sent to malware submitters when coverage is written as well as the clamav-virusdb list when the db updates are pushed.

We plan on bringing Lurker down and changing the links in the alert emails on Friday, May 22, 2015.

Please be patient with us as we remove this system from the ClamAV network.

Wednesday, May 13, 2015

Create your own ClamAV signatures with CASC!

The ClamAV community is growing and we are receiving more user-generated ClamAV signatures through our community signatures mailing list. Thanks to all who have contributed! For those who find the task of writing your own signatures daunting, we have created something you may be interested in.

To aid users in developing better ClamAV signatures faster, I've created the ClamAV Signature Creator (CASC), an IDA Pro plug-in. A quick and easy installation into IDA Pro 6.7 or higher (reduced feature set for IDA Pro 6.6) will have you creating basic ClamAV ndb and ldb signatures in no time. CASC allows users to select aspects of a sample's disassembly, a function block, or a set of strings to create a sub-signature. Each sub-signature can contain user-defined notes to keep track of information contained within the sub-signature. Once you've selected enough sub-signatures to get the job done, or as many as your heart desires, a ClamAV signature can be created from one or more sub-signatures.

Check out this IDA Pro plug-in on Github and its wiki for documentation.

Wednesday, April 29, 2015

TeslaCrypt -- You can now decrypt it yourself!

TeslaCrypt, another malware family in the list of "lockers" that have come out (CryptoLocker, CryptoWall, etc.), is being dropped constantly by several methods, infecting machines and generally making people's lives terrible.

That being said, a couple of researchers here on the ClamAV team at Talos took a look at this malware, broke it down with an explanation, and even released a tool to decrypt TeslaCrypt-locked drives yourself.

We've released the tool on our blog post, to include the source code (Open Source, GPLv2), and will be placing the code on our Github page soon.

Please take a look at this blog post if you've been a victim of TeslaCrypt, and if you have comments please leave them on the blog post over on our Talos blog!

Thanks!

ClamAV 0.98.7 has been released!

ClamAV 0.98.7 is here! This release contains new scanning features
and bug fixes.

    - Improvements to PDF processing: decryption, escape sequence
      handling, and file property collection.
    - Scanning/analysis of additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple of crashes on crafted upack packed file. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file.
      This was reported by Dimitri Kirchner and Goulven Guiheux.
      CVE-2015-2668.
    - Fix compilation error after ./configure --disable-pthreads.
      Reported and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305.
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.

As always, we appreciate contributions of bug reports, code fixes,
and sample submissions from the ClamAV community members:

Sebastian Andrzej Siewior
Minzhaun Gong
Dimitri Kirchner
Goulven Guiheux
John E. Krokes
Kai Risku

ClamAV 0.98.7 is available from ClamAV.net on the downloads page.

Wednesday, February 25, 2015

What to do with MD5 checksums of files provided as an Indicator of Compromise?

I spotted this article over on thepcn3rd blog: a really simple write-up on how to generate ClamAV detection quickly given an MD5 for a malicious file.

As I have researched malware and the indicators of compromise, an MD5 checksum of the files is provided so that you can detect them in your environment. I am not sure about your anti-virus, but I am not able to plug in an MD5 and have it search for them across the enterprise as it does its scan.
The blog highlights a great point about ClamAV and Open Source, the ability to generate your own detection!

Take a look at the blog here.
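As an added example (not ClamAV's code and not the linked post's), here are the mechanics of the approach in Python. The .hdb hash-signature format, md5:size:name, is ClamAV's own and is exactly what 'sigtool --md5 FILE' prints; the indicator entries and sample blobs below are constructed, and scan_blobs stands in for 'clamscan -d local.hdb' so the logic can run without ClamAV installed. The catch a practitioner hits is the size field: an IOC report usually gives only the MD5, so you need either the sample's length or the '*' size wildcard that newer ClamAV versions accept (check signatures.pdf for your version before relying on it).

```python
"""Turn MD5 indicators into ClamAV hash signatures and check files against
them. Added example, not ClamAV's code or the linked post's. What is ClamAV's:
the .hdb line format md5:size:name, the same thing 'sigtool --md5 FILE' prints.
The indicator set and sample blobs are constructed; scan_blobs stands in for
'clamscan -d local.hdb' so the logic runs without ClamAV installed."""
import hashlib
import re

# Assumption: keep malware names to this alphabet so ':' and spaces can never
# break the colon-separated line.
NAME_OK = re.compile(r'^[A-Za-z0-9._-]+$')


def hdb_entry(md5, size, name):
    """One .hdb line. 'size' is the file length in bytes; '*' is the size
    wildcard newer ClamAV versions accept (check signatures.pdf for the
    minimum version before relying on it)."""
    md5 = md5.lower()
    if not re.fullmatch(r'[0-9a-f]{32}', md5):
        raise ValueError("not an MD5 hex digest: %r" % md5)
    if size != '*' and (not isinstance(size, int) or size < 0):
        raise ValueError("size must be a non-negative int or '*'")
    if not NAME_OK.match(name):
        raise ValueError("malware name has characters hdb cannot carry: %r" % name)
    return "%s:%s:%s" % (md5, size, name)


def hdb_entry_for_bytes(data, name):
    """What 'sigtool --md5' computes when you do have the sample in hand."""
    return hdb_entry(hashlib.md5(data).hexdigest(), len(data), name)


def load_hdb(text):
    """Parse .hdb text into {(md5, size): name}; blank and '#' lines are skipped."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        md5, size, name = line.split(':', 2)
        db[(md5.lower(), size if size == '*' else int(size))] = name
    return db


def scan_blobs(blobs, db):
    """Match {label: bytes} the way a hash signature does: exact size when
    one is given, else the '*' wildcard, then MD5. Returns {label: name}."""
    hits = {}
    for label, data in blobs.items():
        digest = hashlib.md5(data).hexdigest()
        name = db.get((digest, len(data))) or db.get((digest, '*'))
        if name:
            hits[label] = name
    return hits


# Constructed indicator set: one hash with a known size, one without.
IOC_HDB = "\n".join([
    "# constructed sample data, not a real IOC report",
    hdb_entry("5eb63bbbe01eeed093cb22bb8f5acdc3", 11, "Test.IOC.HelloWorld"),
    hdb_entry("d41d8cd98f00b204e9800998ecf8427e", "*", "Test.IOC.Empty"),
])
SAMPLES = {                                   # constructed, not malware
    "hello.bin": b"hello world",
    "empty.bin": b"",
    "benign.bin": b"hello world\n",
}


def demo():
    """Scan the constructed samples against the constructed indicator set."""
    return scan_blobs(SAMPLES, load_hdb(IOC_HDB))


if __name__ == "__main__":
    for label, name in demo().items():
        print("%s: %s FOUND" % (label, name))
```

Write the generated lines to a file with a .hdb extension in the database directory (or pass it with clamscan -d) and ClamAV will load it alongside the official signatures; the one-byte difference in benign.bin shows why the match is exact rather than fuzzy.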

Monday, February 2, 2015

ClamAV wins the "Community Choice" award for February!

We are honored to announce to our community that ClamAV was chosen for the "Community Choice" award on Sourceforge for the month of February!

A big thanks goes out to all of our users for voting for us, and we look forward to many new innovations in upcoming releases!

An excerpt:

For our February “Community Choice” Project of the Month, the community elected ClamAV, a GPL antivirus toolkit for UNIX that integrates with mail servers. The ClamAV team shared their thoughts about the project’s history, purpose, and direction.
Read our interview over on Sourceforge's webpage for our answers!

Tuesday, January 27, 2015

ClamAV 0.98.6 has been released!

ClamAV 0.98.6 is a bug fix release correcting the following:

  • library shared object revisions.
  • installation issues on some Mac OS X and FreeBSD platforms.
  • includes a patch from Sebastian Andrzej Siewior making ClamAV pid files compatible with systemd.
  • Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team.
  • Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team.
  • Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab.
  • Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. CVE-2014-9328.
  • Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior.


Thanks to the following ClamAV community members for code submissions
and bug reporting included in ClamAV 0.98.6:

Sebastian Andrzej Siewior
Felix Groebert
Kevin Szkudlapski
Mark Pizzolato
Daniel J. Luke

Please download the latest release of ClamAV, 0.98.6, from our download page.

Thursday, January 8, 2015

Detection and Prevention of malware upload in Gravity Forms with ClamAV

A nice article over on Kris Chase's blog about the Detection and Prevention of malware uploaded into Gravity Forms with ClamAV.

One of the best and most widely used form building plugins for WordPress is gravity forms.  If you’ve ever needed to allow users to upload files to your site, but you want to make sure those files are not harmful, the following tutorial will help you with just that!

Check out the blog post.