Monday, December 18, 2017

Welcome to ClamAV 0.99.3's beta2 release. In this release, we have included many code
submissions from the ClamAV community:

  • Interfaces to the Prelude SIEM open source package for collecting ClamAV virus events.
  • Visual Studio 2015 for building Microsoft Windows binaries.
  • Support for libmspack, either as internal code or as a shared object library. The internal library is the default and contains additional integrity checks.
  • Linking with openssl 1.1.0.
  • Numerous code patches, typos, and compiler warning fixes.

Additionally, we have introduced important changes and new features in
ClamAV 0.99.3, including:

  • Deprecating internal LLVM code support. The configure script has changed to search the system for an installed instance of the LLVM development libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode signatures. To use the LLVM Just-In-Time compiler for executing bytecode signatures, please ensure that the LLVM development package at version 3.6 or lower is installed. Using the deprecated LLVM code is possible with the command: './configure --with-system-llvm=no', but it no longer compiles on all platforms.
  • Compute and check PE import table hash (a.k.a. "imphash") signatures.
  • Support file property collection and analysis for MHTML files.
  • Raw scanning of PostScript files.
  • Fix clamsubmit to use the new virus and false positive submission web interface.
  • Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when size limitations are exceeded.
  • Improve decoders for PDF files.


The ClamAV community thanks the following individuals for their ClamAV 0.99.3
code submissions:

Sebastian Andrzej Siewior
Keith Jones
Bill Parker
Chris Miserva
Daniel J. Luke
Matthew Boedicker
Ningirsu
Michael Pelletier
Anthony Chan
Stephen Welker
Marc Deslauriers
Mark Allan
Andreas Schulze
Jonas Zaddach
Georgy Salnikov

We are releasing beta2 for further testing while we resolve our small list of known issues in the background as we prepare for "General Availability". If you have the ability to download and use beta2 on your network, please do. Thanks!

Wednesday, November 1, 2017

ClamAV Community --

ClamAV is currently experiencing an issue with one of our sync servers that provides updates from our infrastructure out to the ClamAV mirrors.

Since end-users receive their updates from the ClamAV mirrors, this means that ClamAV updates are currently not available.

Our operations team is currently working on the issue, and we will provide updates as needed.

Monday, October 9, 2017


Hello everyone! My name is Tom McCourt, a newer member of ClamAV on Joel Esler's team here at Cisco. I hope the community is doing great. I wanted to inform everyone that a survey was created to help gather some information on operating systems and provide some feedback. Here on the ClamAV team, we want to determine which operating systems and architectures are in use so that we can make better use of our development cycles, increase our releases, and make ClamAV a better product overall. To do this, we need your help!

The survey can be found at the link below:



There are about 2 weeks left before we close the survey, so be sure to help out and submit some information. I will be idling in the #clamav IRC channel to assist or talk with the community about what they want to see in the future of the product.

IRC info:
irc.freenode.net
#clamav

My name on IRC is Wookiee

Thursday, September 14, 2017

As we ramp up feature planning for the next version of ClamAV, and having overcome (for the most part) the recent turmoil with the mirror system, we decided it would be a fantastic idea to send out a survey to the ClamAV community to gather your thoughts on what you'd like to see in the engine.


We have a lot of fantastic ideas and goals ourselves on making ClamAV more reliable, easier to install, and better to use -- but we want to hear from you!

https://www.research.net/r/WZH2NL5

Please take a look at this survey over on SurveyMonkey, and please give us feedback!

Wednesday, August 23, 2017

This morning, we became aware of an issue with our ClamAV mirror infrastructure that was causing some freshclam instances to fail when trying to download the current updates.

This was a result of one of our mirror sync hosts experiencing an issue.  This was resolved by stopping and restarting all services on the machine.

Currently the sync server is healthy, and all requests should be handled normally.

We apologize for any inconvenience this may have caused, and are working to prevent this from occurring in the future.

Thursday, August 3, 2017

Join us as we welcome ClamAV 0.99.3 beta for testing! Be sure to grab the beta release on our official ClamAV download site.

Welcome to ClamAV 0.99.3. In this release, we have included many code
submissions from the ClamAV community:

  • Interfaces to the Prelude SIEM open source package for collecting ClamAV virus events.
  • Visual Studio 2015 for building Microsoft Windows binaries.
  • Support for libmspack, either as internal code or as a shared object library. The internal library is the default and contains additional integrity checks.
  • Linking with openssl 1.1.0.
  • Numerous code patches, typos, and compiler warning fixes.


Additionally, we have introduced important changes and new features in
ClamAV 0.99.3, including:

  • Deprecating internal LLVM code support. The configure script has changed to search the system for an installed instance of the LLVM development libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode signatures. To use the LLVM Just-In-Time compiler for executing bytecode signatures, please ensure that the LLVM development package at version 3.6 or lower is installed. Using the deprecated LLVM code is possible with the command: './configure --with-system-llvm=no', but it no longer compiles on all platforms.
  • Compute and check PE import table hash (a.k.a. "imphash") signatures.
  • Support file property collection and analysis for MHTML files.
  • Raw scanning of PostScript files.
  • Fix clamsubmit to use the new virus and false positive submission web interface.
  • Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when size limitations are exceeded.
  • Improve decoders for PDF files.
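The import table hash listed above is an MD5 over a normalized listing of a PE file's imports, so a signature on it matches any binary that imports the same functions from the same modules, however they are spelled. The following Python is an added example, not ClamAV's code: it applies the usual normalization (lower-case, strip .dll/.ocx/.sys, resolve well-known ordinals) to a constructed import table; the ordinal table is only a small excerpt and the sample tables are made up for the demonstration.

```python
import hashlib

# Small excerpt of the ordinal-to-name table that imphash tooling applies to
# DLLs commonly imported by ordinal (ws2_32 shown); unlisted ordinals fall
# back to the generic "ordN" spelling.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"},
}

def normalize_dll(dll):
    """Lower-case the module name and strip a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name

def import_strings(imports):
    """imports: (dll, function name or None, ordinal or None) tuples.
    Returns the 'dll.func' tokens that get hashed, in import-table order."""
    tokens = []
    for dll, func, ordinal in imports:
        lib = normalize_dll(dll)
        if func is None:
            if ordinal is None:
                raise ValueError("an import needs a name or an ordinal")
            func = ORDINAL_NAMES.get(lib, {}).get(ordinal, "ord%d" % ordinal)
        tokens.append("%s.%s" % (lib, func.lower()))
    return tokens

def imphash(imports):
    """MD5 of the comma-joined tokens: the value an imphash signature matches."""
    return hashlib.md5(",".join(import_strings(imports)).encode()).hexdigest()

# Constructed sample import tables (not taken from any real binary).
SAMPLE_A = [
    ("KERNEL32.DLL", "GetProcAddress", None),
    ("KERNEL32.DLL", "LoadLibraryA", None),
    ("WS2_32.dll", None, 23),      # imported by ordinal -> "socket"
    ("user32.dll", None, 9999),    # unknown ordinal -> "ord9999"
]
# The same imports spelled differently: must produce an identical hash.
SAMPLE_B = [
    ("kernel32", "GETPROCADDRESS", None),
    ("Kernel32.DLL", "loadlibrarya", None),
    ("ws2_32.DLL", "socket", None),
    ("USER32.DLL", None, 9999),
]
```

Because the hash depends on import order as well as content, a repacked or re-linked sample can change it; it is a clustering aid for families sharing one build, not a substitute for pattern signatures.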


The ClamAV community thanks the following individuals for their ClamAV 0.99.3 code submissions:

Sebastian Andrzej Siewior
Keith Jones
Bill Parker
Chris Miserva
Daniel J. Luke
Matthew Boedicker
Ningirsu
Michael Pelletier
Anthony Chan
Stephen Welker

Following are issues discovered during release testing. For additional information, please review the corresponding tickets on bugzilla.clamav.net:

11879 - cli_scanmscan() Failed to extract 4 in Windows beta when scanning cab files
11882 - ./configure does not automatically detect libxml2 on FreeBSD 10.3 and 11.0
11884 - 'sudo make install' on FreeBSD 10.3 and 11.0 leaves files owned by root, subsequent make command fails
11885 - clamsubmit not building on FreeBSD 10.3 and 11.0
11887 - Failures of 'make check VG=1' on FreeBSD 10.3 and 11.0

We ask that feedback be provided via the ClamAV mailing lists.

Monday, June 19, 2017

ClamAV Users --

Please take a look at the newest open source project from Cisco Talos, released entirely for the ClamAV audience: the BASS Automated Signature Synthesizer.



A short preview of the blog post linked above:

BASS (pronounced "bæs") is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker. 
Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS. You can find source code for BASS here:
https://github.com/Cisco-Talos/bass

Please check out our project, play with it, use it, and help us improve it.

Wednesday, June 7, 2017

As promised, we were able to ship a new Main.cvd and the cdiff for the main.cvd a few minutes ago.

It should have hit the mirrors in the past few minutes. As always, this will increase the amount of traffic on the mirrors from people downloading the file, and should settle down within the next 12-24 hours.

I’d like to thank our Signature team for working late into the night the past several days in order to get this out on time!

We have tested this Main.cvd and cdiff on all currently supported versions of ClamAV. Please let us know via the clamav-users list if there are any problems.

Tuesday, May 16, 2017

We are currently planning on cutting a new Main.cvd on Wednesday, June 7th, 2017.  After the new Main.cvd is published the "daily" load on the mirrors and your networks should be much lighter.

As always, this will result in a period of heavy downloading following the release, and lighter loads from smaller "daily" cvds after.

We will post an estimated size in an updated post.

Wednesday, February 22, 2017

We took note of this article over on the NVISO Labs blog that basically starts off like this:

Did you know the open-source anti-virus ClamAV supports YARA rules? What benefits can this bring to us? One of the important features ClamAV has is the file decomposition capability. Say that the file you want to analyze resides in an archive, or is a packed executable, then ClamAV will unarchive/unpack the file, and run the YARA engine on it.

A lot of people actually don't know this. But NVISO wrote a great article on it, and it is definitely worth the read if you are interested in doing some hunting with YARA content in ClamAV.

Friday, February 10, 2017

Yesterday, several articles came out through various publications regarding a piece of malware named "MacDownloader".  It appears to be specifically targeting the Defense Industry. Several other research firms attribute the malware to Iranian attackers.

For more information we are publishing links to several blogs below:

https://blog.malwarebytes.com/threat-analysis/2017/02/macdownloader-malware-targeting-defense-industry/
http://www.csoonline.com/article/3167249/security/mac-malware-possibly-made-in-iran-targets-us-defense-industry.html

and finally the original blog:

https://iranthreats.github.io/resources/macdownloader-macos-malware/

Our ClamAV auto detection scripts have published detection for this already:

Osx.Downloader.MacDownloader-5781857-0

Please ensure you are scanning your machines regularly!