Monday, September 14, 2020

With your feedback on previous candidates, the official release of ClamAV version 0.103.0 is available now on our Downloads page.

ClamAV 0.103.0 highlights

With your feedback on the previous candidates, we've fixed these additional issues:

  • The freshclam PID file was not readable by other users in previous release candidates but is now readable by all.
  • An issue with how freshclam was linked with the autotools build system caused SysLog settings to be ignored.
  • The real-path checks introduced to clamscan and clamdscan in 0.102.4 broke scanning of some files with Unicode filenames and files on network shares for Windows users.
Thanks to the users for your help in fixing these bugs.

Major changes

  • clamd can now reload the signature database without blocking scanning. This multi-threaded database reload improvement was made possible thanks to a community effort.
    • Non-blocking database reloads are now the default behavior. Some systems that are more constrained on RAM may need to disable non-blocking reloads, as it will temporarily consume double the amount of memory. We added a new clamd config option ConcurrentDatabaseReload, which may be set to no.
Special thanks to those who made this feature a reality:
  • Alberto Wu
  • Alexander Sulfrian
  • Arjen de Korte
  • David Heidelberg
  • Ged Haywood
  • Julius Plenz
  • Michael Orlitzky

Notable changes

  • The DLP module has been enhanced with additional credit card ranges and a new engine option that allows ClamAV to alert only on credit cards (and not, for instance, gift cards) when scanning with the DLP module. John Schember developed this feature, with input from Alexander Sulfrian.
  • We added support for Adobe Reader X PDF encryption and overhauled the PNG-scanning tool to detect PNG-specific exploits. We also made a major change to GIF parsing that now makes it more tolerant of problematic files and adds the ability to scan overlays, all thanks to work and patches submitted by Aldo Mazzeo.
  • clamdtop.exe is now available for Windows users. The functionality is somewhat limited when compared to clamdtop on Linux. PDCurses is required to build clamdtop.exe for ClamAV on Windows.
  • The phishing detection module will now print "Suspicious link found!" along with the "Real URL" and "Display URL" each time ClamAV detects phishing. In a future version, we would like to print out alert-related metadata like this at the end of a scan, but for now, this detail will help users understand why a given file is being flagged as phishing.
  • Added new *experimental* CMake build tooling. CMake is not yet recommended for production builds. Our team would appreciate any assistance improving the CMake build tooling so we can one day deprecate autotools and remove the Visual Studio solutions.
    • Please see the new CMake installation instructions found in INSTALL.cmake.md for detailed instructions on how to build ClamAV with CMake.
  • Added --ping and --wait options to the clamdscan and clamonacc client applications.
    • The --ping (-p) command will attempt to ping clamd up to a specified maximum number of attempts at an optional interval. If the interval isn't specified, a default one-second interval is used. It will exit with status code `0` when it receives a PONG from clamd or status code `21` if the timeout expires before it receives a response.
Example:
  • clamdscan -p 120 will attempt to ping clamd 120 at a one-second interval.
    • The --wait (-w) command will wait up to 30 seconds for clamd to start. This option may be used in tandem with the --ping option to customize the max # of attempts and the attempt interval. As with --ping, the scanning client may exit with status code 21 if the timeout expires before a connection is made to clamd.
Example:
  • clamdscan -p 30:2 -w <file> will attempt a scan, waiting up to 60 seconds for clamd to start and receive the scan request.
    • The ping-and-wait feature is particularly useful for those wishing to start clamd and start clamonacc at startup, ensuring that clamd is ready before clamonacc starts. It is also useful for those wishing to start clamd immediately before initiating scans with clamdscan rather than having the clamd service run continuously.
  • Added Excel 4.0 (XLM) macro detection and extraction support. Significantly improved VBA detection and extraction as well. Work courtesy of Jonas Zaddach.
    • This support not yet added to sigtool, as the VBA extraction feature in sigtool is separate from the one used for scanning and will still need to be updated or replaced in the future.
  • Improvements to the layout and legibility of temp files created during a scan. Improvements to legibility and content of the metadata JSON generated during a scan.
To review the scan temp files and metadata JSON, run:

  clamscan --tempdir=<path> --leave-temps --gen-json <target>

Viewing the scan temp files and metadata.json file provides some insight into how ClamAV analyzes a given file and can also be useful to analysts for the initial triage of potentially malicious files.

Other improvements

  • Added ability for freshclam and clamsubmit to override default use of OpenSSL CA bundle with a custom CA bundle. On Linux/Unix platforms (excluding macOS), users may specify a custom CA bundle by setting the CURL_CA_BUNDLE environment variable. On macOS and Windows, users are expected to add CA certificates to their respective system's keychain/certificate store. Patch courtesy of Sebastian A. Siewior.
  • clamscan and clamdscan now print the scan start and end dates in the scan summary.
  • The clamonacc on-access scanning daemon for Linux now installs to sbin instead of bin.
  • Improvements to the freshclam progress bar to ensure the text does not shift around as information changes. The bar will not exceed 80 characters, even on very slow connections. Time is now displayed in Xm XXs (or Xh XXm) for values of 60 seconds or longer. The bytes display now changes units at the proper 1024 B/KiB instead of 2048 B/KiB. Patch courtesy of Zachary Murden.
  • Improve column alignment and line wrap rendering for clamdtop. Also fixed an issue on Windows where clamdtop would occasionally disconnect from clamd and fail to reconnect. Patch courtesy of Zachary Murden.
  • Improvements to the AutoIT parser.
  • Loosened the curl version requirements in order to build and use clamonacc. You may now build ClamAV with any version of libcurl. However, clamonacc's file descriptor-passing (FD-passing) capability will only be available with libcurl 7.40 or newer. FD-passing is ordinarily the default way to perform scans with clamonacc, as it is significantly faster than streaming.
  • Added LZMA and BZip2 decompression routines to the bytecode signature API.
  • Disabled embedded type recognition for specific archive and disk image file types. This change reduces file type misclassification and improves scan time performance by reducing duplicated file scanning.
  • Use pkg-config to detect libpcre2-8 before resorting to pcre2-config or pcre-config.
    Patch courtesy of Michael Orlitzky.

Bug fixes

  • Fixed issue scanning directories on Windows with clamdscan.exe that was introduced when mitigating against symlink quarantine attacks.
  • Fixed behavior of freshclam --quiet option. Patch courtesy of Reio Remma.
  • Fixed behavior of freshclam's OnUpdateExecute, OnErrorExecute, and OnOutdatedExecute config options on Windows when in daemon-mode so it can handle multiple arguments. Patch courtesy of Zachary Murden.
  • Fixed an error in the heuristic alert mechanism that would cause a single detection within an archive to alert once for every subsequent file scanned, potentially resulting in thousands of alerts for a single scan.
  • Fixed clamd, clamav-milter, and freshclam to create PID files before dropping privileges, to avoid the possibility of an unprivileged user from changing the PID file so that a service manager will kill a different process. This change does make the services unable to clean up the PID file on exit.
  • Fixed the false positive (.fp) signature feature. In prior versions, the hash in a false positive signature would be checked only against the current layer of a file being scanned. In 0.103, every file layer is hashed, and the hashes for each in the scan recursion list are checked. This ensures that .fp signatures containing a hash for any layer in the scan leading up to the alert will negate the alert.
    • As an example, a hash for a zip containing the file which alerts would not prevent the detection in prior versions. Only the hash of the embedded file would work. For some file types where the outermost is always an archive, eg. docx files, this made .fp signatures next to useless. For certain file types where the scanned content was a normalized version of the original content, eg. HTML, the normalized version was never hashed and this meant that .fp signatures never worked.
  • Fixed Trusted & Revoked Windows executable (PE) file signature rules (.crb) maximum functionality level (FLEVEL) which had been being treated as the minimum FLEVEL. These signatures enable ClamAV to trust executables that are digitally signed by trusted publishers or to alert on executables signed with compromised signing-certificates. The minimum and maximum FLEVELS enable or disable signatures at load time depending on the current ClamAV version.
  • Fixed a bug wherein you could not build ClamAV with --enable-libclamav-only if curl was not installed on the system.
  • Various other bug fixes, improvements and documentation improvements.

New Requirements

  • Autotools (automake, autoconf, m4, pkg-config, libtool) are now required to build from a Git clone because the files generated by these tools have been removed from the Git repository. To generate these files before you compile ClamAV, run autogen.sh. Users building with autotools from the release tarball should be unaffected.

Acknowledgments

The ClamAV team thanks the following individuals for their code submissions:

  • Aldo Mazzeo
  • Ángel
  • Antonino Cangialosi
  • Clement Lecigne
  • Jamie Biggar
  • Jan Smutny
  • Jim Klimov
  • John Schember
  • Jonathan Sabbe
  • lutianxiong
  • Michael Orlitzky
  • Reio Remma
  • Sebastian A. Siewior
  • Zachary Murden 


Tuesday, September 1, 2020

Thanks to everyone who looked at our first release candidate for ClamAV 0.103.0 over the past few weeks. With your help, we found and fixed a few major issues. 

To make sure everything is in order, we published a second release candidate for ClamAV 0.103.0 Tuesday evening.

This second release candidate fixes a couple major issues and a handful of other issues that were reported these past two weeks. Some notable bug fixes and improvements added since our first release candidate include:

  • Fixed clamd and clamav-milter service/daemon start issue when starting as root and switching users. This issue discussed in the mailing list and reported on Bugzilla.
  • Fixed a build issue when libcheck is not installed. This issue reported on Bugzilla.
  • Fixed a Windows issue using the clamscan.exe & clamdscan.exe's --remove option. This issue reported on Bugzilla.
  • Added pkg-config support for finding pcre2 and ncurses when using the Autotools build system. pcre2 pkg-config support contributed by Michael Orlitzky via GitHub.com.
  • Reverted the change that requires Bison & Flex when building from a Git clone. Bison & Flex-generated sources will remain in our Git repository. When building with CMake, they can be re-generated by enabling "maintainer mode."
  • Fixed bugs in the ARJ and XAR archive parsers.

To see the full list of changes new in ClamAV 0.103, please see the 0.103.0-rc1 announcement.

Once again, we would very much appreciate your time evaluating this second release candidate. Please share your experience with us on the ClamAV mailing list, in #clamav on irc.freenode.net, or on our Discord, which is bridged with our IRC. Please continue to submit bugs to our Bugzilla

Tuesday, August 18, 2020

Today, we are pleased to announce the ClamAV 0.103.0 release candidate.

Please help us validate this release. We need your feedback, so let us know what you find and join us on the ClamAV mailing list, in #clamav on irc.freenode.net, or on our Discord, which is bridged with our IRC.

Please submit bugs to our Bugzilla

ClamAV 0.103.0 includes the following improvements and changes.

Monday, July 27, 2020

During a recent review of file downloads from our ClamAV CDN network, we've noticed hundreds of IPs that seem to be downloading the daily.cvd and the main.cvd thousands of times a day.

There are about a dozen IPs that are downloading those to files more than 40,000 times a day. This is causing us to transfer about 250TB of data a day. We would encourage any users still doing this to cease as soon as possible. Not only does it waste our bandwidth — as we have much more efficient ways of downloading the updates — but it also wastes your bandwidth, as well.

Freshclam has the ability to download partial files of updates (called cdiffs).  Which are smaller, more incremental updates to the database. This allows users, and us, to manage our downloads in a much more efficient manner. We often receive the complaint, "I have to download the daily.cvd and main.cvd with Python and move the updates to an off-internet system."  That's fine — it's a use case we support. However, you can do the same with freshclam and the small cdiffs.

Furthermore, we also only release updates once a day.  Reducing the number of updates you check for (and, subsequently, download we assume through a crontab or periodic job of some type) would also alleviate this issue.

We will be constantly monitoring this in hopes that people migrate to using freshclam.  Over-abusers (for instance, the top 10 IPs that are downloading main.cvd 40,000 times a day), will be immediately blocked.  Further abusers may also be blocked, without notice.

To mitigate, please complete the following tasks:

1. Use Freshclam instead of Python or whatever downloading script you have cron'd.
2. Reduce the checks to once or twice a day.

Thank you for helping keep the ClamAV network healthy.

Any questions, please see us over on the ClamAV-Users list.

Thursday, July 23, 2020

By Nikhil Hegde.

MassLogger is a .NET executable and an info-stealer having the ability to take screenshots, log keystrokes, etc. The binary features two obfuscated loaders. The first loader decrypts the second using the Rijndael algorithm. The second loader decodes the payload using the values in a Bitmap image. The presence of multiple loaders and obfuscation made it a good choice for a walkthrough of ClamAV signature creation. In this post, we’ll walk through the creation of Clam signatures for this malware. It is our hope that this gives you a closer look at the work we do and reverse-engineer malware.

I picked up the sample hash, 2b7455d2a9434cfe516d9d886248b45f1073c0cc9fef73b15e9a1ef187fe4677 from a tweet by Nocturnus. The sample is available on VirusTotal.

Thursday, July 16, 2020

ClamAV 0.102.4 is out now. Users can head over to clamav.net/downloads to download the release materials.

ClamAV 0.102.4 is a bug patch release to address the following issues:

CVE-2020-3350

Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc.

For more information about AV quarantine attacks using links, see RACK911 Lab's report.

CVE-2020-3327

Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481

Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.

We will be publishing a release candidate for version 0.103.0 in the next couple of weeks. Stay tuned!

Monday, June 15, 2020

ClamAV has provided a signature database using Google's Safebrowsing API to provide advanced protection against emails with links to suspicious websites.

As of Nov. 11, 2019, we have stopped updating the Safebrowsing signature database because Google announced changes to their Safebrowsing API terms of service.

Google now requires commercial users to use the Google Web Risk API, a for-profit feature, instead of the Safebrowsing API. Though ClamAV itself is free and open-source, we cannot continue to provide Google Safebrowsing data to the general public.

Today, we're pleased to open-source a new tool for users to generate their own safebrowsing signature databases using their personal Safebrowsing API credentials for use in accordance with the policies of the Safebrowsing API user agreement.

Please check out the clamav-safebrowsing repository on Github to get started.


Tuesday, May 12, 2020

Today, we're publishing ClamAV, version 0.102.3. Navigate to ClamAV's downloads page to download the release materials.

ClamAV 0.102.3


ClamAV 0.102.3 is a bug patch release to address the following issues.
  • CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
  • CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.
  • Fixed "Attempt to allocate 0 bytes" error when parsing some PDF documents.
  • Fixed a couple of minor memory leaks.
  • Updated libclamunrar to UnRAR 5.9.2.
Please join us on the ClamAV mailing lists, on irc.freenode.net in #clamav, or on Discord for further discussion. Thanks!

Monday, February 17, 2020

Attn: ClamAV users, we will be upgrading our version of bugzilla on Wednesday, February 19th, at 8:00 EST.

 The impact should be minimal, and should take no longer than a couple hours.

We will notify you when it is back up. Thank you for your patience.

Wednesday, February 5, 2020

Today, we're publishing 0.102.2. Navigate to ClamAV's downloads page to download the release materials.

0.102.2

ClamAV 0.102.2 is a security patch release to address the following issues.
  • CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.
  • Significantly improved the scan speed of PDF files on Windows.
  • Re-applied a fix to alleviate file access issues when scanning RAR files in downstream projects that use libclamav where the scanning engine is operating in a low-privilege process. This bug was originally fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0.
  • Fixed an issue where freshclam failed to update if the database version downloaded is one version older than advertised. This situation may occur after a new database version is published. The issue affected users downloading the whole CVD database file.
  • Changed the default freshclam ReceiveTimeout setting to 0 (infinite). The ReceiveTimeout had caused needless database update failures for users with slower internet connections.
  • Correctly display the number of kilobytes (KiB) in progress bar and reduced the size of the progress bar to accommodate 80-character width terminals.
  • Fixed an issue where running freshclam manually causes a daemonized freshclam process to fail when it updates because the manual instance deletes the temporary download directory. The freshclam temporary files will now download to a unique directory created at the time of an update instead of using a hardcoded directory created/destroyed at the program start/exit.
  • Fix for freshclam's OnOutdatedExecute config option.
  • Fixes a memory leak in the error condition handling for the email parser.
  • Improved bound checking and error handling in ARJ archive parser.
  • Improved error handling in PDF parser.
  • Fix for memory leak in byte-compare signature handler.
  • Updates to the unit test suite to support libcheck 0.13.
  • Updates to support autoconf 2.69 and automake 1.15.
Special thanks to the following people for code contributions and bug reports:

  •     Antoine Deschênes
  •     Eric Lindblad
  •     Gianluigi Tiesi
  •     Tuomo Soini

Please join us on the ClamAV mailing lists for further discussion. Thanks!