The ClamAV 1.5.0 beta is now available. You may find the source code and installers for this release at clamav.net/downloads or on the ClamAV GitHub release page.
The beta phase is expected to last two to four weeks before we publish the stable release or else publish a release candidate. This will depend on how many changes are required to stabilize this version. Please take this time to evaluate ClamAV 1.5.0.
Please help us validate this release by providing feedback via GitHub issues, via the ClamAV mailing list or on our Discord.
IMPORTANT: A major feature of the 1.5 release is a FIPS-compliant method for verifying the authenticity of CVD signature database archives and CDIFF signature database patch files. The feature is ready to test in this beta, but we are not yet distributing the associated “.cvd.sign” signature files for the daily, main, and bytecode databases. Because these files aren’t available, ClamAV will fall back to using the legacy MD5-based RSA signature check. In other words, Freshclam will continue to fail on FIPS-enabled systems, for now. However, the unit tests do include a test signing key and certificate pair along with tests to exercise signing and verification using the FIPS-compliant method.
Note: Windows builds on GitHub Actions, which use VCPkg to provide C library dependencies, are failing at this time.
Tip: If you are downloading the source from the GitHub release page, the package labeled "clamav-1.5.0-beta.tar.gz" does not require an internet connection to build. All dependencies are included in this package. However, if you download the ZIP or TAR.GZ generated by GitHub, located at the very bottom, then an internet connection will be required during the build to download additional Rust dependencies.
For Docker users, there is no specific Docker tag for the beta, but you can use the clamav:unstable or clamav:unstable_base tags.
ClamAV 1.5.0 includes the following improvements and changes:
Major changes
- Added checks to determine if an OLE2-based Microsoft Office document is encrypted.
- Added the ability to record URLs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but don't want to record HTML URL's. The ClamScan command-line option is “--json-store-html-urls=no”. The clamd.conf config option is “JsonStoreHTMLUrls no”.
- Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg.
- Added FIPS-compliant CVD signing/verification with external .sign files.
Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures.
ClamAV now installs a 'certs' directory in the app config directory (e.g. <prefix>/etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is “-D CVD_CERTS_DIRECTORY=PATH”.
Added sign/verify commands to Sigtool.
New options to set an alternative CVD certs directory:
- The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is: --cvdcertsdir PATH
- The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is: CVD_CERTS_DIR
The config option for Freshclam and ClamD is: CVDCertsDirectory PATH
Added two new APIs to the public clamav.h header:
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
The original cl_cvdverify and cl_cvdunpack are deprecated.
Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str to override the compiled in default CVD certs directory.
Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing.
Other improvements
- Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or possible crashes if encountering a file with that many layers of recursion.
- Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX.
- Improve support for extracting malformed .zip archives. This change is courtesy of Frederick Sell.
- Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is the courtesy of Maxim Suhanov.
- Added file type recognition for some kinds of AI model files.
The file type appears as a string parameter for these callback functions:
- clcb_pre_cache
- clcb_pre_scan
- clcb_file_inspection
When scanning these files, the `type` parameter will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
Bug fixes
- Technical debt: Reduced email multipart message parser complexity.
- Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue.
- Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g. Windows).
- Windows: Fix a build issue when the same library dependency is found in two different locations.
- Fix an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer
Acknowledgments
Special thanks to the following people for code contributions and bug reports:
- b1tg
- Frederick Sell
- KamathForAIX
- Mark Carey at SAP
- Maxim Suhanov
- TITAN Team
- Yoann Lecuyer
