
Wednesday, February 15, 2023

 Today, we are releasing the following critical patch versions for ClamAV:

  • 0.103.8
  • 0.105.2
  • 1.0.1

ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched. Anyone using ClamAV 0.104 must switch to a supported version. All users should update as soon as possible to patch for the remote code execution vulnerability and remote information leak vulnerability.

Edit: We are aware that technical details for CVE-2023-20032 and a proof-of-concept sample to demonstrate the buffer overflow are publicly available.

The release files are available for download on ClamAV.net, on the Github Release page, and through Docker Hub.

1.0.1

ClamAV 1.0.1 is a critical patch release with the following fixes:

  • CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

  • CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

  • Fix an allmatch detection issue with the preclass bytecode hook.

  • Update the vendored libmspack library to version 0.11alpha.

0.105.2

ClamAV 0.105.2 is a critical patch release with the following fixes:

  • CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

  • CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

  • Fixed an issue loading Yara rules containing regex strings with an escaped forward-slash (\/) followed by a colon (:).

  • Moved the ClamAV Docker files for building containers to a new Git repository. The Docker files are now in https://github.com/Cisco-Talos/clamav-docker. This change enables us to fix issues with the images and with the supporting scripts used to publish and update the images without committing changes directly to files in the ClamAV release branches.

  • Update the vendored libmspack library to version 0.11alpha.

0.103.8

ClamAV 0.103.8 is a critical patch release with the following fixes:

  • CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

  • CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

  • Update the vendored libmspack library to version 0.11alpha.

Friday, December 17, 2021

In early 2021, we made a decision to switch to using GitHub directly. Before then, our primary Git repository was sequestered to the Cisco corporate network. The public GitHub repository was just a mirror. That made it tougher for us to connect to and work with contributors from the ClamAV community. Our daily routines drew our attention away from GitHub.

At the same time, we also settled on a plan for how we could test using GitHub Issues for ClamAV bug reports. Initially, this would supplement our aging Bugzilla server. While Bugzilla requires users to make an account on our server, enabling GitHub Issues would open up bug reporting to the wider GitHub community that already has an account.

Since enabling GitHub Issues at the start of June, we have found that using GitHub Issues has been a very positive experience. At this point, most of our reports come in through GitHub Issues. With the aid of issue templates, the quality of bug reports coming through GitHub Issues has also been of a higher caliber than those coming through Bugzilla. With users following guidance in the template, the bug reports are generally easier to triage and respond to intelligently. 

All that being said, we will disable Bugzilla ticket creation so we can focus all new bug reports towards GitHub Issues. Effective immediately, the new ticket creation form on bugzilla.clamav.net will redirect users to the new issue creation page on our primary ClamAV repository on GitHub.com.

Existing open tickets on Bugzilla will remain open for now, and the Bugzilla server is expected to remain available through 2022 as we complete this transition. 

If you have an open ticket on Bugzilla and would like to help migrate it to GitHub Issues, we would appreciate the help. If you choose to migrate any tickets from Bugzilla to GitHub Issues, please add references in each ticket and close the original Bugzilla ticket(s) to assist our team with the ticket queue maintenance.


Thank you!

Micah

Monday, July 27, 2020

During a recent review of file downloads from our ClamAV CDN network, we've noticed hundreds of IPs that seem to be downloading the daily.cvd and the main.cvd thousands of times a day.

There are about a dozen IPs that are downloading those two files more than 40,000 times a day. This is causing us to transfer about 250TB of data a day. We would encourage any users still doing this to cease as soon as possible. Not only does it waste our bandwidth — as we have much more efficient ways of downloading the updates — but it also wastes your bandwidth, as well.

Freshclam has the ability to download partial updates (called cdiffs), which are smaller, incremental updates to the database. This allows users, and us, to manage downloads in a much more efficient manner. We often receive the complaint, "I have to download the daily.cvd and main.cvd with Python and move the updates to an off-internet system."  That's fine — it's a use case we support. However, you can do the same with freshclam and the small cdiffs.

Furthermore, we also only release updates once a day.  Reducing the number of times you check for (and, subsequently, download) updates, which we assume happens through a crontab or periodic job of some type, would also alleviate this issue.

We will be constantly monitoring this in hopes that people migrate to using freshclam.  Over-abusers (for instance, the top 10 IPs that are downloading main.cvd 40,000 times a day) will be immediately blocked.  Further abusers may also be blocked, without notice.

To mitigate, please complete the following tasks:

1. Use Freshclam instead of Python or whatever downloading script you have cron'd.
2. Reduce the checks to once or twice a day.

Thank you for helping keep the ClamAV network healthy.

Any questions, please see us over on the ClamAV-Users list.

Monday, September 16, 2019

We have a new On-Access scanner for ClamAV that separates functionality from clamd into a new application called clamonacc.

This post is for technically inclined users who have used ClamAV’s On-Access scanner in the past (0.99 - 0.101.3), and wish to transition to a newer version (>= 0.102.0). While this overview may be somewhat useful for new On-Access users, we first recommend setting up your environment using the official documentation, then returning here only if your use case is not met.

This post is also for anyone who may simply be trying to install ClamAV from source, on an older system, with an older version of Curl. If that’s the case, skip ahead to the section titled The Breakdown for your fix.

Things That Haven’t Changed

With a change this big, it’s easier to start with what’s the same. Here’s a list of the important things:
  • Fanotify and inotify still required
  • Clamd still needs to be run and clamd.conf still used by default
  • All working “OnAccessXYZ” clamd.conf configuration options still valid and work as expected
  • Only Linux systems are supported

The New Stuff

Now for the real reason you’re here: what’s different and how that affects you. Well, let’s start with the differences, and then I’ll break down each item to help you gain a fuller understanding of the new system.
  • Curl (version >= 7.45) required for installation
  • VirusEvent and Extra Scanning features re-enabled
  • Client application called clamonacc which interfaces with a clamd server
  • Command-line options
  • Separate and cleaner logging
  • Configuration option for excluding users via username
  • Configurable multi-threaded event handling architecture
  • Configuration options which allow tweaks to network communication and error handling

The Breakdown

Curl (version >= 7.45) required for installation:

This is only relevant if you are installing from source, but it is worth noting. If your curl version is out of date, the installation will fail with an error message stating that you need a version of curl >= 7.45 when you run:

$ > ./configure

If your OS package maintainers do not provide a version of curl newer than 7.45, we recommend installing the latest version of curl (and its headers) from the source.

Alternatively, if you don’t need On-Access capabilities, you can skip installation on your system using the “./configure” flag “--disable-clamonacc”. If you are using a non-Linux system, installation of clamonacc will automatically be disabled.

VirusEvent and Extra Scanning features re-enabled:

Previous versions of the On-Access Scanner had disabled the VirusEvent and Extra Scanning features. The VirusEvent feature allowed users to kick off a custom shell script whenever clamd found a malicious object. Extra Scanning was a feature tied to inotify which used its expanded and more mature event detection to fill the gaps left (at the time) by fanotify event coverage. With Extra Scanning enabled, users can catch "create" and "move to" events, which up until kernel version 5.1 were not available for capture with the fanotify API. Without Extra Scanning, On-Access scanning will capture all "access" and "open" events only.

Both VirusEvent and Extra Scanning features were disabled due to resource consumption issues when running the On-Access Scanner for long periods of time. However, the new On-Access Scanner has been re-architected with a long-running use-case at the forefront. As a result, it is more reliable, error tolerant, and much, much better at cleaning up after itself. All of this allows us to re-enable the Extra Scanning feature with confidence.

Similarly, due to the new separation between clamd and clamonacc, VirusEvent scripts should now work as expected. This is not so much, “re-enabling the feature” as it is a direct (albeit planned and intended) result of this new separation. Like with clamdscan, VirusEvent will be kicked off by the clamd process, not the new clamonacc application.

Client application called clamonacc which interfaces with a clamd server:

The biggest change to On-Access Scanning is its separation from the clamd server application. With this separation comes more flexibility in deployment options, better stability and up-time for both applications, and a much improved potential attack surface.

Regarding flexibility, the application can be run on the same machine as a clamd instance, or for resource sensitive deployments clamonacc can “phone home” to a central clamd instance. Even better, multiple clamonacc instances on multiple systems can all receive verdicts from a single, centrally located clamd instance. This offloads verdicts to a single location, and scanning/protection tasking to a much lighter-weight application.

However, while such a deployment is possible, it requires streaming over a TCP socket connection, which comes with a number of drawbacks. First, this version of ClamAV requires users to secure their own TCP sockets. We are moving to change this in the future, (the new curl requirement is a step in that direction) but it’s still important to note. Second, the version of clamonacc (and clamd) released with 0.102.0 is not optimized for sending files and receiving verdicts via a network stream. While there are plans to alleviate this, expect full file contents to be sent across the configured socket each time clamonacc requires a clamd verdict. This will obviously have a network impact on a distributed deployment. Third, and finally, caching still needs to be implemented on the clamonacc client side to reduce the number of overall network scan requests.

All that said, smart network engineering, and a targeted clamonacc configuration which only watches necessary files/directories and excludes the right UIDs and/or unames, might let you mitigate or overcome these hurdles quite nicely.

Another benefit to this separation is increased stability for both clamd and clamonacc. During our testing, clamonacc was able to recover gracefully from just about every issue that arose--whether anticipated or not--while still providing necessary protections. Similarly, during the course of development and testing, clamd was not affected by any clamonacc failure. That said, this does not mean that clamonacc cannot affect clamd at all, or vice-versa. These applications do not exist in a vacuum and must necessarily interact with one another during normal operation.

With that in mind, one major goal of this rework was improving clamd’s security posture. In versions prior to 0.102, On-Access Scanning was tied directly into clamd, and thus required users to run clamd with elevated privileges (often root). This came with a host of security concerns given the size of clamd's attack surface. By separating clamonacc from clamd, a system admin need only ensure clamd has the read and access permissions necessary to deal with any file descriptors clamonacc may pass along. Of course, clamonacc still requires elevated permissions due to the fanotify interfaces used, but compared to clamd, clamonacc's attack surface is much smaller.

Command-line options:

In order of appearance when you run clamonacc with “--help” these are the command line options and their uses:

    --help

As one would expect, prints the version number, a command line usage example, and a very abbreviated explanation of each available command line option, alongside their shorter forms.

    --version

Attempts a connection to the clamd server and requests clamd’s version, such that a version mismatch between server and client might be identified. If a clamd server is not found, the local client version is printed to the console instead.

    --verbose

This is akin to clamd’s or clamscan’s --debug option, but isn’t quite so noisy as either of those. By default, clamonacc does not print any output after daemonizing, so you will have to pair this option with --log or --foreground to use it.

    --log=FILE

FILE should be a full path to the logfile you wish clamonacc to use. Without this option, clamonacc will not keep a log. With this option, clamonacc will only output some information to the console if --foreground is enabled. As of the release of 0.102, it is a known bug that clamonacc lacks log rotation.

    --foreground

Forces clamonacc not to daemonize into the background and instead print output and verdicts to the console.

    --watch-list=FILE

This is the command line analogue to the “OnAccessIncludePath” configuration option. The file provided via FILE will be parsed at startup and all valid paths will have watch points placed on them. FILE must be a proper path, it must be a text file, and each path in the text file must be a full path to a valid directory. You must separate multiple paths in the text file with a newline. If you run clamonacc with --verbose, it will let you know if you got any of this wrong, but it will still startup, choosing to ignore invalid input instead of failing out.

    --exclude-list=FILE

This is the command line analogue for “OnAccessExcludePath”. Everything that holds true for --watch-list holds true for --exclude-list, except the end result is that the provided paths within the text file will not have watch points placed on them when clamonacc starts up.

    --remove

Works the same way as clamdscan’s --remove option. In the event that a file is found to be malicious, clamonacc will make a best attempt at removal.

    --move=DIRECTORY
    --copy=DIRECTORY

Works as you'd expect, each also sharing clamdscan’s core functionality. If clamd returns a malicious verdict, the clamonacc process will either move or copy the file into the given path. These three options (--remove, --move and --copy) are mutually exclusive.

    --config-file=FILE

When loading configuration options, clamonacc checks for clamd.conf in ClamAV’s default install location. You can force clamonacc to use a configuration file in a location of your choice by using this option instead. This option is especially useful if you have broken up clamd and clamonacc configuration options into their own separate files.

    --allmatch

Every time a scan request is made, clamonacc will tell the clamd server to run in all-match mode when rendering verdicts.

    --fdpass

This is a niche option with an unclear use case, but we preserved it in case older clamdscan users know of a specific use case we do not. Generally, if you are running clamd on the same system as clamonacc, you will be using a local unix socket and file descriptor passing is enabled by default. One theoretical (untested) use is passing file descriptors along a socket between containers or between a container and the host.

    --stream

Typically, the only time you would use this option is when you could otherwise pass file descriptors instead. Even if clamonacc and clamd were optimized for streaming, file descriptor passing would be the better and faster method. Its only use (besides debugging) is avoiding permission issues that arise when passing file descriptors to clamd.

Separate and cleaner logging:

On-Access Scanning no longer uses the same log file as clamd. To make clamonacc print its output to a logfile, run clamonacc with the command “--log=FILE” where “FILE” is the name you wish to give the log file. Without this command, by default, clamonacc will fork into the background without printing any output. Regardless of whether a log file has been specified, Clamonacc will still protect your system according to any configurations made and all command line options passed. And no matter the logging situation, all VirusEvents will trigger from clamd as expected.

If you do choose to enable logging, know that On-Access logging has been cleaned up considerably in the move from 0.101 to 0.102. After startup, you will see only verdicts for malicious files and errors in its log. That’s it.

If the “--verbose” command is supplied at startup, significantly more output will be available to you. This information is primarily useful for troubleshooting purposes and developers. Therefore, only consider using it if you run into a recurring problem during application runtime.

Configuration option for excluding users via username:

A feature included on user request, this allows simple exclusion of any user and more flexible permission management. The option for this feature is called “OnAccessExcludeUname” and you can use it as many times as you’d like.

Another useful exclusion option that existed in 0.101 and continues to exist in 0.102, but may seem out of place to some users, is “OnAccessExcludeRootUID”, a boolean option that--as it says on the box--will exclude all events triggered by processes under the root UID “0” from being scanned. This option was added strictly as a workaround to an option parsing limitation, which entirely disabled the “OnAccessExcludeUID” option when set to “0”.

Configurable multi-threaded event handling architecture:

Clamonacc has been re-architected to follow a multi-supplier, single-consumer queue model for event processing. It accomplishes this by keeping an active thread pool to handle verdict receipts, which is managed by a thread that kicks off work for the pool whenever new entries are added to the event queue it maintains. Currently, that event queue is set up to be fed and grown with distilled information from the fanotify and inotify event monitoring threads, but in theory the event queue could very easily be fed from other sources down the road--should the need or desire arise.

Clamonacc will start up with five worker threads available to consume events from the queue. However, if your system has the resources for it, you can drastically improve the performance of clamonacc by raising that number with the “OnAccessMaxThreads” option. If you do this, you will likely also want to increase the values of “MaxThreads” and “MaxQueue” as well to ensure your clamd instance can keep up.

Configuration options which allow tweaks to network communication and error handling:

With the separation came increased inter-process complexity. And with that complexity arose more potential error cases. Of particular note are the new configuration options surrounding network communications between clamd and clamonacc applications. Two options are provided for tweaking network communication behavior to better suit your environment:
  • OnAccessCurlTimeout
  • OnAccessRetryAttempts
By default, each connection attempt made by clamonacc will timeout after five seconds and will not attempt to reconnect. In case of connection failure or timeout due to known, intermittent network constraints, you may force clamonacc to reattempt the connection by setting the OnAccessRetryAttempts to the number of retries you’d like clamonacc to make before giving up and reporting an error.

Users experienced with prevention mode will now be wondering what happens in such a case. Will the file remain locked? Will clamonacc release its access hold automatically in case of failure?

Clamonacc is configured to allow all access attempts if an error occurs while prevention is enabled. However, you can change this behavior by enabling the “OnAccessDenyOnError” configuration option. When this option is enabled alongside “OnAccessPrevention”, clamonacc will deny process access to a file if any error is encountered during the scanning process.

As you can imagine, this is potentially a very dangerous setting and must be used with care to avoid locking your system out of important resources due to something so mundane as a clamd permission issue, or a brief network outage.
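As an added example (not from the post or the ClamAV project), here is a clamd.conf fragment that pulls together the knobs discussed in this section and in the deployment section above; the paths, the "clamav" user name and every numeric value are assumptions for illustration.

```text
# Added example clamd.conf fragment for a clamd + clamonacc deployment.
# Paths, the clamav account name and all numbers below are assumed values.

# --- What clamonacc watches, and what it leaves alone -------------------
OnAccessIncludePath /home
OnAccessIncludePath /srv/uploads
# Keep the directory used by --move/--copy out of the watch set, so
# quarantined files do not generate fresh events and get scanned again.
OnAccessExcludePath /var/lib/clamav/quarantine
# Exclude the account clamd runs as (assumed: clamav), so clamd's own reads
# of the files clamonacc hands it are not intercepted while prevention is on.
OnAccessExcludeUname clamav
OnAccessExcludeRootUID yes

# --- Prevention and error handling -------------------------------------
OnAccessPrevention yes
# Default on error is to allow access. Enabling the option below denies
# access whenever a scan fails; with a remote clamd that means a timeout
# or outage blocks every watched file. Leave it off unless the watched
# paths are narrow and a failed scan must never let data through.
# OnAccessDenyOnError yes

# --- Sizing (default is five clamonacc worker threads) -----------------
# Raise clamd's MaxThreads and MaxQueue along with OnAccessMaxThreads so the
# server can keep up with the client (assumed values).
OnAccessMaxThreads 10
MaxThreads 20
MaxQueue 200

# --- How clamonacc reaches clamd ----------------------------------------
# Prefer a local Unix socket: file descriptor passing works and no file
# contents cross the network.
LocalSocket /run/clamav/clamd.sock
# If clamd must be remote, bind to a specific interface and restrict the
# port with host firewall rules; the 0.102 TCP socket is not secured by
# ClamAV itself (see the deployment discussion above).
# TCPAddr 10.0.0.5
# TCPSocket 3310
# Connection timeout in milliseconds (default 5000) and retries (default 0),
# only relevant for the TCP case.
OnAccessCurlTimeout 10000
OnAccessRetryAttempts 3
```

The three OnAccessExclude* lines and the commented-out OnAccessDenyOnError are the settings most worth reviewing before turning OnAccessPrevention on.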

Wrap Up

That’s the bulk of it. A lot has changed from a technical standpoint, and while the amount of information shared above might seem overwhelming at first glance, from an operational standpoint there isn’t too much more you need to worry about. Be mindful of your UID/uname excludes, make sure clamd has the right permissions, lock down your TCP ports, be aware of your resource limitations and the knobs you’ve been given to tweak software performance, and you should have your deployment up in no time.

Finally, as I said before, if there’s anything that changed which I didn’t go over above, please leave a comment below so I can address your concern.

Happy clamming.

Wednesday, September 5, 2018

At Cisco Talos, we regularly get questions on how to get the most out of ClamAV. Therefore, we wanted to point out some common mistakes that users make in hopes that we can make using ClamAV easier, and more effective, for everyone.

Downloading the signatures

We want to emphasize the importance of using FreshClam to download the signatures instead of Wget, Python, or similar scripting libraries. A lot of folks from the community are attempting to download the daily, bytecode, and the main CVDs using scripting tools. While we understand the desire to do so, FreshClam has been engineered to take advantage of the fact that our publishing system provides "diff" files, or only what has changed since the last update.

This provides faster updates to the world, reduces our overhead on the server side, and lowers our overall bandwidth. This problem was not made apparent until we consolidated the mirror infrastructure to our CDN (Cloudflare). We are now able to observe download problems across our infrastructure.

For example, we have roughly 20 individual IPs that are attempting to download the whole main.cvd, daily.cvd, and bytecode.cvd files roughly eight times a minute. Imagine what would happen if we were able to get users to stop doing that and use FreshClam. We are currently pushing about 54TB a day in updates to our users — you have to wonder how much that would drop if everyone was using FreshClam.

ClamAV supported versions

We took a look at the top 10 "User-Agents" that are downloading updates.
ClamAV/0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV/0.99.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV/0.98.7 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV/0.100.0 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamWin/0.99.1 (OS: win32, ARCH: i386, CPU: i386)
ClamWin/0.99.4 (OS: win32, ARCH: i386, CPU: i386)
ClamAV/0.99.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Wget/1.12 (linux-gnu)
ClamAV/0.96-exp (OS: linux-gnu, ARCH: i386, CPU: i686)
Since we already covered Wget and tools like that, let's move on to older versions of ClamAV.

As you can see, the top two versions are the most recent versions and essentially, the last major version back. These are Ubuntu/Debian users. We work very closely with the package maintainer for those distributions, and we can see the shift in versions when they update.

Let's shift our focus to No. 10 in the list above. ClamAV/0.96-exp, an experimental version of ClamAV back in the 0.96 days, before CVD diff'ing was released. Obviously, this is an errant cronjob (someone attempting to run FreshClam once a minute). Again, we are asking users to please update to a new version of ClamAV, which will, in turn, update your version of FreshClam (to support diff'ing).

We took the logs, removed Wget, curl and other scripting tools so that only actual FreshClam installations remained, and grouped them by ClamAV version.  Basically, we asked our logs, "How many different versions of ClamAV are there out there?"

297
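The log questions asked in this post (which User-Agents are FreshClam, which are scripting tools, how many distinct versions are in use) and in the 2020 CDN post above (which IPs re-download whole CVDs abusively) can be answered with the same small script. This is an added example, not ClamAV project code; the log format is a constructed "ip path user-agent" line, so adapt `parse_line()` to a real CDN log, and the `min_version` and `max_full_per_ip` defaults are illustrative values, not ClamAV policy.

```python
"""Classify ClamAV update-server User-Agents and flag abusive downloaders.

Added example (not ClamAV project code). Input is a constructed, simplified
access log with one "<ip> <path> <user-agent>" record per line.
"""
import re
from collections import Counter, defaultdict

# FreshClam identifies itself as "ClamAV/<version> (OS: ..., ARCH: ..., CPU: ...)";
# ClamWin uses the same shape with a different product name.
FRESHCLAM_UA = re.compile(r"^(ClamAV|ClamWin)/(\S+)")

# Generic download tools and HTTP libraries that fetch whole CVDs instead of cdiffs.
SCRIPT_TOOLS = ("Wget/", "curl/", "python-requests/", "Python-urllib/")

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 /daily.cvd ClamAV/0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
203.0.113.10 /daily.cvd ClamAV/0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
203.0.113.11 /main.cvd Wget/1.12 (linux-gnu)
203.0.113.11 /main.cvd Wget/1.12 (linux-gnu)
203.0.113.11 /daily.cvd Wget/1.12 (linux-gnu)
203.0.113.12 /daily.cvd ClamAV/0.96-exp (OS: linux-gnu, ARCH: i386, CPU: i686)
203.0.113.13 /daily-25000.cdiff ClamAV/0.102.0 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
198.51.100.7 /main.cvd python-requests/2.22.0
"""


def parse_line(line):
    """Split one constructed log record into (ip, path, user_agent)."""
    ip, path, ua = line.split(" ", 2)  # the UA itself contains spaces
    return ip, path, ua


def classify_ua(ua):
    """Return ("freshclam", version), ("script", tool) or ("other", ua)."""
    m = FRESHCLAM_UA.match(ua)
    if m:
        return "freshclam", m.group(2)
    for tool in SCRIPT_TOOLS:
        if ua.startswith(tool):
            return "script", tool.rstrip("/")
    return "other", ua


def version_tuple(version):
    """'0.96-exp' -> (0, 96): drop any '-suffix', keep leading numeric parts."""
    parts = []
    for p in version.split("-", 1)[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_full_cvd(path):
    """True for a whole-database fetch (.cvd/.cld); a .cdiff is incremental."""
    return path.endswith((".cvd", ".cld"))


def summarize(log_text, max_full_per_ip=2, min_version=(0, 100)):
    """Aggregate a log into version counts, scripted clients and heavy downloaders.

    max_full_per_ip: an IP fetching more whole CVDs than this is flagged.
    min_version:     FreshClam versions older than this are reported as outdated.
    Both defaults are illustrative, not ClamAV policy.
    """
    versions = Counter()
    script_ips = defaultdict(set)
    full_downloads = Counter()
    outdated_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, path, ua = parse_line(line)
        kind, detail = classify_ua(ua)
        if kind == "freshclam":
            versions[detail] += 1
            if version_tuple(detail) < min_version:
                outdated_ips.add(ip)
        elif kind == "script":
            script_ips[ip].add(detail)
        if is_full_cvd(path):
            full_downloads[ip] += 1
    abusive = {ip for ip, n in full_downloads.items() if n > max_full_per_ip}
    return {
        "distinct_versions": len(versions),   # the post's "297" question
        "version_counts": versions,
        "script_ips": dict(script_ips),       # candidates to nudge toward FreshClam
        "outdated_ips": outdated_ips,         # e.g. pre-cdiff 0.96-exp clients
        "abusive_ips": abusive,               # candidates for rate limiting
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```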

After ClamAV is installed, then what? How do I update the database?

You will want to edit freshclam.conf.example by commenting out the "example" text with a pound symbol (#).

Once that is done, run a 'freshclam' via command line and the database should update.

We also want to remind people that we do monitor IRC, so if you need help — give us a shout.

Community members and staff idle the channel and try to help to the best of our abilities.

IRC information

Service: irc.freenode.net
Channel: #clamav

How do you submit bugs to ClamAV?

Please visit https://bugzilla.clamav.net/.

If you are having Mirror issues

If you are running into an issue when using FreshClam to download the signatures, it could be the mirror.dat file. Try deleting this file, and then running FreshClam again.

In the "configure" file of FreshClam, you can set your mirror as 'database.clamav.net' instead of using a country code (db.xy.clamav.net).  In a future version of ClamAV, we will improve/remove the mentions of country based mirrors. Use database.clamav.net as the central point for your downloads.

If you want to contribute to documentation

Our documentation is also open-source. Feel free to edit it as need be, and submit the changes to our Git repository.

Wednesday, November 1, 2017

ClamAV Community --

ClamAV is currently experiencing an issue with one of our sync servers that provides updates from our infrastructure out to the ClamAV mirrors.

Since end-users receive their updates from the ClamAV mirrors, this means that ClamAV updates are currently not available.

Our operations team is currently working on the issue, and we will provide updates as needed.

Wednesday, August 23, 2017

This morning, we became aware of an issue with our ClamAV mirror infrastructure that was causing some freshclam instances to fail when trying to download the current updates.

This was a result of one of our mirror sync hosts experiencing an issue.  This was resolved by stopping and restarting all services on the machine.

Currently the sync server is healthy, and all requests should be handled normally.

We apologize for any inconvenience this may have caused, and are working to prevent this from occurring in the future.

Wednesday, March 16, 2016

Our ClamAV Signature Interface maintenance is now complete.  While we apologize for the delay, the rollout of the new Signature Interface inside of ClamAV will result in several new features for the community, and I wanted to tell you about some of them:

First, the first new “main.cvd” in about two years.  This main.cvd has been completely re-written from scratch, and while the function of the “main” is largely the same, it’s been rewritten to not only enforce order to the signatures, but naming convention as well.  For example:

W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
Adware.Smshoax has moved to Win.Adware.Smshoax

Re-naming of the signatures may affect a local user’s whitelist.  If you have excluded certain signatures in the past that are now firing, we ask that you both submit the file to us for false positive remediation (if you believe it to be a false positive), and rename the signature whitelist on your side.

This new main is 109Mb in size, and contains 4 million signatures for ClamAV.  Now that the main.cvd has been rewritten, it is now easier for us to create diffs, which means upgrading the main more often, and making the “daily.cvd” smaller more often.

Second, we now have the ability to offer different types of CVDs.  For instance, we now have the ability to distribute 3rd party signatures that are officially signed by ClamAV, but updated through the ClamAV global mirror network.  If we wanted to separate out “policy” type signatures from the daily.cvd into their own cvd, we can now do that.

Third, while we have not removed some of the older signature formats, we did convert those older signatures to the newer formats to empty those older “cvd”s out.

For example:
“db” signatures were consolidated into “ndb” signatures
“zmd” and “rmd” archive signatures were moved to the “cdb” container signature format

These formats are not new, they simply have never been published before. This includes other formats such as “hsb”, “msb”, “sfp”, and “crb”.  The older formats are supported for now, we are simply no longer publishing them.

Fourth, newer features, like the ability to write signatures based on the SHA256 of a file have been added to the system, and we can now publish that type of detection.

We’d like to thank you for your patience.

Thursday, September 19, 2013

ClamAV 0.98 includes many new features, across many different components
of ClamAV. There are new scanning options, extensions to the libclamav API,
support for additional filetypes, and internal upgrades.

- Signature improvements: New signature targets have been added for
PDF files, Flash files and Java class files. (NOTE: Java archive files
(JAR) are not part of the Java target.) Hash signatures can now specify
a '*' (wildcard) size if the size is unknown. Using wildcard size
requires setting the minimum engine FLEVEL to avoid backwards
compatibility issues. For more details read the ClamAV Signatures
guide.
- Scanning enhancements: New filetypes can be unpacked and scanned,
including ISO9660, Flash, and self-extracting 7z files. PDF
handling is now more robust and better handles encrypted PDF files. 
- Authenticode: ClamAV is now aware of the certificate chains when
scanning signed PE files. When the database contains signatures for
trusted root certificate authorities, the engine can whitelist
PE files with a valid signature. The same database file can also
include known compromised certificates to be rejected! This
feature can also be disabled in clamd.conf (DisableCertCheck) or
the command-line (nocerts). 
- New options: Several new options for clamscan and clamd have been
added. For example, ClamAV can be set to print infected files and
error files, and suppress printing OK results. This can be helpful
when scanning large numbers of files. This new option is "-o" for
clamscan and "LogClean" for clamd. Check clamd.conf or the clamscan
help message for specific details. 
- New callbacks added to the API: The libclamav API has additional hooks
for developers to use when wrapping ClamAV scanning. These function
types are prefixed with "clcb_" and allow developers to add logic at
certain steps of the scanning process without directly modifying the
library. For more details refer to the clamav.h file. 
- More configurable limits: Several hardcoded values are now configurable
parameters, providing more options for tuning the engine to match your
needs. Check clamd.conf or the clamscan help message for specific
details. 
- Performance improvements: This release furthers the use of memory maps
during scanning and unpacking, continuing the conversion started in
prior releases. Complex math functions have been switched from
libtommath to tomsfastmath functions. The A/C matcher code has also
been optimized to provide a speed boost. 
- Support for on-access scanning using Clamuko/Dazuko has been replaced
with fanotify. Accordingly, clamd.conf settings related to on-access
scanning have had Clamuko removed from the name. Clamuko-specific
configuration items have been marked deprecated and should no longer
be used.
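As an added example (not code from the ClamAV project or this announcement), the following Python helper builds and checks hash-based signature lines of the kind described above: SHA256-based detections and the '*' wildcard size. It assumes that the optional fourth field of a hash signature is the minimum engine FLEVEL and that ClamAV 0.98 corresponds to FLEVEL 73; both are assumptions, not facts stated in the release notes.

```python
import hashlib
import re

# Assumption (not stated in the announcement): ClamAV 0.98 is engine
# functionality level (FLEVEL) 73, the first level that understands a
# '*' size field, so wildcard-size signatures should carry it as MinFL.
WILDCARD_MIN_FLEVEL = 73
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def hash_signature(data, name, algo="sha256", wildcard_size=False, min_flevel=None):
    """Build one hash signature line, Hash:Size:Name[:MinFL], for a .hdb/.hsb file."""
    if algo not in DIGEST_HEX_LEN:
        raise ValueError("unsupported hash algorithm: %s" % algo)
    digest = hashlib.new(algo, data).hexdigest()
    if wildcard_size:
        # Size unknown: '*' makes the engine hash every file, so pin a MinFL
        # that keeps pre-0.98 engines from loading a line they cannot parse.
        min_flevel = WILDCARD_MIN_FLEVEL if min_flevel is None else min_flevel
        if min_flevel < WILDCARD_MIN_FLEVEL:
            raise ValueError("wildcard size requires MinFL >= %d" % WILDCARD_MIN_FLEVEL)
        size = "*"
    else:
        size = str(len(data))
    fields = [digest, size, name]
    if min_flevel is not None:
        fields.append(str(min_flevel))
    return ":".join(fields)


def signature_problems(line):
    """Return the problems found in one signature line (empty list means OK)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) not in (3, 4):
        return ["expected 3 or 4 colon-separated fields, got %d" % len(fields)]
    digest, size = fields[0], fields[1]
    problems = []
    if not HEX_RE.match(digest) or len(digest) not in DIGEST_HEX_LEN.values():
        problems.append("digest is not a lowercase md5/sha1/sha256 hex string")
    if size != "*" and not size.isdigit():
        problems.append("size must be a decimal byte count or '*'")
    min_fl = int(fields[3]) if len(fields) == 4 and fields[3].isdigit() else None
    if len(fields) == 4 and min_fl is None:
        problems.append("MinFL field is not a number")
    if size == "*" and (min_fl is None or min_fl < WILDCARD_MIN_FLEVEL):
        problems.append("wildcard size requires MinFL >= %d" % WILDCARD_MIN_FLEVEL)
    return problems
```

The sample bytes in the tests are constructed; in practice `data` is the content of the file being described by the signature.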

There are also fixes for other minor issues and code quality changes. Please
see the ChangeLog file for details.

--
The ClamAV team (http://www.clamav.net/team)

Monday, February 25, 2013

On Thursday, 14 Feb 2013, in preparation for the coming ClamAV 0.98 release, a new database was scheduled to be made available to users. We had a set of issues while performing this upgrade, and we feel that it is appropriate to let our users and mirror providers know what happened, what has been done to fix the issues, and what is being done to prevent these issues from happening again.

So first, what happened?

  1. 14 Feb 2013 0800 EST: Start of our scheduled work on our infrastructure.
  2. 14 Feb 2013 0815 EST: A new, custom daily.cvd (our virus definition database) was published. This database was generated with ClamAV 0.98, which in turn caused freshclam to think that a new version of ClamAV was available (not yet, but there will be).
  3. 14 Feb 2013 0830 EST: Published a new daily.cvd, generated with ClamAV 0.97.6, the current version of ClamAV. This corrected the issue with incorrect notifications of a new version of ClamAV.
  4. 14 Feb 2013 1100 EST: Clients report errors with updating. Investigation starts.
  5. 14 Feb 2013 1130 EST: The problem was isolated. The new database wasn't copied into a critical directory on our internal Signature server. The database publishing infrastructure didn't know that a custom database had been published, so the custom database was overwritten with a new database. As a result, users who had downloaded the custom database were unable to use the .cdiff files (our incremental update files) and therefore could not update.
  6. 14 Feb 2013 1330 EST: A new database was published to resolve the issues. Issues should now be resolved for most users.
  7. 19 Feb 2013 1700 EST: Issues resolved for all remaining users by modifying the set of available .cdiff files.

Fixes That Have Been Performed

We've deleted all database files that would cause errors. This should fix the remainder of issues for our users.  However, any users who are still seeing errors should delete the mirrors.dat file in their database directory to force a reset of mirror selection.

Prevention

We've put in place a workflow that will prevent issues like this from popping up. A full change-management process is in place, with an emphasis on peer-reviewed planning, comprehensive test plans and appropriate personnel assignments.  Change plans will be approved by a senior administrator, a ClamAV developer and a representative from the analyst team.

For the convenience of our mirror providers, there is now a set maintenance window for routine changes: Monday 5pm EST through midnight EST.  As always, we will aim to notify mirror providers a week in advance of any change.  In the case of emergent issues, a different time or a shorter notification may be required.

We apologize for any inconvenience caused by the problems outlined in this post.  We will continue to review our processes to ensure that we are providing the best experience for both our users and our mirror providers.

Monday, October 17, 2011

Just released is version 0.97.3 of ClamAV.  The following changes are noted in the ChangeLog distributed with the package:

Mon Oct 10 14:41:48 CEST 2011 (tk)
* freshclam/manager.c: fix error when compiling without DNS support (bb#3056)

Sat Oct  8 12:19:49 EEST 2011 (edwin)
* libclamav/pdf.c: flag and dump PDF objects with /Launch (bb #3514)

Sat Oct  8 12:10:13 EEST 2011 (edwin)
* libclamav/bytecode.c,bytecode_api.c: fix recursion level crash (bb #3706).

Tue Aug  2 17:03:33 CEST 2011 (tk)
* docs: clarify behavior of --scan-*/Scan* options (bb#3134)

Mon Jul 25 16:09:19 EEST 2011 (edwin)
* libclamav/bytecode_vm.c: fix opcode 20 error (bb #3100)

Thu Sep 15 14:44:11 CEST 2011 (tk)
* freshclam: fix pidfile removal (bb#3499)

Sun Aug 21 17:05:24 EEST 2011 (edwin)
* libclamav/pdf.c:  fix incorrect blocking of some encrypted PDF with empty user passwords. (bb #3364)

Wed Aug  3 15:41:28 CEST 2011 (tk)
* sigtool/sigtool.c: fix calculation of max signature length

You can download the newest version of ClamAV by visiting the ClamAV.net website, or at the following download links:


Monday, July 25, 2011

ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing
detection, hash matcher, and other minor issues. Please see
the ChangeLog file for details.

Download : http://downloads.sourceforge.net/clamav/clamav-0.97.2.tar.gz
PGP sig : http://downloads.sourceforge.net/clamav/clamav-0.97.2.tar.gz.sig
Bugfixes : http://www.clamav.net/release-info/bugs/0.97.2
ChangeLog: http://www.clamav.net/release-info/changelog/0.97.2

*** Announcement ***

The ClamAV project is launching a new service called "Third Party web interface". It will allow selected individuals/organizations to publish ClamAV Virus Databases (CVD) through the ClamAV mirror network.

If you choose to publish your signatures through our Third Party web interface you will benefit from the following:

  • before publishing the signatures, we will test them for false positives against our false positive file collection.
  • before publishing the signatures, we'll verify that the latest two major versions of ClamAV can load them correctly.
  • the signatures will be digitally signed and packaged into a single .cvd compressed file.
  • there will be no ".UNOFFICIAL" suffix in the detection names.
  • a custom prefix will be added to the detection names, identifying the organization which published the signature.
  • updates will be distributed both as full CVD files and cdiff incremental updates. Users will benefit from lower network traffic.
  • the .cvd and .cdiff files will be distributed through the ClamAV mirror network.
  • the service should result in faster remediation of false positives.
  • ClamAV users will be able to download the third party databases using freshclam, by adding a single line to freshclam.conf, which should make signature maintenance significantly easier.

The service is still in beta, you are welcome to contact Luca Gibelli
if you intend to join the beta program.

We especially welcome those who already distribute their own unofficial signatures to join. A list of databases distributed by the new service will be available at http://www.clamav.net/download/cvd/3rdparty

We will be happy to answer any questions you might have.

Saturday, June 11, 2011

Recently the ClamAV team here at Sourcefire released version 0.97.1 of the software. You can grab it here. The ChangeLog for ClamAV since the last version is pasted below:

Thu Jun  9 08:22:31 CEST 2011 (acab)
------------------------------------
 * libclamav/mew.c: harden boundary check on e8/e9 fixup

Thu May 26 14:17:52 CEST 2011 (acab)
------------------------------------
 * libclamav/matcher-hash.c: in hm_sort don't swap an item with itself (bb#2818)

Thu May 12 13:01:56 CEST 2011 (tk)
----------------------------------
 * freshclam/manager.c: fix return code of Rfc2822DateTime() (bb#2809)

Sat May  7 18:05:23 EEST 2011 (edwin)
-------------------------------------
 * libclamav/pdf.c: better detection for encrypted PDFs (bb #2448)

Fri May  6 16:16:00 EEST 2011 (edwin)
------------------------------------
 * libclamav/c++: add support for building with external LLVM 2.9, and drop external 2.8 support

Thu May  5 01:07:57 CEST 2011 (acab)
------------------------------------
 * clamd: log request ip address for instream scans #bb2592

Wed May  4 14:07:12 EEST 2011 (edwin)
-------------------------------------
 * libclamav/c++/llvm/lib/Target/X86/X86InstrInfo.td: bb #2763
 don't assert on AVX chips (Intel Core i5 and i7)

Tue May  3 22:52:04 PDT 2011 (tk)
---------------------------------
 * sigtool: properly normalize html files (bb#2764)

Tue May  3 16:14:27 PDT 2011 (tk)
---------------------------------
 * sigtool/sigtool.c: fix formatting of hash dbs (bb#2765)

Wed Apr 27 15:07:22 CEST 2011 (tk)
----------------------------------
 * freshclam: add mirror statistics mechanism

Sat Apr  9 17:20:35 CEST 2011 (acab)
------------------------------------
 * libclamav/pe_icons.c: don't sigbus on sparc (bb#2695)

Sat Apr  9 03:56:17 CEST 2011 (acab)
------------------------------------
 * libclamav/pe.c: reset corrupted status before bytecode hooks (bb#2544)

Thu Mar 17 17:46:09 CET 2011 (tk)
---------------------------------
 * sigtool, freshclam: put .info on top of container to speed up loading

Wed Mar 16 15:53:42 CET 2011 (tk)
---------------------------------
 * sigtool: fix --verify-cdiff

Tue Mar 15 17:56:59 CET 2011 (tk)
---------------------------------
 * sigtool: allow arbitrary names for --build

Wed Mar  9 15:42:50 CET 2011 (tk)
---------------------------------
 * clamdscan: fix file exclusion (bb#2579)

Mon Feb 28 21:46:50 CET 2011 (tk)
---------------------------------
 * clamd: add new option ClamukoExcludeUID (bb#2260)
 Based on idea from alfred*bokxing.nl

Fri Feb 25 14:49:04 CET 2011 (tk)
---------------------------------
 * libclamav/elf.c: fix incorrect detection of Broken.Executable (bb#2580)

Thu Feb 24 14:52:18 CET 2011 (tk)
---------------------------------
 * shared/output.c: fix empty lines in syslog (bb#2578)

Mon Feb 21 18:19:18 CET 2011 (tk)
---------------------------------
 * clamd: update description of ReadTimeout (bb#2565)

Thu Feb 17 19:13:15 CET 2011 (tk)
---------------------------------
 * clamd: add new config option BytecodeUnsigned (bb#2537); drop
 "None" from BytecodeSecurity
 * clamscan: add new switch --bytecode-unsigned and drop --bytecode-trust-all

Tue Feb 15 19:19:31 CET 2011 (tk)
---------------------------------
 * sigtool/sigtool.c: improve handling of bytecode.info (bb#2292)

Thu Apr 14 21:29:36 EEST 2011 (edwin)
-------------------------------------
 * libclamav/others.c: make sure TLS key is initializer (bb #2588).
    Thanks to Cameron Brown for the detailed analysis of the bug.

Thu Apr 14 13:19:38 EEST 2011 (edwin)
-------------------------------------
 * configure: check for enable_extended_FILE_stdio (bb #2542)

Fri Feb 11 13:16:41 CET 2011 (tk)
---------------------------------
 * sigtool/sigtool.c: handle all signature formats with --(list|find)-sigs (bb#2534)

Tue Feb  8 02:42:11 CET 2011 (acab)
-----------------------------------
 * libclamav/mpoo.c: Make solaris linker happy - Thanks to John Kendall <john*capps.com>

Monday, February 7, 2011

Since the release of ClamAV 0.97rc, there have been several bug fixes:

 * libclamav/vba_extract.c: fix error path double free (bb#2486)
 * libclamav/phishcheck.c: fix some missed safebrowsing URLs (bb #2514)
 * libclamav/matcher-bm.c: fix error message (bb#2513)
 * libclamav/matcher-hash.c: stop leaking virusnames (nopool mode)

So anyone using the RC, or a previous version of ClamAV, should go ahead and take the opportunity to update to 0.97 now.

ClamAV 0.97 brings many improvements, including complete Windows support (all major components compile out-of-box under Visual Studio), support for signatures based on SHA1 and SHA256, better error detection, as well as speed and memory optimizations. The complete list of changes is available in the ChangeLog file. For upgrade notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes097

Download: http://downloads.sourceforge.net/cla...av-0.97.tar.gz
PGP sig: http://downloads.sourceforge.net/cla....97.tar.gz.sig
Bugfixes: http://www.clamav.net/release-info/bugs/0.97
ChangeLog: http://www.clamav.net/release-info/changelog/0.97

We'll have further information regarding ClamAV this week, stay tuned to the blog to find out more!

Wednesday, February 2, 2011

The release candidate for ClamAV 0.97 is available for download.

ClamAV 0.97 brings many improvements, including complete Windows support
(all major components compile out-of-box under Visual Studio), support
for signatures based on SHA1 and SHA256, better error detection, as well as
speed and memory optimizations. The complete list of changes is
available in the ChangeLog file. For upgrade notes and tips please see:
https://wiki.clamav.net/Main/UpgradeNotes097

We encourage as many people as possible to test this release.
If you don't have access to a test machine you can still help
by downloading it and checking for us that it compiles and links
on your platform and by running "make check".
If you do have a test machine/model/network please help us by loading
ClamAV 0.97rc and testing.

All bug reports should be filed at http://bugs.clamav.net.
We also encourage all 3rd party developers of products and
distribution/port maintainers to download and check this update so that
you can go live as soon as the final version is released.

Download : http://downloads.sourceforge.net/clamav/clamav-0.97rc.tar.gz
PGP sig : http://downloads.sourceforge.net/clamav/clamav-0.97rc.tar.gz.sig
Bugfixes : http://www.clamav.net/release-info/bugs/0.97
ChangeLog: http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.97rc