Tuesday, October 8, 2013

In July we told you about Sourcefire’s agreement to be acquired by Cisco, and today that acquisition has closed – we are now one company. This also means that we are now one community, and Cisco has reiterated its commitment to maintaining our innovation and support of Snort, ClamAV and other open source projects, as well as its own projects. As Marty Roesch wrote on our corporate blog:
"I can tell you with certainty that this is a great match for Sourcefire, for Cisco and, ultimately, for our customers, partners and open source communities… Beyond the technology, one of the things that is important to me is that Cisco and Sourcefire both share key values that transcend our company names, HQ locations and number of employees."

I’m also happy to report that there will be no changes to how our communities are run or our communications, including mailing lists, snort.org, clamav.net or social media sites. Please visit the corporate blog for more details and, as always, reach out to me with questions. I will still be your community manager and I look forward to many more years of being a part of this community.

Friday, October 4, 2013

Not everyone who reads this blog reads all of the other Sourcefire/Vulnerability Research Team (VRT) blogs, so I thought I'd add a quick note here about one of the Malware Research Team's articles over on our VRT Blog.

The article is entitled "Android Basic Block Signatures", and in it the author goes over some useful syntax for the ClamAV signature language.

Please check it out here: http://blog.talosintel.com/2013/10/android-basic-block-signatures.html

Thursday, September 19, 2013

ClamAV 0.98 includes many new features, across many different components
of ClamAV. There are new scanning options, extensions to the libclamav API,
support for additional filetypes, and internal upgrades.

- Signature improvements: New signature targets have been added for
PDF files, Flash files and Java class files. (NOTE: Java archive files
(JAR) are not part of the Java target.) Hash signatures can now specify
a '*' (wildcard) size if the size is unknown. Using a wildcard size
requires setting the minimum engine FLEVEL to avoid backwards
compatibility issues with older engines. For more details read the
ClamAV Signatures guide.
- Scanning enhancements: New filetypes can be unpacked and scanned,
including ISO9660, Flash, and self-extracting 7z files. PDF
handling is now more robust and better handles encrypted PDF files.
- Authenticode: ClamAV is now aware of the certificate chains when
scanning signed PE files. When the database contains signatures for
trusted root certificate authorities, the engine can whitelist
PE files with a valid signature. The same database file can also
include known compromised certificates to be rejected! This
feature can also be disabled in clamd.conf (DisableCertCheck) or
on the command line (nocerts).
- New options: Several new options for clamscan and clamd have been
added. For example, ClamAV can be set to print infected files and
error files, and suppress printing OK results. This can be helpful
when scanning large numbers of files. This new option is "-o" for
clamscan and "LogClean" for clamd. Check clamd.conf or the clamscan
help message for specific details.
- New callbacks added to the API: The libclamav API has additional hooks
for developers to use when wrapping ClamAV scanning. These function
types are prefixed with "clcb_" and allow developers to add logic at
certain steps of the scanning process without directly modifying the
library. For more details refer to the clamav.h file.
- More configurable limits: Several hardcoded values are now configurable
parameters, providing more options for tuning the engine to match your
needs. Check clamd.conf or the clamscan help message for specific
details.
- Performance improvements: This release furthers the use of memory maps
during scanning and unpacking, continuing the conversion started in
prior releases. Complex math functions have been switched from
libtommath to tomsfastmath functions. The A/C (Aho-Corasick) matcher
code has also been optimized to provide a speed boost.
- Support for on-access scanning using Clamuko/Dazuko has been replaced
with fanotify. Accordingly, clamd.conf settings related to on-access
scanning have had Clamuko removed from the name. Clamuko-specific
configuration items have been marked deprecated and should no longer
be used.
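To make the hash-signature change above concrete, here is an added example (mine, not ClamAV project code) that builds and checks hash signatures in the plain-text form used by .hdb database files: `MD5:FileSize:MalwareName`, with the 0.98 wildcard form `MD5:*:MalwareName:MinFLEVEL`. The sample byte strings and signature names are constructed for the example, and the minimum FLEVEL value 73 is my reading of the ClamAV Signatures guide for wildcard sizes; check the guide before relying on it. The point it demonstrates is the caveat in the release note: a wildcard-size signature is only accepted here when it carries a minimum functionality level, which is what keeps it from being fed to an older engine that does not understand `*`.

```python
import hashlib

# Minimum engine functionality level that understands a '*' size in a
# hash signature. Assumed from the ClamAV Signatures guide; verify there.
WILDCARD_MIN_FLEVEL = 73


def make_hdb_line(data: bytes, name: str, wildcard_size: bool = False) -> str:
    """Build an .hdb-style line for the given bytes.

    Exact form:    <md5>:<size>:<name>
    Wildcard form: <md5>:*:<name>:<min_flevel>   (size unknown)
    """
    digest = hashlib.md5(data).hexdigest()
    if wildcard_size:
        return f"{digest}:*:{name}:{WILDCARD_MIN_FLEVEL}"
    return f"{digest}:{len(data)}:{name}"


def parse_hdb_line(line: str) -> dict:
    """Parse one signature line and enforce the wildcard/FLEVEL rule."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError(f"expected at least 3 colon-separated fields: {line!r}")
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a 32-hex-digit MD5: {fields[0]!r}")
    min_flevel = int(fields[3]) if len(fields) > 3 and fields[3] else None
    if size == "*":
        # A wildcard size is meaningless to engines that predate the feature,
        # so the signature must declare the minimum FLEVEL that supports it.
        if min_flevel is None or min_flevel < WILDCARD_MIN_FLEVEL:
            raise ValueError(
                f"wildcard size requires MinFLEVEL >= {WILDCARD_MIN_FLEVEL}: {line!r}"
            )
        size_value = None
    else:
        size_value = int(size)
    return {"md5": digest, "size": size_value, "name": name, "min_flevel": min_flevel}


def load_hdb(text: str) -> list:
    """Load every non-empty, non-comment line of an .hdb-style database."""
    return [
        parse_hdb_line(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def match_file(data: bytes, signatures: list):
    """Return the first matching signature name, or None.

    A wildcard-size signature matches on hash alone; an exact-size one
    also requires the file length to agree, as the engine does.
    """
    digest = hashlib.md5(data).hexdigest()
    for sig in signatures:
        if sig["md5"] == digest and (sig["size"] is None or sig["size"] == len(data)):
            return sig["name"]
    return None


# Constructed sample inputs: ordinary bytes, not real malware.
SAMPLE_EXACT = b"constructed sample A: plain bytes used to build an exact-size signature\n"
SAMPLE_WILD = b"constructed sample B: plain bytes used to build a wildcard-size signature\n"

# A small constructed database exercising both forms.
EXAMPLE_HDB = "\n".join([
    "# constructed example database",
    make_hdb_line(SAMPLE_EXACT, "Example.Exact-1"),
    make_hdb_line(SAMPLE_WILD, "Example.Wildcard-1", wildcard_size=True),
])


if __name__ == "__main__":
    sigs = load_hdb(EXAMPLE_HDB)
    print(EXAMPLE_HDB)
    print("A ->", match_file(SAMPLE_EXACT, sigs))
    print("B ->", match_file(SAMPLE_WILD, sigs))
    print("other ->", match_file(b"unrelated bytes", sigs))
```

Running it prints the two generated lines, then the names matched for each sample and None for unrelated input; feeding a wildcard line without the trailing FLEVEL field to `parse_hdb_line` raises a `ValueError`, which is the check a database author wants before publishing such a signature.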

There are also fixes for other minor issues and code quality changes. Please
see the ChangeLog file for details.

--
The ClamAV team (http://www.clamav.net/team)

Monday, September 16, 2013

As a reminder in case you didn't see the first warning, we are planning on pushing a new Main.cvd tomorrow, September 17th. This will cause an increase in load on the mirror infrastructure as clients will have to download this new file.

Please see my previous blog post on the matter if you have any questions:
http://blog.clamav.net/2013/09/maincvd-scheduled-for-tuesday-september.html

Wednesday, September 11, 2013

As many of you have written in and notified us, the "Daily.cvd" file is now bigger than the "Main.cvd". This means on our side, it's time to make a new Main.cvd.

We are currently planning on cutting a new Main.cvd on Tuesday, September 17th. After the new Main.cvd is published, the daily load on the mirrors and your networks should be much lighter.

We are estimating the new "Main" to be ~70MB.

We are also planning on making a new Main.cvd more regularly so that this can be predicted more easily. More information about this periodic process will be published as details become available.

Thursday, August 22, 2013

Douglas Goddard, one of our awesome malware analysts here at Sourcefire, wrote a post about Bytecode and its ability to cover the recent Android Master Key Vulnerability.

Take a look at the blog post here: http://blog.talosintel.com/2013/08/bytecode-covering-android.html

Tuesday, July 23, 2013

A Continued Commitment to Open Source

Earlier today Cisco announced a definitive agreement to acquire Sourcefire. Marty Roesch has detailed the announcement on our corporate blog, but we want to make sure that you, our friends and community, are especially assured of Cisco’s commitment to maintaining our innovation and support of our open source projects. As Marty writes:

“I created Snort in 1998 to provide value-added security solutions for open source and address big problems that no one else could solve. We later expanded that open source commitment to ClamAV… The best news in all of this, especially for our partners, customers and open source users, is that Cisco is committed to accelerate the realization of our vision into the market. We’ll be able to more quickly innovate, develop and provide products and technologies that continue to solve your biggest security challenges. And not just for commercial and government solutions – they are committed to continued innovation and support of our open source projects, too."

Please visit the corporate blog for more details and feel free to reach out to me with any questions that you might have. We look forward to continuing to innovate together.

Additional Information and Where to Find It

In connection with the proposed acquisition by Cisco Systems, Inc. (“Cisco”) of Sourcefire, Inc. (“Sourcefire”) pursuant to the terms of an Agreement and Plan of Merger by and among Sourcefire, Cisco, and a wholly-owned subsidiary of Cisco, Sourcefire will file a proxy statement with the Securities and Exchange Commission (the “SEC”). Investors are urged to read the proxy statement (including all amendments and supplements) because it will contain important information. Investors may obtain free copies of the proxy statement when it becomes available, as well as other filings containing information about Sourcefire, without charge, at the SEC’s Internet site (http://www.sec.gov). These documents may also be obtained for free from Sourcefire’s Investor Relations web site (http://investor.sourcefire.com/) or by directing a request to Sourcefire at: Sourcefire, Inc., 9770 Patuxent Woods Drive, Columbia, MD 21046.
Sourcefire and its officers and directors and other members of management and employees may be deemed to be participants in the solicitation of proxies from Sourcefire’s stockholders with respect to the acquisition. Information about Sourcefire’s executive officers and directors is set forth in the proxy statement for the Sourcefire 2013 Annual Meeting of Stockholders, which was filed with the SEC on April 24, 2013. Investors may obtain more detailed information regarding the direct and indirect interests of Sourcefire and its respective executive officers and directors in the acquisition by reading the preliminary and definitive proxy statements regarding the transaction, which will be filed with the SEC.

Forward-Looking Statements

This written communication contains forward-looking statements that involve risks and uncertainties concerning Cisco’s proposed acquisition of Sourcefire, Sourcefire’s expected financial performance, as well as Sourcefire’s strategic and operational plans. Actual events or results may differ materially from those described in this written communication due to a number of risks and uncertainties. The potential risks and uncertainties include, among others, the possibility that the transaction will not close or that the closing may be delayed; the reaction of our customers to the transaction; general economic conditions; the possibility that Sourcefire may be unable to obtain stockholder approval as required for the transaction or that the other conditions to the closing of the transaction may not be satisfied; the transaction may involve unexpected costs, liabilities or delays; the outcome of any legal proceedings related to the transaction; the occurrence of any event, change or other circumstances that could give rise to the termination of the transaction agreement. In addition, please refer to the documents that Cisco and Sourcefire file with the SEC on Forms 10-K, 10-Q and 8-K. The filings by Sourcefire identify and address other important factors that could cause its financial and operational results to differ materially from those contained in the forward-looking statements set forth in this written communication. Sourcefire is under no duty to update any of the forward-looking statements after the date of this written communication to conform to actual results.

Tuesday, April 23, 2013

Dear ClamAV users,


"ClamAV 0.97.8 addresses several reported potential security bugs. Thanks to Felix Groebert of the Google Security Team for finding and reporting these issues."


Download: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz 
PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz.sig
ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

--
The ClamAV team (http://www.clamav.net/lang/en/about/team/)

Monday, April 15, 2013

One of the questions I receive in my inbox quite frequently is:

"Does ClamAV need any more mirrors for virus definitions?"

The quick answer is "Yes!" We'll take all the mirrors that we can get: as we increase the output of virus definitions, we need more infrastructure to handle the load.

If you are interested in becoming a ClamAV mirror, please follow the instructions here:

https://github.com/vrtadmin/clamav-faq/blob/master/mirrors/MirrorHowto.md


Friday, March 15, 2013

Dear ClamAV users,


"ClamAV 0.97.7 addresses several reported potential security bugs. Thanks to Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for finding and reporting these issues."


Download: http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz 
PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz.sig
ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

--
The ClamAV team (http://www.clamav.net/lang/en/about/team/)