Our ClamAV Signature Interface maintenance is now complete. While we apologize for the delay, the rollout of the new Signature Interface inside ClamAV brings several new features for the community, and I wanted to tell you about some of them:
First, the first new “main.cvd” in about two years. This main.cvd has been completely rewritten from scratch; while the function of the “main” is largely the same, it has been rebuilt to enforce not only an ordering of the signatures but a naming convention as well. For example:
W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
Adware.Smshoax has moved to Win.Adware.Smshoax
Renaming of signatures may affect a local user’s whitelist. If you have excluded certain signatures in the past that are now firing under their new names, we ask that you both submit the file to us for false-positive remediation (if you believe it to be a false positive) and update the signature name in your whitelist.
This new main is 109 MB in size and contains 4 million signatures. Now that the main.cvd has been rewritten, it is easier for us to create diffs, which means we can upgrade the main more often and keep the “daily.cvd” small.
Second, we now have the ability to offer different types of CVDs. For instance, we can now distribute third-party signatures that are officially signed by ClamAV and updated through the ClamAV global mirror network. If we wanted to separate “policy”-type signatures out of the daily.cvd into their own CVD, we can now do that.
Third, while we have not removed support for the older signature formats, we converted the signatures that used them to the newer formats, which empties those older “cvd”s out.
For example:
“db" signatures were consolidated into “ndb" signatures
“zmd" and “rmd" archive signatures we moved to the “cdb" container signature format
These formats are not new, they simply have never been published before. This includes other formats such as “hsb", “msb", “sfp", and “crb". The older formats are supported for now, we are simply no longer publishing them.
Fourth, newer features, like the ability to write signatures based on the SHA256 of a file have been added to the system, and we can now publish that type of detection.
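Two checks an administrator wants after reading the above, as an added example that is not code from the ClamAV project: take a local .ign2 whitelist (one signature name per line) and the name list that `sigtool --list-sigs main.cvd` prints, report whitelist entries that no longer name a published signature, propose replacements by shared family token (a heuristic of this example, not a ClamAV feature), and build a SHA256-based .hsb line in the HashString:FileSize:MalwareName form. The whitelist, the published name list and the sample bytes are constructed; the three renamed names are the ones quoted in the post.

```python
import hashlib
from typing import Dict, List, Set

# Platform and category components, never the family name (assumption of this example)
GENERIC = {"Win", "Doc", "W97M", "Trojan", "Worm", "Adware"}


def parse_ign2(text: str) -> List[str]:
    """A .ign2 whitelist: one signature name per line; blank and # lines are skipped here."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line)
    return names


def parse_sig_list(text: str) -> Set[str]:
    """One signature name per line, as `sigtool --list-sigs main.cvd` prints them."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def stale_whitelist_entries(ign2_text: str, published: Set[str]) -> List[str]:
    """Whitelist names that match no published signature: after a rename these
    entries silently stop suppressing anything, so the detection fires again."""
    return [n for n in parse_ign2(ign2_text) if n not in published]


def suggest_renames(stale: List[str], published: Set[str]) -> Dict[str, List[str]]:
    """Heuristic of this example: propose published names that share a
    non-generic dotted component (the family token) with the stale name."""
    out = {}
    for old in stale:
        tokens = {t for t in old.split(".") if t not in GENERIC}
        out[old] = sorted(p for p in published if tokens & set(p.split(".")))
    return out


def make_hsb_signature(sample: bytes, name: str) -> str:
    """Build one .hsb line, HashString:FileSize:MalwareName, with a SHA256 hash."""
    if not name or ":" in name:
        raise ValueError("signature name must be non-empty and contain no ':'")
    return f"{hashlib.sha256(sample).hexdigest()}:{len(sample)}:{name}"


# --- constructed inputs ---
LOCAL_IGN2 = """# local.ign2 written before the main.cvd rewrite
W97M.Ethan.AK-1
Adware.Smshoax
Win.Trojan.Agent-1234
"""
PUBLISHED = parse_sig_list("""Doc.Trojan.Ethan
Win.Worm.Padowor
Win.Adware.Smshoax
Win.Trojan.Agent-1234
""")
SAMPLE = b"constructed sample bytes, not real malware"

if __name__ == "__main__":
    stale = stale_whitelist_entries(LOCAL_IGN2, PUBLISHED)
    for old, candidates in suggest_renames(stale, PUBLISHED).items():
        print(f"{old} no longer exists; candidates: {candidates}")
    print(make_hsb_signature(SAMPLE, "Win.Test.Constructed"))
```

The rename suggestions are only a starting point: confirm each candidate against the sample that originally caused the false positive before adding it to the whitelist, and submit that sample for remediation as the post asks.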
We’d like to thank you for your patience.
Wednesday, March 16, 2016
Wednesday, March 9, 2016
ClamAV added support for a new family, or perhaps an old family, of documents in the 0.99.1 release: Hangul Word Processor (HWP) documents. HWP is a document format specialized for the Korean language and developed by Hancom Inc. That specialization makes it a highly popular format in South Korea, with the government being a notable user. As with any popular format, it is a likely carrier of malicious content.
For this release, we primarily targeted the word-processor documents: HWP 2.x, HWP 3.x, HWP 5.x, and HWPX. The other file formats developed by Hancom Inc., which cover the spreadsheet and presentation formats, are already handled by pre-existing methods in ClamAV; the only exception is HPT (an old presentation format), which is not in this release.
- HWP 2.x, also known as HWPML
- XML-based document format similar to Microsoft’s older XML document format
- Contents of the document is stored in the XML including all embedded content
- Embedded content is usually base64-encoded and normally uses zlib compression
- General embedded content is stored in OLE2 containers
- File property collection: document’s attributes and metadata fields
- HWP 3.x, also known as HWP
- Custom binary file format. For additional information on the format, the documentation can be retrieved from Hancom’s website (note that it’s in Korean)
- Contents of HWP 3.x are stored in a file segment that uses optional password encryption and normally uses zlib compression
- Embedded content is stored in the content stream, with general embedded content stored in HWP-style* OLE2 containers
- File property collection: data from various file headers
- HWP 5.x, also known as HWP
- OLE2-based document format similar to Microsoft’s 97-2003 document formats
- Contents of HWP 5.x are stored in individual streams with zlib compression normally used on specific content streams including embedded content
- Embedded content is stored in individual streams under the BinData directory with general embedded content stored as HWP-style* OLE2 containers
- File property collection: data from the fileheader stream, which appears to be the HWP legacy header, and the \x05HwpSummaryInformation stream, which uses the same property method as 97-2003 Microsoft documents
- HWPX
- OOXML-compliant document format
- Contents of the document are stored in XML documents within a ZIP archive
- Embedded content is stored in the BinData directory with general embedded content stored as HWP-style* OLE2 containers
- File property collection: data from the content.hpf document which is an xml document with the legacy file header.
*HWP-style OLE2 containers are identical to normal OLE2 containers, with the exception that a 32-bit value is prepended to the file/stream/data segment.
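The four containers described above, as an added example that is not ClamAV code: a small Python classifier that tells HWP 3.x, HWPML, HWPX and OLE2 (an HWP 5.x candidate) apart, strips the 32-bit prefix from an HWP-style OLE2 container, and inflates base64-encoded embedded content. The HWP 3.x header bytes are an assumption taken from the HWP 3.0 header layout rather than from the post; the BINDATA element and Compress attribute names belong to the constructed sample and are not a reference to the HWPML schema; the OLE2 and ZIP magic values are the standard ones. Confirming HWP 5.x means reading the FileHeader stream inside the OLE2 file, which needs an OLE2 parser this example does not include. All samples are constructed in the block.

```python
import base64
import io
import xml.etree.ElementTree as ET
import zipfile
import zlib
from typing import List, Optional

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header
ZIP_MAGIC = b"PK\x03\x04"
# Assumption: the 30-byte signature at offset 0 of an HWP 3.x file, taken from
# the HWP 3.0 header layout rather than from the post above.
HWP3_MAGIC = b"HWP Document File V3.00 \x1a\x01\x02\x03\x04\x05"


def identify_hwp(data: bytes) -> Optional[str]:
    """Return HWP3, HWPML, HWPX, OLE2 (an HWP 5.x candidate) or None."""
    if data.startswith(HWP3_MAGIC):
        return "HWP3"
    if data.startswith(OLE2_MAGIC):
        # HWP 5.x is a plain OLE2 file; telling it from a Word 97-2003 file
        # means reading its FileHeader stream, which needs a full OLE2 parser.
        return "OLE2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None
        return "HWPX" if "Contents/content.hpf" in names else None
    head = data[:4096].lstrip()
    return "HWPML" if head.startswith(b"<?xml") and b"<HWPML" in head else None


def unwrap_hwp_ole2(blob: bytes) -> Optional[bytes]:
    """Strip the 32-bit value an HWP-style container prepends to an OLE2 image."""
    if blob.startswith(OLE2_MAGIC):
        return blob
    return blob[4:] if blob[4:12] == OLE2_MAGIC else None


def inflate_hwp(data: bytes) -> bytes:
    """Embedded content may be zlib-wrapped or raw deflate; try both."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("not a zlib or raw deflate stream")


def extract_hwpml_bindata(xml_bytes: bytes) -> List[bytes]:
    """Decode every base64 BINDATA element (names follow the constructed sample)."""
    out = []
    for node in ET.fromstring(xml_bytes).iter("BINDATA"):
        raw = base64.b64decode((node.text or "").strip())
        out.append(inflate_hwp(raw) if node.get("Compress") == "true" else raw)
    return out


def extract_hwpx_bindata(zip_bytes: bytes) -> List[bytes]:
    """Return each BinData/ entry of an HWPX archive with its OLE2 prefix stripped."""
    out = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("BinData/") and not name.endswith("/"):
                blob = zf.read(name)
                out.append(unwrap_hwp_ole2(blob) or blob)
    return out


# --- constructed samples: no real documents, no real malware ---
PAYLOAD = b"constructed embedded payload, not real malware"
_c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
RAW_DEFLATED = _c.compress(PAYLOAD) + _c.flush()

SAMPLE_HWP3 = HWP3_MAGIC + b"\x00" * 98
SAMPLE_HWP_OLE2 = b"\x00\x02\x00\x00" + OLE2_MAGIC + b"\x00" * 504  # prefixed container
SAMPLE_HWPML = (b'<?xml version="1.0" encoding="UTF-8"?>\n<HWPML Version="2.8">'
                b'<BINDATALIST><BINDATA Id="1" Compress="true" Encoding="Base64">'
                + base64.b64encode(RAW_DEFLATED) + b"</BINDATA></BINDATALIST></HWPML>")


def _build_hwpx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/hwp+zip")
        zf.writestr("Contents/content.hpf", "<package/>")
        zf.writestr("BinData/obj1.ole", SAMPLE_HWP_OLE2)
    return buf.getvalue()


SAMPLE_HWPX = _build_hwpx()

if __name__ == "__main__":
    for label, sample in (("hwp3", SAMPLE_HWP3), ("hwpml", SAMPLE_HWPML), ("hwpx", SAMPLE_HWPX)):
        print(label, "->", identify_hwp(sample))
    print(extract_hwpml_bindata(SAMPLE_HWPML)[0])
    print(identify_hwp(extract_hwpx_bindata(SAMPLE_HWPX)[0]))
```

The point of `unwrap_hwp_ole2` is the one the footnote makes: a scanner that only looks for the OLE2 magic at offset 0 never sees the embedded object, because the HWP-style container pushes it four bytes in. Trying both zlib-wrapped and raw deflate in `inflate_hwp` is a deliberate hedge; the post says only that zlib compression is used, not which framing.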
Monday, March 7, 2016
As we periodically do, we will be releasing a new main.cvd and daily.cvd this coming weekend (March 12-13).
We have completely re-written our signature management interface internally here at ClamAV, to provide us with more features and a better management process for cvd releases. Part of the process will be to create these two new files.
Releasing these files will have an impact, not only to the end user who will have to download these files, but also to our dedicated mirror operators that will be serving these files to the end users.
The estimated sizes of these files are 100 MB and 10 MB respectively.
Please be ready to receive these files this weekend. It is our hope that everything goes smoothly and, other than bandwidth, users shouldn't experience any problems. For any questions, please do not hesitate to contact us.
Labels:
clamav,
database,
release,
signatures
Wednesday, March 2, 2016
Join us in welcoming ClamAV 0.99.1 to the family! It is ready for immediate download at ClamAV.net's download site. As a reminder, this is the last release that will be done on SourceForge.net, and we encourage most people to move their downloads over to ClamAV.net immediately.
Below are the Release Notes:
0.99.1
------
ClamAV 0.99.1 contains a new feature for parsing Hancom Office files
including extracting and scanning embedded objects. ClamAV 0.99.1
also contains important bug fixes. Please see ChangeLog for details.
Thanks to the following community members for code submissions used in
ClamAV 0.99.1:
Jim Morris
Andreas Cadhalpun
Mark Allan
Sebastian Siewior
Below is the ChangeLog:
Wed, 24 Feb 2016 18:45:00 -0500 (Steven Morgan)
------------------------------------------
* ClamAV 0.99.1 release build.
Wed, 24 Feb 2016 13:29:42 -0500 (Kevin Lin)
------------------------------------------
* hwp5.x: fix for streams without names
Sat, 20 Feb 2016 15:53:48 +0100 (Sebastian Andrzej Siewior)
------------------------------------------
* libclamav: yara: avoid unaligned access to 64bit variable
Thu, 11 Feb 2016 15:56:47 -0500 (Mickey Sola)
------------------------------------------
* bb11455 - patch by Mark Allan to add show-progress option to freshclam.
Tue, 16 Feb 2016 14:15:18 -0500 (Kevin Lin)
------------------------------------------
* added 'CustomXML' as trigger for likely OOXML
Tue, 3 Feb 2016 17:30:00 -0500 (Steven Morgan)
------------------------------------------
* ClamAV 0.99.1 beta1 release.
Tue, 2 Feb 2016 14:23:13 -0500 (Kevin Lin)
------------------------------------------
* add scanning options for scanning xml-based documents
(MSXML, OOXML, HWPML) and HWP3
Fri, 29 Jan 2016 16:17:40 -0500 (Kevin Lin)
------------------------------------------
* add dconfs for XDP, MBR, GPT, APM, OOXML, MSXML, and HWP formats
Tue, 2 Feb 2016 12:38:27 -0500 (Kevin Lin)
------------------------------------------
* hwp: scan decompressed data on limits exceeded
Sun, 31 Jan 2016 15:41:54 -0500 (Steven Morgan)
------------------------------------------
* Fix for signature name length<3 in .ign & .ign2 CVD files.
Fri, 29 Jan 2016 11:21:46 -0500 (Steven Morgan)
------------------------------------------
* Change RTF file magic from '{\rtf' to '{\rt'
Wed, 27 Jan 2016 14:17:47 -0500 (Mickey Sola)
------------------------------------------
* bb11444 - zeroing out buffer at allocation to avoid writing uninitialized
bytes to a file
Wed, 20 Jan 2016 16:21:58 -0500 (Mickey Sola)
------------------------------------------
* bb11446 - adding check for compressed input stream
Wed, 13 Jan 2016 14:56:46 -0500 (Kevin Lin)
------------------------------------------
* clean up and boost accuracy to detecting OOXML documents
Thu, 14 Jan 2016 17:01:01 -0500 (Steven Morgan)
------------------------------------------
* 11477 - Fix crash when using pcre statistics due to inconsistent memory
management function calls
Thu, 14 Jan 2016 15:31:02 -0500 (Mickey Sola)
------------------------------------------
* bb11444: adding check to verify a valid number of rounds for rijndael aes
encryption/decryption
Wed, 13 Jan 2016 13:18:01 -0500 (Mickey Sola)
------------------------------------------
* bb11441 - fixing edge case revealed by unit testing
Tue, 12 Jan 2016 17:20:26 -0500 (Steven Morgan)
------------------------------------------
* bb11466 - let html be scanned raw when --scan-html=no is in effect.
Tue, 12 Jan 2016 16:14:40 -0500 (Steven Morgan)
------------------------------------------
* bb11475: fix crash due to memory overlay with crafted 7z files.
Tue, 12 Jan 2016 14:30:41 -0500 (Mickey Sola)
------------------------------------------
* bb11441 - fixing off by one OOB write in htmlnorm
Mon, 11 Jan 2016 14:47:30 -0500 (Mickey Sola)
------------------------------------------
* bb11446 - fixing autoit OOB bufferread
Wed, 6 Jan 2016 14:57:48 -0500 (Mickey Sola)
------------------------------------------
* sigtool: adding support for decoding cdb sigs
Tue, 5 Jan 2016 13:13:47 -0500 (Steven Morgan)
------------------------------------------
* bb11467 - fix embedded http links.
Tue, 22 Dec 2015 19:04:42 -0500 (Steven Morgan)
------------------------------------------
* bb11451 - fix guard macro name collision on AIX.
Tue, 22 Dec 2015 13:36:51 -0500 (Steven Morgan)
------------------------------------------
* fix regression crash on sid 1005597703 due to uninitialized
(i.e., garbage initialized) structure.
Mon, 21 Dec 2015 17:39:47 -0500 (Steven Morgan)
------------------------------------------
* bb11456 - corrects mso stream prefix value for big endian processors.
Patch by Jim Morris.
Thu, 17 Dec 2015 16:16:55 -0500 (Kevin Lin)
------------------------------------------
* ooxml_hwp: add support for filetyping and preclassification
Thu, 17 Dec 2015 11:04:00 -0500 (Kevin Lin)
------------------------------------------
* hwpole2: new filetype and handler for hwp embedded ole2 files
Thu, 17 Dec 2015 12:46:38 -0500 (Mickey Sola)
------------------------------------------
* bb11443 - fixing possible oob dereference when parsing mbox files
Tue, 15 Dec 2015 16:12:01 -0500 (Mickey Sola)
------------------------------------------
* bb11442 - adding explicit wwunpack oob checks
Tue, 15 Dec 2015 10:53:05 -0500 (Mickey Sola)
------------------------------------------
* bb11445 - fixing edge case where a null terminator was unintentionally
written into an adjacent buffer.
Wed, 16 Dec 2015 16:13:05 -0500 (Kevin Lin)
------------------------------------------
* hwpml: use msxml_parser callback scanner for binary data
Wed, 16 Dec 2015 16:12:20 -0500 (Kevin Lin)
------------------------------------------
* msxml_parser: add callback-based scanning mechanism
Tue, 15 Dec 2015 13:01:40 -0500 (Kevin Lin)
------------------------------------------
* HWPML: added hwpml_keys for hwpml parsing
Tue, 15 Dec 2015 10:54:20 -0500 (Kevin Lin)
------------------------------------------
* add HWPML filetype, tab fixes in filetype.c
Mon, 14 Dec 2015 16:34:11 -0500 (Kevin Lin)
------------------------------------------
* Hwp3.x: inflate compressed segment and offset tracking
Fri, 11 Dec 2015 17:50:40 -0500 (Kevin Lin)
------------------------------------------
* Hwp3.x file header parsing and preclass
Wed, 16 Dec 2015 14:56:56 -0500 (Kevin Lin)
------------------------------------------
* pcre: fixed minimum pcre version check
Fri, 11 Dec 2015 17:41:38 -0500 (Steven Morgan)
------------------------------------------
* bb11452 - endianness correction for swf files on sparc -
patch supplied by Jim Morris.
Wed, 9 Dec 2015 12:15:16 -0500 (Mickey Sola)
------------------------------------------
* bb11424 - correcting buffer alignment for riff detection on sparc systems;
patch by Jim Morris
Wed, 9 Dec 2015 00:17:41 +0100 (Andreas Cadhalpun)
------------------------------------------
* fix detection of libcheck without pkg-config file
Wed, 9 Dec 2015 11:43:35 -0500 (Kevin Lin)
------------------------------------------
* add HWP5 filetype tracking to preclassification
Tue, 8 Dec 2015 15:05:30 -0500 (Kevin Lin)
------------------------------------------
* add HWP 3.x internal filetypes
Tue, 8 Dec 2015 14:47:12 -0500 (Kevin Lin)
------------------------------------------
* add hwp5 contents to preclass set
Fri, 4 Dec 2015 11:55:52 -0500 (Kevin Lin)
------------------------------------------
* proper identification of HWP file format
Tue, 8 Dec 2015 18:36:48 -0500 (Steven Morgan)
------------------------------------------
* bb11438 - strengthen file typing for OOXML.
Wed, 2 Dec 2015 14:06:32 -0500 (Mickey Sola)
------------------------------------------
* bb-11099 - normalization of whitelist signatures
Wed, 2 Dec 2015 16:23:48 -0500 (Steven Morgan)
------------------------------------------
* github issue #9 - wrong length & offset.
Thursday, February 11, 2016
Join us as we welcome ClamAV 0.99.1 beta for testing! Be sure and grab the latest beta release on our official ClamAV download site. Remember, as we've stated for the past two releases, 0.99.1 will be the last release we place on SourceForge.net, so please transition to using ClamAV.net!
First, a couple release notes:
ClamAV 0.99.1 contains a new feature for parsing Hancom Office files
including extracting and scanning embedded objects. ClamAV 0.99.1
also contains important bug fixes.
Thanks to the following community members for code submissions used in
ClamAV 0.99.1:
Jim Morris
Andreas Cadhalpun
ChangeLog:
Tue, 2 Feb 2016 14:23:13 -0500 (Kevin Lin)
------------------------------------------
* add scanning options for scanning xml-based documents
(MSXML, OOXML, HWPML) and HWP3
Fri, 29 Jan 2016 16:17:40 -0500 (Kevin Lin)
------------------------------------------
* add dconfs for XDP, MBR, GPT, APM, OOXML, MSXML, and HWP formats
Tue, 2 Feb 2016 12:38:27 -0500 (Kevin Lin)
------------------------------------------
* hwp: scan decompressed data on limits exceeded
Sun, 31 Jan 2016 15:41:54 -0500 (Steven Morgan)
------------------------------------------
* Fix for signature name length<3 in .ign & .ign2 CVD files.
Fri, 29 Jan 2016 11:21:46 -0500 (Steven Morgan)
------------------------------------------
* Change RTF file magic from '{\rtf' to '{\rt'
Wed, 27 Jan 2016 14:17:47 -0500 (Mickey Sola)
------------------------------------------
* bb11444 - zeroing out buffer at allocation to avoid writing uninitialized
bytes to a file
Wed, 20 Jan 2016 16:21:58 -0500 (Mickey Sola)
------------------------------------------
* bb11446 - adding check for compressed input stream
Wed, 13 Jan 2016 14:56:46 -0500 (Kevin Lin)
------------------------------------------
* clean up and boost accuracy to detecting OOXML documents
Thu, 14 Jan 2016 17:01:01 -0500 (Steven Morgan)
------------------------------------------
* 11477 - Fix crash when using pcre statistics due to inconsistent memory
management function calls
Thu, 14 Jan 2016 15:31:02 -0500 (Mickey Sola)
------------------------------------------
* bb11444: adding check to verify a valid number of rounds for rijndael aes
encryption/decryption
Wed, 13 Jan 2016 13:18:01 -0500 (Mickey Sola)
------------------------------------------
* bb11441 - fixing edge case revealed by unit testing
Tue, 12 Jan 2016 17:20:26 -0500 (Steven Morgan)
------------------------------------------
* bb11466 - let html be scanned raw when --scan-html=no is in effect.
Tue, 12 Jan 2016 16:14:40 -0500 (Steven Morgan)
------------------------------------------
* bb11475: fix crash due to memory overlay with crafted 7z files.
Tue, 12 Jan 2016 14:30:41 -0500 (Mickey Sola)
------------------------------------------
* bb11441 - fixing off by one OOB write in htmlnorm
Mon, 11 Jan 2016 14:47:30 -0500 (Mickey Sola)
------------------------------------------
* bb11446 - fixing autoit OOB bufferread
Wed, 6 Jan 2016 14:57:48 -0500 (Mickey Sola)
------------------------------------------
* sigtool: adding support for decoding cdb sigs
Tue, 5 Jan 2016 13:13:47 -0500 (Steven Morgan)
------------------------------------------
* bb11467 - fix embedded http links.
Tue, 22 Dec 2015 19:04:42 -0500 (Steven Morgan)
------------------------------------------
* bb11451 - fix guard macro name collision on AIX.
Tue, 22 Dec 2015 13:36:51 -0500 (Steven Morgan)
------------------------------------------
* fix regression crash on sid 1005597703 due to uninitialized
(i.e., garbage initialized) structure.
Mon, 21 Dec 2015 17:39:47 -0500 (Steven Morgan)
------------------------------------------
* bb11456 - corrects mso stream prefix value for big endian processors.
Patch by Jim Morris.
Thu, 17 Dec 2015 16:16:55 -0500 (Kevin Lin)
------------------------------------------
* ooxml_hwp: add support for filetyping and preclassification
Thu, 17 Dec 2015 11:04:00 -0500 (Kevin Lin)
------------------------------------------
* hwpole2: new filetype and handler for hwp embedded ole2 files
Thu, 17 Dec 2015 12:46:38 -0500 (Mickey Sola)
------------------------------------------
* bb11443 - fixing possible oob dereference when parsing mbox files
Tue, 15 Dec 2015 16:12:01 -0500 (Mickey Sola)
------------------------------------------
* bb11442 - adding explicit wwunpack oob checks
Tue, 15 Dec 2015 10:53:05 -0500 (Mickey Sola)
------------------------------------------
* bb11445 - fixing edge case where a null terminator was unintentionally
written into an adjacent buffer.
Wed, 16 Dec 2015 16:13:05 -0500 (Kevin Lin)
------------------------------------------
* hwpml: use msxml_parser callback scanner for binary data
Wed, 16 Dec 2015 16:12:20 -0500 (Kevin Lin)
------------------------------------------
* msxml_parser: add callback-based scanning mechanism
Tue, 15 Dec 2015 13:01:40 -0500 (Kevin Lin)
------------------------------------------
* HWPML: added hwpml_keys for hwpml parsing
Tue, 15 Dec 2015 10:54:20 -0500 (Kevin Lin)
------------------------------------------
* add HWPML filetype, tab fixes in filetype.c
Mon, 14 Dec 2015 16:34:11 -0500 (Kevin Lin)
------------------------------------------
* Hwp3.x: inflate compressed segment and offset tracking
Fri, 11 Dec 2015 17:50:40 -0500 (Kevin Lin)
------------------------------------------
* Hwp3.x file header parsing and preclass
Wed, 16 Dec 2015 14:56:56 -0500 (Kevin Lin)
------------------------------------------
* pcre: fixed minimum pcre version check
Fri, 11 Dec 2015 17:41:38 -0500 (Steven Morgan)
------------------------------------------
* bb11452 - endianness correction for swf files on sparc -
patch supplied by Jim Morris.
Wed, 9 Dec 2015 12:15:16 -0500 (Mickey Sola)
------------------------------------------
* bb11424 - correcting buffer alignment for riff detection on sparc systems;
patch by Jim Morris
Wed, 9 Dec 2015 00:17:41 +0100 (Andreas Cadhalpun)
------------------------------------------
* fix detection of libcheck without pkg-config file
Wed, 9 Dec 2015 11:43:35 -0500 (Kevin Lin)
------------------------------------------
* add HWP5 filetype tracking to preclassification
Tue, 8 Dec 2015 15:05:30 -0500 (Kevin Lin)
------------------------------------------
* add HWP 3.x internal filetypes
Tue, 8 Dec 2015 14:47:12 -0500 (Kevin Lin)
------------------------------------------
* add hwp5 contents to preclass set
Fri, 4 Dec 2015 11:55:52 -0500 (Kevin Lin)
------------------------------------------
* proper identification of HWP file format
Tue, 8 Dec 2015 18:36:48 -0500 (Steven Morgan)
------------------------------------------
* bb11438 - strengthen file typing for OOXML.
Wed, 2 Dec 2015 14:06:32 -0500 (Mickey Sola)
------------------------------------------
* bb-11099 - normalization of whitelist signatures
Wed, 2 Dec 2015 16:23:48 -0500 (Steven Morgan)
------------------------------------------
* github issue #9 - wrong length & offset.
First, a couple release notes:
ClamAV 0.99.1 contains a new feature for parsing Hancom Office files
including extracting and scanning embedded objects. ClamAV 0.99.1
also contains important bug fixes.
Thanks to the following community members for code submissions used in
ClamAV 0.99.1:
Jim Morris
Andreas Cadhalpun
ChangeLog:
Tue, 2 Feb 2016 14:23:13 -0500 (Kevin Lin)
------------------------------------------
* add scanning options for scanning xml-based documents
(MSXML, OOXML, HWPML) and HWP3
Fri, 29 Jan 2016 16:17:40 -0500 (Kevin Lin)
------------------------------------------
* add dconfs for XDP, MBR, GPT, APM, OOXML, MSXML, and HWP formats
Tue, 2 Feb 2016 12:38:27 -0500 (Kevin Lin)
------------------------------------------
* hwp: scan decompressed data on limits exceeded
Sun, 31 Jan 2016 15:41:54 -0500 (Steven Morgan)
------------------------------------------
* Fix for signature name length<3 in .ign & .ign2 CVD files.
Fri, 29 Jan 2016 11:21:46 -0500 (Steven Morgan)
------------------------------------------
* Change RTF file magic from '{\rtf' to '{\rt'
Wed, 27 Jan 2016 14:17:47 -0500 (Mickey Sola)
------------------------------------------
* bb11444 - zeroing out buffer at allocation to avoid writing uninitialized
bytes to a file
Wed, 20 Jan 2016 16:21:58 -0500 (Mickey Sola)
------------------------------------------
* bb11446 - adding check for compressed input stream
Wed, 13 Jan 2016 14:56:46 -0500 (Kevin Lin)
------------------------------------------
* clean up and boost accuracy to detecting OOXML documents
Thu, 14 Jan 2016 17:01:01 -0500 (Steven Morgan)
------------------------------------------
* 11477 - Fix crash when using pcre statistics due to inconsistent memory
management function calls
Thu, 14 Jan 2016 15:31:02 -0500 (Mickey Sola)
------------------------------------------
* bb11444: adding check to verify a valid number of rounds for rijndael aes
encryption/decryption
Wed, 13 Jan 2016 13:18:01 -0500 (Mickey Sola)
------------------------------------------
* bb11441 - fixing edge case revealed by unit testing
Tue, 12 Jan 2016 17:20:26 -0500 (Steven Morgan)
------------------------------------------
* bb11466 - let html be scanned raw when --scan-html=no is in effect.
Tue, 12 Jan 2016 16:14:40 -0500 (Steven Morgan)
------------------------------------------
* bb11475: fix crash due to memory overlay with crafted 7z files.
Tue, 12 Jan 2016 14:30:41 -0500 (Mickey Sola)
------------------------------------------
* bb11441 - fixing off by one OOB write in htmlnorm
Mon, 11 Jan 2016 14:47:30 -0500 (Mickey Sola)
------------------------------------------
* bb11446 - fixing autoit OOB bufferread
Wed, 6 Jan 2016 14:57:48 -0500 (Mickey Sola)
------------------------------------------
* sigtool: adding support for decoding cdb sigs
Tue, 5 Jan 2016 13:13:47 -0500 (Steven Morgan)
------------------------------------------
* bb11467 - fix embedded http links.
Tue, 22 Dec 2015 19:04:42 -0500 (Steven Morgan)
------------------------------------------
* bb11451 - fix guard macro name collision on AIX.
Tue, 22 Dec 2015 13:36:51 -0500 (Steven Morgan)
------------------------------------------
* fix regression crash on sid 1005597703 due to uninitialized
(i.e., garbage initialized) structure.
Mon, 21 Dec 2015 17:39:47 -0500 (Steven Morgan)
------------------------------------------
* bb11456 - corrects mso stream prefix value for big endian processors.
Patch by Jim Morris.
Thu, 17 Dec 2015 16:16:55 -0500 (Kevin Lin)
------------------------------------------
* ooxml_hwp: add support for filetyping and preclassification
Thu, 17 Dec 2015 11:04:00 -0500 (Kevin Lin)
------------------------------------------
* hwpole2: new filetype and handler for hwp embedded ole2 files
Thu, 17 Dec 2015 12:46:38 -0500 (Mickey Sola)
------------------------------------------
* bb11443 - fixing possible oob dereference when parsing mbox files
Tue, 15 Dec 2015 16:12:01 -0500 (Mickey Sola)
------------------------------------------
* bb11442 - adding explicit wwunpack oob checks
Tue, 15 Dec 2015 10:53:05 -0500 (Mickey Sola)
------------------------------------------
* bb11445 - fixing edge case where a null terminator was unintentionally
written into an adjacent buffer.
Wed, 16 Dec 2015 16:13:05 -0500 (Kevin Lin)
------------------------------------------
* hwpml: use msxml_parser callback scanner for binary data
Wed, 16 Dec 2015 16:12:20 -0500 (Kevin Lin)
------------------------------------------
* msxml_parser: add callback-based scanning mechanism
Tue, 15 Dec 2015 13:01:40 -0500 (Kevin Lin)
------------------------------------------
* HWPML: added hwpml_keys for hwpml parsing
Tue, 15 Dec 2015 10:54:20 -0500 (Kevin Lin)
------------------------------------------
* add HWPML filetype, tab fixes in filetype.c
Mon, 14 Dec 2015 16:34:11 -0500 (Kevin Lin)
------------------------------------------
* Hwp3.x: inflate compressed segment and offset tracking
Fri, 11 Dec 2015 17:50:40 -0500 (Kevin Lin)
------------------------------------------
* Hwp3.x file header parsing and preclass
Wed, 16 Dec 2015 14:56:56 -0500 (Kevin Lin)
------------------------------------------
* pcre: fixed minimum pcre version check
Fri, 11 Dec 2015 17:41:38 -0500 (Steven Morgan)
------------------------------------------
* bb11452 - endianness correction for swf files on sparc -
patch supplied by Jim Morris.
Wed, 9 Dec 2015 12:15:16 -0500 (Mickey Sola)
------------------------------------------
* bb11424 - correcting buffer alignment for riff detection on sparc systems;
patch by Jim Morris
Wed, 9 Dec 2015 00:17:41 +0100 (Andreas Cadhalpun)
------------------------------------------
* fix detection of libcheck without pkg-config file
Wed, 9 Dec 2015 11:43:35 -0500 (Kevin Lin)
------------------------------------------
* add HWP5 filetype tracking to preclassification
Tue, 8 Dec 2015 15:05:30 -0500 (Kevin Lin)
------------------------------------------
* add HWP 3.x internal filetypes
Tue, 8 Dec 2015 14:47:12 -0500 (Kevin Lin)
------------------------------------------
* add hwp5 contents to preclass set
Fri, 4 Dec 2015 11:55:52 -0500 (Kevin Lin)
------------------------------------------
* proper identification of HWP file format
Tue, 8 Dec 2015 18:36:48 -0500 (Steven Morgan)
------------------------------------------
* bb11438 - strengthen file typing for OOXML.
Wed, 2 Dec 2015 14:06:32 -0500 (Mickey Sola)
------------------------------------------
* bb-11099 - normalization of whitelist signatures
Wed, 2 Dec 2015 16:23:48 -0500 (Steven Morgan)
------------------------------------------
* github issue #9 - wrong length & offset.
Thursday, December 17, 2015
We'd like to extend a huge thank you to our ClamAV community for helping us make ClamAV 0.99 the largest launch of ClamAV ever!
We generally average around 8,000 downloads of ClamAV a week; since 0.99 launched (two weeks ago), we've had over 20,000 downloads a week.
We're pretty happy with this number and can't wait until 0.99 is in everyone's hands, so that all of our millions of users can use the latest detection and features.
If you haven't updated to ClamAV 0.99, we encourage you to do so as soon as possible, help us keep the momentum going, and keep breaking records!
Tuesday, December 1, 2015
Please join us in welcoming ClamAV 0.99 to the family! The following are the 0.99 release notes:
ClamAV 0.99 contains major new features and changes. YARA rules,
Perl Compatible Regular Expressions, revamped on-access scanning
for Linux, and other new features join the many great features of ClamAV:
- Processing of YARA rules (some limitations; see signatures.pdf).
- Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
- New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
- A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
- Configurable default password list to attempt zip file decryption.
- TIFF file support.
- Upgrade Windows pthread library to 2.9.1.
- A new signature target type for designating signatures to run against files with unknown file types.
- Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
- Support for LZMA decompression within Adobe Flash files.
- Support for MSO attachments within Microsoft Office 2003 XML files.
- A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ASCII files.
- Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.
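The YARA-derived features above change how a logical signature is evaluated: a PCRE subsignature carries a trigger expression over the other subsignatures, and the regex is only run once that trigger holds. As an added illustration (not code from the ClamAV project or from this post), here is a small Python re-implementation of that evaluation for one .ldb record. Everything in it is constructed for the example: the signature text, the sample buffers, the `parse_ldb`, `eval_logic`, `compile_subsig` and `match_ldb` helper names, and the assumption that "Engine:81-255" corresponds to 0.99's functionality level. Python's re module stands in for PCRE, and only a subset of the .ldb grammar (plain hex subsignatures, Trigger/PCRE/Flags subsignatures, and `&`, `|` and parentheses in logical expressions) is supported.

```python
"""Toy evaluator for a ClamAV 0.99-style logical signature with a PCRE subsig.
Added illustration only: not ClamAV's matcher, does not link libclamav, and
uses Python's re module, whose syntax is close to but not identical to PCRE."""
import re

HEX_SUBSIG = re.compile(r"^(?:[0-9a-fA-F]{2})+$")  # plain hex, no wildcards
LOGIC_CHARS = re.compile(r"^[0-9&|()]+$")          # logic subset we accept


def parse_ldb(line):
    """Split one .ldb record: Name;TargetDescriptionBlock;LogicalExpression;Subsig..."""
    name, tdb, logic, *subsigs = line.strip().split(";")
    if not subsigs:
        raise ValueError("logical signature needs at least one subsignature")
    tdb_fields = dict(field.split(":", 1) for field in tdb.split(",") if field)
    return {"name": name, "tdb": tdb_fields, "logic": logic, "subsigs": subsigs}


def eval_logic(expr, hits):
    """Evaluate a logical expression over per-subsignature hit counts.
    Toy subset of the .ldb grammar: an index is true when that subsignature hit
    at least once, '&' binds tighter than '|', parentheses group; count
    comparisons such as '0>1' are not implemented here."""
    if not LOGIC_CHARS.match(expr):
        raise ValueError("unsupported logical expression: %r" % expr)
    tokens, pos = re.findall(r"\d+|[&|()]", expr), 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = parse_and()  # always consume the right side: no short-circuit
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return value
        return hits[int(tok)] > 0

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def compile_subsig(subsig):
    """Return ('hex', counter) or ('pcre', (trigger, counter)) for one subsig."""
    if HEX_SUBSIG.match(subsig):
        needle = bytes.fromhex(subsig)
        return "hex", lambda data: data.count(needle)
    # Trigger/PCRE/Flags: the regex may contain escaped slashes, so split on the
    # first and last '/' rather than on every one.
    first, last = subsig.index("/"), subsig.rindex("/")
    if first == last:
        raise ValueError("malformed PCRE subsignature: %r" % subsig)
    trigger, pattern, flags = subsig[:first], subsig[first + 1:last], subsig[last + 1:]
    re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    regex = re.compile(pattern.encode("latin-1"), re_flags | (re.MULTILINE if "m" in flags else 0))
    return "pcre", (trigger, lambda data: sum(1 for _ in regex.finditer(data)))


def match_ldb(sig, data):
    """True if the signature fires on data. Hex subsigs are counted first; a
    PCRE subsig runs only when its trigger already holds, so the expensive
    regex is skipped on buffers that cannot match anyway."""
    compiled = [compile_subsig(s) for s in sig["subsigs"]]
    hits = [0] * len(compiled)
    for i, (kind, counter) in enumerate(compiled):
        if kind == "hex":
            hits[i] = counter(data)
    for i, (kind, value) in enumerate(compiled):
        if kind == "pcre":
            trigger, counter = value
            if eval_logic(trigger, hits):
                hits[i] = counter(data)
    return eval_logic(sig["logic"], hits)


def scan(ldb_line, data):
    """Parse one .ldb record and report whether it matches data."""
    return match_ldb(parse_ldb(ldb_line), data)


# Constructed example record, not from the ClamAV database. Subsig 0 is the hex
# of a DOS/PE header start ("MZ\x90\x00"); subsig 1 is a PCRE that runs only if
# subsig 0 hit (trigger "0") and looks for an encoded PowerShell command line.
# "Engine:81-255" assumes functionality level 81 is 0.99 (an assumption here).
EXAMPLE_LDB = (
    "Win.Trojan.Example-Demo;Engine:81-255,Target:0;0&1;4d5a9000;"
    "0/powershell(\\.exe)?\\s+-e(nc(odedcommand)?)?\\s+[A-Za-z0-9+\\/=]{16,}/i"
)
# Constructed sample buffers.
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 60 + b"cmd /c PowerShell.exe  -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
SAMPLE_NO_HEADER = b"cmd /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 60 + b"Hello, world"

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("no-header", SAMPLE_NO_HEADER), ("clean", SAMPLE_CLEAN)):
        print("%-10s %s" % (label, scan(EXAMPLE_LDB, buf)))
```

The second sample shows why the trigger matters: its command line would satisfy the regex on its own, but with no header bytes the trigger "0" fails, the regex is never run, and the signature does not fire. The real engine also supports count comparisons, wildcards in hex subsignatures and more flags; those are deliberately left out of this toy.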
PLEASE NOTE: If you are using clamd on-access scanning or have applications
using all-match mode, you will want to review the changes and make any necessary
adjustments before using ClamAV 0.99. Users of Windows binaries need to be
aware of the change of installation directories.
As always ClamAV can be downloaded from the ClamAV Downloads page on ClamAV.net! Please provide your feedback via the ClamAV Mailing Lists!
Thank you to the ClamAV community members who sent patches and bug reports
included for ClamAV 0.99:
Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert
Thursday, November 19, 2015
ClamAV 0.99rc2 contains major new features and changes. YARA rules, Perl Compatible Regular Expressions, revamped on-access scanning for Linux, and other new features join the many great features of ClamAV:
- Processing of YARA rules (some limitations; see signatures.pdf).
- Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
- New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
- A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
- Configurable default password list to attempt zip file decryption.
- TIFF file support.
- Upgrade Windows pthread library to 2.9.1.
- A new signature target type for designating signatures to run against files with unknown file types.
- Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
- Support for LZMA decompression within Adobe Flash files.
- Support for MSO attachments within Microsoft Office 2003 XML files.
- A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ASCII files.
- Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.
PLEASE NOTE: If you are using clamd on-access scanning or have applications using all-match mode, you will want to review the changes and make any necessary adjustments before using ClamAV 0.99. Users of Windows binaries need to be aware of the change of installation directories.
Thank you to the ClamAV community members who sent patches and bug reports included for ClamAV 0.99:
Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert
You can download ClamAV 0.99rc2 from the ClamAV downloads site. As a reminder, in an upcoming release, we will cease updating the SourceForge release site for ClamAV. Please start downloading directly from ClamAV.net now.
Labels: 0.99, clamav, Release Candidate, yara
Thursday, October 15, 2015
ClamAV 0.99 Release Candidate has been posted for download! Please check out the below release notes:
This is the first release of ClamAV that is being done on both ClamAV.net and SourceForge. If you are a package or mirror maintainer, make sure you start moving your download location from SourceForge over to ClamAV.net.
0.99-rc1
--------
ClamAV 0.99 contains major new features and changes. YARA rules, Perl Compatible Regular Expressions, revamped on-access scanning for Linux, and other new features join the many great features of ClamAV:
- Processing of YARA rules (some limitations; see signatures.pdf).
- Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
- New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
- A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
- Configurable default password list to attempt zip file decryption.
- TIFF file support.
- Upgrade Windows pthread library to 2.9.1.
- A new signature target type for designating signatures to run against files with unknown file types.
- Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
- Support for LZMA decompression within Adobe Flash files.
- Support for MSO attachments within Microsoft Office 2003 XML files.
- A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ASCII files.
- Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.
PLEASE NOTE: If you are using clamd on-access scanning or have applications using all-match mode, you will want to review the changes and make any necessary adjustments before using ClamAV 0.99. Users of Windows binaries need to be aware of the change of installation directories.
Thank you to the ClamAV community members who sent patches and bug reports included for ClamAV 0.99:
Steve Basford
Sebastian Andrzej Siewior
Bill Parker
Andreas Schulze
Yann E. Morin
Andreas Cadhalpun
Dmitry Marakasov
Michael Pelletier
Felix Groebert
--
The ClamAV team (http://www.clamav.net/about.html#credits)
Labels: 0.99, clamav, Release Candidate, yara
Tuesday, October 13, 2015
Those of you that have visited ClamAV.org in the past several hours may have noticed a slight change in our procedures for downloads. For years, we've been shuttling you over to Sourceforge's download site to download our packages.
That stopped today. Starting today, we've moved all downloads of ClamAV onto ClamAV.org.
For the next couple of versions (at least 0.99 and a bug fix after), we'll be releasing ClamAV on both platforms to allow for the transition of packages, people's shell scripts, etc.
Starting today, this move should allow for more visibility for us into the platform, metrics around versions, and overall usage. You will find our current release, all current beta and development releases, as well as previous stable releases.
Please be sure and report any bugs you may find to the web team here at ClamAV at: talosweb@cisco.com
Labels: clamav, clamav.net