ClamAV 0.97.8 has been released!

Dear ClamAV users,


"ClamAV 0.97.8 addresses several reported potential security bugs. Thanks to Felix Groebert of the Google Security Team for finding and reporting these issues."


Download: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz 
PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz.sig
ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

--
The ClamAV team (http://www.clamav.net/lang/en/about/team/

You want to become a ClamAV mirror?

One of the questions I receive in my inbox quite frequently is:

"Does ClamAV need any more mirrors for virus definitions?"

The quick answer is "Yes!"  We'll take all the mirrors that we can get, as we increase output of virus definitions and such, we need more infrastructure to be able to handle the load.

If you are interested in becoming a ClamAV mirror, please follow the instructions here:

https://github.com/vrtadmin/clamav-faq/blob/master/mirrors/MirrorHowto.md

ClamAV 0.97.7 has been released!

Dear ClamAV users,


"ClamAV 0.97.7 addresses several reported potential security bugs. Thanks to Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for finding and reporting these issues."


Download: http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz 
PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz.sig
ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

--
The ClamAV team (http://www.clamav.net/lang/en/about/team/

Resolving Issues With Freshclam

Certain users are experiencing database update issues due to the failed Authenticode database push. This blog post will show how to check if you're one of those affected users and how to fix freshclam.

Validate You're Affected

You can validate that you're having this particular issue by a number of ways:

1. Check the hash of your daily.cvd. You are affected if the hash matches the following:
1. MD5: 89dedb45609e59b0244fb5202ab6fa56
2. SHA1: 9947ec90e60499ab7c3331670d5b26b4eaac76e4
2. Check your freshclam log file for repeated errors that look like:
1. Ignoring mirror [Mirror's IP address here] (has connected too many times with an outdated version)
3. Check the version number and the functional level of the daily.cvd by using sigtool:
1. sigtool --info daily.cvd will show a version number of 16681 and a functionality level of 73

How To Fix Freshclam

If you are expereincing the problem, please do the following:  Stop the freshclam daemon if it's running, delete both mirrors.dat and daily.cvd, then restart the freshclam daemon. Freshclam will then download a new daily.cvd and will be up-to-date.

We apologize for any inconvenience this has caused and thank you for using ClamAV.  If you have any further issues, please send a message to the ClamAV user's list or contact us via IRC.

Planned Infrastructure Maintenance - 04 Mar 2013

In preparation for the ClamAV 0.98 release, we will be performing maintenance on the infrastructure beginning at 5:00 PM EST on 04 Mar 2013.

We will be pushing out a new signature database that does not have a corresponding cdiff file. This means that clients will pull down a full copy of the daily.cvd database, which will cause an increase in download traffic from the mirrors.

The maintenance is estimated to take one hour.  No impact to users, beyond the downloading of a new daily.cvd, is anticipated.

We would like to extend our thanks to the mirror providers for their contributions, and thank you for using ClamAV.

Post-Mortem Analysis Of Virus Database Push Issues

On Thursday, 14 Feb 2013, in preparation for the coming ClamAV 0.98 release, a new database was scheduled to be made available to users. We had a set of issues while performing this upgrade, and we feel that it is appropriate to let our users and mirror providers know what happened, what has done to fix the issues, and what is being done to prevent these issues from happening again.

So first, What Happened?

1. 14 Feb 2013 0800 EST: Start of our scheduled work on our infrastructure.
2. 14 Feb 2013 0815 EST: A new, custom daily.cvd (our virus definition database) was published. This database was generated with ClamAV 0.98, which in turn caused freshclam to think that a new version of ClamAV was available (not yet, but there will be).
3. 14 Feb 2013 0830 EST: Published a new daily.cvd, generated with ClamAV 0.97.6, the current version of ClamAV. This corrected the issue with incorrect notifications of a new version of ClamAV.
4. 14 Feb 2013 1100 EST: Clients report errors with updating. Investigation starts.
5. 14 Feb 2013 1130 EST: The problem was isolated. The new database wasn't copied into a critical directory on our internal Signature server. The database publishing infrastructure didn't know that a custom database had been published. The custom database was overwritten with a new database.  This resulted in some users being unable to use the .cdiff files (our incremental update files) for updating, leading to users who had downloaded the custom database to be unable to update.
6. 14 Feb 2013 1330 EST: A new database was published to resolve the issues. Issues should now be resolved for most users.
7. 19 Feb 2013 1700 EST: Issues resolved for all remaining users by modifying the set of available .cdiff files.

Fixes That Have Been Performed

We've deleted all database files that would cause errors. This should fix the remainder of issues for our users.  However, any users who are still seeing errors should delete the mirrors.dat file in their database directory to force a reset of mirror selection.

Prevention

We've put in place a workflow that will prevent issues like this from popping up. A full change-management process is in place, with an emphasis on peer-reviewed planning, comprehensive test plans and appropriate personnel assignments.  Change plans will be approved by a senior administrator, a ClamAV developer and a representative from the analyst team.

For the convenience of our mirror providers, there is now a set maintenance window for routine changes: Monday 5pm EST through midnight EST.  As always, we will aim to notify mirror providers a week in advance of any change.  In the case of emergent issues, a different time or a shorter notification may be required.

We apologize for any inconvenience caused by the problems outlined in this post.  We will continue to review our processes to ensure that we are providing the best experience for both our users and our mirror providers.

Authenticode Certificate Chain Verification

Introduction

Microsoft introduced digitally signing PE object files (authenticode) in Windows 98. Hardware drivers eligible for the Windows Logo Program are required to contain a valid authenticode signature. Since then, Microsoft has expanded the program to executable object files (EXEs) and DLLs.

Microsoft has its own public key infrastructure (PKI). There are four trusted root certificate authorities: two by Microsoft, Thawte, and Verisign. Microsoft's own executables for Windows are signed.

Authenticode At Work

The Problem

It's becoming more common for malware authors to sign their executables. Malware authors are known to steal existing certificates or forge certificates (the certificate forging link talks about SSL certificates; though you can't use certificates used for web browsing with authenticode, the concept still applies). Stealing and forging existing certificates can trick unsuspecting users into trusting the malware.

The Solution

ClamAV 0.98 now parses and validates the authenticode certificates. ClamAV now ships a database of trusted and revoked certificates. If the PE file being scanned is flagged as a virus, ClamAV follows this logic in validating the certificate chain contained inside the PE file:

1. Load the chain in full
2. Validate each certificate in the chain:
1. If no certificate matches one of the four trusted roots, the whole chain is considered invalid and is subsequently ignored. Further chain processing is stopped.
2. If one certificate matches a revoked entry in the database, the whole chain is considered invalid. Report PE file being scanned is a virus.
3. If no certificates match a revoked entry in the database, the PE file is marked as clean. No virus is reported for the PE file being scanned.

Generating A Certificate Revocation Entry

Since the authenticode chain is verified only after a file has been flagged as virus by the ClamAV engine, you have to first create a signature for the file if one doesn't already exist. If a signature exists, yet the file is reported as clean, chances are that the file is being whitelisted due to having a valid authenticode signature. You can verify that the file is being whitelisted by passing --debug --verbose to clamscan and looking for the word authenicode (yes, that is indeed misspelled, but that works out to our advantage). If you see that word, then the file is being whitelisted and a certificate revocation entry needs to be created.

First, we need to dump the certificate chain so that we can find the certificate to revoke. You can tell ClamAV to dump the certificate chain to stderr by passing --dumpcerts to clamscan. You will then match the certificate that is dumped with the public key of the lowest certificate in the chain that Windows shows. Windows shows a few bytes before the public key actually starts. Don't worry, if that confuses you, I have screenshots:

Windows Certificate Information

Validating and Dumping Authenticode Certificate Information via ClamAV

Certificate revocation entries go into a .crtdb file in your ClamAV database directory. Its format is as follows: name;trusted;subject;serial;pubkey;exponent;codesign;timesign;certsign;notbefore;comment[;minFL[;maxFL]]

Where:

1. Name: a descriptive name for the certificate entry
2. Trusted: a bit field (0 or 1) whether this entry is trusted or revoked
3. Subject: the subject reported by ClamAV
4. Serial: the serial reported by ClamAV
5. Pubkey: the public key reported by ClamAV
6. Exponent: The exponent of the certificate. Set this to 010001.
7. Codesign: A bit field (0 or 1) whether this certificate can sign code
8. Timesign: A bit field (0 or 1) whether this certificate can generate a timestamp signature
9. Certsign: A bit field (0 or 1) whether this certificate can sign other certificates
10. Notbefore: The notbefore field of the certificate. Defaults to 0 if empty.
11. Comment: any comments about this entry
12. MinFL: The minimum ClamAV feature level needed for this entry. Required only if MaxFL is set.
13. MaxFL: The maximum ClamAV feature level supported by this entry

Let's return back to the example. We now have enough information to create the certificate revocation entry. It would look like: 

Descriptive name here;0;fe72355be4b6893d8e5b628d1a9ae8863d202b6f;a58d94ce010afa9865e732870971428768c92d64;ba0532ff862861cfaf8c22601fe479e3697b6ab94ff01c3254d105018c93bdb47f4c3fc1fb1d20172c46a727fb589f310cf6b081517ee472d145dfd4939c7d4652aad06c3ee6722f15703e88bbd8bc4d56fe7030b21f105fa9817b625103273caf46072628207e81bc13ac6ba18cdd3e93b97c9761730eb14ce36464cc997075;010001;1;0;0;0;

After adding that revocation entry to our certs database, ClamAV now flags the sample as a virus:

clamscan Reporting Virus

Contribute signatures to ClamAV

Back in February, Joel Esler who is our Open Source Community Manager, explained how you could contribute rules to Snort. We just wanted to let you know that the VRT is seeking and accepting your contribution on the ClamAV side as well.

One of the best features of ClamAV is the openness of the signatures database. There are very few anti-malware products out there that will allow you see exactly how a signature is constructed and let you use your  own custom signatures. We strive to provide the best protection we can to our users through the official signature releases we provide several times a day. However, the nature of our field makes it that you will at some point (if you haven't already) come across malware for which there are no official signatures to detect it.

That's where your contribution is sought and would be highly appreciated. If you come across malware that isn't detected with the official ClamAV signatures and you have your own signature to detect it, please provide it to us! It will go through our regular QA cycle and we will provide you with personal feedback. Your signature will be tweaked if necessary and tested against our clean files in order to prevent false positives once released. We will also give you credit for the signature your contributed unless you choose to remain anonymous.

You have a few ways of contributing signatures:

- Go to http://www.clamav.net/lang/en/sendvirus/submit-malware/ 

In the description field, provide your signature along with supporting evidence. Attach your sample and submit.

- Submit your password protected zip (a typical password is 'infected') along with your research and signature via email to vrt[at]sourcefire.com

We prefer "body-based" signatures as opposed to "checksum-based" signatures. Hex (body) signatures are based on a fragment of a malware sample's body converted into a hexadecimal string which can be extended using various wildcards. More on how to write ClamAV signatures here and here.

Of course we are always accepting false positive submissions here.

Open Source Antivirus: ClamAV by Dejan Lukan

For someone just getting started with ClamAV, I noticed this easy to read and understand blog post here.  If you know someone who is just getting started with ClamAV, or you yourself came to this blog looking to get started.  Check that blog post out!

ClamAV Wiki Documents

We've had much interest in the documents that were contained within our Wiki before we took it down here at ClamAV.  We've managed to salvage the useful pieces of the Wiki and publish them on our github site.  Check it out here:

https://github.com/vrtadmin/clamav-faq