[Clamav-devel] ClamAV Community Announcement

2010-03-02 Thread Brandon Perry
This is awesome. You guys rock hardcore.

On Mar 2, 2010 12:24 PM, "Matt Watchinski" 
wrote:

The release date for ClamAV 0.96 RC 1 has been moved up to March 10th, 2010.
With that in mind, I wanted to take a moment to highlight some of the new
features we've been working on and a new product for ClamAV Windows users.
Additionally, I'd like to encourage users to try out the RC when it's released on
March 10th to help us find bugs before the final release.

First up, let's talk about 0.96 and some of its major new features.

1. The Bytecode Interpreter - The Bytecode Interpreter allows ClamAV sig-makers
to create very complex AV signatures for complex pieces of malware.  This is a
pretty major addition to the detection technologies inside of ClamAV.

2. Native Windows Support - ClamAV will now build natively under Visual Studio.
This will allow 3rd Party application developers on Windows to easily integrate
LibClamAV into their applications.

3. UPX 3.0 unpacking support - Add support for decompressing UPX version 3.0
packed applications.

4. 7zip archive support - Add support for decompressing 7zip archives and
inspecting their contents.

5. OSX Mach-O support - Add support for parsing OSX Mach-O binary files and
intelligently inspecting their contents.

6. 64-bit ELF support - Add support for intelligently parsing and detecting
malware in 64-Bit ELF binaries.

7. InstallShield archives support - Add support for unpacking and inspecting the
contents of InstallShield archives.

8. CPIO archive support - Add support for unpacking and inspecting the contents
of CPIO archives.

9. Heuristic improvements - Improve the PE heuristics detection engine by adding
support for bogus icons and fake PE header information. In a nutshell, ClamAV can
now detect malware that tries to disguise itself as a harmless application by
using the most common Windows program icons.

10. Performance improvements - Overall performance improvements and memory
optimizations for a better overall resource utilization experience.

11. Signature Improvements - Logical signature improvements to allow referencing
groups of signatures.  Additionally, improvements to wildcard matching on word
boundaries and newlines.

And that's not all

We've partnered up with Immunet (www.immunet.com) to leverage their Cloud-Based
and community based detection network.  As part of this partnership Immunet has
helped us produce a lightweight, simple, and easy to use desktop AV product for
Windows.  This new product is called ClamAV for Windows.  I know, somewhat
uncreative, but we focused all our creative talents on the technology and not
the name.

For a complete list of features, how it works, and other details please visit
http://www.clamav.net/about/win32/

If you just want to try it out now, go here to download this new product
http://www.clamav.net/win32/clam-latest-32.exe - 32 Bit
http://www.clamav.net/win32/clam-latest-64.exe - 64 Bit

Cheers,
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


[Clamav-devel] ClamAV Community Announcement

2010-03-02 Thread Matt Watchinski
The release date for ClamAV 0.96 RC 1 has been moved up to March 10th, 2010.
With that in mind, I wanted to take a moment to highlight some of the new
features we've been working on and a new product for ClamAV Windows users.
Additionally, I'd like to encourage users to try out the RC when it's released on
March 10th to help us find bugs before the final release.

First up, let's talk about 0.96 and some of its major new features.

1. The Bytecode Interpreter - The Bytecode Interpreter allows ClamAV sig-makers
to create very complex AV signatures for complex pieces of malware.  This is a
pretty major addition to the detection technologies inside of ClamAV.

2. Native Windows Support - ClamAV will now build natively under Visual Studio.
This will allow 3rd Party application developers on Windows to easily integrate
LibClamAV into their applications.

3. UPX 3.0 unpacking support - Add support for decompressing UPX version 3.0
packed applications.

4. 7zip archive support - Add support for decompressing 7zip archives and
inspecting their contents.

5. OSX Mach-O support - Add support for parsing OSX Mach-O binary files and
intelligently inspecting their contents.

6. 64-bit ELF support - Add support for intelligently parsing and detecting
malware in 64-Bit ELF binaries.

7. InstallShield archives support - Add support for unpacking and inspecting the
contents of InstallShield archives.

8. CPIO archive support - Add support for unpacking and inspecting the contents
of CPIO archives.

9. Heuristic improvements - Improve the PE heuristics detection engine by adding
support for bogus icons and fake PE header information. In a nutshell, ClamAV can
now detect malware that tries to disguise itself as a harmless application by
using the most common Windows program icons.

10. Performance improvements - Overall performance improvements and memory
optimizations for a better overall resource utilization experience.

11. Signature Improvements - Logical signature improvements to allow referencing
groups of signatures.  Additionally, improvements to wildcard matching on word
boundaries and newlines.

And that's not all

We've partnered up with Immunet (www.immunet.com) to leverage their Cloud-Based
and community based detection network.  As part of this partnership Immunet has
helped us produce a lightweight, simple, and easy to use desktop AV product for
Windows.  This new product is called ClamAV for Windows.  I know, somewhat
uncreative, but we focused all our creative talents on the technology and not
the name.

For a complete list of features, how it works, and other details please visit
http://www.clamav.net/about/win32/

If you just want to try it out now, go here to download this new product
http://www.clamav.net/win32/clam-latest-32.exe - 32 Bit
http://www.clamav.net/win32/clam-latest-64.exe - 64 Bit

Cheers,
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/


Re: [Clamav-devel] Do I really have to upgrade to 0.95 ?...

2010-03-02 Thread Brandon Perry
I can understand that on some legacy production systems, it would be easier
to work around than upgrade. I have run into FC3 production machines, and
just compiling clamav or such wouldn't just work.

Limor, can you give us a reason why it's an issue?

2010/3/2 Török Edwin 

> On 03/02/2010 02:00 PM, Limor Tal wrote:
> > 1. Can I keep using code that is older than 0.95 with the future CVD
> files
>
> Why? What prevents you from upgrading?
> What version are you running now?
>
> > (those that will be distributed starting from May 2010) if I do not use
> > sigtool and cdiff?
>
> If you somehow work around the special signature (your question 4), then
> the CVD will load. It may or may not work; it may or may not crash.
>
> There is also bug #1331 (which got fixed in 0.95) affecting libclamav
> with logical signatures.
>
> All signatures can specify a "functionality level" to say what is the
> minimum engine version needed to load them. When we release a signature
> that makes use of these new features, we usually set the minimum
> functionality level (so old engines will skip the signature).
>
> However, due to bug #1331, when ClamAV <0.95 tries to load a logical
> signature with a functionality level specified, it will either read
> uninitialized memory or crash.
> So even if we wanted to add a functionality level to the new ldbs, so that
> engines older than 0.95 can load it, we can't, since adding the
> functionality level would cause a crash for them.
> If we don't add the functionality level, libclamav won't crash, but will
> probably fail to load the signature with a syntax error.
>
> > 2. Are those the only places in the code where the long signatures in the
> > daily file cause a problem?
>
> cdiff is the only problem with long signatures, which affects freshclam.
> But as I've shown above there are other bugs with <0.95 that may cause
> problems.
>
> > 3. Is the signature length the only incompatibility issue?
>
> No, see above for an example.
>
> > 4. Can I choose to ignore the "special signature which disables all clamd
> > installations older than 0.95"?
>
> Nothing prevents you from removing that signature with a script, or
> modifying the code to skip it.
>
> But if you go through all that trouble, you might as well just upgrade.
> You are:
>  - spending time to implement something to work around the special
> signature, possibly more time than what an upgrade would need
>  - running a ClamAV installation that has known bugs (including security
> bugs) that got fixed in later versions
>  - depending on how old your ClamAV engine is, you could be missing lots
> of signatures. Look at the number of Known viruses reported by clamscan,
> and compare it to the one on clamav.net
>  - there is no support for bugs in clamav 0.94.x or older; you should
> run the latest stable to get all the security fixes [1]
>
> Considering all this, you could simply install clamav-0.95.3 using a
> package from your distro, or compile it from source.
> Then you would have something that you know loads all signatures
> and works.
>
> [1] distributions may backport security fixes to older releases.
> They may or may not backport all the fixes that affect signature loading.
>
> Best regards,
> --Edwin



-- 
http://www.volatileminds.net


Re: [Clamav-devel] Do I really have to upgrade to 0.95 ?...

2010-03-02 Thread Török Edwin
On 03/02/2010 02:00 PM, Limor Tal wrote:
> 1. Can I keep using code that is older than 0.95 with the future CVD files

Why? What prevents you from upgrading?
What version are you running now?

> (those that will be distributed starting from May 2010) if I do not use
> sigtool and cdiff?

If you somehow work around the special signature (your question 4), then
the CVD will load. It may or may not work; it may or may not crash.

There is also bug #1331 (which got fixed in 0.95) affecting libclamav
with logical signatures.

All signatures can specify a "functionality level" to say what is the
minimum engine version needed to load them. When we release a signature
that makes use of these new features, we usually set the minimum
functionality level (so old engines will skip the signature).

However, due to bug #1331, when ClamAV <0.95 tries to load a logical
signature with a functionality level specified, it will either read
uninitialized memory or crash.
So even if we wanted to add a functionality level to the new ldbs, so that
engines older than 0.95 can load it, we can't, since adding the
functionality level would cause a crash for them.
If we don't add the functionality level, libclamav won't crash, but will
probably fail to load the signature with a syntax error.

> 2. Are those the only places in the code where the long signatures in the
> daily file cause a problem?

cdiff is the only problem with long signatures, which affects freshclam.
But as I've shown above there are other bugs with <0.95 that may cause
problems.

> 3. Is the signature length the only incompatibility issue?

No, see above for an example.

> 4. Can I choose to ignore the "special signature which disables all clamd
> installations older than 0.95"?

Nothing prevents you from removing that signature with a script, or
modifying the code to skip it.

But if you go through all that trouble, you might as well just upgrade.
You are:
 - spending time to implement something to work around the special
signature, possibly more time than what an upgrade would need
 - running a ClamAV installation that has known bugs (including security
bugs) that got fixed in later versions
 - depending on how old your ClamAV engine is, you could be missing lots
of signatures. Look at the number of Known viruses reported by clamscan,
and compare it to the one on clamav.net
 - there is no support for bugs in clamav 0.94.x or older; you should
run the latest stable to get all the security fixes [1]

Considering all this, you could simply install clamav-0.95.3 using a
package from your distro, or compile it from source.
Then you would have something that you know loads all signatures
and works.

[1] distributions may backport security fixes to older releases.
They may or may not backport all the fixes that affect signature loading.

Best regards,
--Edwin
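The functionality-level gate Edwin describes, written out as an added Python example (not code from this thread or from ClamAV's own loader): it parses the ClamAV logical-signature (.ldb) line format, Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..., reads the Engine:X-Y range from the target description block, and skips any signature whose range does not contain the running engine's level. The sample database lines and the engine level numbers are constructed placeholders, and the default range used when Engine: is absent is an assumption.

```python
# Added example: functionality-level gate for ClamAV logical (.ldb) signatures.
# Record: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
from dataclasses import dataclass

@dataclass
class LogicalSig:
    name: str
    target: int
    engine_min: int
    engine_max: int
    expression: str
    subsigs: list

def parse_ldb_line(line: str) -> LogicalSig:
    """Split one .ldb record and pull Target/Engine out of its description block."""
    fields = line.rstrip("\n").split(";")
    if len(fields) < 4:
        raise ValueError(f"malformed logical signature: {line!r}")
    name, tdb, expression, *subsigs = fields
    target, eng_min, eng_max = 0, 0, 255   # assumed defaults when a key is absent
    for item in tdb.split(","):
        key, _, value = item.partition(":")
        if key == "Target":
            target = int(value)
        elif key == "Engine":
            lo, _, hi = value.partition("-")
            eng_min, eng_max = int(lo), (int(hi) if hi else 255)
    return LogicalSig(name, target, eng_min, eng_max, expression, subsigs)

def should_load(sig: LogicalSig, engine_flevel: int) -> bool:
    """True when the running engine's level lies inside the signature's range."""
    return sig.engine_min <= engine_flevel <= sig.engine_max

def load_database(lines, engine_flevel: int):
    """Return (loaded, skipped) signature names for an engine at engine_flevel."""
    loaded, skipped = [], []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                        # blank line or comment
        sig = parse_ldb_line(line)
        (loaded if should_load(sig, engine_flevel) else skipped).append(sig.name)
    return loaded, skipped

# Constructed sample database: Engine numbers are placeholders, not real ClamAV
# release levels, and the hex subsignatures are arbitrary.
SAMPLE_LDB = """Sample.Old.Sig;Target:1;0&1;4d5a;50450000
Sample.New.Sig;Target:1,Engine:51-255;0&1;4d5a;50450000
Sample.Ranged.Sig;Target:0,Engine:56-60;(0|1)>2;deadbeef;cafebabe
"""
```

An engine below a signature's minimum level simply never sees it, which is the skip behaviour a correctly working old engine should show; the crash Edwin mentions is what happens when the loader itself mishandles that field.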


[Clamav-devel] Do I really have to upgrade to 0.95 ?...

2010-03-02 Thread Limor Tal
1. Can I keep using code that is older than 0.95 with the future CVD files
(those that will be distributed starting from May 2010) if I do not use
sigtool and cdiff?
2. Are those the only places in the code where the long signatures in the
daily file cause a problem?
3. Is the signature length the only incompatibility issue?
4. Can I choose to ignore the "special signature which disables all clamd
installations older than 0.95"?