Re: [clamav-users] Inquire about clamav latest stable version
Hi Ged,

Thank you for your reply! Let me explain more about what we plan to use clamav for, or the previous questions might be confusing.

We're planning to use clamav in company's internal platform to do malware scanning. Downloading the source package is the best way to make sure we have the latest stable version and it's pretty convenient to do so as a user (we appreciate it very much). While since we use it at company, I'm not so sure if it complies with company's open source software usage policy and we might need to contact the related team to discuss this. Getting the package from package distribution is an easier way for us as such usage is already approved by the open source team at our company.

Thank you for the information you provide, based on your response, I still wanna ask several more questions to make sure I understand correctly.

1. If we use a relatively older version, for example, 0.103.6, which is supported by "RedHat & Fedora" and "Fedora & EPEL" package distribution currently. I will expect some new features and changes added to version 105 don't exist in version 103. While could I still assume version 103 is still supported (new patches will be added) and could still give decent malware scanning results?

2. If we already use older versions (like version 103), upgrading it to a minor version with patch release (like 103.6) will install the bug fixes and give us a better using experience. While upgrading it to a new major version (like 105) may require more extra work, such as rust toolchain setup which is mentioned in the release note. I guess that's the reason why we release new major version 105 and patch release versions for 103 and 104 together?

Sorry I may have some misunderstanding before. I thought we must upgrade to the latest version 105 or there might be security concern. So we're exploring ways to get the latest version installed in the internal platform once the new version is available. While if the previous versions still work, the delay might be acceptable and we can get more time to investigate into the downloading source package approach and see how we can apply it to our platform.

Thank you very much! Looking forward to hearing from you.

Best,
Jiayi

On 7/27/22, 12:10 PM, "clamav-users on behalf of G.W. Haywood via clamav-users" wrote:

Hi there,

On Wed, 27 Jul 2022, Yang, Jiayi via clamav-users wrote:

> We want to get the latest stable version of clamav and use it in our
> environment. From the release note
> (https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html),
> we see the v0.105.0 is released with 0.104.3 and 0.103.6(it seems
> the latest stable version has also upgraded to 0.105.1 now). ...

Please look again at the blog. You will see that updates have been published very recently.

> when we install the package via yum, we still only get the version 103

You did not say which distribution you are using but they all have their own policies on updates. Some of them backport security patches for you. You must look to the distribution for more information about it, the ClamAV development team can't help you very much with that.

> 1. ClamAv 0.105,0, 0.104.3, 0.103.6 got released on the same day. We
> don't see any major version change. Then why ClamAv released patch
> for 0.014 and 0.103 when 0.105 is released. Since it's a minor version
> change, we think everyone should get the update?

Are you offering to pay for extra work to be done?

> 2. What are the differences between 0.105 and 0.103.6? We see the
> yum and rpm packages currently only support latest clamav version as
> 0.103.6 although these versions seem released in the meantime. Are
> there any new changes in 0.105 causing the delay in package
> distribution update?

Please read the blog and the release notes for information about the enhancements. You may also wish to follow developments on Github.

> 3. Do you have any suggestions that except downloading latest source
> package for clamav

What's wrong with the source package? There's a school of thought which holds that for security software, the only way to go is to do exactly that.

> how can we make sure we get the latest version without delay?

You can subscribe to the announcement mailing list:

https://lists.clamav.net/mailman/listinfo/clamav-announce

and then watch your distribution's equivalent (if there is one).

> Yum and rpm don’t have the latest 105 version for now. While we’re
> wondering if you know any other package provider and its repo may
> a
[clamav-users] Inquire about clamav latest stable version
Hi community,

We want to get the latest stable version of clamav and use it in our environment. From the release note (https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html), we see the v0.105.0 is released with 0.104.3 and 0.103.6 (it seems the latest stable version has also upgraded to 0.105.1 now). While when we install the package via yum, we still only get the version 103 although it seems get released with more advanced versions together.

We are wondering:

1. ClamAv 0.105,0, 0.104.3, 0.103.6 got released on the same day. We don't see any major version change. Then why ClamAv released patch for 0.014 and 0.103 when 0.105 is released. Since it's a minor version change, we think everyone should get the update?

2. What are the differences between 0.105 and 0.103.6? We see the yum and rpm packages currently only support latest clamav version as 0.103.6 although these versions seem released in the meantime. Are there any new changes in 0.105 causing the delay in package distribution update?

3. Do you have any suggestions that except downloading latest source package for clamav, how can we make sure we get the latest version without delay? Yum and rpm don’t have the latest 105 version for now. While we’re wondering if you know any other package provider and its repo may always have the latest updates.

Thank you very much! Looking forward to your reply.

Best,
Jiayi

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Inquiry about ClamAV's usage within sandbox
Hi Ged,

Thank you very much for the detailed reply!

Could I ask more about what will happen if ClamAV is compromised? I'm guessing it will give wrong detection result for the malware and also for other files to be scanned, or the scanner will crash then cannot work any more. Is there also a probability that when it's compromised, it could also infect other files when scanning them?

I totally believe it's unlikely to happen. Just trying to consider every possibility from the security side and decide if it's better to do the scanning for different files in separate environments.

Thanks a lot! Looking forward to hearing from you.

Best,
Jiayi

On 3/22/22, 8:03 PM, "clamav-users on behalf of G.W. Haywood via clamav-users" wrote:

Hi there,

On Tue, 22 Mar 2022, Yang, Jiayi via clamav-users wrote:

> ... I’m writing to inquire about the proper usage of ClamAV and
> whether it’s suggested to run ClamAV within a sandbox to avoid
> infecting other files/applications in the host if a malware is
> detected.

Vulnerabilities have been found - and fixed - in ClamAV in the past. A sandbox or similar will probably reduce the attackable 'surface'. I don't know what fraction of ClamAV users use sandboxing, I never have done but I use a separate machine for the scanner and pass the data to be scanned to it, over a network.

> 1. When scanning a given file, will ClamAV only do static analysis
> (based on signature database) or it will execute the file and
> analyze its behavior?

ClamAV will not attempt to execute the file. You can scan any file, including non-executable files. There are some heuristics, so it's not necessarily just using the signature database. If the file is something like an archive ClamAV may extract the contents, which can be a security concern. It's possible for example to create a small archive which extracts to a huge file. ClamAV has some configuration options to mitigate this kind of risk.

> If the file is a malware and we use ClamAV to scan the file, will it
> possibly infect the scanner or infect other files/applications on
> the host?

It's unlikely but the possibility cannot be ignored if you're serious about security. Before attacking other parts of the system, malware would most likely have to exploit a vulnerability in ClamAV.

Use of the word 'infect' tends to imply some sort of magic. None of this is magic, it's just a computer doing what it's told but probably not what was intended by its user. I'd tend to use the word 'compromise' which means what I said in my previous sentence.

> 2. Is there any built-in sandbox mechanism in ClamAV so that when
> it scans a file, the file can be scanned in an isolated environment?

No. As has been mentioned there are several approaches to protecting systems against this kind of thing. The ClamAV scanner might not run on the computer which is being scanned. (I think that's question 3. :)

Your next question should be about detection rates.

--
73, Ged.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
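
The separate-scanner arrangement mentioned in the reply above (data passed to a scanner on another machine over a network) can be built on clamd's `INSTREAM` command. The following is an added example, not code from the thread or from the ClamAV project; the use of `INSTREAM`, the host and port arguments, and the sample replies are assumptions, since the post does not say how the data is passed.

```python
import socket
import struct

CHUNK = 8192  # bytes per INSTREAM chunk; an arbitrary choice for this sketch


def frame_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Build a complete INSTREAM request: command, length-prefixed chunks, terminator."""
    parts = [b"zINSTREAM\0"]  # 'z' prefix: command and reply are NUL-terminated
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        parts.append(struct.pack("!I", len(piece)) + piece)  # 4-byte big-endian length
    parts.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(parts)


def parse_reply(raw: bytes):
    """Map clamd's reply to (verdict, detail). Anything unrecognised is an error."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", "")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("infected", text[len("stream: "):-len(" FOUND")])
    return ("error", text)  # e.g. size limit exceeded, or connection closed early


def scan_remote(data: bytes, host: str, port: int, timeout: float = 30.0):
    """Send data to a clamd TCP listener (host and port are deployment-specific)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame_instream(data))
        buf = b""
        while not buf.endswith(b"\0"):
            got = sock.recv(4096)
            if not got:
                break
            buf += got
    return parse_reply(buf)


def allow_file(verdict) -> bool:
    """Fail closed: only an explicit clean verdict lets the file through."""
    return verdict[0] == "clean"


if __name__ == "__main__":
    # Constructed replies, not captured from a real clamd.
    for reply in (b"stream: OK\0", b"stream: Eicar-Test-Signature FOUND\0",
                  b"INSTREAM size limit exceeded. ERROR\0"):
        print(parse_reply(reply), allow_file(parse_reply(reply)))
```

A socket error or timeout raised by `scan_remote` should be handled the same way as an `error` verdict, so that an unreachable or crashed scanner never counts as a clean result.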
[clamav-users] Inquiry about ClamAV's usage within sandbox
Hi ClamAV community,

Hope this email finds you well. I’m writing to inquire about the proper usage of ClamAV and whether it’s suggested to run ClamAV within a sandbox to avoid infecting other files/applications in the host if a malware is detected.

I have two main questions:

1. When scanning a given file, will ClamAV only do static analysis (based on signature database) or it will execute the file and analyze its behavior? If the file is a malware and we use ClamAV to scan the file, will it possibly infect the scanner or infect other files/applications on the host?

2. Is there any built-in sandbox mechanism in ClamAV so that when it scans a file, the file can be scanned in an isolated environment?

Thank you so much! Looking forward to hearing from you.

Best,
Jiayi