Note: This README/NEWS file refers to the source tarball. Some things described here may not be available in binary packages. -- 0.98.7 ------ ClamAV 0.98.7 is here! This release contains new scanning features and bug fixes. - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305. - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. As always, we appreciate contributions of bug reports, code fixes, and sample submission from the ClamAV community members: Sebastian Andrzej Siewior Minzhaun Gong Dimitri Kirchner Goulven Guiheux John E. Krokes Kai Risku 0.98.6 ------ ClamAV 0.98.6 is a bug fix release correcting the following: - library shared object revisions. - installation issues on some Mac OS X and FreeBSD platforms. - includes a patch from Sebastian Andrzej Siewior making ClamAV pid files compatible with systemd. - Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team. - Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team. - Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab. - Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. CVE-2014-9328. - Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior. Thanks to the following ClamAV community members for code submissions and bug reporting included in ClamAV 0.98.6: Sebastian Andrzej Siewior Felix Groebert Kevin Szkudlapski Mark Pizzolato Daniel J. Luke 0.98.5 ------ Welcome to ClamAV 0.98.5! ClamAV 0.98.5 includes important new features for collecting and analyzing file properties. Software developers and analysts may collect file property meta data using the ClamAV API for subsequent analysis by ClamAV bytecode programs. Using these features will require that libjson-c is installed, but otherwise libjson-c is not needed. Look for our upcoming series of blog posts to learn more about using the ClamAV API and bytecode facilities for collecting and analyzing file properties. ClamAV 0.98.5 also includes these new features and bug fixes: - Support for the XDP file format and extracting, decoding, and scanning PDF files within XDP files. - Addition of shared library support for LLVM versions 3.1 - 3.5 for the purpose of just-in-time(JIT) compilation of ClamAV bytecode signatures. Andreas Cadhalpun submitted the patch implementing this support. - Enhancements to the clambc command line utility to assist ClamAV bytecode signature authors by providing introspection into compiled bytecode programs. - Resolution of many of the warning messages from ClamAV compilation. - Improved detection of malicious PE files. - Security fix for ClamAV crash when using 'clamscan -a'. This issue was identified by Kurt Siefried of Red Hat. - Security fix for ClamAV crash when scanning maliciously crafted yoda's crypter files. This issue, as well as several other bugs fixed in this release, were identified by Damien Millescamp of Oppida. - ClamAV 0.98.5 now works with OpenSSL in FIPS compliant mode. Thanks to Reinhard Max for supplying the patch. - Bug fixes and other feature enhancements. See Changelog or git log for details. Thanks to the following ClamAV community members for code submissions and bug reporting included in ClamAV 0.98.5: Andreas Cadhalpun Sebastian Andrzej Siewior Damien Millescamp Reinhard Max Kurt Seifried 0.98.4 ------ ClamAV 0.98.4 is a bug fix release. The following issues are now resolved: - Various build problems on Solaris, OpenBSD, AIX. - Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database. - Infinite loop in clamdscan when clamd is not running. - Freshclam failure on Solaris 10. - Buffer underruns when handling multi-part MIME email attachments. - Configuration of OpenSSL on various platforms. - Name collisions on Ubuntu 14.04, Debian sid, and Slackware 14.1. Thanks to the following individuals for testing, writing patches, and initiating quality improvements in this release: Tuomo Soini Scott Kitterman Jim Klimov Curtis Smith Steve Basford Martin Preen Lars Hecking Stuart Henderson Ismail Paruk Larry Rosenbaum Dave Simonson Sebastian Andrzej Siewior 0.98.2 ------ Here are the new features and improvements in ClamAV 0.98.2: - Support for common raw disk image formats using 512 byte sectors, specifically GPT, APM, and MBR partitioning. - Experimental support of OpenIOC files. ClamAV will now extract file hashes from OpenIOC files residing in the signature database location, and generate ClamAV hash signatures. ClamAV uses no other OpenIOC features at this time. No OpenIOC files will be delivered through freshclam. See openioc.org and iocbucket.com for additional information about OpenIOC. - All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop) now support IPV6 addresses and configuration parameters. - Use OpenSSL file hash functions for improved performance. OpenSSL is now prerequisite software for ClamAV 0.98.2. - Improved detection of malware scripts within image files. Issue reported by Maarten Broekman. - Change to circumvent possible denial of service when processing icons within specially crafted PE files. Icon limits are now in place with corresponding clamd and clamscan configuration parameters. This issue was reported by Joxean Koret. - Improvements to the fidelity of the ClamAV pattern matcher, an issue reported by Christian Blichmann. - Opt-in collection of statistics. Statistics collected are: sizes and MD5 hashes of files, PE file section counts and section MD5 hashes, and names and counts of detected viruses. Enable statistics collection with the --enable-stats clamscan flag or StatsEnabled clamd configuration parameter. - Improvements to ClamAV build process, unit tests, and platform support with assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman, and Dave Simonson. - Patch by Arkadiusz Miskiewicz to improve error handling in freshclam. - ClamAV 0.98.2 also includes miscellaneous bug fixes and documentation improvements. Thanks to the following ClamAV community members for sending patches or reporting bugs and issues that are addressed in ClamAV 0.98.2: Sebastian Andrzej Siewior Scott Kitterman Joxean Koret Arkadiusz Miskiewicz Dave Simonson Maarten Broekman Christian Blichmann -- REGARDING OPENSSL In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here. 0.98.1 ------ ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new file types, and quality improvements. These include: - Extraction, decompression, and scanning of files within Apple Disk Image (DMG) format. - Extraction, decompression, and scanning of files within Extensible Archive (XAR) format. XAR format is commonly used for software packaging, such as PKG and RPM, as well as general archival. - Decompression and scanning of files in "Xz" compression format. - Recognition of Open Office XML formats. - Improvements and fixes to extraction and scanning of ole formats. - Option to force all scanned data to disk. This impacts only a few file types where some embedded content is normally scanned in memory. Enabling this option ensures that a file descriptor exists when callback functions are used, at a small performance cost. This should only be needed when callback functions are used that need file access. - Various improvements to ClamAV configuration, support of third party libraries, and unit tests. 0.98 ------ ClamAV 0.98 includes many new features, across all the different components of ClamAV. There are new scanning options, extensions to the libclamav API, support for additional filetypes, and internal upgrades. - Signature improvements: New signature targets have been added for PDF files, Flash files and Java class files. (NOTE: Java archive files (JAR) are not part of the Java target.) Hash signatures can now specify a '*' (wildcard) size if the size is unknown. Using wildcard size requires setting the minimum engine FLEVEL to avoid backwards compatibility issues. For more details read the ClamAV Signatures guide. - Scanning enhancements: New filetypes can be unpacked and scanned, including ISO9660, Flash, and self-extracting 7z files. PDF handling is now more robust and better handles encrypted PDF files. - Authenticode: ClamAV is now aware of the certificate chains when scanning signed PE files. When the database contains signatures for trusted root certificate authorities, the engine can whitelist PE files with a valid signature. The same database file can also include known compromised certificates to be rejected! This feature can also be disabled in clamd.conf (DisableCertCheck) or the command-line (nocerts). - New options: Several new options for clamscan and clamd have been added. For example, ClamAV can be set to print infected files and error files, and suppress printing OK results. This can be helpful when scanning large numbers of files. This new option is "-o" for clamscan and "LogClean" for clamd. Check clamd.conf or the clamscan help message for specific details. - New callbacks added to the API: The libclamav API has additional hooks for developers to use when wrapping ClamAV scanning. These function types are prefixed with "clcb_" and allow developers to add logic at certain steps of the scanning process without directly modifying the library. For more details refer to the clamav.h file. - More configurable limits: Several hardcoded values are now configurable parameters, providing more options for tuning the engine to match your needs. Check clamd.conf or the clamscan help message for specific details. - Performance improvements: This release furthers the use of memory maps during scanning and unpacking, continuing the conversion started in prior releases. Complex math functions have been switched from libtommath to tomsfastmath functions. The A/C matcher code has also been optimized to provide a speed boost. - Support for on-access scanning using Clamuko/Dazuko has been replaced with fanotify. Accordingly, clamd.conf settings related to on-access scanning have had Clamuko removed from the name. Clamuko-specific configuration items have been marked deprecated and should no longer be used. There are also fixes for other minor issues and code quality changes. Please see the ChangeLog file for details. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.97.8 ---- ClamAV 0.97.8 addresses several reported potential security bugs. Thanks to Felix Groebert of the Google Security Team for finding and reporting these issues. 0.97.7 ---- ClamAV 0.97.7 addresses several reported potential security bugs. Thanks to Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for finding and reporting these issues. 0.97.6 ---- ClamAV 0.97.6 includes minor bug fixes and detection improvements. ClamAV 0.97.6 corrects bug 5252 "CL_EFORMAT: Bad format or broken data ERROR reported as scan result." 0.97.5 ------ ClamAV 0.97.5 addresses possible evasion cases in some archive formats (CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability issues in portions of the bytecode engine. This release is recommended for all users. 0.97.4 ------ ClamAV 0.97.4 includes minor bugfixes, detection improvements and initial support for on-access scanning under Mac OS X (see contrib/ClamAuth). This update is recommended for all users. 0.97.3 ------ ClamAV 0.97.3 is a minor bugfix release and is recommended for all users. Please refer to the ChangeLog file for details. 0.97.2 ------ ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing detection, hash matcher, and other minor issues. Please see the ChangeLog file for details. 0.97.1 ------ This is a bugfix release recommended for all users. Please refer to the ChangeLog file for details. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.97 ---- ClamAV 0.97 brings many improvements, including complete Windows support (all major components compile out-of-box under Visual Studio), support for signatures based on SHA1 and SHA256, better error detection, as well as speed and memory optimizations. The complete list of changes is available in the ChangeLog file. For upgrade notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes097 With Sourcefire, Inc. acquisition of Immunet Corp., ClamAV for Windows 3.0 has been renamed Immunet 3.0, powered by ClamAV. This release contains the fully integrated LibClamAV 0.97 engine for offline, OnDemand, and OnAccess scanning. Immunet 3.0 users can now utilize the full power of the LibClamAV engine, all the ClamAV signatures, and creation of custom signatures on any platform running Immunet 3.0, powered by ClamAV. If you run Windows systems in your environment and need an AV solution to protect them, give Immunet 3.0, powered by ClamAV a try; you can download it from http://www.clamav.net/download.html#otherversions -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.96.5 ------ ClamAV 0.96.5 includes bugfixes and minor feature enhancements, such as improved handling of detection statistics, better file logging, and support for custom database URLs in freshclam. Please refer to the ChangeLog for details. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.96.4 ------ ClamAV 0.96.4 is a bugfix release recommended for all users. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.96.3 ------ This release fixes problems with the PDF parser and the internal bzip2 library. A complete list of changes is available in the Changelog file. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.96.2 ------ ClamAV 0.96.2 brings a new PDF parser, performance and memory improvements, and a number of bugfixes and minor enhancements. This upgrade is recommended for all users. 0.96.1 ------ This is a bugfix release, please refer to the ChangeLog for the complete list of changes. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.96 ---- This release of ClamAV introduces new malware detection mechanisms and other significant improvements to the scan engine. The key features include: - The Bytecode Interpreter: the interpreter built into LibClamAV allows the signature writers to create and distribute very complex detection routines and remotely enhance the scanner's functionality - Heuristic improvements: improve the PE heuristics detection engine by adding support of bogus icons and fake PE header information. In a nutshell, ClamAV can now detect malware that tries to disguise itself as a harmless application by using the most common Windows program icons. - Signature Improvements: logical signature improvements to allow more detailed matching and referencing groups of signatures. Additionally, improvements to wildcard matching on word boundaries and newlines. - Support for new archives: 7zip, InstallShield and CPIO. LibClamAV can now transparently unpack and inspect their contents. - Support for new executable file formats: 64-bit ELF files and OS X Universal Binaries with Mach-O files. Additionally, the PE module can now decompress and inspect executables packed with UPX 3.0. - Support for DazukoFS in clamd - Performance improvements: overall performance improvements and memory optimizations for a better overall resource utilization experience. - Native Windows Support: ClamAV will now build natively under Visual Studio. This will allow 3rd Party application developers on Windows to easily integrate LibClamAV into their applications. The complete list of changes is available in the ChangeLog file. For upgrade notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes096 -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.95.3 ------ ClamAV 0.95.3 is a bugfix release recommended for all users. Please refer to the ChangeLog included in the source distribution for the list of changes. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.95.2 ------ This version improves handling of archives, adds support for --file-list in clamscan and clamdscan, and fixes various issues found in previous releases. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.95.1 ------ This is a bugfix release only, please see the ChangeLog for details. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.95 ---- ClamAV 0.95 introduces many bugfixes, improvements and additions. To make the transition easier, we put various tips and upgrade notes on this page: https://wiki.clamav.net/Main/UpgradeNotes095. For detailed list of changes and bugfixes, please see the ChangeLog. The following are the key features of this release: - Google Safe Browsing support: in addition to the heuristic and signature based phishing detection mechanisms already available in ClamAV, the scanner can now make use of the Google's blacklists of suspected phishing and malware sites. The ClamAV Project distributes a constantly updated Safe Browsing database, which can be automatically fetched by freshclam. For more information, please see freshclam.conf(5) and http://safebrowsing.clamav.net. - New clamav-milter: The program has been redesigned and rewritten from scratch. The most notable difference is that the internal mode has been dropped which means that now a working clamd companion is required. The milter now also has its own configuration file. - Clamd extensions: The protocol has been extended to lighten the load that clamd puts on the system, solve limitations of the old protocol, and reduce latency when signature updates are received. For more information about the new extensions please see the official documentation and the upgrade notes. - Improved API: The API used to program ClamAV's engine (libclamav) has been redesigned to use modern object-oriented techniques and solves various API/ABI compatibility issues between old and new releases. You can find more information in Section 6 of clamdoc.pdf and in the upgrade notes. - ClamdTOP: This is a new program that allows system administrators to monitor clamd. It provides information about the items in the clamd's queue, clamd's memory usage, and the version of the signature database, all in real-time and in nice curses-based interface. - Memory Pool Allocator: Libclamav now includes its own memory pool allocator based on memory mapping. This new solution replaces the traditional malloc/free system for the copy of the signatures that is kept in memory. As a result, clamd requires much less memory, particularly when signature updates are received and the database is loaded into memory. - Unified Option Parser: Prior to version 0.95 each program in ClamAV's suite of programs had its own set of runtime options. The new general parser brings consistency of use and validation to these options across the suite. Some command line switches of clamscan have been renamed (the old ones will still be accepted but will have no effect and will result in warnings), please see clamscan(1) and clamscan --help for the details. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.94.2 ------ This is a bugfix release, please refer to the ChangeLog for a complete list of changes. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.94.1 ------ ClamAV 0.94.1 fixes some issues that were found in previous releases and includes one new feature, "Malware Statistics Gathering." This is an optional feature that allows ClamAV users optionally to submit statistics to us about what they detect in the field. We will then use these data to determine what types of malware are the most detected in the field and in what geographic area they are. It will also allow us to publish summary data on www.clamav.net where our users will be able to monitor the latest threats. You can help us by enabling SubmitDetectionStats in freshclam.conf. For more details, please refer to the ChangeLog -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.94 ---- Sourcefire and the ClamAV team are pleased to announce the release of ClamAV 0.94. The following are the key features and improvements of this version: - Logical Signatures: The logical signature technology uses operators such as AND, OR and NOT to allow the combination of more than one signature into one entry in the signature database resulting in more detailed and flexible pattern matching. - Anti-phishing Technology: Users can now change the priority and reporting of ClamAV's heuristic anti-phishing scanner within the detection engine process. They can choose whether, when scanning a supicious file, ClamAV should stop scanning and report the phish, or continue to scan in case the file contains other malware (clamd: HeuristicScanPrecedence, clamscan: --heuristic-scan-precedence) - Disassembly Engine: The initial version of the disassembly engine improves ClamAV's detection abilities. - PUA Detection: Users can now decide which PUA signatures should be loaded (clamd: ExcludePUA, IncludePUA; clamscan: --exclude-pua, --include-pua) - Data Loss Prevention (DLP): This version includes a new module that, when enabled, scans data for the inclusion of US formated Social Security Numbers and credit card numbers (clamd: StructuredDataDetection, clamscan: --detect-structured; additional fine-tuning options are available) - IPv6 Support: Freshclam now supports IPv6 - Improved Scanning of Scripts: The normalization of scripts now covers JavaScript - Improved QA and Unit Testing: The improved QA process now includes API testing and new library of test files in various formats that are tested on a wide variety of systems (try running 'make check' in the source directory) You may need to run 'ldconfig' after installing this version. ** This version drops the special support for Cygwin. Our QA process showed ** serious problems with ClamAV builds under Cygwin due to some low-level ** incompatibilities in the POSIX compatibility layer, resulting in unreliable ** ClamAV behaviour. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.93.3 ------ This release fixes a problem in handling of .cld files introduced in 0.93.2. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.93.2 ------ This release fixes and re-enables the Petite unpacker, improves database loading and solves some other minor issues. 0.93.1 ------ This version improves handling of PDF, CAB, RTF, OLE2 and HTML files and includes various bugfixes for 0.93 issues. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.93 ---- This release introduces many new features and engine enhancements, please see the notes below for the list of major changes. The most visible one is the new logic in scan limits which affects some command line and config options of clamscan and clamd. Please see clamscan(1) and clamd.conf(5) and the example config file for more information on the new options. Most important changes include: * libclamav: - New logic in scan limits: provides much more efficient protection against DoS attacks but also results in different command line and config options to clamscan and clamd (see below) - New/improved modules: unzip, SIS, cabinet, CHM, SZDD, text normalisator, entity converter - Improved filetype detection; filetype definitions can be remotely updated - Support for .cld containers (which replace .inc directories) - Improved pattern matcher and signature formats - More efficient scanning of HTML files - Many other improvements * clamd: - NEW CONFIG FILE OPTIONS: MaxScanSize, MaxFileSize, MaxRecursion, MaxFiles - ** THE FOLLOWING OPTIONS ARE NO LONGER SUPPORTED **: MailMaxRecursion, ArchiveMaxFileSize, ArchiveMaxRecursion, ArchiveMaxFiles, ArchiveMaxCompressionRatio, ArchiveBlockMax * clamscan: - NEW CMDLINE OPTIONS: --max-filesize, --max-scansize - REMOVED OPTIONS: --block-max, --max-space, --max-ratio * freshclam: - NEW CONFIG OPTION CompressLocalDatabase - NEW CMDLINE SWITCH --no-warnings - main.inc and daily.inc directories are no longer used by ClamAV; please remove them manually from your database directory -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.92.1 ------ This is a bugfix release, please refer to the ChangeLog for a complete list of changes. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.92 ---- This release provides various bugfixes, optimisations and improvements to the scanning engine. The new features include support for ARJ and SFX-ARJ archives, AutoIt, basic SPF parser in clamav-milter (to reduce phishing false-positives), faster scanning and others (see ChangeLog). To get a consistent behaviour of the anti-phishing module on all platforms, libclamav now includes the regex library from OpenBSD. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.91.2 ------- This release fixes various bugs in libclamav, freshclam and clamav-milter, and adds support for PUA (Potentially Unwanted Application) signatures (clamscan: --detect-pua, clamd: DetectPUA). ** Announcement ** Dear ClamAV users, On August 17, Sourcefire, the creators of Snort, acquired the ClamAV project. The full announcement is available here: http://www.sourcefire.com/products/clamav/ We'd like to thank everyone in the ClamAV community for their dedication to the project. The acquisition by Sourcefire is a testament to the hard work of the entire ClamAV community in developing cutting edge technology that truly showcases the promise of the open source model. With the additional resources Sourcefire will provide we look forward to working with the community to continue the advancement of ClamAV. Sourcefire now owns ClamAV project and related trademarks, as well as the source code copyrights held by the five principal members of the ClamAV team. Sourcefire will also assume control of the ClamAV project including: the ClamAV.org domain, web site and web site content; and the ClamAV Sourceforge project page. What's most important is that from the end-user perspective very little will change beyond the additional resources Sourcefire will provide in our continued efforts to advance the ClamAV technology and improve our ability to interact with the open source community. The core team will continue to lead the advancement of ClamAV and the CVD as employees of Sourcefire. Both the ClamAV engine and the signature database will remain under GPL. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.91.1 ------ This release fixes stability and other issues of 0.91. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.91 ---- ClamAV 0.91 is the first release to enable the anti-phishing technology in default builds. This technology combines heuristics with special signatures and provides effective protection against phishing threats. Other important changes and add-ons in this version include: - unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting archives - unpacker for ASPack 2.12 - new implementation of the Aho-Corasick pattern matcher providing better detection for wildcard enabled signatures - support for nibble matching and floating offsets - improved handling of .mdb files (fixes long startup times) - extraction of PE files embedded into other executables - better handling of PE & UPX - removed dependency on libcurl (improves stability) - libclamav.dll available under Windows - IPv6 support in clamav-milter - many other improvements and bugfixes -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.90.3 ------ This release fixes some security bugs in libclamav and improves stability under Solaris. Please see ChangeLog for complete list of changes. If your system is suffering from long clamscan startup times, please consider installing 0.91rc1 which is due to be released shortly after 0.90.3. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.90.2 ------ This release fixes many problems in libclamav and freshclam. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.90.1 ------ This release includes various bugfixes and code enhancements. Please see ChangeLog for complete list of changes. ** Important note **: please run 'ldconfig' after installing this version. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.90 ---- The ClamAV team is proud to announce the long awaited ClamAV 0.90. This version introduces lots of new interesting features and marks a big step forward in the development of our antivirus engine. The most important change is the introduction of scripted updates. Instead of transferring the whole cvd file at each update, only the differences between the latest cvds and the previous versions will be transferred. In case the local copy of the latest cvd is corrupted or the scripted update fails for some reason, freshclam will fallback to the old method. Similarly to cvd files, scripted updates are compressed and digitally signed and are already being distributed. They will dramatically reduce traffic on our mirrors and will allow us to release even more updates in the future. Another noticeable change is the new configuration syntax: you can now turn single options on and off, the old crude hack of "DisableDefaultScanOptions" is no longer required. Cosmetic changes apart, the 0.9x series introduces lots of new code, but some parts are not compiled in by default because they are not ready for production systems yet. You are encouraged to pass the --enable-experimental flag to ./configure when compiling ClamAV. The experimental code introduces many improvements in terms of detection rate and performances. If you find a bug, please take some time to report it on our bugzilla: http://bugs.clamav.net. Your help in testing the new code is really appreciated. The experimental code introduces many improvements in terms of detection rate and performances. RAR3, SIS and SFX archives support is finally available together with new unpackers and decryptors: pespin, sue, yc, wwpack32, nspack, mew, upack and others. Additionally, ClamAV now includes better mechanisms for scanning ELF, PDF and tar files. The email decoding has been improved to reduce both the memory requirements and the time taken to process attachments. As part of the Google Summer of Code program, we have introduced support for a new phishing signatures format that has proved very effective in detecting phishing emails. The ClamAV phishing module allows better and more generic detection of phishing emails by searching for URLs in email messages, and comparing the real site with the URL displayed to the user in the message. On the performance side, support for the MULTISCAN command has been implemented in clamd, allowing to scan multiple files simultaneously. Support for Sensory Networks' NodalCore acceleration technology (http://www.clamav.net/nodalcore/) is now available in ClamAV and will be compiled in if the ncore libraries are detected at compile time. NodalCore acceleration allows highly improved scan speeds on systems equipped with NodalCore cards. Detailed list of changes: -) libclamav: + New unpacker for RAR3, RAR2 and RAR1 + Rewritten unpackers for Zip and CAB files + Support for RAR-SFX, Zip-SFX and CAB-SFX archives + New PE parsing model: - Accurate virtual and raw size and offset calculations - Proper parsing of executables with weird/handcrafted/uncommon headers - Proper handling (or skipping) of ghost sections at various places in the code - Rebuild improvements for various unpackers - Adjusted alignment on rebuilt executables - Proper handling of out of sections offsets - Broken exe detection now mimics the XPSP2 loader - Lots of misc improvements and fixes + Support for PE32+ (64-bit) executables + Support for MD5 signatures based on PE sections (.mdb) + ELF file parser + Support for Sensory Networks' NodalCore hardware acceleration technology + Advanced phishing detection module (experimental) + Signatures are stored in separate trees depending on their target type + Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC + Support for new obfuscators: SUE, Y0da Cryptor, CryptFF + Support for new packers: NsPack, wwpack32, MEW, Upack + Support for SIS files (SymbianOS packages) + Support for PDF and RTF files + New encoding and entity normalizer (experimental) -) clamd: + New config file parser: * all options require arguments (options without args must be now followed by boolean values: (yes, no), (1, 0), or (true, false) * optional arguments (as in NotifyClamd) are no longer supported * removed "DisableDefaultScanOptions" option (scan options can be configured individually) + TCP and local sockets can be operated simultaneously + New command: MULTISCAN (scan directory with multiple threads) + New option AlgorithmicDetection + New option ScanELF + New option NodalCoreAcceleration (requires hardware accelerator) + New option PhishingSignatures + New options to control the phishing module: - PhishingRestrictedScan - PhishingScanURLs - PhishingAlwaysBlockSSLMismatch - PhishingAlwaysBlockCloak -) clamav-milter: + Black list mode: optionally black lists an IP for a configurable amount of time + Black hole mode: detects emails that will be discarded and refrains from scanning them + Reporting: ability to report phishing attempts to anti-phishing organisations to help close the sites + Improved load balancing for scanning with clusters + Removed -b option (enable BOUNCE compile time option to re-enable the option) -) clamscan: + New options: --no-phishing-sigs, --no-algorithmic (disable phishing and algorithmic detection respectively) + New options to control the phishing module: --no-phishing-scan-urls, --no-phishing-restrictedscan, --phishing-ssl, --phishing-cloak + New option: --ncore (requires hardware accelerator) + New option: --no-elf + New option: --copy -) freshclam: + Interpreter for .cdiff files (scripted updates) + Initial version of mirror manager + New option: --list-mirrors (list details on mirrors accessed by the mirror manager) + New option HTTPUserAgent to force different User-Agent header -) sigtool: + New option: --utf16-decode (decode UTF16 encoded files) + New options: --diff, --run-cdiff, --verify-cdiff (update script management) + New option: --mdb (generated .mdb compatible signatures) -) clamconf: initial version of configuration utility for clamd and freshclam We are happy to announce new interesting software with support for ClamAV: + AqMail - a POP3 client with additional filtering + ClamFS - a FUSE-based file system with on-access anti-virus scanning + c-icap - an ICAP server coded in C with support for ClamAV + MailCleaner - a complete email filtering gateway + mod_streamav - a ClamAV based antivirus filter for Apache 2 + pyClamd - a python interface to Clamd More information at http://www.clamav.net/download.html#tools -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88.7 ------ This version improves scanning of mail and tar files. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88.6 ------ Changes in this release include better handling of network problems in freshclam and other minor bugfixes. The ClamAV developers encourage all users to give a try to the latest beta version of 0.90! -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88.5 ------ This version fixes a crash in the CHM unpacker and a heap overflow in the function rebuilding PE files after unpacking. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88.4 ------ This release fixes a possible heap overflow in the UPX code. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88.3 ------ This version fixes handling of large binhex files and multiple alternatives in virus signatures. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88.2 ------ This release improves virus detection, fixes zip handling on 64-bit architectures and possible security problem in freshclam. Following the 0.88.1 release some portals and security related websites published incorrect information on security problems of 0.88. To avoid such incidents in the future, every new ClamAV package will be released together with detailed information about security bugs it fixes. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88.1 ------ This version fixes a number of minor bugs and provides code updates to improve virus detection. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.88 ---- A possible heap overflow in the UPX code has been fixed. General improvements include better zip and mail processing, and support for a self-protection mode. The security of the UPX, FSG and Petite modules has been improved, too. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.87.1 ------ This release includes major bugfixes for problems with handling TNEF attachments, cabinet files and FSG compressed executables. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.87 ---- This version fixes vulnerabilities in handling of UPX and FSG compressed executables. Support for PE files, Zip and Cabinet archives has been improved and other small bugfixes have been made. The new option "--on-outdated-execute" allows freshclam to run a command when system reports a new engine version. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.86.2 ------ Changes in this release include fixes for three possible integer overflows in libclamav, improved scanning of Cabinet and FSG compressed files, better database handling in clamav-milter, and others. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.86.1 ------ A possible crash in the libmspack's Quantum decompressor has been fixed. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.86 ---- This release introduces a number of bugfixes and cleanups. Possible descriptor leaks in archive unpackers and mishandling of fast track uuencoded files have been fixed in libclamav. Database reloading in clamav-milter has been improved. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.85.1 ------ A problem where an email with more than one content-disposition type line, one or more of which was empty, could crash libclamav has been fixed. Other minor bugfixes have been made. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.85 ---- Bugfixes in this release include correct signature offset calculation in large files, proper handling of encrypted zip archives, and others. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.84 ---- This version improves detection of JPEG (MS04-028) based exploits, introduces support for TNEF files and new detection mechanisms. Various bugfixes (including problems with scanning of digest mail files) and improvements have been made. -) libclamav: + JPEG exploit detector now also checks embedded Photoshop thumbnail images + archive meta-data scanner (improves malware detection within encrypted archives) + support for TNEF (winmail.dat) decoding + support for all tar archive formats + MD5 implementation replaced with a slightly faster one + improved database reloading with reference counter + database updateable false positive eliminator + speed improvements + various bugfixes -) clamd: + VirusEvent now sets CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME environment variables -) clamav-milter: + improved database update detection when not --external -) clamscan: + new options --include-dir and exclude-dir + new option --max-dir-recursion -) freshclam: + new directive LocalIPAddress -) contrib: + clamdmon 1.0 - clamdwatch replacement written in C -) 3rd party software: + hMailServer - open source e-mail server for Microsoft Window + pop3.proxy - proxy server for the POP3 protocol + HTTP Anti Virus Proxy + SmarterMail Filter - ClamAV based plugin for SmarterMail Mail Server + smf-clamd - small & fast virus filter for Sendmail + Squidclam - replacement for SquidClamAV-Redirector.py written in C + QtClamAVclient - remote clamd client based on the Qt Toolkit + qpsmtp - flexible smtpd daemon written in Perl News: Palo Alto, Calif. March 31st 2005 - Clam AntiVirus, the leading Open Source antivirus toolkit, and Sensory Networks, the leading provider of hardware acceleration for network security applications, announced a partnership to provide hardware acceleration support for the Clam AntiVirus suite. [...] Support for Sensory Networks' NodalCore acceleration in ClamAV will be available in version 0.90 of the software suite in Q3 2005. For more information please visit: http://www.sensorynetworks.com/ The ClamAV project announces the opening of the official merchandise store: http://www.cafepress.com/clamav/ A big thank you to Finndesign (http://www.finndesign.fi) which volunteered to design the whole line of products, including: - t-shirts (for women and men) - golf shirt - sweatshirt - coffee mug - mousepad - stickers - scrapbook By purchasing our merchandise, you contribute to the development of ClamAV. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.83 ---- Due to a high number of bad files produced by broken software, the MS05-002 exploit detector now only checks specific RIFF files. This version also fixes a stability problem of clamav-milter/clamd and improves e-mail scanning. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.82 ---- This release adds generic detection of MS05-002 ("Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution") based exploits. Fixes include correct attachment scanning in e-mails generated by some Internet worms (broken in 0.81), removed false positive "Suspect.Zip" warning on non-standard zip archives created by ICEOWS, better proxy support in freshclam, and speed improvements. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.81 ---- Scan engine improvements were made. The internal mail scanner now supports multipart/partial messages, and support for decoding non-standard mail files was greatly enhanced. clamav-milter by default uses libclamav and scans emails itself without the use of clamd. libclamav can now extract RFC2397 encoded data within HTML documents, block zip archives with modified information in local header, and scan HQX files. PE file structure rebuilding from compressed executables was improved. Important note to clamdwatch users: please upgrade to the latest version (contrib/clamdwatch) as soon as possible. -) libclamav: + major improvements in the mail scanning engine: o support for multipart/partial messages o improved support for non-standard quoted-printable attachments o in some situations it will try to guess a correct mode (e.g. a good type for an incorrect content-type, a best guess for an unknown encoding type, etc.) o handling of RFC822 comments in the commands (e.g.: Co(foo)ntent-Type: text/plain) o better recovery if memory softlimit is hit o new test code that decodes emails without parsing them first (must be enabled manually before compilation) + support for extracting RFC2397 encoded data within HTML documents + blocking of zip archives with modified information in local header + improved PE structure rebuilding from compressed executables + improved support for zip archives + support for Mac's HQX file format + stability and (minor) security fixes + a lot of minor improvements, including support for new platforms -) clamd: + new directive ExitOnOOM (stop the deamon when libclamav reports an out of memory condition) + new directives StreamMinPort and StreamMaxPort (port range specification for a stream mode) + support for passing of file descriptors -) clamdscan: + added support for --move and --remove -) clamav-milter: + by default uses libclamav to scan e-mails + new option --external (enables the use of clamd) + various optimisations -) freshclam: + the DNS mode is now enabled by default (no need for DNSDatabaseInfo in freshclam.conf) + --no-dns uses a If-Modified-Since method instead of a range GET + added support for AllowSupplementaryGroups -) sigtool: + new options --vba and --vba-hex (extract VBA/Word6 macros and optionally display the corresponding hex values; Word6 binary code will be disassembled) -) The list of third party programs with support for ClamAV is growing rapidly. Here are the latest additions (see clamdoc.pdf for details): + AVScan - a libclamav based GUI a-v scanner for Unix + clamailfilter - a Python script that provides a-v scanning via procmailrc + ClamAVPlugin - A ClamAV plugin for SpamAssassin 3.x + ClamCour - an e-mail filter for Courier + clamfilter - a small, secure, and efficient content filter for Postfix + ClamMail - an anti-virus POP3 proxy for Windows + ClamShell - a Java GUI for clamscan + ClamTk - a perl-tk GUI for ClamAV + clapf - a virus scanning and antispam content filter for Postfix + D bindings for ClamAV - ClamAV bindings for the D programming language + Frox - a transparent FTP proxy + KMail - a fully-featured email client now supports ClamAV out of box + Mail Avenger - a highly-configurable SMTP server with a-v support + Mailnees - a mail content filter for Sendmail and Postfix + Maverix - anti-spam and anti-virus solution for AOLServer + Moodle - scan files submitted by students for viruses! + php-clamav - scan files from within PHP + pymavis - a powerful email parser, similar to the old amavis-perl + QClam - a simple program to plug ClamAV to a qmail mailbox + qmailmrtg7 - display graphs of viruses found by ClamAV + qSheff - an e-mail filter for qmail + SafeSquid - a feature rich content filtering internet proxy + Scrubber - a server-side daemon for filtering mail content + simscan - an e-mail and spam filter for qmail + smtpfilter - scan SMTP session for viruses + snort-inline - scan your network traffic for viruses with ClamAV + SquidClamAV Redirector - a Squid helper script which adds virus scanning + WRAVLib - a library for a-v integration with Mono/.NET applications -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.80 ---- Stable version. Please read the release notes for the candidate versions below. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.80rc4 ------- Improvements in this release include better JPEG exploit verification, faster base64 decoding, support for GNU tar files, updated on-access scanner, and others. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.80rc3 ------- This release candidate eliminates possible false positive alerts in UPX/FSG compressed files and clarifies behaviour of default actions in clamd and freshclam. We encourage users to take advantage of our new mirror structure. In order to download the database from the closest mirror you should configure freshclam to use db.XY.clamav.net where XY is your country code (see http://www.iana.org/cctld/cctld-whois.htm for the full list). Please add the following lines to freshclam.conf: DNSDatabaseInfo current.cvd.clamav.net DatabaseMirror db.XY.clamav.net DatabaseMirror database.clamav.net DNSDatabaseInfo enables database and software version verification through DNS TXT records, and the second database mirror acts as a fallback in case a connection to the first mirror fails for some reason. 0.80rc2 ------- This update fixes a serious bug in e-mail scanner. 0.80rc ------ The development version of ClamAV is ready for general testing! New mechanisms have already proved very nasty to Internet worms successfully protecting against the new versions R, S, T, U, V and W of the infamous Mydoom worm and detecting them as Worm.Mydoom.Gen before they were analysed and specific signatures added by the ClamAV database maintainers. That means servers running the new version of ClamAV have detected and blocked 100% of Mydoom attacks! New features in this release include: -) libclamav + Portable Executable analyser (CL_SCAN_PE) featuring: o UPX decompression (all versions) o Petite decompression (2.x) o FSG decompression (1.3, 1.31, 1.33) o detection of broken executables (CL_SCAN_BLOCKBROKEN) + new, memory efficient, pattern matching algorithm (multipattern variant of Boyer-Moore) - it's now primary matcher and Aho-Corasick is only used for regular expression extended signatures + new signature format with advanced target type and offset specification + support for MD5 based signatures + extended regular expression scanner + added support for MS cabinet files + added support for CHM files + added support for POSIX tar archives + scanning inside PowerPoint documents + HTML normaliser with support for decoding of MS Script Encoder code + great improvements in e-mail scanner (now handles even more worm tricks) + new method of mail files detection + all e-mail attachments are now scanned (previously only the first ten attachments were scanned) + added support for scanning URLs in e-mails (CL_SCAN_MAILURL) + detection of Worm.Mydoom.M.log + updated API (still backward compatible but please consult clamdoc.pdf (Section 6) and adapt your software) -) clamd + new directive ScanHTML (enables HTML normalisator and ScrEnc decoder) + new directive ScanPE (win32 executable analyser and decompressor) + new directive DetectBrokenExecutables (try to detect broken executables and mark them as Broken.Executable) + new directive MailFollowURLs (try to download and scan files from URLs in mails. BE CAREFUL! DO NOT ENABLE IT ON LOADED MAIL SERVERS) + new directive ArchiveBlockMax (archives that exceed limits will be marked as viruses) + clamav.conf was renamed clamd.conf -) clamscan + mail files are scanned by default, use --no-mail to disable it + new option --no-html (disables HTML normalisator) + new option --no-pe (disables PE analyser) + new option --detect-broken + new option --block-max + new option --mail-follow-urls (download and scan files from URLs in mails) -) clamdscan + now prints warnings if some activated command line options are only supported by clamscan + added support for archive scanning in stdin mode -) clamav-milter + improved template file format + quarantined file names now contain virus names + initial support for SESSION mode of clamd -) freshclam: + new directive DNSDatabaseInfo that enables ultra lightweight version verification method through DNS (using TXT records). Based on idea by Christopher X. Candreva and enabled by default. (see http://www.gossamer-threads.com/lists/clamav/users/11102) + new option --no-dns (quick option to disable DNS method without editing freshclam.conf) -) sigtool + removed ability of automatic signature generation (use MD5 sums to create your own signatures, see signatures.pdf for details) + new option --md5 + new option --html-normalise (saves HTML normalisation and decryption results in three html files in current directory) -) configure: + new option --disable-gethostbyname_r (try enabling it if clamav-milter compilation fails) + new option --disable-dns (try enabling it if freshclam compilation fails) + extended regular expression scanner -) documentation + included new Mac OS X installation instructions + official documentation rewritten and outdated docs removed -) new 3rd party software with support for ClamAV: + OdeiaVir - an e-mail filter for qmail and Exim + ClamSMTP - a lightweight (written in C) and simple filter for Postfix + Protea AntiVirus Tools - a virus filter for Lotus Domino + PTSMail Utilities - an e-mail filter for Sendmail + mxGuard for IMail - a mail filter for Ipswitch IMail (W32) + Zabit - a content and attachment filter for qmail + BeClam - ClamAV port for BeOS + clamXav - a virus scanner with GUI for Mac OS X Special thanks to aCaB for his work on UPX, FSG and Petite decompressors. Thanks to good reaction times on new threats ClamAV was awarded as best security tool for 2004 by Linux Journal: "...With this year's outbreak of e-mail worms for non-Linux platforms, ClamAV has been getting quite a workout, and Linux admins on mailing lists report that database update times are keeping up with or beating the proprietary alternatives." Thanks! SourceWear.com is selling some very nice t-shirts and polo shirts powered by ClamAV. Wear them and virus writers will stay away from you :-) A quarter out of every dollar profited from the sale of these shirts will go to the ClamAV project. Visit http://www.sourcewear.com and click on ClamAV logo! -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.75 ---- This release fixes detection of e-mails generated by Worm.Mydoom.I. Important notice for people using ClamAV 0.60: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Our logs show that there is still a small percentage of ClamAV 0.60 installations updating their database. ClamAV 0.60 was released on July 29th, 2003 and it was the last release to use the old database format. Starting from version 0.65, released on November 12nd, ClamAV uses a new database format, which is compressed and digitally signed. We have been distributing the database in both formats till now, but we plan to drop support for ClamAV 0.60 on September 1st. We encourage _all_ users to upgrade to the latest release available. People running an old version of ClamAV are missing many viruses and may experience stability problems. On non-production systems you can try the latest development version. The new engine not only speeds up the scanning process but also limits memory usage by about 8 MB ! It's able to scan new formats, including CAB, CHM, UPX, HTML (normalisation), PowerPoint macros and can detect annoying e-mails with empty attachments generated by new Bagle variants. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.74 ---- Bugfixes in this version include crashes with multipart/mixed messages and corrupted OLE2 and Zip files. Improvements include various optimisations of mail scanning and clamav-milter and clamdscan behaviour. New members of our "3rd party software" list: + MyClamMailFilter an e-mail filter for procmail (written in C) + clamaktion scan files from the right-click Konqueror menu + QMVC Qmail Mail and Virus Control + pyclamav Python binding for ClamAV + FETCAV Front End To Clam AntiVirus based on Xdialog + Famuko an on-access scanner working in a userspace + SoftlabsAV a generic anti-virus filter for procmail Japanese users can take an advantage of the new ClamAV related site: http://clamav-jp.sourceforge.jp/ and join the clamav-jp-users mailing list. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.73 ---- This version fixes memory management problems in the OLE2 decoder and improves mail scanning. Thank you for using ClamAV ! -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.72 ---- Major bugfixes in this release include crashes with corrupted BinHex messages and some Excel documents. Protection against archive bombs (not fully functional since 0.70) was improved and a number of other improvements were made. -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.71 ---- This release fixes all bugs found in 0.70 and introduces a few new features - the noteworthy changes include: -) libclamav: + support nested OLE2 files + support Word6 macro code + ignore popular file types (media, graphics) + support compress.exe (SZDD) compression (test/test.msc) + improve virus detection in e-mails -) clamscan: + automatically decide (by comparing daily.cvd version numbers) which database directory (hardcoded or clamav.conf's one) to use + support compression ratio feature (--max-ratio) + allow regular expressions in --[in|ex]clude + do not overwrite old files in a quarantine directory but add a numerical extension to new files + respect --tempdir in libclamav + fix access problem when calling external unpackers in a superuser mode + fix file permission corruption with --deb in a superuser mode -) clamd + support log facility specification in syslog's style (LogFacility) + new directive LeaveTemporaryFiles (Debug no longer leaves temporary files not removed) -) clamav-milter: + include the virus name in the 550 rejection + support user defined template for virus notifications (--template-file) + sort quarantine messages by date + improve thread management + add X-Virus-Scanned and X-Infected-Received-From: headers + improve load balancing (when using remote servers with --server) + send 554 after DATA received, not 550 + save PID (--pidfile) -) documentation: + German clamdoc.pdf translation (Rupert Roesler-Schmidt and Karina Schwarz, uplink coherent solutions, http://www.uplink.at) + new Japanese documentation (Masaki Ogawa) -- The ClamAV team (http://www.clamav.net/about.html#credits) 0.70 ---- The two major changes in this version are new thread manager in clamd and support for decoding MS Office VBA macros. Both of them have been implemented by Trog. Besides, there are many improvements and bugfixes (all listed in ChangeLog), a short summary: -) clamd + new thread manager (with better SMP support) + on-access scanning now also available on FreeBSD (with Dazuko 2.0) + new directive ArchiveBlockEncrypted + new directive ReadTimeout (replaces ThreadTimeout) + handle SIGHUP (re-open logfile) and SIGUSR2 (reload database) + respect TCPAddr in stream scanner -) clamav-milter: + TCPWrappers support -) libclamav: + support MS Office documents (OLE2) and VBA macro decoding + support encrypted archive detection + new flags: CL_OLE2, CL_ENCRYPTED (see clamdoc.pdf, Section 6.1) + improve virus detection in big files + improve support for multipart, bounce and embedded RFC822 messages + improve RAR support + include backup snprintf implementation -) clamscan: + new option: --block-encrypted -) freshclam + new option: --pid, -p (write pid file if run as daemon) + handle SIGHUP (re-open logfile), SIGTERM (terminate with log message), SIGALRM and SIGUSR1 (wake up and check mirror) + fix bug with -u and -c handling -) contrib + windows clamd client now available with source code -) documentation: + new Polish documentation on ClamAV and Samba integration + official documentation updated Special thanks to Dirk Mueller <mueller*kde.org> for his code review, many bugfixes and cleanups. Thanks to the help of many companies we have 49 very fast and reliable virus database mirrors in 22 regions and the number is still growing. As of March 2004 we attempt to redirect our users to the closest pool of mirrors by looking at their ip source address when they try to resolve database.clamav.net. Our DNS servers can answer with a CNAME to: db.europe.clamav.net, db.america.clamav.net, db.asia.clamav.net or db.other.clamav.net. Our advanced push-mirroring mechanism (maintained by Luca Gibelli) allows database maintainers to update all the mirrors in less than one minute ! There will be no major feature enhancements in the 0.7x series. Our work will be concentrated on a new scanning engine and preliminary heuristics - please help us and test CVS snapshots from time to time. We are happy to announce new programs with support for ClamAV (all of them have been reviewed by our team - more info in the documentation and on our website: http://www.clamav.net/download.html#tools): + ClamWin - a GUI for Windows (!) + KlamAV - a collection of GUI tools for using ClamAV on KDE + clamscan-procfilter - a Perl procmail filter + j-chkmail - a powerful filter for sendmail + qscanq - Virus Scanning for Qmail + clamavr - a Ruby binding for ClamAV + DansGuardian Anti-Virus Plugin + Viralator - a Perl script that virus scans http downloads + ClamAssassin - a filter for procmail + Gadoyanvirus - a filter for Qmail + OpenProtect - a complete e-mail protection solution + RevolSys SMTP kit for Postfix - an antispam/antivirus tools installation + POP3 Virus Scanner Daemon + mailman-clamav - a virus filter for Mailman + wbmclamav - a webmin module to manage ClamAV + Scan Log Analyzer + mailgraph - a RRDtool frontend for Postfix Statistics + INSERT - a security toolkit on a credit card size CD + Local Area Security - a Live CD Linux distribution -- The ClamAV team (http://www.clamav.net/about.html#credits) April 17, 2004 0.68-1 ------ Fixed RAR support. 0.68 ---- This version fixes a crash with some RAR archives generated by the Bagle worm, also a few important fixes have been backported from CVS. We strongly encourage users to install the 0.70-rc version (released today). 0.67 ---- This release fixes a memory management problem (platform dependent; can lead to a DoS attack) with messages that only have attachments (reported by Oliver Brandmueller). It also contains patches for a few problems found in 0.66 and has better Cygwin support. 0.66 ---- This version is a response to the "clamav 0.65 remote DOS exploit" information published on popular security-related mailing lists. Unfortunately we had not been contacted by the author before he published that and had to release this (unplanned) package very quickly (it should be mentioned that CVS version was not vulnerable to the exploit). Untested code has been disabled also the Dazuko support is temporarily not available (if you really need it please use a CVS version or wait for a next stable release). Other noteworthy changes: -) clamd: + fixed database timestamp handling (and a double reload problem reported by Alex Pleiner and Ole Stanstrup) + new directive: ArchiveMaxCompressionRatio + new command: SESSION (starts a clamd session and allows to do multiple commands per TCP session) + new directives: TemporaryDirectory, LogClean (Andrey V. Malyshev) -) clamav-milter: (Nigel Horne) + added support for AllowSupplementaryGroups and ThreadTimeout + added --quarantine-dir (thanks to Michael Dankov) + added --noreject (thanks to Vijay Sarvepalli) + added --headers (thanks Leonid Zeitlin) + added --sign option -) libclamav: + detect Worm.SCO.A bounces (Nigel) + prevent buffer overflow in broken uuencoded files (Nigel) + scan multipart alternatives that have no boundaries (Nigel) + better handling of encapsulated messages (Nigel) + locate uuencoded viruses hidden in text portions of multipart/mixed mime messages (Nigel) + initial support for BinHex (Nigel) + fixed a mail recursion loop (problem reported by Alex Kah and Kristof Petr) + fixed bzip2 memory limit (improper call suggested by the buggy libbz2 documentation, problem reported by Tomasz Klim) + fixed on error descriptor leak in CVD unpacker (Thomas Lamy) + fixed memory leak in digital signature verification code (Thomas Lamy) + added maximal compression ratio limit (cl_limits->maxratio) -) clamscan: + support for multiple arguments on command line (Thomas Lamy) + fixed buffer overflow in --move (Denis De Messemacker) + removed support for sendfile() under Linux -) freshclam: + support for freshclam.conf (that may be optionally merged with clamav.conf, command line options overwrite config settings) + work-around for potential database downgrade (subtle problem in r-r dns handling) - reported by Daniel Mario Vega and patched by Luca Gibelli -) sigtool: + list virus names with --list-sigs (-l) -) contrib: + clamdwatch (by Mike Cathey) + windows clamd client with drag&drop support (Nigel Horne) -) documentation: + complete clamdoc.pdf French translation by Stephane Jeannenot + Polish how-to on ClamAV and Sendmail integration (with clamav-milter) by Przemyslaw Holowczyc News: ClamAV was the first anti-virus protecting against Worm.SCO.A (aka MyDoom.A) ! The signature was published by Diego d'Ambra in the daily update 105, 26-Jan-2004 20:23 GMT and we were at least two hours faster than "big" AV vendors: http://sourceforge.net/mailarchive/forum.php?thread_id=3764826&forum_id=34654 http://www.pcwelt.de/news/viren_bugs/37278/4.html clamav-devel is finally able to decode OLE2 (Microsoft Office) files and decompress VBA streams ! The code is developed by Trog, official ClamAV developer. Also we're testing new clamd implementation that will solve several important problems (especially that "Time out" related). Please help us and test the latest CVS version. The virus database now contains more than 20.000 signatures ! On January 8, Denis De Messemacker (who joined our team 3 months ago) added signatures for about 7700 new viruses. Also special thanks go to Tomasz Papszun for his hard work on daily submissions and forcing us to keep ClamAV quality on the highest possible level. New mirroring mechanisms. Luca Gibelli (ClamAV) and mirror administrators (22 sites, http://www.clamav.net/documentation.html for a complete mirror information) are converting mirrors to new "push mirroring" method. It uses advanced techniques to ensure all the mirrors are up to date. More info: http://www.clamav.net/documentation.html We would like to thank our donors: * Jeremy Garcia (http://www.linuxquestions.org) * Andries Filmer (http://www.netexpo.nl) * David Eriksson (http://www.2good.nu) * Dynamic Network Services, Inc (http://www.dyndns.org) * epublica * Invisik Corporation (http://www.invisik.com) * Keith (http://www.textpad.com) * Explido Software USA Inc. (http://www.explido.us) * cheahch from Singapore * Electric Embers * Stephane Rault * Brad Koehn * David Farrick * ActiveIntra.net Inc. (http://www.activeintra.net) * An anonymous donor from Colorado, US -- Tomasz Kojm <tkojm*clamav.net> February 10, 2004 0.65 ---- IMPORTANT NOTE: The project has been moved into SourceForge. The only official ClamAV's homepage is www.clamav.net (however clamav.elektrapro. com still works). We would like to thank ElektraPro.com for their support for the open-source community - THANKS ! ClamAV 0.65 introduces a new database container file format (called CVD) with support for digital signatures and compression. Please remove the old databases from your database directory before the installation. And the most important thing: clamd stability has been greatly improved (especially under FreeBSD) ! Also we have a new mirror infrastructure - you will find all the details in clamdoc.pdf. If you want to become an official ClamAV mirror (with entry in database.clamav.net) please read the clamav-mirror-howto.pdf document and contact our administrator - Luca Gibelli <nervous*clamav.net>. Noteworthy changes in this version: -) clamd: + fixed a race condition in database reloading code (random crashes under high load) + fixed a race condition with the improperly initialized session start time (thanks to Michael Dankov) + fixed PidFile permissions (Magnus Ekdahl, bug reported by Tomasz Papszun) + fixed LogFile permissions (Magnus Ekdahl) + new directive ScanRAR (bacause RAR support is now disabled by default) + new directive VirusEvent + new directive FixStaleSocket (Thomas Lamy and Mark Mielke) + new directive TCPAddr (Bernard Quatermass, fixed by Damien Curtain) + new directive Debug -) clamav-milter: (Nigel Horne <njh*clamav.net>) + new --force-scan flag + new -P and -q flags by Nicholas M. Kirsch WARNING: clamav-milter and our mail scanner are still in high development and may be unstable. You should always use the CVS version. -) libclamav: + support for a new database container format (CVD) - compressed and digitally signed + better protection against malformed zip archives (such as Mimail) + mail decoder fixes (thanks to Rene Bellora, Bernd Kuhls, Thomas Lamy, Tomasz Papszun) (Nigel Horne) + memory leak fixes (Thomas Lamy) + new scan option CL_DISABLERAR (disables built-in RAR unpacker) -) freshclam: + fixed --on-error-execute behaviour (David Woakes) + new option --user (-u) USER - run as USER instead of the default user. Patch by Damien Curtain. + rewritten to use database.clamav.net and CVD -) documentation: + new Spanish documentation on ClamAV and Sendmail integration by Erick Ivaan Lopez Carreon