Recent Releases
1.4.0 08 May 2024 07:45
minor feature:
ClamAV 1.4.0 Release Candidate includes the following improvements and changes:
Major changes
- Added support for extracting ALZ archives.
  The new ClamAV file type for ALZ archives is `CL_TYPE_ALZ`.
  Added a DCONF (https://docs.clamav.net/manual/Signatures/DynamicConfig.html) option to enable or disable ALZ archive support.
  Tip: DCONF (Dynamic CONFiguration) is a feature that allows for some configuration changes to be made via ClamAV `.cfg` "signatures".
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1183
- Added support for extracting LHA/LZH archives.
  The new ClamAV file type for LHA/LZH archives is `CL_TYPE_LHA_LZH`.
  Added a DCONF (https://docs.clamav.net/manual/Signatures/DynamicConfig.html) option to enable or disable LHA/LZH archive support.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1192
- Added the ability to disable image fuzzy hashing, if needed. For context, image fuzzy hashing is a detection mechanism useful for identifying malware by matching images included with the malware or phishing email/document.
  New ClamScan options:
  --scan-image =yes
1.3.1 18 Apr 2024 09:05
minor feature:
ClamAV 1.3.1 is a critical patch release with the following fixes:
- CVE-2024-20380 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20380): Fixed a possible crash in the HTML file parser that could cause a denial-of-service (DoS) condition.
  This affects version 1.3.0 only and does not affect prior versions.
  Thank you to Błażej Pawłowski for identifying this.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1242
- Updated select Rust dependencies to the latest versions. This resolved Cargo audit complaints and included PNG parser bug fixes.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1227
- Fixed a bug causing some text to be truncated when converting from UTF-16.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1230
- Fixed assorted complaints identified by Coverity static analysis.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1235
- Fixed a bug causing CVDs downloaded by the `DatabaseCustomURL` Freshclam config option to be pruned and then re-
1.3.0 24 Feb 2024 10:37
minor feature:
Major changes
Added support for extracting and scanning attachments found in Microsoft OneNote section files.
OneNote parsing will be enabled by default, but may be optionally disabled using one of the following options:
a. The clamscan command line option: --scan-onenote=no,
b. The clamd.conf config option: ScanOneNote no,
c. The libclamav scan option options.parse &= ~CL_SCAN_PARSE_ONENOTE;,
d. A signature change to the daily.cfg dynamic configuration (DCONF).
Other improvements
Fixed an issue when building ClamAV on the Haiku (BeOS-like) operating system. Patch courtesy of Luca D'Amico.
ClamD: When starting, ClamD will now check if the directory specified by TemporaryDirectory in clamd.conf exists. If it doesn't, ClamD will print an error message and will exit with exit code 1. Patch courtesy of Andrew Kiggins.
CMake: If configured to build static libraries, CMake will now also install the libclamav_rust, libclammspack, libclamunrar_iface, and libclamunrar static libraries required by libclamav.
Note: These libraries are all linked into the clamscan, clamd, sigtool, and freshclam programs, which is why they did not need to be installed to function. However, these libraries would be required if you wish to build some other program that uses the libclamav static library. Patch courtesy of driverxdw.
Added file type recognition for compiled Python (.pyc) files.
The file type appears as a string parameter for these callback functions:
clcb_pre_cache
clcb_pre_scan
clcb_file_inspection
When scanning a .pyc file, the type parameter will now show "CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".
Improved support for decrypting PDFs with empty passwords.
Assorted minor improvements and typo fixes.
1.1.0 29 Jul 2023 12:56
minor feature:
- Added the ability to extract images embedded in HTML CSS `<style>` blocks.
- GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/813
- Updated Sigtool so that the `--vba` option will extract VBA code from
Microsoft Office documents the same way that libclamav extracts VBA.
This resolves several issues where Sigtool could not extract VBA.
Sigtool will also now display the normalized VBA code instead of the
pre-normalized VBA code.
- GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/852
- Added a new ClamScan and ClamD option: `--fail-if-cvd-older-than=days`.
Additionally, we introduce `FailIfCvdOlderThan` as a `clamd.conf` synonym for
`--fail-if-cvd-older-than`. When passed, it causes ClamD to exit on startup
with a non-zero return code if the virus database is older than the specified
number of days.
- GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/867
- Added a new function `cl_cvdgetage()` to the libclamav API.
This function will retrieve the age in seconds of the youngest file in a
database directory, or the age of a single CVD (or CLD) file.
- GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/867
- Added a new function `cl_engine_set_clcb_vba()` to the libclamav API.
Use this function to set a `cb_vba` callback function.
The cb_vba callback function will be run whenever VBA is extracted from
office documents. The provided data will be a normalized copy of the
extracted VBA.
This callback was added to support Sigtool so that it can use the same VBA
extraction logic that ClamAV uses to scan documents.
- GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/852
## Other improvements
- Removed the vendored TomsFastMath library in favor of using OpenSSL to
perform "big number"/multiprecision math operations.
Work courtesy of Sebastian Andrzej Siewior.
- GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/840
- Build system: Added
0.100.0-beta 09 Feb 2018 03:15
minor feature:
- Interfaces to the Prelude SIEM open source package for collecting ClamAV virus events.
- Visual Studio 2015 for building Microsoft Windows binaries.
- Support libmspack internal code or as a shared object library. The internal library is the default and contains additional integrity checks.
- Linking with openssl 1.1.0.
- Deprecation of the AllowSupplementaryGroups parameter statement in clamd, clamav-milter, and freshclam. Use of supplementary groups is now in effect by default.
- Numerous bug fixes, typo corrections, and compiler warning fixes.
- Deprecating internal LLVM code support. The configure script has changed to search the system for an installed instance of the LLVM development libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode signatures. To use the LLVM Just-In-Time compiler for executing bytecode signatures, please ensure that the LLVM development package at version 3.6 or lower is installed. Using the deprecated LLVM code is possible with the command './configure --with-system-llvm=no', but it no longer compiles on all platforms.
- Compute and check PE import table hash (a.k.a. "imphash") signatures.
- Support file property collection and analysis for MHTML files.
- Raw scanning of PostScript files.
- Fix clamsubmit to use the new virus and false positive submission web interface.
- Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when size limitations are exceeded.
- Improve decoders for PDF files.
0.99.3 20 Jul 2017 05:45
minor feature:
- Interfaces to Prelude open source SIEM.
- Visual Studio 2015 for building Microsoft Windows binaries.
- Support libmspack code internally or as a shared object library.
- Linking with openssl 1.1.0.
- Numerous code patches, typos, and compiler warnings.
- Deprecating internal LLVM code support. The configure script has changed to search the system for an installed instance of the LLVM development libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode signatures. Using the deprecated internal LLVM code is possible with the command './configure --with-system-llvm=no'.
- Compute and check PE import table hash (a.k.a. "imphash") signatures.
- Support file property collection and analysis for MHTML files.
- Raw scanning of PostScript files.
- Fix clamsubmit to use the new virus and false positive submission web interface.
- Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when size limitations are exceeded.
- Improve decoders for PDF files.
0.99.2 11 May 2016 17:05
minor feature:
- Fix-ups improving the reliability of several ClamAV file parsers.
- sigtool now decodes file type signatures (e.g. daily.ftm CVD file).
- Now supporting libpcre2 in addition to libpcre.
- systemd support for clamd and freshclam. Patch provided by Andreas Cadhalpun.
- Fixed builds on Mac OS X 10.10 and 10.11.
- Improved debug info for certificate metadata.
- Improved freshclam messaging when using a proxy.
- Fixed some freshclam functionality when using private mirrors.
- clamd refinements of open file limitations on Solaris. Patch by Jim Morris.
- clamav-milter signal handling for improved clean up during termination.
0.99-rc2 05 Nov 2015 11:05
minor feature:
- Processing of YARA rules (some limitations; see signatures.pdf).
- Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
- New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
- A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
- Configurable default password list to attempt zip file decryption.
- TIFF file support.
- Upgrade Windows pthread library to 2.9.1.
- A new signature target type for designating signatures to run against files with unknown file types.
- Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
- Support for LZMA decompression within Adobe Flash files.
- Support for MSO attachments within Microsoft Office 2003 XML files.
- A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ascii files.
- Windows installation directories changed from Program Files\Sourcefire\ClamAV to Program Files\ClamAV or Program Files\ClamAV-x64.
0.99-rc1 08 Oct 2015 03:15
minor feature:
- Processing of YARA rules (some limitations; see signatures.pdf).
- Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
- New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
- A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
- Configurable default password list to attempt zip file decryption.
- TIFF file support.
- Upgrade Windows pthread library to 2.9.1.
- A new signature target type for designating signatures to run against files with unknown file types.
- Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
- Support for LZMA decompression within Adobe Flash files.
- Support for MSO attachments within Microsoft Office 2003 XML files.
- A new sigtool option (--ascii-normalize) allowing signature authors to more easily generate normalized versions of ascii files.
0.99-beta2 02 Sep 2015 03:15
minor feature:
- New and improved on-access scanning for Linux. See the recent blog post for more details on the new on-access capabilities.
- Improved support for YARA rules including private rules, referencing other rules, and YARA "include" files.
- Configurable default password list to attempt zip file decryption.
- TIFF support.
- ./configure options for YARA.
- Upgrade Windows pthread library to 2.9.1.
- A new signature target type for uncategorized files.
- Improved fidelity of the "data loss prevention" heuristic algorithm. Code supplied by Bill Parker.
0.99-beta1 10 Jun 2015 05:25
minor feature:
- Process YARA rules (with limitations) as ClamAV signatures.
- Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions.
0.98.7 01 May 2015 03:45
minor feature:
- Improvements to PDF processing: decryption, escape sequence handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
- Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong.
- Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by Kai Risku.
- Improve detections within xar/pkg files.
0.98.5 18 Nov 2014 20:20
minor feature:
ClamAV 0.98.5 (final) includes important new features
for collecting and analyzing file properties.
Support for the XDP file format and extracting, decoding, and
scanning PDF files within XDP files.
Addition of shared library support for LLVM versions 3.1 - 3.4
for the purpose of just-in-time (JIT) compilation of ClamAV
bytecode signatures. Andreas Cadhalpun submitted the patch
implementing this support.
Enhancements to the clambc command line utility to assist
ClamAV bytecode signature authors by providing introspection
into compiled bytecode programs.
Resolution of many of the warning messages from ClamAV compilation.
Bug fixes and other feature enhancements.
0.98.5-rc1 14 Oct 2014 12:25
minor feature:
ClamAV 0.98.5 includes important new features
for collecting and analyzing file properties.
Support for the XDP file format and extracting, decoding, and
scanning PDF files within XDP files.
Addition of shared library support for LLVM versions 3.1 - 3.4
for the purpose of just-in-time (JIT) compilation of ClamAV
bytecode signatures. Andreas Cadhalpun submitted the patch
implementing this support.
Enhancements to the clambc command line utility to assist
ClamAV bytecode signature authors by providing introspection
into compiled bytecode programs.
Resolution of many of the warning messages from ClamAV compilation.
Bug fixes and other feature enhancements.
0.98.4 03 Jul 2014 18:52
minor feature:
This release addressed build problems on Solaris, OpenBSD, and AIX. Additional issues on Windows, Mac OS X, and Solaris 10 have been resolved.