Cisco has released version 0.104 of the free antivirus package ClamAV

Cisco has announced a major new release of the free antivirus package, ClamAV 0.104.0. The project passed to Cisco in 2013 with the acquisition of Sourcefire, the company that develops ClamAV and Snort. The project code is distributed under the GPLv2 license.

At the same time, Cisco announced the creation of ClamAV Long Term Support (LTS) branches, which will be maintained for three years from the date of the first release in the branch. The first LTS branch will be ClamAV 0.103, which will receive fixes for vulnerabilities and critical issues until 2023.

Updates for regular non-LTS branches will be published for at least 4 more months after the first release of the next branch (for example, updates for the ClamAV 0.104.x branch will be published for 4 more months after the release of ClamAV 0.105.0). Signature database downloads for non-LTS branches will also remain available for at least another 4 months after the release of the next branch.

Another significant change is the introduction of official installation packages, which make it possible to upgrade without rebuilding from source and without waiting for packages to appear in distributions. The packages are prepared for Linux (in RPM and DEB formats for x86_64 and i686 architectures), macOS (for x86_64 and ARM64, including Apple M1 chip support) and Windows (x64 and win32). In addition, official container images are now published on Docker Hub (images are offered both with and without a built-in signature database). In the future, it is planned to publish RPM and DEB packages for the ARM64 architecture and to host builds for FreeBSD (x86_64).

Key improvements in ClamAV 0.104:

  • The project has switched to the CMake build system, which is now mandatory for building ClamAV. The Autotools and Visual Studio build systems are no longer supported.
  • The built-in LLVM components have been removed in favor of using existing external LLVM libraries. At runtime, a bytecode interpreter without JIT support is used by default to process signatures with embedded bytecode. To use LLVM instead of the bytecode interpreter, the paths to the LLVM 3.6.2 libraries must be specified explicitly at build time (support for newer releases is planned for later).
  • The clamd and freshclam processes are now also available as Windows services. The "--install-service" option installs these services, and they can be started with the standard "net start [name]" command.
  • A new scanning option has been added that alerts on corrupted image files, which may be attempts to exploit vulnerabilities in graphics libraries. Format validation is implemented for JPEG, TIFF, PNG, and GIF files, and is enabled via the AlertBrokenMedia setting in clamd.conf or the "--alert-broken-media" command line option in clamscan.
  • Added new types CL_TYPE_TIFF and CL_TYPE_JPEG for consistency with GIF and PNG file definitions. The BMP and JPEG 2000 types continue to be defined as CL_TYPE_GRAPHICS because format parsing is not supported for them.
  • clamscan now shows a visual progress indicator for loading signatures and compiling the engine, both of which are performed before scanning starts. The indicator is not displayed when clamscan is run outside a terminal or when one of the options "--debug", "--quiet", "--infected", "--no-summary" is specified.
  • libclamav has added the callbacks cl_engine_set_clcb_sigload_progress(), cl_engine_set_clcb_engine_compile_progress() and, for freeing the engine, cl_engine_set_clcb_engine_free_progress(), with which applications can monitor and estimate the execution time of the preliminary stages of loading and compiling signatures.
  • The VirusEvent option now supports the "%f" string formatting mask, which is replaced with the path to the file in which the virus was detected (similar to the "%v" mask, which is replaced with the name of the detected virus). In VirusEvent, the same information is also available through the $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME environment variables.
  • Improved AutoIt script unpacking module.
  • Added support for extracting images from *.xls (Excel OLE2) files.
  • Added the ability to load Authenticode hashes based on the SHA256 algorithm from *.cat files (used to verify digitally signed Windows executable files).
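
The VirusEvent item above offers two ways to pass detection details to a command: the "%f"/"%v" masks and the environment variables. The following handler is an added example, not part of ClamAV or of the original article; the script path and the function names sanitize and format_event are assumptions. It reads the environment variables so that the scanned file's name is never part of the command line, and it neutralises characters that could forge log entries.

```shell
#!/bin/sh
# Hypothetical VirusEvent handler (added example, not shipped with ClamAV).
# Assumed clamd.conf entry; the script path is an assumption:
#   VirusEvent /usr/local/sbin/clamav-virus-event.sh
# clamd exports the detection details in CLAM_VIRUSEVENT_FILENAME and
# CLAM_VIRUSEVENT_VIRUSNAME. Reading them here, instead of placing %f or %v
# on the command line, keeps an untrusted file name out of the text the
# shell parses: quotes, ';' or '$(...)' in the name stay plain data.

# Replace control characters and double quotes with '?', so a crafted
# name cannot forge extra log lines or break the key="value" framing.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr '\000-\037\177"' '?'
}

# Build a single-line log record from the two exported variables.
format_event() {
    file=$(sanitize "${CLAM_VIRUSEVENT_FILENAME:-unknown}")
    sig=$(sanitize "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}")
    printf 'clamav detection signature="%s" file="%s"' "$sig" "$file"
}

# Constructed sample values, used only when the script is run by hand
# outside clamd (the variables are then unset).
if [ -z "${CLAM_VIRUSEVENT_VIRUSNAME+x}" ]; then
    CLAM_VIRUSEVENT_VIRUSNAME='Eicar-Test-Signature'
    CLAM_VIRUSEVENT_FILENAME='/tmp/upload/$(id); "x".png'
fi

# Print the record; a deployment would pass it to logger(1) or a forwarder.
format_event
echo
```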

Source: opennet.ru
