[clamav-users] [External] ClamAV® blog: ClamAV 0.103.0 release candidate
Kevin A. McGrail
kmcgrail at pccc.com
Wed Aug 19 10:25:42 UTC 2020
Morning All,
I tested the RC on a machine with 0.102.4 on it.
I did the same configure line, make, make install and ldconfig -v and
then tried to start the clamd daemon. After 29 minutes I gave up and
reverted to 0.102.4.
What can I get from the system that might be helpful for debugging purposes?
Anything I should do differently for testing?
Regards,
KAM
On 8/18/2020 5:57 PM, Joel Esler (jesler) via clamav-users wrote:
>
>>
>> https://blog.clamav.net/2020/08/clamav-01030-release-candidate.html
>>
>>
>> ClamAV 0.103.0 release candidate
>>
>> Today we are pleased to announce the ClamAV 0.103.0 release candidate
>> <https://www.clamav.net/downloads>!
>>
>> Please help us validate this release. We need your feedback so let us
>> know what you find and join us on the clamav mailing list
>> <https://lists.clamav.net/mailman/listinfo/clamav-users>, in #clamav
>> on irc.freenode.net <http://irc.freenode.net>, or on our Discord
>> <https://discord.gg/sGaxA5Q>, which is bridged with our IRC.
>>
>> Please submit bugs to our Bugzilla
>> <https://bugzilla.clamav.net/enter_bug.cgi?product=ClamAV>.
>>
>> ClamAV 0.103.0 includes the following improvements and changes.
>>
>>
>> Major changes
>>
>> * clamd can now reload the signature database without blocking
>> scanning. This multi-threaded database reload improvement was
>> made possible thanks to a community effort.
>> o Non-blocking database reloads are now the default behavior.
>> Some systems that are more constrained on RAM may need to
>> disable non-blocking reloads as it will temporarily consume
>> 2x as much memory. For this purpose we have added a new clamd
>> config option ConcurrentDatabaseReload which may be set to no.
>>
>>
>> Special thanks to the following for making this feature a reality:
>>
>> * Alberto Wu
>> * Alexander Sulfrian
>> * Arjen de Korte
>> * David Heidelberg
>> * Ged Haywood
>> * Julius Plenz
>> * Michael Orlitzky
>>
>>
>> Thank you all for your patience waiting for this feature.
>>
>>
>> Notable changes
>>
>>
>> * The DLP module has been enhanced with additional credit card
>> ranges and a new engine option which allows ClamAV to alert only
>> on credit cards (and not, for instance, gift cards) when
>> scanning with the DLP module. This feature enhancement was made
>> by John Schember, with input from Alexander Sulfrian.
>>
>>
>> * Support for Adobe Reader X PDF encryption, an overhaul of PNG
>> scanning to detect PNG specific exploits, and a major change to
>> GIF parsing which makes it more tolerant to problematic files and
>> adds the ability to scan overlays, all thanks to work and patches
>> submitted by Aldo Mazzeo.
>>
>>
>> * clamdtop.exe now available for Windows users. Functionality is
>> somewhat limited when compared with clamdtop on Linux. PDCurses
>> is required to build clamdtop.exe for ClamAV on Windows.
>>
>>
>> * The phishing detection module will now print "Suspicious link
>> found!" along with the "Real URL" and "Display URL" each time
>> phishing is detected. In a future version, we would like to print
>> out alert-related metadata like this at the end of a scan, but
>> for now this detail will help users understand why a given file
>> is being flagged as phishing.
>>
>>
>> * Added new */experimental/* CMake build tooling. CMake is not yet
>> recommended for production builds. /Our team would appreciate any
>> assistance improving the CMake build tooling so we can one day
>> deprecate Autotools and remove the Visual Studio solutions/.
>> o Please see the new CMake installation instructions found in
>> INSTALL.cmake.md for detailed instructions on how to build
>> ClamAV with CMake.
>>
>>
>> * Added --ping and --wait options to the clamdscan and clamonacc
>> client applications.
>> o The --ping (-p) command will attempt to ping clamd up to a
>> specified maximum number of attempts at an optional interval.
>> If the interval isn't specified, a default 1-second interval
>> is used. It will exit with status code `0` when it receives a
>> PONG from clamd or status code `21` if the timeout expires
>> before it receives a response.
>>
>> Example: clamdscan -p 120 will attempt to ping clamd 120 times
>> at a 1 second interval.
>>
>> o The --wait (-w) command will wait up to 30 seconds for clamd
>> to start. This option may be used in tandem with the --ping
>> option to customize the max # of attempts and the attempt
>> interval. As with --ping, the scanning client may exit with
>> status code 21 if the timeout expires before a connection is
>> made to clamd.
>>
>> Example: clamdscan -p 30:2 -w <file> will attempt a scan,
>> waiting up to 60 seconds for clamd to start and receive the
>> scan request.
>>
>> o The ping-and-wait feature is particularly useful for those
>> wishing to start clamd and start clamonacc at startup,
>> ensuring that clamd is ready before clamonacc starts. It is
>> also useful for those wishing to start clamd immediately
>> before initiating scans with clamdscan rather than having the
>> clamd service run continuously.
>>
>> * Added Excel 4.0 (XLM) macro detection and extraction support.
>> Significantly improved VBA detection and extraction as well. Work
>> courtesy of Jonas Zaddach.
>> o This support is not yet added to sigtool, as the VBA extraction
>> feature in sigtool is separate from the one used for scanning
>> and will still need to be updated or replaced in the future.
>>
>> * Improvements to the layout and legibility of temp files created
>> during a scan. Improvements to legibility and content of the
>> metadata JSON generated during a scan.
>>
>> To review the scan temp files and metadata JSON, run:
>>
>> clamscan --tempdir=<path> --leave-temps --gen-json <target>
>>
>>
>> Viewing the scan temp files and metadata.json file provides some
>> insight into how ClamAV analyzes a given file and can also be useful
>> to analysts for initial triage of potentially malicious files.
>>
>>
>>
>> Other improvements
>>
>>
>> * Added ability for freshclam and clamsubmit to override default
>> use of OpenSSL CA bundle with a custom CA bundle. On Linux/Unix
>> platforms (excluding macOS), users may specify a custom CA bundle
>> by setting the CURL_CA_BUNDLE environment variable. On macOS and
>> Windows, users are expected to add CA certificates to their
>> respective system's keychain/certificate store. Patch courtesy of
>> Sebastian A. Siewior
>>
>> * clamscan and clamdscan now print the scan start and end dates in
>> the scan summary.
>>
>> * The clamonacc on-access scanning daemon for Linux now installs to
>> sbin instead of bin.
>>
>> * Improvements to the freshclam progress bar so the width of the
>> text does not shift around as information changes and will not
>> exceed 80 characters even on very slow connections. Time is
>> now displayed in Xm XXs (or Xh XXm) for values of 60 seconds or
>> more. Bytes display now changes units at the proper 1024 B/KiB
>> instead of 2048 B/KiB. Patch courtesy of Zachary Murden.
>>
>> * Improve column alignment and line wrap rendering for clamdtop.
>> Also fixed an issue on Windows where clamdtop would occasionally
>> disconnect from clamd and fail to reconnect. Patch courtesy of
>> Zachary Murden.
>>
>> * Improvements to the AutoIT parser.
>>
>> * Loosened the curl version requirements in order to build and use
>> clamonacc. You may now build ClamAV with any version of libcurl.
>> However clamonacc's file descriptor-passing (FD-passing)
>> capability will only be available with libcurl 7.40 or newer.
>> FD-passing is ordinarily the default way to perform scans with
>> clamonacc as it is significantly faster than streaming.
>>
>> * Added LZMA and BZip2 decompression routines to the bytecode
>> signature API.
>>
>> * Disabled embedded type recognition for specific archive and disk
>> image file types. This change reduces file type misclassification
>> and improves scan time performance by reducing duplicated file
>> scanning.
>>
>>
>>
>>
>> Bug fixes
>>
>>
>> * Fixed issue scanning directories on Windows with clamdscan.exe
>> that was introduced when mitigating against symlink quarantine
>> attacks.
>>
>> * Fixed behavior of freshclam --quiet option. Patch courtesy of
>> Reio Remma.
>>
>> * Fixed behavior of freshclam's OnUpdateExecute, OnErrorExecute,
>> and OnOutdatedExecute config options on Windows when in
>> daemon-mode so it can handle multiple arguments. Patch courtesy
>> of Zachary Murden.
>>
>> * Fixed an error in the heuristic alert mechanism that would cause
>> a single detection within an archive to alert once for every
>> subsequent file scanned, potentially resulting in thousands of
>> alerts for a single scan.
>>
>> * Fixed clamd, clamav-milter, and freshclam to create PID files
>> before dropping privileges, to avoid the possibility of an
>> unprivileged user from changing the PID file so that a service
>> manager will kill a different process. This change does make the
>> services unable to clean up the PID file on exit.
>>
>> * Fixed the false positive (.fp) signature feature. In prior
>> versions, the hash in a false positive signature would be checked
>> only against the current layer of a file being scanned. In 0.103,
>> every file layer is hashed, and the hashes for each in the scan
>> recursion list are checked. This ensures that .fp signatures
>> containing a hash for any layer in the scan leading up to the
>> alert will negate the alert.
>> o As an example, a hash for a zip containing the file which
>> alerts would not prevent the detection in prior versions.
>> Only the hash of the embedded file would work. For some file
>> types where the outermost is always an archive, eg. docx
>> files, this made .fp signatures next to useless. For certain
>> file types where the scanned content was a normalized version
>> of the original content, eg. HTML, the normalized version was
>> never hashed and this meant that .fp signatures never worked.
>>
>> * Fixed Trusted & Revoked Windows executable (PE) file signature
>> rules (.crb) maximum functionality level (FLEVEL) which had been
>> being treated as the minimum FLEVEL. These signatures enable
>> ClamAV to trust executables that are digitally signed by trusted
>> publishers, or to alert on executables signed with compromised
>> signing-certificates. The minimum and maximum FLEVELS enable or
>> disable signatures at load time depending on the current ClamAV
>> version.
>>
>> * Fixed a bug wherein you could not build ClamAV with
>> --enable-libclamav-only if curl was not installed on the system.
>>
>> * Various other bug fixes, improvements, and documentation
>> improvements.
>>
>>
>>
>>
>> New Requirements
>>
>>
>> * Autotools (automake, autoconf, m4, pkg-config, libtool) are now
>> required in order to build from a Git clone because the files
>> generated by these tools have been removed from the Git
>> repository. To generate these files before you compile ClamAV,
>> run autogen.sh. Users building with Autotools from the release
>> tarball should be unaffected.
>>
>> * Flex and Bison are now required in order to build from a Git
>> clone. Flex and Bison are also required to build with CMake.
>> Users building with Autotools from the release tarball should be
>> unaffected.
>>
>>
>>
>>
>> Acknowledgements
>>
>> The ClamAV team thanks the following individuals for their code
>> submissions:
>>
>> * Aldo Mazzeo
>> * Ángel
>> * Antonino Cangialosi
>> * Clement Lecigne
>> * Jamie Biggar
>> * Jan Smutny
>> * John Schember
>> * Jonathan Sabbe
>> * lutianxiong
>> * Reio Remma
>> * Sebastian A. Siewior
>> * Zachary Murden
>>
>
--
*Kevin A. McGrail*
CEO Emeritus
Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032
http://www.pccc.com/
703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
KMcGrail at PCCC.com <mailto:kmcgrail at pccc.com>
https://www.linkedin.com/in/kmcgrail
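
The ping behaviour from the quoted release notes (exit status 0 on PONG, 21 on timeout), as an added example that is not part of the original post or of the ClamAV project's code: a POSIX shell gate that starts a dependent command only once clamd answers. `CLAMDSCAN`, `wait_for_clamd` and `run_when_ready` are names assumed for this sketch.

```shell
#!/bin/sh
# Added example: gate a dependent command on clamd readiness using the
# 0.103 "clamdscan -p ATTEMPTS[:INTERVAL]" ping from the release notes.
# Exit status per the notes: 0 = PONG received, 21 = timeout expired.
# CLAMDSCAN can be overridden to point at a specific binary (assumed name).
CLAMDSCAN="${CLAMDSCAN:-clamdscan}"

# wait_for_clamd ATTEMPTS [INTERVAL_SECONDS]
# Returns 0 (ready), 21 (timeout), 1 (other clamdscan failure), 2 (bad usage).
wait_for_clamd() {
    attempts="$1"
    interval="${2:-1}"
    # Both values must be plain non-negative integers.
    for n in "$attempts" "$interval"; do
        case "$n" in
            ''|*[!0-9]*)
                echo "usage: wait_for_clamd ATTEMPTS [INTERVAL]" >&2
                return 2 ;;
        esac
    done
    start=$(date +%s)
    rc=0
    "$CLAMDSCAN" -p "${attempts}:${interval}" >/dev/null 2>&1 || rc=$?
    elapsed=$(( $(date +%s) - start ))
    case "$rc" in
        0)  echo "clamd ready after ${elapsed}s"
            return 0 ;;
        21) echo "clamd did not answer within $((attempts * interval))s" >&2
            return 21 ;;
        *)  echo "clamdscan failed with status ${rc}" >&2
            return 1 ;;
    esac
}

# run_when_ready ATTEMPTS INTERVAL COMMAND [ARGS...]
# Runs COMMAND only after clamd has answered; otherwise passes the
# failure status through so a service manager can see why it did not start.
run_when_ready() {
    a="$1"
    i="$2"
    shift 2
    wait_for_clamd "$a" "$i" || return $?
    "$@"
}

# Usage (not executed here): run_when_ready 30 2 <command that needs clamd>
```

A status of 21 after a generous attempt count separates "clamd is still loading" from a client-side failure such as a missing binary or unreadable configuration, which is reported as status 1.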