ClamAV 0.101.0 is a feature release with an assortment of improvements that
we've cooked up over the past 6 months.
### Some of the more obvious changes
- Our user manual has been converted from latex/pdf/html into **Markdown**!
Markdown is easier to read & edit than latex, and is easier to contribute
to as it eliminates the need to generate documents (the PDF, HTML).
Find the user manual under docs/UserManual[.md].
[Check it out!](
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/docs/UserManual.md)
- Support for RAR v5 archive extraction! We replaced the legacy C-based unrar
implementation with RarLabs UnRAR 5.6.5 library. Licensing is the same as
before, although our `libclamunrar_iface` supporting library has changed from
LGPL to the BSD 3-Clause license.
- Libclamav API changes:
  - The following scanning functions now require a filename argument.
    This will enable ClamAV to report more detailed warning and error
    information in the future, and will also allow for more sensible temp
    file names. The filename argument may be `NULL` if a filename is not
    available.
    - `cl_scandesc`
    - `cl_scandesc_callback`
    - `cl_scanmap_callback`
  - Scanning options have been converted from a single flag bit-field into
    a structure of multiple categorized flag bit-fields. This change enabled
    us to add new scanning options requested by the community. In addition,
    the name of each scan option has changed a little.
    As a result, the API changes will require libclamav users to modify
    how they initialize and pass scan options into calls such as `cl_scandesc()`.
    For details:
    - [example code](
      https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/examples/ex1.c#L89)
    - [documentation](
      https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/docs/UserManual/libclamav.md#data-scan-functions)
  - With our move to openssl versions >1.0.1, the `cl_cleanup_crypto()` function
    has been deprecated. This is because cleanup of open-ssl init functions is
    now handled by an auto-deinit procedure within the openssl library, meaning
    the call to `EVP_cleanup()` may cause problems to processes external to Clam.
  - The `CL_SCAN_HEURISTIC_ENCRYPTED` scan option was replaced by 2 new scan options:
    - `CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE`
    - `CL_SCAN_HEURISTIC_ENCRYPTED_DOC`
- `clamd.conf` and command line interface (CLI) changes:
  - As in 0.100.2, the clamd.conf `OnAccessExtraScanning` has been temporarily
    disabled in order to prevent resource cleanup issues from impacting clamd
    stability. As noted below, `OnAccessExtraScanning` is an opt-in minor
    feature of on-access scanning on Linux systems and its loss does not
    significantly impact the effectiveness of on-access scanning.
    The option still exists, but the feature will not be enabled and a warning
    will show if `LogVerbose` is enabled.
    For details, see:
    https://bugzilla.clamav.net/show_bug.cgi?id=12048
  - "Heuristic Alerts" (aka "Algorithmic Detection") options have been changed
    to make the names more consistent. The original options are deprecated in
    0.101, and will be removed in a future feature release.
    - In addition, _two new scan options_ were added to alert specifically on
      encrypted archives or encrypted docs. Previous functionality did both, even
      though it claimed to be specific to archives:
    - Scan option details:

      | Old `clamd.conf` option          | *New* `clamd.conf` option    |
      | -------------------------------- | ---------------------------- |
      | `AlgorithmicDetection`           | `HeuristicAlerts`            |
      | `DetectBrokenExecutables`        | `AlertBrokenExecutables`     |
      | `PhishingAlwaysBlockCloak`       | `AlertPhishingCloak`         |
      | `PhishingAlwaysBlockSSLMismatch` | `AlertPhishingSSLMismatch`   |
      | `PartitionIntersection`          | `AlertPartitionIntersection` |
      | `BlockMax`                       | `AlertExceedsMax`            |
      | `OLE2BlockMacros`                | `AlertOLE2Macros`            |
      | `ArchiveBlockEncrypted`          | `AlertEncrypted`             |
      |                                  | `AlertEncryptedArchive`      |
      |                                  | `AlertEncryptedDoc`          |

      | Old `clamscan` option        | *New* `clamscan` option          |
      | ---------------------------- | -------------------------------- |
      | `--algorithmic-detection`    | `--heuristic-alerts`             |
      | `--detect-broken`            | `--alert-broken`                 |
      | `--phishing-cloak`           | `--alert-phishing-cloak`         |
      | `--phishing-ssl`             | `--alert-phishing-ssl`           |
      | `--partition-intersection`   | `--alert-partition-intersection` |
      | `--block-max`                | `--alert-exceeds-max`            |
      | `--block-macros`             | `--alert-macros`                 |
      | `--block-encrypted`          | `--alert-encrypted`              |
      |                              | `--alert-encrypted-archive`      |
      |                              | `--alert-encrypted-doc`          |
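Since the old names are deprecated and will be removed, a small migrator for existing configurations and scripts is a practical companion to the two tables above. This is an added example, not ClamAV's own code; the only data it relies on is the rename mapping from the tables, and the sample inputs in the comments are constructed.

```python
import re

# Old clamd.conf option -> new clamd.conf option (from the table above).
CLAMD_CONF_RENAMES = {
    "AlgorithmicDetection": "HeuristicAlerts",
    "DetectBrokenExecutables": "AlertBrokenExecutables",
    "PhishingAlwaysBlockCloak": "AlertPhishingCloak",
    "PhishingAlwaysBlockSSLMismatch": "AlertPhishingSSLMismatch",
    "PartitionIntersection": "AlertPartitionIntersection",
    "BlockMax": "AlertExceedsMax",
    "OLE2BlockMacros": "AlertOLE2Macros",
    "ArchiveBlockEncrypted": "AlertEncrypted",
}

# Old clamscan flag -> new clamscan flag (from the table above).
CLAMSCAN_RENAMES = {
    "--algorithmic-detection": "--heuristic-alerts",
    "--detect-broken": "--alert-broken",
    "--phishing-cloak": "--alert-phishing-cloak",
    "--phishing-ssl": "--alert-phishing-ssl",
    "--partition-intersection": "--alert-partition-intersection",
    "--block-max": "--alert-exceeds-max",
    "--block-macros": "--alert-macros",
    "--block-encrypted": "--alert-encrypted",
}

# A clamd.conf directive: optional indent, option name, optional value.
# Comment lines start with '#', so they never match and pass through as-is.
_CONF_LINE = re.compile(r"^(\s*)([A-Za-z0-9]+)(\s+.*)?$")


def migrate_clamd_conf(text: str) -> str:
    """Rewrite deprecated directives in clamd.conf text (constructed sample:
    "BlockMax yes" becomes "AlertExceedsMax yes"); values are left untouched."""
    out = []
    for line in text.splitlines():
        m = _CONF_LINE.match(line)
        if m and m.group(2) in CLAMD_CONF_RENAMES:
            line = m.group(1) + CLAMD_CONF_RENAMES[m.group(2)] + (m.group(3) or "")
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def migrate_clamscan_argv(argv: list) -> list:
    """Rewrite deprecated clamscan flags, keeping any =value suffix intact."""
    result = []
    for arg in argv:
        flag, sep, value = arg.partition("=")  # "--block-max=yes" -> flag, "=", "yes"
        result.append(CLAMSCAN_RENAMES.get(flag, flag) + sep + value)
    return result
```

Run `migrate_clamd_conf` over the contents of clamd.conf and diff the result before installing it; lines that already use the new names are returned unchanged, so the migration is safe to repeat.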
### Some more subtle improvements
- Logical signatures have been extended with a new subsignature type which
allows for numerical byte sequence comparison. For those familiar with
Snort, this byte comparison feature works similarly to the byte_extract
and byte_test features, in that it allows signature writers to extract and
compare a specified number of bytes (offset from a match) against another
numeric value. You can read more about this feature, see how it works, and
look over examples in [our documentation](docs/UserManual/Signatures.md).
- Backwards compatibility improvements for detecting the OpenSSL dependency.
- Freshclam updated to match exit codes defined in the freshclam.1 man page.
- Upgrade from libmspack 0.5alpha to libmspack 0.7.1alpha. As a reminder, we
support system-installed versions of libmspack. _However_, at this time the
ClamAV-provided version of libmspack provides additional abilities to parse
broken or non-standard CAB files beyond what the stock libmspack 0.7.1alpha
provides. We are working with the upstream project to incorporate our
modifications, and hopefully these changes will appear in a future release
of libmspack.
- Updated the bundled 3rd party library libxml2 included for Windows builds to
version 2.9.8.
- Updated the bundled 3rd party library pcre included for Windows builds to
pcre2 version 10.31.
- Upgraded Aspack PE unpacking capability with support up to version 2.42.
- Improvements to PDF parsing capability.
- Replaced the Windows installer with a new installer built using InnoSetup 5.
- Improved `curl-config` detection logic.
GitHub pull-request by Thomas Petazzoni.
- Added file type `CL_TYPE_LNK` to more easily identify Windows Shortcut files
when writing signatures.
- Improved parsing of Windows executable (PE) Authenticode signatures.
Pull-request by Andrew Williams.
- Added support for Authenticode signature properties commonly used by
Windows system files. These files are now much more likely to be
whitelisted correctly.
- Signature parsing now works correctly on big endian systems.
- Some simplification to freshclam mirror management code, including changes
to reduce timeout on ignoring mirrors after errors, and to make freshclam
more tolerant when there is a delay between the time the new signature
database content is announced and the time that the content-delivery-network
has the content available for download.
- Email MIME Header parsing changes to accept argument values with unbalanced
quotes. This should improve detection of attachments on malformed
emails.
GitHub pull-request by monnerat.
- Included the config filename when reporting errors parsing ClamAV configs.
GitHub pull-request by Josh Soref.
- Improvement to build scripts for clamav-milter.
GitHub pull-request by Renato Botelho.
### Other changes
- Removed option handler for `AllowSupplementaryGroups` from libfreshclam.
This option was previously deprecated from freshclam in ClamAV 0.100.0 but
remained in libfreshclam by mistake.
- In older versions of pcre2 and in pcre, a higher `PCRERecMatchLimit` may
cause `clamd` to crash on select files. We have lowered the default
`PCRERecMatchLimit` to 2000 to reduce the likelihood of a crash and have
added warnings to recommend using pcre2 v10.30 or higher to eliminate
the issue.