From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [Clamav-announce] ClamAV® blog: ClamAV 0.104.0 released
Date: Mon, 06 Sep 2021 10:59:52 +0100
Message-ID: <3760BC1A-1E89-4D69-B266-CE04825F5E3B@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0031253799152556894=="
List-Id:

--===============0031253799152556894==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

Yes, it is an LTS version, but where is the general benefit?

* The LLVM issue is the same (the old version is bundled with clamav 0.103.x if I recall correctly).
* We will miss out on new features.
* Updating clamav is generally not very painful (like the kernel is for example), so if we update to 0.104.n+1 or 0.103.n+1 is kind of the same.

I wasn’t aware that there is a different version of the bytecode engine that does not need LLVM. Since we do not care *that* much about performance in ClamAV, I think we should be fine with this. First of all I want to make sure that we are scanning for all the signatures.

If 0.104.0 is running fine in “interpreter” mode, I would suggest to submit a patch.

-Michael

> On 5 Sep 2021, at 10:29, Matthias Fischer wrote:
>
> Hi,
>
> thinking about it, consider sticking with 0.103.3 LTS(!):
>
> => https://docs.clamav.net/faq/faq-eol.html
>
> "Expected end of life" will be September 2023, "DB downloads allowed
> until" Sep 2023, "Patch versions continue until" Sep 2023.
>
> Besides, '0.104.0' - built with "interpreter" - is running like
> '0.103.3'. No seen differences in functionality and speed.
>
> Changelog for 0.104.0:
> => https://blog.clamav.net/2021/09/clamav-01040-released.html#more
>
> Jm2C
>
> Best,
> Matthias
>
> On 04.09.2021 18:47, Matthias Fischer wrote:
>> Hi,
>>
>> I finally got a "testversion" of 'clamav 0.104.0' up and running in
>> productive environment (Core 159 / 64bit). Testing. It's filtering, no
>> problems during startup.
>>
>> But: NO 'llvm' - I built this version with
>> "-D BYTECODE_RUNTIME="interpreter" \".
>>
>> I did this because if I read the clamav blog right, it would make no
>> (big) difference compared to 0.103.3:
>>
>> "The bytecode interpreter is the default runtime for bytecode signatures
>> just as it was in ClamAV 0.103.
>> We wished to add support for newer versions of LLVM, but ran out of
>> time. If you're building ClamAV from source and you wish to use LLVM
>> instead of the bytecode interpreter, you will need to supply the
>> development libraries for LLVM version 3.6.2."
>>
>> The current 'llvm 12.0.1' isn't supported, 'llvm 3.6.2' kept crashing my
>> build, so I thought: what the heck!?
>>
>> I'll test and report. If anyone wants to test this too, I'll send a patch.
>>
>> Best,
>> Matthias
>>
>> On 04.09.2021 13:38, Michael Tremer wrote:
>>> Hello,
>>>
>>>> On 4 Sep 2021, at 04:58, Matthias Fischer wrote:
>>>>
>>>> Hi all,
>>>>
>>>> On 03.09.2021 18:36, Stefan Schantl wrote:
>>>>> Hello Michael, Hello Matthias, Hello list,
>>>>>> Hello everyone,
>>>>>>
>>>>>> I just received this announcement that clamav 0.104.0 has been
>>>>>> released.
>>>>>>
>>>>>> The interesting things for us are the changes in the build system:
>>>>>>
>>>>>> * It now requires cmake which isn’t a problem
>>>>
>>>> Yep. Done.
>>>> I already did a few - early tests with 'clamav 0.104-rc'. I'm still not
>>>> 100% sure about the needed options, but it builds (see attached lfs-file).
>>>>
>>>>>> * It now requires LLVM which we don’t have
>>>>>>
>>>>>> LLVM is probably going to be large, but Stefan has already played
>>>>>> around with it and we might be able to merge his patches. So, Stefan,
>>>>>> could you please post them? I suppose Matthias is the de-facto
>>>>>> maintainer of clamav. You will need to merge these patches locally to
>>>>>> see if clamav is happy with what Stefan has built.
>>>>>
>>>>> I've created and pushed a new LLVM git branch in my personal git
>>>>> repository, which builds the LLVM compiler suite.
>>>>>
>>>>> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/heads/llvm
>>>>>
>>>>> I hope this will do the trick with the new clamav version.
>>>>
>>>> I'm not sure at this point.
>>>>
>>>> I think we need to add something like "-D BYTECODE_RUNTIME="llvm" \" for
>>>> building 'clamav'.
>>>>
>>>> Stefan provided the current 'llvm 12.0.1'. Thanks again!
>>>>
>>>> But the clamav announcement - please read below - says:
>>>> "We hoped to add support for newer versions of LLVM, but ran out of
>>>> time. If you're building ClamAV from source and you wish to use LLVM
>>>> instead of the bytecode interpreter, you will need to supply the
>>>> development libraries for LLVM version 3.6.2."
>>>
>>> This is outrageous. ClamAV is owned by Cisco, a multi-billion dollar company that cannot afford to do things right. I hope they have a different strategy for their other products.
>>>
>>> LLVM 3.6.2 was released in 2015 (https://releases.llvm.org). This is a 6 year old release that is no longer maintained and I suppose many bugs and security issues have been fixed in the meantime.
>>>
>>>> First build - *without* BYTECODE_RUNTIME="llvm" - seems to build ok,
>>>> next I'll test building *with* this option. I'm just a bit puzzled if I
>>>> should use 12.0.1 or 3.6.2. The latter is a bit old(!?). Or do I miss
>>>> something?
>>>
>>> If it won’t build with recent releases we are facing the question whether we want to ship old and outdated software that nobody cares for any more and disable the functionality altogether. What is better? Not scanning certain signatures, or exposing the firewall to being exploited through its virus scanner?
>>>
>>> I vote for disabling the bytecode runtime.
>>>
>>>> And since the 'llvm' rootfile is quite large: does anyone have an idea
>>>> what llvm-parts (/usr/bin/...? /usr/lib/...?) are needed (see attachment).
>>>
>>> Probably some libraries which we could have seen by checking what clamav is linked against (with lld). But that is a kind of moot question now :)
>>>
>>> Thank you for investigating this.
>>>
>>> -Michael
>>>
>>>> Best,
>>>> Matthias
>>>>
>>>>> Best regards,
>>>>>
>>>>> -Stefan
>>>>>
>>>>>>
>>>>>> This will be an interesting project :)
>>>>
>>>> I think so... ;-)
>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> Begin forwarded message:
>>>>>>>
>>>>>>> From: "Joel Esler (jesler)"
>>>>>>> Subject: [Clamav-announce] ClamAV® blog: ClamAV 0.104.0 released
>>>>>>> Date: 3 September 2021 at 16:51:29 BST
>>>>>>> To: "ClamAV-announce(a)lists.clamav.net" <
>>>>>>> ClamAV-announce(a)lists.clamav.net>, "clamav-users(a)lists.clamav.net"
>>>>>>>
>>>>>>> Reply-To: noreply(a)clamav.net
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> https://blog.clamav.net/2021/09/clamav-01040-released.html
>>>>>>>>
>>>>>>>> ClamAV 0.104.0 released
>>>>>>>> ClamAV 0.104.0 is available as an official
>>>>>>>> release as of today.
>>>>>>>> We are also announcing a new Long Term Support (LTS) program
>>>>>>>> today in an update to our End-of-Life (EOL) policy. The LTS will
>>>>>>>> start retroactively with ClamAV 0.103, the previous feature
>>>>>>>> release.
>>>>>>>> This new LTS policy extends the life of 0.103 up through
>>>>>>>> September 2023 and will facilitate the production of more
>>>>>>>> frequent feature releases while enabling users to rely on a
>>>>>>>> supported version for years to come if they cannot keep pace with
>>>>>>>> the feature release cadence. For full details about the Long Term
>>>>>>>> Support program, you can see the LTS announcement blog post and
>>>>>>>> review the LTS policy in our online documentation.
>>>>>>>> We're also introducing new install packages to make it easier for
>>>>>>>> folks to upgrade without having to build ClamAV from source and
>>>>>>>> without having to wait for a community volunteer to package the
>>>>>>>> latest release. You can find the new install packages on the
>>>>>>>> ClamAV.net Downloads Page.
>>>>>>>> Today you can find:
>>>>>>>> * x86_64 and i686 RPM packages compatible with RPM-based Linux
>>>>>>>> distributions running glibc version 2.17 or newer.
>>>>>>>> * x86_64 and i686 DEB packages compatible with Debian-based
>>>>>>>> Linux distributions running glibc version 2.23 or newer.
>>>>>>>> * An x86_64/ARM64 macOS installer package is compatible with
>>>>>>>> Intel and Apple M1 systems.
>>>>>>>> * x64 and win32 Windows packages are compatible with Windows 7
>>>>>>>> and newer.
>>>>>>>> In the future, we hope to supplement these with ARM64 Linux DEB
>>>>>>>> and RPM packages and an x86_64 FreeBSD package.
>>>>>>>> Please note that you may find installations in this release
>>>>>>>> require more manual configuration than when using a preconfigured
>>>>>>>> package provided by a Linux or Unix distribution. See our
>>>>>>>> installation instructions on clamav.net for more information.
>>>>>>>> ClamAV 0.104.0 includes the following improvements and changes.
>>>>>>>>
>>>>>>>> New Requirements
>>>>>>>> * As of ClamAV 0.104, CMake is required to build
>>>>>>>> ClamAV. We have added comprehensive build instructions for using
>>>>>>>> CMake to the new INSTALL.md file.
>>>>>>>> The online documentation will
>>>>>>>> also be updated to include CMake build instructions. The Autotools
>>>>>>>> and the Visual Studio build systems have been removed.
>>>>>>>>
>>>>>>>> Major changes
>>>>>>>> * The built-in LLVM for the bytecode runtime has
>>>>>>>> been removed. The bytecode interpreter is the default runtime for
>>>>>>>> bytecode signatures just as it was in ClamAV 0.103. We hoped to
>>>>>>>> add support for newer versions of LLVM, but ran out of time. If
>>>>>>>> you're building ClamAV from source and you wish to use LLVM
>>>>>>>> instead of the bytecode interpreter, you will need to supply the
>>>>>>>> development libraries for LLVM version 3.6.2. See the "bytecode
>>>>>>>> runtime" section in INSTALL.md to learn more.
>>>>>>>> * There are now official ClamAV images on Docker Hub.
>>>>>>>> Docker Hub ClamAV tags:
>>>>>>>> clamav/clamav:: A release preloaded with
>>>>>>>> signature databases. Using this container will save the ClamAV
>>>>>>>> project some bandwidth. Use this if you will keep the image
>>>>>>>> around so that you don't download the entire database set every
>>>>>>>> time you start a new container. Updating with FreshClam from the
>>>>>>>> existing databases set does not use much data.
>>>>>>>> clamav/clamav:_base: A release with no signature
>>>>>>>> databases. Use this container only if you mount a volume in your
>>>>>>>> container under /var/lib/clamav to persist your signature
>>>>>>>> databases. This method is the best option because it
>>>>>>>> will reduce data costs for ClamAV and for the Docker registry,
>>>>>>>> but it does require advanced familiarity with Linux and
>>>>>>>> Docker. Caution: Using this image without mounting an existing
>>>>>>>> database directory will cause FreshClam to download the entire
>>>>>>>> database set each time you start a new container.
>>>>>>>> You can use the unstable version
>>>>>>>> (i.e.
>>>>>>>> clamav/clamav:unstable or clamav/clamav:unstable_base) to
>>>>>>>> try the latest from our development branch. Please, be kind when
>>>>>>>> using 'free' bandwidth, both for the virus databases but also the
>>>>>>>> Docker registry. Try not to download the entire database set or
>>>>>>>> the larger ClamAV database images on a regular basis. For more
>>>>>>>> details, see the ClamAV Docker documentation. Special thanks to
>>>>>>>> Olliver Schinagl for his excellent work creating ClamAV's new
>>>>>>>> Docker files, image database deployment tooling, and user
>>>>>>>> documentation.
>>>>>>>> * clamd and freshclam are now available as Windows services. To
>>>>>>>> install and run them, use the --install-service option and net
>>>>>>>> start [name] command. Special thanks to Gianluigi Tiesi for his
>>>>>>>> original work on this feature.
>>>>>>>>
>>>>>>>> Notable changes
>>>>>>>> The following was added in 0.103.1 and is repeated
>>>>>>>> here for awareness, as patch versions do not generally introduce
>>>>>>>> new options:
>>>>>>>> * Added a new scan option to alert on broken media (graphics)
>>>>>>>> file formats. This feature mitigates the risk of malformed media
>>>>>>>> files intended to exploit vulnerabilities in other software. At
>>>>>>>> present, media validation exists for JPEG, TIFF, PNG and GIF
>>>>>>>> files. To enable this feature, set AlertBrokenMedia yes in
>>>>>>>> clamd.conf, or use the --alert-broken-media option when
>>>>>>>> using clamscan. These options are disabled by default in this
>>>>>>>> patch release but may be enabled in a subsequent release.
>>>>>>>> Application developers may enable this scan option by
>>>>>>>> enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan
>>>>>>>> option bit field.
>>>>>>>> * Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG
>>>>>>>> typing behavior.
>>>>>>>> BMP and JPEG 2000 files will continue to detect
>>>>>>>> as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG
>>>>>>>> 2000 format checking capabilities.
>>>>>>>> * Added progress callbacks to libclamav for:
>>>>>>>>   database load: cl_engine_set_clcb_sigload_progress()
>>>>>>>>   engine compile: cl_engine_set_clcb_engine_compile_progress()
>>>>>>>>   engine free: cl_engine_set_clcb_engine_free_progress()
>>>>>>>> These new callbacks enable an application to monitor and estimate
>>>>>>>> load, compile, and unload progress. See clamav.h for API details.
>>>>>>>> * Added progress bars to ClamScan for the signature load and
>>>>>>>> engine compile steps before a scan begins. The start-up progress
>>>>>>>> bars won't be enabled if ClamScan isn't running in a terminal
>>>>>>>> (i.e. stdout is not a TTY), or if any of these options are used:
>>>>>>>>   --debug
>>>>>>>>   --quiet
>>>>>>>>   --infected
>>>>>>>>   --no-summary
>>>>>>>>
>>>>>>>> Other improvements
>>>>>>>> * Added the %f format string option to the
>>>>>>>> ClamD VirusEvent feature to insert the file path of the scan
>>>>>>>> target when a virus-event occurs. This supplements the
>>>>>>>> VirusEvent %v option which prints the signature (virus) name. The
>>>>>>>> ClamD VirusEvent feature also provides two environment
>>>>>>>> variables, $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME
>>>>>>>> for a similar effect. Patch courtesy of Vasile Papp.
>>>>>>>> * Improvements to the AutoIt extraction module. Patch courtesy
>>>>>>>> of cw2k.
>>>>>>>> * Added support for extracting images from Excel *.xls (OLE2)
>>>>>>>> documents.
>>>>>>>> * Trusted SHA256-based Authenticode hashes can now be loaded in
>>>>>>>> from *.cat files. For more information, visit our Authenticode
>>>>>>>> documentation about using *.cat files with *.crb rules to trust
>>>>>>>> signed Windows executables.
>>>>>>>>
>>>>>>>> Bug fixes
>>>>>>>> * Fixed a memory leak affecting logical signatures that
>>>>>>>> use the "byte compare" feature. Patch courtesy of Andrea De
>>>>>>>> Pasquale.
>>>>>>>> * Fixed bytecode match evaluation for PDF bytecode hooks in PDF
>>>>>>>> file scans.
>>>>>>>> * Other minor bug fixes.
>>>>>>>>
>>>>>>>> Acknowledgments
>>>>>>>> The ClamAV team thanks the following individuals
>>>>>>>> for their code submissions:
>>>>>>>> * Alexander Golovach
>>>>>>>> * Andrea De Pasquale
>>>>>>>> * Andrew Williams
>>>>>>>> * Arjen de Korte
>>>>>>>> * Armin Kuster
>>>>>>>> * Brian Bergstrand
>>>>>>>> * cw2k
>>>>>>>> * Duane Waddle
>>>>>>>> * Gianluigi Tiesi
>>>>>>>> * Jonas Zaddach
>>>>>>>> * Kenneth Hau
>>>>>>>> * Mark Fortescue
>>>>>>>> * Markus Strehle
>>>>>>>> * Olliver Schinagl
>>>>>>>> * Orion Poplawski
>>>>>>>> * Sergey Valentey
>>>>>>>> * Sven Rueß
>>>>>>>> * Tom Briden
>>>>>>>> * Tuomo Soini
>>>>>>>> * Vasile Papp
>>>>>>>> * Yasuhiro Kimura
>>>>>>> _______________________________________________
>>>>>>>
>>>>>>> clamav-announce mailing list
>>>>>>> clamav-announce(a)lists.clamav.net
>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-announce
>>>>>>>
>>>>>>> http://www.clamav.net/contact.html#ml

--===============0031253799152556894==--