Hello everyone,
I just received this announcement that clamav 0.104.0 has been released.
The interesting things for us are the changes in the build system:
* It now requires cmake which isn’t a problem
* It now requires LLVM which we don’t have
LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
This will be an interesting project :)
-Michael
Begin forwarded message:
From: "Joel Esler (jesler)" <jesler@cisco.com>
Subject: [Clamav-announce] ClamAV® blog: ClamAV 0.104.0 released
Date: 3 September 2021 at 16:51:29 BST
To: "ClamAV-announce@lists.clamav.net" <ClamAV-announce@lists.clamav.net>, "clamav-users@lists.clamav.net" <clamav-users@lists.clamav.net>
Reply-To: noreply@clamav.net
https://blog.clamav.net/2021/09/clamav-01040-released.html
ClamAV 0.104.0 released
ClamAV 0.104.0 is available as an official release as of today.
We are also announcing a new Long Term Support (LTS) program today in an update to our End-of-Life (EOL) policy. The LTS will start retroactively with ClamAV 0.103, the previous feature release. This new LTS policy extends the life of 0.103 up through September 2023 and will facilitate the production of more frequent feature releases while enabling users to rely on a supported version for years to come if they cannot keep pace with the feature release cadence. For full details about the Long Term Support program, you can see the LTS announcement blog post https://blog.clamav.net/2021/09/changes-to-clamav-end-of-life-policy.html and review the LTS policy in our online documentation https://docs.clamav.net/faq/faq-eol.html.
We're also introducing new install packages to make it easier for folks to upgrade without having to build ClamAV from source and without having to wait for a community volunteer to package the latest release. You can find the new install packages on the ClamAV.net Downloads Page https://www.clamav.net/downloads.
Today you can find:
* x86_64 and i686 RPM packages compatible with RPM-based Linux distributions running glibc version 2.17 or newer.
* x86_64 and i686 DEB packages compatible with Debian-based Linux distributions running glibc version 2.23 or newer.
* An x86_64/ARM64 macOS installer package is compatible with Intel and Apple M1 systems.
* x64 and win32 Windows packages are compatible with Windows 7 and newer.
In the future, we hope to supplement these with ARM64 Linux DEB and RPM packages and an x86_64 FreeBSD package.
Please note that you may find installations in this release require more manual configuration than when using a preconfigured package provided by a Linux or Unix distribution. See our installation instructions on clamav.net https://docs.clamav.net/manual/Installing.html for more information.
ClamAV 0.104.0 includes the following improvements and changes.
New Requirements
As of ClamAV 0.104, CMake is required to build ClamAV.
We have added comprehensive build instructions for using CMake to the new INSTALL.md file. The online documentation will also be updated to include CMake build instructions.
The Autotools and the Visual Studio build systems have been removed.
Major changes
The built-in LLVM for the bytecode runtime has been removed.
The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103.
We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2. See the "bytecode runtime" section in INSTALL.md to learn more.
There are now official ClamAV images on Docker Hub https://hub.docker.com/r/clamav/clamav.
Docker Hub ClamAV tags:
clamav/clamav:<version>: A release preloaded with signature databases.
Using this container will save the ClamAV project some bandwidth. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container. Updating with FreshClam from the existing databases set does not use much data.
clamav/clamav:<version>_base: A release with no signature databases.
Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker.
Caution: Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container.
You can use the unstable version (i.e. clamav/clamav:unstable or clamav/clamav:unstable_base) to try the latest from our development branch.
Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.
For more details, see the ClamAV Docker documentation https://docs.clamav.net/manual/Installing/Docker.html.
Special thanks to Olliver Schinagl for his excellent work creating ClamAV's new Docker files, image database deployment tooling, and user documentation.
clamd and freshclam are now available as Windows services. To install and run them, use the --install-service option and net start [name] command.
Special thanks to Gianluigi Tiesi for his original work on this feature.
Notable changes
The following was added in 0.103.1 and is repeated here for awareness, as patch versions do not generally introduce new options:
Added a new scan option to alert on broken media (graphics) file formats. This feature mitigates the risk of malformed media files intended to exploit vulnerabilities in other software. At present, media validation exists for JPEG, TIFF, PNG and GIF files. To enable this feature, set AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option when using clamscan. These options are disabled by default in this patch release but may be enabled in a subsequent release. Application developers may enable this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.
Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior. BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG 2000 format checking capabilities.
Added progress callbacks to libclamav for:
* database load: cl_engine_set_clcb_sigload_progress()
* engine compile: cl_engine_set_clcb_engine_compile_progress()
* engine free: cl_engine_set_clcb_engine_free_progress()
These new callbacks enable an application to monitor and estimate load, compile, and unload progress. See clamav.h for API details.
Added progress bars to ClamScan for the signature load and engine compile steps before a scan begins. The start-up progress bars won't be enabled if ClamScan isn't running in a terminal (i.e. stdout is not a TTY), or if any of these options are used:
* --debug
* --quiet
* --infected
* --no-summary
Other improvements
Added the %f format string option to the ClamD VirusEvent feature to insert the file path of the scan target when a virus-event occurs. This supplements the VirusEvent %v option which prints the signature (virus) name. The ClamD VirusEvent feature also provides two environment variables, $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME for a similar effect. Patch courtesy of Vasile Papp.
Improvements to the AutoIt extraction module. Patch courtesy of cw2k.
Added support for extracting images from Excel *.xls (OLE2) documents.
Trusted SHA256-based Authenticode hashes can now be loaded in from *.cat files. For more information, visit our Authenticode documentation https://docs.clamav.net/appendix/Authenticode.html about using *.cat files with *.crb rules to trust signed Windows executables.
Bug fixes
Fixed a memory leak affecting logical signatures that use the "byte compare" feature. Patch courtesy of Andrea De Pasquale.
Fixed bytecode match evaluation for PDF bytecode hooks in PDF file scans.
Other minor bug fixes.
Acknowledgments
The ClamAV team thanks the following individuals for their code submissions:
* Alexander Golovach
* Andrea De Pasquale
* Andrew Williams
* Arjen de Korte
* Armin Kuster
* Brian Bergstrand
* cw2k
* Duane Waddle
* Gianluigi Tiesi
* Jonas Zaddach
* Kenneth Hau
* Mark Fortescue
* Markus Strehle
* Olliver Schinagl
* Orion Poplawski
* Sergey Valentey
* Sven Rueß
* Tom Briden
* Tuomo Soini
* Vasile Papp
* Yasuhiro Kimura
clamav-announce mailing list clamav-announce@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-announce
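A VirusEvent handler built on the two environment variables named in the announcement, as an added example that is not part of the original thread or of ClamAV's own code: it reads the file path and signature name from $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME instead of splicing %f into a shell command line, because the name of a scanned file is attacker-influenced. The script path, quarantine directory and log file are assumptions.

```shell
#!/bin/sh
# Added example: clamd VirusEvent handler. Assumed clamd.conf line
# (the script path is hypothetical):
#   VirusEvent /usr/local/sbin/clam-virusevent.sh
# clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME, so
# the untrusted file name never becomes part of a shell command line.

# Assumed locations; both must be writable by the user clamd runs as.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/clamav-quarantine}"
LOG_FILE="${LOG_FILE:-/var/log/clamav-virusevent.log}"

# Replace every non-printable byte (newlines included) with '?', so a
# crafted file name cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# One key=value record per detection, built only from sanitized fields.
format_event() {
    printf 'virus=%s file=%s' "$(sanitize "$1")" "$(sanitize "$2")"
}

# Move a detected file into the quarantine directory under its SHA-256,
# so the stored name carries nothing from the original file name.
# Prints the destination path; returns non-zero if nothing was moved.
quarantine() {
    src=$1
    # Regular files only; refuse symlinks.
    [ -n "$src" ] && [ -f "$src" ] && [ ! -L "$src" ] || return 1
    # Hash via stdin: sha256sum never sees (or escapes) the file name.
    digest=$(sha256sum < "$src" | cut -d' ' -f1)
    [ "${#digest}" -eq 64 ] || return 1
    mkdir -p -- "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR" || return 1
    mv -- "$src" "$QUARANTINE_DIR/$digest" || return 1
    chmod 000 "$QUARANTINE_DIR/$digest"
    printf '%s' "$QUARANTINE_DIR/$digest"
}

# Quarantine the detected file and append one sanitized log record.
handle_event() {
    virus=${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}
    file=${CLAM_VIRUSEVENT_FILENAME:-}
    if dest=$(quarantine "$file"); then
        action="quarantined=$dest"
    else
        action="quarantine=failed"
    fi
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(format_event "$virus" "$file")" "$action" >> "$LOG_FILE"
}

# Run only when started by clamd (the variable is set); sourcing the file
# for testing just defines the functions.
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    handle_event
fi
```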
Hello Michael, Hello Matthias, Hello list,
> Hello everyone,
> I just received this announcement that clamav 0.104.0 has been released.
> The interesting things for us are the changes in the build system:
> * It now requires cmake which isn’t a problem
> * It now requires LLVM which we don’t have
> LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
I hope this will do the trick with the new clamav version.
Best regards,
-Stefan
> This will be an interesting project :)
> -Michael
Hello,
On 3 Sep 2021, at 17:36, Stefan Schantl stefan.schantl@ipfire.org wrote:
> Hello Michael, Hello Matthias, Hello list,
>> Hello everyone,
>> I just received this announcement that clamav 0.104.0 has been released.
>> The interesting things for us are the changes in the build system:
>> * It now requires cmake which isn’t a problem
>> * It now requires LLVM which we don’t have
>> LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
> I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
Thank you. Just for reference, could you please post this as an --rfc to the list?
> I hope this will do the trick with the new clamav version.
I hope so, too, but we might need to ship some runtime libraries. I just don’t know which ones they might be. Ideally I want to ship as little as possible.
-Michael
> Best regards,
> -Stefan
>> This will be an interesting project :)
>> -Michael
Hi,
On 03.09.2021 18:36, Stefan Schantl wrote:
> Hello Michael, Hello Matthias, Hello list,
>> Hello everyone,
>> I just received this announcement that clamav 0.104.0 has been released.
>> The interesting things for us are the changes in the build system:
>> * It now requires cmake which isn’t a problem
>> * It now requires LLVM which we don’t have
>> LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
> I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
> I hope this will do the trick with the new clamav version.
Thanks Stefan,
I'll take a look...
Best, Matthias
> Best regards,
> -Stefan
>> This will be an interesting project :)
>> -Michael
Begin forwarded message:
From: "Joel Esler (jesler)" jesler@cisco.com Subject: [Clamav-announce] ClamAV® blog: ClamAV 0.104.0 released Date: 3 September 2021 at 16:51:29 BST To: "ClamAV-announce@lists.clamav.net" < ClamAV-announce@lists.clamav.net>, "clamav-users@lists.clamav.net" clamav-users@lists.clamav.net Reply-To: noreply@clamav.net
https://blog.clamav.net/2021/09/clamav-01040-released.html
ClamAV 0.104.0 releasedClamAV 0.104.0 is available as an official release as of today. We are also announcing a new Long Term Support (LTS) program today in an update to our End-of-Life (EOL) policy. The LTS will start retroactively with ClamAV 0.103, the previous feature release. This new LTS policy extends the life of 0.103 up through September 2023 and will facilitate the production of more frequent feature releases while enabling users to rely on a supported version for years to come if they cannot keep pace with the feature release cadence. For full details about the Long Term Support program, you can see the LTS announcement blog post and review the LTS policy in our online documentation. We're also introducing new install packages to make it easier for folks to upgrade without having to build ClamAV from source and without having to wait for a community volunteer to package the latest release. You can find the new install packages on the ClamAV.net Downloads Page. Today you can find: * x86_64 and i686 RPM packages compatible with RPM-based Linux distributions running glibc version 2.17 or newer. * x86_64 and i686 DEB packages compatible with Debian-based Linux distributions running glibc version 2.23 or newer. * An x86_64/ARM64 macOS installer package is compatible with Intel and Apple M1 systems. * x64 and win32 Windows packages are compatible with Windows 7 and newer. In the future, we hope to supplement these with ARM64 Linux DEB and RPM packages and an x86_64 FreeBSD package. Please note that you may find installations in this release require more manual configuration than when using a preconfigured package provided by a Linux or Unix distribution. See our installation instructions on clamav.net for more information. ClamAV 0.104.0 includes the following improvements and changes.
New Requirements * As of ClamAV 0.104, CMake is required to build ClamAV.We have added comprehensive build instructions for using CMake to the new INSTALL.md file. The online documentation will also be updated to include CMake build instructions.The Autotools and the Visual Studio build systems have been removed.
Major changes
* The built-in LLVM for the bytecode runtime has been removed. The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103. We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2. See the "bytecode runtime" section in INSTALL.md to learn more.
* There are now official ClamAV images on Docker Hub. Docker Hub ClamAV tags:
  - clamav/clamav:<version>: A release preloaded with signature databases. Using this container will save the ClamAV project some bandwidth. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container. Updating with FreshClam from the existing databases set does not use much data.
  - clamav/clamav:<version>_base: A release with no signature databases. Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker. Caution: Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container.
  You can use the unstable version (i.e. clamav/clamav:unstable or clamav/clamav:unstable_base) to try the latest from our development branch.
  Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.
  For more details, see the ClamAV Docker documentation.
  Special thanks to Olliver Schinagl for his excellent work creating ClamAV's new Docker files, image database deployment tooling, and user documentation.
* clamd and freshclam are now available as Windows services. To install and run them, use the --install-service option and net start [name] command. Special thanks to Gianluigi Tiesi for his original work on this feature.
Notable changes
The following was added in 0.103.1 and is repeated here for awareness, as patch versions do not generally introduce new options:
* Added a new scan option to alert on broken media (graphics) file formats. This feature mitigates the risk of malformed media files intended to exploit vulnerabilities in other software. At present, media validation exists for JPEG, TIFF, PNG and GIF files. To enable this feature, set AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option when using clamscan. These options are disabled by default in this patch release but may be enabled in a subsequent release. Application developers may enable this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.
* Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior. BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG 2000 format checking capabilities.
* Added progress callbacks to libclamav for:
  - database load: cl_engine_set_clcb_sigload_progress()
  - engine compile: cl_engine_set_clcb_engine_compile_progress()
  - engine free: cl_engine_set_clcb_engine_free_progress()
  These new callbacks enable an application to monitor and estimate load, compile, and unload progress. See clamav.h for API details.
* Added progress bars to ClamScan for the signature load and engine compile steps before a scan begins. The start-up progress bars won't be enabled if ClamScan isn't running in a terminal (i.e. stdout is not a TTY), or if any of these options are used:
  - --debug
  - --quiet
  - --infected
  - --no-summary
Other improvements
* Added the %f format string option to the ClamD VirusEvent feature to insert the file path of the scan target when a virus-event occurs. This supplements the VirusEvent %v option which prints the signature (virus) name. The ClamD VirusEvent feature also provides two environment variables, $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME for a similar effect. Patch courtesy of Vasile Papp.
* Improvements to the AutoIt extraction module. Patch courtesy of cw2k.
* Added support for extracting images from Excel *.xls (OLE2) documents.
* Trusted SHA256-based Authenticode hashes can now be loaded in from *.cat files. For more information, visit our Authenticode documentation about using *.cat files with *.crb rules to trust signed Windows executables.
Bug fixes
* Fixed a memory leak affecting logical signatures that use the "byte compare" feature. Patch courtesy of Andrea De Pasquale.
* Fixed bytecode match evaluation for PDF bytecode hooks in PDF file scans.
* Other minor bug fixes.
Acknowledgments
The ClamAV team thanks the following individuals for their code submissions:
* Alexander Golovach
* Andrea De Pasquale
* Andrew Williams
* Arjen de Korte
* Armin Kuster
* Brian Bergstrand
* cw2k
* Duane Waddle
* Gianluigi Tiesi
* Jonas Zaddach
* Kenneth Hau
* Mark Fortescue
* Markus Strehle
* Olliver Schinagl
* Orion Poplawski
* Sergey Valentey
* Sven Rueß
* Tom Briden
* Tuomo Soini
* Vasile Papp
* Yasuhiro Kimura
clamav-announce mailing list clamav-announce@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-announce
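
The VirusEvent items in the announcement above (the %f option and the $CLAM_VIRUSEVENT_FILENAME / $CLAM_VIRUSEVENT_VIRUSNAME variables), as an added example that is not part of the announcement or of this thread: a handler that takes both values from the environment and treats the scanned file's path as untrusted data, since a path can contain shell metacharacters or newlines. The script path in the clamd.conf comment, the function names and the log format are assumptions.

```shell
#!/bin/sh
# Added example: VirusEvent handler for clamd (not code from the ClamAV project).
#
# clamd.conf (the script path is a hypothetical placeholder):
#   VirusEvent /usr/local/sbin/clamd-virus-event.sh
#
# No %f or %v appears on the VirusEvent line. clamd exports the same values as
# CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME, so the path of the
# scan target is never spliced into a command string that a shell will parse.

# Reduce a value to a conservative allow-list and cap its length, so that it
# cannot break out of a quoted log field or forge extra log lines.
sanitize_field() {
    printf '%s' "$1" \
        | LC_ALL=C tr -c 'A-Za-z0-9._/@:+=, -' '?' \
        | LC_ALL=C cut -c1-256
}

# Build one log line from (file path, signature name).
# Both arguments are handled as data only: quoted, never eval'd.
format_virus_event() {
    fve_file=$(sanitize_field "${1:-unknown}")
    fve_sig=$(sanitize_field "${2:-unknown}")
    printf 'signature="%s" file="%s"\n' "$fve_sig" "$fve_file"
}

# Runs only when clamd has set the environment for a detection.
if [ -n "${CLAM_VIRUSEVENT_VIRUSNAME:-}" ]; then
    logger -t clamd-virus-event -p daemon.warning \
        "$(format_virus_event "${CLAM_VIRUSEVENT_FILENAME:-}" "$CLAM_VIRUSEVENT_VIRUSNAME")"
fi
```

Any follow-up action on the file (moving it to quarantine, for instance) should use the original "$CLAM_VIRUSEVENT_FILENAME" as a quoted argument after `--`, not the sanitized log form.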
Hi all,
On 03.09.2021 18:36, Stefan Schantl wrote:
Hello Michael, Hello Matthias, Hello list,
Hello everyone,
I just received this announcement that clamav 0.104.0 has been released.
The interesting things for us are the changes in the build system:
- It now requires cmake which isn’t a problem
Yep. Done. I already did a few early tests with 'clamav 0.104-rc'. I'm still not 100% sure about the needed options, but it builds (see attached lfs-file).
- It now requires LLVM which we don’t have
LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
I hope this will do the trick with the new clamav version.
I'm not sure at this point.
I think we need to add something like "-D BYTECODE_RUNTIME="llvm" " for building 'clamav'.
Stefan provided the current 'llvm 12.0.1'. Thanks again!
But the clamav announcement - please read below - says: "We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
First build - *without* BYTECODE_RUNTIME="llvm" - seems to build ok, next I'll test building *with* this option. I'm just a bit puzzled if I should use 12.0.1 or 3.6.2. The latter is a bit old(!?). Or do I miss something?
And since the 'llvm' rootfile is quite large: does anyone have an idea what llvm-parts (/usr/bin/...? /usr/lib/...?) are needed (see attachment).
Best, Matthias
Best regards,
-Stefan
This will be an interesting project :)
I think so... ;-)
-Michael
Hello,
On 4 Sep 2021, at 04:58, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi all,
On 03.09.2021 18:36, Stefan Schantl wrote:
Hello Michael, Hello Matthias, Hello list,
Hello everyone,
I just received this announcement that clamav 0.104.0 has been released.
The interesting things for us are the changes in the build system:
- It now requires cmake which isn’t a problem
Yep. Done. I already did a few early tests with 'clamav 0.104-rc'. I'm still not 100% sure about the needed options, but it builds (see attached lfs-file).
- It now requires LLVM which we don’t have
LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
I hope this will do the trick with the new clamav version.
I'm not sure at this point.
I think we need to add something like "-D BYTECODE_RUNTIME="llvm" " for building 'clamav'.
Stefan provided the current 'llvm 12.0.1'. Thanks again!
But the clamav announcement - please read below - says: "We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
This is outrageous. ClamAV is owned by Cisco, a multi-billion dollar company that cannot afford to do things right. I hope they have a different strategy for their other products.
LLVM 3.6.2 was released in 2015 (https://releases.llvm.org). This is a 6 year old release that is no longer maintained and I suppose many bugs and security issues have been fixed in the meantime.
First build - *without* BYTECODE_RUNTIME="llvm" - seems to build ok, next I'll test building *with* this option. I'm just a bit puzzled if I should use 12.0.1 or 3.6.2. The latter is a bit old(!?). Or do I miss something?
If it won’t build with recent releases we are facing the question whether we want to ship old and outdated software that nobody cares for any more and disable the functionality altogether. What is better? Not scanning certain signatures, or exposing the firewall to being exploited through its virus scanner?
I vote for disabling the bytecode runtime.
And since the 'llvm' rootfile is quite large: does anyone have an idea what llvm-parts (/usr/bin/...? /usr/lib/...?) are needed (see attachment).
Probably some libraries which we could have seen by checking what clamav is linked against (with lld). But that is a kind of moot question now :)
Thank you for investigating this.
-Michael
Best, Matthias
Best regards,
-Stefan
This will be an interesting project :)
I think so... ;-)
-Michael
Hi,
On 04.09.2021 13:38, Michael Tremer wrote:
Hello,
On 4 Sep 2021, at 04:58, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi all,
On 03.09.2021 18:36, Stefan Schantl wrote:
Hello Michael, Hello Matthias, Hello list,
Hello everyone,
I just received this announcement that clamav 0.104.0 has been released.
The interesting things for us are the changes in the build system:
- It now requires cmake which isn’t a problem
Yep. Done. I already did a few early tests with 'clamav 0.104-rc'. I'm still not 100% sure about the needed options, but it builds (see attached lfs-file).
- It now requires LLVM which we don’t have
LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
I hope this will do the trick with the new clamav version.
I'm not sure at this point.
I think we need to add something like "-D BYTECODE_RUNTIME="llvm" " for building 'clamav'.
Stefan provided the current 'llvm 12.0.1'. Thanks again!
But the clamav announcement - please read below - says: "We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
Done. Building with 'llvm 3.6.2' and 'cfe[!]-3.6.2' crashed.
I had to remove some 'llvm' options in lfs (AMDGPU and BPF), and downloaded 'cfe 3.6.2' to test the whole '3.6.2' bundle. But nevertheless, 'llvm 3.6.2' build did stop with a 'ninja' error. I didn't investigate this further, it already took some time...
This is outrageous. ClamAV is owned by Cisco, a multi-billion dollar company that cannot afford to do things right. I hope they have a different strategy for their other products.
ACK.
LLVM 3.6.2 was released in 2015 (https://releases.llvm.org). This is a 6 year old release that is no longer maintained and I suppose many bugs and security issues have been fixed in the meantime.
ACK.
First build - *without* BYTECODE_RUNTIME="llvm" - seems to build ok, next I'll test building *with* this option. I'm just a bit puzzled if I should use 12.0.1 or 3.6.2. The latter is a bit old(!?). Or do I miss something?
If it won’t build with recent releases we are facing the question whether we want to ship old and outdated software that nobody cares for any more and disable the functionality altogether. What is better? Not scanning certain signatures, or exposing the firewall to being exploited through its virus scanner?
I vote for disabling the bytecode runtime.
+1
Devel is running.
I'll test with "-D BYTECODE_RUNTIME="none" " - *without* 'llvm' and 'clang' as I did in my first builds. Would this be sufficient?
Addendum: In the meantime I tested with "-D BYTECODE_RUNTIME="interpreter" " - this is building, too. But I have not yet tested these builds productively with a clean build respectively. And I'm not sure which one to prefer!?
Best, Matthias
And since the 'llvm' rootfile is quite large: does anyone have an idea what llvm-parts (/usr/bin/...? /usr/lib/...?) are needed (see attachment).
Probably some libraries which we could have seen by checking what clamav is linked against (with lld). But that is a kind of moot question now :)
Thank you for investigating this.
-Michael
Best, Matthias
Best regards,
-Stefan
This will be an interesting project :)
I think so... ;-)
-Michael
Begin forwarded message:
From: "Joel Esler (jesler)" jesler@cisco.com Subject: [Clamav-announce] ClamAV® blog: ClamAV 0.104.0 released Date: 3 September 2021 at 16:51:29 BST To: "ClamAV-announce@lists.clamav.net" < ClamAV-announce@lists.clamav.net>, "clamav-users@lists.clamav.net" clamav-users@lists.clamav.net Reply-To: noreply@clamav.net
https://blog.clamav.net/2021/09/clamav-01040-released.html
ClamAV 0.104.0 releasedClamAV 0.104.0 is available as an official release as of today. We are also announcing a new Long Term Support (LTS) program today in an update to our End-of-Life (EOL) policy. The LTS will start retroactively with ClamAV 0.103, the previous feature release. This new LTS policy extends the life of 0.103 up through September 2023 and will facilitate the production of more frequent feature releases while enabling users to rely on a supported version for years to come if they cannot keep pace with the feature release cadence. For full details about the Long Term Support program, you can see the LTS announcement blog post and review the LTS policy in our online documentation. We're also introducing new install packages to make it easier for folks to upgrade without having to build ClamAV from source and without having to wait for a community volunteer to package the latest release. You can find the new install packages on the ClamAV.net Downloads Page. Today you can find:
- x86_64 and i686 RPM packages compatible with RPM-based Linux
distributions running glibc version 2.17 or newer.
- x86_64 and i686 DEB packages compatible with Debian-based
Linux distributions running glibc version 2.23 or newer.
- An x86_64/ARM64 macOS installer package is compatible with
Intel and Apple M1 systems.
- x64 and win32 Windows packages are compatible with Windows 7
and newer. In the future, we hope to supplement these with ARM64 Linux DEB and RPM packages and an x86_64 FreeBSD package. Please note that you may find installations in this release require more manual configuration than when using a preconfigured package provided by a Linux or Unix distribution. See our installation instructions on clamav.net for more information. ClamAV 0.104.0 includes the following improvements and changes.
New Requirements
- As of ClamAV 0.104, CMake is required to build ClamAV. We have added comprehensive build instructions for using CMake to the new INSTALL.md file. The online documentation will also be updated to include CMake build instructions. The Autotools and the Visual Studio build systems have been removed.
Major changes
- The built-in LLVM for the bytecode runtime has been removed. The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103. We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2. See the "bytecode runtime" section in INSTALL.md to learn more.
- There are now official ClamAV images on Docker Hub. Docker Hub ClamAV tags:
  - clamav/clamav:<version>: A release preloaded with signature databases. Using this container will save the ClamAV project some bandwidth. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container. Updating with FreshClam from the existing databases set does not use much data.
  - clamav/clamav:<version>_base: A release with no signature databases. Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature database databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker. Caution: Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container.
  You can use the unstable version (i.e. clamav/clamav:unstable or clamav/clamav:unstable_base) to try the latest from our development branch.
  Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.
  For more details, see the ClamAV Docker documentation.
  Special thanks to Olliver Schinagl for his excellent work creating ClamAV's new Docker files, image database deployment tooling, and user documentation.
- clamd and freshclam are now available as Windows services. To install and run them, use the --install-service option and net start [name] command. Special thanks to Gianluigi Tiesi for his original work on this feature.
Notable changes
The following was added in 0.103.1 and is repeated here for awareness, as patch versions do not generally introduce new options:
- Added a new scan option to alert on broken media (graphics) file formats. This feature mitigates the risk of malformed media files intended to exploit vulnerabilities in other software. At present, media validation exists for JPEG, TIFF, PNG and GIF files. To enable this feature, set AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option when using clamscan. These options are disabled by default in this patch release but may be enabled in a subsequent release. Application developers may enable this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.
- Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior. BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG 2000 format checking capabilities.
- Added progress callbacks to libclamav for:
  - database load: cl_engine_set_clcb_sigload_progress()
  - engine compile: cl_engine_set_clcb_engine_compile_progress()
  - engine free: cl_engine_set_clcb_engine_free_progress()
  These new callbacks enable an application to monitor and estimate load, compile, and unload progress. See clamav.h for API details.
- Added progress bars to ClamScan for the signature load and engine compile steps before a scan begins. The start-up progress bars won't be enabled if ClamScan isn't running in a terminal (i.e. stdout is not a TTY), or if any of these options are used:
  - --debug
  - --quiet
  - --infected
  - --no-summary
Other improvements
- Added the %f format string option to the ClamD VirusEvent feature to insert the file path of the scan target when a virus-event occurs. This supplements the VirusEvent %v option which prints the signature (virus) name. The ClamD VirusEvent feature also provides two environment variables, $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME for a similar effect. Patch courtesy of Vasile Papp.
- Improvements to the AutoIt extraction module. Patch courtesy of cw2k.
- Added support for extracting images from Excel *.xls (OLE2) documents.
- Trusted SHA256-based Authenticode hashes can now be loaded in from *.cat files. For more information, visit our Authenticode documentation about using *.cat files with *.crb rules to trust signed Windows executables.
Bug fixes
- Fixed a memory leak affecting logical signatures that use the "byte compare" feature. Patch courtesy of Andrea De Pasquale.
- Fixed bytecode match evaluation for PDF bytecode hooks in PDF file scans.
- Other minor bug fixes.
Acknowledgments
The ClamAV team thanks the following individuals for their code submissions:
- Alexander Golovach
- Andrea De Pasquale
- Andrew Williams
- Arjen de Korte
- Armin Kuster
- Brian Bergstrand
- cw2k
- Duane Waddle
- Gianluigi Tiesi
- Jonas Zaddach
- Kenneth Hau
- Mark Fortescue
- Markus Strehle
- Olliver Schinagl
- Orion Poplawski
- Sergey Valentey
- Sven Rueß
- Tom Briden
- Tuomo Soini
- Vasile Papp
- Yasuhiro Kimura
clamav-announce mailing list clamav-announce@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-announce
<llvm-12.0.1><lfs_clamav.txt>
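An added example, not part of the announcement or of ClamAV's own code: a VirusEvent handler that takes the detection from the two environment variables named in the release notes and treats the scanned file's path as untrusted data, neutralizing control characters and quotes before it reaches the log. The script path, the log format and the length caps are assumptions.

```shell
#!/bin/sh
# Added example, not ClamAV project code.
# Assumed clamd.conf entry (the script path is hypothetical):
#   VirusEvent /usr/local/sbin/clamd-virus-event.sh
# The handler reads $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME
# from the environment, so the path of the scanned file is handled as data
# and is never spliced into a command line.

# Make a value safe for a single key="value" log line:
#  - every byte outside printable ASCII (newlines, escape sequences,
#    UTF-8 bytes) becomes '?'
#  - '"' and '\' become '?' so a file name cannot close the quoted field
#  - the result is capped at $2 bytes (default 256)
sanitize_field() {
    printf '%s' "$1" \
        | LC_ALL=C tr -c '[:print:]' '[?*]' \
        | LC_ALL=C tr '"\\' '??' \
        | LC_ALL=C cut -c1-"${2:-256}"
}

# Build the log line from the environment clamd provides.
# Returns 1 (and prints nothing) if either variable is missing or empty.
format_virus_event() {
    ve_file=$(sanitize_field "${CLAM_VIRUSEVENT_FILENAME:-}" 512)
    ve_sig=$(sanitize_field "${CLAM_VIRUSEVENT_VIRUSNAME:-}" 128)
    [ -n "$ve_file" ] && [ -n "$ve_sig" ] || return 1
    printf 'signature="%s" file="%s"\n' "$ve_sig" "$ve_file"
}

# Only act when started with a detection in the environment.
if [ -n "${CLAM_VIRUSEVENT_VIRUSNAME:-}" ]; then
    ve_line=$(format_virus_event) \
        && logger -t clamd-virusevent -p daemon.warning -- "$ve_line"
fi
```

A file name containing a newline or a double quote then shows up in syslog as one line with `?` in those positions, instead of forging a second entry or an extra field.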
Hi,
I finally got a "testversion" of 'clamav 0.104.0' up and running in productive environment (Core 159 / 64bit). Testing. It's filtering, no problems during startup.
But: NO 'llvm' - I built this version with "-D BYTECODE_RUNTIME="interpreter" ".
I did this because if I read the clamav blog right, it would make no (big) difference compared to 0.103.3:
"The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103. We wished to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
The current 'llvm 12.0.1' isn't supported, 'llvm 3.6.2' kept crashing my build, so I thought: what the heck!?
I'll test and report. If anyone wants to test this too, I'll send a patch.
Best, Matthias
On 04.09.2021 13:38, Michael Tremer wrote:
Hello,
On 4 Sep 2021, at 04:58, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi all,
On 03.09.2021 18:36, Stefan Schantl wrote:
Hello Michael, Hello Matthias, Hello list,
Hello everyone,
I just received this announcement that clamav 0.104.0 has been released.
The interesting things for us are the changes in the build system:
- It now requires cmake which isn’t a problem
Yep. Done. I already did a few early tests with 'clamav 0.104-rc'. I'm still not 100% sure about the needed options, but it builds (see attached lfs-file).
- It now requires LLVM which we don’t have
LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
I hope this will do the trick with the new clamav version.
I'm not sure at this point.
I think we need to add something like "-D BYTECODE_RUNTIME="llvm" " for building 'clamav'.
Stefan provided the current 'llvm 12.0.1'. Thanks again!
But the clamav announcement - please read below - says: "We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
This is outrageous. ClamAV is owned by Cisco, a multi-billion dollar company that cannot afford to do things right. I hope they have a different strategy for their other products.
LLVM 3.6.2 was released in 2015 (https://releases.llvm.org). This is a 6 year old release that is no longer maintained and I suppose many bugs and security issues have been fixed in the meantime.
First build - *without* BYTECODE_RUNTIME="llvm" - seems to build ok, next I'll test building *with* this option. I'm just a bit puzzled if I should use 12.0.1 or 3.6.2. The latter is a bit old(!?). Or do I miss something?
If it won’t build with recent releases we are facing the question whether we want to ship old and outdated software that nobody cares for any more and disable the functionality altogether. What is better? Not scanning certain signatures, or exposing the firewall to being exploited through its virus scanner?
I vote for disabling the bytecode runtime.
And since the 'llvm' rootfile is quite large: does anyone have an idea what llvm-parts (/usr/bin/...? /usr/lib/...?) are needed (see attachment).
Probably some libraries which we could have seen by checking what clamav is linked against (with lld). But that is a kind of moot question now :)
Thank you for investigating this.
-Michael
Best, Matthias
Best regards,
-Stefan
This will be an interesting project :)
I think so... ;-)
-Michael
Hi,
thinking about it, consider sticking with 0.103.3 LTS(!):
=> https://docs.clamav.net/faq/faq-eol.html
"Expected end of life" will be September 2023, "DB downloads allowed until" Sep 2023, "Patch versions continue until" Sep 2023.
Besides, '0.104.0' - built with "interpreter" - is running like '0.103.3'. No seen differences in functionality and speed.
Changelog for 0.104.0: => https://blog.clamav.net/2021/09/clamav-01040-released.html#more
Jm2C
Best, Matthias
On 04.09.2021 18:47, Matthias Fischer wrote:
Hi,
I finally got a "testversion" of 'clamav 0.104.0' up and running in productive environment (Core 159 / 64bit). Testing. It's filtering, no problems during startup.
But: NO 'llvm' - I built this version with "-D BYTECODE_RUNTIME="interpreter" ".
I did this because if I read the clamav blog right, it would make no (big) difference compared to 0.103.3:
"The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103. We wished to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
The current 'llvm 12.0.1' isn't supported, 'llvm 3.6.2' kept crashing my build, so I thought: what the heck!?
I'll test and report. If anyone wants to test this too, I'll send a patch.
Best, Matthias
Hello,
Yes, it is an LTS version, but where is the general benefit?
* The LLVM issue is the same (the old version is bundled with clamav 0.103.x if I recall correctly).
* We will miss out on new features.
* Updating clamav is generally not very painful (like the kernel is for example), so whether we update to 0.104.n+1 or 0.103.n+1 is kind of the same.
I wasn’t aware that there is a different version of the bytecode engine that does not need LLVM. Since we do not care *that* much about performance in ClamAV, I think we should be fine with this. First of all I want to make sure that we are scanning for all the signatures.
If 0.104.0 is running fine in “interpreter” mode, I would suggest to submit a patch.
-Michael
On 5 Sep 2021, at 10:29, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
thinking about it, consider sticking with 0.103.3 LTS(!):
=> https://docs.clamav.net/faq/faq-eol.html
"Expected end of life" will be September 2023, "DB downloads allowed until" Sep 2023, "Patch versions continue until" Sep 2023.
Besides, '0.104.0' - built with "interpreter" - is running like '0.103.3'. No seen differences in functionality and speed.
Changelog for 0.104.0: => https://blog.clamav.net/2021/09/clamav-01040-released.html#more
Jm2C
Best, Matthias
On 04.09.2021 18:47, Matthias Fischer wrote:
Hi,
I finally got a "testversion" of 'clamav 0.104.0' up and running in productive environment (Core 159 / 64bit). Testing. Its filtering, no problems during startup.
But: NO 'llvm' - I built this version with "-D BYTECODE_RUNTIME="interpreter" ".
I did this because if I read the clamav blog right, it would make no (big) difference compared to 0.103.3:
"The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103. We wished to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
The current 'llvm 12.0.1' isn't supported, 'llvm 3.6.2' kept crashing my build, so I thought: what the heck!?
I'll test and report. If anyone wants to test this too, I'll send a patch.
Best, Matthias
On 04.09.2021 13:38, Michael Tremer wrote:
Hello,
On 4 Sep 2021, at 04:58, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi all,
On 03.09.2021 18:36, Stefan Schantl wrote:
Hello Michael, Hello Matthias, Hello list,
Hello everyone,
I just received this announcement that clamav 0.104.0 has been released.
The interesting things for us are the changes in the build system:
- It now requires cmake which isn’t a problem
Yep. Done. I already did a few - early tests with 'clamav 0.104-rc. I'm still not 100% sure about the needed options, but it builds (see attached lfs-file).
- It now requires LLVM which we don’t have
LLVM is probably going to be large, but Stefan has already played around with it and we might be able to merge his patches. So, Stefan, could you please post them? I suppose Matthias is the de-facto maintainer of clamav. You will need to merge these patches locally to see if clamav is happy with what Stefan has built.
I've created and pushed a new LLVM git branch in my personal git repository, which builds the LLVM compiler suite.
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
I hope this will do the trick with the new clamav version.
I'm not sure at this point.
I think we need to add something like "-D BYTECODE_RUNTIME="llvm" " for building 'clamav'.
Stefan provided the current 'llvm 12.0.1'. Thanks again!
But the clamav announcement - please read below - says: "We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2."
This is outrageous. ClamAV is owned by Cisco, a multi-billion dollar company that cannot afford to do things right. I hope they have a different strategy for their other products.
LLVM 3.6.2 was released in 2015 (https://releases.llvm.org). This is a 6 year old release that is no longer maintained and I suppose many bugs and security issues have been fixed in the meantime.
First build - *without* BYTECODE_RUNTIME="llvm" - seems to build ok, next I'll test building *with* this option. I'm just a bit puzzled if I should use 12.0.1 or 3.6.2. The latter is a bit old(!?). Or am I missing something?
If it won’t build with recent releases we are facing the question whether we want to ship old and outdated software that nobody cares for any more and disable the functionality altogether. What is better? Not scanning certain signatures, or exposing the firewall to being exploited through its virus scanner?
I vote for disabling the bytecode runtime.
And since the 'llvm' rootfile is quite large: does anyone have an idea what llvm-parts (/usr/bin/...? /usr/lib/...?) are needed (see attachment).
Probably some libraries which we could have seen by checking what clamav is linked against (with lld). But that is a kind of moot question now :)
Thank you for investigating this.
-Michael
Best, Matthias
Best regards,
-Stefan
This will be an interesting project :)
I think so... ;-)
-Michael
<llvm-12.0.1><lfs_clamav.txt>
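The idea raised in the thread, deciding which parts of the large llvm rootfile must ship by looking at what a binary is linked against, as an added example that is not from the thread or the IPFire tree. It works on `ldd` output; the sample output, the rootfile excerpt, the function names and the "leading `#` excludes an entry" convention are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed ldd output for a hypothetical binary linked against libLLVM.
sample_ldd() {
cat <<'EOF'
	linux-vdso.so.1 (0x00007ffd3a5f2000)
	libclamav.so.9 => /usr/lib/libclamav.so.9 (0x00007f1c2a400000)
	libLLVM-12.so => /usr/lib/libLLVM-12.so (0x00007f1c24000000)
	libmissing.so.1 => not found
	libc.so.6 => /lib/libc.so.6 (0x00007f1c23e00000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a9d0000)
EOF
}

# Constructed excerpt of an llvm rootfile (paths relative to /).
sample_rootfile() {
cat <<'EOF'
usr/bin/clang
usr/bin/llvm-ar
usr/bin/opt
usr/include/llvm/IR/Module.h
usr/lib/libLLVM-12.so
usr/lib/libLTO.so
usr/lib/libclang.so.12
#usr/share/man/man1/clang.1
EOF
}

# ldd output on stdin -> resolved library paths, leading "/" stripped so they
# compare directly with rootfile entries. "not found" lines are skipped.
linked_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { sub(/^\//, "", $3); print $3 }' | sort -u
}

# Rootfile on stdin -> same file with every entry not listed in file $1
# commented out. Assumption: a leading "#" keeps an entry out of the package.
# Text matching only: on a real tree, also keep the targets of symlinks.
prune_rootfile() {
    awk -v keep="$1" '
        BEGIN { while ((getline p < keep) > 0) need[p] = 1 }
        /^#/ || ($0 in need) { print; next }
        { print "#" $0 }'
}

demo() {
    keep=$(mktemp) || return 1
    sample_ldd | linked_paths > "$keep"
    sample_rootfile | prune_rootfile "$keep"
    rm -f "$keep"
}

demo
```

On a firewall image, everything the pruned rootfile comments out (compiler drivers, headers, unused libraries) is code that never lands on the target system.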