ClamAV Changelog

What's new in ClamAV 1.2.0

Aug 29, 2023

Major changes:
Added support for extracting Universal Disk Format (UDF) partitions.
Specifically, this version adds support for the Beginning Extended Area Descriptor (BEA01) type of UDF files.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/941
Added an option to customize the size of ClamAV's clean file cache.
Increasing the size of the clean file cache may improve scan performance but will require more RAM. The cache size value should be a square number or will be rounded up to the nearest square number.
The cache size option for clamd and clamscan is --cache-size. Alternatively, you can customize the cache size for ClamD by setting CacheSize in clamd.conf.
Patch courtesy of Craig Andrews.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/882
Introduced a SystemD timer for running Freshclam updates, without sending Freshclam into the background. This takes the "burden of timing the updates" from Freshclam and puts it onto SystemD. The timer can be activated, audited, and the logs inspected:
sudo systemctl enable --now clamav-freshclam-once.timer
sudo systemctl list-timers
sudo systemctl status clamav-freshclam-once.timer
sudo systemctl status clamav-freshclam-once.service
journalctl -u clamav-freshclam-once.service
If you want a different update interval you can edit the timer unit file:
sudo systemctl edit clamav-freshclam-once.timer
Patch courtesy of Nils Werner.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/962
Raised the MaxScanSize limit so the total amount of data scanned when scanning a file or archive may exceed 4 gigabytes.
Introduced the ability to suffix the MaxScanSize and other config file size options with a "G" or "g" for the number of gigabytes. For example, for ClamD you may now specify MaxScanSize 10G in clamd.conf. And for ClamScan, you may now specify --max-scansize=10g.
The MaxFileSize is still limited internally in ClamAV to 2 gigabytes. Any file, or embedded file, larger than 2GB will be skipped. You may use clamscan --alert-exceeds-max, or the clamd.conf option AlertExceedsMax yes to tell if a scan is not completed because of the scan limits.
Patch courtesy of matthias-fratz-bsz.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/945
Added ability for Freshclam to use a client certificate PEM file and a private key PEM file for authentication to a private mirror by setting the following environment variables:
FRESHCLAM_CLIENT_CERT: May be set to the path of a file (PEM) containing the client certificate.
FRESHCLAM_CLIENT_KEY: May be set to the path of a file (PEM) containing the client private key.
FRESHCLAM_CLIENT_KEY_PASSWD: May be set to a password for the client key PEM file, if it is password protected.
Patch courtesy of jedrzej.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/955
Other improvements:
Fix an issue extracting files from ISO9660 partitions where the files are listed in the plain ISO tree and there also exists an empty Joliet tree.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/938
CMake build system improvement to support compiling with OpenSSL 3.x on macOS with the Xcode toolchain.
The official ClamAV installers and packages are now built with OpenSSL 3.1.1 or newer.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/970
The suggested path for the clamd.pid and clamd.sock file in the sample configs have been updated to reflect the recommended locations for these files in the Docker images. These are:
/run/clamav/clamd.pid
/run/clamav/clamd.sock
For consistency, it now specifies clamd.sock instead of clamd.socket.
Patch courtesy of computersalat.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/931
Bug fixes:
Fixed an issue where ClamAV does not abort the signature load process after partially loading an invalid signature. The bug would later cause a crash when scanning certain files.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/934
Fixed a possible buffer over-read bug when unpacking PE files.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/927
Removed a warning message showing the HTTP response codes during the Freshclam database update process.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/935
Added missing command line options to the ClamD and ClamAV-Milter --help message and manpages.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/936
ClamOnAcc: Fixed error message when using --wait without --ping option. Patch courtesy of Răzvan Cojocaru.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/984
Fixed an assortment of code quality issues identified by Coverity:
GitHub pull requests:
https://github.com/Cisco-Talos/clamav/pull/989
https://github.com/Cisco-Talos/clamav/pull/998
Windows: Fixed a build issue with the CMake-Rust integration regarding detecting native static libraries that caused builds to fail with Rust version 1.70 and newer.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/992
Fixed a bounds check issue in the PDF parser that may result in a 1-byte buffer over read but does not cause a crash.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/988
Upgraded the bundled UnRAR library (libclamunrar) to version 6.2.10.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1008
Fixed a compatibility issue with libjson-c version 0.17.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1002

New in ClamAV 1.1.1 (Aug 16, 2023)

New in ClamAV 1.0.1 (Feb 16, 2023)

New in ClamAV 1.0.0 (Nov 29, 2022)

Major changes:
Support for decrypting read-only OLE2-based XLS files that are encrypted with the default password. Use of the default password will now appear in the metadata JSON.
Overhauled the implementation of the all-match feature. The newer code is more reliable and easier to maintain:
This project fixed several known issues with signature detection in all- match mode:
Enabled embedded file-type recognition signatures to match when a malware signature also matched in a scan of the same layer.
Enabled bytecode signatures to run in all-match mode after a match has occurred.
Fixed an assortment of all-match edge case issues.
Added multiple test cases to verify correct all-match behavior.
Added a new callback to the public API for inspecting file content during a scan at each layer of archive extraction:
The new callback function type is clcb_file_inspection defined in clamav.h.
The function cl_engine_set_clcb_file_inspection() may be used to enable the callback prior to performing a scan.
This new callback is to be considered unstable for the 1.0 release. We may alter this function in a subsequent feature version.
Added a new function to the public API for unpacking CVD signature archives:
The new function is cl_cvdunpack(). The last parameter for the function may be set to verify if a CVD's signature is valid before unpacking the CVD content to the destination directory.
The option to build with an external TomsFastMath library has been removed. ClamAV requires non-default build options for TomsFastMath to support bigger floating point numbers. Without this change, database and Windows EXE/DLL authenticode certificate validation may fail. The ENABLE_EXTERNAL_TOMSFASTMATH build is now ignored.
GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/742
Moved the Dockerfile and supporting scripts from the main ClamAV repository over to a new repository: https://github.com/Cisco-Talos/clamav-docker
The separate repository will make it easier to update the images and fix issues with images for released ClamAV versions.
Any users building the ClamAV Docker image rather than pulling them from Docker Hub will have to get the latest Docker files from the new location.
Increased the SONAME major version for libclamav because of ABI changes between the 0.103 LTS release and the 1.0 LTS release.
Other improvements:
Add checks to limit PDF object extraction recursion.
Increased the limit for memory allocations based on untrusted input and altered the warning message when the limit is exceeded so that it is more helpful and less dramatic.
Dramatically improved the build time of libclamav-Rust unit tests. The unit test build is included in the time limit for the test itself and was timing out on slower systems. The ClamAV Rust code modules now share the same build directory, which also reduces the amount of disk space used for the build.
For Windows: The debugging symbol (PDB) files are now installed alongside the DLL and LIB library files when built in "RelWithDebInfo" or "Debug" mode.
Relaxed the constraints on the check for overlapping ZIP file entries so as not to alert on slightly malformed, but non-malicious, Java (JAR) archives.
Increased the time limit in FreshClam before warning if the DNS entry is stale. In combination with changes to update the DNS entry more frequently, this should prevent false alarms of failures in the database publication system.
Docker: The C library header files are now included in the Docker image. Patch courtesy of GitHub user TerminalFi.
Show the BYTECODE_RUNTIME build options when using the ccmake GUI for CMake. Patch courtesy of ????? ????????.
Added explicit minimum and maximum supported LLVM versions so that the build will fail if you try to build with a version that is too old or too new and will print a helpful message rather than simply failing to compile because of compatibility issues. Patch courtesy of Matt Jolly.
Fixed compiler warnings that may turn into errors in Clang 16. Patch courtesy of Michael Orlitzky.
Allow building with a custom RPATH so that the executables may be moved after build in a development environment to a final installation directory.
Bug fixes:
Assorted code quality fixes. These are not security issues and will not be backported to prior feature versions:
Several heap buffer overflows while loading PDB and WDB databases were found by OSS-Fuzz and by Michal Dardas.
Follow-up Optimization: https://github.com/Cisco-Talos/clamav/pull/712
oss-fuzz 43843: heap buffer overflow read (1) cli_sigopts_handler
oss-fuzz 44849: heap buffer overflow read (4) in HTML/js-norm
oss-fuzz 43816: heap buffer overflow read (8) in cli_bcomp_freemeta
oss-fuzz 43832: heap buffer overflow read (2) in cli_parse_add
oss-fuzz 44493: integer overflow in cli_scannulsft
CIFuzz leak detected in IDB parser
oss-fuzz assorted signature parser leaks
oss-fuzz 40601: leak detected in pdf_parseobj
Fixed a build failure when using LIBCLAMAV_ONLY mode with tests enabled.
Fixed an issue verifying EXE/DLL authenticode signatures to determine a given file can be trusted (skipped).
Fixed a caching bug relating to the Container and Intermediates logical signature condition.
Fixed a build issue when build with RAR disabled or when building with an external libmspack library rather than the bundled library.
Fixed the capitalization of the -W option for clamonacc in the clamonacc manpage. Patch courtesy of GitHub user monkz.
Fixed a performance issue with Rust code when the build type is not explicitly set to "Release" or "RelWithDebInfo". The Rust default build type is now "RelWithDebInfo" just like the C code, instead of Debug. This means it is now optimized by default.
Fixed an issue loading Yara rules containing regex strings with an escaped forward-slash (/) followed by a colon (:).
Fixed an issue detecting and scanning ZIP file entries appended to very small files. The fix is part of the all-match feature overhaul.
Fixed a detection issue with EXE/DLL import-address-table hash signatures that specify a wildcard (*) for the size field. The fix is part of the all-match feature overhaul.
Fixed the default bytecode timeout value listed in the manpages and in the sample config files. Patches courtesy of Liam Jarvis and Ben Bodenmiller.
Fixed an issue building the libclamav_rust test program when running ctest if building with BYTECODE_RUNTIME=llvm and when the FindLLVM.cmake module is used to find the LLVM libraries. Patch courtesy of GitHub user teoberi.
Fixed an issue where scans sent to clamd with the all-match mode enabled caused all subsequent scans to also use all-match mode.
Fixed bug when starting clamonacc with the --log=FILE option that created randomly named files in the current directory.
Other assorted bug fixes.

New in ClamAV 0.104.1 (Nov 4, 2021)

FreshClam:
Add a 24-hour cool-down for FreshClam clients that have received an HTTP 403 (Forbidden) response from the CDN. This is to reduce the volume of 403-response data served to blocked FreshClam clients that are configured with a tight update-loop.
Fixed a bug where FreshClam treats an empty CDIFF as an incremental update failure instead of as an intentional request to download the whole CVD.
ClamDScan: Fix a scan error when broken symlinks are encountered on macOS with "FollowDirectorySymlinks" and "FollowFileSymlinks" options disabled.
Overhauled the scan recursion / nested archive extraction logic and added new limits on embedded file-type recognition performed during the "raw" scan of each file. This limits embedded file-type misidentification and prevents detecting embedded file content that is found/extracted and scanned at other layers in the scanning process.
Fix an issue with the FMap module that failed to read from some nested files.
Fixed an issue where failing to load some rules from a Yara file containing multiple rules may cause a crash.
Fixed assorted compiler warnings.
Fixed assorted Coverity static code analysis issues.
Scan limits:
Added virus-name suffixes to the alerts that trigger when a scan limit has been exceeded. Rather than simply Heuristics.Limits.Exceeded, you may now see limit-specific virus-names, to include:
Heuristics.Limits.Exceeded.MaxFileSize
Heuristics.Limits.Exceeded.MaxScanSize
Heuristics.Limits.Exceeded.MaxFiles
Heuristics.Limits.Exceeded.MaxRecursion
Heuristics.Limits.Exceeded.MaxScanTime
Renamed the Heuristics.Email.ExceedsMax.* alerts to align with the other limit alerts names. These alerts include:
Heuristics.Limits.Exceeded.EmailLineFoldcnt
Heuristics.Limits.Exceeded.EmailHeaderBytes
Heuristics.Limits.Exceeded.EmailHeaders
Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage
Heuristics.Limits.Exceeded.EmailMIMEArguments
Fixed an issue where the Email-related scan limits would alert even when the "AlertExceedsMax" (--alert-exceeds-max) scan option is not enabled.
Fixes an issue in the Zip parser where exceeding the "MaxFiles" limit or the "MaxFileSize" limit would abort the scan but would fail to alert. The Zip scan limit issues were independently identified and reported by Aaron Leliaert and Max Allan.
Fixed a leak in the Email parser when using the --gen-json scan option.
Fixed an issue where a failure to record metadata in the Email parser when using the --gen-json scan option could cause the Email parser to abort the scan early and fail to extract and scan additional content.
Fixed a file name memory leak in the Zip parser.
Fixed an issue where certain signature patterns may cause a crash or cause unintended matches on some systems when converting characters to uppercase if a UTF-8 unicode single-byte grapheme becomes a multi-byte grapheme. Patch courtesy of Andrea De Pasquale.
CMake:
Fix a packaging issue with the Windows *.msi installer so that it will include all of the required files.
Add support for developer code-signing on macOS during the build.
Fix an issue finding and linking with the tinfo library on systems where tinfo is separate from ncurses. Patch courtesy of Luca Barbato.
Tests: Improved the Freshclam incremental update tests to verify correct behavior when a zero-byte CDIFF is downloaded and the CVD served to FreshClam is older than advertised.
Docker: Remove the freshclam.dat file when building the Docker image with the databases-included so FreshClam agents running in the container will have a unique ID in the HTTP User-Agent.

New in ClamAV 0.104.0 (Oct 31, 2021)

New Requirements
As of ClamAV 0.104, CMake is required to build ClamAV.
We have added comprehensive build instructions for using CMake to the new INSTALL.md file. The online documentation will also be updated to include CMake build instructions.
The Autotools and the Visual Studio build systems have been removed.
Major changes
The built-in LLVM for the bytecode runtime has been removed.
The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103.
We hoped to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2. See the "bytecode runtime" section in INSTALL.md to learn more.
There are now official ClamAV images on Docker Hub.
Docker Hub ClamAV tags:
clamav/clamav:<version>: A release preloaded with signature databases.
Using this container will save the ClamAV project some bandwidth. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container. Updating with FreshClam from the existing databases set does not use much data.
clamav/clamav:<version>_base: A release with no signature databases.
Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature database databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker.
Caution: Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container.
You can use the unstable version (i.e. clamav/clamav:unstable or clamav/clamav:unstable_base) to try the latest from our development branch.
Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.
For more details, see the ClamAV Docker documentation.
Special thanks to Olliver Schinagl for his excellent work creating ClamAV's new Docker files, image database deployment tooling, and user documentation.
clamd and freshclam are now available as Windows services. To install and run them, use the --install-service option and net start [name] command.
Special thanks to Gianluigi Tiesi for his original work on this feature.
Notable changes:
The following was added in 0.103.1 and is repeated here for awareness, as patch versions do not generally introduce new options:
Added a new scan option to alert on broken media (graphics) file formats. This feature mitigates the risk of malformed media files intended to exploit vulnerabilities in other software. At present, media validation exists for JPEG, TIFF, PNG and GIF files. To enable this feature, set AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option when using clamscan. These options are disabled by default in this patch release but may be enabled in a subsequent release. Application developers may enable this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.
Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior. BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG 2000 format checking capabilities.
Added progress callbacks to libclamav for:
database load: cl_engine_set_clcb_sigload_progress()
engine compile: cl_engine_set_clcb_engine_compile_progress()
engine free: cl_engine_set_clcb_engine_free_progress()
These new callbacks enable an application to monitor and estimate load, compile, and unload progress. See clamav.h for API details.
Added progress bars to ClamScan for the signature load and engine compile steps before a scan begins. The start-up progress bars won't be enabled if ClamScan isn't running in a terminal (i.e. stdout is not a TTY), or if any of these options are used:
--debug
--quiet
--infected
--no-summary
Other improvements:
Added the %f format string option to the ClamD VirusEvent feature to insert the file path of the scan target when a virus-event occurs. This supplements the VirusEvent %v option which prints the signature (virus) name. The ClamD VirusEvent feature also provides two environment variables, $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME for a similar effect. Patch courtesy of Vasile Papp.
Improvements to the AutoIt extraction module. Patch courtesy of cw2k.
Added support for extracting images from Excel *.xls (OLE2) documents.
Trusted SHA256-based Authenticode hashes can now be loaded in from *.cat files. For more information, visit our Authenticode documentation about using *.cat files with *.crb rules to trust signed Windows executables.
Bug fixes:
Fixed a memory leak affecting logical signatures that use the "byte compare" feature. Patch courtesy of Andrea De Pasquale.
Fixed bytecode match evaluation for PDF bytecode hooks in PDF file scans.
Other minor bug fixes.

New in ClamAV 0.104.0 RC 2 (Aug 20, 2021)

What changed since the first release candidate:
First and foremost, we are listening to your concerns about the build system change from Autotools to CMake, and about changes coming in a future feature release when we add the Rust programming language toolchain into our build requirements. We can't bring back Autotools, but we hope that the following will help.
We are introducing a Long Term Support (LTS) program that will begin with the 0.103 feature release. Users will be required to stay up to date with the latest patch versions (e.g., 0.103.3) within the 0.103 feature series, but will have the peace-of-mind that the 0.103 feature release will receive critical patch versions with a stable ABI up until End-of-Life in September 2023. Stay tuned for a separate blog post introducing the full details of our LTS program. We will also add a version-support-matrix to our online documentation in tandem with the LTS blog post for easy reference.
In addition to the above, we've resolved the following issues identified during the first release candidate:
Increased the functionality level (FLEVEL) for the 0.104 release to make space for additional 0.103 (LTS) patch versions. See the Version & FLEVEL reference.
Improvements installation instructions in INSTALL.md and in the online documentation.
Fixed iconv / libiconv detection in the CMake configuration process when -Werror=return-type is enabled, such as in the openSUSE packaging environment. See PR-233.
Fixed broken CMake build when RAR support is intentionally disabled and test-support is enabled. See PR-237.
Fixed broken CMake build on systems that do not provide format string macros for standard integer types. See PR-231.
Improved long file path support on Windows. (Disclaimer: presently requires user to opt-in with a registry key change). See PR-229.
Fixed a segfault and socket file descriptor leak in ClamOnAcc. See PR-227.
Fixed an error reported by ClamD when scanning directories on Windows. See PR-230.
Fixed issue with Freshclam support for Universal Naming Convention (UNC) paths on Windows. See PR-226.
Added missing environment variable feature documentation to the manpages. See PR-254.
Fixed an assortment of issues identified by Coverity static analysis. See PR-221.
Tuned the Valgrind suppression rules for the public test suite to resolve a false positive that caused intermittent ClamD test failures. See PR-238.
Fixed the mspack library name to deconflict with system installed mspack packages. See PR-234.
Fixed a false positive in the ClamD tests, reported by Valgrind when compiling with Clang. See PR-236.

New in ClamAV 0.104.0 RC (Jul 23, 2021)

New Requirements:
As of ClamAV 0.104, CMake is required to build ClamAV.
We have added comprehensive build instructions for using CMake to the new INSTALL.md file. The online documentation will also be updated to include CMake build instructions.
The Autotools and the Visual Studio build systems have been removed.
Major changes:
The built-in LLVM for the bytecode runtime has been removed.
The bytecode interpreter is the default runtime for bytecode signatures just as it was in ClamAV 0.103.
We wished to add support for newer versions of LLVM, but ran out of time. If you're building ClamAV from source and you wish to use LLVM instead of the bytecode interpreter, you will need to supply the development libraries for LLVM version 3.6.2. See INSTALL.md to learn more.
There are now official ClamAV images on Docker Hub.
Note: Until ClamAV 0.104.0 is released, these images are limited to "unstable" versions, which are updated daily with the latest changes in the default branch on GitHub.
You can find the images on Docker Hub under clamav.
Docker Hub ClamAV tags:
clamav/clamav:<version>: A release preloaded with signature databases.
Using this container will save the ClamAV project some bandwidth. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container. Updating with FreshClam from the existing databases set does not use much data.
clamav/clamav:<version>_base: A release with no signature databases.
Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature database databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker.
Caution: Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container.
You can use the unstable version (i.e. clamav/clamav:unstable or clamav/clamav:unstable_base) to try the latest from our development branch.
Please, be kind when using "free" bandwidth for the virus databases and Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.
For more details, see the ClamAV Docker documentation.
Special thanks to Olliver Schinagl for his excellent work creating ClamAV's new Docker files, image database deployment tooling, and user documentation.
clamd and freshclam are now available as Windows services. To install and run them, use the --install-service option and net start [name] command.
Special thanks to Gianluigi Tiesi for his original work on this feature.
Notable changes:
We added these features in 0.103.1 but wanted to re-post them here, as patch versions do not generally introduce new options:
Added a new scan option to alert on broken media (graphics) file formats. This feature mitigates the risk of malformed media files intended to exploit vulnerabilities in other software. Currently, media validation exists for JPEG, TIFF, PNG, and GIF files. To enable this feature, set AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option when using clamscan. These options are disabled by default in this patch, but may be enabled in a subsequent release. Application developers may enable this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.
Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF and PNG typing behavior. BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS because ClamAV does not have BMP or JPEG 2000 format-checking capabilities.
Added progress callbacks to libclamav for:
database load: cl_engine_set_clcb_sigload_progress()
engine compile: cl_engine_set_clcb_engine_compile_progress()
engine free: cl_engine_set_clcb_engine_free_progress()
These new callbacks enable an application to monitor and estimate load, compile and unload progress. See clamav.h for API details.
Added progress bars to ClamScan for the signature load and engine compile steps before a scan begins. The startup progress bars won't be enabled if ClamScan isn't running in a terminal (i.e. if stdout is not a TTY), or if any of these options are used:
--debug
--quiet
--infected
--no-summary
Other improvements:
Added the %f format string option to the ClamD VirusEvent feature to insert the file path of the scan target when a virus event occurs. This supplements the VirusEvent %v option that prints the signature (virus) name. The ClamD VirusEvent feature also provides two environment variables, $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME for a similar effect. This fix comes courtesy of Vasile Papp.
Improvements to the AutoIt extraction module. Patch courtesy of cw2k.
Added support for extracting images from Excel *.xls (OLE2) documents.
Trusted SHA256-based Authenticode hashes can now be loaded in from *.cat files. See our Authenticode documentation for more info about using *.cat files with *.crb rules to trust signed Windows executables.
Bug fixes:
Fixed a memory leak affecting logical signatures that use the "byte compare" feature. Patch courtesy of Andrea De Pasquale.
Fixed bytecode match evaluation for PDF bytecode hooks in PDF file scans.
Other minor bug fixes.

New in ClamAV 0.103.3 (Jun 21, 2021)

Fixed a scan performance issue when ENGINE_OPTIONS_FORCE_TO_DISK is enabled. This issue did not affect most users, but for those affected, it caused every scanned file to be copied to the temp directory before the scan.
Fixed ClamDScan crashes when using the --fdpass --multiscan command-line options in combination with the ClamD ExcludePath config file options.
Fixed an issue where the mirrors.dat file is owned by root when starting as root (or with sudo) and using daemon-mode. File ownership will be set to the DatabaseOwner just before FreshClam switches to run as that user.
Renamed the mirrors.dat file to freshclam.dat.
Unfortunately, some users have FreshClam configured to automatically delete mirrors.dat if FreshClam failed. Renaming mirrors.dat to freshclam.dat should make it so those scripts don't delete important FreshClam data.
We used to recommend deleting mirrors.dat if FreshClam failed to update. This is because mirrors.dat used to keep track of offline mirrors and network interruptions were known to cause FreshClam to think that all mirrors were offline. ClamAV now uses a paid CDN instead of a mirror network, and the new FreshClam DAT file no longer stores that kind of information. The UUID used in ClamAV's HTTP User-Agent is stored in the FreshClam DAT file and we want the UUID to persist between runs, even if there was a failure.
Disabled the HTTPUserAgent config option if the DatabaseMirror uses clamav.net. This will prevent users from being inadvertently blocked and will ensure that we can keep better metrics on which ClamAV versions are being used.
This change effectively deprecates the HTTPUserAgent option for most users.
Moved the detection for Heuristics.PNG.CVE-2010-1205 behind the ClamScan --alert-broken-media option (ClamD AlertBrokenMedia yes) option. This type of PNG issue appears to be common enough to be an annoyance, and the CVE is old enough that no one should be vulnerable at this point.
Fixed ClamSubmit failures after changes to Cloudflare "__cfduid" cookies.

New in ClamAV 0.103.2 (Apr 8, 2021)

New in ClamAV 0.103.1 (Feb 3, 2021)

Notable changes:
Added a new scan option to alert on broken media (graphics) file formats.
This feature mitigates the risk of malformed media files intended to exploit vulnerabilities in other software. At present, media validation exists for JPEG, TIFF, PNG and GIF files. To enable this feature, set AlertBrokenMedia yes in clamd.conf for use with ClamD, or use the --alert-broken-media option when using ClamScan. These options are disabled by default in this patch release but may be enabled in a subsequent release.
Application developers may enable this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.
Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF and PNG typing behavior. BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG 2000 format-checking capabilities.
Bug fixes:
Fixed PNG parser logic bugs that caused an excess of parsing errors and fixed a stack exhaustion issue affecting some systems when scanning PNG files. PNG file type detection was disabled via signature database update for ClamAV version 0.103.0 to mitigate the effects from these bugs.
Fixed an issue where PNG and GIF files no longer work with Target:5 graphics signatures if detected as CL_TYPE_PNG or CL_TYPE_GIF rather than as CL_TYPE_GRAPHICS. Target types now support up to 10 possible file types to make way for additional graphics types in future releases.
Fixed ClamOnAcc's --fdpass option:
File descriptor passing (or "FD-passing") is a mechanism by which ClamOnAcc and ClamDScan may transfer an open file to ClamD to scan, even if ClamD is running as a non-privileged user and wouldn't otherwise have read-access to the file. This enables ClamD to scan all files without having to run ClamD as root. If possible, ClamD should never be run as root to mitigate the risk in case ClamD is somehow compromised while scanning malware.
Interprocess file descriptor passing for ClamOnAcc was broken since version 0.102.0 due to a bug introduced by the switch to cURL for communicating with ClamD. On Linux, passing file descriptors from one process to another is handled by the kernel, so we reverted ClamOnAcc to use standard system calls for socket communication when FD-passing is enabled.
Fixed a ClamOnAcc stack corruption issue on some systems when using an older version of libcurl. Patch courtesy of Emilio Pozuelo Monfort.
Allow ClamScan and ClamDScan scans to proceed even if the realpath lookup failed. This alleviates an issue on Windows scanning files hosted on file-systems that do not support the GetMappedFileNameW() API, such as on ImDisk RAM-disks.
Fixed FreshClam's --on-update-execute=EXIT_1 temporary directory cleanup issue.
ClamD's log output and VirusEvent feature now provide the scan target's file path instead of a file descriptor. The ClamD socket API for submitting a scan by FD-passing doesn't include a file path. This feature works by looking up the file path by the file descriptor. This feature works on Mac and Linux but is not yet implemented for other UNIX operating systems. FD-passing is not available for Windows.
Fixed an issue where FreshClam database validation didn't work correctly when run in daemon mode on Linux/Unix.
Fixed scan speed performance issues accidentally introduced in ClamAV 0.103.0 caused by hashing file maps more than once when parsing a file as a new type, and caused by frequent scanning of non-HTML text data with the HTML parser.
Other improvements:
Scanning JPEG, TIFF, PNG and GIF files will no longer return "parse" errors when file format validation fails. Instead, the scan will alert with the "Heuristics.Broken.Media" signature prefix and a descriptive suffix to indicate the issue, provided that the "alert broken media" feature is enabled.
GIF format validation will no longer fail if the GIF image is missing the trailer byte, as this appears to be a relatively common issue in otherwise functional GIFs.
Added a TIFF dynamic configuration (DCONF) option that was missing. This will allow us to disable TIFF format validation via signature database update in the event that it proves to be problematic. This feature already exists for many other file types.
Acknowledgments:
The ClamAV team thanks Emilio Pozuelo Monfort for their code submissions.

New in ClamAV 0.103.0 (Sep 14, 2020)

With your feedback on the previous candidates, we've fixed these additional issues:
The freshclam PID file was not readable by other users in previous release candidates but is now readable by all.
An issue with how freshclam was linked with the autotools build system caused SysLog settings to be ignored.
The real-path checks introduced to clamscan and clamdscan in 0.102.4 broke scanning of some files with Unicode filenames and files on network shares for Windows users.
Thanks to the users for your help in fixing these bugs.
Major changes:
clamd can now reload the signature database without blocking scanning. This multi-threaded database reload improvement was made possible thanks to a community effort.
Non-blocking database reloads are now the default behavior. Some systems that are more constrained on RAM may need to disable non-blocking reloads, as it will temporarily consume double the amount of memory. We added a new clamd config option ConcurrentDatabaseReload, which may be set to no.
Notable changes:
The DLP module has been enhanced with additional credit card ranges and a new engine option that allows ClamAV to alert only on credit cards (and not, for instance, gift cards) when scanning with the DLP module. John Schember developed this feature, with input from Alexander Sulfrian.
We added support for Adobe Reader X PDF encryption and overhauled the PNG-scanning tool to detect PNG-specific exploits. We also made a major change to GIF parsing that now makes it more tolerant of problematic files and adds the ability to scan overlays, all thanks to work and patches submitted by Aldo Mazzeo.
clamdtop.exe is now available for Windows users. The functionality is somewhat limited when compared to clamdtop on Linux. PDCurses is required to build clamdtop.exe for ClamAV on Windows.
The phishing detection module will now print "Suspicious link found!" along with the "Real URL" and "Display URL" each time ClamAV detects phishing. In a future version, we would like to print out alert-related metadata like this at the end of a scan, but for now, this detail will help users understand why a given file is being flagged as phishing.
Added new *experimental* CMake build tooling. CMake is not yet recommended for production builds. Our team would appreciate any assistance improving the CMake build tooling so we can one day deprecate autotools and remove the Visual Studio solutions.
Please see the new CMake installation instructions found in INSTALL.cmake.md for detailed instructions on how to build ClamAV with CMake.
Added --ping and --wait options to the clamdscan and clamonacc client applications.
The --ping (-p) command will attempt to ping clamd up to a specified maximum number of attempts at an optional interval. If the interval isn't specified, a default one-second interval is used. It will exit with status code `0` when it receives a PONG from clamd or status code `21` if the timeout expires before it receives a response.
Added Excel 4.0 (XLM) macro detection and extraction support. Significantly improved VBA detection and extraction as well. Work courtesy of Jonas Zaddach.
This support not yet added to sigtool, as the VBA extraction feature in sigtool is separate from the one used for scanning and will still need to be updated or replaced in the future.
Improvements to the layout and legibility of temp files created during a scan. Improvements to legibility and content of the metadata JSON generated during a scan.
To review the scan temp files and metadata JSON, run:
clamscan --tempdir=<path> --leave-temps --gen-json <target>
Viewing the scan temp files and metadata.json file provides some insight into how ClamAV analyzes a given file and can also be useful to analysts for the initial triage of potentially malicious files.
Other improvements:
Added ability for freshclam and clamsubmit to override default use of OpenSSL CA bundle with a custom CA bundle. On Linux/Unix platforms (excluding macOS), users may specify a custom CA bundle by setting the CURL_CA_BUNDLE environment variable. On macOS and Windows, users are expected to add CA certificates to their respective system's keychain/certificate store. Patch courtesy of Sebastian A. Siewior.
clamscan and clamdscan now print the scan start and end dates in the scan summary.
The clamonacc on-access scanning daemon for Linux now installs to sbin instead of bin.
Improvements to the freshclam progress bar to ensure the text does not shift around as information changes. The bar will not exceed 80 characters, even on very slow connections. Time is now displayed in Xm XXs (or Xh XXm) for values of 60 seconds or longer. The bytes display now changes units at the proper 1024 B/KiB instead of 2048 B/KiB. Patch courtesy of Zachary Murden.
Improve column alignment and line wrap rendering for clamdtop. Also fixed an issue on Windows where clamdtop would occasionally disconnect from clamd and fail to reconnect. Patch courtesy of Zachary Murden.
Improvements to the AutoIT parser.
Loosened the curl version requirements in order to build and use clamonacc. You may now build ClamAV with any version of libcurl. However, clamonacc's file descriptor-passing (FD-passing) capability will only be available with libcurl 7.40 or newer. FD-passing is ordinarily the default way to perform scans with clamonacc, as it is significantly faster than streaming.
Added LZMA and BZip2 decompression routines to the bytecode signature API.
Disabled embedded type recognition for specific archive and disk image file types. This change reduces file type misclassification and improves scan time performance by reducing duplicated file scanning.
Use pkg-config to detect libpcre2-8 before resorting to pcre2-config or pcre-config.
Patch courtesy of Michael Orlitzky.
Bug fixes:
Fixed issue scanning directories on Windows with clamdscan.exe that was introduced when mitigating against symlink quarantine attacks.
Fixed behavior of freshclam --quiet option. Patch courtesy of Reio Remma.
Fixed behavior of freshclam's OnUpdateExecute, OnErrorExecute, and OnOutdatedExecute config options on Windows when in daemon-mode so it can handle multiple arguments. Patch courtesy of Zachary Murden.
Fixed an error in the heuristic alert mechanism that would cause a single detection within an archive to alert once for every subsequent file scanned, potentially resulting in thousands of alerts for a single scan.
Fixed clamd, clamav-milter, and freshclam to create PID files before dropping privileges, to avoid the possibility of an unprivileged user from changing the PID file so that a service manager will kill a different process. This change does make the services unable to clean up the PID file on exit.
Fixed the false positive (.fp) signature feature. In prior versions, the hash in a false positive signature would be checked only against the current layer of a file being scanned. In 0.103, every file layer is hashed, and the hashes for each in the scan recursion list are checked. This ensures that .fp signatures containing a hash for any layer in the scan leading up to the alert will negate the alert.
As an example, a hash for a zip containing the file which alerts would not prevent the detection in prior versions. Only the hash of the embedded file would work. For some file types where the outermost is always an archive, eg. docx files, this made .fp signatures next to useless. For certain file types where the scanned content was a normalized version of the original content, eg. HTML, the normalized version was never hashed and this meant that .fp signatures never worked.
Fixed Trusted & Revoked Windows executable (PE) file signature rules (.crb) maximum functionality level (FLEVEL) which had been being treated as the minimum FLEVEL. These signatures enable ClamAV to trust executables that are digitally signed by trusted publishers or to alert on executables signed with compromised signing-certificates. The minimum and maximum FLEVELS enable or disable signatures at load time depending on the current ClamAV version.
Fixed a bug wherein you could not build ClamAV with --enable-libclamav-only if curl was not installed on the system.
Various other bug fixes, improvements and documentation improvements.
New Requirements:
Autotools (automake, autoconf, m4, pkg-config, libtool) are now required to build from a Git clone because the files generated by these tools have been removed from the Git repository. To generate these files before you compile ClamAV, run autogen.sh. Users building with autotools from the release tarball should be unaffected.

New in ClamAV 0.103.0 RC 2 (Sep 1, 2020)

New in ClamAV 0.103.0 RC (Aug 18, 2020)

Major changes:
clamd can now reload the signature database without blocking scanning. This multi-threaded database reload improvement was made possible thanks to a community effort.
Non-blocking database reloads are now the default behavior. Some systems that are more constrained on RAM may need to disable non-blocking reloads as it will temporarily consume 2x as much memory. For this purpose we have added a new clamd config option ConcurrentDatabaseReload which may be set to no.
Notable changes:
The DLP module has been enhanced with additional credit card ranges and a new engine option which allows ClamAV to alert only on credit cards (and not, for instance, gift cards) when scannning with the DLP module. This feature enhancement was made by John Schember, with input from Alexander Sulfrian.
Support for Adobe Reader X PDF encryption, an overhaul of PNG scanning to detect PNG specific exploits, and a major change to GIF parsing which makes it more tolerant to problematic files and adds the ability to scan overlays, all thanks to work and patches submitted by Aldo Mazzeo.
clamdtop.exe now available for Windows users. Functionality is somewhat limited when compared with clamdtop on Linux. PDCurses is required to build clamdtop.exe for ClamAV on Windows.
The phishing detection module will now print "Suspicious link found!" along with the "Real URL" and "Display URL" each time phishing is detected. In a future version, we would like to print out alert-related metadata like this at the end of a scan, but for now this detail will help users understand why a given file is being flagged as phishing.
Added new *experimental* CMake build tooling. CMake is not yet recommended for production builds. Our team would appreciate any assistance improving the CMake build tooling so we can one day deprecate Autotools and remove the Visual Studio solutions.
Please see the new CMake installation instructions found in INSTALL.cmake.md for detailed instructions on how to build ClamAV with CMake.
Added --ping and --wait options to the clamdscan and clamonacc client applications.
The --ping (-p) command will attempt to ping clamd up to a specified maximum number of attempts at an optional interval. If the interval isn't specified, a default 1-second interval is used. It will exit with status code `0` when it receives a PONG from clamd or status code `21` if the timeout expires before it receives a response.
Other improvements
Added ability for freshclam and clamsubmit to override default use of OpenSSL CA bundle with a custom CA bundle. On Linux/Unix platforms (excluding macOS), users may specify a custom CA bundle by setting the CURL_CA_BUNDLE environment variable. On macOS and Windows, users are expected to add CA certificates to their respective system's keychain/certificate store. Patch courtesy of Sebastian A. Siewior
clamscan and clamdscan now print the scan start and end dates in the scan summary.
The clamonacc on-access scanning daemon for Linux now installs to sbin instead of bin.
Improvements to the freshclam progress bar so the width of the text does not shift around as information changes and will not spill exceed 80-characters even on very slow connections. Time is now displayed in Xm XXs (or Xh XXm) for values of 60 seconds or more. Bytes display now changes units at the proper 1024 B/KiB instead of 2048 B/KiB. Patch courtesy of Zachary Murden.
Improve column alignment and line wrap rendering for clamdtop. Also fixed an issue on Windows where clamdtop would occasionally disconnect from clamd and fail to reconnect. Patch courtesy of Zachary Murden.
Improvements to the AutoIT parser.
Loosened the curl version requirements in order to build and use clamonacc. You may now build ClamAV with any version of libcurl. However clamonacc's file descriptor-passing (FD-passing) capability will only be available with libcurl 7.40 or newer. FD-passing is ordinarily the default way to perform scans with clamonacc as it is significantly faster than streaming.
Added LZMA and BZip2 decompression routines to the bytecode signature API.
Disabled embedded type recognition for specific archive and disk image file types. This change reduces file type misclassification and improves scan time performance by reducing duplicated file scanning.
Bug fixes:
Fixed issue scanning directories on Windows with clamdscan.exe that was introduced when mitigating against symlink quarantine attacks.
Fixed behavior of freshclam --quiet option. Patch courtesy of Reio Remma.
Fixed behavior of freshclam's OnUpdateExecute, OnErrorExecute, and OnOutdatedExecute config options on Windows when in daemon-mode so it can handle multiple arguments. Patch courtesy of Zachary Murden.
Fixed an error in the heuristic alert mechanism that would cause a single detection within an archive to alert once for every subsequent file scanned, potentially resulting in thousands of alerts for a single scan.
Fixed clamd, clamav-milter, and freshclam to create PID files before dropping privileges, to avoid the possibility of an unprivileged user from changing the PID file so that a service manager will kill a different process. This change does make the services unable to clean up the PID file on exit.
Fixed the false positive (.fp) signature feature. In prior versions, the hash in a false positive signature would be checked only against the current layer of a file being scanned. In 0.103, every file layer is hashed, and the hashes for each in the scan recursion list are checked. This ensures that .fp signatures containing a hash for any layer in the scan leading up to the alert will negate the alert.
As an example, a hash for a zip containing the file which alerts would not prevent the detection in prior versions. Only the hash of the embedded file would work. For some file types where the outermost is always an archive, eg. docx files, this made .fp signatures next to useless. For certain file types where the scanned content was a normalized version of the original content, eg. HTML, the normalized version was never hashed and this meant that .fp signatures never worked.
Fixed Trusted & Revoked Windows executable (PE) file signature rules (.crb) maximum functionality level (FLEVEL) which had been being treated as the minimum FLEVEL. These signatures enable ClamAV to trust executables that are digitally signed by trusted publishers, or to alert on executables signed with compromised signing-certificates. The minimum and maximum FLEVELS enable or disable signatures at load time depending on the current ClamAV version.
Fixed a bug wherein you could not build ClamAV with --enable-libclamav-only if curl was not installed on the system.
Various other bug fixes, improvements, and documentation improvements.
New Requirements:
Autotools (automake, autoconf, m4, pkg-config, libtool) are now required in order to build from a Git clone because the files generated by these tools have been removed from the Git repository. To generate theses files before you compile ClamAV, run autogen.sh. Users building with Autotools from the release tarball should be unaffected.
Flex and Bison are now required in order to build from a Git clone. Flex and Bison are also required to build with CMake. Users building with Autotools from the release tarball should be unaffected.

New in ClamAV 0.102.2 (Feb 5, 2020)

New in ClamAV 0.102.1 (Nov 20, 2019)

New in ClamAV 0.102.0 (Oct 2, 2019)

Major changes:
The On-Access Scanning feature has been migrated out of clamd and into a brand new utility named clamonacc. This utility is similar to clamdscan and clamav-milter in that it acts as a client to clamd. This separation from clamd means that clamd no longer needs to run with root privileges while scanning potentially malicious files. Instead, clamd may drop privileges to run under an account that does not have super-user. In addition to improving the security posture of running clamd with On-Access enabled, this update fixed a few outstanding defects:
On-Access scanning for created and moved files (Extra-Scanning) is fixed.
VirusEvent for On-Access scans is fixed.
With clamonacc, it is now possible to copy, move, or remove a file if the scan triggered an alert, just like with clamdscan.
For details on how to use the new clamonacc On-Access scanner, please refer to the user manual on ClamAV.net, and please read our blog post entitled "Understanding and transitioning to ClamAV's new On-Access scanner."
The freshclam database update utility has undergone a significant update. This includes:
Added support for HTTPS.
Support for database mirrors hosted on ports other than 80.
Removal of the mirror management feature (mirrors.dat).
An all new libfreshclam library API.
Notable changes:
Added support for extracting ESTsoft .egg archives. This feature is new code developed from scratch using ESTsoft's Egg-archive specification and without referencing the UnEgg library provided by ESTsoft. This was necessary because the UnEgg library's license includes restrictions limiting the commercial use of the UnEgg library.
The documentation has moved!
Users should navigate to ClamAV.net to view the documentation online.
The documentation will continue to be provided in HTML format with each release for offline viewing in the docs/html directory.
The new home for the documentation markdown is in our ClamAV FAQ Github repository.
To remediate future denial of service conditions caused by excessive scan times, we introduced a scan time limit. The default value is 2 minutes (120000 milliseconds).
To customize the time limit:
use the clamscan --max-scantime option
use the clamd MaxScanTime config option
Libclamav users may customize the time limit using the cl_engine_set_num function. For example:
cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
Other improvements:
Improved Windows executable Authenticode handling, enabling both whitelisting and blacklisting of files based on code-signing certificates. Additional improvements to Windows executable (PE file) parsing. Work courtesy of Andrew Williams.
Added support for creating bytecode signatures for Mach-O and ELF executable unpacking. Work courtesy of Jonas Zaddach.
Re-formatted the entire ClamAV code-base using clang-format in conjunction with our new ClamAV code style specification. See the clamav.net blog post for details.
Integrated ClamAV with Google's OSS-Fuzz automated fuzzing service with the help of Alex Gaynor. This work has already proven beneficial, enabling us to identify and fix subtle bugs in both legacy code and newly developed code.
The clamsubmit tool is now available on Windows.
The clamscan metadata feature (--gen-json) is now available on Windows.
Significantly reduced number of warnings generated when compiling ClamAV with "-Wall" and "-Wextra" compiler flags and made many subtle improvements to the consistency of variable types throughout the code.
Updated the majority of third-party dependencies for ClamAV on Windows. The source code for each has been removed from the clamav-devel repository. This means that these dependencies have to be compiled independently of ClamAV. The added build process complexity is offset by significantly reducing the difficulty of releasing ClamAV with newer versions of those dependencies.
During the 0.102 development period, we've also improved our Continuous Integration (CI) processes. Most recently, we added a CI pipeline definition to the ClamAV Git repository. This chains together our build and quality assurance test suites and enables automatic testing of all proposed changes to ClamAV, with customizable parameters to suit the testing needs of any given code change.
Added a new clamav-version.h generated header to provide version number macros in text and numerical format for ClamAV, libclamav, and libfreshclam.
Improved cross-platform buildability of libxml2. Work courtesy of Eneas U de Queiroz with supporting ideas pulled from the work of Jim Klimov.
Bug fixes:
Fix to prevent a possible crash when loading LDB type signature databases and PCRE is not available. Patch courtesy of Tomasz Kojm.
Fixes to the PDF parser that will improve PDF malware detection efficacy. Patch courtesy of Clement Lecigne.
Fix for regular expression phishing signatures (PDB R-type signatures).
Various other bug fixes.
New Requirements:
Libcurl has become a hard-dependency. Libcurl enables HTTPS support for freshclam and clamsubmit as well as communication between clamonacc and clamd.
Libcurl version >= 7.45 is required when building ClamAV from source with the new On-Access Scanning application (clamonacc). Users on Linux operating systems that package older versions of libcurl (e.g. all versions of CentOS and Debian versions <= 8) have a number of options:
Wait for your package maintainer to provide a newer version of libcurl.
Install a newer version of libcurl from source.
Disable installation of clamonacc and On-Access Scanning capabilities with the ./configure flag --disable-clamonacc.
Non-Linux users will need to take no actions as they are unaffected by this new requirement.

New in ClamAV 0.102.0 RC (Sep 16, 2019)

Major changes:
The On-Access Scanning feature has been migrated out of clamd and into a brand new utility named clamonacc. This utility is similar to clamdscan and clamav-milter in that it acts as a client to clamd. This separation from clamd means that clamd no longer needs to run with root privileges while scanning potentially malicious files. Instead, clamd may drop privileges to run under an account that does not have super-user. In addition to improving the security posture of running clamd with On-Access enabled, this update fixed a few outstanding defects:
On-Access scanning for created and moved files (Extra-Scanning) is fixed.
VirusEvent for On-Access scans is fixed.
With clamonacc, it is now possible to copy, move, or remove a file if the scan triggered an alert, just like with clamdscan. For details on how to use the new clamonacc On-Access scanner, please refer to the user manual on ClamAV.net, and keep an eye out for a new blog post on the topic.
The freshclam database update utility has undergone a significant update. This includes:
Added support for HTTPS.
Support for database mirrors hosted on ports other than 80.
Removal of the mirror management feature (mirrors.dat).
An all new libfreshclam library API.
Notable changes:
Added support for extracting ESTsoft .egg archives. This feature is new code developed from scratch using ESTsoft's Egg-archive specification and without referencing the UnEgg library provided by ESTsoft. This was necessary because the UnEgg library's license includes restrictions limiting the commercial use of the UnEgg library.
The documentation has moved!
Users should navigate to ClamAV.net to view the documentation online.
The documentation will continue to be provided in HTML format with each release for offline viewing in the docs/html directory.
The new home for the documentation markdown is in our ClamAV FAQ Github repository.
To remediate future denial of service conditions caused by excessive scan times, we introduced a scan time limit. The default value is 2 minutes (120000 milliseconds).
To customize the time limit:
use the clamscan --max-scantime option
use the clamd MaxScanTime config option
Libclamav users may customize the time limit using the cl_engine_set_num function. For example:
cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
Other improvements:
Improved Windows executable Authenticode handling, enabling both whitelisting and blacklisting of files based on code-signing certificates. Additional improvements to Windows executable (PE file) parsing. Work courtesy of Andrew Williams.
Added support for creating bytecode signatures for Mach-O and ELF executable unpacking. Work courtesy of Jonas Zaddach.
Re-formatted the entire ClamAV code-base using clang-format in conjunction with our new ClamAV code style specification. See the clamav.net blog post for details.
Integrated ClamAV with Google's OSS-Fuzz automated fuzzing service with the help of Alex Gaynor. This work has already proven beneficial, enabling us to identify and fix subtle bugs in both legacy code and newly developed code.
The clamsubmit tool is now available on Windows.
The clamscan metadata feature (--gen-json) is now available on Windows.
Significantly reduced number of warnings generated when compiling ClamAV with "-Wall" and "-Wextra" compiler flags and made many subtle improvements to the consistency of variable types throughout the code.
Updated the majority of third-party dependencies for ClamAV on Windows. The source code for each has been removed from the clamav-devel repository. This means that these dependencies have to be compiled independently of ClamAV. The added build process complexity is offset by significantly reducing the difficulty of releasing ClamAV with newer versions of those dependencies.
During the 0.102 development period, we've also improved our Continuous Integration (CI) processes. Most recently, we added a CI pipeline definition to the ClamAV Git repository. This chains together our build and quality assurance test suites and enables automatic testing of all proposed changes to ClamAV, with customizable parameters to suit the testing needs of any given code change.
Added a new clamav-version.h generated header to provide version number macros in text and numerical format for ClamAV, libclamav, and libfreshclam.
Improved cross-platform buildability of libxml2. Work courtesy of Eneas U de Queiroz with supporting ideas pulled from the work of Jim Klimov.
Bug fixes:
Fix to prevent a possible crash when loading LDB type signature databases and PCRE is not available. Patch courtesy of Tomasz Kojm.
Fixes to the PDF parser that will improve PDF malware detection efficacy. Patch courtesy of Clement Lecigne.
Fix for regular expression phishing signatures (PDB R-type signatures).
Various other bug fixes.
New Requirements:
Libcurl has become a hard-dependency. Libcurl enables HTTPS support for freshclam and clamsubmit as well as communication between clamonacc and clamd.
Libcurl version >= 7.45 is required when building ClamAV from source with the new On-Access Scanning application (clamonacc). Users on Linux operating systems that package older versions of libcurl (e.g. all versions of CentOS and Debian versions <= 8) have a number of options:
Wait for your package maintainer to provide a newer version of libcurl.
Install a newer version of libcurl from source.
Disable installation of clamonacc and On-Access Scanning capabilities with the ./configure flag --disable-clamonacc.
Non-Linux users will need to take no actions as they are unaffected by this new requirement.

New in ClamAV 0.101.2 (Mar 27, 2019)

- Fixes for the following vulnerabilities affecting 0.101.1 and prior:
- CVE-2019-1787:
An out-of-bounds heap read condition may occur when scanning PDF
documents. The defect is a failure to correctly keep track of the number
of bytes remaining in a buffer when indexing file data.
- CVE-2019-1789:
An out-of-bounds heap read condition may occur when scanning PE files
(i.e. Windows EXE and DLL files) that have been packed using Aspack as a
result of inadequate bound-checking.
- CVE-2019-1788:
An out-of-bounds heap write condition may occur when scanning OLE2 files
such as Microsoft Office 97-2003 documents. The invalid write happens when
an invalid pointer is mistakenly used to initialize a 32bit integer to
zero. This is likely to crash the application.
- Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:
- CVE-2019-1786:
An out-of-bounds heap read condition may occur when scanning malformed PDF
documents as a result of improper bounds-checking.
- CVE-2019-1785:
A path-traversal write condition may occur as a result of improper input
validation when scanning RAR archives. Issue reported by aCaB.
- CVE-2019-1798:
A use-after-free condition may occur as a result of improper error
handling when scanning nested RAR archives. Issue reported by David L.
- Fixes for the following assorted bugs:
- Added checks to prevent shifts from causing undefined behavior in HTML
normalizer, UPX unpacker, ARJ extractor, CPIO extractor, OLE2 parser,
LZW decompressor used in the PDF parser, Xz decompressor, and UTF-16 to
ASCII transcoder.
- Added checks to prevent integer overflow in UPX unpacker.
- Fix for minor memory leak in OLE2 parser.
- Fix to speed up PDF parser when handling truncated (or malformed) PDFs.
- Fix for memory leak in ARJ decoder failure condition.
- Fix for potential memory and file descriptor leak in HTML normalization code.
- Removed use of problematic feature that converted file descriptors to
file paths. The feature was intended to improve performance when scanning
file types, notably RAR archives, for which the API requires a file path.
This feature caused issues in environments where the ClamAV engine is run
in a low-permissions or sandboxed process. RAR archives are still supported
with this change, but performance may suffer slightly if the file path is not
provided in calls to `cl_scandesc_callback()`.
- Added filename and tempfile names to scandesc calls in clamd.
- Added general scan option `CL_SCAN_GENERAL_UNPRIVILEGED` to treat the scan
engine as unprivileged, meaning that the scan engine will not have read
access to the file. Provided file paths are for logging purposes only.
- Added ability to create a temp file when scanning RAR archives when the
process does not have read access to the file path provided (i.e.
unprivileged is set, or an access check fails).

New in ClamAV 0.101.1 (Jan 8, 2019)

New in ClamAV 0.100.1 (Jul 9, 2018)

New in ClamAV 0.100.0 (Apr 9, 2018)

Some of the more prominent submissions include:
Interfaces to the Prelude SIEM open source package for collecting ClamAV virus events.
Support for Visual Studio 2015 for Windows builds. Please note that we have deprecated support for Windows XP, and while Vista may still work, we no longer test ClamAV on Windows XP or Vista.
Support libmspack internal code or as a shared object library. The internal library is the default and includes modifications to enable parsing of CAB files that do not entirely adhere to the CAB file format.
Linking with OpenSSL 1.1.0.
Deprecation of the AllowSupplementaryGroups parameter statement in clamd, clamav-milter, and freshclam. Use of supplementary is now in effect by default.
Numerous bug fixes, typo corrections, and compiler warning fixes.
Additionally, we have introduced important changes and new features in ClamAV 0.100, including but not limited to:
Deprecating internal LLVM code support. The configure script has changed to search the system for an installed instance of the LLVM development libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode signatures. To use the LLVM Just-In-Time compiler for executing bytecode signatures, please ensure that the LLVM development package at version 3.6 or lower is installed. Using the deprecated LLVM code is possible with the command: ./configure --with-system-llvm=no, but it no longer compiles on all platforms.
Compute and check PE import table hash (a.k.a. "imphash") signatures.
Support file property collection and analysis for MHTML files.
Raw scanning of PostScript files.
Fix clamsubmit to use the new virus and false positive submission web interface.
Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when size limitations are exceeded.
Improved decoders for PDF files.
Reduced number of compile time warnings.
Improved support for C++11.
Improved detection of system installed libraries.
Fixes to ClamAV's Container system and the introduction of Intermediates for more descriptive signatures.

New in ClamAV 0.100.0 RC (Mar 22, 2018)

New in ClamAV 0.99.4 (Mar 1, 2018)

New in ClamAV 0.99.3 (Feb 19, 2018)

CVE-2017-12374
1. ClamAV UAF (use-after-free) Vulnerabilities
The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations. If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://bugzilla.clamav.net/show_bug.cgi?id=11939
CVE-2017-12375
2. ClamAV Buffer Overflow Vulnerability
The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing functions. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition on an affected device.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N /A:L
https://bugzilla.clamav.net/show_bug.cgi?id=11940
CVE-2017-12376
3. ClamAV Buffer Overflow in handle_pdfname Vulnerability
ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device.
The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause a buffer overflow when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code.
https://bugzilla.clamav.net/show_bug.cgi?id=11942
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2017-12377
4. ClamAV Mew Packet Heap Overflow Vulnerability
ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device.
The vulnerability is due to improper input validation checking mechanisms in mew packet files sent to an affected device. A successful exploit could cause a heap overflow condition when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code on the affected device.
https://bugzilla.clamav.net/show_bug.cgi?id=11943
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L /A:L
CVE-2017-12378
5. ClamAV Buffer Over Read Vulnerability
ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
The vulnerability is due to improper input validation checking mechanisms of .tar (Tape Archive) files sent to an affected device. A successful exploit could cause a buffer over-read condition when ClamAV scans the malicious .tar file, potentially allowing the attacker to cause a DoS condition on the affected device.
https://bugzilla.clamav.net/show_bug.cgi?id=11946
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N /A:L
CVE-2017-12379
6. ClamAV Buffer Overflow in messageAddArgument Vulnerability
ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device.
The vulnerability is due to improper input validation checking mechanisms in the message parsing function on an affected system. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition or execute arbitrary code on an affected device.
https://bugzilla.clamav.net/show_bug.cgi?id=11944
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L /A:L
CVE-2017-12380
7. ClamAV Null Dereference Vulnerability
ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
The vulnerability is due to improper input validation checking mechanisms during certain mail parsing functions of the ClamAV software. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. An exploit could trigger a NULL pointer dereference condition when ClamAV scans the malicious email, which may result in a DoS condition.
https://bugzilla.clamav.net/show_bug.cgi?id=11945
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Also included are 2 minor fixes to properly detect openssl install locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1# version numbers.

New in ClamAV 0.100.0 Beta (Feb 6, 2018)

New in ClamAV 0.99.3 Beta 2 (Dec 18, 2017)

New in ClamAV 0.99.3 Beta 1 (Aug 24, 2017)

New in ClamAV 0.99.2 (May 4, 2016)

7z: fix for FolderStartPackStreamIndex array index heck
bb11547 - print all CDBNAME entries for a zip file when using the -z flag.
try to minimize the err cleanup path
clamunrar: notice if unpacking comment failed
bb9042 - signature manual update.
bb#11396 - use temp var for realloc to prevent pointer loss.
bb#11397 - fix debug VI hex truncation
bb#11398 - freshclam: avoid random data in mirrors.dat.
libclamav: print raw certificate metadata
bb#11529 - freshclam manager check return code of strdup.
bb#11261 - additional suppress IP notification when using proxy
bb#10983 - fix download and verification of *.cld through PrivateMirrors
bb#11261 - suppress IP notification when using proxy
bb#11543 - remove redundant mempool assignment
bb#11003 - divide out dumpcerts output for better readability
bb#11003 - fix dconf and option handling for nocert and dumpcert
bb11463 - patch by Jim Morris to increase clamd's soft file descriptor to its potential maximum on 64-bit systems
Move libfreshclam config to m4/reorganization.
adding libfreshclam
Add 'cdb' datafile to sigtools list of datafile types
bb11526 - NULL pointer check.
bb11524 - malloc() NULL pointer check
bb1436 - clamscan 'block-macros' option.
bb#11514 - initialize cpio name buffer
bb#11514 - initialize mspack decompression buffers
bb#11514 - prevent memory allocations on used pointers (folder objects)
bb#11514 - prevent memory allocations on used pointers (boolvectors)
bb#11514 - initialize ARJ metadata structures
bb#11514 - change cli_malloc with cli_calloc
bb#11514 - check packSizes prior to dereference
bb#11514 - fixed inconsistent folder state on failure
bb#11514 - pre-check on (*unpackSizes) dereference
bb11514 - fix on pre-checks on dereferenced array
bb11514 - pre-checks on dereferenced array size values (not =0)
bb-11514 - adding sanity checks to 7z header parsing
bb#11514 - fixed mew source read issue
bb#11513 - documentation update on targets
filetype consistency
move llvm option flag handling to new m4 file
hwp5.x: fix for streams without names

ClamAV Changelog

What's new in ClamAV 1.2.0

New in ClamAV 1.1.1 (Aug 16, 2023)

New in ClamAV 1.0.1 (Feb 16, 2023)

New in ClamAV 1.0.0 (Nov 29, 2022)

New in ClamAV 0.104.1 (Nov 4, 2021)

New in ClamAV 0.104.0 (Oct 31, 2021)

New in ClamAV 0.104.0 RC 2 (Aug 20, 2021)

New in ClamAV 0.104.0 RC (Jul 23, 2021)

New in ClamAV 0.103.3 (Jun 21, 2021)

New in ClamAV 0.103.2 (Apr 8, 2021)

New in ClamAV 0.103.1 (Feb 3, 2021)

New in ClamAV 0.103.0 (Sep 14, 2020)

New in ClamAV 0.103.0 RC 2 (Sep 1, 2020)

New in ClamAV 0.103.0 RC (Aug 18, 2020)

New in ClamAV 0.102.2 (Feb 5, 2020)

New in ClamAV 0.102.1 (Nov 20, 2019)

New in ClamAV 0.102.0 (Oct 2, 2019)

New in ClamAV 0.102.0 RC (Sep 16, 2019)

New in ClamAV 0.101.2 (Mar 27, 2019)

New in ClamAV 0.101.1 (Jan 8, 2019)

New in ClamAV 0.100.1 (Jul 9, 2018)

New in ClamAV 0.100.0 (Apr 9, 2018)

New in ClamAV 0.100.0 RC (Mar 22, 2018)

New in ClamAV 0.99.4 (Mar 1, 2018)

New in ClamAV 0.99.3 (Feb 19, 2018)

New in ClamAV 0.100.0 Beta (Feb 6, 2018)

New in ClamAV 0.99.3 Beta 2 (Dec 18, 2017)

New in ClamAV 0.99.3 Beta 1 (Aug 24, 2017)

New in ClamAV 0.99.2 (May 4, 2016)

New in ClamAV 0.99.1 (Mar 3, 2016)

New in ClamAV 0.99.1 Beta 1 (Feb 5, 2016)

New in ClamAV 0.99 (Dec 1, 2015)

New in ClamAV 0.99 RC 2 (Nov 17, 2015)

New in ClamAV 0.99 RC 1 (Oct 20, 2015)

New in ClamAV 0.98.7 (Apr 29, 2015)

New in ClamAV 0.98.6 (Apr 29, 2015)

New in ClamAV 0.98.5 (Nov 19, 2014)

New in ClamAV 0.98.5 RC 1 (Oct 14, 2014)

New in ClamAV 0.98.5 Beta 1 (Jul 9, 2014)

New in ClamAV 0.98.4 (Jun 17, 2014)

New in ClamAV 0.98.4 RC 1 (May 16, 2014)

New in ClamAV 0.98.3 (May 8, 2014)

New in ClamAV 0.98.1 (Jan 15, 2014)

New in ClamAV 0.98 (Sep 20, 2013)

New in ClamAV 0.97.8 (May 15, 2013)

New in ClamAV 0.97.7 (Mar 18, 2013)

New in ClamAV 0.97.5 (Mar 18, 2013)

New in ClamAV 0.97.4 (Mar 18, 2013)

New in ClamAV 0.97.3 (Mar 18, 2013)