Cisco has released a major new version of the free antivirus package, ClamAV 0.105.0, and has also published the patch releases ClamAV 0.104.3 and 0.103.6 with fixes for vulnerabilities and bugs. Recall that the project passed into Cisco's hands in 2013 with the acquisition of Sourcefire, the developer of ClamAV and Snort. The project code is distributed under the GPLv2 license.
Key improvements in ClamAV 0.105:
- A Rust compiler is now among the required build dependencies; Rust 1.56 or later is needed. The Rust dependency libraries required for the build are bundled in the main ClamAV package.
- The code for incremental database updates (CDIFF) has been rewritten in Rust. The new implementation significantly speeds up applying updates that remove a large number of signatures from the database. This is the first module to be rewritten in Rust.
- The default limits have been increased:
  - MaxScanSize: 100M → 400M
  - MaxFileSize: 25M → 100M
  - StreamMaxLength: 25M → 100M
  - PCREMaxFileSize: 25M → 100M
  - MaxEmbeddedPE: 10M → 40M
  - MaxHTMLNormalize: 10M → 40M
  - MaxScriptNormalize: 5M → 20M
  - MaxHTMLNoTags: 2M → 8M
- The maximum line length in the freshclam.conf and clamd.conf configuration files has been raised from 512 to 1024 characters (when access tokens are specified, the DatabaseMirror parameter could exceed 512 bytes).
- To identify images used for phishing or malware distribution, a new type of logical signature is supported that uses fuzzy hashing, which identifies similar objects with a certain degree of probability. A fuzzy hash for an image can be generated with the "sigtool --fuzzy-img" command.
- ClamScan and ClamDScan now have built-in process memory scanning. The feature has been ported from the ClamWin package and is specific to Windows. The "--memory", "--kill" and "--unload" options have been added to ClamScan and ClamDScan on Windows.
- The runtime components for executing LLVM-based bytecode have been updated. A JIT compilation mode is offered to increase scanning performance compared to the default bytecode interpreter. Support for older LLVM versions has been dropped; LLVM versions 8 through 12 can now be used.
- A GenerateMetadataJson setting has been added to clamd. It is equivalent to the "--gen-json" option of clamscan and causes metadata about the progress of the scan to be written to the file metadata.json in JSON format.
- Builds can now use the external TomsFastMath library (libtfm), enabled with the options "-D ENABLE_EXTERNAL_TOMSFASTMATH=ON", "-D TomsFastMath_INCLUDE_DIR=<path>" and "-D TomsFastMath_LIBRARY=<path>". The bundled copy of TomsFastMath has been updated to version 0.13.1.
- The freshclam utility's handling of ReceiveTimeout has been improved: it now aborts only stuck downloads and no longer interrupts active but slow downloads over poor links.
- Added support for building ClamdTop with the ncursesw library when ncurses is not available.
- Vulnerabilities fixed:
  - CVE-2022-20803: double free in the OLE2 file parser.
  - CVE-2022-20770: infinite loop in the CHM file parser.
  - CVE-2022-20796: crash due to a null pointer dereference in the cache validation code.
  - CVE-2022-20771: infinite loop in the TIFF file parser.
  - CVE-2022-20792: buffer overflow in the signature database loading module.
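The freshclam ReceiveTimeout change above is easier to see in code. This added example (not freshclam's own code) contrasts a deadline on the whole transfer with an inactivity timeout over two constructed, time-simulated transfers; the names Chunk, download_with_total_deadline, download_with_inactivity_timeout and compare are assumptions of this illustration.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass
class Chunk:
    """One piece of a download: the simulated second it arrives and its payload."""
    arrives_at: float
    data: bytes

class DownloadAborted(Exception):
    """Raised when a timeout policy gives up on the transfer."""

def download_with_total_deadline(chunks: Iterable[Chunk], timeout: float) -> bytes:
    """Abort once the whole transfer has taken longer than `timeout` seconds,
    even while bytes are still flowing (the behaviour that hurt slow links)."""
    received = b""
    for chunk in chunks:
        if chunk.arrives_at > timeout:
            raise DownloadAborted(f"transfer exceeded {timeout}s after {len(received)} bytes")
        received += chunk.data
    return received

def download_with_inactivity_timeout(chunks: Iterable[Chunk], timeout: float) -> bytes:
    """Abort only if more than `timeout` seconds pass without any data, so a slow
    but active transfer completes while a stuck one is still cut off."""
    received = b""
    last_activity = 0.0
    for chunk in chunks:
        if chunk.arrives_at - last_activity > timeout:
            raise DownloadAborted(f"no data for {timeout}s after {len(received)} bytes")
        received += chunk.data
        last_activity = chunk.arrives_at
    return received

# Constructed sample transfers (not real freshclam traffic): one delivers 64 bytes
# every 10 s and finishes at 60 s; the other stalls for 490 s after its second chunk.
SLOW_BUT_ACTIVE = [Chunk(t * 10.0, b"x" * 64) for t in range(1, 7)]
STUCK_MIDWAY = [Chunk(5.0, b"y" * 64), Chunk(10.0, b"y" * 64), Chunk(500.0, b"y" * 64)]

def compare(timeout: float = 30.0) -> dict:
    """Run both policies over both transfers; value is bytes received, or None if aborted."""
    results = {}
    for name, transfer in (("slow_active", SLOW_BUT_ACTIVE), ("stuck", STUCK_MIDWAY)):
        for policy in (download_with_total_deadline, download_with_inactivity_timeout):
            try:
                results[(name, policy.__name__)] = len(policy(transfer, timeout))
            except DownloadAborted:
                results[(name, policy.__name__)] = None
    return results
```

With a 30 s timeout only the inactivity policy lets the slow-but-active transfer finish, while both policies still cut off the stalled one.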