diff -Nru clamav-0.103.6+dfsg/CMakeLists.txt clamav-0.103.8+dfsg/CMakeLists.txt --- clamav-0.103.6+dfsg/CMakeLists.txt 2022-05-02 04:46:41.000000000 +0000 +++ clamav-0.103.8+dfsg/CMakeLists.txt 2023-02-13 00:03:33.000000000 +0000 @@ -15,7 +15,7 @@ set(VERSION_SUFFIX "") project( ClamAV - VERSION "0.103.6" + VERSION "0.103.8" DESCRIPTION "ClamAV open source email, web, and end-point anti-virus toolkit." ) set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH}) diff -Nru clamav-0.103.6+dfsg/configure clamav-0.103.8+dfsg/configure --- clamav-0.103.6+dfsg/configure 2022-05-02 04:47:06.000000000 +0000 +++ clamav-0.103.8+dfsg/configure 2023-02-13 00:03:59.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ClamAV 0.103.6. +# Generated by GNU Autoconf 2.69 for ClamAV 0.103.8. # # Report bugs to . # @@ -592,8 +592,8 @@ # Identity of this package. PACKAGE_NAME='ClamAV' PACKAGE_TARNAME='clamav' -PACKAGE_VERSION='0.103.6' -PACKAGE_STRING='ClamAV 0.103.6' +PACKAGE_VERSION='0.103.8' +PACKAGE_STRING='ClamAV 0.103.8' PACKAGE_BUGREPORT='https://github.com/Cisco-Talos/clamav/issues' PACKAGE_URL='https://www.clamav.net/' @@ -1606,7 +1606,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ClamAV 0.103.6 to adapt to many kinds of systems. +\`configure' configures ClamAV 0.103.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1687,7 +1687,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ClamAV 0.103.6:";; + short | recursive ) echo "Configuration of ClamAV 0.103.8:";; esac cat <<\_ACEOF --enable-dependency-tracking 
@@ -1922,7 +1922,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ClamAV configure 0.103.6 +ClamAV configure 0.103.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2550,7 +2550,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ClamAV $as_me 0.103.6, which was +It was created by ClamAV $as_me 0.103.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4308,7 +4308,7 @@ # Define the identity of the package. PACKAGE='clamav' - VERSION='0.103.6' + VERSION='0.103.8' # Some tools Automake needs. @@ -6036,7 +6036,7 @@ $as_echo "#define PACKAGE PACKAGE_NAME" >>confdefs.h -VERSION="0.103.6" +VERSION="0.103.8" major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/^0-9//g"` minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/^0-9//g"` @@ -31896,7 +31896,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ClamAV $as_me 0.103.6, which was +This file was extended by ClamAV $as_me 0.103.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -31963,7 +31963,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ClamAV config.status 0.103.6 +ClamAV config.status 0.103.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -34813,7 +34813,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ClamAV $as_me 0.103.6, which was +This file was extended by ClamAV $as_me 0.103.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -34880,7 +34880,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ClamAV config.status 0.103.6 +ClamAV config.status 0.103.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru clamav-0.103.6+dfsg/configure.ac clamav-0.103.8+dfsg/configure.ac --- clamav-0.103.6+dfsg/configure.ac 2022-05-12 16:36:26.000000000 +0000 +++ clamav-0.103.8+dfsg/configure.ac 2023-02-17 20:22:49.000000000 +0000 @@ -22,7 +22,7 @@ dnl For a release change [devel] to the real version [0.xy] dnl also change VERSION below -AC_INIT([ClamAV], [0.103.6], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/]) +AC_INIT([ClamAV], [0.103.8], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/]) dnl put configure auxiliary into config AC_CONFIG_AUX_DIR([config]) diff -Nru clamav-0.103.6+dfsg/debian/changelog clamav-0.103.8+dfsg/debian/changelog --- clamav-0.103.6+dfsg/debian/changelog 2022-05-12 16:40:40.000000000 +0000 +++ clamav-0.103.8+dfsg/debian/changelog 2023-02-20 15:07:28.000000000 +0000 @@ -1,3 +1,13 @@ +clamav (0.103.8+dfsg-0ubuntu0.18.04.1) bionic-security; urgency=medium + + * Updated to version 0.103.8 to fix security issues. + - debian/rules: bump CL_FLEVEL to 129. + - debian/libclamav9.symbols: updated CLAMAV_PRIVATE symbols to new + version. + - CVE-2023-20032, CVE-2023-20052 + + -- David Fernandez Gonzalez Mon, 20 Feb 2023 16:07:28 +0100 + clamav (0.103.6+dfsg-0ubuntu0.18.04.1) bionic-security; urgency=medium * Updated to version 0.103.6 to fix security issues. diff -Nru clamav-0.103.6+dfsg/debian/libclamav9.symbols clamav-0.103.8+dfsg/debian/libclamav9.symbols --- clamav-0.103.6+dfsg/debian/libclamav9.symbols 2022-05-12 16:40:40.000000000 +0000 +++ clamav-0.103.8+dfsg/debian/libclamav9.symbols 2023-02-20 15:07:28.000000000 +0000 
@@ -1,20 +1,20 @@ libclamav.so.9 libclamav9 #MINVER# * Build-Depends-Package: libclamav-dev - CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.6 + CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.8 CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0 - __cli_strcasestr@CLAMAV_PRIVATE 0.103.6 - __cli_strndup@CLAMAV_PRIVATE 0.103.6 - __cli_strnlen@CLAMAV_PRIVATE 0.103.6 - __cli_strnstr@CLAMAV_PRIVATE 0.103.6 - base64Flush@CLAMAV_PRIVATE 0.103.6 - blobAddData@CLAMAV_PRIVATE 0.103.6 - blobCreate@CLAMAV_PRIVATE 0.103.6 - blobDestroy@CLAMAV_PRIVATE 0.103.6 - cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.6 + __cli_strcasestr@CLAMAV_PRIVATE 0.103.8 + __cli_strndup@CLAMAV_PRIVATE 0.103.8 + __cli_strnlen@CLAMAV_PRIVATE 0.103.8 + __cli_strnstr@CLAMAV_PRIVATE 0.103.8 + base64Flush@CLAMAV_PRIVATE 0.103.8 + blobAddData@CLAMAV_PRIVATE 0.103.8 + blobCreate@CLAMAV_PRIVATE 0.103.8 + blobDestroy@CLAMAV_PRIVATE 0.103.8 + cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.8 cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0 - cl_base64_decode@CLAMAV_PRIVATE 0.103.6 - cl_base64_encode@CLAMAV_PRIVATE 0.103.6 - cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.6 + cl_base64_decode@CLAMAV_PRIVATE 0.103.8 + cl_base64_encode@CLAMAV_PRIVATE 0.103.8 + cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.8 cl_countsigs@CLAMAV_PUBLIC 0.101.0 cl_cvdfree@CLAMAV_PUBLIC 0.101.0 cl_cvdhead@CLAMAV_PUBLIC 0.101.0 
@@ -54,19 +54,19 @@ cl_fmap_close@CLAMAV_PUBLIC 0.101.0 cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0 cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0 - cl_get_pkey_file@CLAMAV_PRIVATE 0.103.6 - cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.6 - cl_hash_data@CLAMAV_PRIVATE 0.103.6 + cl_get_pkey_file@CLAMAV_PRIVATE 0.103.8 + cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.8 + cl_hash_data@CLAMAV_PRIVATE 0.103.8 cl_hash_destroy@CLAMAV_PUBLIC 0.101.0 - cl_hash_file_fd@CLAMAV_PRIVATE 0.103.6 - cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.6 - cl_hash_file_fp@CLAMAV_PRIVATE 0.103.6 + cl_hash_file_fd@CLAMAV_PRIVATE 0.103.8 + cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.8 + cl_hash_file_fp@CLAMAV_PRIVATE 0.103.8 cl_hash_init@CLAMAV_PUBLIC 0.101.0 cl_init@CLAMAV_PUBLIC 0.101.0 - cl_initialize_crypto@CLAMAV_PRIVATE 0.103.6 + cl_initialize_crypto@CLAMAV_PRIVATE 0.103.8 cl_load@CLAMAV_PUBLIC 0.101.0 - cl_load_cert@CLAMAV_PRIVATE 0.103.6 - cl_load_crl@CLAMAV_PRIVATE 0.103.6 + cl_load_cert@CLAMAV_PRIVATE 0.103.8 + cl_load_crl@CLAMAV_PRIVATE 0.103.8 cl_retdbdir@CLAMAV_PUBLIC 0.101.0 cl_retflevel@CLAMAV_PUBLIC 0.103.5 cl_retver@CLAMAV_PUBLIC 0.101.0 
@@ -76,196 +76,196 @@ cl_scanfile_callback@CLAMAV_PUBLIC 0.101.0 cl_scanmap_callback@CLAMAV_PUBLIC 0.101.0 cl_set_clcb_msg@CLAMAV_PUBLIC 0.101.0 - cl_sha1@CLAMAV_PRIVATE 0.103.6 - cl_sha256@CLAMAV_PRIVATE 0.103.6 - cl_sign_data@CLAMAV_PRIVATE 0.103.6 - cl_sign_data_keyfile@CLAMAV_PRIVATE 0.103.6 - cl_sign_file_fd@CLAMAV_PRIVATE 0.103.6 - cl_sign_file_fp@CLAMAV_PRIVATE 0.103.6 + cl_sha1@CLAMAV_PRIVATE 0.103.8 + cl_sha256@CLAMAV_PRIVATE 0.103.8 + cl_sign_data@CLAMAV_PRIVATE 0.103.8 + cl_sign_data_keyfile@CLAMAV_PRIVATE 0.103.8 + cl_sign_file_fd@CLAMAV_PRIVATE 0.103.8 + cl_sign_file_fp@CLAMAV_PRIVATE 0.103.8 cl_statchkdir@CLAMAV_PUBLIC 0.101.0 cl_statfree@CLAMAV_PUBLIC 0.101.0 cl_statinidir@CLAMAV_PUBLIC 0.101.0 cl_strerror@CLAMAV_PUBLIC 0.101.0 cl_update_hash@CLAMAV_PUBLIC 0.101.0 - cl_validate_certificate_chain@CLAMAV_PRIVATE 0.103.6 - cl_validate_certificate_chain_ts_dir@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_fd@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_fd_x509@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_fd_x509_keyfile@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_hash@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_hash_x509@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_hash_x509_keyfile@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_x509@CLAMAV_PRIVATE 0.103.6 - cl_verify_signature_x509_keyfile@CLAMAV_PRIVATE 0.103.6 - cli_ac_buildtrie@CLAMAV_PRIVATE 0.103.6 - cli_ac_chklsig@CLAMAV_PRIVATE 0.103.6 - cli_ac_free@CLAMAV_PRIVATE 0.103.6 - cli_ac_freedata@CLAMAV_PRIVATE 0.103.6 - cli_ac_init@CLAMAV_PRIVATE 0.103.6 - cli_ac_initdata@CLAMAV_PRIVATE 0.103.6 - cli_ac_scanbuff@CLAMAV_PRIVATE 0.103.6 - cli_basename@CLAMAV_PRIVATE 0.103.6 - cli_bm_free@CLAMAV_PRIVATE 0.103.6 - cli_bm_init@CLAMAV_PRIVATE 0.103.6 - cli_bm_scanbuff@CLAMAV_PRIVATE 0.103.6 - cli_build_regex_list@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_alloc@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_clear@CLAMAV_PRIVATE 0.103.6 - 
cli_bytecode_context_destroy@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_getresult_int@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_set_trace@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_setfile@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_setfuncid@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_setparam_int@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_context_setparam_ptr@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_debug@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_debug_printsrc@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_describe@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_destroy@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_done@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_init@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_load@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_prepare2@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_printversion@CLAMAV_PRIVATE 0.103.6 - cli_bytecode_run@CLAMAV_PRIVATE 0.103.6 - cli_bytefunc_describe@CLAMAV_PRIVATE 0.103.6 - cli_byteinst_describe@CLAMAV_PRIVATE 0.103.6 - cli_bytetype_describe@CLAMAV_PRIVATE 0.103.6 - cli_bytevalue_describe@CLAMAV_PRIVATE 0.103.6 - cli_calloc@CLAMAV_PRIVATE 0.103.6 - cli_check_auth_header@CLAMAV_PRIVATE 0.103.6 - cli_chomp@CLAMAV_PRIVATE 0.103.6 - cli_codepage_to_utf8@CLAMAV_PRIVATE 0.103.6 - cli_ctime@CLAMAV_PRIVATE 0.103.6 - cli_cvdunpack@CLAMAV_PRIVATE 0.103.6 - cli_dbgmsg_internal@CLAMAV_PRIVATE 0.103.6 - cli_dconf_init@CLAMAV_PRIVATE 0.103.6 - cli_debug_flag@CLAMAV_PRIVATE 0.103.6 - cli_detect_environment@CLAMAV_PRIVATE 0.103.6 - cli_disasm_one@CLAMAV_PRIVATE 0.103.6 - cli_errmsg@CLAMAV_PRIVATE 0.103.6 - cli_filecopy@CLAMAV_PRIVATE 0.103.6 - cli_free_vba_project@CLAMAV_PRIVATE 0.103.6 - cli_ftw@CLAMAV_PRIVATE 0.103.6 - cli_genhash_pe@CLAMAV_PRIVATE 0.103.6 - cli_gentemp@CLAMAV_PRIVATE 0.103.6 - cli_gentemp_with_prefix@CLAMAV_PRIVATE 0.103.6 - cli_gentempfd@CLAMAV_PRIVATE 0.103.6 - cli_get_filepath_from_filedesc@CLAMAV_PRIVATE 0.103.6 - cli_gettmpdir@CLAMAV_PRIVATE 0.103.6 - cli_hashfile@CLAMAV_PRIVATE 0.103.6 - cli_hashset_destroy@CLAMAV_PRIVATE 0.103.6 - 
cli_hashstream@CLAMAV_PRIVATE 0.103.6 - cli_hex2str@CLAMAV_PRIVATE 0.103.6 - cli_hex2ui@CLAMAV_PRIVATE 0.103.6 - cli_initroots@CLAMAV_PRIVATE 0.103.6 - cli_isnumber@CLAMAV_PRIVATE 0.103.6 - cli_js_destroy@CLAMAV_PRIVATE 0.103.6 - cli_js_init@CLAMAV_PRIVATE 0.103.6 - cli_js_output@CLAMAV_PRIVATE 0.103.6 - cli_js_parse_done@CLAMAV_PRIVATE 0.103.6 - cli_js_process_buffer@CLAMAV_PRIVATE 0.103.6 - cli_ldbtokenize@CLAMAV_PRIVATE 0.103.6 - cli_malloc@CLAMAV_PRIVATE 0.103.6 - cli_memstr@CLAMAV_PRIVATE 0.103.6 - cli_ole2_extract@CLAMAV_PRIVATE 0.103.6 - cli_parse_add@CLAMAV_PRIVATE 0.103.6 - cli_pcre_build@CLAMAV_PRIVATE 0.103.6 - cli_pcre_freeoff@CLAMAV_PRIVATE 0.103.6 - cli_pcre_init@CLAMAV_PRIVATE 0.103.6 - cli_pcre_perf_events_destroy@CLAMAV_PRIVATE 0.103.6 - cli_pcre_perf_print@CLAMAV_PRIVATE 0.103.6 - cli_pcre_recaloff@CLAMAV_PRIVATE 0.103.6 - cli_pcre_scanbuf@CLAMAV_PRIVATE 0.103.6 - cli_ppt_vba_read@CLAMAV_PRIVATE 0.103.6 - cli_printcxxver@CLAMAV_PRIVATE 0.103.6 - cli_readn@CLAMAV_PRIVATE 0.103.6 - cli_realloc@CLAMAV_PRIVATE 0.103.6 - cli_realpath@CLAMAV_PRIVATE 0.103.6 - cli_regcomp@CLAMAV_PRIVATE 0.103.6 - cli_regex2suffix@CLAMAV_PRIVATE 0.103.6 - cli_regexec@CLAMAV_PRIVATE 0.103.6 - cli_regfree@CLAMAV_PRIVATE 0.103.6 - cli_rmdirs@CLAMAV_PRIVATE 0.103.6 - cli_rndnum@CLAMAV_PRIVATE 0.103.6 - cli_sanitize_filepath@CLAMAV_PRIVATE 0.103.6 - cli_scan_buff@CLAMAV_PRIVATE 0.103.6 - cli_scan_fmap@CLAMAV_PRIVATE 0.103.6 - cli_sigopts_handler@CLAMAV_PRIVATE 0.103.6 - cli_sigperf_events_destroy@CLAMAV_PRIVATE 0.103.6 - cli_sigperf_print@CLAMAV_PRIVATE 0.103.6 - cli_str2hex@CLAMAV_PRIVATE 0.103.6 - cli_strbcasestr@CLAMAV_PRIVATE 0.103.6 - cli_strdup@CLAMAV_PRIVATE 0.103.6 - cli_strerror@CLAMAV_PRIVATE 0.103.6 - cli_strlcat@CLAMAV_PRIVATE 0.103.6 - cli_strlcpy@CLAMAV_PRIVATE 0.103.6 - cli_strntoul@CLAMAV_PRIVATE 0.103.6 - cli_strrcpy@CLAMAV_PRIVATE 0.103.6 - cli_strtok@CLAMAV_PRIVATE 0.103.6 - cli_strtokbuf@CLAMAV_PRIVATE 0.103.6 - cli_strtokenize@CLAMAV_PRIVATE 0.103.6 - 
cli_textbuffer_append_normalize@CLAMAV_PRIVATE 0.103.6 - cli_unescape@CLAMAV_PRIVATE 0.103.6 - cli_unlink@CLAMAV_PRIVATE 0.103.6 - cli_url_canon@CLAMAV_PRIVATE 0.103.6 - cli_utf16_to_utf8@CLAMAV_PRIVATE 0.103.6 - cli_utf16toascii@CLAMAV_PRIVATE 0.103.6 - cli_vba_inflate@CLAMAV_PRIVATE 0.103.6 - cli_vba_readdir@CLAMAV_PRIVATE 0.103.6 - cli_versig2@CLAMAV_PRIVATE 0.103.6 - cli_versig@CLAMAV_PRIVATE 0.103.6 - cli_warnmsg@CLAMAV_PRIVATE 0.103.6 - cli_wm_decrypt_macro@CLAMAV_PRIVATE 0.103.6 - cli_wm_readdir@CLAMAV_PRIVATE 0.103.6 - cli_writen@CLAMAV_PRIVATE 0.103.6 - decodeLine@CLAMAV_PRIVATE 0.103.6 - disasmbuf@CLAMAV_PRIVATE 0.103.6 - fmap@CLAMAV_PRIVATE 0.103.6 - fmap_dump_to_file@CLAMAV_PRIVATE 0.103.6 - fmap_duplicate@CLAMAV_PRIVATE 0.103.6 - free_duplicate_fmap@CLAMAV_PRIVATE 0.103.6 - get_fpu_endian@CLAMAV_PRIVATE 0.103.6 - have_clamjit@CLAMAV_PRIVATE 0.103.6 - have_rar@CLAMAV_PRIVATE 0.103.6 - html_normalise_map@CLAMAV_PRIVATE 0.103.6 - html_normalise_mem@CLAMAV_PRIVATE 0.103.6 - html_screnc_decode@CLAMAV_PRIVATE 0.103.6 - html_tag_arg_free@CLAMAV_PRIVATE 0.103.6 - init_domainlist@CLAMAV_PRIVATE 0.103.6 - init_regex_list@CLAMAV_PRIVATE 0.103.6 - init_whitelist@CLAMAV_PRIVATE 0.103.6 - is_regex_ok@CLAMAV_PRIVATE 0.103.6 - load_regex_matcher@CLAMAV_PRIVATE 0.103.6 + cl_validate_certificate_chain@CLAMAV_PRIVATE 0.103.8 + cl_validate_certificate_chain_ts_dir@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_fd@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_fd_x509@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_fd_x509_keyfile@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_hash@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_hash_x509@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_hash_x509_keyfile@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_x509@CLAMAV_PRIVATE 0.103.8 + cl_verify_signature_x509_keyfile@CLAMAV_PRIVATE 0.103.8 + cli_ac_buildtrie@CLAMAV_PRIVATE 0.103.8 + cli_ac_chklsig@CLAMAV_PRIVATE 0.103.8 + cli_ac_free@CLAMAV_PRIVATE 
0.103.8 + cli_ac_freedata@CLAMAV_PRIVATE 0.103.8 + cli_ac_init@CLAMAV_PRIVATE 0.103.8 + cli_ac_initdata@CLAMAV_PRIVATE 0.103.8 + cli_ac_scanbuff@CLAMAV_PRIVATE 0.103.8 + cli_basename@CLAMAV_PRIVATE 0.103.8 + cli_bm_free@CLAMAV_PRIVATE 0.103.8 + cli_bm_init@CLAMAV_PRIVATE 0.103.8 + cli_bm_scanbuff@CLAMAV_PRIVATE 0.103.8 + cli_build_regex_list@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_alloc@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_clear@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_destroy@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_getresult_int@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_set_trace@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_setfile@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_setfuncid@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_setparam_int@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_context_setparam_ptr@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_debug@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_debug_printsrc@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_describe@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_destroy@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_done@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_init@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_load@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_prepare2@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_printversion@CLAMAV_PRIVATE 0.103.8 + cli_bytecode_run@CLAMAV_PRIVATE 0.103.8 + cli_bytefunc_describe@CLAMAV_PRIVATE 0.103.8 + cli_byteinst_describe@CLAMAV_PRIVATE 0.103.8 + cli_bytetype_describe@CLAMAV_PRIVATE 0.103.8 + cli_bytevalue_describe@CLAMAV_PRIVATE 0.103.8 + cli_calloc@CLAMAV_PRIVATE 0.103.8 + cli_check_auth_header@CLAMAV_PRIVATE 0.103.8 + cli_chomp@CLAMAV_PRIVATE 0.103.8 + cli_codepage_to_utf8@CLAMAV_PRIVATE 0.103.8 + cli_ctime@CLAMAV_PRIVATE 0.103.8 + cli_cvdunpack@CLAMAV_PRIVATE 0.103.8 + cli_dbgmsg_internal@CLAMAV_PRIVATE 0.103.8 + cli_dconf_init@CLAMAV_PRIVATE 0.103.8 + cli_debug_flag@CLAMAV_PRIVATE 0.103.8 + cli_detect_environment@CLAMAV_PRIVATE 0.103.8 + cli_disasm_one@CLAMAV_PRIVATE 0.103.8 + cli_errmsg@CLAMAV_PRIVATE 
0.103.8 + cli_filecopy@CLAMAV_PRIVATE 0.103.8 + cli_free_vba_project@CLAMAV_PRIVATE 0.103.8 + cli_ftw@CLAMAV_PRIVATE 0.103.8 + cli_genhash_pe@CLAMAV_PRIVATE 0.103.8 + cli_gentemp@CLAMAV_PRIVATE 0.103.8 + cli_gentemp_with_prefix@CLAMAV_PRIVATE 0.103.8 + cli_gentempfd@CLAMAV_PRIVATE 0.103.8 + cli_get_filepath_from_filedesc@CLAMAV_PRIVATE 0.103.8 + cli_gettmpdir@CLAMAV_PRIVATE 0.103.8 + cli_hashfile@CLAMAV_PRIVATE 0.103.8 + cli_hashset_destroy@CLAMAV_PRIVATE 0.103.8 + cli_hashstream@CLAMAV_PRIVATE 0.103.8 + cli_hex2str@CLAMAV_PRIVATE 0.103.8 + cli_hex2ui@CLAMAV_PRIVATE 0.103.8 + cli_initroots@CLAMAV_PRIVATE 0.103.8 + cli_isnumber@CLAMAV_PRIVATE 0.103.8 + cli_js_destroy@CLAMAV_PRIVATE 0.103.8 + cli_js_init@CLAMAV_PRIVATE 0.103.8 + cli_js_output@CLAMAV_PRIVATE 0.103.8 + cli_js_parse_done@CLAMAV_PRIVATE 0.103.8 + cli_js_process_buffer@CLAMAV_PRIVATE 0.103.8 + cli_ldbtokenize@CLAMAV_PRIVATE 0.103.8 + cli_malloc@CLAMAV_PRIVATE 0.103.8 + cli_memstr@CLAMAV_PRIVATE 0.103.8 + cli_ole2_extract@CLAMAV_PRIVATE 0.103.8 + cli_parse_add@CLAMAV_PRIVATE 0.103.8 + cli_pcre_build@CLAMAV_PRIVATE 0.103.8 + cli_pcre_freeoff@CLAMAV_PRIVATE 0.103.8 + cli_pcre_init@CLAMAV_PRIVATE 0.103.8 + cli_pcre_perf_events_destroy@CLAMAV_PRIVATE 0.103.8 + cli_pcre_perf_print@CLAMAV_PRIVATE 0.103.8 + cli_pcre_recaloff@CLAMAV_PRIVATE 0.103.8 + cli_pcre_scanbuf@CLAMAV_PRIVATE 0.103.8 + cli_ppt_vba_read@CLAMAV_PRIVATE 0.103.8 + cli_printcxxver@CLAMAV_PRIVATE 0.103.8 + cli_readn@CLAMAV_PRIVATE 0.103.8 + cli_realloc@CLAMAV_PRIVATE 0.103.8 + cli_realpath@CLAMAV_PRIVATE 0.103.8 + cli_regcomp@CLAMAV_PRIVATE 0.103.8 + cli_regex2suffix@CLAMAV_PRIVATE 0.103.8 + cli_regexec@CLAMAV_PRIVATE 0.103.8 + cli_regfree@CLAMAV_PRIVATE 0.103.8 + cli_rmdirs@CLAMAV_PRIVATE 0.103.8 + cli_rndnum@CLAMAV_PRIVATE 0.103.8 + cli_sanitize_filepath@CLAMAV_PRIVATE 0.103.8 + cli_scan_buff@CLAMAV_PRIVATE 0.103.8 + cli_scan_fmap@CLAMAV_PRIVATE 0.103.8 + cli_sigopts_handler@CLAMAV_PRIVATE 0.103.8 + cli_sigperf_events_destroy@CLAMAV_PRIVATE 
0.103.8 + cli_sigperf_print@CLAMAV_PRIVATE 0.103.8 + cli_str2hex@CLAMAV_PRIVATE 0.103.8 + cli_strbcasestr@CLAMAV_PRIVATE 0.103.8 + cli_strdup@CLAMAV_PRIVATE 0.103.8 + cli_strerror@CLAMAV_PRIVATE 0.103.8 + cli_strlcat@CLAMAV_PRIVATE 0.103.8 + cli_strlcpy@CLAMAV_PRIVATE 0.103.8 + cli_strntoul@CLAMAV_PRIVATE 0.103.8 + cli_strrcpy@CLAMAV_PRIVATE 0.103.8 + cli_strtok@CLAMAV_PRIVATE 0.103.8 + cli_strtokbuf@CLAMAV_PRIVATE 0.103.8 + cli_strtokenize@CLAMAV_PRIVATE 0.103.8 + cli_textbuffer_append_normalize@CLAMAV_PRIVATE 0.103.8 + cli_unescape@CLAMAV_PRIVATE 0.103.8 + cli_unlink@CLAMAV_PRIVATE 0.103.8 + cli_url_canon@CLAMAV_PRIVATE 0.103.8 + cli_utf16_to_utf8@CLAMAV_PRIVATE 0.103.8 + cli_utf16toascii@CLAMAV_PRIVATE 0.103.8 + cli_vba_inflate@CLAMAV_PRIVATE 0.103.8 + cli_vba_readdir@CLAMAV_PRIVATE 0.103.8 + cli_versig2@CLAMAV_PRIVATE 0.103.8 + cli_versig@CLAMAV_PRIVATE 0.103.8 + cli_warnmsg@CLAMAV_PRIVATE 0.103.8 + cli_wm_decrypt_macro@CLAMAV_PRIVATE 0.103.8 + cli_wm_readdir@CLAMAV_PRIVATE 0.103.8 + cli_writen@CLAMAV_PRIVATE 0.103.8 + decodeLine@CLAMAV_PRIVATE 0.103.8 + disasmbuf@CLAMAV_PRIVATE 0.103.8 + fmap@CLAMAV_PRIVATE 0.103.8 + fmap_dump_to_file@CLAMAV_PRIVATE 0.103.8 + fmap_duplicate@CLAMAV_PRIVATE 0.103.8 + free_duplicate_fmap@CLAMAV_PRIVATE 0.103.8 + get_fpu_endian@CLAMAV_PRIVATE 0.103.8 + have_clamjit@CLAMAV_PRIVATE 0.103.8 + have_rar@CLAMAV_PRIVATE 0.103.8 + html_normalise_map@CLAMAV_PRIVATE 0.103.8 + html_normalise_mem@CLAMAV_PRIVATE 0.103.8 + html_screnc_decode@CLAMAV_PRIVATE 0.103.8 + html_tag_arg_free@CLAMAV_PRIVATE 0.103.8 + init_domainlist@CLAMAV_PRIVATE 0.103.8 + init_regex_list@CLAMAV_PRIVATE 0.103.8 + init_whitelist@CLAMAV_PRIVATE 0.103.8 + is_regex_ok@CLAMAV_PRIVATE 0.103.8 + load_regex_matcher@CLAMAV_PRIVATE 0.103.8 lsig_sub_matched@CLAMAV_PUBLIC 0.101.0 - messageCreate@CLAMAV_PRIVATE 0.103.6 - messageDestroy@CLAMAV_PRIVATE 0.103.6 - mpool_calloc@CLAMAV_PRIVATE 0.103.6 - mpool_create@CLAMAV_PRIVATE 0.103.6 - mpool_destroy@CLAMAV_PRIVATE 0.103.6 - 
mpool_free@CLAMAV_PRIVATE 0.103.6 - mpool_getstats@CLAMAV_PRIVATE 0.103.6 - phishingScan@CLAMAV_PRIVATE 0.103.6 - phishing_done@CLAMAV_PRIVATE 0.103.6 - phishing_init@CLAMAV_PRIVATE 0.103.6 - regex_list_add_pattern@CLAMAV_PRIVATE 0.103.6 - regex_list_done@CLAMAV_PRIVATE 0.103.6 - regex_list_match@CLAMAV_PRIVATE 0.103.6 - tableCreate@CLAMAV_PRIVATE 0.103.6 - tableDestroy@CLAMAV_PRIVATE 0.103.6 - tableFind@CLAMAV_PRIVATE 0.103.6 - tableInsert@CLAMAV_PRIVATE 0.103.6 - tableIterate@CLAMAV_PRIVATE 0.103.6 - tableRemove@CLAMAV_PRIVATE 0.103.6 - tableUpdate@CLAMAV_PRIVATE 0.103.6 - text_normalize_init@CLAMAV_PRIVATE 0.103.6 - text_normalize_map@CLAMAV_PRIVATE 0.103.6 - text_normalize_reset@CLAMAV_PRIVATE 0.103.6 - uniq_add@CLAMAV_PRIVATE 0.103.6 - uniq_free@CLAMAV_PRIVATE 0.103.6 - uniq_get@CLAMAV_PRIVATE 0.103.6 - uniq_init@CLAMAV_PRIVATE 0.103.6 + messageCreate@CLAMAV_PRIVATE 0.103.8 + messageDestroy@CLAMAV_PRIVATE 0.103.8 + mpool_calloc@CLAMAV_PRIVATE 0.103.8 + mpool_create@CLAMAV_PRIVATE 0.103.8 + mpool_destroy@CLAMAV_PRIVATE 0.103.8 + mpool_free@CLAMAV_PRIVATE 0.103.8 + mpool_getstats@CLAMAV_PRIVATE 0.103.8 + phishingScan@CLAMAV_PRIVATE 0.103.8 + phishing_done@CLAMAV_PRIVATE 0.103.8 + phishing_init@CLAMAV_PRIVATE 0.103.8 + regex_list_add_pattern@CLAMAV_PRIVATE 0.103.8 + regex_list_done@CLAMAV_PRIVATE 0.103.8 + regex_list_match@CLAMAV_PRIVATE 0.103.8 + tableCreate@CLAMAV_PRIVATE 0.103.8 + tableDestroy@CLAMAV_PRIVATE 0.103.8 + tableFind@CLAMAV_PRIVATE 0.103.8 + tableInsert@CLAMAV_PRIVATE 0.103.8 + tableIterate@CLAMAV_PRIVATE 0.103.8 + tableRemove@CLAMAV_PRIVATE 0.103.8 + tableUpdate@CLAMAV_PRIVATE 0.103.8 + text_normalize_init@CLAMAV_PRIVATE 0.103.8 + text_normalize_map@CLAMAV_PRIVATE 0.103.8 + text_normalize_reset@CLAMAV_PRIVATE 0.103.8 + uniq_add@CLAMAV_PRIVATE 0.103.8 + uniq_free@CLAMAV_PRIVATE 0.103.8 + uniq_get@CLAMAV_PRIVATE 0.103.8 + uniq_init@CLAMAV_PRIVATE 0.103.8 libfreshclam.so.2 libclamav9 #MINVER# FRESHCLAM_PRIVATE@FRESHCLAM_PRIVATE 0.103.0 
FRESHCLAM_PUBLIC@FRESHCLAM_PUBLIC 0.102.1 diff -Nru clamav-0.103.6+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch clamav-0.103.8+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch --- clamav-0.103.6+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch 2022-01-12 20:02:01.000000000 +0000 +++ clamav-0.103.8+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch 2023-02-20 15:07:16.000000000 +0000 @@ -13,11 +13,9 @@ 5 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 m4/reorganization/libs/tomsfastmath.m4 -diff --git a/configure.ac b/configure.ac -index 514a967..32be9e5 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -98,6 +98,7 @@ m4_include([m4/reorganization/libs/libmspack.m4]) +--- clamav-0.103.6+dfsg.orig/configure.ac ++++ clamav-0.103.6+dfsg/configure.ac +@@ -98,6 +98,7 @@ m4_include([m4/reorganization/libs/libms if test "x$use_internal_mspack" = "xno"; then mspack_msg="External, $LIBMSPACK_CFLAGS $LIBMSPACK_LIBS" fi @@ -33,11 +31,9 @@ # Yep, downgrading the compiler avoids the bug too: # 4.0.x, and 4.1.0 are the known buggy versions -diff --git a/libclamav/Makefile.am b/libclamav/Makefile.am -index 526ad56..7a5185e 100644 ---- a/libclamav/Makefile.am -+++ b/libclamav/Makefile.am -@@ -588,6 +588,7 @@ libclamav_la_SOURCES += yara_arena.c \ +--- clamav-0.103.6+dfsg.orig/libclamav/Makefile.am ++++ clamav-0.103.6+dfsg/libclamav/Makefile.am +@@ -587,6 +587,7 @@ libclamav_la_SOURCES += yara_arena.c \ yara_clam.h endif @@ -45,7 +41,7 @@ libclamav_la_SOURCES += bignum.h\ bignum_fast.h\ tomsfastmath/addsub/fp_add.c\ -@@ -672,6 +673,11 @@ libclamav_la_SOURCES += bignum.h\ +@@ -671,6 +672,11 @@ libclamav_la_SOURCES += bignum.h\ tomsfastmath/sqr/fp_sqr_comba_small_set.c\ tomsfastmath/sqr/fp_sqrmod.c 
@@ -57,10 +53,8 @@ .PHONY2: version.h.tmp version.c: version.h version.h: version.h.tmp -diff --git a/libclamav/bignum.h b/libclamav/bignum.h -index 8fdc956..56dfa95 100644 ---- a/libclamav/bignum.h -+++ b/libclamav/bignum.h +--- clamav-0.103.6+dfsg.orig/libclamav/bignum.h ++++ clamav-0.103.6+dfsg/libclamav/bignum.h @@ -1,9 +1,13 @@ #ifndef BIGNUM_H_ #define BIGNUM_H_ @@ -76,10 +70,8 @@ typedef fp_int mp_int; #define mp_cmp fp_cmp #define mp_toradix_n(a, b, c, d) fp_toradix_n(a, b, c, d) -diff --git a/libclamav/xdp.c b/libclamav/xdp.c -index 64a8a7b..8b82945 100644 ---- a/libclamav/xdp.c -+++ b/libclamav/xdp.c +--- clamav-0.103.6+dfsg.orig/libclamav/xdp.c ++++ clamav-0.103.6+dfsg/libclamav/xdp.c @@ -52,7 +52,7 @@ #include "scanners.h" #include "conv.h" @@ -89,11 +81,8 @@ #include "filetypes.h" static char *dump_xdp(cli_ctx *ctx, const char *start, size_t sz); -diff --git a/m4/reorganization/libs/tomsfastmath.m4 b/m4/reorganization/libs/tomsfastmath.m4 -new file mode 100644 -index 0000000..2a821a1 --- /dev/null -+++ b/m4/reorganization/libs/tomsfastmath.m4 ++++ clamav-0.103.6+dfsg/m4/reorganization/libs/tomsfastmath.m4 @@ -0,0 +1,12 @@ +dnl Check for system tomsfastmath +PKG_CHECK_MODULES([TOMSFASTMATH], [tomsfastmath], [have_system_tomsfastmath=yes], [have_system_tomsfastmath=no]) diff -Nru clamav-0.103.6+dfsg/debian/rules clamav-0.103.8+dfsg/debian/rules --- clamav-0.103.6+dfsg/debian/rules 2022-05-12 16:40:40.000000000 +0000 +++ clamav-0.103.8+dfsg/debian/rules 2023-02-20 15:07:28.000000000 +0000 
@@ -87,7 +87,7 @@
 fi;\
 done; \
 # Check for library features which may have been upgraded.
- if ! grep -q "CL_FLEVEL 127" libclamav/others.h ; then \
+ if ! grep -q "CL_FLEVEL 129" libclamav/others.h ; then \
 echo "cl_retflevel needs boosting in symbol file"; \
 touch debian/exit; \
 fi;
diff -Nru clamav-0.103.6+dfsg/docs/html/appendix/Authenticode.html clamav-0.103.8+dfsg/docs/html/appendix/Authenticode.html
--- clamav-0.103.6+dfsg/docs/html/appendix/Authenticode.html 2022-05-02 04:46:42.000000000 +0000
+++ clamav-0.103.8+dfsg/docs/html/appendix/Authenticode.html 2023-02-13 00:03:34.000000000 +0000
@@ -530,7 +530,7 @@
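Review bot: The guard in debian/rules now greps for `CL_FLEVEL 129`, but the libclamav9.symbols hunk earlier in this diff keeps `cl_retflevel@CLAMAV_PUBLIC 0.103.5` as unchanged context, so the symbols bump that the failure message asks for ("cl_retflevel needs boosting in symbol file") appears not to have been made alongside it. If the check exists so that a raised functionality level is reflected in the generated library dependencies, that entry should probably become `cl_retflevel@CLAMAV_PUBLIC 0.103.8`; this is inferred from the message text, so confirm it against the packaging policy. The pattern is also unanchored and would match a longer number such as 1290; `grep -qw "CL_FLEVEL 129"` is stricter. The enclosing shell loop and make target start outside the hunk.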

What are x509 certificates? (Provides an overview of the ASN1 structure of x509 certificates)

  • -

    Signed Malware (Research papers on signed malware with interactive tables of malicious code signing certs)

    +

    Signed Malware (Research papers on signed malware with interactive tables of malicious code signing certs)

  • diff -Nru clamav-0.103.6+dfsg/docs/html/appendix/CvdPrivateMirror.html clamav-0.103.8+dfsg/docs/html/appendix/CvdPrivateMirror.html --- clamav-0.103.6+dfsg/docs/html/appendix/CvdPrivateMirror.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/appendix/CvdPrivateMirror.html 2023-02-13 00:03:34.000000000 +0000 @@ -219,7 +219,7 @@ # 2. Use an HTTP Range-request to check if there is an update, rather than DNS. PrivateMirror http://mirror.mylan:8000 -# ScriptedUpdates is needed because you won't be serving CDIFF files. +# ScriptedUpdates is not needed because you won't be serving CDIFF files. ScriptedUpdates no

    When you run freshclam on your client machines, they should check for updates from your private server over HTTP by downloading just the database header*. If there is a new version, the client will download the whole CVD or CLD file from your private server to update.

    diff -Nru clamav-0.103.6+dfsg/docs/html/appendix/FileTypes.html clamav-0.103.8+dfsg/docs/html/appendix/FileTypes.html --- clamav-0.103.6+dfsg/docs/html/appendix/FileTypes.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/appendix/FileTypes.html 2023-02-13 00:03:34.000000000 +0000 @@ -145,7 +145,7 @@

    A Target Type is an integer that indicates which kind of file the signature will match against. Target Type notation was first created for the purposes writing efficient signatures. A signature with a target type of 0 will be run against every file type, and thus is not ideal. However, the Target Type notation is limited and it may be unavoidable.

    Although the newer CL_TYPE string name notation has replaced the Target Type for some signature formats, many signature formats require a target type number.

    This is the current list of available Target Types:

    - +
    Target TypeDescription
    @@ -160,6 +160,7 @@
    Target TypeDescription
    0any file
    1Portable Executable, both 32- and 64-bit
    2OLE2 containers, including specific macros. Primarily used by MS Office and MSI installation files
    11Flash files
    12Java class files
    +

    Important: HTML, ASCII, Javascript are all normalized:

      @@ -190,7 +191,7 @@

    ClamAV File Types are prefixed with CL_TYPE_. The following is an exhaustive list of all current file types.

    - +
    CL_TYPEDescription
    @@ -268,7 +269,7 @@
    CL_TYPEDescription
    CL_TYPE_7Z7-Zip Archive
    CL_TYPE_7ZSFXSelf-Extracting 7-Zip Archive
    CL_TYPE_APMDisk Image - Apple Partition Map
    CL_TYPE_ZIPZip Archive
    CL_TYPE_ZIPSFXSelf-Extracting Zip Archive
    - +

    Build Guides

    Configuration Guides

    Other

    diff -Nru clamav-0.103.6+dfsg/docs/html/community_resources/CompileClamAV_AmazonLinux2.txt clamav-0.103.8+dfsg/docs/html/community_resources/CompileClamAV_AmazonLinux2.txt --- clamav-0.103.6+dfsg/docs/html/community_resources/CompileClamAV_AmazonLinux2.txt 1970-01-01 00:00:00.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/community_resources/CompileClamAV_AmazonLinux2.txt 2023-02-13 00:03:34.000000000 +0000 
@@ -0,0 +1,53 @@
+# These are steps to compile ClamAV/ClamD on Amazon Linux 2 (could works also on other distro RHEL based)
+# Needed because on arm platform, EPEL repositories has been deprecated and it's not possible anymore to
+# install ClamAV in that WAY
+
+# TO DO
+# - Install or handle Rust, required for version 0.105
+
+cd
+pip3 install cmake pytest
+yum install systemd-devel bzip2-devel check-devel json-c-devel libcurl-devel libxml2-devel ncurses-devel openssl-devel pcre2-devel zlib-devel -y
+
+cd /usr/local/src/
+version=0.104.2
+wget https://www.clamav.net/downloads/production/clamav-$version.tar.gz
+tar -xzf clamav-$version.tar.gz
+cd clamav-$version/
+mkdir build && cd build
+cmake -DAPP_CONFIG_DIRECTORY=/etc/clamd.d -DENABLE_CLAMONACC=false -DENABLE_MILTER=false .. && cmake --build . && ctest && cmake --build . --target install
+
+rm -f /etc/clamd.d/clamd.conf
+rm -f /etc/clamd.d/freshclam.conf
+cp /etc/clamd.d/clamd.conf.sample /etc/clamd.d/clamd.conf
+cp /etc/clamd.d/freshclam.conf.sample /etc/clamd.d/freshclam.conf
+
+
+sed -i "s/^Example/#Example/g" /etc/clamd.d/clamd.conf
+sed -i "s@^#LocalSocket .*@LocalSocket /run/clamav/clamd.ctl@g" /etc/clamd.d/clamd.conf
+sed -i "s/^#LocalSocketGroup .*/LocalSocketGroup clamav/g" /etc/clamd.d/clamd.conf
+sed -i "s/^#LogFileMaxSize 2M/#LogFileMaxSize 20M/" /etc/clamd.d/clamd.conf
+sed -i "s/^#ScanPE yes/ScanPE no/" /etc/clamd.d/clamd.conf
+sed -i "s/^#DisableCertCheck yes/DisableCertCheck yes/" /etc/clamd.d/clamd.conf
+sed -i "s/^#MaxScanTime .*/MaxScanTime 5000/" /etc/clamd.d/clamd.conf
+
+
+sed -i "s/^Example/#Example/g" /etc/clamd.d/freshclam.conf
+sed -i "s/^#LogSyslog .*/LogSyslog yes/g" /etc/clamd.d/freshclam.conf
+
+
+groupadd -r clamav
+useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
+
+
+sed -i "s|^ExecStart=|Restart = always\nExecStart=|g" /usr/lib/systemd/system/clamav-daemon.service
+sed -i "s|^ExecStart=|Restart = always\nExecStart=|g" /usr/lib/systemd/system/clamav-freshclam.service
+
+
+systemctl enable clamav-freshclam
+systemctl enable clamav-daemon
+systemctl start clamav-freshclam
+sleep 30
+chown clamav:clamav /usr/local/share/clamav/
+systemctl start clamav-daemon
+
diff -Nru clamav-0.103.6+dfsg/docs/html/css/chrome.css clamav-0.103.8+dfsg/docs/html/css/chrome.css
--- clamav-0.103.6+dfsg/docs/html/css/chrome.css 2022-05-02 04:46:42.000000000 +0000
+++ clamav-0.103.8+dfsg/docs/html/css/chrome.css 2023-02-13 00:03:34.000000000 +0000
@@ -208,24 +208,63 @@ pre > .buttons { position: absolute; z-index: 100; - right: 5px; - top: 5px; + right: 0px; + top: 2px; + margin: 0px; + padding: 2px 0px; color: var(--sidebar-fg); cursor: pointer; + visibility: hidden; + opacity: 0; + transition: visibility 0.1s linear, opacity 0.1s linear; +} +pre:hover > .buttons { + visibility: visible; + opacity: 1 } pre > .buttons :hover { color: var(--sidebar-active); + border-color: var(--icons-hover); + background-color: var(--theme-hover); } pre > .buttons i { margin-left: 8px; } pre > .buttons button { - color: inherit; - background: transparent; - border: none; cursor: inherit; + margin: 0px 5px; + padding: 3px 5px; + font-size: 14px; + + border-style: solid; + border-width: 1px; + border-radius: 4px; + border-color: var(--icons); + background-color: var(--theme-popup-bg); + transition: 100ms; + transition-property: color,border-color,background-color; + color: var(--icons); +} +@media (pointer: coarse) { + pre > .buttons button { + /* On mobile, make it easier to tap buttons. */ + padding: 0.3rem 1rem; + } +} +pre > code { + padding: 1rem; +} + +/* FIXME: ACE editors overlap their buttons because ACE does absolute + positioning within the code block which breaks padding. The only solution I + can think of is to move the padding to the outer pre tag (or insert a div + wrapper), but that would require fixing a whole bunch of CSS rules. +*/ +.hljs.ace_editor { + padding: 0rem 0rem; } + pre > .result { margin-top: 10px; }
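Review bot: In CompileClamAV_AmazonLinux2.txt, the `sed` edits to `/etc/clamd.d/clamd.conf` set `ScanPE no` and uncomment `DisableCertCheck yes` without any explanation, so anyone who runs these steps as written ends up with clamd's PE-specific analysis and its Authenticode certificate checks switched off. Either drop those two lines or put a comment above them, for example `# Optional: disables PE analysis and certificate checks, reducing coverage of Windows executables; omit unless required`. The tarball fetched by `wget` is also unpacked and built (apparently as root, given the `yum` and `/usr/local/src` steps) with no integrity check; a step that verifies the download against the project's published signature before `tar -xzf` would fit here. The `LogFileMaxSize` substitution writes `#LogFileMaxSize 20M`, which leaves the option commented out and looks unintended.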
@@ -468,6 +507,8 @@ padding: 0; list-style: none; display: none; + /* Don't let the children's background extend past the rounded corners. */ + overflow: hidden; } .theme-popup .default { color: var(--icons); @@ -476,7 +517,7 @@ width: 100%; border: 0; margin: 0; - padding: 2px 10px; + padding: 2px 20px; line-height: 25px; white-space: nowrap; text-align: left; @@ -488,8 +529,10 @@ .theme-popup .theme:hover { background-color: var(--theme-hover); } -.theme-popup .theme:hover:first-child, -.theme-popup .theme:hover:last-child { - border-top-left-radius: inherit; - border-top-right-radius: inherit; + +.theme-selected::before { + display: inline-block; + content: "✓"; + margin-left: -14px; + width: 14px; } diff -Nru clamav-0.103.6+dfsg/docs/html/css/general.css clamav-0.103.8+dfsg/docs/html/css/general.css --- clamav-0.103.6+dfsg/docs/html/css/general.css 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/css/general.css 2023-02-13 00:03:34.000000000 +0000 @@ -22,8 +22,18 @@ } code { - font-family: "Source Code Pro", Consolas, "Ubuntu Mono", Menlo, "DejaVu Sans Mono", monospace, monospace !important; - font-size: 0.875em; /* please adjust the ace font size accordingly in editor.js */ + font-family: var(--mono-font) !important; + font-size: var(--code-font-size); +} + +/* make long words/inline code not x overflow */ +main { + overflow-wrap: break-word; +} + +/* make wide tables scroll if they overflow */ +.table-wrapper { + overflow-x: auto; } /* Don't change font size in headers. */ @@ -80,8 +90,7 @@ .content { overflow-y: auto; - padding: 0 15px; - padding-bottom: 50px; + padding: 0 5px 50px 5px; } .content main { margin-left: auto; 
@@ -139,6 +148,18 @@ border-bottom: .1em solid var(--quote-border); } +kbd { + background-color: var(--table-border-color); + border-radius: 4px; + border: solid 1px var(--theme-popup-border); + box-shadow: inset 0 -1px 0 var(--theme-hover); + display: inline-block; + font-size: var(--code-font-size); + font-family: var(--mono-font); + line-height: 10px; + padding: 4px 5px; + vertical-align: middle; +} :not(.footnote-definition) + .footnote-definition, .footnote-definition + :not(.footnote-definition) { diff -Nru clamav-0.103.6+dfsg/docs/html/faq/faq-eol.html clamav-0.103.8+dfsg/docs/html/faq/faq-eol.html --- clamav-0.103.6+dfsg/docs/html/faq/faq-eol.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/faq/faq-eol.html 2023-02-13 00:03:34.000000000 +0000 @@ -146,11 +146,12 @@

    Disclaimer: If this policy has to change due to a compatibility problem that prohibits the use of new detection technology, or impacts the stability of ClamAV infrastructure, we will announce the end of life for those versions four months before they become unsupported.

    Long Term Support (LTS) Feature Releases

    -

    ClamAV 0.103 is the first Long Term Support (LTS) feature release.

    +

    ClamAV 1.0 is the latest Long Term Support (LTS) feature release.

    +

    ClamAV 0.103 is the previous Long Term Support (LTS) feature release.

    LTS feature releases will be supported for at least three (3) years from the initial publication date of that LTS feature version. In other words, support for the LTS release "X.Y" starts when version "X.Y.0" is published and ends three years after.

    Each LTS feature release will be supported with critical patch versions and access to download signatures for the duration of the three year support period.

    A new LTS feature release will be identified approximately every two (2) years.

    -

    Users must stay up-to-date with the latest patch versions for continued support. As of November 3, that means version 0.103.4.

    +

    Users must stay up-to-date with the latest patch versions for continued support.

    Regular (non-LTS) Feature Releases

    Non-LTS feature releases will be supported with critical patch versions for at least four (4) months from the initial publication date of the next feature release or until the next-next feature release is published.

    Non-LTS feature releases will be allowed access to download signatures until at least four (4) months after the next-next feature release is published.

    @@ -207,15 +208,19 @@

    Note: This markdown table is generated from a spreadsheet using this tool.

    - - - +
    Feature releaseFirst PublishedLatest patch versionExpected End of Life (EOL)Signature load testing untilSignature FP testing untilDB downloads allowed untilPatch versions continue until
    0.104Sep-3 20210.104.10.106 + 4 months0.106 + 4 months0.106 + 4 months0.105 + 4 months, or 0.106
    0.103 LTSSep-14 20200.103.4Sep-14 2023Sep-14 20230.104 publishedSep-14 2023Sep-14 2023
    + + + + +
    Feature releaseFirst PublishedLatest patch versionExpected End of Life (EOL)Signature load testing untilSignature FP testing untilDB downloads allowed untilPatch versions continue until
    1.1TBDTBD1.3 + 4 months1.3 + 4 months1.2 published1.3 + 4 months1.2 + 4 months, or 1.3
    1.0 LTSNov-28 20221.0.0Nov-28 2025Nov-28 20251.1 publishedNov-28 2025Nov-28 2025
    0.105May-4 20220.105.01.1 + 4 months1.1 + 4 months1.0 published1.1 + 4 months1.0 + 4 months, or 1.1
    0.104Sep-3 20210.104.31.0 + 4 months1.0 + 4 months0.105 published1.0 + 4 months0.105 + 4 months, or 1.0
    0.103 LTSSep-14 20200.103.6Sep-14 2023Sep-14 20230.104 publishedSep-14 2023Sep-14 2023
    0.102Oct-2 20190.102.4Jan-3 2022 (0.104 + 4 mo.)Jan-3 2022Jan-3 2022
    0.101Dec-3 20180.101.5Jan-3 2022Jan-3 2022Jan-3 2022
    0.100Apr-9 20180.100.3Oct-29 2021Oct-29 2021Oct-29 2021
    0.99Dec-1 20150.99.4Mar-1 2021
    -

    Currently, every version from ClamAV 0.100 and down, including all patch versions, are unsupported, and are actively blocked from downloading new updates.

    + +

    Currently, every version from ClamAV 0.102 and down, including all patch versions, are unsupported, and are actively blocked from downloading new updates.

    Additional Detail About Critical Patch Support

    Like all bugs, security patches are first prepared for our upcoming feature release. Only security patches and other critical fixes or critical improvements are backported to previous feature releases.

    The ClamAV Team is small and can't afford to publish patch versions for every release. To keep up momentum crafting new features and other improvements, our policy is to backport no further than 1 or 2 of the latest feature releases plus the Long Term Support (LTS) feature releases.

    diff -Nru clamav-0.103.6+dfsg/docs/html/faq/faq-troubleshoot.html clamav-0.103.8+dfsg/docs/html/faq/faq-troubleshoot.html --- clamav-0.103.6+dfsg/docs/html/faq/faq-troubleshoot.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/faq/faq-troubleshoot.html 2023-02-13 00:03:34.000000000 +0000 @@ -178,6 +178,12 @@

    Please note that some not RFC compliant DNS servers (namely the one shipped with the Alcatel (now Thomson) SpeedTouch 510 modem) can't resolve TXT record. If that's the case, please recompile ClamAV with the flag --enable-dns-fix if using ./configure or -D ENABLE_FRESHCLAM_DNS_FIX=ON if using CMake.


    For other questions regarding issues with the signature databases, see our Virus Database FAQ.

    +

    ClamAV becomes unresponsive

    +

    ClamAV requires a lot of memory in order to function properly. It is particularly common in environments like Docker / Kubernetes for a container to lack the required memory needed for the clamd process to reload the databases after the daily signature update. This may cause the process to crash or become unresponsive. You can find more information here.

    +

    ClamAV stops responding after about 24 hours

    +

    ClamAV requires a lot of memory in order to function properly. It is particularly common in environments like Docker / Kubernetes for a container to lack the required memory needed for the clamd process to reload the databases after the daily signature update. This may cause the process to crash or become unresponsive. You can find more information here.

    +

    ClamAV crashes once each day

    +

    ClamAV requires a lot of memory in order to function properly. It is particularly common in environments like Docker / Kubernetes for a container to lack the required memory needed for the clamd process to reload the databases after the daily signature update. This may cause the process to crash or become unresponsive. You can find more information here.

    diff -Nru clamav-0.103.6+dfsg/docs/html/highlight.css clamav-0.103.8+dfsg/docs/html/highlight.css --- clamav-0.103.6+dfsg/docs/html/highlight.css 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/highlight.css 2023-02-13 00:03:34.000000000 +0000 @@ -61,7 +61,6 @@ overflow-x: auto; background: #f6f7f6; color: #000; - padding: 0.5em; } .hljs-emphasis { diff -Nru clamav-0.103.6+dfsg/docs/html/index.html clamav-0.103.8+dfsg/docs/html/index.html --- clamav-0.103.6+dfsg/docs/html/index.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/index.html 2023-02-13 00:03:34.000000000 +0000 @@ -82,7 +82,7 @@ @@ -295,22 +295,26 @@

    The following minimum recommended system requirements are for using ClamScan or ClamD applications with the standard ClamAV signature database provided by Cisco.

    Minimum recommended RAM for ClamAV:

    +
    +

    Tip: Server environments, like Docker, as well as and embedded runtime environments are often resource constrained. We recommend at 3-4 GiB of RAM, but you may get by with less if you're willing to accept some limitations. You can find more information here.

    +

    Minimum recommended CPU for ClamAV:

    Minimum available hard disk space required:

    -

    For the ClamAV application we recommend having 5 GB of free space available. This recommendation is in addition to the recommended disk space for each OS.

    +

    For the ClamAV application we recommend having 5 GiB of free space available. This recommendation is in addition to the recommended disk space for each OS.

    Note: The tests to determine these minimum requirements were performed on systems that were not running other applications. If other applications are being run on the system, additional resources will be required in addition to our recommended minimums.

    Mailing Lists and Chat

    +

    Mailing Lists

    If you have a trouble installing or using ClamAV try asking on our mailing lists. There are four lists available:

    -
  • clamav-binary (at) lists.clamav.net -
      -
    • discussion and announcements for package maintainers
    • -
    -
  • You can subscribe and search the mailing list archives here.

    -

    You can also join the community on our ClamAV Discord chat server.

    +

    To unsubscribe: Use the same form page that you used when you subscribed. Search at the bottom for "unsubscribe".

    +

    IMPORTANT: When you subscribe or unsubscribe, you will receive a confirmation email with a link that you must click on or else no action will occur. If you did not receive the confirmation email, check your spam folder.

    +

    Chat

    +

    You can join the community on our ClamAV Discord chat server.

    Submitting New or Otherwise Undetected Malware

    If you've got a virus which is not detected by the current version of ClamAV using the latest signature databases, please submit the sample for review at our website:

    https://www.clamav.net/reports/malware

    diff -Nru clamav-0.103.6+dfsg/docs/html/Introduction.html clamav-0.103.8+dfsg/docs/html/Introduction.html --- clamav-0.103.6+dfsg/docs/html/Introduction.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/Introduction.html 2023-02-13 00:03:34.000000000 +0000 @@ -295,22 +295,26 @@

    The following minimum recommended system requirements are for using ClamScan or ClamD applications with the standard ClamAV signature database provided by Cisco.

    Minimum recommended RAM for ClamAV:

    +
    +

    Tip: Server environments, like Docker, as well as and embedded runtime environments are often resource constrained. We recommend at 3-4 GiB of RAM, but you may get by with less if you're willing to accept some limitations. You can find more information here.

    +

    Minimum recommended CPU for ClamAV:

    Minimum available hard disk space required:

    -

    For the ClamAV application we recommend having 5 GB of free space available. This recommendation is in addition to the recommended disk space for each OS.

    +

    For the ClamAV application we recommend having 5 GiB of free space available. This recommendation is in addition to the recommended disk space for each OS.

    Note: The tests to determine these minimum requirements were performed on systems that were not running other applications. If other applications are being run on the system, additional resources will be required in addition to our recommended minimums.

    Mailing Lists and Chat

    +

    Mailing Lists

    If you have a trouble installing or using ClamAV try asking on our mailing lists. There are four lists available:

    -
  • clamav-binary (at) lists.clamav.net -
      -
    • discussion and announcements for package maintainers
    • -
    -
  • You can subscribe and search the mailing list archives here.

    -

    You can also join the community on our ClamAV Discord chat server.

    +

    To unsubscribe: Use the same form page that you used when you subscribed. Search at the bottom for "unsubscribe".

    +

    IMPORTANT: When you subscribe or unsubscribe, you will receive a confirmation email with a link that you must click on or else no action will occur. If you did not receive the confirmation email, check your spam folder.

    +

    Chat

    +

    You can join the community on our ClamAV Discord chat server.

    Submitting New or Otherwise Undetected Malware

    If you've got a virus which is not detected by the current version of ClamAV using the latest signature databases, please submit the sample for review at our website:

    https://www.clamav.net/reports/malware

    diff -Nru clamav-0.103.6+dfsg/docs/html/manual/Development/Contribute.html clamav-0.103.8+dfsg/docs/html/manual/Development/Contribute.html --- clamav-0.103.6+dfsg/docs/html/manual/Development/Contribute.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/manual/Development/Contribute.html 2023-02-13 00:03:34.000000000 +0000 @@ -383,10 +383,10 @@

    ClamAV signatures have a "Target Type" which is an integer type which can be used in signatures to limit signature matches to specific file types. ClamAV also categorizes signature patterns into two different Aho-Corasick pattern-matching trie's by Target Type. Target Type 1 (Windows executables (EXE/DLL/SYS/etc.) go in one trie, and everything else goes in the other trie. Unfortunately, not every file type has an associated target type. In addition, while it's conceivable to be able to add new text-based file types dynamically (see the above project idea about file type magic signatures), it is less feasible to dynamically add new numerical target types.

    For some advanced reading, see:

    -

    This project is to add a new "Type:" keyword to the TargetDescriptionBlock for Logical Signature (.ldb) to limit logical signature alerts to specific file types, much like you currently can do with Target Types ("Target:"), Container File Types ("Container:"), and Container Intermediate Types ("Intermediates:"). While this isn't expected to improve scan times, it should reduce overall signature size as analysts will no longer need to duplicate the file-type-magic signature in order to limit alerting on a signature match by file type.

    +

    This project is to add a new "FileTypes:" keyword to the TargetDescriptionBlock for Logical Signature (.ldb) to limit logical signature alerts to specific file types, much like you currently can do with Target Types ("Target:"), Container File Types ("Container:"), and Container Intermediate Types ("Intermediates:"). While this isn't expected to improve scan times, it should reduce overall signature size as analysts will no longer need to duplicate the file-type-magic signature in order to limit alerting on a signature match by file type.

    To illustrate, this is the file type magic signature for a Microsoft Shortcut File, aka CL_TYPE_LNK:

    0:0:4C0000000114020000000000C000000000000046:Microsoft Windows Shortcut File:CL_TYPE_ANY:CL_TYPE_LNK:100
     
    @@ -395,8 +395,13 @@
    SignatureName;Target:0;(0&1);0:4C0000000114020000000000C000000000000046;deadbeef
     

    After this change, the signature could instead read:

    -
    SignatureName;Target:0,Type:CL_TYPE_LNK;(0);deadbeef
    +
    SignatureName;Target:0,FileTypes:CL_TYPE_LNK;(0);deadbeef
     
    +

    Extending this, we would really like to build this new option to replace "Container" and "Intermediates". We would like to also specify parent file types, and use a logical condition supporting alternative file types for each layer.

    +

    Some examples:

    +

    Filetypes:(ZIP|RAR)>PDF to say "a PDF in a ZIP or a RAR"

    +

    Filetypes:(ZIP|RAR)>(PDF|HTML) to say "a PDF or HTML file in a ZIP or a RAR"

    +

    Filetypes:EML>ZIP>* to say "any file in a ZIP in an email"

    Category: Low-hanging Fruit, Core Development

    What you will learn from this project:

      @@ -406,7 +411,7 @@
      • C development experience.
      -

      Project Size: Small

      +

      Project Size: Medium

      libclamav Callback Function to Request Additional File

      Add a callback function to give libclamav file parsers the ability to request additional file data from the scanning application -- I.e. clamscan and clamd (and by extension clamdscan & clamonacc).

      This feature would enable support for split-archive scans, if all components of the split archive are present and available to the scanning application. To make this work for clamdscan+clamd, or clamonacc+clamd, the request would also have to be relayed by clamd over the socket API to the scanning client, and the client would have to respond with additional data, filepath, or file descriptor for clamd to provide via the callback to file parser.

      diff -Nru clamav-0.103.6+dfsg/docs/html/manual/Development/tips-and-tricks.html clamav-0.103.8+dfsg/docs/html/manual/Development/tips-and-tricks.html --- clamav-0.103.6+dfsg/docs/html/manual/Development/tips-and-tricks.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/manual/Development/tips-and-tricks.html 2023-02-13 00:03:34.000000000 +0000 @@ -217,8 +217,8 @@

      When using ClamAV without libclamav statically linked, if you set breakpoints on libclamav functions by name, you'll need to make sure to indicate that the breakpoints should be resolved after libraries have been loaded.

      For other documentation about how to use gdb, check out the following resources:

      Hunting for Memory Leaks

      You can easily hunt for memory leaks with valgrind. Check out this guide to get started: Valgrind Quick Start

      diff -Nru clamav-0.103.6+dfsg/docs/html/manual/Installing/Community-projects.html clamav-0.103.8+dfsg/docs/html/manual/Installing/Community-projects.html --- clamav-0.103.6+dfsg/docs/html/manual/Installing/Community-projects.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/manual/Installing/Community-projects.html 2023-02-13 00:03:34.000000000 +0000 @@ -283,13 +283,13 @@

      rust-clamav | libclamav

      Like clamav-rs. rust-clamav is a safe library for interacting with libclamav from Rust. The low-level C API is wrapped in idomatic and safe Rust code.

      Get rust-clamav

      +

      clamav-tcp | clamd

      +

      A simple to use TCP client for scanning files with ClamAV. This is not exactly a binding. It is a Rust crate for interacting with ClamD.

      +

      Get clamav-tcp

      Perl

      File::Scan::ClamAV | clamd

      A Perl module for interacting with ClamD. File::Scan::ClamAV will connect to a local Clam Anti-Virus clamd service and send commands.

      Get File::Scan::ClamAV

      -

      Mail::ClamAV | libclamav

      -

      Perl extension for the ClamAV virus scanner.

      -

      Get Mail::ClamAV

      Ruby

      Clamby | clamscan + freshclam

      Ruby binding for scanning file uploads using ClamScan. If you have a file upload on your site and you do not scan the files for viruses then you not only compromise your software, but also the users of the software and their files. This gem's function is to simply scan a given file.

      diff -Nru clamav-0.103.6+dfsg/docs/html/manual/Installing/Docker.html clamav-0.103.8+dfsg/docs/html/manual/Installing/Docker.html --- clamav-0.103.6+dfsg/docs/html/manual/Installing/Docker.html 2022-05-02 04:46:42.000000000 +0000 +++ clamav-0.103.8+dfsg/docs/html/manual/Installing/Docker.html 2023-02-13 00:03:34.000000000 +0000 @@ -141,6 +141,25 @@

      ClamAV in Docker

      ClamAV can be run within a Docker container. This provides isolation from other processes by running it in a containerized environment. If new or unfamiliar with Docker, containers or cgroups see docker.com.

      +

      Memory (RAM) Requirements

      +

      Whether you're using the official ClamAV docker images or third party images that run ClamAV, you will need to ensure that you have enough RAM.

      +

      Recommended RAM for ClamAV (As of 2020/09/20):

      +
        +
      • Minimum: 3 GiB
      • +
      • Preferred: 4 GiB
      • +
      +

      Why is this much RAM required?

      +

      ClamAV uses upwards of 1.2 GiB of RAM simply to load the signature definitions into matching structures in the construct we call an "engine". This does not take into account any RAM required to process the files during the scanning process.

      +

      ClamAV uses upwards of 2.4 GiB of RAM for a short period each day when loading new signature definitions. When the clamd processs reloads the databases after an update, the default behavior is for ClamAV to build a new engine based on the updated signatures first. Once loaded and once all scans that use the old engine have completed, the old engine is unloaded. This process is called "concurrent reloading" and enables scans to continue during the reload. As a consequence, clamd will use twice the amount of RAM for a brief period. During the reload.

      +

      The freshclam process may also consume a sizeable chunk of memory when load-testing newly downloaded databases. It won't use quite as much as a clamd database reload, but it may still be enough to cause issues on some systems.

      +

      If your container does not have enough RAM you can expect that the OS (or Docker) may kill your clamd process. Within Docker, this may cause your container to become unresponsive. If you're observing issues with ClamAV failing or becoming unresponsive once a day, it is likely that your system does not have enough RAM to run ClamAV.

      +

      What can I do to minimize RAM usage?

      +

      clamd reload memory usage

      +

      You can minimize clamd RAM usage by setting ConcurrentDatabaseReload no in clamd.conf.

      +

      The downside is that clamd will block any new scans until reload is complete.

      +

      freshclam memory usage

      +

      You can disable freshclam database load testing to minimize RAM usage by setting TestDatabases no in freshclam.conf.

      +

      The downside here is a risk that a download may fail in an unexpected way and that freshclam will unknowingly keep the broken database, causing clamd to fail to load/reload the broken file.

      The official images on Docker Hub

      ClamAV image tags on Docker Hub follow these naming conventions.

      All images come in two forms:

      @@ -185,7 +204,13 @@

      End of Life

      The ClamAV Docker images are subject to ClamAV's End-of-Life (EOL) policy. After EOL for a given feature release, those images will no longer be updated and may be unable to download signature updates.

      Building the ClamAV image

      -

      While it is recommended to pull the image from our Docker Hub registry, some may want to build the image locally instead. All that is needed is:

      +

      While it is recommended to pull the image from our Docker Hub registry, some may want to build the image locally instead.

      +

      To do this, you will need to get the Dockerfile and the supporting scripts/ directory from the clamav-docker Git repository. Be sure to select the correct one for this ClamAV release.

      +
      +

      Tip: For unreleased ClamAV versions, such as when building from the main git branch, you should select the files from the clamav-dockere/clamav/unstable/<distro> directory.

      +
      +

      Place the Dockerfile and scripts/ directory in the ClamAV source directory. +Then you can build the image. For example, run:

      docker build --tag "clamav:TICKET-123" .
       

      in the current directory. This will build the ClamAV image and tag it with the name "clamav:TICKET-123". Any name can generally be used and it is this name that needs to be referred to later when running the image.

      @@ -213,6 +238,9 @@

      Tip: It's common to see -it instead of --interactive --tty.

      +
      +

      Tip: It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command

      +

      Running ClamD using a Locally Built Image

      You can run a container using an image built locally (see "Building the ClamAV Image"). Just run:

      docker run -it --rm \
      @@ -335,9 +363,12 @@
       
      docker exec --interactive --tty "clamav_container_01" /bin/sh
       

      Unix sockets

      -

      The default socket for clamd is located inside the container as /run/clamav/clamd.sock and can be connected to when exposed via a Docker volume mount. To ensure, that clamd within the container can freely create and remove the socket, the path for the socket is to be volume-mounted, to expose it for others on the same host to use. The following volume can be used for this purpose. Do ensure that the directory on the host actually exists and clamav inside the container has permission to access it. Caution is required when managing permissions, as incorrect permission could open clamd for anyone on the host system.

      -
          --mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/
      +

      The default socket for clamd is located inside the container as /tmp/clamd.sock and can be connected to when exposed via a Docker volume mount. To ensure, that clamd within the container can freely create and remove the socket, the path for the socket is to be volume-mounted, to expose it for others on the same host to use. The following volume can be used for this purpose. Do ensure that the directory on the host actually exists and clamav inside the container has permission to access it. Caution is required when managing permissions, as incorrect permission could open clamd for anyone on the host system.

      +
          --mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/tmp/
       
      +
      +

      Note: If you override the LocalSocket option with a custom clamd.conf config file, then you may find the clamd.sock file in a different location.

      +

      With the socket exposed to the host, any other service can now talk to clamd as well. If for example clamdtop where installed on the local host, calling

      clamdtop "/var/lib/docker/data/clamav/sockets/clamd.sock"
       
      @@ -369,8 +400,8 @@

      Performance

      The performance impact of running clamd in Docker is negligible. Docker is in essence just a wrapper around Linux's cgroups and cgroups can be thought of as chroot or FreeBSD's jail. All code is executed on the host without any translation. Docker does however do some isolation (through cgroups) to isolate the various systems somewhat.

      Of course, nothing in life is free, and so there is some overhead. Disk-space being the most prominent one. The Docker container might have some duplication of files for example between the host and the container. Further more, also RAM memory may be duplicated for each instance, as there is no RAM-deduplication. Both of which can be solved on the host however. A filesystem that supports disk-deduplication and a memory manager that does RAM-deduplication.

      -

      The base container in itself is already very small ~16 MiB, at the time of thiswriting, this cost is still very tiny, where the advantages are very much worththe cost in general.

      -

      The container including the virus database is about ~240 MiB at the time of this writing.

      +

      The base container image in itself is already quite small 80 / 225 MB (compressed/uncompressed) at the time of this writing, this cost is still very tiny, where the advantages are very much worth the cost in general.

      +

      The container including the virus database is about 300 / 456 MB (compressed/uncompressed) at the time of this writing.

      Bandwidth

      Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.

      Advanced container configurations

      diff -Nru clamav-0.103.6+dfsg/docs/html/manual/Installing/Installing-from-source-Unix.html clamav-0.103.8+dfsg/docs/html/manual/Installing/Installing-from-source-Unix.html
      --- clamav-0.103.6+dfsg/docs/html/manual/Installing/Installing-from-source-Unix.html 2022-05-02 04:46:42.000000000 +0000
      +++ clamav-0.103.8+dfsg/docs/html/manual/Installing/Installing-from-source-Unix.html 2023-02-13 00:03:34.000000000 +0000
      @@ -183,7 +183,7 @@

      Install prerequisites

      -

      Note: Many of the instructions below rely on Python 3's Pip package manager to install CMake. This is because many distributions do not provide a new enough version of CMake required to build ClamAV.

      +

      Note: Some of the instructions below rely on Python 3's Pip package manager to install CMake. This is because some distributions do not provide a new enough version of CMake required to build ClamAV.

      Tip: The Python 3 pytest package is recommended in the instructions below in case the unit tests fail so that the test output is easy to read. You're welcome to skip it. However, if you have Python 2's pytest installed but not Python 3's pytest, the tests may fail to run.

      @@ -235,17 +235,15 @@

      As root or with sudo, run:

      zypper install -y \
         `# install tools` \
      -  gcc gcc-c++ make python3 python3-pip valgrind \
      +  gcc gcc-c++ make python3 valgrind \
         `# install clamav dependencies` \
         libbz2-devel check-devel libjson-c-devel libcurl-devel libxml2-devel \
      -  ncurses-devel libopenssl-devel pcre2-devel sendmail-devel zlib-devel
      -
      -

      As a regular user, run:

      -
      python3 -m pip install --user cmake pytest
      +  ncurses-devel libopenssl-devel pcre2-devel sendmail-devel zlib-devel \
      +  cmake python-pytest
       
      -

      Tip: If you don't have a user account, e.g. in a Docker container, run:

      -
      python3 -m pip install cmake pytest
      +

      Tip: If you you're on an older release and if the cmake provided by your release is too old, then you may need to remove cmake, install python3-pip, and then install cmake like this:

      +
      python3 -m pip install --user cmake
       

      Version 0.105+: install the Rust toolchain. The best option is to install the Rust toolchain using rustup your Rust toolchain. openSUSE users that are unable or unwilling to use rustup may have luck with:

      @@ -258,14 +256,12 @@ gcc make pkg-config python3 python3-pip python3-pytest valgrind \ `# install clamav dependencies` \ check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev \ - libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev -
      -

      As a regular user, run:

      -
      python3 -m pip install --user cmake
      +  libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev \
      +  cmake python-pytest
       
      -

      Tip: If you don't have a user account, e.g. in a Docker container, run:

      -
      python3 -m pip install cmake
      +

      Tip: If you you're on an older release and if the cmake provided by your release is too old, then you may need to remove cmake, install python3-pip, and then install cmake like this:

      +
      python3 -m pip install --user cmake
       

      Version 0.105+: install the Rust toolchain. The best option is to install the Rust toolchain using rustup your Rust toolchain. Debian users are unlikely to find an adequate Rust toolchain through the distribution's package manager. Ubuntu users will have better luck. At the time of writing, even Ubuntu 18.04 appears to have relatively recent Rust tools available (1.57.0, where the latest security patch for rustc is version 1.58.1). Debian and Ubuntu users may install the Rust toolchain with:

      diff -Nru clamav-0.103.6+dfsg/docs/html/manual/Installing/Packages.html clamav-0.103.8+dfsg/docs/html/manual/Installing/Packages.html
      --- clamav-0.103.6+dfsg/docs/html/manual/Installing/Packages.html 2022-05-02 04:46:42.000000000 +0000
      +++ clamav-0.103.8+dfsg/docs/html/manual/Installing/Packages.html 2023-02-13 00:03:34.000000000 +0000
      @@ -286,16 +286,20 @@

      FreeBSD offers two ClamAV ports (packages):

      • clamav
      • -
      • clamav-devel
      • +
      • clamav-lts

      To install, run:

      pkg install clamav
       
      +

      and

      +
      pkg install clamav-lts
      +
      +

      respectively.

      Note: For more details, see:

      • https://www.freshports.org/security/clamav
      • -
      • https://www.freshports.org/security/clamav-devel
      • +
      • https://www.freshports.org/security/clamav-lts

      OpenBSD

    diff -Nru clamav-0.103.6+dfsg/docs/html/manual/Signatures/PhishSigs.html clamav-0.103.8+dfsg/docs/html/manual/Signatures/PhishSigs.html
    --- clamav-0.103.6+dfsg/docs/html/manual/Signatures/PhishSigs.html 2022-05-02 04:46:42.000000000 +0000
    +++ clamav-0.103.8+dfsg/docs/html/manual/Signatures/PhishSigs.html 2023-02-13 00:03:34.000000000 +0000
    @@ -631,7 +631,7 @@

    Flags

    Flags are a binary OR of the following numbers:

    - +
    FlagValue
    @@ -643,6 +643,7 @@
    FlagValue
    HOST_SUFFICIENT1
    DOMAIN_SUFFICIENT2
    DO_REVERSE_LOOKUP4
    CHECK_IMG_URL256
    DOMAINLIST_REQUIRED512
    +

    The names of the constants are self-explanatory.

    These constants are defined in libclamav/phishcheck.h, you can check there for the latest flags.

    There is a default set of flags that are enabled, these are currently:

    diff -Nru clamav-0.103.6+dfsg/docs/html/print.html clamav-0.103.8+dfsg/docs/html/print.html
    --- clamav-0.103.6+dfsg/docs/html/print.html 2022-05-02 04:46:42.000000000 +0000
    +++ clamav-0.103.8+dfsg/docs/html/print.html 2023-02-13 00:03:34.000000000 +0000
    @@ -296,22 +296,26 @@

    The following minimum recommended system requirements are for using ClamScan or ClamD applications with the standard ClamAV signature database provided by Cisco.

    Minimum recommended RAM for ClamAV:

      -
    • FreeBSD and Linux server edition: 2 GiB+
    • -
    • Linux non-server edition: 2 GiB+
    • -
    • Windows 7 & 10 32-bit: 2 GiB+
    • +
    • FreeBSD and Linux server edition: 3 GiB+
    • +
    • Linux non-server edition: 3 GiB+
    • +
    • Windows 7 & 10 32-bit: 3 GiB+
    • Windows 7 & 10 64-bit: 3 GiB+
    • macOS: 3 GiB+
    +
    +

    Tip: Server environments, like Docker, as well as and embedded runtime environments are often resource constrained. We recommend at 3-4 GiB of RAM, but you may get by with less if you're willing to accept some limitations. You can find more information here.

    +

    Minimum recommended CPU for ClamAV:

    • 1 CPU at 2.0 Ghz+

    Minimum available hard disk space required:

    -

    For the ClamAV application we recommend having 5 GB of free space available. This recommendation is in addition to the recommended disk space for each OS.

    +

    For the ClamAV application we recommend having 5 GiB of free space available. This recommendation is in addition to the recommended disk space for each OS.

    Note: The tests to determine these minimum requirements were performed on systems that were not running other applications. If other applications are being run on the system, additional resources will be required in addition to our recommended minimums.

    Mailing Lists and Chat

    +

    Mailing Lists

    If you have a trouble installing or using ClamAV try asking on our mailing lists. There are four lists available:

    • clamav-announce (at) lists.clamav.net
    @@ -335,14 +339,12 @@
    • database update announcements, moderated
    -
  • clamav-binary (at) lists.clamav.net -
      -
    • discussion and announcements for package maintainers
    • -
    -
  • You can subscribe and search the mailing list archives here.

    -

    You can also join the community on our ClamAV Discord chat server.

    +

    To unsubscribe: Use the same form page that you used when you subscribed. Search at the bottom for "unsubscribe".

    +

    IMPORTANT: When you subscribe or unsubscribe, you will receive a confirmation email with a link that you must click on or else no action will occur. If you did not receive the confirmation email, check your spam folder.

    +

    Chat

    +

    You can join the community on our ClamAV Discord chat server.

    Submitting New or Otherwise Undetected Malware

    If you've got a virus which is not detected by the current version of ClamAV using the latest signature databases, please submit the sample for review at our website:

    https://www.clamav.net/reports/malware

    @@ -597,16 +599,20 @@

    FreeBSD offers two ClamAV ports (packages):

    • clamav
    • -
    • clamav-devel
    • +
    • clamav-lts

    To install, run:

    pkg install clamav
     
    +

    and

    +
    pkg install clamav-lts
    +
    +

    respectively.

    Note: For more details, see:

    • https://www.freshports.org/security/clamav
    • -
    • https://www.freshports.org/security/clamav-devel
    • +
    • https://www.freshports.org/security/clamav-lts

    OpenBSD

    @@ -664,6 +670,25 @@

    If you wish to run clamd you'll also need to create /opt/local/etc/clamd.conf from /opt/local/etc/clamd.conf.sample, and configure clamd.conf with Local/Unix socket settings (preferred), or TCP socket settings.

    ClamAV in Docker

    ClamAV can be run within a Docker container. This provides isolation from other processes by running it in a containerized environment. If new or unfamiliar with Docker, containers or cgroups see docker.com.

    +

    Memory (RAM) Requirements

    +

    Whether you're using the official ClamAV docker images or third party images that run ClamAV, you will need to ensure that you have enough RAM.

    +

    Recommended RAM for ClamAV (As of 2020/09/20):

    +
      +
    • Minimum: 3 GiB
    • +
    • Preferred: 4 GiB
    • +
    +

    Why is this much RAM required?

    +

    ClamAV uses upwards of 1.2 GiB of RAM simply to load the signature definitions into matching structures in the construct we call an "engine". This does not take into account any RAM required to process the files during the scanning process.

    +

    ClamAV uses upwards of 2.4 GiB of RAM for a short period each day when loading new signature definitions. When the clamd processs reloads the databases after an update, the default behavior is for ClamAV to build a new engine based on the updated signatures first. Once loaded and once all scans that use the old engine have completed, the old engine is unloaded. This process is called "concurrent reloading" and enables scans to continue during the reload. As a consequence, clamd will use twice the amount of RAM for a brief period. During the reload.

    +

    The freshclam process may also consume a sizeable chunk of memory when load-testing newly downloaded databases. It won't use quite as much as a clamd database reload, but it may still be enough to cause issues on some systems.

    +

    If your container does not have enough RAM you can expect that the OS (or Docker) may kill your clamd process. Within Docker, this may cause your container to become unresponsive. If you're observing issues with ClamAV failing or becoming unresponsive once a day, it is likely that your system does not have enough RAM to run ClamAV.

    +

    What can I do to minimize RAM usage?

    +

    clamd reload memory usage

    +

    You can minimize clamd RAM usage by setting ConcurrentDatabaseReload no in clamd.conf.

    +

    The downside is that clamd will block any new scans until reload is complete.

    +

    freshclam memory usage

    +

    You can disable freshclam database load testing to minimize RAM usage by setting TestDatabases no in freshclam.conf.

    +

    The downside here is a risk that a download may fail in an unexpected way and that freshclam will unknowingly keep the broken database, causing clamd to fail to load/reload the broken file.

    The official images on Docker Hub

    ClamAV image tags on Docker Hub follow these naming conventions.

    All images come in two forms:

    @@ -708,7 +733,13 @@

    End of Life

    The ClamAV Docker images are subject to ClamAV's End-of-Life (EOL) policy. After EOL for a given feature release, those images will no longer be updated and may be unable to download signature updates.

    Building the ClamAV image

    -

    While it is recommended to pull the image from our Docker Hub registry, some may want to build the image locally instead. All that is needed is:

    +

    While it is recommended to pull the image from our Docker Hub registry, some may want to build the image locally instead.

    +

    To do this, you will need to get the Dockerfile and the supporting scripts/ directory from the clamav-docker Git repository. Be sure to select the correct one for this ClamAV release.

    +
    +

    Tip: For unreleased ClamAV versions, such as when building from the main git branch, you should select the files from the clamav-dockere/clamav/unstable/<distro> directory.

    +
    +

    Place the Dockerfile and scripts/ directory in the ClamAV source directory. +Then you can build the image. For example, run:

    docker build --tag "clamav:TICKET-123" .
     

    in the current directory. This will build the ClamAV image and tag it with the name "clamav:TICKET-123". Any name can generally be used and it is this name that needs to be referred to later when running the image.

    @@ -736,6 +767,9 @@

    Tip: It's common to see -it instead of --interactive --tty.

    +
    +

    Tip: It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command

    +

    Running ClamD using a Locally Built Image

    You can run a container using an image built locally (see "Building the ClamAV Image"). Just run:

    docker run -it --rm \
    @@ -858,9 +892,12 @@
     
    docker exec --interactive --tty "clamav_container_01" /bin/sh
     

    Unix sockets

    -

    The default socket for clamd is located inside the container as /run/clamav/clamd.sock and can be connected to when exposed via a Docker volume mount. To ensure, that clamd within the container can freely create and remove the socket, the path for the socket is to be volume-mounted, to expose it for others on the same host to use. The following volume can be used for this purpose. Do ensure that the directory on the host actually exists and clamav inside the container has permission to access it. Caution is required when managing permissions, as incorrect permission could open clamd for anyone on the host system.

    -
        --mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/
    +

    The default socket for clamd is located inside the container as /tmp/clamd.sock and can be connected to when exposed via a Docker volume mount. To ensure, that clamd within the container can freely create and remove the socket, the path for the socket is to be volume-mounted, to expose it for others on the same host to use. The following volume can be used for this purpose. Do ensure that the directory on the host actually exists and clamav inside the container has permission to access it. Caution is required when managing permissions, as incorrect permission could open clamd for anyone on the host system.

    +
        --mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/tmp/
     
    +
    +

    Note: If you override the LocalSocket option with a custom clamd.conf config file, then you may find the clamd.sock file in a different location.

    +

    With the socket exposed to the host, any other service can now talk to clamd as well. If for example clamdtop where installed on the local host, calling

    clamdtop "/var/lib/docker/data/clamav/sockets/clamd.sock"
     
    @@ -892,8 +929,8 @@

    Performance

    The performance impact of running clamd in Docker is negligible. Docker is in essence just a wrapper around Linux's cgroups and cgroups can be thought of as chroot or FreeBSD's jail. All code is executed on the host without any translation. Docker does however do some isolation (through cgroups) to isolate the various systems somewhat.

    Of course, nothing in life is free, and so there is some overhead. Disk-space being the most prominent one. The Docker container might have some duplication of files for example between the host and the container. Further more, also RAM memory may be duplicated for each instance, as there is no RAM-deduplication. Both of which can be solved on the host however. A filesystem that supports disk-deduplication and a memory manager that does RAM-deduplication.

    -

    The base container in itself is already very small ~16 MiB, at the time of thiswriting, this cost is still very tiny, where the advantages are very much worththe cost in general.

    -

    The container including the virus database is about ~240 MiB at the time of this writing.

    +

    The base container image in itself is already quite small 80 / 225 MB (compressed/uncompressed) at the time of this writing, this cost is still very tiny, where the advantages are very much worth the cost in general.

    +

    The container including the virus database is about 300 / 456 MB (compressed/uncompressed) at the time of this writing.

    Bandwidth

    Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.

    Advanced container configurations

    @@ -981,7 +1018,7 @@

    Install prerequisites

    -

    Note: Many of the instructions below rely on Python 3's Pip package manager to install CMake. This is because many distributions do not provide a new enough version of CMake required to build ClamAV.

    +

    Note: Some of the instructions below rely on Python 3's Pip package manager to install CMake. This is because some distributions do not provide a new enough version of CMake required to build ClamAV.

    Tip: The Python 3 pytest package is recommended in the instructions below in case the unit tests fail so that the test output is easy to read. You're welcome to skip it. However, if you have Python 2's pytest installed but not Python 3's pytest, the tests may fail to run.

    @@ -1033,17 +1070,15 @@

    As root or with sudo, run:

    zypper install -y \
       `# install tools` \
    -  gcc gcc-c++ make python3 python3-pip valgrind \
    +  gcc gcc-c++ make python3 valgrind \
       `# install clamav dependencies` \
       libbz2-devel check-devel libjson-c-devel libcurl-devel libxml2-devel \
    -  ncurses-devel libopenssl-devel pcre2-devel sendmail-devel zlib-devel
    -
    -

    As a regular user, run:

    -
    python3 -m pip install --user cmake pytest
    +  ncurses-devel libopenssl-devel pcre2-devel sendmail-devel zlib-devel \
    +  cmake python-pytest
     
    -

    Tip: If you don't have a user account, e.g. in a Docker container, run:

    -
    python3 -m pip install cmake pytest
    +

    Tip: If you you're on an older release and if the cmake provided by your release is too old, then you may need to remove cmake, install python3-pip, and then install cmake like this:

    +
    python3 -m pip install --user cmake
     

    Version 0.105+: install the Rust toolchain. The best option is to install the Rust toolchain using rustup your Rust toolchain. openSUSE users that are unable or unwilling to use rustup may have luck with:

    @@ -1056,14 +1091,12 @@ gcc make pkg-config python3 python3-pip python3-pytest valgrind \ `# install clamav dependencies` \ check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev \ - libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev -
    -

    As a regular user, run:

    -
    python3 -m pip install --user cmake
    +  libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev \
    +  cmake python-pytest
     
    -

    Tip: If you don't have a user account, e.g. in a Docker container, run:

    -
    python3 -m pip install cmake
    +

    Tip: If you you're on an older release and if the cmake provided by your release is too old, then you may need to remove cmake, install python3-pip, and then install cmake like this:

    +
    python3 -m pip install --user cmake
     

    Version 0.105+: install the Rust toolchain. The best option is to install the Rust toolchain using rustup your Rust toolchain. Debian users are unlikely to find an adequate Rust toolchain through the distribution's package manager. Ubuntu users will have better luck. At the time of writing, even Ubuntu 18.04 appears to have relatively recent Rust tools available (1.57.0, where the latest security patch for rustc is version 1.58.1). Debian and Ubuntu users may install the Rust toolchain with:

    @@ -1735,13 +1768,13 @@

    rust-clamav | libclamav

    Like clamav-rs. rust-clamav is a safe library for interacting with libclamav from Rust. The low-level C API is wrapped in idomatic and safe Rust code.

    Get rust-clamav

    +

    clamav-tcp | clamd

    +

    A simple to use TCP client for scanning files with ClamAV. This is not exactly a binding. It is a Rust crate for interacting with ClamD.

    +

    Get clamav-tcp

    Perl

    File::Scan::ClamAV | clamd

    A Perl module for interacting with ClamD. File::Scan::ClamAV will connect to a local Clam Anti-Virus clamd service and send commands.

    Get File::Scan::ClamAV

    -

    Mail::ClamAV | libclamav

    -

    Perl extension for the ClamAV virus scanner.

    -

    Get Mail::ClamAV

    Ruby

    Clamby | clamscan + freshclam

    Ruby binding for scanning file uploads using ClamScan. If you have a file upload on your site and you do not scan the files for viruses then you not only compromise your software, but also the users of the software and their files. This gem's function is to simply scan a given file.

    @@ -4213,7 +4246,7 @@

    Flags

    Flags are a binary OR of the following numbers:

    - +
    FlagValue
    @@ -4225,6 +4258,7 @@
    FlagValue
    HOST_SUFFICIENT1
    DOMAIN_SUFFICIENT2
    DO_REVERSE_LOOKUP4
    CHECK_IMG_URL256
    DOMAINLIST_REQUIRED512
    +

    The names of the constants are self-explanatory.

    These constants are defined in libclamav/phishcheck.h, you can check there for the latest flags.

    There is a default set of flags that are enabled, these are currently:

    @@ -5351,8 +5385,8 @@

    When using ClamAV without libclamav statically linked, if you set breakpoints on libclamav functions by name, you'll need to make sure to indicate that the breakpoints should be resolved after libraries have been loaded.

    For other documentation about how to use gdb, check out the following resources:

    Hunting for Memory Leaks

    You can easily hunt for memory leaks with valgrind. Check out this guide to get started: Valgrind Quick Start

    @@ -6158,10 +6192,10 @@

    ClamAV signatures have a "Target Type" which is an integer type which can be used in signatures to limit signature matches to specific file types. ClamAV also categorizes signature patterns into two different Aho-Corasick pattern-matching trie's by Target Type. Target Type 1 (Windows executables (EXE/DLL/SYS/etc.) go in one trie, and everything else goes in the other trie. Unfortunately, not every file type has an associated target type. In addition, while it's conceivable to be able to add new text-based file types dynamically (see the above project idea about file type magic signatures), it is less feasible to dynamically add new numerical target types.

    For some advanced reading, see:

    -

    This project is to add a new "Type:" keyword to the TargetDescriptionBlock for Logical Signature (.ldb) to limit logical signature alerts to specific file types, much like you currently can do with Target Types ("Target:"), Container File Types ("Container:"), and Container Intermediate Types ("Intermediates:"). While this isn't expected to improve scan times, it should reduce overall signature size as analysts will no longer need to duplicate the file-type-magic signature in order to limit alerting on a signature match by file type.

    +

    This project is to add a new "FileTypes:" keyword to the TargetDescriptionBlock for Logical Signature (.ldb) to limit logical signature alerts to specific file types, much like you currently can do with Target Types ("Target:"), Container File Types ("Container:"), and Container Intermediate Types ("Intermediates:"). While this isn't expected to improve scan times, it should reduce overall signature size as analysts will no longer need to duplicate the file-type-magic signature in order to limit alerting on a signature match by file type.

    To illustrate, this is the file type magic signature for a Microsoft Shortcut File, aka CL_TYPE_LNK:

    0:0:4C0000000114020000000000C000000000000046:Microsoft Windows Shortcut File:CL_TYPE_ANY:CL_TYPE_LNK:100
     
    @@ -6170,8 +6204,13 @@
    SignatureName;Target:0;(0&1);0:4C0000000114020000000000C000000000000046;deadbeef
     

    After this change, the signature could instead read:

    -
    SignatureName;Target:0,Type:CL_TYPE_LNK;(0);deadbeef
    +
    SignatureName;Target:0,FileTypes:CL_TYPE_LNK;(0);deadbeef
     
    +

    Extending this, we would really like to build this new option to replace "Container" and "Intermediates". We would like to also specify parent file types, and use a logical condition supporting alternative file types for each layer.

    +

    Some examples:

    +

    Filetypes:(ZIP|RAR)>PDF to say "a PDF in a ZIP or a RAR"

    +

    Filetypes:(ZIP|RAR)>(PDF|HTML) to say "a PDF or HTML file in a ZIP or a RAR"

    +

    Filetypes:EML>ZIP>* to say "any file in a ZIP in an email"

    Category: Low-hanging Fruit, Core Development

    What you will learn from this project:

      @@ -6181,7 +6220,7 @@
      • C development experience.
      -

      Project Size: Small

      +

      Project Size: Medium

      libclamav Callback Function to Request Additional File

      Add a callback function to give libclamav file parsers the ability to request additional file data from the scanning application -- I.e. clamscan and clamd (and by extension clamdscan & clamonacc).

      This feature would enable support for split-archive scans, if all components of the split archive are present and available to the scanning application. To make this work for clamdscan+clamd, or clamonacc+clamd, the request would also have to be relayed by clamd over the socket API to the scanning client, and the client would have to respond with additional data, filepath, or file descriptor for clamd to provide via the callback to file parser.

      @@ -6486,6 +6525,12 @@

      Please note that some not RFC compliant DNS servers (namely the one shipped with the Alcatel (now Thomson) SpeedTouch 510 modem) can't resolve TXT record. If that's the case, please recompile ClamAV with the flag --enable-dns-fix if using ./configure or -D ENABLE_FRESHCLAM_DNS_FIX=ON if using CMake.


      For other questions regarding issues with the signature databases, see our Virus Database FAQ.

      +

      ClamAV becomes unresponsive

      +

      ClamAV requires a lot of memory in order to function properly. It is particularly common in environments like Docker / Kubernetes for a container to lack the required memory needed for the clamd process to reload the databases after the daily signature update. This may cause the process to crash or become unresponsive. You can find more information here.

      +

      ClamAV stops responding after about 24 hours

      +

      ClamAV requires a lot of memory in order to function properly. It is particularly common in environments like Docker / Kubernetes for a container to lack the required memory needed for the clamd process to reload the databases after the daily signature update. This may cause the process to crash or become unresponsive. You can find more information here.

      +

      ClamAV crashes once each day

      +

      ClamAV requires a lot of memory in order to function properly. It is particularly common in environments like Docker / Kubernetes for a container to lack the required memory needed for the clamd process to reload the databases after the daily signature update. This may cause the process to crash or become unresponsive. You can find more information here.

      Interpreting Scan Alerts FAQ

      If you're unable to find an answer to your question in our FAQ, you can seek help in our clamav-users mailing list, on our Discord server, or by submitting an issue on GitHub. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.

      Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to our documentation source repository.

      @@ -6961,11 +7006,12 @@

      Disclaimer: If this policy has to change due to a compatibility problem that prohibits the use of new detection technology, or impacts the stability of ClamAV infrastructure, we will announce the end of life for those versions four months before they become unsupported.

      Long Term Support (LTS) Feature Releases

      -

      ClamAV 0.103 is the first Long Term Support (LTS) feature release.

      +

      ClamAV 1.0 is the latest Long Term Support (LTS) feature release.

      +

      ClamAV 0.103 is the previous Long Term Support (LTS) feature release.

      LTS feature releases will be supported for at least three (3) years from the initial publication date of that LTS feature version. In other words, support for the LTS release "X.Y" starts when version "X.Y.0" is published and ends three years after.

      Each LTS feature release will be supported with critical patch versions and access to download signatures for the duration of the three year support period.

      A new LTS feature release will be identified approximately every two (2) years.

      -

      Users must stay up-to-date with the latest patch versions for continued support. As of November 3, that means version 0.103.4.

      +

      Users must stay up-to-date with the latest patch versions for continued support.

      Regular (non-LTS) Feature Releases

      Non-LTS feature releases will be supported with critical patch versions for at least four (4) months from the initial publication date of the next feature release or until the next-next feature release is published.

      Non-LTS feature releases will be allowed access to download signatures until at least four (4) months after the next-next feature release is published.

      @@ -7022,15 +7068,19 @@

      Note: This markdown table is generated from a spreadsheet using this tool.

      - - - +
      Feature releaseFirst PublishedLatest patch versionExpected End of Life (EOL)Signature load testing untilSignature FP testing untilDB downloads allowed untilPatch versions continue until
      0.104Sep-3 20210.104.10.106 + 4 months0.106 + 4 months0.106 + 4 months0.105 + 4 months, or 0.106
      0.103 LTSSep-14 20200.103.4Sep-14 2023Sep-14 20230.104 publishedSep-14 2023Sep-14 2023
      + + + + +
      Feature releaseFirst PublishedLatest patch versionExpected End of Life (EOL)Signature load testing untilSignature FP testing untilDB downloads allowed untilPatch versions continue until
      1.1TBDTBD1.3 + 4 months1.3 + 4 months1.2 published1.3 + 4 months1.2 + 4 months, or 1.3
      1.0 LTSNov-28 20221.0.0Nov-28 2025Nov-28 20251.1 publishedNov-28 2025Nov-28 2025
      0.105May-4 20220.105.01.1 + 4 months1.1 + 4 months1.0 published1.1 + 4 months1.0 + 4 months, or 1.1
      0.104Sep-3 20210.104.31.0 + 4 months1.0 + 4 months0.105 published1.0 + 4 months0.105 + 4 months, or 1.0
      0.103 LTSSep-14 20200.103.6Sep-14 2023Sep-14 20230.104 publishedSep-14 2023Sep-14 2023
      0.102Oct-2 20190.102.4Jan-3 2022 (0.104 + 4 mo.)Jan-3 2022Jan-3 2022
      0.101Dec-3 20180.101.5Jan-3 2022Jan-3 2022Jan-3 2022
      0.100Apr-9 20180.100.3Oct-29 2021Oct-29 2021Oct-29 2021
      0.99Dec-1 20150.99.4Mar-1 2021
      -

      Currently, every version from ClamAV 0.100 and down, including all patch versions, are unsupported, and are actively blocked from downloading new updates.

      + +

      Currently, every version from ClamAV 0.102 and down, including all patch versions, are unsupported, and are actively blocked from downloading new updates.

      Additional Detail About Critical Patch Support

      Like all bugs, security patches are first prepared for our upcoming feature release. Only security patches and other critical fixes or critical improvements are backported to previous feature releases.

      The ClamAV Team is small and can't afford to publish patch versions for every release. To keep up momentum crafting new features and other improvements, our policy is to backport no further than 1 or 2 of the latest feature releases plus the Long Term Support (LTS) feature releases.

      @@ -7069,7 +7119,7 @@

      Build Guides

        -
      • +
      • Compile ClamAV on Amazon Linux 2: Needed because on ARM platform, EPEL repositories has been deprecated and it's not possible anymore to install ClamAV in that WAY.

      Configuration Guides

        @@ -7081,7 +7131,7 @@

      Other

      Appendix

        @@ -7092,7 +7142,7 @@

      Terminology

      General Terminology

      - +
      TermDescription
      @@ -7106,8 +7156,9 @@
      TermDescription
      adwareAdware is software that injects extra advertisements into other applications like your browser, or extra advertisements bundled by a third party into software that is ordinarily free of advertisements. Adware is often considered to be a type of Potentially Unwanted Application (PUA) when the the advertisements aren't used to fund development of the application but are injected by a third party.
      bytecodeBytecode is a partially compiled executable that is platform agnostic but must be further compiled or otherwise interpreted in order to be executed. For ClamAV, "bytecode signature" refer to ClamAV plugin with a .cbc file extension. Some bytecode signatures detect specific types of malware, as the name suggests. Other bytecode signatures extend file parser support within ClamAV, enabling faster deployment of new ClamAV features.
      CLDA CLD is the uncompressed ClamAV signature database archive. CLD files are created by FreshClam when a CVD or CLD database archive is updated with a CDIFF patch file.
      on-accessOn-access in the context of malware detection refers to a technology to scan files when they are created, opened, moved, or otherwise accessed. On-access scanning is one form of "real time protection". The scan may block access to the file and prevent access if an alert occurs, or it may simply scan as the file is being accessed to alert or take some action when the scan is complete.
      PUAA Potentially Unwanted Application (PUA) or Potentially Unwanted Program (PUP) is a program that probably isn't malware, but little benefit to the user and is considered to be undesirable by most people. This may include software like crypto currency mining software, adware, and other software that may be legitimate but may also be used to take advantage of unsuspecting users. See our FAQ page about PUA signatures for more information.
      +

      ClamAV Components

      - +
      ComponentDescription
      @@ -7123,7 +7174,7 @@
      ComponentDescription
      clamav-configThis is a script for checking how ClamAV was compiled. clamav-config is not present on Windows installations.
      clamav-milterClamAV-Milter is a daemon that performs email filter scanning through clamd.
      clambc-compilerThe ClamAV Bytecode Compiler (ClamBC-Compiler or ClamBCC) is a compiler for building bytecode executable signature plugins. The Bytecode Compiler installed separately. See the ClamAV Bytecode Compiler project on Github for more details.
      libfreshclamThe FreshClam library enables you to build the signature update update features into your programs. The C programming API can be found in libfreshclam.h.
      sigtoolSigTool is a signature database (cvd) manipulation tool for malware analysts and signature writers.
      -

      Private Local Mirrors

      +

      Private Local Mirrors

      There are some situations in which it may be desirable to set up a private mirror for distributing ClamAV databases.

      If you run ClamAV on many clients on your network, each new installation will download a copy of the database files. This is a waste of bandwidth and resources for your network and for our mirrors network.

      Sometimes the servers which perform the scan are not directly connected to Internet and can only download updates from a server in the same network segment.

      @@ -7203,7 +7254,7 @@ # 2. Use an HTTP Range-request to check if there is an update, rather than DNS. PrivateMirror http://mirror.mylan:8000 -# ScriptedUpdates is needed because you won't be serving CDIFF files. +# ScriptedUpdates is not needed because you won't be serving CDIFF files. ScriptedUpdates no

    When you run freshclam on your client machines, they should check for updates from your private server over HTTP by downloading just the database header*. If there is a new version, the client will download the whole CVD or CLD file from your private server to update.

    @@ -7605,7 +7656,7 @@

    What are x509 certificates? (Provides an overview of the ASN1 structure of x509 certificates)

  • -

    Signed Malware (Research papers on signed malware with interactive tables of malicious code signing certs)

    +

    Signed Malware (Research papers on signed malware with interactive tables of malicious code signing certs)

  • ClamAV File Types

    @@ -7614,7 +7665,7 @@

    A Target Type is an integer that indicates which kind of file the signature will match against. Target Type notation was first created for the purposes writing efficient signatures. A signature with a target type of 0 will be run against every file type, and thus is not ideal. However, the Target Type notation is limited and it may be unavoidable.

    Although the newer CL_TYPE string name notation has replaced the Target Type for some signature formats, many signature formats require a target type number.

    This is the current list of available Target Types:

    - +
    Target TypeDescription
    @@ -7629,6 +7680,7 @@
    Target TypeDescription
    0any file
    1Portable Executable, both 32- and 64-bit
    2OLE2 containers, including specific macros. Primarily used by MS Office and MSI installation files
    11Flash files
    12Java class files
    +

    Important: HTML, ASCII, Javascript are all normalized:

      @@ -7659,7 +7711,7 @@

    ClamAV File Types are prefixed with CL_TYPE_. The following is an exhaustive list of all current file types.

    - +
    CL_TYPEDescription
    @@ -7737,18 +7789,26 @@
    CL_TYPEDescription
    CL_TYPE_7Z7-Zip Archive
    CL_TYPE_7ZSFXSelf-Extracting 7-Zip Archive
    CL_TYPE_APMDisk Image - Apple Partition Map
    CL_TYPE_ZIPZip Archive
    CL_TYPE_ZIPSFXSelf-Extracting Zip Archive
    -

    Versions & Functionality Levels (FLEVELs)

    +

    Versions & Functionality Levels (FLEVELs)

    The Functionality Level (or FLEVEL) is an integer that signatures may use to define which versions of ClamAV the signature features support. It is up to the signature writers to select the correct FLEVEL or range of FLEVELs when writing a signature so that it does not cause failures in older versions of ClamAV.

    Setting appropriate FLEVELs in signatures is particularly crucial when using features added in the last 3-4 major release versions.

    ClamAV Version to FLEVEL chart

    Note: This markdown table is generated from a spreadsheet using this tool.

    - - - +
    Release DateReleaseFLEVELFunctionalityLevel (bytecode enum)clamav lib.sofreshclam lib.soAPI/ABI changes, major features, other notes
    n/a1.0.0160FUNC_LEVEL_1_0n/an/an/an/a
    n/a0.105.0150FUNC_LEVEL_0105n/an/an/an/a
    + + + + + + + + + + @@ -7768,7 +7828,7 @@ - + @@ -7802,6 +7862,7 @@
    Release DateReleaseFLEVELFunctionalityLevel (bytecode enum)clamav lib.sofreshclam lib.soAPI/ABI changes, major features, other notes
    n/a1.1.0180FUNC_LEVEL_1_1n/an/an/an/a
    Nov-20221.0.0160FUNC_LEVEL_1_011:00:0011.0.02:02:002.0.2Added cl_cvdunpack() API. Added unstable clcb_file_inspection callback, and cl_engine_set_clcb_file_inspection() API. All-match mode is now more reliable. Fix logical signature "Intermediates" feature.
    May-20220.105.1151FUNC_LEVEL_0105_110:00:019.1.02:02:002.0.2Fix logical signature "Intermediates" feature.
    May-20220.105.0150FUNC_LEVEL_010510:00:019.1.02:02:002.0.2Fuzzy image hash subsignatures; Fix byte-compare subsignature premature alert
    Nov-20210.104.4144FUNC_LEVEL_0104_410:00:019.1.02:02:002.0.2Fix logical signature "Intermediates" feature.
    Nov-20210.104.3143FUNC_LEVEL_0104_310:00:019.1.02:02:002.0.2Critical bug fixes; Fix byte-compare subsignature premature alert (0.104)
    Nov-20210.104.2142FUNC_LEVEL_0104_210:00:019.1.02:02:002.0.2Critical bug fixes
    Nov-20210.104.1141FUNC_LEVEL_0104_110:00:019.1.02:02:002.0.2Critical bug fixes
    Sep-20210.104.0140FUNC_LEVEL_010410:00:019.1.02:02:002.0.2CMake stabilized (autotools removed); Added db load/compile/free callbacks to clamav.h API.
    Nov-20210.103.7128FUNC_LEVEL_0103_89:05:009.0.52:01:002.0.1Fix logical signature "Intermediates" feature.
    Nov-20210.103.6127FUNC_LEVEL_0103_69:05:009.0.52:01:002.0.1Critical bug fixes; Fix byte-compare subsignature premature alert (0.103)
    Nov-20210.103.5126FUNC_LEVEL_0103_59:05:009.0.52:01:002.0.1Critical bug fixes
    Nov-20210.103.4125FUNC_LEVEL_0103_49:05:009.0.52:01:002.0.1Critical bug fixes
    Jun-20210.103.3124FUNC_LEVEL_0103_39:05:009.0.52:01:002.0.1Critical bug fixes
    Apr-20210.103.2123FUNC_LEVEL_0103_29:05:009.0.52:01:002.0.1Security fixes
    Mar-20190.100.394FUNC_LEVEL_0100_38:02:017.1.2Security fixes
    Sep-20180.100.293FUNC_LEVEL_0100_28:01:017.1.1Security fixes; Some lenience changes to FreshClam
    Jun-20180.100.192FUNC_LEVEL_0100_18:01:017.1.1Security fixes; Add support for HTTPS in ClamSubmit
    Mar-20180.100.090FUNC_LEVEL_01008:01:017.1.1Feature release 2 years in dev't; Many improvements; Notably Container/Intermediates changes; Changes to wildcard signatures
    Mar-20180.100.090FUNC_LEVEL_01008:01:017.1.1Feature release 2 years in dev't; Many improvements; Notably Container/Intermediates changes; Changes to wildcard signatures; PE Imp-hash signatures
    Mar-20180.99.485FUNC_LEVEL_099_48:01:017.1.1Security fixes; Other important bug fixes
    Jan-20180.99.384FUNC_LEVEL_099_38:01:017.1.1Security fixes; Minor bug fixes
    May-20160.99.282FUNC_LEVEL_099_28:01:017.1.1Various bug fixes
    Apr-20090.95.1426:03:006.0.3
    Mar-20090.95416:02:006.0.2Ignores should use IGN format (including line number)
    +

    For more information on ClamAV file type support, see the File Types Reference.

diff -Nru clamav-0.103.6+dfsg/docs/html/searchindex.js clamav-0.103.8+dfsg/docs/html/searchindex.js
--- clamav-0.103.6+dfsg/docs/html/searchindex.js 2022-05-02 04:46:42.000000000 +0000
+++ clamav-0.103.8+dfsg/docs/html/searchindex.js 2023-02-13 00:03:34.000000000 +0000
@@ -1 +1 @@ -Object.assign(window.search, {"doc_urls":["Introduction.html#clamav","Introduction.html#community-projects","Introduction.html#features","Introduction.html#license","Introduction.html#supported-platforms","Introduction.html#recommended-system-requirements","Introduction.html#mailing-lists-and-chat","Introduction.html#submitting-new-or-otherwise-undetected-malware","Introduction.html#related-products","manual/Installing.html#installing-clamav","manual/Installing.html#installing-with-a-package-manager","manual/Installing.html#installing-with-an-installer","manual/Installing.html#official-clamav-docker-images","manual/Installing.html#installing-from-source","manual/Installing.html#what-now","manual/Installing/Packages.html#clamav-packages","manual/Installing/Packages.html#the-packages","manual/Installing/Docker.html#clamav-in-docker","manual/Installing/Docker.html#the-official-images-on-docker-hub","manual/Installing/Docker.html#building-the-clamav-image","manual/Installing/Docker.html#running-clamd","manual/Installing/Docker.html#running-clamdscan","manual/Installing/Docker.html#controlling-the-container","manual/Installing/Docker.html#connecting-to-the-container","manual/Installing/Docker.html#container-clamd-health-check","manual/Installing/Docker.html#performance","manual/Installing/Docker.html#bandwidth","manual/Installing/Docker.html#advanced-container-configurations","manual/Installing/Installing-from-source-Unix.html#building-clamav-with-cmake-v0104-and-newer","manual/Installing/Installing-from-source-Unix.html#install-prerequisites","manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain","manual/Installing/Installing-from-source-Unix.html#adding-new-system-user-and-group","manual/Installing/Installing-from-source-Unix.html#download-the-source-code","manual/Installing/Installing-from-source-Unix.html#build-clamav","manual/Installing/Installing-from-source-Unix.html#un-install","manual/Installing/Installing-from-source-Unix.html#
what-now","manual/Installing/Installing-from-source-Unix-old.html#building-clamav-with-autotools-v0103-and-older","manual/Installing/Installing-from-source-Unix-old.html#install-prerequisites","manual/Installing/Installing-from-source-Unix-old.html#adding-new-system-user-and-group","manual/Installing/Installing-from-source-Unix-old.html#download-the-source-code","manual/Installing/Installing-from-source-Unix-old.html#build-clamav","manual/Installing/Installing-from-source-Unix-old.html#un-install","manual/Installing/Installing-from-source-Unix-old.html#what-now","manual/Installing/Installing-from-source-Windows.html#installing-clamav-on-windows-from-source","manual/Installing/Installing-from-source-Windows.html#install-prerequisites","manual/Installing/Installing-from-source-Windows.html#download-the-source-code","manual/Installing/Installing-from-source-Windows.html#build-clamav","manual/Installing/Installing-from-source-Windows.html#what-now","manual/Installing/Community-projects.html#community-projects","manual/Installing/Community-projects.html#signatures","manual/Installing/Community-projects.html#mail-filters","manual/Installing/Community-projects.html#clamav-bindings","manual/Installing/Community-projects.html#miscellaneous-tools","manual/Installing/Add-clamav-user.html#add-a-service-user-account","manual/Installing/Add-clamav-user.html#create-a-service-user-account-and-group","manual/Installing/Add-clamav-user.html#about-how-the-service-accounts-are-used","manual/Installing/Add-clamav-user.html#after-installation--make-the-service-account-own-the-database-directory","manual/Usage.html#usage","manual/Usage.html#purpose","manual/Usage.html#daemon","manual/Usage.html#scanner","manual/Usage.html#signature-testing-and-management","manual/Usage.html#configuration","manual/Usage/Configuration.html#configuration","manual/Usage/Configuration.html#first-time-set-up","manual/Usage/Configuration.html#freshclamconf","manual/Usage/Configuration.html#clamdconf","manual/Usa
ge/Configuration.html#clamav-milterconf","manual/Usage/Configuration.html#configure-selinux-for-clamav","manual/Usage/Configuration.html#clamconf","manual/Usage/Configuration.html#next-steps","manual/Usage/SignatureManagement.html#signature-testing-and-management","manual/Usage/SignatureManagement.html#freshclam","manual/Usage/SignatureManagement.html#sigtool","manual/Usage/SignatureManagement.html#clambc","manual/Usage/SignatureManagement.html#next-steps","manual/Usage/SignatureManagement.html#create-your-own-signatures","manual/Usage/Scanning.html#scanning","manual/Usage/Scanning.html#daemon","manual/Usage/Scanning.html#one-time-scanning","manual/Usage/Scanning.html#process-memory-scanning","manual/Usage/Scanning.html#disclaimers","manual/Usage/Scanning.html#windows-specific-issues","manual/OnAccess.html#on-access-scanning","manual/OnAccess.html#purpose","manual/OnAccess.html#requirements","manual/OnAccess.html#general-use","manual/OnAccess.html#troubleshooting","manual/OnAccess.html#configuration-and-recipes","manual/OnAccess.html#command-line-options-for-versions--0102","manual/Usage/Services.html#running-clamav-services","manual/Usage/Services.html#windows-services","manual/Usage/ReportABug.html#how-to-report-a-bug","manual/Usage/ReportABug.html#warning-against-accidental-vulnerability-disclosure","manual/Usage/ReportABug.html#steps-before-you-report","manual/Usage/ReportABug.html#required-information","manual/Signatures.html#creating-signatures-for-clamav","manual/Signatures.html#introduction","manual/Signatures.html#database-formats","manual/Signatures.html#signature-writing-tips-and-tricks","manual/Signatures/DatabaseInfo.html#database-info","manual/Signatures/DynamicConfig.html#dynamic-configuration-dconf","manual/Signatures/DynamicConfig.html#example","manual/Signatures/AuthenticodeRules.html#trusted-and-revoked-certificates","manual/Signatures/FileTypeMagic.html#file-type-magic","manual/Signatures/AllowLists.html#allow-list-databases","manual/Signatures/A
llowLists.html#file-allow-lists","manual/Signatures/AllowLists.html#signature-ignore-lists","manual/Signatures/AllowLists.html#phishing-heuristic-allow-lists","manual/Signatures/HashSignatures.html#file-hash-signatures","manual/Signatures/HashSignatures.html#md5-hash-based-signatures","manual/Signatures/HashSignatures.html#sha1-and-sha256-hash-based-signatures","manual/Signatures/HashSignatures.html#special-hash-based-signatures-for-pe-files-windows-exe-dll-and-sys-files","manual/Signatures/HashSignatures.html#hash-signatures-with-unknown-size","manual/Signatures/BodySignatureFormat.html#body-based-signature-content-format","manual/Signatures/BodySignatureFormat.html#hexadecimal-format","manual/Signatures/BodySignatureFormat.html#wildcards","manual/Signatures/BodySignatureFormat.html#character-classes","manual/Signatures/BodySignatureFormat.html#alternate-strings","manual/Signatures/LogicalSignatures.html#logical-signatures","manual/Signatures/LogicalSignatures.html#subsignature-modifiers","manual/Signatures/LogicalSignatures.html#special-subsignature-types","manual/Signatures/LogicalSignatures.html#signatures-for-version-information-vi-metadata-in-pe-files","manual/Signatures/LogicalSignatures.html#icon-signatures-for-pe-files","manual/Signatures/ExtendedSignatures.html#extended-signature-format","manual/Signatures/YaraRules.html#using-yara-rules-in-clamav","manual/Signatures/PhishSigs.html#phishing-signatures","manual/Signatures/PhishSigs.html#database-file-format","manual/Signatures/PhishSigs.html#introduction-to-regular-expressions","manual/Signatures/PhishSigs.html#how-to-create-database-files","manual/Signatures/BytecodeSignatures.html#bytecode-signatures","manual/Signatures/ContainerMetadata.html#signatures-based-on-container-metadata","manual/Signatures/EncryptedArchives.html#passwords-for-archive-files-experimental","manual/Signatures/SignatureNames.html#official-signature-naming-guidelines","manual/Signatures/SignatureNames.html#signature-naming-rules","ma
nual/Signatures/SignatureNames.html#examples-official-signatures","manual/Development.html#clamav-development","manual/Development.html#pull-request-basics","manual/Development.html#clamav-git-work-flow","manual/Development.html#working-with-your-fork","manual/Development.html#reviewing-pull-requests","manual/Development.html#building-for-development","manual/Development.html#building-the-installer-packages","manual/Development.html#dev-tips--tricks","manual/Development.html#libclamav","manual/Development.html#contribute","manual/Development/github-pr-basics.html#github-pull-request-basics","manual/Development/clamav-git-work-flow.html#clamav-git-work-flow","manual/Development/personal-forks.html#working-with-a-your-own-fork-of-the-clamav-repository","manual/Development/testing-pull-requests.html#reviewing--testing-pull-requests","manual/Development/development-builds.html#building-for-development","manual/Development/development-builds.html#build-dependencies","manual/Development/development-builds.html#download-the-source","manual/Development/development-builds.html#building-clamav-with-cmake-v0104-and-newer","manual/Development/development-builds.html#building-clamav-with-autotools-v0103-and-older","manual/Development/build-installer-packages.html#building-the-installer-packages","manual/Development/build-installer-packages.html#linux","manual/Development/build-installer-packages.html#macos","manual/Development/build-installer-packages.html#windows","manual/Development/tips-and-tricks.html#development-tips--tricks","manual/Development/tips-and-tricks.html#downloading-the-official-ruleset","manual/Development/tips-and-tricks.html#general-debugging","manual/Development/tips-and-tricks.html#hunting-for-memory-leaks","manual/Development/performance-profiling.html#performance-profiling","manual/Development/performance-profiling.html#flame-graph-profiling","manual/Development/performance-profiling.html#call-graph-profiling---callgrind","manual/Development/performance-p
rofiling.html#system-call-tracing--fault-injection","manual/Development/code-coverage.html#computing-code-coverage","manual/Development/code-coverage.html#code-coverage-when-using-cmake-v0104-and-newer","manual/Development/code-coverage.html#code-coverage-when-using-autotools-v0103-and-older","manual/Development/fuzzing-sanitizers.html#building-and-testing-clamav-with-fuzzing-sanitizers","manual/Development/fuzzing-sanitizers.html#build--reproduce-fuzz-reports-using-oss-fuzz-tools","manual/Development/fuzzing-sanitizers.html#build--test-fuzz-targets-sanitizers-in-cmake-v0104-and-newer","manual/Development/fuzzing-sanitizers.html#clamav-with-address-sanitizer-asan-in-autotools-v0103-and-older","manual/Development/libclamav.html#libclamav","manual/Development/libclamav.html#license","manual/Development/libclamav.html#supported-formats-and-features","manual/Development/libclamav.html#api","manual/Development/libclamav.html#cvd-format","manual/Development/Contribute.html#project-ideas","manual/Development/Contribute.html#bugs","manual/Development/Contribute.html#larger-projects","faq/faq.html#clam-antivirus--frequently-asked-questions","faq/faq-whichversion.html#which-version-of-clamav-should-i-use","faq/faq-whichversion.html#stable-release","faq/faq-whichversion.html#beta-and-release-candidates-programs","faq/faq-freshclam.html#freshclam-faq","faq/faq-freshclam.html#failed-to-get-information-about-user-clamav","faq/faq-freshclam.html#cant-create-freshclamdat-in-usrlocalshareclamav","faq/faq-freshclam.html#problem-with-the-ssl-ca-cert","faq/faq-freshclam.html#invalid-dns-reply-falling-back-to-http-mode-or-error-cant-query-currentcvdclamavnet","faq/faq-freshclam.html#error-connection-with--failed","faq/faq-freshclam.html#warning-incremental-update-failed-trying-to-download-dailycvd","faq/faq-freshclam.html#database-update-process-failed-downloaded-database-had-lower-version-than-advertised","faq/faq-freshclam.html#update-failed-your-network-may-be-down-or-the-clamav-data
base-content-delivery-network-is-experiencing-an-outage","faq/faq-freshclam.html#update-failed-updating-too-frequently-with-an-outdated-version","faq/faq-freshclam.html#your-clamav-installation-is-outdated","faq/faq-freshclam.html#warning-current-functionality-level--1-required--2","faq/faq-freshclam.html#ignoring-mirror--has-connected-too-many-times-with-an-outdated-version","faq/faq-freshclam.html#http-error-codes","faq/faq-freshclam.html#for-all-other-database-update-related-failures","faq/faq-cvd.html#clamav-virus-database-faq","faq/faq-cvd.html#how-do-i-keep-my-virus-database-up-to-date","faq/faq-cvd.html#how-often-is-the-virus-database-updated","faq/faq-cvd.html#the-last-cvd-update-crashed-my-clamav-installation-why","faq/faq-cvd.html#the-last-cvd-update-detects-a-lot-of-false-positives-on-my-system-why","faq/faq-cvd.html#i-tried-to-submit-a-sample-through-the-web-interface-but-it-said-the-sample-is-already-recognized-by-clamav-my-clamscan-tells-me-its-not-i-have-already-updated-my-database-and-clamav-engine-whats-wrong-with-my-setup","faq/faq-cvd.html#i-found-an-infected-file-in-my-hdusbmailbox-but-clamav-doesnt-recognize-it-yet-can-you-help-me","faq/faq-cvd.html#im-running-clamav-on-a-lot-of-clients-on-my-local-network-can-i-serve-the-cvd-files-from-a-local-server-so-that-each-client-doesnt-have-to-download-them-from-your-servers","faq/faq-cvd.html#i-cant-wait-for-you-to-update-the-database-i-need-to-use-the-new-signature-now","faq/faq-cvd.html#can-i-download-the-virus-database-manually","faq/faq-cvd.html#i-am-getting-error-codes-such-as-403-429-etc-when-freshclam-or-other-update-system-attempts-to-download-updates","faq/faq-misc.html#miscellaneous-faq","faq/faq-misc.html#i-see-you-have-bugzilla-and-github-issues-which-one-should-i-use","faq/faq-misc.html#i-reported-a-bug-on-bugzilla-but-no-one-can-see-it-what-do-i-do","faq/faq-misc.html#where-can-i-find-the-bug-ticket-for-a-security-bug-fix","faq/faq-misc.html#where-can-i-find-a-test-file-to-prove-that-a-se
curity-bug-doesnt-affect-me-or-has-been-fixed-in-my-version","faq/faq-misc.html#can-phishing-be-considered-one-kind-of-spam-clamav-should-not-detect-it-as-some-kind-of-malware","faq/faq-misc.html#why-is-my-legitimate-html-newsletteremail-detected-by-clamav-as-phishingheuristicsemailspoofeddomain","faq/faq-misc.html#my-legitimate-emails-from-yourdomaintld-are-detected-as-phishingheuristicsemailspoofeddomain","faq/faq-misc.html#can-i-convert-the-new-database-format-to-the-old-one","faq/faq-misc.html#how-do-i-read-inside-the-cvd-files","faq/faq-misc.html#im-using-clamav-in-a-production-environment-and-a-brand-new-virus-is-not-being-recognized-by-clamav-how-long-do-i-have-to-wait-before-clamav-can-start-filtering-the-virus","faq/faq-misc.html#why-is-clamav-calling-the-xxx-virus-with-another-name","faq/faq-misc.html#i-get-many-false-positives-of-oversizedzip","faq/faq-misc.html#what-is-pua-i-get-a-lot-of-false-positives-named-pua","faq/faq-misc.html#can-clamav-disinfect-files","faq/faq-misc.html#when-using-clamscan-is-there-a-way-to-know-which-message-within-an-mbox-is-infected","faq/faq-misc.html#what-platforms-does-it-support","faq/faq-misc.html#where-can-i-find-more-information-about-clamav","faq/faq-ml.html#mailing-lists-faq","faq/faq-ml.html#where-can-i-ask-questions-about-using-clamav","faq/faq-ml.html#i-want-to-take-part-to-the-development-of-clamav-where-can-i-get-more-info","faq/faq-ml.html#the-mailing-lists-generate-too-many-messages-per-day-i-cant-handle-them-what-shall-i-do","faq/faq-ml.html#i-sent-a-message-to-one-of-clamavs-mailing-lists-but-the-mail-was-rejectedheld-for-approval-why","faq/faq-ml.html#i-read-the-mailing-list-from-the-gmane-news-gateway-can-i-post-to-the-mailing-list","faq/faq-ml.html#ive-been-unsubscribed-from-one-of-the-mailing-lists-what-happened","faq/faq-ml.html#how-do-i-disable-mail-delivery-from-the-mailing-list-im-subscribed-to","faq/faq-safebrowsing.html#safebrowsing","faq/faq-safebrowsing.html#about","faq/faq-safebrowsing.html#curr
ent-status","faq/faq-safebrowsing.html#history","faq/faq-troubleshoot.html#troubleshooting-faq","faq/faq-troubleshoot.html#after-clamav-is-installed-then-what-how-do-i-update--refresh-the-virus-database","faq/faq-troubleshoot.html#how-many-times-per-hour-shall-i-run-freshclam","faq/faq-troubleshoot.html#i-get-this-error-when-running-freshclam--invalid-dns-reply-falling-back-to-http-mode--or--error-cant-query-currentcvdclamavnet---what-does-it-mean","faq/faq-troubleshoot.html#what-does--warning-dns-record-is-older-than-3-hours--mean","faq/faq-troubleshoot.html#i-get-this-error-when-running-freshclam--error-connection-with--failed---what-shall-i-do","faq/faq-troubleshoot.html#how-do-i-know-if-my-ip-address-has-been-blocked","faq/faq-troubleshoot.html#i-cant-resolve-currentcvdclamavnet-is-there-a-problem-with-yourmy-dns-servers","faq/faq-scan-alerts.html#interpreting-scan-alerts-faq","faq/faq-scan-alerts.html#clamav-alerted-on-a-file-during-a-scan-what-do-i-do","faq/faq-scan-alerts.html#clamav-alerted-on-a-file-in-the-clamav-source-code-am-i-infected","faq/faq-upgrade.html#upgrading-clamav","faq/faq-upgrade.html#clamav-from-packages","faq/faq-upgrade.html#install-clamav-from-source","faq/faq-upgrade.html#webmin-and-yum","faq/faq-rust.html#clamav-rust-faq","faq/faq-rust.html#why-is-rust-required-to-compile-clamav-in-version-0105","faq/faq-rust.html#if-rust-is-required-should-i-run-cargo-instead-of-cmake-to-build-clamav","faq/faq-rust.html#ive-heard-that-rust-requires-an-internet-connection-to-work-will-i-need-the-internet-to-compile-clamav","faq/faq-win32.html#clamav-on-microsoft-windows-faq","faq/faq-win32.html#what-is-the-difference-between-clamav-immunet-and-clamwin","faq/faq-win32.html#is-immunet-free-for-commercial-use","faq/faq-win32.html#will-immunet-send-any-sensitive-data-from-my-computer-to-the-cloud","faq/faq-win32.html#are-you-going-to-make-use-of-the-cloud-in-clamav","faq/faq-win32.html#can-i-use-immunet-with-my-current-av-solution","faq/faq-win32.html#wher
e-should-i-report-false-positives-or-undetected-malware","faq/faq-win32.html#are-there-64-bit-versions-of-clamav-for-windows-as-well-as-32-bit","faq/faq-pua.html#potentially-unwanted-applications-pua","faq/faq-pua.html#pua-config-options","faq/faq-pua.html#current-pua-categories","faq/faq-pua.html#pua-category-descriptions","faq/faq-ignore.html#how-do-i-ignore-a-clamav-signature","faq/faq-ignore.html#creating-an-ignore-file","faq/faq-ignore.html#ignore-individual-signatures","faq/faq-uninstall.html#uninstalling-clamav","faq/faq-uninstall.html#if-you-installed-from-source","faq/faq-uninstall.html#if-you-installed-from-packages","faq/faq-uninstall.html#caveats","faq/faq-eol.html#end-of-life-eol-policy","faq/faq-eol.html#long-term-support-lts-feature-releases","faq/faq-eol.html#regular-non-lts-feature-releases","faq/faq-eol.html#definitions","faq/faq-eol.html#version-support-matrix","faq/faq-eol.html#additional-detail-about-critical-patch-support","community_resources/CommunityResources.html#community-resources","community_resources/CommunityResources.html#build-guides","community_resources/CommunityResources.html#configuration-guides","community_resources/CommunityResources.html#scripts","community_resources/CommunityResources.html#other","appendix/Appendix.html#appendix","appendix/Terminology.html#terminology","appendix/Terminology.html#general-terminology","appendix/Terminology.html#clamav-components","appendix/CvdPrivateMirror.html#private-local-mirrors","appendix/CvdPrivateMirror.html#use-cvdupdate-to-serve-whole-databases-and-database-patch-files-from-a-private-mirror","appendix/CvdPrivateMirror.html#use-freshclam-to-serve-only-whole-database-files-from-a-private-mirror","appendix/CvdPrivateMirror.html#use-an-http-proxy","appendix/Authenticode.html#microsoft-authenticode-signature-verification","appendix/Authenticode.html#about-microsoft-authenticode","appendix/Authenticode.html#authenticode-and-clamav","appendix/Authenticode.html#helpful-info-for-working-with-au
thenticode-signatures","appendix/Authenticode.html#format-specifications","appendix/Authenticode.html#verifying-the-signature","appendix/Authenticode.html#extracting-the-signature","appendix/Authenticode.html#inspecting-the-signature","appendix/Authenticode.html#creating-signed-executables","appendix/Authenticode.html#samples-with-interesting-authenticode-signatures","appendix/Authenticode.html#additional-references","appendix/FileTypes.html#clamav-file-types","appendix/FileTypes.html#target-types","appendix/FileTypes.html#file-types","appendix/FunctionalityLevels.html#versions--functionality-levels-flevels","appendix/FunctionalityLevels.html#clamav-version-to-flevel-chart"],"index":{"documentStore":{"docInfo":{"0":{"body":70,"breadcrumbs":2,"title":1},"1":{"body":29,"breadcrumbs":3,"title":2},"10":{"body":24,"breadcrumbs":4,"title":3},"100":{"body":40,"breadcrumbs":6,"title":2},"101":{"body":154,"breadcrumbs":7,"title":3},"102":{"body":86,"breadcrumbs":5,"title":1},"103":{"body":110,"breadcrumbs":8,"title":3},"104":{"body":148,"breadcrumbs":7,"title":3},"105":{"body":0,"breadcrumbs":6,"title":3},"106":{"body":80,"breadcrumbs":6,"title":3},"107":{"body":61,"breadcrumbs":6,"title":3},"108":{"body":34,"breadcrumbs":7,"title":4},"109":{"body":13,"breadcrumbs":7,"title":3},"11":{"body":456,"breadcrumbs":3,"title":2},"110":{"body":138,"breadcrumbs":8,"title":4},"111":{"body":29,"breadcrumbs":9,"title":5},"112":{"body":340,"breadcrumbs":15,"title":11},"113":{"body":59,"breadcrumbs":8,"title":4},"114":{"body":29,"breadcrumbs":10,"title":5},"115":{"body":15,"breadcrumbs":7,"title":2},"116":{"body":124,"breadcrumbs":6,"title":1},"117":{"body":25,"breadcrumbs":7,"title":2},"118":{"body":139,"breadcrumbs":7,"title":2},"119":{"body":454,"breadcrumbs":9,"title":2},"12":{"body":55,"breadcrumbs":5,"title":4},"120":{"body":148,"breadcrumbs":9,"title":2},"121":{"body":745,"breadcrumbs":10,"title":3},"122":{"body":311,"breadcrumbs":14,"title":7},"123":{"body":89,"breadcrumbs":11,"tit
le":4},"124":{"body":221,"breadcrumbs":10,"title":3},"125":{"body":231,"breadcrumbs":7,"title":4},"126":{"body":233,"breadcrumbs":5,"title":2},"127":{"body":1057,"breadcrumbs":6,"title":3},"128":{"body":192,"breadcrumbs":6,"title":3},"129":{"body":217,"breadcrumbs":6,"title":3},"13":{"body":9,"breadcrumbs":3,"title":2},"130":{"body":131,"breadcrumbs":5,"title":2},"131":{"body":159,"breadcrumbs":8,"title":4},"132":{"body":98,"breadcrumbs":8,"title":4},"133":{"body":17,"breadcrumbs":7,"title":4},"134":{"body":234,"breadcrumbs":6,"title":3},"135":{"body":18,"breadcrumbs":6,"title":3},"136":{"body":9,"breadcrumbs":3,"title":2},"137":{"body":15,"breadcrumbs":4,"title":3},"138":{"body":13,"breadcrumbs":5,"title":4},"139":{"body":12,"breadcrumbs":3,"title":2},"14":{"body":15,"breadcrumbs":2,"title":1},"140":{"body":24,"breadcrumbs":4,"title":3},"141":{"body":27,"breadcrumbs":3,"title":2},"142":{"body":9,"breadcrumbs":4,"title":3},"143":{"body":11,"breadcrumbs":4,"title":3},"144":{"body":23,"breadcrumbs":2,"title":1},"145":{"body":32,"breadcrumbs":2,"title":1},"146":{"body":205,"breadcrumbs":8,"title":4},"147":{"body":153,"breadcrumbs":9,"title":4},"148":{"body":485,"breadcrumbs":7,"title":4},"149":{"body":116,"breadcrumbs":8,"title":4},"15":{"body":154,"breadcrumbs":4,"title":2},"150":{"body":56,"breadcrumbs":5,"title":2},"151":{"body":441,"breadcrumbs":5,"title":2},"152":{"body":35,"breadcrumbs":5,"title":2},"153":{"body":704,"breadcrumbs":8,"title":5},"154":{"body":598,"breadcrumbs":8,"title":5},"155":{"body":43,"breadcrumbs":7,"title":3},"156":{"body":358,"breadcrumbs":5,"title":1},"157":{"body":246,"breadcrumbs":5,"title":1},"158":{"body":305,"breadcrumbs":5,"title":1},"159":{"body":24,"breadcrumbs":7,"title":3},"16":{"body":745,"breadcrumbs":3,"title":1},"160":{"body":37,"breadcrumbs":7,"title":3},"161":{"body":326,"breadcrumbs":6,"title":2},"162":{"body":62,"breadcrumbs":7,"title":3},"163":{"body":0,"breadcrumbs":5,"title":2},"164":{"body":272,"breadcrumbs":6,"title"
:3},"165":{"body":32,"breadcrumbs":7,"title":4},"166":{"body":425,"breadcrumbs":8,"title":5},"167":{"body":0,"breadcrumbs":7,"title":3},"168":{"body":9,"breadcrumbs":10,"title":6},"169":{"body":84,"breadcrumbs":10,"title":6},"17":{"body":18,"breadcrumbs":4,"title":2},"170":{"body":0,"breadcrumbs":8,"title":5},"171":{"body":57,"breadcrumbs":11,"title":8},"172":{"body":45,"breadcrumbs":11,"title":8},"173":{"body":62,"breadcrumbs":10,"title":7},"174":{"body":26,"breadcrumbs":3,"title":1},"175":{"body":20,"breadcrumbs":3,"title":1},"176":{"body":219,"breadcrumbs":5,"title":3},"177":{"body":1101,"breadcrumbs":3,"title":1},"178":{"body":66,"breadcrumbs":4,"title":2},"179":{"body":105,"breadcrumbs":4,"title":2},"18":{"body":332,"breadcrumbs":6,"title":4},"180":{"body":28,"breadcrumbs":3,"title":1},"181":{"body":2069,"breadcrumbs":4,"title":2},"182":{"body":164,"breadcrumbs":8,"title":5},"183":{"body":6,"breadcrumbs":10,"title":3},"184":{"body":8,"breadcrumbs":9,"title":2},"185":{"body":19,"breadcrumbs":11,"title":4},"186":{"body":52,"breadcrumbs":8,"title":2},"187":{"body":50,"breadcrumbs":10,"title":4},"188":{"body":89,"breadcrumbs":10,"title":4},"189":{"body":96,"breadcrumbs":10,"title":4},"19":{"body":35,"breadcrumbs":5,"title":3},"190":{"body":58,"breadcrumbs":17,"title":11},"191":{"body":41,"breadcrumbs":9,"title":3},"192":{"body":10,"breadcrumbs":13,"title":7},"193":{"body":14,"breadcrumbs":15,"title":9},"194":{"body":23,"breadcrumbs":17,"title":11},"195":{"body":63,"breadcrumbs":12,"title":6},"196":{"body":29,"breadcrumbs":9,"title":3},"197":{"body":21,"breadcrumbs":13,"title":7},"198":{"body":22,"breadcrumbs":14,"title":8},"199":{"body":136,"breadcrumbs":9,"title":3},"2":{"body":256,"breadcrumbs":2,"title":1},"20":{"body":340,"breadcrumbs":4,"title":2},"200":{"body":8,"breadcrumbs":10,"title":4},"201":{"body":55,"breadcrumbs":10,"title":4},"202":{"body":20,"breadcrumbs":11,"title":5},"203":{"body":40,"breadcrumbs":9,"title":3},"204":{"body":13,"breadcrumbs":12,"tit
le":6},"205":{"body":30,"breadcrumbs":14,"title":8},"206":{"body":14,"breadcrumbs":27,"title":21},"207":{"body":43,"breadcrumbs":14,"title":8},"208":{"body":63,"breadcrumbs":23,"title":17},"209":{"body":34,"breadcrumbs":15,"title":9},"21":{"body":261,"breadcrumbs":4,"title":2},"210":{"body":20,"breadcrumbs":10,"title":4},"211":{"body":26,"breadcrumbs":19,"title":13},"212":{"body":43,"breadcrumbs":6,"title":2},"213":{"body":20,"breadcrumbs":10,"title":6},"214":{"body":35,"breadcrumbs":9,"title":5},"215":{"body":46,"breadcrumbs":10,"title":6},"216":{"body":75,"breadcrumbs":14,"title":10},"217":{"body":20,"breadcrumbs":13,"title":9},"218":{"body":18,"breadcrumbs":10,"title":6},"219":{"body":15,"breadcrumbs":9,"title":5},"22":{"body":147,"breadcrumbs":4,"title":2},"220":{"body":14,"breadcrumbs":10,"title":6},"221":{"body":3,"breadcrumbs":8,"title":4},"222":{"body":18,"breadcrumbs":22,"title":18},"223":{"body":33,"breadcrumbs":10,"title":6},"224":{"body":18,"breadcrumbs":8,"title":4},"225":{"body":92,"breadcrumbs":10,"title":6},"226":{"body":30,"breadcrumbs":7,"title":3},"227":{"body":30,"breadcrumbs":12,"title":8},"228":{"body":25,"breadcrumbs":6,"title":2},"229":{"body":46,"breadcrumbs":8,"title":4},"23":{"body":276,"breadcrumbs":4,"title":2},"230":{"body":43,"breadcrumbs":8,"title":3},"231":{"body":5,"breadcrumbs":9,"title":4},"232":{"body":5,"breadcrumbs":12,"title":7},"233":{"body":21,"breadcrumbs":15,"title":10},"234":{"body":8,"breadcrumbs":14,"title":9},"235":{"body":3,"breadcrumbs":14,"title":9},"236":{"body":35,"breadcrumbs":11,"title":6},"237":{"body":37,"breadcrumbs":12,"title":7},"238":{"body":0,"breadcrumbs":6,"title":1},"239":{"body":11,"breadcrumbs":5,"title":0},"24":{"body":35,"breadcrumbs":6,"title":4},"240":{"body":126,"breadcrumbs":7,"title":2},"241":{"body":97,"breadcrumbs":6,"title":1},"242":{"body":52,"breadcrumbs":6,"title":2},"243":{"body":23,"breadcrumbs":10,"title":6},"244":{"body":15,"breadcrumbs":11,"title":7},"245":{"body":30,"breadcrumbs":1
9,"title":15},"246":{"body":62,"breadcrumbs":11,"title":7},"247":{"body":42,"breadcrumbs":11,"title":7},"248":{"body":33,"breadcrumbs":8,"title":4},"249":{"body":54,"breadcrumbs":11,"title":7},"25":{"body":96,"breadcrumbs":3,"title":1},"250":{"body":43,"breadcrumbs":10,"title":4},"251":{"body":19,"breadcrumbs":11,"title":5},"252":{"body":566,"breadcrumbs":13,"title":7},"253":{"body":0,"breadcrumbs":6,"title":2},"254":{"body":27,"breadcrumbs":6,"title":2},"255":{"body":61,"breadcrumbs":7,"title":3},"256":{"body":260,"breadcrumbs":6,"title":2},"257":{"body":0,"breadcrumbs":7,"title":3},"258":{"body":158,"breadcrumbs":10,"title":6},"259":{"body":20,"breadcrumbs":12,"title":8},"26":{"body":21,"breadcrumbs":3,"title":1},"260":{"body":37,"breadcrumbs":15,"title":11},"261":{"body":134,"breadcrumbs":8,"title":4},"262":{"body":74,"breadcrumbs":9,"title":5},"263":{"body":22,"breadcrumbs":8,"title":4},"264":{"body":46,"breadcrumbs":10,"title":6},"265":{"body":17,"breadcrumbs":9,"title":5},"266":{"body":3,"breadcrumbs":9,"title":5},"267":{"body":10,"breadcrumbs":9,"title":5},"268":{"body":5,"breadcrumbs":12,"title":8},"269":{"body":7,"breadcrumbs":11,"title":4},"27":{"body":154,"breadcrumbs":5,"title":3},"270":{"body":81,"breadcrumbs":10,"title":3},"271":{"body":191,"breadcrumbs":10,"title":3},"272":{"body":215,"breadcrumbs":10,"title":3},"273":{"body":0,"breadcrumbs":7,"title":3},"274":{"body":13,"breadcrumbs":7,"title":3},"275":{"body":15,"breadcrumbs":7,"title":3},"276":{"body":0,"breadcrumbs":6,"title":2},"277":{"body":163,"breadcrumbs":6,"title":2},"278":{"body":36,"breadcrumbs":6,"title":2},"279":{"body":25,"breadcrumbs":5,"title":1},"28":{"body":100,"breadcrumbs":9,"title":5},"280":{"body":51,"breadcrumbs":10,"title":4},"281":{"body":73,"breadcrumbs":12,"title":6},"282":{"body":40,"breadcrumbs":11,"title":5},"283":{"body":270,"breadcrumbs":7,"title":1},"284":{"body":139,"breadcrumbs":9,"title":3},"285":{"body":290,"breadcrumbs":11,"title":5},"286":{"body":32,"breadcrumbs
":4,"title":2},"287":{"body":0,"breadcrumbs":4,"title":2},"288":{"body":0,"breadcrumbs":4,"title":2},"289":{"body":0,"breadcrumbs":3,"title":1},"29":{"body":688,"breadcrumbs":6,"title":2},"290":{"body":0,"breadcrumbs":2,"title":0},"291":{"body":16,"breadcrumbs":2,"title":1},"292":{"body":0,"breadcrumbs":3,"title":1},"293":{"body":316,"breadcrumbs":4,"title":2},"294":{"body":201,"breadcrumbs":4,"title":2},"295":{"body":69,"breadcrumbs":8,"title":3},"296":{"body":318,"breadcrumbs":15,"title":10},"297":{"body":258,"breadcrumbs":13,"title":8},"298":{"body":28,"breadcrumbs":8,"title":3},"299":{"body":0,"breadcrumbs":9,"title":4},"3":{"body":9,"breadcrumbs":2,"title":1},"30":{"body":92,"breadcrumbs":7,"title":3},"300":{"body":92,"breadcrumbs":7,"title":2},"301":{"body":139,"breadcrumbs":7,"title":2},"302":{"body":9,"breadcrumbs":10,"title":5},"303":{"body":30,"breadcrumbs":7,"title":2},"304":{"body":140,"breadcrumbs":7,"title":2},"305":{"body":30,"breadcrumbs":7,"title":2},"306":{"body":517,"breadcrumbs":7,"title":2},"307":{"body":34,"breadcrumbs":8,"title":3},"308":{"body":172,"breadcrumbs":9,"title":4},"309":{"body":20,"breadcrumbs":7,"title":2},"31":{"body":19,"breadcrumbs":9,"title":5},"310":{"body":12,"breadcrumbs":9,"title":3},"311":{"body":156,"breadcrumbs":8,"title":2},"312":{"body":457,"breadcrumbs":8,"title":2},"313":{"body":42,"breadcrumbs":9,"title":4},"314":{"body":781,"breadcrumbs":9,"title":4},"32":{"body":14,"breadcrumbs":7,"title":3},"33":{"body":393,"breadcrumbs":6,"title":2},"34":{"body":71,"breadcrumbs":6,"title":2},"35":{"body":15,"breadcrumbs":5,"title":1},"36":{"body":74,"breadcrumbs":9,"title":5},"37":{"body":283,"breadcrumbs":6,"title":2},"38":{"body":19,"breadcrumbs":9,"title":5},"39":{"body":14,"breadcrumbs":7,"title":3},"4":{"body":87,"breadcrumbs":3,"title":2},"40":{"body":252,"breadcrumbs":6,"title":2},"41":{"body":29,"breadcrumbs":6,"title":2},"42":{"body":15,"breadcrumbs":5,"title":1},"43":{"body":99,"breadcrumbs":7,"title":4},"44":{"body":
303,"breadcrumbs":5,"title":2},"45":{"body":25,"breadcrumbs":6,"title":3},"46":{"body":530,"breadcrumbs":5,"title":2},"47":{"body":15,"breadcrumbs":4,"title":1},"48":{"body":11,"breadcrumbs":5,"title":2},"49":{"body":163,"breadcrumbs":4,"title":1},"5":{"body":97,"breadcrumbs":4,"title":3},"50":{"body":861,"breadcrumbs":5,"title":2},"51":{"body":279,"breadcrumbs":5,"title":2},"52":{"body":130,"breadcrumbs":5,"title":2},"53":{"body":42,"breadcrumbs":9,"title":4},"54":{"body":131,"breadcrumbs":10,"title":5},"55":{"body":148,"breadcrumbs":8,"title":3},"56":{"body":29,"breadcrumbs":11,"title":6},"57":{"body":10,"breadcrumbs":2,"title":1},"58":{"body":24,"breadcrumbs":2,"title":1},"59":{"body":36,"breadcrumbs":2,"title":1},"6":{"body":59,"breadcrumbs":4,"title":3},"60":{"body":26,"breadcrumbs":2,"title":1},"61":{"body":25,"breadcrumbs":4,"title":3},"62":{"body":65,"breadcrumbs":2,"title":1},"63":{"body":34,"breadcrumbs":3,"title":1},"64":{"body":267,"breadcrumbs":6,"title":4},"65":{"body":220,"breadcrumbs":3,"title":1},"66":{"body":178,"breadcrumbs":3,"title":1},"67":{"body":157,"breadcrumbs":4,"title":2},"68":{"body":61,"breadcrumbs":5,"title":3},"69":{"body":61,"breadcrumbs":3,"title":1},"7":{"body":31,"breadcrumbs":6,"title":5},"70":{"body":13,"breadcrumbs":4,"title":2},"71":{"body":24,"breadcrumbs":7,"title":3},"72":{"body":183,"breadcrumbs":5,"title":1},"73":{"body":113,"breadcrumbs":5,"title":1},"74":{"body":32,"breadcrumbs":5,"title":1},"75":{"body":13,"breadcrumbs":6,"title":2},"76":{"body":10,"breadcrumbs":6,"title":2},"77":{"body":45,"breadcrumbs":3,"title":1},"78":{"body":590,"breadcrumbs":3,"title":1},"79":{"body":262,"breadcrumbs":5,"title":3},"8":{"body":79,"breadcrumbs":3,"title":2},"80":{"body":32,"breadcrumbs":5,"title":3},"81":{"body":73,"breadcrumbs":3,"title":1},"82":{"body":105,"breadcrumbs":5,"title":3},"83":{"body":0,"breadcrumbs":6,"title":2},"84":{"body":21,"breadcrumbs":5,"title":1},"85":{"body":77,"breadcrumbs":5,"title":1},"86":{"body":294,"bre
adcrumbs":6,"title":2},"87":{"body":228,"breadcrumbs":5,"title":1},"88":{"body":196,"breadcrumbs":6,"title":2},"89":{"body":115,"breadcrumbs":9,"title":5},"9":{"body":32,"breadcrumbs":3,"title":2},"90":{"body":4,"breadcrumbs":7,"title":3},"91":{"body":43,"breadcrumbs":6,"title":2},"92":{"body":0,"breadcrumbs":5,"title":2},"93":{"body":26,"breadcrumbs":8,"title":5},"94":{"body":68,"breadcrumbs":6,"title":3},"95":{"body":127,"breadcrumbs":5,"title":2},"96":{"body":55,"breadcrumbs":4,"title":3},"97":{"body":95,"breadcrumbs":2,"title":1},"98":{"body":295,"breadcrumbs":3,"title":2},"99":{"body":1532,"breadcrumbs":5,"title":4}},"docs":{"0":{"body":"ClamAV is an open source (GPLv2) anti-virus toolkit, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library. Tip : ClamAV is not a traditional anti-virus or endpoint security suite. For a fully featured modern endpoint security suite, check out Cisco Secure Endpoint . See \"related products\" , below, for more details. ClamAV is brought to you by Cisco Systems, Inc.","breadcrumbs":"Introduction » ClamAV","id":"0","title":"ClamAV"},"1":{"body":"ClamAV has a diverse ecosystem of community projects, products, and other tools that either depend on ClamAV to provide malware detection capabilities or supplement ClamAV with new features such as improved support for 3rd party signature databases, graphical user interfaces (GUI), and more.","breadcrumbs":"Introduction » Community Projects","id":"1","title":"Community Projects"},"10":{"body":"ClamAV is widely available from third party package managers for most operating systems. This is often the quickest way to install ClamAV. It will make also upgrades easier. 
Check out the Packages page to find installation instructions for your system.","breadcrumbs":"Installing » Installing with a Package Manager","id":"10","title":"Installing with a Package Manager"},"100":{"body":"The .info file format specifies information about the other database files unpacked from a CVD or CLD database archive. This file exists for the purposes of validating the correctness of the official ClamAV database container files and cannot be loaded a la carte. The format is simply: name:size:sha256 name: The database file name. size: The size in bytes of the database. sha256: A SHA256 hash of the database.","breadcrumbs":"Signatures » CVD Info File » Database Info","id":"100","title":"Database Info"},"101":{"body":"ClamAV supports a limited set of configuration options that may be enabled or disabled via settings in the *.cfg database. At this time, these settings are distributed in daily.cfg. The goal of DCONF is to enable the ClamAV team to rapidly disable new or experimental features for specific ClamAV versions if a significant defect is discovered after release. This database is small, and the settings are largely vestigial. The team has not had a need to disable many features in a long time, and so the ClamAV versions in the settings at this time should no longer be in use. The strings and values referenced in daily.cfg are best cross-referenced with the macros and structures defined here: https://github.com/Cisco-Talos/clamav/blob/main/libclamav/dconf.h#L49 https://github.com/Cisco-Talos/clamav/blob/main/libclamav/dconf.c#L54 The format for a DCONF signature is: Category:Flags:StartFlevel:EndFlevel Category may be one of: PE ELF MACHO ARCHIVE DOCUMENT MAIL OTHER PHISHING BYTECODE STATS PCRE Flags: Every feature that may be configured via DCONF is listed in struct dconf_module modules in libclamav/dconf.c. Any given feature may be default-on or default-off. Default-on features have the 4th field set to a 1 and default off are set to 0. 
The Flags field for a given Category overrides the defaults for all of the options listed under that category. A settings of 0x0, for example, means that all options the category be disabled. The macros listed in libclamav/dconf.h will help you identify which bits to set to get the desired results. StartFlevel: This is the FLEVEL of the minimum ClamAV engine for which you want the settings to be in effect. EndFlevel: This is the FLEVEL of the maximum ClamAV engine for which you want the settings to be in effect. You may wish to select 255 to override the defaults of future releases.","breadcrumbs":"Signatures » Dynamic Configuration Settings » Dynamic Configuration (DCONF)","id":"101","title":"Dynamic Configuration (DCONF)"},"102":{"body":"Consider the OTHER_CONF_PDFNAMEOBJ option in the category OTHER. #define OTHER_CONF_UUENC 0x1 // Default: 1\n#define OTHER_CONF_SCRENC 0x2 // Default: 1\n#define OTHER_CONF_RIFF 0x4 // Default: 1\n#define OTHER_CONF_JPEG 0x8 // Default: 1\n#define OTHER_CONF_CRYPTFF 0x10 // Default: 1\n#define OTHER_CONF_DLP 0x20 // Default: 1\n#define OTHER_CONF_MYDOOMLOG 0x40 // Default: 1\n#define OTHER_CONF_PREFILTERING 0x80 // Default: 1\n#define OTHER_CONF_PDFNAMEOBJ 0x100 // Default: 1\n#define OTHER_CONF_PRTNINTXN 0x200 // Default: 1\n#define OTHER_CONF_LZW 0x400 // Default: 1 All of the OTHER options, including OTHER_CONF_PDFNAMEOBJ are default-on. To disable the option for ClamAV v0.100.X but leave the other options in their default settings, we would need to set the flags to: 0110 1111 1111 ^pdfnameobj off Or in hex: 0x6FF The example setting to place in daily.cfg then woudl be: OTHER:0x6FF:90:99","breadcrumbs":"Signatures » Dynamic Configuration Settings » Example","id":"102","title":"Example"},"103":{"body":"Clamav 0.98 checks signed PE files for certificates and verifies each certificate in the chain against a database of trusted and revoked certificates. 
The signature format is Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;\nNotBefore;Comment[;minFL[;maxFL]] where the corresponding fields are: Name: name of the entry Trusted: bit field, specifying whether the cert is trusted. 1 for trusted. 0 for revoked Subject: sha1 of the Subject field in hex Serial: the serial number as clamscan --debug --verbose reports Pubkey: the public key in hex Exponent: the exponent in hex. Currently ignored and hardcoded to 010001 (in hex) CodeSign: bit field, specifying whether this cert can sign code. 1 for true, 0 for false TimeSign: bit field. 1 for true, 0 for false CertSign: bit field, specifying whether this cert can sign other certs. 1 for true, 0 for false NotBefore: integer, cert should not be added before this variable. Defaults to 0 if left empty Comment: comments for this entry The signatures for certs are stored inside .crb files.","breadcrumbs":"Signatures » Trusted and Revoked EXE Certificates » Trusted and Revoked Certificates","id":"103","title":"Trusted and Revoked Certificates"},"104":{"body":"ClamAV's primary mechanism for determining file types is to match the file with a File Type Magic signature. These file type signatures are compiled into ClamAV, and may also be overridden dynamically using the definition founds found in a *.ftm file. The ClamAV standard signature database includes these definitions in daily.ftm. The signature format is not too disimilar from NDB body-based signatures. The format is: magictype:offset:magicbytes:name:rtype:type[:min_flevel[:max_flevel]] Where: magictype: Supported magic types include: 0 - direct memory comparison of magicbytes for file types 1 - The magicbytes use the body-based content matching format . 4 - direct memory comparison of magicbytes for partition types (HFS+, HFSX) offset: The offset from start of the file to match against. May be * if magictype is 1. name: A descriptive name for the file type. rtype: Previously detected file type. 
Usually CL_TYPE_ANY as a wild-card. type: The CL_TYPE corresponding with the file type signature. See the CL_TYPE reference for details. min_flevel: (optional) The minimum ClamAV engine that the file type signature works with. See the FLEVEL reference for details. To be used in the event that file type support has been recently added. max_flevel: (optional, requires min_flevel field, though the min_flevel number itself can be left empty) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed or replaced.","breadcrumbs":"Signatures » File Type Recognition » File Type Magic","id":"104","title":"File Type Magic"},"105":{"body":"","breadcrumbs":"Signatures » Allow Lists » Allow List Databases","id":"105","title":"Allow List Databases"},"106":{"body":"To allow a specific file use the MD5 signature format and place it inside a database file with the extension of .fp (for \"false positive\"). To allow a specific file with the SHA1 or SHA256 file hash signature format, place the signature inside a database file with the extension of .sfp (for \"SHA false positive\"). To generate FP or SFP signatures, try something like this... MD5: sigtool --md5 /path/to/false/positive/file >> /path/to/databases/false-positives.fp SHA256: sigtool --sha256 /path/to/false/positive/file >> /path/to/databases/false-positives.sfp Here's an example adding the EICAR test file to an allow list by generating a sha256 false positive signature: ❯ clamscan ~/Downloads/eicar.com\n/mnt/c/Users/micah/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND ... 
❯ sigtool --sha256 ~/Downloads/eicar.com >> /var/lib/clamav/false-positives.sfp ❯ clamscan ~/Downloads/eicar.com\n/mnt/c/Users/micah/Downloads/eicar.com: OK\n...","breadcrumbs":"Signatures » Allow Lists » File Allow Lists","id":"106","title":"File Allow Lists"},"107":{"body":"To ignore a specific signature from the database you just add the signature name into a local file with the .ign2 extension and store it inside the database directory. E.g: Eicar-Test-Signature Additionally, you can follow the signature name with the MD5 of the entire database entry for this signature. In such a case, the signature will no longer be ignored when its entry in the database gets modified (eg. the signature gets updated to avoid false alerts). E.g: Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c Historically, signature ignores were added to .ign files. This format is still functional, though it has been replaced by the .ign2 database.","breadcrumbs":"Signatures » Allow Lists » Signature Ignore Lists","id":"107","title":"Signature Ignore Lists"},"108":{"body":"ClamAV may alert on suspicious links with alerts along the lines of \"Heuristics.Phishing.Email.SpoofedDomain\". If you encounter a false positive for this kind of detection, you can create an allow list signature. Allow list signatures for suspicious HTML links are added to the .wdb phishing signature database. Read the Phishing Signature documentation to learn more.","breadcrumbs":"Signatures » Allow Lists » Phishing Heuristic Allow Lists","id":"108","title":"Phishing Heuristic Allow Lists"},"109":{"body":"The easiest way to create signatures for ClamAV is to use filehash checksums, however this method can be only used against static malware.","breadcrumbs":"Signatures » Hash-based Signatures » File hash signatures","id":"109","title":"File hash signatures"},"11":{"body":"Pre-compiled packages provided on the clamav.net downloads page have all external library dependencies statically compiled in. 
These installers likely differ from packages provided by other packaging tools in that you will need to create and configure the freshclam.conf and clamd.conf files. You may also need to add a clamav service user account and adjust the permissions on the database directory. We hope to round out these sharp corners in the future and to make setup more convenient, but for now be advised that setup from one of these packages is a little bit more work than you may be used to. If you're interested in learning how these packages were built, you can check out these development instructions . Note : In the event that a vulnerability is found in one of the dependencies that may impact ClamAV, we will publish new packages with updated dependencies as soon as we're able. Linux (.deb, .rpm) Beginning with ClamAV 0.104, we offer Debian and RPM packages for x86_64 (64bit) and i686 (32bit) architectures. This will make it easier to get the latest version in the event that a package for your distribution is not readily available and you would prefer not to build ClamAV from source. Note : These packages do not presently include clamav-milter. You can help help us add clamav-milter to the packages by developing a Mussels recipe for building the libmilter.a static library and contributing it to our Mussels cookbook . RPM packages (for CentOS, Redhat, Fedora, SUSE, etc.) These are compiled on CentOS 7. They should be compatible with all RPM-based linux distributions running glibc version 2.17 or newer. To install, download the package for your system use yum or dnf to install the package. For example: sudo dnf install ~/Downloads/clamav-0.104.0-rc2.linux.x86_64.rpm You can verify that the package was installed using: dnf info clamav This package installs to /usr/local. Unlike packages provided by Debian or other distributions, this package does not presently include a preconfigured freshclam.conf, clamd.conf, database directory, or clamav user accounts for FreshClam and ClamD. 
You can follow these instructions to configure FreshClam and ClamD. You can follow these instructions to create the clamav user account for running FreshClam and ClamD services. And uninstall the package with: sudo dnf remove ~/Downloads/clamav-0.104.0-rc2.linux.x86_64.rpm DEB packages (for Debian, Ubuntu, Mint, etc.) These are compiled on Ubuntu 16.04, and have all external library dependencies statically compiled in. They should be compatible with all Debian-based linux distributions running glibc version 2.23 or newer. sudo apt install ~/Downloads/clamav-0.104.0-rc2.libnux.x86_64.deb You can verify that the package was installed using: apt info clamav This package installs to /usr/local. Unlike packages provided by Debian or other distributions, this package does not presently include a preconfigured freshclam.conf, clamd.conf, database directory, or clamav user accounts for FreshClam and ClamD. You can follow these instructions to configure FreshClam and ClamD. You can follow these instructions to create the clamav user account for running FreshClam and ClamD services. And uninstall the package with: sudo apt remove clamav macOS Beginning with ClamAV 0.104, we offer a PKG installer for macOS. These are universal binaries built for Intel x86_64 and Apple M1 arm64 processors. Disclaimer : The release materials for 0.104.0-rc2 are not signed or notarized. We are working on adding signing and notarization to our CI processes, but for now you may be unable to use this PKG installer on macOS Big Sur or newer. To install, download the macOS .pkg installer. Double-click the installer and follow the directions. This package installs to /usr/local/clamav. This is not in the default system PATH environment variable. You may wish to add /usr/local/clamav/bin and /usr/local/clamav/sbin to your PATH so you can run the ClamAV programs without entering the full path. 
To do this add this line to ~/.zshrc: export PATH=/usr/local/clamav/bin:/usr/local/clamav/sbin:$PATH Then run source ~/.zshrc or open a new terminal. Unlike packages provided by Homebrew, this package does not presently include a preconfigured freshclam.conf, clamd.conf, or database directory. You can follow these instructions to configure FreshClam and ClamD. macOS package installers do not provide a mechanism for automatically uninstalling the package. In the future, we hope to add a script to aid with uninstallation. But for now, to make it easier to remove, our macOS installer installs to /usr/local/clamav. To uninstall, all you need to do is run: sudo rm -rf /usr/local/clamav Windows The ClamAV team provides official ClamAV builds for Windows on the ClamAV downloads page . You can choose between a traditional executable installer or a portable install ZIP package. To use the executable installer, double-click the installer and follow the instructions. To install from a ZIP package, unzip the portable install package to any directory.","breadcrumbs":"Installing » Installing with an Installer","id":"11","title":"Installing with an Installer"},"110":{"body":"To create a MD5 signature for test.exe use the --md5 option of sigtool: zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb\nzolw@localhost:/tmp/test$ cat test.hdb\n48c4533230e1ae1c118c741c0db19dfb:17387:test.exe That’s it! The signature is ready for use: zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe\ntest.exe: test.exe FOUND ----------- SCAN SUMMARY -----------\nKnown viruses: 1\nScanned directories: 0\nEngine version: 0.92.1\nScanned files: 1\nInfected files: 1\nData scanned: 0.02 MB\nTime: 0.024 sec (0 m 0 s) You can change the name (by default sigtool uses the name of the file) and place it inside a *.hdb file. A single database file can include any number of signatures. 
To get them automatically loaded each time clamscan/clamd starts just copy the database file(s) into the local virus database directory (eg. /usr/local/share/clamav). The hash-based signatures shall not be used for text files, HTML and any other data that gets internally preprocessed before pattern matching. If you really want to use a hash signature in such a case, run clamscan with --debug and --leave-temps flags as described above and create a signature for a preprocessed file left in /tmp. Please keep in mind that a hash signature will stop matching as soon as a single byte changes in the target file.","breadcrumbs":"Signatures » Hash-based Signatures » MD5 hash-based signatures","id":"110","title":"MD5 hash-based signatures"},"111":{"body":"ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums. The format is the same as for MD5 file checksum. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a *.hsb file. The format is: HashString:FileSize:MalwareName","breadcrumbs":"Signatures » Hash-based Signatures » SHA1 and SHA256 hash-based signatures","id":"111","title":"SHA1 and SHA256 hash-based signatures"},"112":{"body":"PE section based hash signatures You can create a hash signature for a specific section in a PE file. Such signatures shall be stored inside .mdb (MD5) and .msb files in the following format: PESectionSize:PESectionHash:MalwareName Note that the order of PESectionSize and PESectionHash are essentially reversed from the .hdb signature format. 
You can generate your own PE section hash signatures using sigtool: sigtool --mdb /path/to/32bit/PE/file ❯ ./sigtool/sigtool --mdb ~/Downloads/ChromeSetup.exe\nLibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment\nLibClamAV debug: Section{0}: 83456:83620eda4d054fe35c19faaa89d515f3\nLibClamAV debug: Section{1}: 28160:ebb39bf5679d566074c9666fd9548d22\nLibClamAV debug: Section{2}: 2560:3cbd45b86866e61bd3cbd759aa40888d\nLibClamAV debug: Section{3}: 1199616:6555d93d90a4642c9b3feb4bdb075ec1\nLibClamAV debug: Section{4}: 4608:80335bb2fda8c0e537fcf4d0af14bc89\nLibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0\nLibClamAV debug: Cleaning up phishcheck\nLibClamAV debug: Phishcheck cleaned up ClamAV also has support for SHA1 and SHA256 section based signatures. The format is the same as for MD5 PE section based signatures. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a *.msb file. Known issues : Support for 64-bit PE files is missing at this time. You can create an section-hash signatures using sigtool. But as of 0.105, the parser stops processing 64bit PE files (PE32+ files) a little before it would try to match those hashes, so they will never alert. PE import table hash signatures (func. level 90) You can create a hash signature for the import table in a PE file. Such signatures shall be stored inside .imp files in the following format: PEImportTableHash:PEImportTableSize:MalwareName Unlike with PE section hash signatures, the file format for PE import table hash signatures is essentially the same as HDB signatures. 
Some example sigs: f93b5d76132f6e6068946ec238813ce1:154:calc.exe\n1ac946b228ebba41514c52672b33d623:140:calc64.exe You can generate your own PE import table hash signatures using sigtool: sigtool --imp /path/to/32bit/PE/file The details will be in debug log output, like: ❯ ./sigtool/sigtool --imp ./unit_tests/input/clamav_hdb_scanfiles/clam.exe\nLibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment\nLibClamAV debug: Imphash: 98c88d882f01a3f6ac1e5f7dfd761624:39\nLibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0\nLibClamAV debug: Cleaning up phishcheck\nLibClamAV debug: Phishcheck cleaned up The hash is an MD5 hash. Unlike some signature features, you may not rely on the clamscan debug-log to provide imp-hashes. clamscan will only every log out the imp-hash info if you have one or more imp-hash sig loaded. If not, you won't see it. Given the Imphash: line from the sigtool debug log, all that is left is to add a signature name. Like this: 98c88d882f01a3f6ac1e5f7dfd761624:39:clam.exe Known issues : Support for 64-bit PE files is missing at this time. You can create an imp-hash signatures using sigtool. But as of 0.105, the parser stops processing 64bit PE files (PE32+ files) a little before it would try to match those hashes, so they will never alert. Support for *-wildcard import hash table sizes is broken in every release up through 0.105. The size field can technically be a wildcard using the *. But, because of a known issue with the all-match feature, the signature will only alert in all-match mode, which is not the default scanning mode.","breadcrumbs":"Signatures » Hash-based Signatures » Special hash-based signatures for PE files (Windows EXE, DLL, and SYS files)","id":"112","title":"Special hash-based signatures for PE files (Windows EXE, DLL, and SYS files)"},"113":{"body":"ClamAV 0.98 has also added support for hash signatures where the size is not known but the hash is. 
It is much more performance-efficient to use signatures with specific sizes, so be cautious when using this feature. For these cases, the ’*’ character can be used in the size field. To ensure proper backwards compatibility with older versions of ClamAV, these signatures must have a minimum functional level of 73 or higher. Signatures that use the wildcard size without this level set will be rejected as malformed. Sample .hsb signature matching any size: HashString:*:MalwareName:73 Sample .msb signature matching any size: *:PESectionHash:MalwareName:73","breadcrumbs":"Signatures » Hash-based Signatures » Hash signatures with unknown size","id":"113","title":"Hash signatures with unknown size"},"114":{"body":"ClamAV stores all body-based (content-based) signatures in a hexadecimal format, with exception to ClamAV's YARA rule support. In this section by a hex-signature we mean a fragment of malware’s body converted into a hexadecimal string which can be additionally extended using various wildcards.","breadcrumbs":"Signatures » Content-based Signature Format » Body-based Signature Content Format","id":"114","title":"Body-based Signature Content Format"},"115":{"body":"You can use sigtool --hex-dump to convert any data into a hex-string: zolw@localhost:/tmp/test$ sigtool --hex-dump\nHow do I look in hex?\n486f7720646f2049206c6f6f6b20696e206865783f0a","breadcrumbs":"Signatures » Content-based Signature Format » Hexadecimal format","id":"115","title":"Hexadecimal format"},"116":{"body":"ClamAV supports the following wildcards for hex-signatures: ?? Match any byte. a? Match a high nibble (the four high bits). ?a Match a low nibble (the four low bits). * Match any number of bytes. {n} Match n bytes. {-n} Match n or less bytes. {n-} Match n or more bytes. {n-m} Match between n and m bytes (where m > n). HEXSIG[x-y]aa or aa[x-y]HEXSIG Match aa anchored to a hex-signature, see Bugzilla ticket 776 for discussion and examples. 
The range signatures * and {} virtually separate a hex-signature into two parts, eg. aabbcc*bbaacc is treated as two sub-signatures aabbcc and bbaacc with any number of bytes between them. It’s a requirement that each sub-signature includes a block of two static characters somewhere in its body. Note that there is one exception to this restriction; that is when the range wildcard is of the form {n} with n<128. In this case, ClamAV uses an optimization and translates {n} to the string consisting of n ?? character wildcards. Character wildcards do not divide hex signatures into two parts and so the two static character requirement does not apply.","breadcrumbs":"Signatures » Content-based Signature Format » Wildcards","id":"116","title":"Wildcards"},"117":{"body":"ClamAV supports the following character classes for hex-signatures: (B) Match word boundary (including file boundaries). (L) Match CR, CRLF or file boundaries. (W) Match a non-alphanumeric character.","breadcrumbs":"Signatures » Content-based Signature Format » Character classes","id":"117","title":"Character classes"},"118":{"body":"Single-byte alternates (clamav-0.96) (aa|bb|cc|...) or !(aa|bb|cc|...) Match a member from a set of bytes (eg: aa, bb, cc, ...). Negation operation can be applied to match any non-member, assumed to be one-byte in length. Signature modifiers and wildcards cannot be applied. Multi-byte fixed length alternates (aaaa|bbbb|cccc|...) or !(aaaa|bbbb|cccc|...) Match a member from a set of multi-byte alternates (eg: aaaa, bbbb, cccc, ...) of n-length. All set members must be the same length. Negation operation can be applied to match any non-member, assumed to be n-bytes in length (clamav-0.98.2). Signature modifiers and wildcards cannot be applied. Generic alternates (clamav-0.99) (alt1|alt2|alt3|...) Match a member from a set of alternates (eg: alt1, alt2, alt3, ...) that can be of variable lengths. Negation operation cannot be applied. 
Signature modifiers and nibble wildcards (eg: ??, a?, ?a) can be applied. Ranged wildcards (eg: {n-m}) are limited to a fixed range of less than 128 bytes (eg: {1} -> {127}). Note : Using signature modifiers and wildcards classifies the alternate type to be a generic alternate. Thus single-byte alternates and multi-byte fixed length alternates can use signature modifiers and wildcards but will be classified as generic alternate. This means that negation cannot be applied in this situation and there is a slight performance impact.","breadcrumbs":"Signatures » Content-based Signature Format » Alternate strings","id":"118","title":"Alternate strings"},"119":{"body":"Logical signatures allow combining of multiple signatures in extended format using logical operators. They can provide both more detailed and flexible pattern matching. The logical sigs are stored inside *.ldb files in the following format: SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;\nSubsig1;Subsig2;... where: TargetDescriptionBlock provides information about the engine and target file with comma separated Arg:Val pairs. For args where Val is a range, the minimum and maximum values should be expressed as min-max. LogicalExpression specifies the logical expression describing the relationship between Subsig0...SubsigN. Basis clause: 0,1,...,N decimal indexes are SUB-EXPRESSIONS representing Subsig0, Subsig1,...,SubsigN respectively. Inductive clause: if A and B are SUB-EXPRESSIONS and X, Y are decimal numbers then (A&B), (A|B), A=X, A=X,Y, A>X, A>X,Y, ACL_TYPE_*: Specify one or more layers of file types containing the scanned file. This is an alternative to using Container. You may specify up to 16 layers of file types separated by ’>’ in top-down order. Note that the ’>’ separator is not needed if you only specify a single container. The last type should be the immediate container containing the malicious file. 
Unlike with the Container option, CL_TYPE_ANY can be used as a wildcard file type. (expr; 0.100.0) For a list of possible CL_TYPEs, refer to the File Types Reference . IconGroup1: Icon group name 1 from .idb signature Required engine functionality (range; 0.96) IconGroup2: Icon group name 2 from .idb signature Required engine functionality (range; 0.96) Modifiers for subexpressions: A=X: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched exactly X times; if it refers to a (logical) block of signatures then this block must generate exactly X matches (with any of its sigs). A=0 specifies negation (signature or block of signatures cannot be matched) A=X,Y: If the SUB-EXPRESSION A refers to a single signature then this signature must be matched exactly X times; if it refers to a (logical) block of signatures then this block must generate X matches and at least Y different signatures must get matched. A>X: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched more than X times; if it refers to a (logical) block of signatures then this block must generate more than X matches (with any of its sigs). A>X,Y: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched more than X times; if it refers to a (logical) block of signatures then this block must generate more than X matches and at least Y different signatures must be matched. AZ above with the change of \"more\" to \"less\". If the SUB-EXPRESSION A refers to a single signature then this signature must get matched less than X times; if it refers to a (logical) block of signatures then this block must generate less than X matches (with any of its sigs). AX,Y. If the SUB-EXPRESSION A refers to a single signature then this signature must get matched less than X times; if it refers to a (logical) block of signatures then this block must generate less than X matches and at least Y different signatures must be matched. 
Examples: Sig1;Target:0;(0&1&2&3)&(4|1);6b6f74656b;616c61;7a6f6c77;7374656\n6616e;deadbeef Sig2;Target:0;((0|1|2)>5,2)&(3|1);6b6f74656b;616c61;7a6f6c77;737\n46566616e Sig3;Target:0;((0|1|2|3)=2)&(4|1);6b6f74656b;616c61;7a6f6c77;737\n46566616e;deadbeef Sig4;Engine:51-255,Target:1;((0|1)&(2|3))&4;EP+123:33c06834f04100\nf2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573\n(63|64)61706528;S3+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58\ndcf43987e4f519d629b103375;SL+550:6300680065005c0046006900","breadcrumbs":"Signatures » Content-based Signature Format » Logical Signatures » Logical signatures","id":"119","title":"Logical signatures"},"12":{"body":"There are now official ClamAV images on Docker Hub. You can find the images on Docker Hub under clamav . At present we offer images with builds of the latest development version. We call this \"unstable\". ClamAV 0.104 will be the first stable release that we'll publish on Docker Hub.. Once published 0.104.0+ will be available using a Docker image tag with the specific version number, or using \"stable\" to get the latest stable release. Check out the Docker page to learn how to install and use ClamAV with Docker.","breadcrumbs":"Installing » Official ClamAV Docker Images","id":"12","title":"Official ClamAV Docker Images"},"120":{"body":"ClamAV (clamav-0.99) supports a number of additional subsignature modifiers for logical signatures. This is done by specifying :: followed by a number of characters representing the desired options. Signatures using subsignature modifiers require Engine:81-255 for backwards-compatibility. Case-Insensitive [i] Specifying the i modifier causes ClamAV to match all alphabetic hex bytes as case-insensitive. All patterns in ClamAV are case-sensitive by default. Wide [w] Specifying the w causes ClamAV to match all hex bytes encoded with two bytes per character. Note this simply interweaves each character with NULL characters and does not truly support UTF-16 characters. 
Wildcards for ’wide’ subsignatures are not treated as wide (i.e. there can be an odd number of intermittent characters). This can be combined with a to search for patterns in both wide and ascii. Fullword [f] Match subsignature as a fullword (delimited by non-alphanumeric characters). Ascii [a] Match subsignature as ascii characters. This can be combined with w to search for patterns in both ascii and wide. Examples: Match 'AAAA'(nocase) and 'BBBBBB'(nocase) clamav-nocase-A;Engine:81-255,Target:0;0&1;41414141::i;424242424242::i Match 'AAA' and 'hello'(fullword) clamav-fullword-A;Engine:81-255,Target:0;0&1;414141;68656c6c6f::f Match 'AAA' and 'hello'(fullword nocase) clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f::fi Match 'AAA' and 'hello'(wide ascii) clamav-wide-B2;Engine:81-255,Target:0;0&1;414141;68656c6c6f::wa Match 'AAA' and 'hello'(nocase wide fullword ascii) clamav-wide-C0;Engine:81-255,Target:0;0&1;414141;68656c6c6f::iwfa","breadcrumbs":"Signatures » Content-based Signature Format » Logical Signatures » Subsignature Modifiers","id":"120","title":"Subsignature Modifiers"},"121":{"body":"Macro subsignatures Introduced in ClamAV 0.96 Format: ${min-max}MACROID$ Macro subsignatures are used to combine a number of existing extended signatures (.ndb) into a on-the-fly generated alternate string logical signature (.ldb). Signatures using macro subsignatures require Engine:51-255 for backwards-compatibility. Example: test.ldb: TestMacro;Engine:51-255,Target:0;0&1;616161;${6-7}12$ test.ndb: D1:0:$12:626262 D2:0:$12:636363 D3:0:$30:626264 The example logical signature TestMacro is functionally equivalent to: TestMacro;Engine:51-255,Target:0;0;616161{3-4}(626262|636363) MACROID points to a group of signatures; there can be at most 32 macro groups. In the example, MACROID is 12 and both D1 and D2 are members of macro group 12. D3 is a member of separate macro group 30. 
{min-max} specifies the offset range at which one of the group signatures should match; the offset range is relative to the starting offset of the preceding subsignature. This means a macro subsignature cannot be the first subsignature. In the example, {min-max} is {6-7} and it is relative to the start of a 616161 match. For more information and examples please see https://bugzilla.clamav.net/show_bug.cgi?id=164 . Byte Compare Subsignatures Introduced in ClamAV 0.101 Format: subsigid_trigger(offset#byte_options#comparisons) Byte compare subsignatures can be used to evaluate a numeric value at a given offset from the start of another (matched) subsignature within the same logical signature. These are executed after all other subsignatures within the logical subsignature are fired, with the exception of PCRE subsignatures. They can evaluate offsets only from a single referenced subsignature, and that subsignature must give a valid match for the evaluation to occur. subsigid_trigger is a required field and may refer to any single non-PCRE, non-Byte Compare subsignature within the lsig. The byte compare subsig will evaluate if subsigid_trigger matches. Triggering on multiple subsigs or logic based triggering is not currently supported. offset is a required field that consists of an offset_modifier and a numeric offset (hex or decimal offsets are okay). offset_modifier can be either >> or << where the former denotes a positive offset and the latter denotes a negative offset. The offset is calculated from the start of subsigid_trigger, which allows for byte extraction before the specified match, after the match, and within the match itself. offset must be a positive hex or decimal value. This will be the number of bytes from the start of the referenced subsigid_trigger match within the file buffer to begin the comparison. byte_options are used to specify the numeric type and endianess of the extracted byte sequence in that order as well as the number of bytes to be read. 
By default ClamAV will attempt to matchup up to the number of byte specified, unless the e (exact) option is specified or the numeric type is b (binary). This field follows the form [h|d|a|i][l|b][e]num_bytes h|d|a|i where h specifies the byte sequence will be in hex, d decimal, a automatic detection of hex or decimal at runtime, and i signifies raw binary data. l|b where l specifies the byte sequence will be in little endian order and b big endian. If decimal d is specified, big-endian is implied and using l will result in a malformed database error. e specifies that ClamAV will only evaluate the comparison if it can extract the exact number of bytes specified. This option is implicitly declared when using the i flag. num_bytes specifies the number of bytes to extract. This can be a hex or decimal value. If i is specified only 1, 2, 4, and 8 are valid options. comparisons are a required field which denotes how to evaluate the extracted byte sequence. Each Byte Compare signature can have one or two comparison_sets separated by a comma. Each comparison_set consists of a Comparison_symbol and a Comparison_value and takes the form Comparison_symbolComparison_value. Thus, comparisons takes the form comparison_set[,comparison_set] Comparison_symbol denotes the type of comparison to be done. The supported comparison symbols are <, >, =. Comparison_value is a required field which must be a numeric hex or decimal value. If all other conditions are met, the byte compare subsig will evalutate the extracted byte sequence against this number based on the provided comparison_symbol. PCRE subsignatures Introduced in ClamAV 0.99 Format: Trigger/PCRE/[Flags] PCRE subsignatures are used within a logical signature (.ldb) to specify regex matches that execute once triggered by a conditional based on preceding subsignatures. Signatures using PCRE subsignatures require Engine:81-255 for backwards-compatibility. 
Trigger is a required field that is a valid LogicalExpression and may refer to any subsignatures that precede this subsignature. Triggers cannot be self-referential and cannot refer to subsequent subsignatures. PCRE is the expression representing the regex to execute. ClamAV identifies the regex string by searching from the beginning of the subsignature for the start-/ and searching from the end for the end-/. You may \\-escape any use of / within the regex string, but it is not required. For backward compatibility, ; within the expression must be expressed as \\x3B. The regex string cannot be empty and (?UTF\\*) control sequences are not allowed. If debug messages are enabled (i.e. clamscan --debug), then named capture groups are displayed in a post-execution report. Flags are a series of characters which affect the compilation and execution of PCRE within the PCRE compiler and the ClamAV engine. This field is optional. g [CLAMAV_GLOBAL] specifies to search for ALL matches of PCRE (default is to search for first match). NOTE: INCREASES the time needed to run the PCRE. r [CLAMAV_ROLLING] specifies to use the given offset as the starting location to search for a match as opposed to the only location; applies to subsigs without maxshifts. By default, in order to facilatate normal ClamAV offset behavior, PCREs are auto-anchored (only attempt match on first offset); using the rolling option disables the auto-anchoring. e [CLAMAV_ENCOMPASS] specifies to CONFINE matching between the specified offset and maxshift; applies only when maxshift is specified. Note : DECREASES time needed to run the PCRE. 
i [PCRE_CASELESS] s [PCRE_DOTALL] m [PCRE_MULTILINE] x [PCRE_EXTENDED] A [PCRE_ANCHORED] E [PCRE_DOLLAR_ENODNLY] U [PCRE_UNGREEDY] Examples: Find.All.ClamAV;Engine:81-255,Target:0;1;6265676c6164697427736e6f7462797465636f6465;0/clamav/g Find.ClamAV.OnlyAt.299;Engine:81-255,Target:0;2;7374756c747a67657473;7063726572656765786c6f6c;299:0&1/clamav/ Find.ClamAV.StartAt.300;Engine:81-255,Target:0;3;616c61696e;62756731393238;636c6f736564;300:0&1&2/clamav/r Find.All.Encompassed.ClamAV;Engine:81-255,Target:0;3;7768796172656e2774;796f757573696e67;79617261;200,300:0&1&2/clamav/ge Named.CapGroup.Pcre;Engine:81-255,Target:0;3;636f75727479617264;616c62756d;74657272696572;50:0&1&2/variable=(?<nilshell>.{16})end/gr Firefox.TreeRange.UseAfterFree;Engine:81-255,Target:0,Engine:81-255;0&1&2;2e766965772e73656c656374696f6e;2e696e76616c696461746553656c656374696f6e;0&1/\\x2Eview\\x2Eselection.*?\\x2Etree\\s*\\x3D\\s*null.*?\\x2Einvalidate/smi Firefox.IDB.UseAfterFree;Engine:81-255,Target:0;0&1;4944424b657952616e6765;0/^\\x2e(only|lowerBound|upperBound|bound)\\x28.*?\\x29.*?\\x2e(lower|upper|lowerOpen|upperOpen)/smi Firefox.boundElements;Engine:81-255,Target:0;0&1&2;6576656e742e6\n26f756e64456c656d656e7473;77696e646f772e636c6f7365;0&1/on(load|click)\\s*=\\s*\\x22?window\\.close\\s*\\x28/si Image Fuzzy Hash subsignatures Introduced in ClamAV 0.105 Format: fuzzy_img## For example if you wanted to match on this image... logo.png ...you would make a signature like this: logo.png;Engine:150-255,Target:0;0;fuzzy_img#af2ad01ed42993c7#0 Image fuzzy hash signatures in 0.105 do not support matching with a hamming distance greater than zero. Support for matching with a hamming distance may be added in a future release. The signatures above explicitly set the hamming distance to 0. 
But you could also omit it, like this: logo.png;Engine:150-255,Target:0;0;fuzzy_img#af2ad01ed42993c7 You can combine the image fuzzy hash subsignature with other logical signature features, like adding additional subsignatures: logo.png-2;Engine:150-255,Target:0;0&1;49484452;fuzzy_img#af2ad01ed42993c7 or container types: logo.png;Engine:150-255,Target:0,Container:CL_TYPE_HTML;0;fuzzy_img#af2ad01ed42993c7\nlogo.png;Engine:150-255,Target:0,Container:CL_TYPE_MAIL;0;fuzzy_img#af2ad01ed42993c7 ClamAV's image fuzzy hash is very close to, but not 100% identical to, the fuzzy hash generated by the Python imagehash package's phash() function. Note that these are only clean-room approximations of the pHash™️ algorithm. ClamAV's image fuzzy hashes are not expected to match the fuzzy hashes generated using other tools. Some images may match, while others do not. You must use ClamAV to generate the fuzzy hash for the most reliable results. A sigtool option does not yet exist to generate a ClamAV image fuzzy hash. So, to generate the image fuzzy hash you can run this command: clamscan --gen-json --debug /path/to/file The hash will appear in the JSON above the \"SCAN SUMMARY\" under the object named \"ImageFuzzyHash\".","breadcrumbs":"Signatures » Content-based Signature Format » Logical Signatures » Special Subsignature Types","id":"121","title":"Special Subsignature Types"},"122":{"body":"Starting with ClamAV 0.96 it is possible to easily match certain information built into PE files (executables and dynamic link libraries). Whenever you lookup the properties of a PE executable file in windows, you are presented with a bunch of details about the file itself. These info are stored in a special area of the file resources which goes under the name of VS_VERSION_INFORMATION (or versioninfo for short). It is divided into 2 parts. The first part (which is rather uninteresting) is really a bunch of numbers and flags indicating the product and file version. 
It was originally intended for use with installers which, after parsing it, should be able to determine whether a certain executable or library are to be upgraded/overwritten or are already up to date. Suffice to say, this approach never really worked and is generally never used. The second block is much more interesting: it is a simple list of key/value strings, intended for user information and completely ignored by the OS. For example, if you look at ping.exe you can see the company being \"Microsoft Corporation\" , the description \"TCP/IP Ping command\" , the internal name \"ping.exe\" and so on... Depending on the OS version, some keys may be given peculiar visibility in the file properties dialog, however they are internally all the same. To match a versioninfo key/value pair, the special file offset anchor VI was introduced. This is similar to the other anchors (like EP and SL) except that, instead of matching the hex pattern against a single offset, it checks it against each and every key/value pair in the file. The VI token doesn’t need nor accept a +/- offset like e.g. EP+1. As for the hex signature itself, it’s just the utf16 dump of the key and value. Only the ?? and (aa|bb) wildcards are allowed in the signature. Usually, you don’t need to bother figuring it out: each key/value pair together with the corresponding VI-based signature is printed by clamscan when the --debug option is given. 
For example clamscan --debug freecell.exe produces: [...]\nRecognized MS-EXE/DLL file\nin cli_peheader\nversioninfo_cb: type: 10, name: 1, lang: 410, rva: 9608\ncli_peheader: parsing version info @ rva 9608 (1/1)\nVersionInfo (d2de): 'CompanyName'='Microsoft Corporation' -\nVI:43006f006d00700061006e0079004e0061006d006500000000004d006900\n630072006f0073006f0066007400200043006f00720070006f0072006100740\n069006f006e000000\nVersionInfo (d32a): 'FileDescription'='Entertainment Pack\nFreeCell Game' - VI:460069006c006500440065007300630072006900700\n0740069006f006e000000000045006e007400650072007400610069006e006d\n0065006e00740020005000610063006b0020004600720065006500430065006\nc006c002000470061006d0065000000\nVersionInfo (d396): 'FileVersion'='5.1.2600.0 (xpclient.010817\n-1148)' - VI:460069006c006500560065007200730069006f006e00000000\n0035002e0031002e0032003600300030002e003000200028007800700063006\nc00690065006e0074002e003000310030003800310037002d00310031003400\n380029000000\nVersionInfo (d3fa): 'InternalName'='freecell' - VI:49006e007400\n650072006e0061006c004e0061006d006500000066007200650065006300650\n06c006c000000\nVersionInfo (d4ba): 'OriginalFilename'='freecell' - VI:4f007200\n6900670069006e0061006c00460069006c0065006e0061006d0065000000660\n0720065006500630065006c006c000000\nVersionInfo (d4f6): 'ProductName'='Sistema operativo Microsoft\nWindows' - VI:500072006f0064007500630074004e0061006d00650000000\n000530069007300740065006d00610020006f00700065007200610074006900\n76006f0020004d006900630072006f0073006f0066007400ae0020005700690\n06e0064006f0077007300ae000000\nVersionInfo (d562): 'ProductVersion'='5.1.2600.0' - VI:50007200\n6f006400750063007400560065007200730069006f006e00000035002e00310\n02e0032003600300030002e0030000000\n[...] Although VI-based signatures are intended for use in logical signatures you can test them using ordinary .ndb files. For example: my_test_vi_sig:1:VI:paste_your_hex_sig_here Final note. 
If you want to decode a VI-based signature into a human readable form you can use: echo hex_string | xxd -r -p | strings -el For example: echo 460069006c0065004400650073006300720069007000740069006f006e000000000045006e007400650072007400610069006e006d0065006e00740020005000610063006b0020004600720065006500430065006c006c00200047006100\n6d0065000000 | xxd -r -p | strings -el\nFileDescription\nEntertainment Pack FreeCell Game","breadcrumbs":"Signatures » Content-based Signature Format » Logical Signatures » Signatures for Version Information (VI) metadata in PE files","id":"122","title":"Signatures for Version Information (VI) metadata in PE files"},"123":{"body":"While Icon Signatures are stored in a .idb file, they are a feature of Logical Signatures. ClamAV 0.96 includes an approximate/fuzzy icon matcher to help detecting malicious executables disguising themselves as innocent looking image files, office documents and the like. Icon matching is only triggered by Logical Signatures (.ldb) using the special attribute tokens IconGroup1 or IconGroup2. These identify two (optional) groups of icons defined in a .idb database file. The format of the .idb file is: ICONNAME:GROUP1:GROUP2:ICON_HASH where: ICON_NAME is a unique string identifier for a specific icon, GROUP1 is a string identifier for the first group of icons (IconGroup1) GROUP2 is a string identifier for the second group of icons (IconGroup2), ICON_HASH is a fuzzy hash of the icon image The ICON_HASH field can be obtained from the debug output of libclamav. 
For example: LibClamAV debug: ICO SIGNATURE:\nICON_NAME:GROUP1:GROUP2:18e2e0304ce60a0cc3a09053a30000414100057e000afe0000e 80006e510078b0a08910d11ad04105e0811510f084e01040c080a1d0b0021000a39002a41","breadcrumbs":"Signatures » Content-based Signature Format » Logical Signatures » Icon Signatures for PE files","id":"123","title":"Icon Signatures for PE files"},"124":{"body":"The extended signature format is ClamAV's most basic type of body-based signature since the deprecation of the original .db database format. Extended sigantures allow for specification of additional information beyond just hexidecimal content such as a file \"target type\", virus offset, or engine functionality level (FLEVEL), making the detection more reliable. The format is: MalwareName:TargetType:Offset:HexSignature[:min_flevel:[max_flevel]] MalwareName: The virus name. Should conform to the standards defined here . TargetType: A number specifying the type of the target file: Target Types Offset: An asterisk or a decimal number n possibly combined with a special modifier: * = any n = absolute offset EOF-n = end of file minus n bytes Signatures for PE, ELF and Mach-O files additionally support: EP+n = entry point plus n bytes (EP+0 for EP) EP-n = entry point minus n bytes Sx+n = start of section x’s (counted from 0) data plus n bytes SEx = entire section x (offset must lie within section boundaries) SL+n = start of last section plus n bytes All the above offsets except * can be turned into floating offsets and represented as Offset,MaxShift where MaxShift is an unsigned integer. A floating offset will match every offset between Offset and Offset+MaxShift, eg. 10,5 will match all offsets from 10 to 15 and EP+n,y will match all offsets from EP+n to EP+n+y. Versions of ClamAV older than 0.91 will silently ignore the MaxShift extension and only use Offset. Optional MinFL and MaxFL parameters can restrict the signature to specific engine releases. 
All signatures in the extended format must be placed inside *.ndb files. HexSignature: The body-based content matching format . min_flevel: (optional) The minimum ClamAV engine that the file type signature works with. See the FLEVEL reference for details. To be used in the event that file type support has been recently added. max_flevel: (optional, requires min_flevel) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed.","breadcrumbs":"Signatures » Content-based Signature Format » Extended Signatures » Extended signature format","id":"124","title":"Extended signature format"},"125":{"body":"ClamAV can process YARA rules. ClamAV virus database file names ending with .yar or .yara are parsed as YARA rule files. The link to the YARA rule grammar documentation may be found at https://virustotal.github.io/yara/ . There are currently a few limitations on using YARA rules within ClamAV: YARA modules are not yet supported by ClamAV. This includes the “import” keyword and any YARA module-specific keywords. Global rules (global keyword) are not supported by ClamAV. External variables(contains and matches keywords) are not supported. YARA rules pre-compiled with the yarac command are not supported. As in the ClamAV logical and extended signature formats, YARA strings and segments of strings separated by wild cards must represent at least two octets of data. There is a maximum of 64 strings per YARA rule. YARA rules in ClamAV must contain at least one literal, hexadecimal, or regular expression string. In addition, there are a few more ClamAV processing modes that may affect the outcome of YARA rules. File decomposition and decompression - Since ClamAV uses file decomposition and decompression to find viruses within de-archived and uncompressed inner files, YARA rules executed by ClamAV will match against these files as well. 
Normalization - By default, ClamAV normalizes HTML, JavaScript, and ASCII text files. YARA rules in ClamAV will match against the normalized result. The effects of normalization of these file types may be captured using clamscan --leave-temps --tempdir=mytempdir. YARA rules may then be written using the normalized file(s) found in mytempdir. Alternatively, starting with ClamAV 0.100.0, clamscan --normalize=no will prevent normalization and only scan the raw file. To obtain similar behavior prior to 0.99.2, use clamscan --scan-html=no. The corresponding parameters for clamd.conf are Normalize and ScanHTML. YARA conditions driven by string matches - All YARA conditions are driven by string matches in ClamAV. This saves from executing every YARA rule on every file. Any YARA condition may be augmented with a string match clause which is always true, such as: rule CheckFileSize\n{ strings: $abc = \"abc\" condition: ($abc or not $abc) and filesize < 200KB\n} This will ensure that the YARA condition always performs the desired action (checking the file size in this example),","breadcrumbs":"Signatures » YARA Rules » Using YARA rules in ClamAV","id":"125","title":"Using YARA rules in ClamAV"},"126":{"body":"ClamAV can detect HTML links that look suspicious when the display text is a URL that is a different domain than than in the actual URL. Unfortunately, it is pretty common for a company to contract out web services and to use HTML link display text to make it look like it is a link to the company website. Because this practice is commonplace, ClamAV only does phishing checks for specific websites that are popularly targeted by phishing campaigns. Signatures to identify domains that should be monitored for phishing attempts are listed in ClamAV PDB database files, such as daily.pdb, a file found in the daily.cvd archive. Unfortunately, many websites listed in the PDB phishing database also send emails with links that display a different domain than is in the actual link. 
To mitigate false positive detections in non-malicious links, ClamAV has allow list signatures in ClamAV WDB database files, such as daily.wdb, another file found in the daily.cvd archive. To help you identify what triggered a heuristic phishing alert, clamscan or clamd will print a message indicating the \"Display URL\" and \"Real URL\" involved in a heuristic phishing alert. For example, suppose that amazon.com were listed in ClamAV's loaded PDB database, you might observe this message before the alert when scanning an email with a link that claims to be for https://www.amazon.com/ but is in fact linking to https://someshadywebsite.example.com/: LibClamAV info: Suspicious link found!\nLibClamAV info: Real URL: https://someshadywebsite.example.com\nLibClamAV info: Display URL: https://www.amazon.com\n/path/to/suspicious/email.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND Table of Contents Phishing Signatures Database file format PDB format GDB format WDB format Hints Examples of PDB signatures Examples of WDB signatures Example for how the URL extractor works How matching works RealURL, DisplayedURL concatenation What happens when a match is found Extraction of RealURL, DisplayedURL from HTML tags Example Simple patterns Regular expressions Flags Introduction to regular expressions Special characters Character classes Escaping Alternation Optional matching, and repetition Groups How to create database files How to create and maintain the allow list (daily.wdb) How to create and maintain the domain list (daily.pdb) Dealing with false positives, and undetected phishing mails False positives Undetected phish mails","breadcrumbs":"Signatures » Phishing Signatures » Phishing Signatures","id":"126","title":"Phishing Signatures"},"127":{"body":"PDB format This file contains urls/hosts that should be monitored for phishing attempts. 
It contains lines in the following format: R:DisplayedURL[:FuncLevelSpec]\nH:DisplayedHostname[:FuncLevelSpec] R Regular expression, for the concatenated URL. The last 3 characters of the regular expression cannot regex special characters and much be an exact match. H Matches the DisplayedHostname as a simple pattern (literally, no regular expression). The pattern can match either the full hostname. Or a subdomain of the specified hostname. To avoid false matches in case of subdomain matches, the engine checks that there is a dot(.) or a space( ) before the matched portion. RealURL Is the URL the user is sent to, example: href attribute of an html anchor ( tag). DisplayedURL Is the URL description displayed to the user, where its claimed they are sent, example: contents of an html anchor ( tag). DisplayedHostname Is the hostname portion of the DisplayedURL. FuncLevelSpec An (optional) functionality level, 2 formats are possible: minlevel all engines having functionality level >= minlevel will load this line. minlevel-maxlevel engines with functionality level >= minlevel, and < maxlevel will load this line. GDB format This file contains URL hashes in the following format: S:P:HostPrefix[:FuncLevelSpec]\nS:F:Sha256hash[:FuncLevelSpec]\nS1:P:HostPrefix[:FuncLevelSpec]\nS1:F:Sha256hash[:FuncLevelSpec]\nS2:P:HostPrefix[:FuncLevelSpec]\nS2:F:Sha256hash[:FuncLevelSpec]\nS:W:Sha256hash[:FuncLevelSpec] S: These are hashes for Google Safe Browsing - malware sites, and should not be used for other purposes. S2: These are hashes for Google Safe Browsing - phishing sites, and should not be used for other purposes. S1: Hashes for blocking phishing sites. Virus name: Phishing.URL.Blocked. S:W: Locally allowed hashes. HostPrefix 4-byte prefix of the sha256 hash of the last 2 or 3 components of the hostname. If prefix doesn’t match, no further lookups are performed. 
Sha256hash sha256 hash of the canonicalized URL, or a sha256 hash of its prefix/suffix according to the Google Safe Browsing “Performing Lookups” rules. There should be a corresponding :P:HostkeyPrefix entry for the hash to be taken into consideration. To see which hash/URL matched, look at the clamscan --debug output, and look for the following strings: Looking up hash, prefix matched, and Hash matched. To ignore .gdb entries, create a local.gdb file, and adding a line S:W:. WDB format This file contains url pairs for links that may look suspicious but are safe and should be allowed. It contains lines in the following format: X:RealURL:DisplayedURL[:FuncLevelSpec]\nM:RealHostname:DisplayedHostname[:FuncLevelSpec] X Regular expression, for the entire URL , not just the hostname. The regular expression is by default anchored to start-of-line and end-of-line, as if you have used ^RegularExpression$ A trailing / is automatically added both to the regex, and the input string to avoid false matches. The regular expression matches the concatenation of the RealURL, a colon(:), and the DisplayedURL as a single string. It doesn’t separately match RealURL and DisplayedURL! The last 3 characters of the regular expression cannot regex special characters and much be an exact match. M Matches hostname, or subdomain of it, see notes for H above. Hints Empty lines are ignored The colons are mandatory Don’t leave extra spaces on the end of a line! If any of the lines don’t conform to this format, ClamAV will abort with a Malformed Database Error See section Extraction-of-RealURL for more details on RealURL/DisplayedURL Examples of PDB signatures To check for phishing mails that target amazon.com, or subdomains of amazon.com: H:amazon.com To do the same, but for amazon.co.uk: H:amazon.co.uk Alternatively, you could use a regex PDB signature to check both: R:.+\\.amazon\\.(com|co\\.uk)([/?].*)? You can limit the signatures to certain engine versions . For example... 
Restrict so that engine versions 20 through 30 can load it, but not 31+: H:amazon.co.uk:20-30 Restrict so that engine versions >= 20 can load it: H:amazon.co.uk:20- Restrict so that engine versions <= 20 can load it: H:amazon.co.uk:0-20 In a real situation, you’d probably use the second form. A situation like that would be if you are using a feature of the signatures not available in earlier versions, or if earlier versions have bugs with your signature. Its neither case here, the above examples are for illustrative purposes only. Examples of WDB signatures To allow Amazon’s country specific domains and amazon.com, to mix domain names in DisplayedURL, and RealURL: X:.+\\.amazon\\.(at|ca|co\\.uk|co\\.jp|de|fr)([/?].*)?:.+\\.amazon\\.com([/?].*)?:17- Explanation of this signature: X: this is a regular expression :17- load signature only for engines with functionality level >= 17 The regular expression is the following (X:, :17- stripped, and a / appended) .+\\.amazon\\.(at|ca|co\\.uk|co\\.jp|de|fr)([/?].*)?:.+\\.amazon\\.com([/?].*)?/ Explanation of this regular expression (note that it is a single regular expression, and not 2 regular expressions splitted at the :). .+ any subdomain of \\.amazon\\. domain we are allowing (RealURL part) (at|ca|co\\.uk|co\\.jp|de|fr) country-domains: at, ca, co.uk, co.jp, de, fr ([/?].*)? recomended way to end the real-url, this protects against embedded URLs (evilurl.example.com/amazon.co.uk/) : RealURL and DisplayedURL are concatenated via a :, so match a literal : here .+ any subdomain of \\.amazon\\.com allowed DisplayedURL ([/?].*)? recommended way to end displayed url part, to protect against embedded URLs / automatically added to further protect against embedded URLs When you add an entry, make sure you check that both domains are owned by the same entity. This signature allows links claiming to point to amazon.com (DisplayedURL), when in fact they really go to a country-specific domain of amazon (RealURL). 
Example for how the URL extractor works Consider the following HTML file: \n 1.displayedurl.example.com\n\n 2 di

    splayedurl.example.com\n\n 3.nested.example.com 4.displayedurl.example.com \n\n

    sometext 5.form.nested.link-displayedurl.example.com \n\n 6.displ ayedurl.example.com\n\n