ClamAV 0.96 adds new malware detection mechanisms
The developers of the free ClamAV virus scanner have released version 0.96, adding various improvements and closing several security holes. For instance, ClamAV's improved heuristics are now said to detect Windows malware that tries to disguise itself as a harmless application using bogus icons and fake PE headers. The scanner can now inspect archives in 7zip, InstallShield and CPIO format, as well as files compressed with UPX 3.0. It also supports the analysis of 64-bit ELF files and Mac OS X Mach-O universal binaries. ClamAV's general performance has also been improved and its resource utilisation optimised.
Less important for end users but rather handy for developers is the option to build ClamAV natively in Visual Studio under Windows. This simplifies the integration of the LibClamAV library into third-party applications under Windows. A bytecode interpreter which comes with the library is designed to help signature writers create and distribute very complex detection routines.
The now-closed security holes allowed attackers to smuggle malware past the scanner using specially crafted CAB archives, or to crash the scanner by triggering memory errors with specially compressed files (Quantum compression). According to an advisory by Secunia, the holes can also be exploited to inject and execute arbitrary code on a vulnerable system.
All users are advised to update to the 0.96 release as soon as possible. As announced at the end of last year, the developers will also disable obsolete versions of ClamAV (older than 0.95) at the end of next week. For this purpose, the ClamAV team intends to deploy a special signature which will disable older scanners. The reason for this drastic measure is a bug in the Freshclam update service which prevents incremental updates from working with signatures longer than 980 bytes in the versions that preceded ClamAV 0.95. This reportedly prevents complex signatures from being distributed and causes server overloads due to full updates being carried out instead. The project plans to start releasing longer signatures in May.
More details about the release can be found in the release announcement and upgrade notes. ClamAV 0.96 is available to download from the project's website and is released under the GNU General Public License (GPL).
- ClamAV 0.94.x to go end-of-life, a report from The H.
- ClamAV 0.94 increases detection capabilities, a report from The H.