Clam AntiVirus / News: Recent posts

This is the last release candidate for 0.90 .
Please report any problems through our bugzilla: http://bugs.clamav.net . If you are running ClamAV 0.90RC1.1 or 0.90rc2, you are strongly encouraged to upgrade to the latest RC. Remember to try the experimental code by using "./configure --enable-experimental" at compile time.

Our new Wiki site is now in production. Visit http://wiki.clamav.net and register yourself! You are welcome to document all the steps you did to integrate ClamAV with your favourite content scanner. Also feel free to post your success stories about ClamAV on http://wiki.clamav.net/Main/SuccessStories . Let's share your know-how on ClamAV with the rest of our user community!
We really hope that this new Wiki will serve for this purpose better than the previous one. We learned the lesson the hard way: the new wiki features a more user friendly interface, a WYSIWYG editor and some very important antispam protections.

Heise Security reports that ClamAV was among the first virus scanners to detect a trojan distributed by a forged version of Wikipedia. You can read the full article at http://www.heise-security.co.uk/news/80729

The second release candidate of the long awaited
ClamAV 0.90 is ready for general testing! If you are running ClamAV 0.90RC1.1, you are strongly encouraged to upgrade to the latest RC. Remember to try the experimental code by using "./configure --enable-experimental" at compile time. Please note that we do not accept bug reports against 0.90RC1.1 anymore.

Our donate page now features a PayPal button. Keeping the virus database up to date is a time consuming task: we need to process a lot of malware every day and generate new signatures for it. The ClamAV team provides you with timely updates and continuosly implement new features to make your favourite antivirus (and its derivative products) more effective.
Visit http://www.clamav.net/donate.html#pagestart and contribute to our project.

The first release candidate of the long awaited
ClamAV 0.90 is ready for general testing!

The 0.9x series introduces lots of improvements
in terms of detection rate and performance, like
support for many new packers and decryptors, RAR3
and SIS archives, and a new phishing signatures
format that proves to be very effective.

The email decoding has been improved to reduce
both the memory requirements and the time taken
to process attachments.
We have been working hard also on the ClamAV
Virus Database: we now have more than 73.000
signatures and we keep on reviewing hundreds of
samples everyday.... read more

In the hope to get more detailed bug reports and coordinate the work of people testing our experimental code, we decided to open a bug tracker.
After checking many different bug tracker, we decided to stick to the well known Bugzilla.
Please use it wisely: http://bugs.clamav.net

Summer of Code 2006 is a program sponsored by Google, that offers student developers stipends to create new open source programs or to help currently established projects. The ClamAV project is happy to join this event and get some help from emerging developers to quickly implement some of the features (see http://www.clamav.net/news/soc2006.html\) that are currently on our TODO list.

Google will give 5000 USD per accepted student, of which 4500 USD goes to the student and 500 USD goes to the mentoring organization.
Students who wish to join the program and help the ClamAV project will be paid 500 USD upon acceptance of their application, 2000 USD mid program (assuming they have made sufficient progress on the project), and 2000 USD at close of program (assuming they have completed the project).
See http://code.google.com/soc/studentfaq.html for more information.

W32.Polipos.A is a complex polimorphic virus infecting 32-bit Windows executables. The virus uses advanced techniques, such as entry point obscuring, to make the detection even harder. It can also spread via P2P networks and contains procedures against security software.

Extensive tests in our secure environments showed that ClamAV 0.88.2 was able to detect 100% W32.Polipos.A infections without producing a single false positive alert.

On April 12, the security company SonicWALL announced Day Zero protection against vulnerability in Clam AntiVirus. The press release (see: http://biz.yahoo.com/prnews/060412/sfw078.html?.v=47\) bewildered ClamAV developers. The problem described in the press release was... already fixed in the 0.88.1 version of ClamAV published on April 4. Moreover, it was ranked by the Clam AntiVirus programmers as low risk.... read more

Electric Mail (http://www.electricmail.com), one of the first e-mail service providers in 1994, now processing more than 10 million e-mail messages day, decided to compare Clam AntiVirus effectiveness in mail filtering with two of the top five antivirus vendors in the world. They timed how long it took each vendor to release a signature update from the time the virus was first seen. The results were very surprising to the company's engineering group: ClamAV outranked the other two antivirus vendors by a wide margin, being first 77% of the time for the last 50 new virus variants
checked. Full story at: http://www.linuxpipeline.com/166400446

Many people ask how fast ClamAV is in responding to new threats. Here are a few links to reaction time stats for some recent malware:

Sober.P: http://www.pcwelt.de/news/sicherheit/111012/index2.html

Sober.L: http://www.pcwelt.de/news/sicherheit/108562/index.html

Sober.I: http://www.heise.de/security/news/meldung/53427

All of the above statistics were collected by third parties.

The purpose of the survey conducted by Dr. Katherine Stewart from University of Maryland was to gain an understanding of user views regarding the pros and cons of OSS adoption. This survey was a first step in a larger study aimed at assessing the applicability of prior theories of user adoption in the OSS context, identifying adoption factors that are unique to OSS, and incorporating those factors into a broader theoretical framework.
By courtesy of Dr. Stewart we publish the summary of the survey on Clam AntiVirus:
Results from ClamAV respondents paralleled those of the larger population. Respondents were generally impressed with the quality of the product and the level of support available. One respondent noted "I felt convinced by ClamAV's speed of development and project members responsiveness as exhibited in the mailing list." Many believed that the product's level of quality derived from the open source development
model. One user noted "[ClamAV's effectiveness] is due to the development model ? end users submit suspicious emails or executables to the development team which can act as soon as a new threat is seen,
unlike a corporate model where end user participation is more limited."
ClamAV users noted with great frequency that ClamAV "tends to beat all competitors in terms of response times to new virus outbreaks." Unlike other respondents who had adopted software they felt "had a steep
learning curve", ClamAV users adopted the program because of its "simplicity."

Visit the ClamAV merchandise shop at http://www.cafepress.com/clamav/ . A big thank you to Finndesign (http://www.finndesign.fi) which volunteered to design the whole line of products, including: t-shirt (for women and men), sweatshirt, coffee mug, mousepad, scrapbook and many stickers.
By purchasing our merchandise, you contribute to the development of ClamAV and help us making it a better product.
We thought that some of you may want to show their appreciation for the project by adding an extra donation to their purchase on our store, so we made available a highly overpriced (25$) magnet button (http://www.cafepress.com/clamav.18387537). You can add as many magnet buttons as you want to your shopping cart. The money will be used to cover the running costs of the project.
Before making your purchase, carefully review the payment:
http://www.cafepress.com/cp/info/help/cppayment.aspx
and shipping conditions:
http://www.cafepress.com/cp/info/help/shipping.aspx
For more information please visit the following URL:
http://www.clamav.net/donate.html#merchandise... read more

Sensory Networks, the leading provider of hardware acceleration for network security applications, started a partnership with us to provide hardware acceleration support for the Clam AntiVirus suite.

"We are very excited about providing commercial support to the fast growing Clam AntiVirus project in the form of high performance acceleration for the suite" said Matt Barrie, Chief Executive Officer of Sensory Networks, "We are strong supporters of open source software, as it has a very strong role to play in the information security industry".
Support for Sensory Networks' NodalCore acceleration in Clam AntiVirus will be available in version 0.90 of the software suite in Q3 2005. ... read more

The new version of the anti-virus scanner protects against
malicious files attempting to exploit the MS05-002 vulnerability
("Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution).

Thanks to its executable inspection capabilities and generic signatures ClamAV was proactively blocking various MyDoom variants in September 2004. Recently ClamAV users have been protected against the latest Bagle outbreak. The worm is detected as Trojan.Downloader.Small-165, which was added on 8th November 2004.

The scan engine has been improved. The internal mail scanner now supports multipart/partial messages, and support for decoding non-standard mail files was greatly enhanced. clamav-milter by default uses libclamav and scans emails itself without the use of clamd. libclamav can now extract RFC2397 encoded data within HTML documents, block zip archives with modified information in local header, and scan HQX files. PE file structure rebuilding from compressed executables was improved too.
An important note to clamdwatch users: please upgrade to the latest version (it is under contrib/) as soon as possible.

WatchGuard Technologies, Inc. (Nasdaq: WGRD), a leading provider of network security solutions worldwide, announced WatchGuard Gateway AntiVirus for E-mail for the Firebox X line of security appliances. The unique deep application inspection capability integrated into WatchGuard security appliances examines traffic for protocol anomalies to determine if the content is malicious and blocks threats before they reach the anti-virus engine to avoid unnecessary processing overhead. If no threat is detected, the data is passed to ClamAV where it is analysed for viral content. Visit http://www.watchguard.com/press/releases/wg294.asp for more information.

Since releasing the new version of Clam AntiVirus, we have been continuously receiving very good opinions on its stability and efficiency.
Our users appreciate advanced mechanisms that protect against new type of malware, including image and HTML exploits, and phishing attacks as well.
Again, we encourage users of the older versions to update.

We are seeing a lot of useless traffic on our mirror servers.
It looks like there are many broken freshclam clients still running.

Once again, we urge you to upgrade to ClamAV 0.80 and take advantage of the new DNSDatabaseInfo option, which allows to check for a new version of the database with a single DNS query. Verify that your freshclam.conf contains:

DNSDatabaseInfo current.cvd.clamav.net

Check out the doc for more info.... read more

Many users are afraid of upgrading ClamAV because they fear they could break their mail system.
Writing an extensive guide about all the possible problems one may encounter during the process would require a big effort. So we decided to go for a Wiki-style doc: you can find it at http://wiki.clamav.net .
We hope that experienced users will contribute stuff, especially to http://wiki.clamav.net/index.php/UpgradeInstructions .
You can edit any page except the Home Page.

After a few months of extensive development a new major release of ClamAV is available for download. A lot of new features and improvements will make the neverending fight
against malware much more effective.

ClamAV 0.80rc3 successfuly detects JPEG files with modified comment section that allows attackers to remotely execute arbitrary code on unpatched Windows machines.

You can find the latest release of ClamAV here:

https://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197

New mechanisms in the development version of ClamAV have successfully protected against the new versions R,S,T,U, and V of the infamous Mydoom worm detecting them as Worm.Mydoom.Gen before virus was analysed and specific signatures added by the ClamAV database maintainers. That means servers running the latest devel version of ClamAV (with the new engine) have detected and blocked 100% of Mydoom attacks!