@@ -1,9 +1,39 @@ |
1 |
-0.95.2 |
|
1 |
+0.96rc1 |
|
2 |
+------- |
|
2 | 3 |
|
3 |
-This version improves handling of archives, adds support for --file-list |
|
4 |
-in clamscan and clamdscan, and fixes various issues found in previous |
|
5 |
-releases. |
|
4 |
+This release of ClamAV introduces new malware detection mechanisms and other |
|
5 |
+significant improvements to the scan engine. The key features include: |
|
6 |
+ |
|
7 |
+ - The Bytecode Interpreter: the interpreter built into LibClamAV allows |
|
8 |
+ the signature writers to create and distribute very complex detection |
|
9 |
+ routines and remotely enhance the scanner's functionality |
|
10 |
+ |
|
11 |
+ - Heuristic improvements: improve the PE heuristics detection engine by |
|
12 |
+ adding support of bogus icons and fake PE header information. In a |
|
13 |
+ nutshell, ClamAV can now detect malware that tries to disguise itself |
|
14 |
+ as a harmless application by using the most common Windows program icons. |
|
15 |
+ |
|
16 |
+ - Signature Improvements: logical signature improvements to allow more |
|
17 |
+ detailed matching and referencing groups of signatures. Additionally, |
|
18 |
+ improvements to wildcard matching on word boundaries and newlines. |
|
19 |
+ |
|
20 |
+ - Support for new archives: 7zip, InstallShield and CPIO. LibClamAV |
|
21 |
+ can now transparently unpack and inspect their contents. |
|
22 |
+ |
|
23 |
+ - Support for new executable file formats: 64-bit ELF files and OS X |
|
24 |
+ Universal Binaries with Mach-O files. Additionally, the PE module |
|
25 |
+ can now decompress and inspect executables packed with UPX 3.0. |
|
26 |
+ |
|
27 |
+ - Performance improvements: overall performance improvements and memory |
|
28 |
+ optimizations for a better overall resource utilization experience. |
|
29 |
+ |
|
30 |
+ - Native Windows Support: ClamAV will now build natively under Visual |
|
31 |
+ Studio. This will allow 3rd Party application developers on Windows |
|
32 |
+ to easily integrate LibClamAV into their applications. |
|
33 |
+ |
|
34 |
+The complete list of changes is available in the ChangeLog file. For upgrade |
|
35 |
+notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes096 |
|
6 | 36 |
|
7 | 37 |
-- |
8 | 38 |
The ClamAV team (http://www.clamav.net/team) |
39 |
+ |
@@ -2,6 +2,55 @@ Note: This README/NEWS file refers to the source tarball. Some things described |
2 | 2 |
here may not be available in binary packages. |
3 | 3 |
-- |
4 | 4 |
|
5 |
+0.96rc1 |
|
6 |
+------- |
|
7 |
+ |
|
8 |
+This release of ClamAV introduces new malware detection mechanisms and other |
|
9 |
+significant improvements to the scan engine. The key features include: |
|
10 |
+ |
|
11 |
+ - The Bytecode Interpreter: the interpreter built into LibClamAV allows |
|
12 |
+ the signature writers to create and distribute very complex detection |
|
13 |
+ routines and remotely enhance the scanner's functionality |
|
14 |
+ |
|
15 |
+ - Heuristic improvements: improve the PE heuristics detection engine by |
|
16 |
+ adding support of bogus icons and fake PE header information. In a |
|
17 |
+ nutshell, ClamAV can now detect malware that tries to disguise itself |
|
18 |
+ as a harmless application by using the most common Windows program icons. |
|
19 |
+ |
|
20 |
+ - Signature Improvements: logical signature improvements to allow more |
|
21 |
+ detailed matching and referencing groups of signatures. Additionally, |
|
22 |
+ improvements to wildcard matching on word boundaries and newlines. |
|
23 |
+ |
|
24 |
+ - Support for new archives: 7zip, InstallShield and CPIO. LibClamAV |
|
25 |
+ can now transparently unpack and inspect their contents. |
|
26 |
+ |
|
27 |
+ - Support for new executable file formats: 64-bit ELF files and OS X |
|
28 |
+ Universal Binaries with Mach-O files. Additionally, the PE module |
|
29 |
+ can now decompress and inspect executables packed with UPX 3.0. |
|
30 |
+ |
|
31 |
+ - Performance improvements: overall performance improvements and memory |
|
32 |
+ optimizations for a better overall resource utilization experience. |
|
33 |
+ |
|
34 |
+ - Native Windows Support: ClamAV will now build natively under Visual |
|
35 |
+ Studio. This will allow 3rd Party application developers on Windows |
|
36 |
+ to easily integrate LibClamAV into their applications. |
|
37 |
+ |
|
38 |
+The complete list of changes is available in the ChangeLog file. For upgrade |
|
39 |
+notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes096 |
|
40 |
+ |
|
41 |
+-- |
|
42 |
+The ClamAV team (http://www.clamav.net/team) |
|
43 |
+ |
|
44 |
+0.95.3 |
|
45 |
+------ |
|
46 |
+ |
|
47 |
+ClamAV 0.95.3 is a bugfix release recommended for all users. |
|
48 |
+Please refer to the ChangeLog included in the source distribution |
|
49 |
+for the list of changes. |
|
50 |
+ |
|
51 |
+-- |
|
52 |
+The ClamAV team (http://www.clamav.net/team) |
|
53 |
+ |
|
5 | 54 |
0.95.2 |
6 | 55 |
------ |
7 | 56 |
|
@@ -71,7 +71,7 @@ |
71 | 71 |
\vspace{3cm} |
72 | 72 |
\begin{flushright} |
73 | 73 |
\rule[-1ex]{8cm}{3pt}\\ |
74 |
- \huge Clam AntiVirus -devel\\ |
|
74 |
+ \huge Clam AntiVirus 0.96rc1\\ |
|
75 | 75 |
\huge \emph{User Manual}\\ |
76 | 76 |
\end{flushright} |
77 | 77 |
|
@@ -83,7 +83,7 @@ |
83 | 83 |
\noindent |
84 | 84 |
\begin{boxedminipage}[b]{\textwidth} |
85 | 85 |
ClamAV User Manual, |
86 |
- \copyright \ 2007 - 2009 Sourcefire, Inc. |
|
86 |
+ \copyright \ 2007 - 2010 Sourcefire, Inc. |
|
87 | 87 |
Authors: Tomasz Kojm\\ |
88 | 88 |
This document is distributed under the terms of the GNU General |
89 | 89 |
Public License v2.\\ |
@@ -127,15 +127,20 @@ |
127 | 127 |
\item{POSIX compliant, portable} |
128 | 128 |
\item{Fast scanning} |
129 | 129 |
\item{Supports on-access scanning (Linux and FreeBSD only)} |
130 |
- \item{Detects over 570.000 viruses, worms and trojans, including |
|
130 |
+ \item{Detects over 720.000 viruses, worms and trojans, including |
|
131 | 131 |
Microsoft Office macro viruses, mobile malware, and other threats} |
132 |
+ \item{Built-in bytecode interpreter allows the ClamAV signature writers |
|
133 |
+ to create and distribute very complex detection routines and |
|
134 |
+ remotely enhance the scanner's functionality} |
|
132 | 135 |
\item{Scans within archives and compressed files (also protects |
133 | 136 |
against archive bombs), built-in support includes: |
134 | 137 |
\begin{itemize} |
135 | 138 |
\item Zip (including SFX) |
136 | 139 |
\item RAR (including SFX) |
140 |
+ \item 7Zip |
|
137 | 141 |
\item ARJ (including SFX) |
138 | 142 |
\item Tar |
143 |
+ \item CPIO |
|
139 | 144 |
\item Gzip |
140 | 145 |
\item Bzip2 |
141 | 146 |
\item MS OLE2 |
@@ -145,6 +150,7 @@ |
145 | 145 |
\item BinHex |
146 | 146 |
\item SIS (SymbianOS packages) |
147 | 147 |
\item AutoIt |
148 |
+ \item InstallShield |
|
148 | 149 |
\end{itemize}} |
149 | 150 |
\item{Supports Portable Executable (32/64-bit) files compressed or obfuscated with:} |
150 | 151 |
\begin{itemize} |
@@ -159,6 +165,7 @@ |
159 | 159 |
\item Upack |
160 | 160 |
\item Y0da Cryptor |
161 | 161 |
\end{itemize} |
162 |
+ \item{Supports ELF and Mach-O files (both 32- and 64-bit)} |
|
162 | 163 |
\item{Supports almost all mail file formats} |
163 | 164 |
\item{Support for other special files/formats includes:} |
164 | 165 |
\begin{itemize} |
@@ -203,18 +210,19 @@ |
203 | 203 |
\section{Base package} |
204 | 204 |
|
205 | 205 |
\subsection{Supported platforms} |
206 |
- Most popular UNIX operating systems are supported. Clam AntiVirus 0.9x was |
|
207 |
- tested on: |
|
208 |
- \begin{itemize} |
|
209 |
- \item{GNU/Linux} |
|
210 |
- \item{Solaris} |
|
211 |
- \item{FreeBSD} |
|
212 |
- \item{OpenBSD} \footnote{Installation from a port is recommended.} |
|
213 |
- \item{Mac OS X} |
|
214 |
- \end{itemize} |
|
215 |
- Some features may not be available on your operating system. If you |
|
216 |
- are successfully running Clam AntiVirus on a system not listed above |
|
217 |
- please let us know. |
|
206 |
+ \subsubsection{UNIX} |
|
207 |
+ The most popular UNIX operating systems are supported. Clam AntiVirus 0.9x is |
|
208 |
+ regularly tested on: |
|
209 |
+ \begin{itemize} |
|
210 |
+ \item{GNU/Linux} |
|
211 |
+ \item{Solaris} |
|
212 |
+ \item{FreeBSD} |
|
213 |
+ \item{OpenBSD} \footnote{Installation from a port is recommended.} |
|
214 |
+ \item{Mac OS X} |
|
215 |
+ \end{itemize} |
|
216 |
+ |
|
217 |
+ \subsubsection{Windows} |
|
218 |
+ Starting with 0.96 ClamAV builds natively under Visual Studio. |
|
218 | 219 |
|
219 | 220 |
\subsection{Binary packages} |
220 | 221 |
You can find the up-to-date list of binary packages at our website: |
@@ -223,7 +231,9 @@ |
223 | 223 |
\section{Installation} |
224 | 224 |
|
225 | 225 |
\subsection{Requirements} |
226 |
- The following elements are required to compile ClamAV: |
|
226 |
+ The following components are required to compile ClamAV under UNIX: |
|
227 |
+ \footnote{For Windows instructions please see win32/README in the |
|
228 |
+ main source code directory.} |
|
227 | 229 |
\begin{itemize} |
228 | 230 |
\item zlib and zlib-devel packages |
229 | 231 |
\item gcc compiler suite (tested with 2.9x, 3.x and 4.x series)\\ |
@@ -428,7 +438,7 @@ $ CK_FORK=no ./libtool --mode=execute valgrind unit_tests/check-clamav |
428 | 428 |
section. |
429 | 429 |
|
430 | 430 |
\subsection{clamav-milter} |
431 |
- ClamAV 0.95 includes a new, redesigned clamav-milter. The most notable |
|
431 |
+ ClamAV $\ge0.95$ includes a new, redesigned clamav-milter. The most notable |
|
432 | 432 |
difference is that the internal mode has been dropped and now a working |
433 | 433 |
clamd companion is required. The second important difference is that now |
434 | 434 |
the milter has got its own configuration and log files. To compile ClamAV |
@@ -746,15 +756,14 @@ N * * * * /usr/local/bin/freshclam --quiet |
746 | 746 |
|
747 | 747 |
\subsection{Licence} |
748 | 748 |
Libclamav is licensed under the GNU GPL v2 licence. This means you are |
749 |
- \textbf{not allowed} to link commercial, close-source applications |
|
750 |
- against it\footnote{You can still use clamd or clamscan instead}. |
|
751 |
- All software using libclamav must be GPL compliant. |
|
749 |
+ \textbf{not allowed} to link commercial, closed-source software |
|
750 |
+ against it. All software using libclamav must be GPL compliant. |
|
752 | 751 |
|
753 |
- \subsection{Supported formats} |
|
752 |
+ \subsection{Supported formats and features} |
|
754 | 753 |
|
755 | 754 |
\subsubsection{Executables} |
756 |
- The library has a built-in support for 32/64-bit Portable Executable files |
|
757 |
- and 32-bit ELF files. Additionally, it can handle PE files compressed or |
|
755 |
+ The library has a built-in support for 32- and 64-bit Portable Executable, |
|
756 |
+ ELF and Mach-O files. Additionally, it can handle PE files compressed or |
|
758 | 757 |
obfuscated with the following tools: |
759 | 758 |
\begin{itemize} |
760 | 759 |
\item Aspack (2.12) |
@@ -779,7 +788,9 @@ N * * * * /usr/local/bin/freshclam --quiet |
779 | 779 |
\begin{itemize} |
780 | 780 |
\item Zip (+ SFX) |
781 | 781 |
\item RAR (+ SFX) |
782 |
+ \item 7Zip |
|
782 | 783 |
\item Tar |
784 |
+ \item CPIO |
|
783 | 785 |
\item Gzip |
784 | 786 |
\item Bzip2 |
785 | 787 |
\item MS OLE2 |
@@ -790,6 +801,7 @@ N * * * * /usr/local/bin/freshclam --quiet |
790 | 790 |
\item SIS (SymbianOS packages) |
791 | 791 |
\item AutoIt |
792 | 792 |
\item NSIS |
793 |
+ \item InstallShield |
|
793 | 794 |
\end{itemize} |
794 | 795 |
|
795 | 796 |
\subsubsection{Documents} |
@@ -824,7 +836,7 @@ N * * * * /usr/local/bin/freshclam --quiet |
824 | 824 |
#include <clamav.h> |
825 | 825 |
\end{verbatim} |
826 | 826 |
|
827 |
- \subsection{Initialization} |
|
827 |
+ \subsubsection{Initialization} |
|
828 | 828 |
Before using libclamav, you should call \verb+cl_init()+ to initialize |
829 | 829 |
it. When it's done, you're ready to create a new scan engine by calling |
830 | 830 |
\verb+cl_engine_new()+. To free resources allocated by the engine use |
@@ -866,6 +878,10 @@ N * * * * /usr/local/bin/freshclam --quiet |
866 | 866 |
Initialize the phishing detection module and load .wdb and .pdb files. |
867 | 867 |
\item \textbf{CL\_DB\_PUA}\\ |
868 | 868 |
Load signatures for Potentially Unwanted Applications. |
869 |
+ \item \textbf{CL\_DB\_OFFICIAL\_ONLY}\\ |
|
870 |
+ Only load official signatures from digitally signed databases. |
|
871 |
+ \item \textbf{CL\_DB\_BYTECODE}\\ |
|
872 |
+ Load bytecode. |
|
869 | 873 |
\end{itemize} |
870 | 874 |
\verb+cl_load()+ returns \verb+CL_SUCCESS+ on success and another code on |
871 | 875 |
failure. |
@@ -916,7 +932,7 @@ N * * * * /usr/local/bin/freshclam --quiet |
916 | 916 |
} |
917 | 917 |
\end{verbatim} |
918 | 918 |
|
919 |
- \subsection{Limits} |
|
919 |
+ \subsubsection{Limits} |
|
920 | 920 |
When you create a new engine with \verb+cl_engine_new()+, it will have |
921 | 921 |
all internal settings set to default values as recommended by the |
922 | 922 |
ClamAV authors. It's possible to check and modify the values (numerical |
@@ -937,7 +953,7 @@ const char *cl_engine_get_str(const struct cl_engine *engine, |
937 | 937 |
Please don't modify the default values unless you know what you're doing. |
938 | 938 |
Refer to the ClamAV sources (clamscan, clamd) for examples. |
939 | 939 |
|
940 |
- \subsection{Database reloading} |
|
940 |
+ \subsubsection{Database checks} |
|
941 | 941 |
It's very important to keep the internal instance of the database up to |
942 | 942 |
date. You can watch database changes with the \verb+cl_stat..()+ family |
943 | 943 |
of functions. |
@@ -955,7 +971,8 @@ const char *cl_engine_get_str(const struct cl_engine *engine, |
955 | 955 |
cl_statinidir(dbdir, &dbstat); |
956 | 956 |
\end{verbatim} |
957 | 957 |
To check for a change you just need to call \verb+cl_statchkdir+ and check |
958 |
- its return value (0 - no change, 1 - some change occured): |
|
958 |
+ its return value (0 - no change, 1 - some change occured). Remember to reset |
|
959 |
+ the \verb+cl_stat+ structure after reloading the database. |
|
959 | 960 |
\begin{verbatim} |
960 | 961 |
if(cl_statchkdir(&dbstat) == 1) { |
961 | 962 |
reload_database...; |
@@ -963,7 +980,20 @@ const char *cl_engine_get_str(const struct cl_engine *engine, |
963 | 963 |
cl_statinidir(cl_retdbdir(), &dbstat); |
964 | 964 |
} |
965 | 965 |
\end{verbatim} |
966 |
- Remember to reset the \verb+cl_stat+ structure after each reload. |
|
966 |
+ Libclamav $\ge0.96$ includes and additional call to check the number of |
|
967 |
+ signatures that can be loaded from a given directory: |
|
968 |
+ \begin{verbatim} |
|
969 |
+ int cl_countsigs(const char *path, unsigned int countoptions, |
|
970 |
+ unsigned int *sigs); |
|
971 |
+ \end{verbatim} |
|
972 |
+ The first argument points to the database directory, the second one |
|
973 |
+ specifies what signatures should be counted: |
|
974 |
+ \verb+CL_COUNTSIGS_OFFICIAL+ (official signatures),\\ |
|
975 |
+ \verb+CL_COUNTSIGS_UNOFFICIAL+ (third party signatures), |
|
976 |
+ \verb+CL_COUNTSIGS_ALL+ (all signatures). The last argument points |
|
977 |
+ to the counter to which the number of detected signatures will |
|
978 |
+ be added (therefore the counter should be initially set to 0). |
|
979 |
+ The call returns \verb+CL_SUCCESS+ or an error code. |
|
967 | 980 |
|
968 | 981 |
\subsubsection{Data scan functions} |
969 | 982 |
It's possible to scan a file or descriptor using: |
@@ -82,7 +82,7 @@ typedef enum { |
82 | 82 |
#define CL_DB_DIRECTORY 0x800 /* internal */ |
83 | 83 |
#define CL_DB_OFFICIAL_ONLY 0x1000 |
84 | 84 |
#define CL_DB_BYTECODE 0x2000 |
85 |
-#define CL_DB_SIGNED 0x4000 |
|
85 |
+#define CL_DB_SIGNED 0x4000 /* internal */ |
|
86 | 86 |
|
87 | 87 |
/* recommended db settings */ |
88 | 88 |
#define CL_DB_STDOPT (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE) |
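Review bot: The `/* internal */` marker added to CL_DB_SIGNED documents intent only; nothing in this hunk stops a caller from OR-ing 0x4000 into the dboptions it passes to cl_load(), and the same is true of CL_DB_DIRECTORY two lines above. Whether the loader clears internal bits before acting on them cannot be seen from here; if it does not, a caller-supplied CL_DB_SIGNED could presumably make an unverified database look signed, which matters now that the manual in this commit describes CL_DB_OFFICIAL_ONLY in terms of "digitally signed databases". Grouping the internal bits under one mask gives the loader a single place to strip them, e.g. `#define CL_DB_INTERNAL_FLAGS (CL_DB_DIRECTORY | CL_DB_SIGNED) /* set by libclamav, ignored in caller options */` (constructed name), and the comment on each flag could then say "set by the loader, never by the caller" so that the public meaning of "internal" is explicit in the header.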