Cisco has announced the release of ClamAV 1.5.0, a significant update to the open-source antivirus engine that introduces major security enhancements, new document scanning capabilities, and extensive API improvements.
This version strengthens the platform’s detection and verification mechanisms, with a particular focus on Microsoft Office documents, PDF files, and overall cryptographic integrity, providing users with more robust tools to combat modern malware threats.
A key addition in ClamAV 1.5.0 is the ability to determine if a Microsoft Office document based on the OLE2 format is encrypted. This feature helps security systems identify potentially malicious files that use encryption to evade detection.
Furthermore, the update enhances metadata generation by introducing the capability to record Uniform Resource Identifiers (URIs) found within HTML and PDF files.
When the generate-JSON-metadata feature is enabled, ClamAV can now extract and log these links, providing valuable data for threat analysis.
Users who require the JSON metadata feature but do not wish to record URIs have granular control through new configuration options, JsonStoreHTMLURIs and JsonStorePDFURIs, which can be set in clamd.conf or via the command line.
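The following is an added illustration, not ClamAV's own code, of what "recording URIs as JSON metadata" amounts to for HTML and PDF input, with per-type switches that mirror the JsonStoreHTMLURIs and JsonStorePDFURIs options named above. The option names come from the text; the extraction rules (href/src attributes in HTML, /URI entries in PDF link annotations), the function names and the sample documents are constructed for this example and are simpler than a full parser.

```python
"""Added example (not ClamAV's implementation): extract URIs from HTML and PDF
content and record them in JSON metadata, honouring per-type store switches.
Extraction rules, names and sample inputs are assumptions made for this demo."""
import json
import re

# Constructed sample inputs (no real documents; TEST-NET address used).
SAMPLE_HTML = b"""<html><body>
<a href="https://example.com/login">Sign in</a>
<img src='http://cdn.example.net/logo.png'>
<script src="//static.example.org/app.js"></script>
<a href="https://example.com/login">Sign in again</a>
</body></html>"""

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/invoice) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://198.51.100.7/file.bin) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# href= / src= attribute values in HTML; protocol-relative links are kept as-is.
_HTML_ATTR_RE = re.compile(rb"""(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)
# /URI (...) entries in PDF link annotations; backslash-escaped parentheses allowed.
_PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^)\\])*)\)")


def extract_html_uris(data: bytes) -> list:
    """Return unique href/src values in document order."""
    uris = []
    for m in _HTML_ATTR_RE.finditer(data):
        val = (m.group(1) or m.group(2) or b"").decode("utf-8", "replace")
        if val and val not in uris:
            uris.append(val)
    return uris


def extract_pdf_uris(data: bytes) -> list:
    """Return unique /URI targets in document order, unescaping \\( and \\)."""
    uris = []
    for m in _PDF_URI_RE.finditer(data):
        val = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")")
        val = val.decode("utf-8", "replace")
        if val not in uris:
            uris.append(val)
    return uris


def build_metadata(filetype: str, data: bytes,
                   store_html_uris: bool = True,
                   store_pdf_uris: bool = True) -> dict:
    """Build a JSON-serialisable metadata record; URIs are only recorded when
    the switch for that file type is on (cf. JsonStoreHTMLURIs/JsonStorePDFURIs)."""
    meta = {"FileType": filetype, "FileSize": len(data)}
    if filetype == "html" and store_html_uris:
        meta["URIs"] = extract_html_uris(data)
    elif filetype == "pdf" and store_pdf_uris:
        meta["URIs"] = extract_pdf_uris(data)
    return meta


if __name__ == "__main__":
    print(json.dumps(build_metadata("html", SAMPLE_HTML), indent=2))
    print(json.dumps(build_metadata("pdf", SAMPLE_PDF), indent=2))
    # Same PDF with URI recording switched off: no "URIs" key is emitted.
    print(json.dumps(build_metadata("pdf", SAMPLE_PDF, store_pdf_uris=False)))
```

For analysis the interesting part is the recorded list itself: links to bare IP addresses, protocol-relative script sources or URIs that do not match the document's apparent sender are exactly the fields a downstream threat-analysis pipeline can key on once they are in the JSON record.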
Strengthened Security and Signature Verification
Version 1.5.0 brings substantial improvements to the security and integrity of the scanning process. A major change is the introduction of CVD signing and verification with external .sign files.
Freshclam will now download these external signature files alongside database and patch files, allowing for more secure verification. To support this, ClamAV now installs a certs directory and provides new configuration options to manage it.
Additionally, the release introduces a FIPS-like limits option that disables the use of MD5 and SHA1 for verifying digital signatures and trusting files.
This change mitigates concerns over weaker hashing algorithms and is critical for environments requiring FIPS compliance. The clean-file scan cache has also been upgraded from MD5 to the more secure SHA2-256 algorithm.
This release delivers a wealth of API enhancements and other notable improvements for developers and administrators.
The public API has been updated with new functions such as cl_cvdverify_ex, and extended hashing functions that allow callers to bypass FIPS hash limits when necessary.
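The following added example, which is not ClamAV's code, shows the effect of the two policy changes described above: a FIPS-like limits switch that refuses MD5 and SHA1 when trusting a file or verifying a digest unless the caller explicitly opts out (the behaviour the text attributes to the extended hashing functions), and a clean-file cache keyed by SHA2-256 instead of MD5. The function names, the trust-list layout, the substring "signature" and the sample data are assumptions made for this illustration; the EICAR test string stands in for malicious content.

```python
"""Added example (not ClamAV's implementation): FIPS-like hash limits with an
explicit bypass, a hash-based trust list, and a SHA2-256 clean-file cache.
Names, data layout and samples are constructed for this demonstration."""
import hashlib

WEAK_ALGOS = {"md5", "sha1"}

# Constructed samples: a benign blob and the standard EICAR test string.
SAMPLE_BENIGN = b"hello, benign document"
SAMPLE_MALICIOUS = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-"
                    b"TEST-FILE!$H+H*")
# Constructed substring "signature" standing in for a real detection database.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}


class HashNotPermitted(ValueError):
    """Raised when a weak hash is requested while FIPS-like limits are on."""


def hash_permitted(algo: str, fips_limits: bool, bypass_limits: bool = False) -> bool:
    """Under FIPS-like limits MD5/SHA1 are refused unless the caller bypasses."""
    return not (fips_limits and algo.lower() in WEAK_ALGOS and not bypass_limits)


def digest(data: bytes, algo: str, fips_limits: bool, bypass_limits: bool = False) -> str:
    """Hex digest of data, subject to the hash policy (assumed API shape)."""
    if not hash_permitted(algo, fips_limits, bypass_limits):
        raise HashNotPermitted(f"{algo} is disabled by FIPS-like limits")
    return hashlib.new(algo.lower(), data).hexdigest()


def build_trust_list(samples, algo: str) -> dict:
    """Trust list as {algo: set(hex digests)}; this is data, so no policy applies."""
    return {algo: {hashlib.new(algo, s).hexdigest() for s in samples}}


def is_trusted(data: bytes, trusted_hashes: dict, fips_limits: bool) -> bool:
    """True if data matches a trust-list entry computed with a permitted hash.
    Entries under a disallowed algorithm are skipped, i.e. they no longer
    whitelist anything once FIPS-like limits are enabled."""
    for algo, digests in trusted_hashes.items():
        try:
            h = digest(data, algo, fips_limits)
        except HashNotPermitted:
            continue
        if h in digests:
            return True
    return False


class CleanCache:
    """Clean-file cache keyed by SHA2-256 rather than MD5."""

    def __init__(self):
        self._clean = set()

    @staticmethod
    def key(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def mark_clean(self, data: bytes) -> None:
        self._clean.add(self.key(data))

    def is_cached_clean(self, data: bytes) -> bool:
        return self.key(data) in self._clean


def scan(data: bytes, trusted_hashes: dict, cache: CleanCache, fips_limits: bool) -> str:
    """Simplified scan flow: cache -> trust list -> signatures -> cache as clean.
    Returns one of 'cached-clean', 'trusted', 'detected', 'clean'."""
    if cache.is_cached_clean(data):
        return "cached-clean"
    if is_trusted(data, trusted_hashes, fips_limits):
        return "trusted"
    if any(sig in data for sig in SIGNATURES):
        return "detected"
    cache.mark_clean(data)
    return "clean"


if __name__ == "__main__":
    md5_trust = build_trust_list([SAMPLE_MALICIOUS], "md5")
    print("FIPS limits off, MD5 trust entry:", scan(SAMPLE_MALICIOUS, md5_trust, CleanCache(), False))
    print("FIPS limits on,  MD5 trust entry:", scan(SAMPLE_MALICIOUS, md5_trust, CleanCache(), True))
    c = CleanCache()
    print(scan(SAMPLE_BENIGN, {}, c, True), scan(SAMPLE_BENIGN, {}, c, True))
```

The point of the trust-list branch is the one that matters operationally: an MD5-keyed "trust this file" entry stops having any effect as soon as the FIPS-like limits are enabled, so any such entries need to be regenerated with SHA2-256 before the switch is flipped, and callers that really do need a weak digest (for example to interoperate with legacy hash lists) must ask for it explicitly.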
A new class of scan callback functions has been added, providing fine-grained control at various stages of the scanning process, including before hashing, before scanning, and upon alert generation.
Other improvements include regex support for the OnAccessExcludePath option, more precise bytes-scanned counters in ClamScan, and new command-line options for providing hash and file-type hints.
The update also addresses numerous bugs, including a stack buffer overflow in the phishing signature load process, an infinite loop when scanning certain email files, and various issues identified through static analysis.