
ClamAV 0.98.3 adds features and asks for statistics

By Nathan Willis
May 14, 2014

The latest update to the ClamAV open-source antivirus scanner has been released, bringing with it IPv6 support, improved performance, and an option to contribute virus-detection statistics back to the project. Although virus scanning is a comparatively rare task on Linux desktops, it remains an important issue for those on other operating systems. Thus, a quality open-source program like ClamAV provides a useful alternative to the proprietary offerings, whether it is deployed on a mail server or run on individual Windows desktop machines.

The new release is numbered 0.98.3, and arrived on May 7. Source is available for download from SourceForge, as are Windows binaries for the ClamAV engine and its official Windows front-end Immunet. There are also unofficial Linux builds available for a variety of distributions.

The release announcement highlights a few functional changes outside of the core virus-recognition task. This includes the fact that ClamAV is now fully compatible with IPv6 addressing. The various components of a ClamAV deployment (such as the clamd scanning daemon, the freshclam virus-database updater, and the clamdtop monitoring program) can run over TCP sockets, but adding support for IPv6 has been a slow and piecemeal process, starting with ClamAV 0.94 back in 2008. Its completion in 0.98.3 hopefully means that the feature will be subjected to more rigorous testing.

ClamAV relies on hash functions to test possible virus payloads against its database of known malware. The new release moves from internal implementations of the various hash functions to using the implementations supplied by the OpenSSL library. The OpenSSL implementations are said to amount to a 70% performance speed-up, which is certainly a welcome improvement, but the change also makes OpenSSL a hard dependency. The ClamAV license has also been updated to include a GPL exception permitting the binary to be linked with OpenSSL. Such exceptions are not out of the ordinary (particularly for OpenSSL), but are still noteworthy for anyone who redistributes ClamAV.

The third major change in the new release is an option for users to submit virus-detection statistics back to the project. The feature is opt-in; it must be activated by supplying the appropriate (non-default) parameter to either the clamscan program or clamd daemon. The statistics collected cover the number and names of viruses identified, plus the sizes and hashes of files scanned. Collecting this type of information should, in theory, allow ClamAV to grow as a project; rather than rely solely on external information sources, it can analyze the threats its own users encounter.

Collecting virus-detection numbers is only part of that process, however. In February, the project launched another initiative to collect the actual signatures of viruses caught by ClamAV. Signatures contributed (through a web submission form, not as email attachments, for obvious reasons) by the community will be included in subsequent updates to ClamAV's virus database.

There are also several new features in ClamAV 0.98.3's virus-detection capabilities. The first of these is support for scanning additional raw disk image formats; new is support for master boot record (MBR), GUID Partition Table (GPT), and Apple Partition Map (APM) disks, though only those with 512-byte sectors. There is also improved detection of malware scripts embedded within image files, and the closing of a nasty bug through which a specially-crafted icon in a Windows Portable Executable (PE) file could be used to crash clamscan or clamd.
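To make the disk-image support concrete, here is an added example (not ClamAV code) of what a scanner has to do before it can look inside an MBR-partitioned image: parse the four partition entries in the first 512-byte sector, turn each entry's LBA start and sector count into a byte range, and carve that range out for scanning. It hard-codes the same 512-byte-sector assumption the article mentions, and it refuses to slice a partition whose table entry claims more sectors than the image actually contains, which is the kind of malformed input a scanner fed untrusted images must expect. The sample image, partition types and marker bytes are constructed for the example.

```python
import struct

# ClamAV 0.98.3 only handles MBR/GPT/APM images with 512-byte sectors (per the
# article); this example makes the same assumption.
SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446            # four 16-byte entries follow the 446-byte boot code
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(sector):
    """Parse the four primary partition entries of one 512-byte MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = TABLE_OFFSET + index * 16
        status, ptype, lba_start, num_sectors = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype == 0 or num_sectors == 0:
            continue  # empty slot
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_length": num_sectors * SECTOR_SIZE,
        })
    return entries


def carve_partitions(image):
    """Return [(entry, data)] for each partition; data is None when the entry
    does not fit inside the image.

    A corrupt or hostile table must not be trusted to describe bytes that are
    not there, so out-of-range entries are reported rather than sliced blindly.
    """
    results = []
    for entry in parse_mbr(image[:SECTOR_SIZE]):
        end = entry["byte_offset"] + entry["byte_length"]
        if entry["byte_offset"] < SECTOR_SIZE or end > len(image):
            results.append((entry, None))
        else:
            results.append((entry, image[entry["byte_offset"]:end]))
    return results


def build_sample_image():
    """Constructed 16-sector image: two valid partitions and one bogus entry."""
    image = bytearray(16 * SECTOR_SIZE)
    table = [
        (0x80, 0x83, 2, 4),     # bootable Linux partition, sectors 2-5
        (0x00, 0x07, 6, 4),     # NTFS partition, sectors 6-9
        (0x00, 0x0c, 12, 100),  # claims 100 sectors; the image has 16 (out of bounds)
    ]
    for i, (status, ptype, lba, count) in enumerate(table):
        struct.pack_into(ENTRY_FORMAT, image, TABLE_OFFSET + i * 16, status, ptype, lba, count)
    image[510:512] = MBR_SIGNATURE
    image[2 * SECTOR_SIZE:2 * SECTOR_SIZE + 4] = b"EXT4"   # marker bytes, constructed
    image[6 * SECTOR_SIZE:6 * SECTOR_SIZE + 4] = b"NTFS"   # marker bytes, constructed
    return bytes(image)


if __name__ == "__main__":
    for entry, data in carve_partitions(build_sample_image()):
        state = "out of bounds" if data is None else "%d bytes" % len(data)
        print("entry %d type 0x%02x at offset %d: %s"
              % (entry["index"], entry["type"], entry["byte_offset"], state))
```

Each carved payload is what would then be handed to the file-type detection and signature matching stages; GPT and APM differ only in where the table lives and how entries are laid out, the bounds checking is the same.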

Finally, ClamAV has added initial support for working with OpenIOC files. OpenIOC is an XML-based format for storing and reporting security threat information (the acronym in the name stands for "Indicators of Compromise"). The OpenIOC format can be used to record a variety of different security issues; ClamAV's support at this time is limited to extracting file hashes from any virus-detection incidents. The extracted information is then added to ClamAV's own signature database. OpenIOC support is marked as experimental; it is not clear whether the ClamAV project has any interest in doing more than reading OpenIOC files.
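The following is an added example, not ClamAV's implementation, of the one thing the article says ClamAV's OpenIOC support does: pull file hashes out of an OpenIOC document and turn them into hash-signature lines. The XML is a constructed sample laid out in the OpenIOC 1.0 style (the namespace URL and the FileItem/Md5sum, Sha1sum and Sha256sum term names are assumptions about that schema), and the digests are the well-known hashes of the empty string rather than real indicators. The output format, HASH:SIZE:NAME with a `*` size wildcard and a trailing minimum functionality level of 73, is my reading of ClamAV's .hdb/.hsb signature layout and should be checked against the signature documentation before use. Values that do not look like hashes are dropped rather than written into a signature file where they would only cause load errors.

```python
import re
import xml.etree.ElementTree as ET

# Constructed OpenIOC 1.0-style document (sample data, not a real IoC).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <short_description>Example.Dropper (constructed)</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">D41D8CD98F00B204E9800998ECF8427E</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
        <Content type="sha256">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">invoice.exe</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">not-a-hash</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# OpenIOC search terms that carry a file hash (assumed term names), mapped to the algorithm.
SEARCH_TO_ALGO = {
    "FileItem/Md5sum": "md5",
    "FileItem/Sha1sum": "sha1",
    "FileItem/Sha256sum": "sha256",
}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def _local(tag):
    """Strip the XML namespace so the parser does not depend on one exact schema URL."""
    return tag.rsplit("}", 1)[-1]


def extract_hashes(xml_text):
    """Return [(algorithm, lowercase_hex_digest)] for each well-formed hash indicator."""
    root = ET.fromstring(xml_text)
    found = []
    for item in root.iter():
        if _local(item.tag) != "IndicatorItem" or item.get("condition") != "is":
            continue
        context = content = None
        for child in item:
            if _local(child.tag) == "Context":
                context = child
            elif _local(child.tag) == "Content":
                content = child
        if context is None or content is None:
            continue
        algo = SEARCH_TO_ALGO.get(context.get("search", ""))
        if algo is None:
            continue  # a file name, registry path, etc.: not a hash
        value = (content.text or "").strip().lower()
        if len(value) != HASH_LENGTHS[algo] or not HEX_RE.match(value):
            continue  # malformed digest, do not emit it
        found.append((algo, value))
    return found


def signature_name(xml_text, fallback="OpenIOC.Unknown"):
    """Derive a ClamAV-safe signature name from the IOC's short_description."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if _local(element.tag) == "short_description" and element.text:
            return re.sub(r"[^A-Za-z0-9._-]+", "_", element.text.strip()).strip("_")
    return fallback


def to_clamav_signatures(hashes, name):
    """Render signature lines: MD5 goes to a .hdb file, SHA1/SHA256 to a .hsb file.

    Format assumed: HASH:SIZE:NAME, with '*' for an unknown size and ':73' as the
    minimum functionality level ClamAV needs for the size wildcard.
    """
    sigs = {"hdb": [], "hsb": []}
    for algo, digest in hashes:
        sigs["hdb" if algo == "md5" else "hsb"].append("%s:*:%s:73" % (digest, name))
    return sigs


if __name__ == "__main__":
    name = signature_name(SAMPLE_IOC)
    for kind, lines in to_clamav_signatures(extract_hashes(SAMPLE_IOC), name).items():
        for line in lines:
            print("%s: %s" % (kind, line))
```

Only the two valid digests survive: the file-name indicator is not a hash and the malformed MD5 value is discarded. Anything richer in the IOC (the OR/AND operator tree, registry or process terms) is ignored, which matches the narrow scope the article describes.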

On the whole, version 0.98.3 is another small but stable update from ClamAV. It is good to see the project take steps toward assembling its own virus database information; if done correctly that is certainly a valuable contribution that the ClamAV community can add. ClamAV's parent company Sourcefire was acquired by Cisco in July 2013; at the time the project made an announcement to reassure users that the acquisition would not weaken the project's commitment to the open-source community. So far, it seems to be a positive move for the project, as stable releases of both the software and virus database continue.

Those of us who live and work entirely within the sphere of Linux and free software can, at times, forget how important virus-scanning programs are to others, merely because of how much more prevalent viruses are on Windows machines. But, as Linux is often the operating system that dominates the server room, projects like ClamAV are critical even if most of the viruses they stop are targeting someone else.

Index entries for this article: Security/Virus scanning


ClamAV 0.98.3 adds features and asks for statistics

Posted May 15, 2014 8:50 UTC (Thu) by Trou.fr (subscriber, #26289) (1 response)

It is interesting to see that ClamAV is still considered as a tool worth something. Antiviruses in general are more and more useless against modern malware which mutates so often the detection engines cannot follow the flow.

Using ClamAV with its antique engine and approach is probably worse than not using anything: it has been quite vulnerable in the past and probably opens more attack surface than it protects.

It is (really) time to move away from AV, completely.

ClamAV 0.98.3 adds features and asks for statistics

Posted May 15, 2014 21:17 UTC (Thu) by wahern (subscriber, #37304)

ClamAV's signature engine can detect polymorphic viruses and trojans. It's not just based on checksums. Signatures can be actual programs that are compiled to a special byte code and which inspect the binary at run-time.

The problem is one of man power. There aren't enough people to write good signature logic, as opposed to automated checksumming.

Solutions like FireEye are better in this regard, but also quite limited. You have to open each attachment in several dozen VMs, representing all the common combinations of operating systems and applications. That doesn't scale, but also buffer overflows and privilege escalation are hardly the biggest problem, although that's primarily the vector that FireEye attempts to detect. There are a ton of ways to leak valuable data through more innocuous channels.

ClamAV isn't antiquated, we've just hit the limit of what we can accomplish without focusing on writing better, less bug-prone software. ClamAV won't go away. How stupid would you look if one of your users were infected with a 2-year-old attachment virus? But now our efforts are more spread out.

ClamAV 0.98.3 adds features and asks for statistics

Posted May 15, 2014 13:42 UTC (Thu) by dskoll (subscriber, #1630)

ClamAV could fill an important role, but the default Clam signatures detect almost nothing. We block thousands of pieces of malware based on filename extensions that ClamAV misses.

The SaneSecurity signatures help a bit, but those have their own problem: The false-positive rate is unacceptably high.


Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds