Clam AntiVirus
http://www.clamav.net
ClamAV, a GPL anti-virus toolkit for UNIX
Fri, 02 Apr 2010 13:12:52 +0000

Announcing ClamAV 0.96
http://www.clamav.net/lang/en/2010/04/02/announcing-clamav-0-96
Fri, 02 Apr 2010 09:40:29 +0000, webmaster

ClamAV 0.96 introduces new malware detection mechanisms and other
significant improvements to the scan engine. The key features are:

  • The Bytecode Interpreter: the interpreter built into LibClamAV allows
    signature writers to create and distribute very complex detection
    routines and remotely enhance the scanner’s functionality.

  • Heuristic improvements: the PE heuristics detection engine now
    supports detecting bogus icons and fake PE header information. In a
    nutshell, ClamAV can now detect malware that tries to disguise itself
    as a harmless application by using the most common Windows program
    icons.

  • Signature Improvements: logical signature improvements to allow more
    detailed matching and referencing groups of signatures. Additionally,
    improvements to wildcard matching on word boundaries and newlines.

  • Support for new archives: 7zip, InstallShield and CPIO. LibClamAV
    can now transparently unpack and inspect their contents.

  • Support for new executable file formats: 64-bit ELF files and OS X
    Universal Binaries with Mach-O files. Additionally, the PE module
    can now decompress and inspect executables packed with UPX 3.0.

  • Support for DazukoFS in clamd

  • Performance improvements: overall performance improvements and
    memory optimizations for better resource utilization.

  • Native Windows Support: ClamAV will now build natively under
    Visual Studio. This will allow third-party application developers on
    Windows to easily integrate LibClamAV into their applications.

The complete list of changes is available in the ChangeLog file. For
upgrade notes and tips please see:

https://wiki.clamav.net/Main/UpgradeNotes096

End of Life Announcement: ClamAV 0.94.x
http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094
Mon, 05 Oct 2009 12:26:09 +0000, webmaster

All ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes.
You can find more details on this issue on our bugzilla (see bug #1395).

This bug affects our ability to distribute complex signatures (e.g. logical signatures) with incremental updates.

So far we haven’t released any signatures which exceed this limit.
Before we do we want as many users as possible to upgrade to the latest version of ClamAV.

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 – that is to say older than 1 year.

This move is needed to push more people to upgrade to 0.95.
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980-byte limit in May 2010.

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

Thanks for your cooperation!

Sourceforge CCA ’09: watch the video!
http://www.clamav.net/lang/en/2009/06/23/sf-awards09-video-message
Tue, 23 Jun 2009 14:08:53 +0000, webmaster

Yesterday Sourceforge announced the finalists for Community Choice Awards 2009.
We are glad to let you know that ClamAV was among the 10 projects that collected the most nominations in the Best tool for sysadmin category!
We really appreciate your support and we are happy that you find our project useful.

It’s now time to select the winner among the 10 finalists in each category.
Head over to the Sourceforge website and cast your vote! Our project is listed under the Best tool for sysadmin category:

Vote for us!

We prepared a video message for all of you, to say thanks for everything you did to make this project grow, whether you submitted a malware sample, reported a false positive, opened a bug report, edited the wiki, or answered a message on our mailing lists:

Let us know if you enjoy the video :) maybe we’ll try to make more in the future.

More information on Sourceforge Community Choice Awards 2009 is available at http://sf.net/cca .

FISL 10 Conference in Brazil
http://www.clamav.net/lang/en/2009/06/11/fisl-10-conference-in-brazil
Thu, 11 Jun 2009 19:46:57 +0000, webmaster

ClamAV’s own Tomasz Kojm will be giving two talks at the FISL 10 Conference, June 24th through 27th in Porto Alegre, Brazil. Abstracts and times for Tomasz’ presentations are below. If you’re attending, please stop by and say hi.

June 24 – 2:00pm
“ClamAV Basics, Common Usage, Tips & Tricks”

The presentation will provide a broad introduction to Clam AntiVirus, its main features and advantages. Tomasz will focus his remarks on the following aspects of ClamAV:

  • Software design and core components (libclamav, clamd, clamscan, clamdscan, freshclam)
  • Installation
  • Virus detection techniques
  • Detection of Phishing and Potentially Unwanted Applications
  • Clamscan, clamd & clamdscan in practice
  • Configuration tips and best practices
  • Troubleshooting

June 26 – 2:00pm
“Introduction to the ClamAV Engine and Signatures.”

The presentation, aimed toward System Administrators and advanced users, will be an introduction to ClamAV internals. Tomasz will discuss how the scan engine works and how to create various types of signatures, including phishing and logical signatures. Although the official virus databases are released on a regular basis by ClamAV Researchers, the ability to use in-house or 3rd party developed signatures makes the system highly flexible. Tomasz will also discuss the basic API and how it can be used to perform file scanning.

SourceForge.net 2009 Community Choice Awards nominations
http://www.clamav.net/lang/en/2009/05/18/229
Mon, 18 May 2009 11:12:43 +0000, webmaster

The SourceForge.net Community Choice Awards have just opened and we hope to receive your help to nominate ClamAV in one or more categories.
Once all final nominees have been decided, everyone will be able to vote for the projects of their choice in each category. We hope to be nominated in the category “Best Tool or Utility for SysAdmins”.

DojoSec June briefings
http://www.clamav.net/lang/en/2009/05/17/dojosec-june-briefings
Sun, 17 May 2009 15:03:47 +0000, webmaster

Alain Zidouemba will give a talk at DojoSec on the topic: What to do with the unknown.
Here are the meeting details:
Date: June 4, 2009
Time: 6:00 – 9:30 PM
Entry Fee: $1
Location: Capitol College – Avrum Gudelsky Memorial Auditorium

Register: http://www.dojosec.com/?page_id=37
Directions: http://www.capitol-college.edu/visit-campus/directions-campus

Abstract

Clam AntiVirus is an open source anti-virus toolkit for UNIX systems. The main purpose of this software lies in the integration with mail servers enabling mail attachment scanning before the end user receives a virus. Like other anti-virus software, the engine for ClamAV has pattern matching technology at its heart. Updates to the malware signatures are released on a regular basis by ClamAV Researchers. When no signatures are available, however, or when updates are not coming fast enough, the only option is to create signatures. Fortunately, ClamAV signatures are open and this enables the administrator to fill in the gap for themselves.


About Alain Zidouemba

Alain Zidouemba was born in Ouagadougou, Burkina Faso. He studied Mathématiques Supérieures and Mathématiques Spéciales at the Lycée Jacques Amyot in France and Electrical and Computer Engineering at Howard University in the US. He worked in the area of network modelling and simulation at OPNET Technologies before taking a position at PestPatrol as a Spyware researcher. He later joined Computer Associates to work on intrusion prevention and behavioral malware analysis. Alain recently became part of the Vulnerability Research Team (VRT) at Sourcefire and performs research in the areas of intrusion prevention and anti-malware.

ClamAV Users’ Webcast
http://www.clamav.net/lang/en/2009/02/09/clamav-users-webcast
Mon, 09 Feb 2009 10:48:12 +0000, webmaster

The next ClamAV® Users’ Webcast will be on Wed 4th March at 1800UTC: 10 AM PST, 1 PM EST, 6 PM GMT, 7 PM CEST. The talk, given by Alain Zidouemba of Sourcefire, will be an introduction to writing ClamAV Signatures. The talk will last about an hour. The talk will be technically advanced, and is aimed toward Systems Administrators and developers.

Abstract

ClamAV is an open source anti-virus toolkit for UNIX systems. The main purpose of this software lies in the integration with mail servers enabling mail attachment scanning before the end user receives a virus. As with other anti-virus software, the engine for ClamAV has pattern matching technology at its heart. Updates to the malware signatures are released on a regular basis by ClamAV Researchers.
However, what if no signatures are available to detect a given piece of malware, or if updates are not coming fast enough? Fortunately, ClamAV signatures are “open” and this enables the administrators to fill in the gap for themselves. This presentation covers the methods behind creating effective malware signatures for ClamAV and introduces the new malware “logical signature” format that makes it even easier to write custom detections.
The event will finish with a Q&A session of about 15 minutes.

About the Presenter

Alain Zidouemba studied Mathématiques Supérieures and Mathématiques Spéciales at the Lycée Jacques Amyot in France and Electrical and Computer Engineering at Howard University in the United States. He worked in the area of network modelling and simulation at OPNET Technologies before taking a position at PestPatrol, Inc. as a Spyware Researcher. He later joined Computer Associates to work on intrusion prevention and behavioural malware analysis. Alain is a member of the Vulnerability Research Team (VRT) at Sourcefire and performs research in the areas of intrusion prevention and anti-malware.

How to Hear The Presentation

To register for this webinar please visit https://sourcefire.webex.com/sourcefire/onstage/g.php?d=798010302&t=a.
After you have registered you will receive an email containing instructions on how to listen to the webinar. For most people the procedure is to visit a URL, which will be given, enter a password (the event password is clamav) and then either listen on your computer’s speakers or dial in to listen over the telephone. The interface you get on the PC will be the same whichever audio method you choose.
The phone numbers for the U.S. and Canada are 866-469-3239 (free), 1-650-429-3300 (charged). To see the worldwide call-in numbers please visit https://sourcefire.webex.com/sourcefire/globalcallin.php?serviceType=EC&ED=111325642&tollFree=1.
To find out about the toll-free dialling restrictions: http://www.webex.com/pdf/tollfree_restrictions.pdf.
The session will be archived and available later from www.clamav.net.

Conficker aka Downadup
http://www.clamav.net/lang/en/2009/01/29/conficker-aka-downadup
Thu, 29 Jan 2009 06:31:58 +0000, webmaster

Some of you may have heard of a current major outbreak of a virus known as Downadup that has been reported at http://news.bbc.co.uk/1/hi/technology/7842013.stm and http://news.bbc.co.uk/1/hi/technology/7832652.stm. It has been estimated that more than 9 million PCs are infected across the world.

ClamAV detects Downadup, also known as Conficker, as Worm.Downadup. Once on a system it downloads components that ClamAV detects as members of the Trojan.Downloader- family of signatures.

The virus primarily exploits MS08-067; it can also spread through USB sticks. Since the virus is not spread by email we don’t expect to see much activity in our core user-base, which tends to use ClamAV to scan emails. We are, nevertheless, keeping an eye out for it through freshclam’s statistics gathering system – we are yet to see any obvious spike of activity from it. If we hear anything we’ll let you know.

500,000 Signatures and Counting
http://www.clamav.net/lang/en/2009/01/27/500000-signatures-and-counting
Tue, 27 Jan 2009 20:23:55 +0000, webmaster

Today, 27th January 2009, ClamAV’s signature team investigated and identified Trojan.Agent-70954, the 500,000th entry in its database. Well done to all the team for working so hard to produce a quality database.
From time to time we are asked to keep the size of the database down by trimming old signatures; but, as the statistics-gathering program has shown, old viruses never die. SomeFool (a.k.a. Netsky) is still alive and kicking 5 years after the ClamAV team spotted the first variants! Today two variants of that virus are in the top 10 most active malware amongst our users that send us statistics.

ClamAV twitter feed available
http://www.clamav.net/lang/en/2008/11/10/clamav-twitter-feed-available
Mon, 10 Nov 2008 18:35:11 +0000, webmaster

Notifications of ClamAV signature updates are now available via our Twitter feed at http://twitter.com/clamav. The notifications include information about the number of signatures added and the total number of signatures in the ClamAV database.
We hope to include other information on that feed later, so please feel free to send us suggestions, but remember that “twittiquette” means that we don’t wish to flood the feed with too much information.
