Mailing List Archive

Inquire about clamav latest stable version -
Hi community,

We want to get the latest stable version of clamav and use it in our environment. From the release note (https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html), we see the v0.105.0 is released with 0.104.3 and 0.103.6 (it seems the latest stable version has also upgraded to 0.105.1 now). While when we install the package via yum, we still only get the version 103 although it seems get released with more advanced versions together. We are wondering:

1. ClamAv 0.105.0, 0.104.3, 0.103.6 got released on the same day. We don't see any major version change. Then why ClamAv released patch for 0.014 and 0.103 when 0.105 is released. Since it's a minor version change, we think everyone should get the update?

2. What are the differences between 0.105 and 0.103.6? We see the yum and rpm packages currently only support latest clamav version as 0.103.6 although these versions seem released in the meantime. Are there any new changes in 0.105 causing the delay in package distribution update?

3. Do you have any suggestions that except downloading latest source package for clamav, how can we make sure we get the latest version without delay? Yum and rpm don’t have the latest 105 version for now. While we’re wondering if you know any other package provider and its repo may always have the latest updates.

Thank you very much! Looking forward to your reply.

Best,
Jiayi
Re: Inquire about clamav latest stable version - [ In reply to ]
Hi there,

On Wed, 27 Jul 2022, Yang, Jiayi via clamav-users wrote:

> We want to get the latest stable version of clamav and use it in our
> environment. From the release note
> (https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html),
> we see the v0.105.0 is released with 0.104.3 and 0.103.6(it seems
> the latest stable version has also upgraded to 0.105.1 now). ...

Please look again at the blog. You will see that updates have been
published very recently.

> when we install the package via yum, we still only get the version 103

You did not say which distribution you are using but they all have
their own policies on updates. Some of them backport security patches
for you. You must look to the distribution for more information about
it, the ClamAV development team can't help you very much with that.

> 1. ClamAv 0.105.0, 0.104.3, 0.103.6 got released on the same day. We
> don't see any major version change. Then why ClamAv released patch
> for 0.014 and 0.103 when 0.105 is released. Since it's a minor version
> change, we think everyone should get the update?

Are you offering to pay for extra work to be done?

> 2. What are the differences between 0.105 and 0.103.6? We see the
> yum and rpm packages currently only support latest clamav version as
> 0.103.6 although these versions seem released in the meantime. Are
> there any new changes in 0.105 causing the delay in package
> distribution update?

Please read the blog and the release notes for information about the
enhancements. You may also wish to follow developments on Github.

> 3. Do you have any suggestions that except downloading latest source
> package for clamav

What's wrong with the source package? There's a school of thought
which holds that for security software, the only way to go is to do
exactly that.

> how can we make sure we get the latest version without delay?

You can subscribe to the announcement mailing list:

https://lists.clamav.net/mailman/listinfo/clamav-announce

and then watch your distribution's equivalent (if there is one).

> Yum and rpm don't have the latest 105 version for now. While we're
> wondering if you know any other package provider and its repo may
> always have the latest updates.

Yum and RPM are simply package installation tools. They are used to
obtain packages from repositories. The repositories are maintained by
people who are not part of the ClamAV development team and who usually
have a set of guidelines to which they work - often only when they can
find the time - and which differ from one repository to the next. It's
up to you to choose a repository which has policies which suit you and
your intended use of the packages they provide. The alternative to the
use of repositories is to build software from source. It's up to you.

Version 0.103.x is now provided with Long Term Support.

What do you plan to do with ClamAV?

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Inquire about clamav latest stable version - [ In reply to ]
Hi Ged,

Thank you for your reply! Let me explain more about what we plan to use clamav for, or the previous questions might be confusing. We're planning to use clamav in company's internal platform to do malware scanning. Downloading the source package is the best way to make sure we have the latest stable version and it's pretty convenient to do so as a user (we appreciate it very much). While since we use it at company, I'm not so sure if it complies with company's open source software usage policy and we might need to contact the related team to discuss this. Getting the package from package distribution is an easier way for us as such usage is already approved by the open source team at our company. Thank you for the information you provide, based on your response, I still wanna ask several more questions to make sure I understand correctly.

1. If we use a relatively older version, for example, 0.103.6, which is supported by "RedHat & Fedora" and "Fedora & EPEL" package distribution currently. I will expect some new features and changes added to version 105 don't exist in version 103. While could I still assume version 103 is still supported (new patches will be added) and could still give decent malware scanning results?

2. If we already use older versions (like version 103), upgrading it to a minor version with patch release (like 103.6) will install the bug fixes and give us a better using experience. While upgrading it to a new major version (like 105) may require more extra work, such as rust toolchain setup which is mentioned in the release note. I guess that's the reason why we release new major version 105 and patch release versions for 103 and 104 together?

Sorry I may have some misunderstanding before. I thought we must upgrade to the latest version 105 or there might be security concern. So we're exploring ways to get the latest version installed in the internal platform once the new version is available. While if the previous versions still work, the delay might be acceptable and we can get more time to investigate into the downloading source package approach and see how we can apply it to our platform.

Thank you very much! Looking forward to hearing from you.

Best,
Jiayi






Re: Inquire about clamav latest stable version - [ In reply to ]
Hi Jiayi,

Thanks for the extra information. To answer your questions:

On Wed, 27 Jul 2022, Yang, Jiayi via clamav-users wrote:

> 1. If we use a relatively older version, for example, 0.103.6, which
> is supported by "RedHat & Fedora" and "Fedora & EPEL" package
> distribution currently. I will expect some new features and changes
> added to version 105 don't exist in version 103.

You are correct that new developments will take place in versions
which began their lives later in time, but supported versions are kept
patched for security vulnerabilities.

ClamAV versions are made up entirely of digits and dots but they
aren't really numbers because they have two dots. The digit after the
second dot can be considered the 'patch level'. At the moment three
versions are officially supported by Cisco's Talos, the authors of the
software. The latest patch versions are 0.103.7, 0.104.4 and 0.105.1,
as you can see at

https://blog.clamav.net/

Unfortunately headlines in the announcements to the mailing list and
in the blog are wrong, stating that version 0.104.1 was released on
July 26th, but as you can see from the text it is really 0.104.4 which
was actually released. At the time I write the version support matrix

https://docs.clamav.net/faq/faq-eol.html#version-support-matrix

is out of date - it does not show the latest released versions. The
quality control at Talos leaves something to be desired which I have
mentioned on more than one occasion on this list.

Version 0.103.x source code uses the 'autotools' build system. It is
the last version which will use autotools. Versions 0.104.x, 0.105.x
and later use 'cmake'. Support for 0.104.x will probably end soon, as
in the release announcements it's stated that 0.104.4 will be the last
patch version for the 0.104.x series. I don't know what will happen
if a serious vulnerability is found before the stated end of support
for 0.104.x in the support matrix and I doubt that Talos does either.
My guess is that support would be withdrawn immediately rather than as
stated in the support matrix.

> While could I still assume version 103 is still supported (new
> patches will be added)

The version is 0.103 not 103 but yes, that is the 'Long Term Support'
version which will be supported until September 2023 according to the
version support matrix.

> and could still give decent malware scanning results?

I would never recommend that anyone rely on one single defence.

Every installation has particular sensitivities and will reside in a
different threat landscape, you'll need to make your own assessments
of the performance based on your own experience. Mine are on record
in the archives of this mailing list, but bear in mind that we do not
scan machines for viruses, we only scan mail. Primarily we scan for
spam, and incidentally for threats like viruses which are of little
concern to us here because of the very defensive way that we operate.

> 2. If we already use older versions (like version 103), upgrading it
> to a minor version with patch release(like 103.6) will install the
> bug fixes and give us a better using experience. While upgrading it
> to a new major version(like 105) may require more extra work, such
> as rust toolchain setup which is mentioned in the release note.

Correct, but (1) the toolchain setup is a once-only thing, and (2) if
you use a major Linux distribution and a reasonably well-supported
architecture you should have little difficulty installing the tools.
I did it on a Raspberry Pi just to see if it could be done. It could,
but it took four hours to build it the first time.

> I guess that's the reason why we release new major version 105 and
> patch release versions for 103 and 104 together?

Your guess is as good as mine. :)

> Sorry I may have some misunderstanding before. ...

No need for apologies. :)

--

73,
Ged.
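
Added example, not part of the original message or of ClamAV itself: a Python check that treats a version as three integers, as described above, and compares an installed version against the latest patch levels named in the message. The banner format is that of `clamscan --version`; the function names, status strings and sample banners are constructed for illustration.

```python
import re

# Latest patch release per supported series, as listed in the message above
# (July 2022). Update this table from the ClamAV announcements before reuse.
LATEST_PATCH = {(0, 103): 7, (0, 104): 4, (0, 105): 1}

# `clamscan --version` prints "ClamAV <version>/<db version>/<db date>".
BANNER_RE = re.compile(r"ClamAV (\d+)\.(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (major, minor, patch) as integers from a version banner."""
    match = BANNER_RE.search(banner)
    if match is None:
        raise ValueError(f"no ClamAV version found in {banner!r}")
    return tuple(int(part) for part in match.groups())


def assess(banner, latest=LATEST_PATCH):
    """Classify an installed version against the supported-series table."""
    major, minor, patch = parse_banner(banner)
    series = (major, minor)
    if series not in latest:
        # Tuples compare element by element, so (0, 102) < (0, 103) < (1, 0).
        return "newer-than-table" if series > max(latest) else "unsupported-series"
    if patch < latest[series]:
        # A distribution package may carry backported fixes under an older
        # upstream number, so treat this as a prompt to check its changelog.
        return "behind"
    return "current" if patch == latest[series] else "newer-than-table"


# Constructed sample banners (the database fields are made up).
SAMPLES = [
    "ClamAV 0.103.6/26614/Wed Jul 27 07:56:35 2022",
    "ClamAV 0.105.1/26614/Wed Jul 27 07:56:35 2022",
    "ClamAV 0.102.4/26614/Wed Jul 27 07:56:35 2022",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line.split('/')[0]:<16} {assess(line)}")
```

Comparing the versions as plain strings would rank 0.103.10 below 0.103.7, which is why the check works on integer tuples.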
Re: Inquire about clamav latest stable version - [ In reply to ]
> At the moment three versions are officially supported by Cisco's Talos, the authors of the software.

Cisco's Talos are the *current* authors of the software.

ClamAV was started in 2001 by Tomasz Kojm and a group of Open Source enthusiasts. In 2007, they sold the software to Sourcefire (of Snort fame), and the principal developers joined Sourcefire as employees.

Cisco acquired Sourcefire in 2013. Since the original software was covered by the GPLv2 license, Cisco has kept the source code open (as they must), including the many improvements they have made.


The Wikipedia article on ClamAV barely mentions its origin, but it does have two links:

https://web.archive.org/web/20120206053729/http://www.emailbattles.com/2005/08/31/virus_aabejfhaib_ag/
(Tomasz Kojm interview)

https://web.archive.org/web/20080828173858/http://www.clamav.net/about/

The latter in turn links to the original developer team:

https://web.archive.org/web/20080828173858/http://www.clamav.net/about/team/


Disclaimer: I have never been associated with the development of ClamAV, but I have used it since well before the Sourcefire acquisition. (I even have a copy of the 0.88.4 source code from 2006!)

In any case, I think the originators of ClamAV should get proper credit.
Re: Inquire about clamav latest stable version - [ In reply to ]
ClamAV is a Cisco project. There’s no arguing that.

All of the original team are observed here: https://www.clamav.net/about

So, not sure what you’re getting at.


Re: Inquire about clamav latest stable version - [ In reply to ]
Hi Ged, Jiayi,

> I don't know what will happen
> if a serious vulnerability is found before the stated end of support
> for 0.104.x in the support matrix and I doubt that Talos does either.
> My guess is that support would be withdrawn immediately rather than as
> stated in the support matrix.

As per the EOL policy (https://docs.clamav.net/faq/faq-eol.html) the ClamAV 0.104 release would continue to get security patch versions until 4 months after 0.105 is released, or until the next feature release (1.0) is published. We're getting close to 3 months since 0.105.0 was published. Vulnerability reports generally have a 90 day non-disclosure window from the moment they're reported, and we often use all that time to craft/review/test fixes before publishing a release. Unless a critical vulnerability is publicly disclosed without giving us a non-disclosure window in which to fix the issue, it is highly unlikely that we'll have to publish security fixes before 0.104 exceeds that end-of-life. For this reason, the release announcement includes a notice to prepare users still on 0.104 for a move to 0.105.

> > I guess that's the reason why we release new major version 105 and
> > patch release versions for 103 and 104 together?
>
> Your guess is as good as mine. :)

We published patch versions for 0.103 and 0.104 at the same time as 0.105.0 was published because we had critical security fixes for all supported versions. We could have published 0.105.0 a few weeks before, and then published 0.105.1 with the patch versions for 0.103/0.104 for the security fixes almost immediately afterwards, but that would have been more work for everyone. So, we delayed 0.105.0 to align it with the security patch release.

Sorry about the "0.104.1" in the blog (and copy-pasted announcement) title. The typo was missed by me and by the reviewer. I've corrected the typo in the blog.

Best regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

Re: Inquire about clamav latest stable version - [ In reply to ]
Hi there,

On Thu, 28 Jul 2022, Paul Kosinski via clamav-users wrote:
> On Thu, 28 Jul 2022, I wrote:
>
>> At the moment three versions are officially supported by Cisco's Talos, the authors of the software.
>
> Cisco's Talos are the *current* authors of the software. ...

Gladly I stand corrected.

--

73,
Ged.
Re: Inquire about clamav latest stable version - [ In reply to ]
On Thu, 28 Jul 2022 17:38:20 -0400
Joel Esler <joel.esler@me.com> wrote:

> ClamAV is a Cisco project. There’s no arguing that.
>
> All of the original team are observed here: https://www.clamav.net/about
>
> So, not sure what you’re getting at.

The phrase "*the* authors of the software" rather implies that Cisco's Talos are the only authors of the software. And G.W. Haywood seems to have agreed with me on this that the phrasing could be misinterpreted.


Cisco's Talos has indeed made ClamAV a lot better than it was years ago, but they have kept much of the basic structure and, I would guess, some of the original code.

I have attached a file list of the contents of the source code that comprised clamav-0.88.4 (from the tar of August 2006) and it indicates that the current structure is quite similar to the original.

P.S. The reason I have 0.88.4 is that whenever I download a new ClamAV, I keep the old one just in case I need to revert (it is security software, after all). I don't think I ever have, but disk storage has gotten so cheap that I haven't bothered to cull what are, by modern standards, fairly small files.
Re: Inquire about clamav latest stable version - [ In reply to ]
> On Aug 1, 2022, at 15:36, Paul Kosinski <clamav-users@iment.com> wrote:
>
> On Thu, 28 Jul 2022 17:38:20 -0400
> Joel Esler <joel.esler@me.com> wrote:
>
>> ClamAV is a Cisco project. There’s no arguing that.
>> All of the original team are observed here: https://www.clamav.net/about
>> So, not sure what you’re getting at.
>
> The phrase "*the* authors of the software" rather implies that Cisco's Talos are the only authors of the software. And G.W. Haywood seems to have agreed with me on this that the phrasing could be misinterpreted.
>
>
> Cisco's Talos has indeed made ClamAV a lot better than it was years ago, but they have kept much of the basic structure and, I would guess, some of the original code.

Well of course. When ClamAV was acquired by Sourcefire, Sourcefire hired the original developers until they all left to start another company. ClamAV has continued to live on through the Cisco acquisition, and continues to be developed by Cisco. All code must pass through Cisco employees to be committed to the code base. Occasionally open source contributions are made to ClamAV, but even when that happens, it must pass through Cisco’s QA tests.