Joel,

First congrats to you and the team, from the sounds of it, this took a lot of late nights and caffeine.

Quick question, are any of the official sigs {main/daily/bytecode} changing names (or extensions)? That does not seem to be the case but I figure it would be good to confirm in order to avoid any surprises.

Cheers,

- Rafael

Rafael Ferreira
Uva Software, LLC | scanii.com <http://scanii.com/>
☎ 623.252.0441

> On Mar 16, 2016, at 8:24 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:
>
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html?m=1>
>
> ClamAV Signature Interface maintenance is now complete! New Main.cvd!
>
> Our ClamAV Signature Interface maintenance is now complete. While we apologize for the delay, the rollout of the new Signature Interface inside of ClamAV will result in several new features for the community, and I wanted to tell you about some of them:
>
> First, the first new “main.cvd” in about two years. This main.cvd has been completely re-written from scratch, and while the function of the “main” is largely the same, it’s been rewritten to not only enforce order to the signatures, but naming convention as well. For example:
>
> W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
> Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
> Adware.Smshoax has moved to Win.Adware.Smshoax
>
> Re-naming of the signatures may affect a local user’s whitelist. If you have excluded certain signatures in the past that are now firing, we ask that you both submit the file to us for false positive remediation (if you believe it to be a false positive), and rename the signature whitelist on your side.
>
> This new main is 109Mb in size, and contains 4 million signatures for ClamAV. Now that the main.cvd has been rewritten, it is now easier for us to create diffs, which means upgrading the main more often, and making the “daily.cvd” smaller more often.
>
> Second, we now have the ability to offer different types of CVDs. For instance, we now have the ability to distribute 3rd party signatures that are officially signed by ClamAV, but updated through the ClamAV global mirror network. If we wanted to separate out “policy” type signatures from the daily.cvd into their own cvd, we can now do that.
>
> Third, while we have not removed some of the older signature formats, we did convert those older signatures to the newer formats to empty those older “cvd”s out.
>
> For example:
> “db” signatures were consolidated into “ndb” signatures
> “zmd” and “rmd” archive signatures we moved to the “cdb” container signature format
>
> These formats are not new, they simply have never been published before. This includes other formats such as “hsb”, “msb”, “sfp”, and “crb”. The older formats are supported for now, we are simply no longer publishing them.
>
> Fourth, newer features, like the ability to write signatures based on the SHA256 of a file have been added to the system, and we can now publish that type of detection.
>
> We’d like to thank you for your patience.
>
> ClamAV team
> _______________________________________________
> Community-sigs mailing list
> community-s...@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
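
The whitelist point in the quoted announcement, as an added example that is not part of the original thread or ClamAV project code: a small audit of a local whitelist file against the renamed signatures. It assumes a `.ign2`-style layout (one signature name per line, optionally `name:md5`); `audit_ign2`, the sample data and `Local.Example.Rule` are hypothetical, and only the three rename pairs come from the announcement.

```python
# Added example (not ClamAV project code): audit a local whitelist after
# the main.cvd signature renames described in the announcement.

# The three old -> new pairs quoted in the announcement; extend as needed.
RENAMES = {
    "W97M.Ethan.AK-1": "Doc.Trojan.Ethan",
    "Worm.Padowor.A-zippwd": "Win.Worm.Padowor",
    "Adware.Smshoax": "Win.Adware.Smshoax",
}


def audit_ign2(ign2_text, current_sigs, renames=RENAMES):
    """Return (new_lines, report) for a whitelist file's text.

    Assumed layout: one signature name per line, optionally "name:md5".
    current_sigs is the set of names present in the databases now in use
    (for instance collected from `sigtool --list-sigs` output).
    """
    new_lines, report = [], []
    for lineno, raw in enumerate(ign2_text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        name, _, _md5 = entry.partition(":")
        if name in current_sigs:
            status, out = "ok", entry
        elif name in renames and renames[name] in current_sigs:
            # Assumption: an md5 suffix refers to the old entry, so drop it.
            status, out = "renamed", renames[name]
        else:
            # No known new name: keep the line, flag it for manual review.
            status, out = "stale", entry
        if out not in new_lines:
            new_lines.append(out)
        report.append((lineno, name, status))
    return new_lines, report


# Constructed sample data, not taken from a real system.
SAMPLE_IGN2 = """W97M.Ethan.AK-1
Adware.Smshoax:00000000000000000000000000000000
Win.Worm.Padowor
Local.Example.Rule
"""
SAMPLE_CURRENT = {"Doc.Trojan.Ethan", "Win.Worm.Padowor", "Win.Adware.Smshoax"}

if __name__ == "__main__":
    lines, report = audit_ign2(SAMPLE_IGN2, SAMPLE_CURRENT)
    for lineno, name, status in report:
        print(f"line {lineno}: {name}: {status}")
    print("\n".join(lines))
```

Entries reported as `stale` match no current signature and no known rename, so they are left in place for manual review rather than rewritten.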