Version 8.0.0
First release since 7.2.5 (March 2021). This release consolidates the unreleased dev branch, every applicable community PR, fixes for the long-standing open issues, and modernises the project for the current ClamAV and signature-source landscape. Verified against ClamAV 1.4.4 (LTS) and 1.5.3 (stable) with real end-to-end runs.
Highlights
- Modern ClamAV (1.x) support — robust version parsing/comparison (`1.4.x`, `1.5.x`, `0.103.x`, `-rc`/`-devel`/`+dfsg` suffixes) for the yara gate, self-update and config checks
- Official Docker image — `ghcr.io/extremeshok/clamav-unofficial-sigs`, built on the official ClamAV image, all-in-one and updater-sidecar modes, one-shot arg passthrough, an honest healthcheck (detects never-completed, failed, and stalled update loops), multi-arch (amd64/arm64) with weekly rebuilds — thanks @mnalis for the original Dockerfile concept. See guides/docker.md
- urlhaus finally works — two root causes fixed: the missing `dbs-uh` work directory / `urlhausy` typo (dev branch + #420/#414/#400/#402, thanks @robert-scheck @Devstellar @amartin-git @stimpy23), AND urlhaus was missing from the current-databases tracking list, so the cleanup pass deleted `urlhaus.ndb` right after each install (#398)
- Two new signature sources (verified loading in ClamAV 1.4.4/1.5.3, disabled by default): ditekshen/detection (#396) and twinclams (#397, actively updated by Splunk/TwinWave); disabled optional sources never delete same-named databases installed by other means
- rsync is now optional for https-only setups (#366) — internal cp fallback, with a clear error when sanesecurity (which genuinely needs rsync) is enabled without it
- ~380 lines of copy-paste removed — per-source test-and-install logic unified into shared helpers; fixed bugs hidden in the duplication (all `keep_db_backup` backups collapsed onto one `_file-bak` file — including the sanesecurity copy; LMD restorecon on the wrong file)
- GitHub Actions CI replaces defunct Travis-CI/Code Climate: shellcheck (clean with zero CLI excludes), config-parse smoke matrix with real clamav, every os config parse-tested, an upgrade-path guard (the 7.2.5 parser must parse the new master.conf), a Docker build + smoke job with a real signature download, and a weekly source-liveness probe
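The kind of suffix-tolerant version comparison the yara gate depends on, as an added illustration that is not the project's own code: it strips `-rc`/`-devel`/`+dfsg` style suffixes, pads missing fields, and compares numerically so that `0.103.x` sorts below `1.4.x` and `1.10` above `1.9`. The `0.99.0` gate threshold is an assumption for the example, not a value taken from the script.

```shell
#!/bin/sh
# Added example, not code from clamav-unofficial-sigs.

# Print the numeric MAJOR.MINOR.PATCH part of a ClamAV version string.
# Leading text ("ClamAV ") and any -rc/-devel/+dfsg suffix are dropped,
# missing fields are padded with 0, and a string with no digits
# normalises to 0.0.0. Example: "ClamAV 0.103.12-rc2" -> "0.103.12".
clamav_version_normalise() {
    printf '%s\n' "$1" | sed -e 's/^[^0-9]*//' -e 's/[-+].*$//' |
        awk -F '[.]' '{ printf "%d.%d.%d\n", $1+0, $2+0, $3+0 }'
}

# Compare two version strings field by field as integers (never as text,
# which would put 0.103 after 1.4). Prints -1, 0 or 1 for a<b, a=b, a>b.
clamav_version_compare() {
    a=$(clamav_version_normalise "$1")
    b=$(clamav_version_normalise "$2")
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "[.]"); split(b, y, "[.]")
        for (i = 1; i <= n; i++) {
            if (x[i]+0 < y[i]+0) { print "-1"; exit }
            if (x[i]+0 > y[i]+0) { print "1"; exit }
        }
        print "0"
    }'
}

# Feature gate built on the comparison. The 0.99.0 threshold is an
# assumed value for this example only.
clamav_supports_yara() {
    [ "$(clamav_version_compare "$1" 0.99.0)" -ge 0 ]
}
```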
Community PRs merged
#427 rsync wildcards for additional dbs (@amulet1) · #422 stray backslash (@code-chicken) · #415 bank_rule.yar removal (@mnalis) · #404 clam_user/group defaults (@VVelox) · #408 percent signs (@stevenhardey) · #418 guide links (@sammcj) · plus the dev branch (#389 #390 #393 #394 #395)
#405 was reviewed and rejected: the script builds `${urlhaus_url}/${db_file}`, so the existing base URL already produces the correct `.../downloads/urlhaus.ndb`; applying #405 would double the filename.
Bug fixes (issue refs)
- #388 multiple CLI options were ignored (misplaced `break`s)
- #403/#424 config parser stripped quotes via `xargs` on Solaris → `--reload: command not found`; plus a clamd-socket `RELOAD` fallback (perl/socat/nc) when `clamd_reload_opt` fails
- #383 portable `stat` (BSD `%OLp`) for upgrade permission preservation
- #417 `/opt/homebrew` config dir for Apple Silicon; missing-config error no longer fires before `-c`/`--config` is parsed; `-c` now derives the config dir for `--upgrade`
- #411 `-w` whitelisting produced `Name;Engine` garbage for ldb signatures
- #381 MalwarePatrol lines >8189 chars are filtered (single pass, atomic); Google-Drive filter no longer clobbers the download status and is BSD-portable
- #398 urlhaus removed by cleanup after every install (missing tracking entry)
- Sanesecurity GPG key setup no longer runs (and aborts the whole run on failure) when sanesecurity is disabled
- wget downloads with a renamed output file use a temp file — a failed transfer no longer truncates the last good copy; LMD version checks now work on wget-only hosts
- `os.alpine.conf` executed `clamdscan --reload` during config parsing (stray unquoted line)
- cron minute off-by-one; wget symlink/cd workarounds removed; `work_dir_linuxmalwaredetect` override fixed; #427 wildcard loop no longer clamscan-tests the literal glob on no-match
Sources
- New: ditekshen/detection (`clamav.ldb`, `indicator_rmm.ldb`) — disabled by default (#396)
- New: twinclams (`twinclams.hdb`, `twinclams.ldb`, `twinwave.ign2` whitelist) — disabled by default (#397)
- SecuriteInfo premium: added `securiteinfo.pdb`, `securiteinfo.wdb`, `securiteinfo.yara` (#416)
- yararulesproject is now DISABLED by default (#406) — upstream repo unmaintained, some rules crash modern clamav; re-enabling prints a deprecation warning
- OITC/winnow, MiscreantPunch, RookSecurity annotated as dead upstreams (files still ship via Sanesecurity mirrors); MalwarePatrol free product code now defaults to 32
OS / packaging / docs
- New `os.rhel.conf` (RHEL/Rocky/Alma 8-10) + guides/rhel.md, new `os.macos.applesilicon.conf`, new `os.docker.conf`
- `os.debian.conf`/`os.ubuntu.conf` refreshed (modern `/run` paths, `clamd_reload_opt`, #392); EOL configs marked deprecated in comments, kept for packagers
- `systemd/clamd.scan.service`: legacy `.include` (removed in systemd 240) replaced with drop-in override instructions
- README: false-positive/whitelisting FAQ (answers #409 #399 #413 #380, incl. the yara-cannot-be-ignored-via-ign2 ClamAV limitation), Docker quick start, refreshed OS list
- user.conf: examples for optional sources and a security-hardening section
Upgrade notes
- Existing v7.x installs upgrade in place: `clamav-unofficial-sigs.sh --upgrade` fetches this release and migrates the config. `config_version` is now 100; `minimum_required_config_version` intentionally stays 96 so v7.x installs still start and can upgrade.
- Users with `remove_disabled_databases="yes"` (default) will have their yararulesproject files removed on the next run — intended, but worth calling out.
- Docker users: `docker pull ghcr.io/extremeshok/clamav-unofficial-sigs:8.0.0` (also `:latest`).