I am considering this already, but as of now, versions 1.0 and 1.1 do not seem to be mature enough, e.g. they have issues on big endian architectures.

Given that upstream recently extended the LTS period for version 0.103 by one year until September 2024 we might even skip 1.0 and 1.1 and go directly to the next LTS release, which I expect to be available by that time.

BTW, are there any particular features for which you need the newer versions?

If you want to give my preliminary 1.1 package a try, you find it in OBS under

home:rmax:branches:security/clamav

Hello,

I've stumbled over this bug report. It seems something changed since 0.105 and in some cases scanning performance has gone down.

https://github.com/Cisco-Talos/clamav/issues/590

Seems like continuing with 0.103 is the better option.

Thanks for the input. Yes, that's definitely one more reason to stick with 0.103f for the time being.

Dirk, can you please have a look at the upstream bug report linked in comment 2 and tell us what you think of the performance drop that is reported there, given that you recently told me that you are seeing significant performance boosts with the new versions?

(In reply to Reinhard Max from comment #4)
> Dirk, can you please have a look at the upstream bug report linked in
> comment 2 and tell us what you think of the performance drop that is
> reported there, given that you recently told me that you are seeing
> significant performance boosts with the new versions?

These are drops because of the newer version by default scanning really large files, while previously really large files were not scanned at all. It is true that scanning a file is slower than not scanning it. 

We do not generally have such large files as build results, so it wouldn't be a problem we're facing. Plus scanning large files is a feature.

Yes, the defaults for various limits were increased, so now files get scanned that didn't get scanned as deeply before, or did not get scanned at all. But the bug report was about scanning many files, not particularly large ones, and the slowdown was reported to still show when setting the limits back to the old defaults.

https://github.com/Cisco-Talos/clamav/issues/590#issuecomment-1149669598

Reading through the comments again, it looks like particularely PDF files are affected by the slowdown, so I'll investigate further in that direction.

BTW, we don't have ClamAV only for our own needs within the build service, we also ship it to our customers who might have very different workloads.

Both true, but I think that shouldn't prevent us from providng the newer version that has more features (and hopefully better/more accurate detection). Safety first, performance later.

In my tests I couldn't find a PDF file so far that scans significantly slower on the newer versions for another reason than the increased default limits.

As for "Safety first, performance later": I generally agree, but heavily degraded performance (even when it is for good reasons) can also affect safety when suddenly a lot more ressources are needed for the same workload.

Don't get me wrong, I am not generally against adopting the new version, I am just not yet convinced that it won't break more than it improves.

BTW, do you have any particular feature in mind for which you want the newer version or is it just a "more features is always better" approach?

(In reply to Reinhard Max from comment #8)
> BTW, do you have any particular feature in mind for which you want the newer
> version or is it just a "more features is always better" approach?

As far as I can see the major new changes are the ability to scan password protected documents (when its one of the easy to guess passwords) and the ability to detect images that are used in phishing attacks. both very useful features. 

I do not have a concrete other reason to upgrade. I have however noticed that in my limited test cases the newer version is a bit faster. so it doesn't seem to be universally slower.

*** Bug 1215295 has been marked as a duplicate of this bug. ***

Clamav 1.2.1 is out, and tiers security provider start dropping old signatures.

I'm using securiteinfo.com additional signature to protect my email server.

I've seen a small effort on obs to get 1.2 into Factory, now seems to be the perfect time frame  ;-)

>Hello,
>You are using our additional signatures for ClamAV. We thank you very much !
>Sadly, your are using ClamAV version 0.103.9, and this version is outdated.
>
>According to the official website of ClamAV, versions 0.102 and below and >versions 0.104.x and 0.105.x cannot download new signatures from >database.clamav.net. 
>
>See more information here : https://docs.clamav.net/faq/faq-eol.html >https://blog.clamav.net/2023/03/clamav-eol-of-0104x-versions.html and >https://blog.clamav.net/2021/12/reminder-clamav-0102-0101-end-of-life.html
>
>Moreover versions 0.103.7, 0.105.1, 1.0.0 and lower are vulnerable to remote >code execution. The version 0.104 will *not* be patched. More information at the >official blog of ClamAV: 
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

>At the moment, we (SecuriteInfo.com) are still supporting the version you use >(0.103.9), but this version will be abandonned soon and you will not be able to >download our signature databases anymore.

>Furthermore, the lastest version of ClamAV got a lot of improvements to detect >the newest malwares, and correct a lot of vulnerabilities.

>For all these reasons, we suggest you to update as soon as possible your ClamAV >antivirus at version 0.103.10 or 1.2.0. Download the lastest version on the >official website : https://www.clamav.net/downloads
>Bien cordialement / Best regards / Saludos cordiales
>Arnaud Jacques
>CEO of SecuriteInfo.com
>https://www.securiteinfo.com

(In reply to Bruno Friedmann from comment #11)

> I've seen a small effort on obs to get 1.2 into Factory, now seems to be the
> perfect time frame  ;-)

I don't see it any better now than it was half a year ago with unsolved build issues on some architectures and performance issues that upstream doesn't seem to care about.

I mean most of the work was there to have this package.

I've quickly build and tested 1.2.1 and I agree there's a performance issue at least with traditional clamscan, but there's also more virus known, and if I add the functionality that tier can offer I would be more interested by protecting myself from threads than counting performance.

clamscan -r --infected Documents/
----------- SCAN SUMMARY -----------
Known viruses: 8677705
Engine version: 1.2.1
Scanned directories: 113
Scanned files: 1380
Infected files: 0
Data scanned: 5498.37 MB
Data read: 3326.20 MB (ratio 1.65:1)
Time: 1056.323 sec (17 m 36 s)
Start Date: 2023:11:06 17:01:45
End Date:   2023:11:06 17:19:21


clamscan -r --infected Documents/
----------- SCAN SUMMARY -----------
Known viruses: 8677603
Engine version: 0.103.11
Scanned directories: 113
Scanned files: 1380
Infected files: 0
Data scanned: 3728.95 MB
Data read: 3326.20 MB (ratio 1.12:1)
Time: 505.956 sec (8 m 25 s)
Start Date: 2023:11:06 16:43:00
End Date:   2023:11:06 16:51:26

What is really strange is the amount of Data Scaned (almost twice in 1.2.1)

But of course this is my humble needs on restricted number of platform (TW 64bits).

Hope this can be sorted out soon.

Well, one reason for the higher amount of data scanned is the raised defaults for several limits since 0.104 or 0.105, but that also revealed a performance issue with certain PDF documents that already existed in 0.103 (and probably before), but is much more visible with the higher limits, and I am really concerned to ship a newer ClamAV before that has been identified and resolved.

Look like upstream got numerous new pdf report, and action will may happen.
In the meantime, I've forked the package, and use it for my small email server.

Will see how this goes.

(In reply to Bruno Friedmann from comment #15)
> Look like upstream got numerous new pdf report, and action will may happen.

So far I was only aware of https://github.com/Cisco-Talos/clamav/issues/590 , but I just found https://github.com/Cisco-Talos/clamav/issues/1067 which refers to the first one. Are there more related tickets that you know about?

Hi Max

Since then, I was hit also by https://github.com/Cisco-Talos/clamav/issues/1082 which seems to be soon fixed.

Otherwise yes the two are there.
Testing 0.103 compared 1.2.1 needs a lot of adjustment in terms of default so as monkey we compare almost banana with banana ;-)

Rereading the issue 500 I was wondering if with our package debug we can provide their flame graph (if it as any utility).

Interesting too was to find the following remarks from October

```
BTW, if you want to stick with an older version for now, it might be better to stay with LTS version 0.103 which will be supported for another 11 months,
```

So I would say you still have time :-)

Flamegraph page clamav staff point out

https://docs.clamav.net/manual/Development/performance-profiling.html?highlight=flame#flame-graph-profiling

Hi Max, clamav has release 1.3.0

I've updated my own package, which may one day go back to the main repo.

I've tested mail scanning working well for my small use case.
But still the performance diff is huge with older version.


Package state work quite well, now still the performance issue compared to old 0.103 version is big

time clamscan --alert-exceeds-max=yes --max-scantime=200000 --max-filesize=1200M --max-scansize=1200M

Compare same dataset with version 0.103.11 and 1.3.0

----------- SCAN SUMMARY -----------
Known viruses: 8685650
Engine version: 0.103.11
Scanned directories: 1855
Scanned files: 48387
Infected files: 54
Data scanned: 434653.76 MB
Data read: 520577.31 MB (ratio 0.83:1)
Time: 22522.202 sec (375 m 22 s)
Start Date: 2024:02:21 21:09:28
End Date:   2024:02:22 03:24:51

real    375m22.239s
user    347m58.001s
sys     18m26.387s


----------- SCAN SUMMARY -----------
Known viruses: 13563050
Engine version: 1.3.0
Scanned directories: 1864
Scanned files: 48189
Infected files: 54
Data scanned: 435221.32 MB
Data read: 521109.31 MB (ratio 0.84:1)
Time: 63007.335 sec (1050 m 7 s)
Start Date: 2024:02:21 21:05:42
End Date:   2024:02:22 14:35:50

real    1050m7.353s
user    1042m32.975s
sys     17m14.573s

The performance drop may be caused by slow scanning of PDF files, as reported recently:

https://lists.clamav.net/pipermail/clamav-users/2024-February/013746.html

Thanks, Arjen for that link.

The fact that certain PDFs drive ClamAV slow has been known for quite a while and there are at least two long-standing items about it in the upstream bug tracker (referenced in comment 16), but there hasn't been much activity by the upstream maintainers about it.

Let's hope that the analysis that Eric has posted on the mailing list will finally get things going.

OK, let's try to proceed with what we have and see where it gets us. I've just submitted the latest state of my 1.x preparation branch to security/clamav .

Please test and give feedback before I pass it on to Factory.

BTW, the old package of version 0.103.x can now be found under security/clamav0 .

Done. ClamAV 1.3.1 finally is in Factory.