ClamAV 0.94: End of Life

16 Apr

The makers of ClamAV recently (well October 5th 2009, actually) announced that 0.94.x would no longer be supported from 15th April 2010.

All ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes.
You can find more details on this issue on our bugzilla (see bug #1395)

This bug affects our ability to distribute complex signatures (e.g. logical signatures) with incremental updates.

So far we haven’t released any signatures which exceed this limit.
Before we do we want as many users as possible to upgrade to the latest version of ClamAV.

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 – that is to say older than 1 year.

This move is needed to push more people to upgrade to 0.95.
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980 bytes limit in May 2010.

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

Thanks for your cooperation!

As well as the post on their site, they also sent out notifications to the ClamAV mailing list warning people of the approaching deadline. Even so, as I check my mailbox today, I see several emails from people complaining that the antivirus on their servers had suddenly stopped working and they’re no longer able to process email.

Now, I realize that the decision to remotely disable old versions of ClamAV was always going to be a hugely controversial one, and that causing mail servers around the world to intentionally break may have been a bit naughty. Who gives third party companies the right to decide what versions of software you run on your mail server, right?

Well, actually, I applaud the makers of ClamAV for this move. They must have known there would be people still using old versions who don’t read (or understand) the website and/or mailing lists, but were prepared to accept this negative publicity in order to give people the kick up the arse they need to upgrade from old versions which are known to be broken. It is widely known and accepted that old versions of antivirus software are less effective than their newer counterparts.

To all those red faced sysadmins saying that they weren’t informed about this in advance: you are responsible for running your mail server. That includes putting yourself in the loop so that you’re aware of these sorts of issues/announcements. What did you expect, a representative of ClamAV to deliver you a hand written note? Perhaps you would prefer to continue running ineffectual versions of antivirus software, blissful in your ignorance.

I can happily report that we’ve been running 0.95.x for several weeks without any issues at all.
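If you want to audit the servers you look after against the cut-off described in the announcement (anything older than 0.95 gets disabled by the killbit signature and cannot take incremental updates of signatures over 980 bytes), the script below does the version comparison for you. It is an added example, not code from this post or from the ClamAV project. It assumes that `clamd --version` and `freshclam --version` print a first line beginning `ClamAV <major>.<minor>[.<patch>]/...`, and the version strings it checks itself against are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post or from ClamAV): flag ClamAV engines
# older than 0.95, i.e. the releases affected by the freshclam 980-byte
# incremental-update bug and disabled by the CVD killbit signature.

# clamav_version_ok VERSION_STRING REQUIRED_MAJOR.MINOR
#   returns 0 if VERSION_STRING is at least the required version,
#           1 if it is older,
#           2 if the string is not recognised as ClamAV version output.
# VERSION_STRING is the first line of `clamd --version` output, assumed to
# look like "ClamAV 0.94.2/10760/Fri Apr 16 12:00:00 2010" (constructed sample).
clamav_version_ok() {
    # Reduce "ClamAV 0.94.2/..." to "0 94" (major and minor, space separated).
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^ClamAV \([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p' \
        | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    minor=${ver#* }
    req_major=${2%%.*}
    req_minor=${2#*.}
    # Compare numerically, not lexically, so that 0.100 sorts above 0.95.
    if [ "$major" -gt "$req_major" ]; then return 0; fi
    if [ "$major" -lt "$req_major" ]; then return 1; fi
    [ "$minor" -ge "$req_minor" ]
}

# check_installed: inspect the clamd found in PATH on this host.
#   returns 0 if it is 0.95 or newer, 1 if it must be upgraded,
#           2 if clamd is missing or prints something unexpected.
check_installed() {
    if ! command -v clamd >/dev/null 2>&1; then
        echo "clamd not found in PATH" >&2
        return 2
    fi
    v=$(clamd --version 2>/dev/null | head -n 1)
    clamav_version_ok "$v" 0.95
    case $? in
        0) echo "OK: $v" ;;
        1) echo "UPGRADE: '$v' is older than 0.95 and is disabled by the CVD killbit" >&2
           return 1 ;;
        *) echo "Unrecognised clamd --version output: '$v'" >&2
           return 2 ;;
    esac
}

# Only probe the local clamd when explicitly asked, so the functions can be
# sourced from other scripts without side effects.
if [ "${1-}" = "--check" ]; then
    check_installed
fi
```

Run it as `sh clamav_check.sh --check` on each mail server; a non-zero exit code tells you which hosts are still on 0.94.x or earlier, which is handy for looping over a fleet with `ssh` from a cron job.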


Posted by on April 16, 2010 in Security


2 responses to “ClamAV 0.94: End of Life”

  1. cmddotexe

    April 16, 2010 at 12:21 pm

    I’ve had a couple more thoughts about this issue.

    First, a lot of people are comparing the ClamAV situation to other software such as RedHat, stating that just because old versions of RedHat are no longer supported, they still work.

    My answer here would be: does your old unsupported RedHat box run exposed to the Internet and does it handle a critical function involving security? I suspect not.

    The other thought, seeing the dozen or so emails from people stating that they thought this was a bad idea: why wait until now to voice that opinion? If you thought it was a bad idea, would it not have made sense to have mentioned this BEFORE the killbit signature was released?!

  2. cmddotexe

    April 17, 2010 at 7:30 am

    Last comment I’m going to make to my own post:

    To all the folks spouting the “if it ain’t broke, don’t fix it” line as some kind of defense for not upgrading their ClamAV 0.94 installation: It is broke.

    Did it break when the ClamAV team disabled it? Sure.

    Was it broke before that? Yes! Out of date antivirus software is worse than no antivirus software because you get that warm fuzzy feeling that you’re protected, when in fact, you’re possibly MORE vulnerable because someone may be able to exploit your system using known vulnerabilities in the older version of the software you have neglected to maintain.


