The team behind ClamAV has announced the availability of the ClamAV 1.5 release candidate, giving users an early look at what’s coming in the next major version of this highly popular open-source antivirus engine.
One of the biggest highlights in this release is the introduction of a FIPS-compliant method for verifying CVD and CDIFF signature database files. While the feature is included in this candidate, ClamAV developers aren’t yet distributing the associated “.cvd.sign” files for the main databases.
For now, this means systems running in strict FIPS mode will still see Freshclam updates fail. However, the release candidate does include test keys and certificates so developers can begin trying out the new signing and verification workflow.
Beyond FIPS support, ClamAV 1.5 brings a wide range of changes across the engine, tools, and build system. Key improvements include:
- Security-focused updates: Freshclam, ClamD, and ClamScan gain a FIPS-limits mode that disables weak hash algorithms like MD5 and SHA-1. Clean-file caching has also been upgraded to SHA-256.
- Expanded metadata options: Users can now configure whether URIs found in HTML and PDFs are recorded in JSON metadata. Additional hash types can also be stored if desired.
- New administrative controls: ClamD now supports disabling sensitive commands such as shutdown and reload for tighter operational security.
- Improved scanning capabilities: Precision counters for scanned data, extended hashing functions, and new scan functions provide developers with more granular control and insight.
- Enhanced configuration and usability: Inline comments are now supported in config files, recursion limits have been hardened, and regex support has been added for path exclusions.
There are also several practical changes for developers and system administrators. For example, ClamAV now installs a dedicated certs directory to manage external signatures, with flexible configuration options across command-line tools, environment variables, and configuration files.
Additionally, sigtool has gained updated commands for signing, verifying, and handling external signature files.
On the platform side, the release adds support for AI model file types, improved handling of malformed ZIP archives, and better support for UTF-8 file names on Windows. At the same time, long-standing issues have been addressed, including crashes in ClamBC, buffer overflow vulnerabilities, and inconsistencies in memory reporting.
As with every RC, the ClamAV development team is encouraging users to test the software and share feedback. Reports can be submitted through GitHub, the ClamAV mailing list, or on Discord.
The testing phase is expected to last around two to four weeks, depending on feedback and whether further stabilization work is needed. For a deeper dive on all changes, see the announcement.