It’s been five years since IPS vendor Sourcefire acquired ClamAV’s intellectual property and personnel resources. Since then, the open source antivirus project has prospered under Sourcefire’s guidance and is now complemented by commercial antivirus tools for the consumer and enterprise markets that are based on ClamAV.
This past week, the four founders of ClamAV — Tomasz Kojm, Alberto Wu, Luca Gibelli, and Edwin Török — announced they were leaving Sourcefire. But the departures are not a sign that the 10-year-old ClamAV project is in trouble, according to Sourcefire executives.
“The group was upfront about leaving and they explained that it was time to move on,” Matt Watchinski, vice president of Sourcefire’s Vulnerability Research Team (VRT), told eSecurity Planet. “They truly did feel that they had accomplished what they wanted with ClamAV and wanted to try something new. I think that’s a common situation with innovators.”
Of course, with the former ClamAV leaders moving away, there is always a possibility that they might start a competing project — but Watchinski says that Sourcefire is supportive of its former employees’ future endeavors, whatever they may be.
“As a practice, we always stand confident in our own innovation,” Watchinski said.
Sourcefire’s innovations are many. The company first rose to prominence as the leader of the open source Snort IPS system, which remains the cornerstone of its technology platform. As for ClamAV, Sourcefire has moved that technology forward in a few different ways.
On the consumer side, Sourcefire integrated ClamAV into the commercial Immunet consumer anti-malware product for Windows. Sourcefire acquired Immunet in 2011 for its cloud-based antivirus technology. That technology has been expanded with ClamAV as a core scanning engine used by over 2 million consumers.
“We also added additional malware analysts for signature creation, so that in-field efficacy is much higher, as well as added a ton of backend improvements for content creation and malware classification,” Watchinski said. “Externally, for the community, we developed a bytecode engine for more complex detection, improved PDF file support for PDF-based malware, and re-wrote the milter interface for faster gateway scanning and better integration with mailers.”
For enterprise users, Sourcefire’s FireAMP technology leverages ClamAV to help secure larger networks.
While ClamAV has its roots in signature-based detection, the platform today has multiple detection engines. Watchinski explained that some are heuristic-based, some are signature-based, and the bytecode engine is very powerful from a detection perspective.
“ClamAV also has an extensive file unpacking infrastructure for dealing with common packers and other things that malware authors use to hide from detection,” Watchinski said.
The anti-virus marketplace is a crowded one dominated by proprietary commercial vendors including Symantec and McAfee. While ClamAV is a freely available open source technology, over the last ten years it has managed to hold its own in the market for certain use cases.
“The goal of ClamAV has always been to create a solid malware detection engine that can be easily utilized by other front ends,” Watchinski said. “You can see this in how ClamAV is deployed today. It is integrated with mail servers, proxy servers, desktop AV, and hundreds of other applications.”
One Release At A Time
The most recent ClamAV release is version 0.97.5, a security release that fixes some evasions in certain file types that were reported to the project by external researchers. According to Watchinski, what’s in the pipeline for the next release is still under discussion, and a roadmap is set to be published soon on clamav.net.
After ten years of development, ClamAV is still not a 1.0 release and it’s not likely to get there with the next release either.
“I like to plan one major release at a time, which is currently 0.98,” Watchinski said.