Windows Security Gets Boost from ClamAV


The open source ClamAV project is often used on servers as a way to scan and secure e-mail gateways and Windows file shares. Now ClamAV is coming to the Windows desktop too, by way of the cloud.

Sourcefire (NASDAQ: FIRE) the lead commercial sponsor behind the ClamAV antivirus project, this week announced a new effort called ClamAV for Windows. The new product is the result of a parternship with security vendor Immunet that leverages both the desktop and the cloud to help secure Windows desktops. While the ClamAV for Windows effort uses open source technology, the entire solution is not open source, though it is currently all free.

"One of the things that ClamAV has never really done a whole lot of was actual desktop installs," Matt Watchinski, the senior director of Sourcefire's vulnerability research team, told "A lot of people use ClamAV for their mail gateways and we wanted to bring that brand and experience to the Windows desktop market."

PC security

While the core ClamAV open source project has not focused on desktop Windows installs, there is a separate project called ClamWin that already provides ClamAV for Windows desktops. However, the ClamWin project has some shortcomings: It does not scan files on access. Instead, it needs to be run manually or at a scheduled interval to scan a file or drive. The new ClamAV for Windows solution from Sourcefire, on the other hand, will perform on-access scanning.

Additionally, ClamAV for Windows melds both the cloud and the desktop, with one benefit being a reduced processing load on users' systems. The solution relies on a desktop client that Watchinski described as being lightweight and fast, and which connects to a cloud service to do the heavy lifting.

"What we do on the Windows desktop is take parts of files and send them to the cloud for external processing -- whether it's unpacking or any of the stuff that eats up resources," Watchinski said.

Security update

While the core ClamAV technology is all open source, ClamAV for Windows also includes some proprietary bits, as well. Watchinski explained that the ClamAV for Windows solution includes multiple anti-virus and anomaly-detection engines from Immunet that are not open source. ClamAV open source runs alongside the Immunet engines so that anything that comes into the cloud infrastructure for analysis is scanned by multiple engines. The actual desktop GUI for ClamAV for Window is also not open source.

Though the entire solution is not open, Watchinski noted that ClamAV for Window is free. However, the companies plan to develop a professional version of the solution that will add some extra enterprise functionality.

Sourcefire, perhaps best known as the lead commercial sponsor behind the open source SNORT IDS , acquired antivirus project ClamAV in 2007. Over the last three years, Watchinski said that the ClamAV engine has improved and is now as much as 25 percent faster while using less memory.

The ClamAV project is now working on its 0.96 release with the first release candidate set for this month. Watchinski noted that the new release will further advance the platform with a byte code interpreter, which will allow for complicated detections in code.

"We can actually emulate code inside of the engine to detect malicious binaries," Watchinski said. "In my opinion, we're really advancing the underlying detection technology inside of ClamAV."

Even as Sourcefire continues to improve ClamAV, Watchinski is realistic about the broader competitive marketplace for Windows antivirus technologies.

"I don't think we're going to try and displace a Symantec or McAfee anytime soon," Watchinski said. "We'll make a solid product. Hopefully it's fast and solves people's needs. I'm not going to put a bull's-eye on anyone and say we're coming after your space, but if I end up taking it, great."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.