Internet.com ISP-Planet
 
Clam AV

The open source e-mail virus scanner is known for responding quickly to new outbreaks.

by Jeff Goldman
[April 5, 2006]

Tomasz Kojm created the e-mail virus scanner ClamAV in 2002 as a supplement to the now-defunct OpenAntiVirus project. "OpenAntiVirus was probably the first open source attempt for anti-virus," Kojm says. "It was written in Java, and to be honest, I didn't like it—Java is not that light, and it was causing big overloads on our servers."

Because Java takes a few seconds to start, OpenAntiVirus by necessity lacked a command line scanner—so Kojm says that was his first aim in developing ClamAV. At first, ClamAV was an add-on to OpenAntiVirus, but it soon became so popular that Kojm developed his own daemon application and started working on ClamAV as a separate solution.

The application's first big boost came when it was published on FreshMeat. After that, Kojm says, more and more people got involved in the project, and the core team now consists of 16 developers distributed worldwide.

ClamAV has more than 120 officially published mirrors in 39 countries, and it's still early days—the project hasn't yet reached version 1.0, though Kojm says that's likely to come in the next year or so. "ClamAV is still a young project in the anti-virus field," he says. "Most of the commercial products have a history of ten years or longer."

Advantages of open source
Kojm says there's a lot to be said for the open source model, particularly for a solution like anti-virus. "Everyone can look into it and check if it contains any possible back doors or things like that," he says. "Also, many people audit open source software, so we are able to react very quickly to new bugs."

And any anti-virus solution, Kojm notes, requires constant updating—which the open source model helps to support. "It's not like developing an image viewer," he says. "You need to update the system, you need to update the virus detection techniques, you need to constantly develop new methods for fighting viruses."

ClamAV also boasts a number of active mailing lists, which Kojm says keep most users from having to turn to commercial support for help. "The mailing list is sufficient in most cases, especially because ClamAV is generally very easy to install," he says.

And there's a wiki too.

Responding to outbreaks
Ferris Research analyst Richi Jennings says the open source model seems to work well for ClamAV. "If you look at the independent tests that are done by people like AV-Test.org, for example, the well-known names in anti-virus actually don't do a tremendously good job of being responsive to new virus outbreaks," he says.

When a new virus appears, Jennings says, the major providers often aren't the fastest responders. "The big names who you might think have a lot of resources behind them actually do a mediocre job, generally speaking," he says. "And the people who are doing a good job tend to be smaller names, less well known."

AV-Test.org's Andreas Marx agrees that ClamAV's strength lies in its speedy response to new outbreaks. He notes, though, that it has some problems with false positives and detection rates. "It only has an 85 percent detection rate in the case of WildList viruses and a 35 percent detection rate for Zoo malware, while commercial scanners usually have 100 percent WildList and 95 percent + Zoo detection rates," Marx says.

Strength in numbers
Yankee Group Senior Analyst Andrew Jaquith says ClamAV does extremely well in competition with commercial solutions—but he advises against deploying any single anti-virus solution on its own. "We think that doubling up coverage on your AV is a good idea," he says. "And Clam could certainly be an example of a second engine to provide that coverage."

Jaquith notes that many companies have expressed an impressive amount of confidence in ClamAV. "Mac OS X Server, for instance, bundles ClamAV, so they think it's good enough," he says. "Barracuda bundles ClamAV, and a variant of IBM's AIX has it as an option as well—so it's enough for many uses."

Jaquith says it all comes down to the management of the ClamAV project itself. "From what I've been able to tell, it seems like it's a pretty good example of how open source ought to be working—a cohesive development organization, responsive and passionate users, and flexibility," he says. "I think that's what you want, and it seems like they're doing it."

Getting into the code
Jan-Pieter Cornet is a senior sysadmin at the European ISP XS4ALL. Because XS4ALL likes to use open source solutions (see, for example, our article on the open source trouble ticketing system Best Practical RT), Cornet says ClamAV was an obvious choice. "It's the only open source product I know that's specifically aimed at catching e-mail viruses on a mail server," he says.

But like Jaquith, Cornet says it's always a good idea to deploy more than one AV product—in fact, he says ClamAV is XS4ALL's third scanner, and for good reason. "ClamAV actually only scans for about 46,000 different viruses, where a commercial scanner detects maybe 100,000 different viruses," he says. "But in practice it doesn't matter, because Clam catches practically every e-mail borne virus that's out there—so the fact that the other scanners pick up the occasional boot sector virus from 1995 that's still floating around is irrelevant."

And Cornet says XS4ALL has taken advantage of having access to ClamAV's source code by disabling the solution's phishing signatures. "Standard ClamAV comes with a couple of signatures for phishing e-mails," he says. "We don't think a virus scanner should stop that sort of e-mail—but because it's open source, you can look at how it works and you can simply remove those signatures."

While a smaller ISP that isn't used to dealing with open source software might want to deploy a commercial product just for the sake of receiving a straightforward installation CD, Cornet says ClamAV should be ideal for most deployments. "If you have your own expertise, I don't see a reason why an ISP shouldn't trust ClamAV," he says. "In my opinion, it's pretty solid—and it's proven itself."

Easy to maintain
Paul Peeler is Unix Systems Engineer at Carolina Internet, which he describes as "very much an open source shop." As a result, Peeler says, ClamAV was the obvious choice for anti-virus. "It's really easy to use," he says. "They have very quick updates—they respond very quickly—so it's been one of the best pieces of software that we've put in here."

The speed of ClamAV's response to new viruses, Peeler says, has been a key asset. "We've had several customers call in and say, 'Oh my God, we're getting hit with this virus through e-mail: can you help us out?'—and it turns out there's a definition for it already," he says. "They've got Symantec or some other scanner on their machine locally, which they're furiously updating and still are unable to catch and remove it."

Thanks to Carolina Internet's in-house expertise and ties to the developer community, Peeler says, open source products like ClamAV are actually much easier to maintain than most commercial solutions. "We're not opposed to paying for software if it fits a need or if it's a demand from a customer, but we find that the largest amount of wasted time is spent beating our way up [a commercial provider's] support chain when there's a problem that we can't fix locally," he says.

And even less experienced ISPs, Peeler says, should take a look at ClamAV. "If you have a good, solid team and competent people, then a very mildly tech-savvy person could find the answers to their own problems," he says. "It's a very well-documented system."

—End
