Open Source Not Ready for Anti-Virus

By Larry Seltzer  |  Posted 2004-08-09

Anti-virus software is definitely a challenge for the open-source model, and while there is at least one active program, there's no good evidence of how well it works.

The anti-virus business is an interesting one. On the one hand, it's amazingly competitive on a worldwide basis, even if Symantec dominates the U.S. consumer market; there are a lot of companies in this business. But it's also a disappointing business technologically. The companies are not out to solve a problem as much as to acquire an annuity stream in the form of subscriptions for signature updates. So where does the free software movement fit in all this? For their own purposes, viruses and the other things a signature-based scanner would find are a comparatively minor problem. If you're a Linux or BSD user, there aren't many viruses that can attack you. But there are plenty of file and mail servers running on Linux that service Windows users.

Commercial anti-virus vendors such as Trend Micro also offer Linux versions of their products, from basic file server protection to protection of Linux groupware applications such as Lotus Domino (available some time this year). But these are not "free" in the GNU sense.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzer's Weblog.

A true free anti-virus effort would be an opportunity to challenge many theories out there about this market, including the one that suggests that in order to keep their subscription-based business model alive, the anti-virus companies have suppressed truly effective heuristic techniques. A free effort would have no such perverse incentives. (Of course, the whole notion that heuristics are being suppressed is a stupid conspiracy theory, but it's still fun to find yet another way to challenge it.)

Everyone in the anti-virus business will tell you that the real work is not building the product, it's keeping up with the oftentimes overwhelming flood of new malware. It's this part of the project that you would think would be the hardest for a free software effort, but that is the way both projects were designed. They didn't start out doing the secret heuristic model, and I'm not aware of any other project that does.

I searched around and found two projects. The first one, OpenAntiVirus, was formed about four years ago with high ideals, but it seems moribund now. The site itself says that it's not a product to rely on yet, just "a set of toys to play with," and the most recent set of signatures is dated May 29, 2004.

Clam AntiVirus is much more successful. Developers keep it up to date and it seems to have a fair-sized following. It's basically a *NIX program, but there is a Windows port with a GUI front end called ClamWin. I briefly tested it, but not enough to draw any conclusions.

Keeping up with the signatures means you need a group of quality volunteers available on a moment's notice to develop signatures. This isn't the kind of need you usually have in a free software project, and it's the kind that usually requires paid experts in three time zones. Clam AntiVirus has a good reputation for updating its database quickly, but all I've seen is praise, not numbers.

Based on a Usenet search, it would appear that lots of people are running ClamAntiVirus, or at least attempting to do so. But I searched long and hard on Usenet and the Web for objective tests of ClamAntiVirus, especially comparative tests against commercial products, and failed to find any. I'm pretty sure nobody has done them, at least not for publication. The anti-virus companies have probably done internal testing, but they're not sharing it with me.

Now, clearly ClamAntiVirus finds viruses. As evidence, someone has posted a ClamAntiVirus log file on a Web page. It seems to use nonstandard virus names more often than the others. For example, it looks like ClamAntiVirus calls the very popular Netsky worm "SomeFool."

The ClamAV database includes about 20,000 defined patterns, far short of the more than 60,000 "Internet security-related threats" in Symantec's files.


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
