Open Source Not Ready for Anti-Virus

Anti-virus software is definitely a challenge for the open-source model, and while there is at least one active program, there's no good evidence of how well it works.

The anti-virus business is an interesting one. On the one hand, its amazingly competitive on a worldwide basis, even if Symantec dominates the U.S. consumer market; there are a lot of companies in this business. But its also a disappointing business technologically. The companies are not out to solve a problem as much as to acquire an annuity stream in the form of subscriptions for signature updates.

So where does the free software movement fit in all this? For their own purposes, viruses and the other things a signature-based scanner would find are a comparatively minor problem. If youre a Linux or BSD user, there arent many viruses that can attack you. But there are plenty of file and mail servers running on Linux that service Windows users.

Commercial anti-virus vendors such as Trend Micro also offer Linux versions of their products, from basic file server protection to protection of Linux groupware applications such as Lotus Domino (available some time this year). But these are not "free" in the GNU sense.

28571.gif

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

A true free anti-virus effort would be an opportunity to challenge many theories out there about this market, including the one that suggests that in order to keep their subscription-based business model alive, the anti-virus companies have suppressed truly effective heuristic techniques. A free effort would have no such perverse incentives. (Of course, the whole notion that heuristics are being suppressed is a stupid conspiracy theory, but its still fun to find yet another way to challenge it.)

Everyone in the anti-virus business will tell you that the real work is not building the product, its keeping up with the oftentimes overwhelming flood of new malware. Its this part of the project that you would think would be the hardest for a free software effort, but that is the way both projects were designed. They didnt start out doing the secret heuristic model, and Im not aware of any other project that does.

I searched around and found two projects. The first one, OpenAntiVirus, was formed about four years ago with high ideals, but it seems moribund now. The site itself says that its not a product to rely on yet, just "a set of toys to play with," and the most recent set of signatures is dated May 29, 2004.

Clam AntiVirus is much more successful. Developers keep it up-to-date and it seems to have a fair-sized following. Its basically a *NIX program, but there is a Windows port with a GUI front end called ClamWin. I briefly tested it, but not enough to draw any conclusions.

Keeping up with the signatures means you need a group of quality volunteers available on a moments notice to develop signatures. This isnt the kind of need you usually have in a free software project, and the kind that usually requires paid experts in three time zones. Clam AntiVirus has a good reputation for updating its database quickly, but all Ive seen is praise, not numbers.

Based on a Usenet search, it would appear that lots of people are running ClamAntiVirus—or at least attempting to do so. But I searched long and hard on Usenet and the Web for objective tests of ClamAntiVirus—especially comparative tests against commercial products—and failed to find any. Im pretty sure nobody has done them, at least not for publication. The anti-virus companies have probably done internal testing, but theyre not sharing it with me.

Now, clearly ClamAntiVirus finds viruses. As evidence, someone has posted a ClamAntiVirus log file on a Web page. It seems to use nonstandard virus names more often than the others. For example, it looks like ClamAntiVirus calls the very popular Netsky worm "SomeFool."

The ClamAV Database includes about 20,000 defined patterns, far short of the more than 60,000 "Internet security-related threats" in Symantecs files.

Next page: The "sigtool" controversy.