The anti-virus business is an interesting one. On the one hand, it's amazingly competitive on a worldwide basis, even if Symantec dominates the U.S. consumer market; there are a lot of companies in this business. But it's also a disappointing business technologically. The companies are not out to solve a problem as much as to acquire an annuity stream in the form of subscriptions for signature updates.
So where does the free software movement fit in all this? For their own purposes, viruses and the other things a signature-based scanner would find are a comparatively minor problem. If you're a Linux or BSD user, there aren't many viruses that can attack you. But there are plenty of file and mail servers running on Linux that serve Windows users.
Commercial anti-virus vendors such as Trend Micro also offer Linux versions of their products, from basic file server protection to protection of Linux groupware applications such as Lotus Domino (available some time this year). But these are not “free” in the GNU sense.
A true free anti-virus effort would be an opportunity to challenge many theories out there about this market, including the one that suggests that in order to keep their subscription-based business model alive, the anti-virus companies have suppressed truly effective heuristic techniques. A free effort would have no such perverse incentives. (Of course, the whole notion that heuristics are being suppressed is a stupid conspiracy theory, but it's still fun to find yet another way to challenge it.)
Everyone in the anti-virus business will tell you that the real work is not building the product, it's keeping up with the oftentimes overwhelming flood of new malware. It's this part of the project that you would think would be the hardest for a free software effort, but that is the way both projects were designed. They didn't start out doing the secret heuristic model, and I'm not aware of any other project that does.
I searched around and found two projects. The first one, OpenAntiVirus, was formed about four years ago with high ideals, but it seems moribund now. The site itself says that it's not a product to rely on yet, just “a set of toys to play with,” and the most recent set of signatures is dated May 29, 2004.
Clam AntiVirus is much more successful. Developers keep it up-to-date and it seems to have a fair-sized following. It's basically a *NIX program, but there is a Windows port with a GUI front end called ClamWin. I briefly tested it, but not enough to draw any conclusions.
Keeping up with the signatures means you need a group of quality volunteers available on a moment's notice to develop signatures. This isn't the kind of need you usually have in a free software project; it's the kind that usually requires paid experts in three time zones. Clam AntiVirus has a good reputation for updating its database quickly, but all I've seen is praise, not numbers.
Based on a Usenet search, it would appear that lots of people are running ClamAntiVirus—or at least attempting to do so. But I searched long and hard on Usenet and the Web for objective tests of ClamAntiVirus—especially comparative tests against commercial products—and failed to find any. I'm pretty sure nobody has done them, at least not for publication. The anti-virus companies have probably done internal testing, but they're not sharing it with me.
Now, clearly ClamAntiVirus finds viruses. As evidence, someone has posted a ClamAntiVirus log file on a Web page. It seems to use nonstandard virus names more often than the others. For example, it looks like ClamAntiVirus calls the very popular Netsky worm “SomeFool.”
The sigtool controversy
I asked a few of the big anti-virus companies about ClamAntiVirus, and especially about their controversial “sigtool” program. Sigtool allows users to make their own signatures based on the detection behavior in another scanner. They basically do a progressive truncation of the file being scanned until they have the smallest portion from which the scanner will find the virus, and that is the signature.
This capability was what originally interested me about ClamAntiVirus because it's basically stealing other companies' work. In fact, some anti-virus companies now prohibit such behavior as part of their licenses, and the sigtool docs warn you to check the license for such a restriction. The ClamAntiVirus docs also say that this is not the method they use to develop “official” distributions of signatures.
The other method is either not documented or too simplistic to take seriously. The documentation basically tells you to go into a hex editor and find a sufficiently unique string. There's a lot more to it than that. Even just relying on a single static string would mean that ClamAntiVirus couldn't find any polymorphic viruses, and there are a lot of polymorphic viruses. Incidentally, the sigtool automated detection specifically can't find polymorphic viruses. But ClamAntiVirus appears to be able to do polymorphic detection.
I scanned the ClamAntiVirus database for a virus I knew to be polymorphic (MiMail.Q) and it's in there. Furthermore, the signature (which the database will happily show you) is not a simple hexadecimal constant, but contains sequences like “90*9090????90??9090*.” Hmmm … Those look like wildcards. Probably input to a regular expression parser. So ClamAntiVirus is more capable than I was originally led to believe by one anti-virus company and third parties, but I still suspect it's not as sophisticated as the commercial products, which use such techniques as instruction frequency detection as well as simple pattern detection. We don't know because there are no numbers—at least not recently.
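To show what a wildcard signature like the one above actually matches, here is an added example (my own code, not ClamAntiVirus's scanner) that translates a ClamAV-style hex signature into a bytes regex and runs it over constructed data. It assumes ClamAV's documented meaning of `*` (any number of bytes) and `??` (any one byte), and also goes slightly beyond the page by handling single-nibble wildcards such as `?a`; the signature names and sample bytes are constructed for illustration.

```python
import re

# Constructed sample signatures in ClamAV's hex format (assumption, as ClamAV
# documents it: '*' matches any number of bytes, '??' any single byte, and a
# lone '?' in a pair such as '?a' or 'a?' matches any value for that nibble).
SAMPLE_SIGS = {
    "Test.Polymorphic-1": "90*9090????90??9090*e8",
    "Test.Static-1": "4d5a90000300",
}


def clam_sig_to_regex(sig: str) -> re.Pattern:
    """Translate a ClamAV-style hex signature into a compiled bytes regex."""
    sig = sig.strip().lower()
    parts = []
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            parts.append(b".*?")          # gap of any length, non-greedy
            i += 1
            continue
        if i + 1 >= len(sig):
            raise ValueError(f"odd number of hex digits in {sig!r}")
        hi, lo = sig[i], sig[i + 1]
        i += 2
        if hi == lo == "?":
            parts.append(b".")            # any single byte
        elif "?" in (hi, lo):
            # one nibble is fixed: enumerate the 16 byte values that fit it
            fits = [int((hi if hi != "?" else "%x" % n) +
                        (lo if lo != "?" else "%x" % n), 16) for n in range(16)]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in fits) + b"]")
        else:
            parts.append(re.escape(bytes.fromhex(hi + lo)))
    # DOTALL so '.' also matches newline bytes inside binaries
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, sigs=SAMPLE_SIGS) -> list:
    """Return the names of every signature in sigs that matches somewhere in data."""
    return [name for name, sig in sigs.items() if clam_sig_to_regex(sig).search(data)]


if __name__ == "__main__":
    # Constructed bytes laid out so the varying positions fall on the wildcards
    sample = b"\x90ABC\x90\x90\x01\x02\x90\x03\x90\x90xyz\xe8"
    print(scan(sample))                                        # ['Test.Polymorphic-1']
    print(scan(bytes.fromhex("4d5a90000300") + b"\x00" * 8))   # ['Test.Static-1']
```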
ClamAntiVirus has a lot of the basic functionality of commercial anti-virus systems, but not all of it. It can't disinfect files, although I consider this a minor problem. Viruses don't infect files anymore, they create their own files. The techniques used to infect files are too easy to detect.
Clearly the biggest need these days in an anti-virus system is for scanning e-mail, and here's where ClamAntiVirus scares me. According to the manual, mail support is turned off by default because it “is still under development and may cause stability problems.” Yikes!
In certain circles ClamAntiVirus is highly respected, but that's at least partially for lack of anything else to respect. And as a second or third scanner, it's basically no-lose—unless it has false positives. According to Steve Stern, manager of the WUGNET VirusCentral Forum, both SourceForge.net and CompuServe use ClamAntiVirus to scan e-mail. Is that all they use to test?
At this point, with no real objective data to compare it with anything else—not even the wild list—and with mail server support still officially unfinished, it's hard to see how you could rely on it for a real organization, unless you actually have no budget. I'm rooting for them in a way, and perhaps a successful ClamAntiVirus could put pricing pressure on the Symantecs and McAfees of the world, who have raised their prices pretty consistently over the years and made it more difficult to protect ourselves.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.