Antivirus Gets An Open-Source Boost
The open source Clam Anti-Virus is a young product, lacking in key technical features. But users and developers say its performance is fast, it is updated quickly to respond to new attacks, and it provides a good alternative, or supplement, to proprietary anti-virus products.
Standing The Test Of Time
Clam AntiVirus does have shortcomings, especially when implemented on a Windows-based platform: The product lacks a memory-scanning mechanism (making it suitable only for detecting malware that has not yet executed on a target system), and it cannot detect "stealth" viruses masked using a rootkit. In addition, AV-Test.org determined that while most commercial scanners can detect 100 percent of the malware entries maintained by The WildList Organization International, Clam AntiVirus detects just 80 percent, with most of the misses involving older malware whose existence predates the project itself. Clam AntiVirus also appears to generate a rather high number of false positives compared to the commercial products, and it can only delete an infected file, not repair it.
"[ClamAV's] current detection routines are mainly simple pattern matching. Advanced detection mechanisms are missing. It does not include a code emulator, advanced heuristics, or Sandbox-like routines," Marx says.
While ClamAV falls short in some key areas, most of its flaws stem from the fact that it is still a relatively new product rather than from inherent design or programming failures. In addition, say ClamAV developers, some key shortcomings will be rectified in the next major release, which will feature new heuristic detectors, a signature code interpreter, and support for other file formats including WinRAR 3.0 archives. ClamAV will also add support for hardware acceleration, thanks to a partnership formed between the ClamAV project team and Sensory Networks, Inc., a network security hardware maker.
Kaspersky's Shane Coursen says the biggest question facing ClamAV is one any open-source project must address: Can it sustain itself in the long run, without a commercial vendor to provide dedicated resources and support? "Any open-source project must prove that it can sustain a level of development and support required in a security software product," Coursen said. "I've seen many good open-source projects begin only to end prematurely or fail altogether because interest in it is lost," says Coursen, who, obviously, feels a commercial product stands a better chance to have sustained development and support.
But Electric Mail's Hyde says ClamAV has passed his company's tests with flying colors. The proof for him lies in its day-to-day performance: "Clam AntiVirus is well-maintained. The pattern update process is clean, unlike some of the commercial vendors, and works well."
"We run around 10 million messages a day through Clam AntiVirus and have found it to be a very stable product."