Is Antivirus Ready for Open Source?
Published: September 19, 2006
by Alex Woodie
The open source software movement has come a long way. A decade ago, nobody but the actual participants in open source projects and other IT enthusiasts gave the movement much chance of succeeding, but today, it's tough to deny the success of open source products. However, when it comes to security tools and antivirus software--the thin blue line separating our computers from certain infection on the Internet--there is less agreement that open source can secure as well as traditionally developed, closed-source products.
There is no denying the huge impact that open source development has had, and continues to have, on the IT industry. Indeed, one only has to look as far as Linux, which is the second-most popular operating system (to Windows), and the fastest growing operating system in terms of usage. Apache remains, by far, the most popular HTTP server on the Net, and the Eclipse development platform is rapidly gaining market and mind share, and now poses a real challenge to Microsoft's dominance in development tools.
The popularity of open source has both philosophical and practical roots. It used to be that developers and users would choose open source primarily because it didn't come from Microsoft. They might overlook some shortcomings in the product, such as an unattractive interface, because they felt strongly about the need for diversity. Not anymore. Nowadays, open source tools, such as PHP, Perl, and JBoss, are getting use because they're easy to get, easy to use, and they do the job. In many cases (but not all), open source software is also cheaper, and that will always be a factor in some people's minds.
Backers of open source software commonly cite the frequency of updates as one of the advantages of their method. Having a worldwide network of motivated enthusiasts and experts on hand to scour source code, make additions, and fix bugs is better than waiting for months for a vendor with questionable motivations to roll out an update, they say.
This is one of the advantages cited by ClamAV, an open source project that has been developing an antivirus tool for Unix servers for the last three years. ClamAV claims that the open source process enables it to respond to new malware threats more quickly than the commercial antivirus vendors. In fact, on any given day, the group will publish a dozen or so new definitions protecting its users against the latest viruses, worms, and Trojans.
Hundreds of organizations, ISPs, and schools around the world are using ClamAV to protect their e-mail, according to the group's Web site. These users have the option of buying commercial support contracts from some 70 businesses, mostly ISPs. One of the most prominent users is SourceForge.net, the online development community. ClamAV took third place in the 2006 Community Choice Awards, in the networking category.
However, not everybody is enamored with ClamAV, nor open source security tools in general. In fact, the battle of proprietary antivirus versus open source antivirus software came to a head earlier this year when two established OS/400 security vendors squared off over the matter. The disagreement involved Bytware, which sells a native OS/400 version of the popular McAfee antivirus engine, and Raz-Lee, which sells a version of ClamAV's antivirus engine that runs in an iSeries Linux partition, and which has been further modified for the iSeries.
Raz-Lee took issue with a product comparison Bytware published on its Web site that cast Raz-Lee's ClamAV-based product, called iSecurity, in an unfavorable light. The part of Bytware's comparison that irked Raz-Lee the most was Bytware's use of the label "useless" to describe the ClamAV product. Bytware's product comparison table can be found at www.bytware.com/products/sgav.html.
While describing a competitor's product as "useless" may seem like par for the course in the cut-throat enterprise software market, in fact Bytware borrowed the term from a respected and long-running comparison of antivirus scanning engines by the University of Hamburg's Virus Test Center (see agn-www.informatik.uni-hamburg.de/vtc/naveng.htm).
Indeed, in July 2004, the Virus Test Center found that the ClamAV scanner performed very poorly in tests to find both known "zoo" viruses and current "in-the-wild" viruses, including file, macro, and script viruses. While most of the commercial antivirus scanners detected between 90 and 100 percent of the viruses, including the McAfee antivirus scanner and many other well-known brands, the ClamAV scanner could find only between 20 and 40 percent of the viruses (anything below 50 percent gets a "useless" rating from the center). The only other product to score that low was the scanner from the now-defunct open source OpenAV project.
In ClamAV's defense, those test results are more than two years old. The tests were also performed when the product had been around for less than a year. It has now been in development for more than three years, but there hasn't been another University of Hamburg test since July 2004. Shmuel Zailer, CEO and CTO of Raz-Lee, doesn't think results from that test bear much relevance today.
"Taking old and outdated information is, in my opinion, unprofessional and intentionally misleading," Zailer wrote in a statement e-mailed to IT Jungle. "If you look at the data that the Bytware comparison table is based on, it goes back to 2004. This is not a serious way to deal with such issues. In this day and age, product data becomes irrelevant within days, especially antivirus software where new threats and viruses appear daily."
Raz-Lee also took issue with other parts of Bytware's comparison table, including the lack of "on-access" scanning in the ClamAV product. While the ClamAV product does, indeed, lack on-access capabilities, Raz-Lee says it has added an on-access feature to its implementation, so that a file is scanned in real time whenever it is touched. Other changes that Raz-Lee made include the addition of an "exclude" feature, which speeds scanning by omitting predefined libraries from the scan list and by letting administrators drop files that have already been scanned from future scans.
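The exclude list and the "already scanned, skip it" shortcut described above are exactly where a scanner quietly loses protection if they are implemented carelessly: a file that was clean against yesterday's definitions is not known to be clean against today's, and a skipped file that has since been rewritten was never scanned at all. The following is an added illustrative example (my own code, not Raz-Lee's, ClamAV's or Bytware's) of a scan cache that invalidates itself whenever either the file content or the signature set changes, and that never caches an infected verdict. The signature sets, file names and byte patterns are constructed for the example; the scanner is a naive substring matcher standing in for a real engine.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed toy signature sets (name -> byte pattern). They are not ClamAV
# signatures; they exist only so the example runs offline. V2 stands in for a
# daily definition update that adds one signature.
SIGNATURES_V1: Dict[str, bytes] = {"Test.Pattern.A": b"<<TEST-PATTERN-A>>"}
SIGNATURES_V2: Dict[str, bytes] = {**SIGNATURES_V1, "Test.Pattern.B": b"<<TEST-PATTERN-B>>"}


def signature_version(sigs: Dict[str, bytes]) -> str:
    """Stable identifier for a signature set; any added or changed entry changes it."""
    h = hashlib.sha256()
    for name in sorted(sigs):
        h.update(name.encode() + b"\0" + sigs[name] + b"\0")
    return h.hexdigest()[:16]


def scan_bytes(data: bytes, sigs: Dict[str, bytes]) -> Optional[str]:
    """Naive substring scanner: returns the first matching signature name, or None."""
    for name, pattern in sigs.items():
        if pattern in data:
            return name
    return None


@dataclass
class CachingScanner:
    sigs: Dict[str, bytes]
    exclude_dirs: Tuple[str, ...] = ()
    # path -> (signature version, sha256 of content) at the time of the last clean scan
    cache: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Normalise to "<abs dir>/" so that excluding /lib does not also exclude /libfoo
        self.exclude_dirs = tuple(os.path.join(os.path.abspath(d), "") for d in self.exclude_dirs)

    def update_signatures(self, sigs: Dict[str, bytes]) -> None:
        # Old entries stay in the cache but no longer match the new version,
        # so every file is rescanned on its next access.
        self.sigs = sigs

    def scan_path(self, path: str) -> Tuple[str, Optional[str]]:
        """Return (status, detection); status is 'excluded', 'cached' or 'scanned'."""
        norm = os.path.abspath(path)
        if any(norm.startswith(d) for d in self.exclude_dirs):
            return "excluded", None
        with open(norm, "rb") as f:
            data = f.read()
        # Key on a content hash, not on size/mtime: an mtime is trivially forged (touch -r)
        digest = hashlib.sha256(data).hexdigest()
        version = signature_version(self.sigs)
        if self.cache.get(norm) == (version, digest):
            return "cached", None
        verdict = scan_bytes(data, self.sigs)
        if verdict is None:
            self.cache[norm] = (version, digest)  # only clean verdicts are cached
        else:
            self.cache.pop(norm, None)  # an infected file is reported on every access
        return "scanned", verdict


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """Walk the cache through constructed files; returns (label, status, verdict) rows."""
    results: List[Tuple[str, str, Optional[str]]] = []
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.mkdir(lib)
        doc = os.path.join(root, "doc.txt")
        skip = os.path.join(lib, "skip.bin")
        drop = os.path.join(root, "drop.bin")
        with open(doc, "wb") as f:
            f.write(b"quarterly report, nothing to see")
        with open(skip, "wb") as f:
            f.write(b"header " + SIGNATURES_V1["Test.Pattern.A"])
        with open(drop, "wb") as f:
            f.write(b"payload " + SIGNATURES_V2["Test.Pattern.B"])

        sc = CachingScanner(SIGNATURES_V1, exclude_dirs=(lib,))
        results.append(("doc first pass",) + sc.scan_path(doc))
        results.append(("doc second pass",) + sc.scan_path(doc))
        results.append(("excluded lib file",) + sc.scan_path(skip))
        results.append(("drop with old sigs",) + sc.scan_path(drop))

        sc.update_signatures(SIGNATURES_V2)  # the "daily update" arrives
        results.append(("doc after sig update",) + sc.scan_path(doc))
        results.append(("drop after sig update",) + sc.scan_path(drop))

        with open(doc, "ab") as f:  # the previously clean file is rewritten
            f.write(SIGNATURES_V1["Test.Pattern.A"])
        results.append(("doc after modification",) + sc.scan_path(doc))
        results.append(("doc infected again",) + sc.scan_path(doc))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The two things to check in any real exclude or skip feature are visible in the walk-through: the dropper under `drop.bin` is missed by the old definitions and is only caught because the signature update invalidates every cached verdict, and the excluded `lib/` directory hides a detectable file entirely, which is the trade-off an administrator makes when putting a library on the exclude list.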
Raz-Lee claims Bytware's comparison was a case of sour grapes, because Bytware's StandguardAV had been the only antivirus scanning solution for iSeries users until Raz-Lee launched iSecurity about a year ago. "We were surprised to see that Bytware has chosen such tactics in order to stay in the race. Naturally, it hurts to lose part of the market, however, it is simply dishonest to publish a biased comparison table that does no justice to your competitors," Raz-Lee said in a company statement.
However, Bytware stands by its comparison table. "Personally, I'm glad Raz-Lee has an AV product. We need more vendors educating the iSeries community about the real issues," says Mike Grant, president of the Reno, Nevada, company.
Grant points out that there's a significant difference in the number of viruses, worms, and other malware that the two products can detect. McAfee currently has definitions for more than 200,000 threats, while ClamAV detects somewhere between 35,000 and 60,000. (The exact number is in dispute. One part of ClamAV's Web site says 60,000, while their current user's guide says 35,000.) "Would you really unload your commercial AV product in favor of ClamAV on your personal Windows computer, and feel safe surfing the Internet knowing it detects less than half of the threats?" Grant asks. "I wouldn't. So why would you run that on a server?"
In the end, Grant says open source isn't yet up to snuff when it comes to security. "Open source's nickname in the industry is 'open sores.' I agree with that," he says. "Perhaps it has its place in e-mail and other things that are stable and have standards. That does not apply to antivirus."
ClamAV developers did not respond to requests for comment.
Raz-Lee defends the ClamAV product, and says it's more than ready for enterprise deployments. "One of the reasons we chose ClamAV for our signature files is due to the excellent response time and implementation of new threats that ClamAV provides," Zailer says. "You can be certain that we wouldn't have jeopardized the excellent reputation we have in the market, and use an unproven signature file, if we were not 100 percent confident that it would do the job."