August 17th, 2007

Questions swirl as Sourcefire buys ClamAV

Posted by Ryan Naraine @ 12:24 pm

Sourcefire’s acquisition (Techmeme discussion) of the ClamAV project — a deal that includes trademarks and copyrights of the popular open-source anti-virus toolkit — has raised eyebrows among industry watchers worried about the future of free security products.

The skinny on today’s transaction:

Under terms of the transaction, Sourcefire has acquired the ClamAV project and related trademarks, as well as the copyrights held by the five principal members of the ClamAV team including project founder Tomasz Kojm. Sourcefire will also assume control of the open source ClamAV project including the ClamAV.org domain, web site and web site content and the ClamAV Sourceforge project page. In addition, the ClamAV team will remain dedicated to the project as Sourcefire employees, continuing their management of the project on a day-to-day basis.

In accounting for the transaction, Sourcefire anticipates a one-time charge in the third quarter of 2007 of between $0.09 and $0.12 per share for the immediate write-off of in-process research and development, which will be classified as an extraordinary item. Details of the transaction consideration are not being disclosed.

For Sourcefire, the deal makes perfect sense. It brings together two of the security industry’s most widely adopted open source security projects — Snort and ClamAV — and gives the newly public company a strong anti-virus component to go along with its IPS/IDS capabilities. When you factor in Sourcefire’s recent licensing agreement with Fyodor/Nmap, you get a clear vision of the future of Sourcefire.

But, this vision is fraught with problems, especially among customers who rely heavily on the integration of open-source (er, free) technologies into their products. In October 2005, when Tenable changed Nessus to a proprietary (closed source) license, the move caused major friction among open-source developers.

Sourcefire is clearly aware of a possible backlash from UTMs and other enterprises that rely heavily on ClamAV remaining a free, open-source offering. In a statement announcing the acquisition, the company addressed this very issue:

Sourcefire is a well respected company in the open source arena, and they really understand how to balance open source community investment with the commercial needs of their customers.

On security mailing lists, the questions are already swirling. Here’s a sample of what’s being asked:

Anybody feel like placing bets on how long it’s going to take SourceFire to pull the same trick with ClamAV signatures they pulled with Snort signatures, where you’ll need to “conveniently” license the signatures from SourceFire to have the latest ones to be properly protected :-)

The engine source code will be useless if you don’t have the very latest AV sigs…

To be fair, Sourcefire has kept Snort open-source — the license has been modified slightly to control how it’s used by for-profit third parties — but that does not stop people from complaining.

StillSecure’s Alan Shimel is among those worried about the effects of the ClamAV buy.

[Any] AV is only as good as its latest update. Will we see, similar to what was done with Snort, a VRT-certified, pay-for AV signature update feed? Will people not paying for the feed get updated AV signatures on a delayed basis? What about all of these people using ClamAV in their UTMs? Will we see a “clarification” to the ClamAV license that says they can’t use it as part of UTMs? Will Sourcefire now seek to commercially license the product to all of these UTM and MSSP vendors? I don’t know, but it seems likely, based upon their past moves.

AV is not exactly a cutting edge technology, but it can be a cash cow. There are lots of options in the AV market. If I were a UTM provider or MSSP using ClamAV right now, I would be exploring my options, waiting for the other shoe to drop here. I think this once again shows that if you are incorporating open source tools into your technology as a vendor, unless you own the copyrights, you do so at your own risk.

This is a discussion that won’t go away very soon.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback (3 comments)
clamAV is GPL... so can fork if Sourcefire get too uppity. (Read the rest)
Posted by: BanjoPaterson, 08/22/07