
Attacks/Breaches

8/17/2007
06:30 AM

Sourcefire Buys Open-Source Antivirus Project

ClamAV software used in UTM, Web gateway, and email gateway products

Sourcefire today announced that it has snapped up open-source antivirus project ClamAV as part of its strategy to expand into unified threat management. (See Sourcefire Goes Gigabit, Sourcefire, Insecure.org Team Up, Sourcefire Fires Up for IPO, and A Public Snort.)

ClamAV is anti-malware software used by service providers and incorporated into some enterprise UTM, Web gateway, and email gateway products, including WatchGuard's product line. Sourcefire would not provide a full list of the vendors and service providers that use the open-source technology.

"This [acquisition] is a continuation of Sourcefire's trend in moving toward what it calls enterprise threat management," says Nick Selby, enterprise security analyst for The 451 Group, which estimates that Sourcefire is making $55 million in revenues despite concerns about less-than-rosy financial reports. "They are doing IDS, IPS, and moving to behavior anomaly detection, AV at the gateway, and I would guess data leakage" as well, he says.

ClamAV was in the news last week as one of only three antivirus products that caught all viruses thrown at it during a live test of antivirus products for Linux conducted at LinuxWorld. (See Antivirus Tools Underperform When Tested in LinuxWorld 'Fight Club'.)

"This [deal] broadens and doubles our open systems footprint," says Wayne Jackson, chairman and CEO of Sourcefire, who noted that the company is still putting the final touches on its product plans with the ClamAV technology. Jackson says the two organizations' technologies would be complementary for an SMB-type UTM product. "But we also anticipate ClamAV serving as a foundational component for more specialized" products.

"This will be the key foundation of UTM for deeply inspecting embedded threats," Jackson says. "I think that will be the core requirement for a number of specialized gateways, and IM inspection, too."

The 451 Group's Selby says ClamAV extends anti-malware scanning beyond standard signatures "into the kinds of obscure file formats spammers and hackers are using to embed malware." Sourcefire, which will control the licensing of ClamAV and retain the five ClamAV developers, also gets ClamAV's 120 mirrored sites from which to push out signature updates, Selby notes.

Sourcefire wouldn't release details on the transaction, except that it would take a one-time charge in the third quarter of this year of between $0.09 and $0.12 per share to write off research and development.

"Sourcefire is one of the few remaining security vendors that champions open-source software... Acquiring ClamAV fits with their company model and ensures that the only open-source AV will continue to improve," says HD Moore, founder of the open-source Metasploit tool, as well as director of security research for BreakingPoint Systems.

Moore, who has done some high-profile IDS/IPS hacking, says it's a matter of knowing what you're buying when it comes to these signature-based tools. "IDS/IPS/AV do a decent job of filtering common, widespread attacks. They don't usually catch targeted exploits or custom Trojans, but they don't need to in order to be worth using."

In the first quarter of 2008, Sourcefire will offer an alternative form of commercial OEM licensing for vendors that want to integrate with ClamAV "but prefer not to disturb their own solution," Sourcefire's Jackson says. And late next year, Sourcefire will begin offering threat management products that use ClamAV, he says.

  • Sourcefire Inc. (Nasdaq: FIRE)
  • The 451 Group
  • BreakingPoint Systems

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...