Sourcefire today announced that it has snapped up open-source antivirus project ClamAV as part of its strategy to expand into unified threat management. (See Sourcefire Goes Gigabit, Sourcefire, Insecure.org Team Up, Sourcefire Fires Up for IPO, and A Public Snort.)
ClamAV is anti-malware software used by service providers and incorporated into some enterprise UTM, Web gateway, and email gateway products, including WatchGuard's product line. Sourcefire would not provide a full list of all the vendors and service providers that use the open source technology.
"This [acquisition] is a continuation of Sourcefire's trend in moving toward what it calls enterprise threat management," says Nick Selby, enterprise security analyst for The 451 Group, which estimates that Sourcefire is making $55 million in revenues despite concerns about less-than-rosy financial reports. "They are doing IDS, IPS, and moving to behavior anomaly detection, AV at the gateway, and I would guess data leakage" as well, he says.
ClamAV was in the news last week as one of only three antivirus products that caught all viruses thrown at it during a live test of antivirus products for Linux conducted at LinuxWorld. (See Antivirus Tools Underperform When Tested in LinuxWorld 'Fight Club'.)
"This [deal] broadens and doubles our open systems footprint," says Wayne Jackson, chairman and CEO of Sourcefire, who noted that the company is still putting the final touches on its product plans with the ClamAV technology. Jackson says the two organizations' technologies would be complementary for an SMB-type UTM product. "But we also anticipate ClamAV serving as a foundational component for more specialized" products.
"This will be the key foundation of UTM for deeply inspecting embedded threats," Jackson says. "I think that will be the core requirement for a number of specialized gateways, and IM inspection, too."
The 451 Group's Selby says ClamAV extends anti-malware scanning beyond standard signatures "into the kinds of obscure file formats spammers and hackers are using to embed malware." Sourcefire, which will control the licensing of ClamAV and retain the five ClamAV developers, also gets ClamAV's 120 mirrored sites from which to push out signature updates, Selby notes.
Sourcefire wouldn't release details on the transaction, except to say that it would take a one-time charge in the third quarter of this year of between $0.09 and $0.12 per share to write off research and development.
"Sourcefire is one of the few remaining security vendors that champions open-source software... Acquiring ClamAV fits with their company model and ensures that the only open-source AV will continue to improve," says HD Moore, founder of the open-source Metasploit tool, as well as director of security research for BreakingPoint Systems.
Moore, who has done some high-profile IDS/IPS hacking, says it's a matter of knowing what you're buying when it comes to these signature-based tools. "IDS/IPS/AV do a decent job of filtering common, widespread attacks. They don't usually catch targeted exploits or custom Trojans, but they don't need to in order to be worth using."
In the first quarter of 2008, Sourcefire will offer an alternative form of commercial OEM licensing for vendors that want to integrate with ClamAV "but prefer not to disturb their own solution," Sourcefire's Jackson says. And late next year, Sourcefire will begin offering threat management products that use ClamAV, he says.