Tomasz Kojm is the original author of ClamAV, which is the antivirus software I decided to switch to after Symantec said they were going to charge my credit card automatically for renewal. Anyway, it is really wonderful to have this chance to interview Tomasz for the SANS Security Thought Leader series, and we certainly thank him for his time.
Tomasz, when did you get interested in security?
I’ve been working in or researching security for more than 10 years now. As I became familiar with Linux, I started experimenting with its security mechanisms. I was playing with various exploits and thinking about generic prevention methods. My first serious security project was a Linux kernel module for quickly creating chroot-like environments for selected groups of users.
Whew! Mucking with a kernel ten years ago was fairly brutal, and how did you get interested in malware?
Malware has always been an interesting topic to me and I'd been fascinated with the great battles between virus writers and antivirus vendors back in the days of DOS. I personally analyzed my first virus in 2000, named FunLove, that targeted Windows files and was causing quite a few problems for some friends running an Internet café. I had a lot of fun with researching FunLove and succeeded in creating a dedicated countermeasure for this virus.
FunLove eh, wasn't that the virus that Warner Brothers shipped with the Powerpuff Girls DVD and had to recall? So, you took a look at FunLove, got the malware bug. What caused you to write ClamAV?
In 2001, I discovered a project called OpenAntiVirus, one of the first open-source AV solutions. I found it very interesting but a bit problematic to use – the entire program was written in Java (and at the time it had serious performance problems on older hardware). Further, it lacked a command line scanner and automated signature updates. I tried to address these shortcomings in the ClamAV project, yet still follow the KISS principle, so popular in the UNIX world.
So Tomasz, how did things go in the early days, like before Luca 'NERvOus' Gibelli helped you move operations to SourceForge?
The response was truly amazing. I was very excited about the volume and quality of feedback I received from the open source community just days after the initial release. In a short time I was receiving dozens of e-mails each day - people sending patches, suggestions and lots of kind words and thanks. This really encouraged me to continue my work on ClamAV, making it what I spent the majority of my free time on. Some contributors expressed an interest in joining the project, others we invited, and two years later we’d assembled ClamAV’s core development team. Great support from the open source community allowed us to build a global network infrastructure for signature distribution. As of today, ClamAV has 130 database mirrors in 44 countries providing signature updates to more than 1 million unique IP addresses.
Can you tell me about the Sourcefire acquisition, do you still remember when they first made contact?
Marty Roesch, the creator of Snort and founder and CTO of Sourcefire, contacted me at the end of 2006 and offered the opportunity to work together. Sourcefire was in the process of becoming a public company and management was evaluating complementary technologies. After a number of discussions between the core team of ClamAV and Sourcefire, we agreed to combine our efforts. We believe that developing ClamAV as a part of Sourcefire would be mutually beneficial, positioning us to deliver better solutions to ClamAV users and Sourcefire customers. The critical point in the decision was that Sourcefire and the ClamAV core team shared a similar commitment to open source security. This commitment has been demonstrated through their ongoing commitment to and management of the Snort project. Like Snort, the ClamAV engine and signature database will continue to be licensed and distributed under the GPL. As we integrate ClamAV into Sourcefire’s commercial products, the enhancements to ClamAV will be released to the open source community. This is where the open source community will really see the benefits of the acquisition.
What are your current goals for ClamAV?
The first ClamAV release under Sourcefire is 0.93, which includes many improvements to the scanning engine, most notably detection and speed. The next major release will be 0.94. In that release we’re planning a number of exciting new features such as logical signatures, a disassembling engine, a DLP module and better Windows support. We're also continuously improving our internal infrastructure, which handles important processes like signature checks, database updates and regression testing, to make everything smoother and faster. Finally, we plan on continuing to integrate ClamAV into Sourcefire's commercial product set and leveraging Sourcefire's resources to upgrade the ClamAV development infrastructure and website.
What scares you the most about the malware out there?
What I worry about most these days is that the majority of malware is being created for criminal purposes. The most common of these scenarios are the theft of confidential information or zombies that can be later used for malicious purposes.
When you examine malware, what kind of an environment do you use?
Our researchers use a set of virtual machines and professional debugging and disassembling tools. Virtual machines are especially useful in dealing with malware because they allow us great flexibility in our test suite and can easily be restored to a point before infection.
Are you familiar with Norman’s Sandbox? Do you think large organizations should have a capability like that?
In my opinion, automated malware analysis can be a very effective tool in the hands of professional researchers. However, I wouldn't recommend using automated analyzers as standalone, self-sufficient solutions. I believe malware analysis is an art and cannot be fully automated.
I understand you are working on some Data Loss Prevention (DLP) technology for ClamAV, can you tell me a bit about that?
The DLP module will be able to detect transmission of sensitive information such as credit card or social security numbers inside all kinds of objects that can be decoded by the ClamAV engine. Some examples are e-mail messages, archives or document files. The originator and author of the DLP code for ClamAV is Sourcefire's CTO Marty Roesch. It’s really exciting when we can bring all of the open source experience and innovation from both the Snort and ClamAV communities together on a project like this.
Most of the early DLP solutions have been really expensive; do you think an organization can make a go of it using tools like ClamAV, content rules with Snort and the Nessus DLP plugin?
The tools you mentioned, especially ClamAV and Snort, are complementary and very suitable for things like DLP. ClamAV can protect file-based services while Snort can inspect network streams. Together Snort and ClamAV can provide broad protection against sensitive data leaks.
If you had one message to share about information security what would that be?
All organizations and businesses need to place more emphasis on computer security education and awareness. A proper education program is the key to effective security and risk reduction. We’ll never be able to entirely replace these underpinnings with tools and software (even though we try *smile*).
Can you tell us a bit about yourself? When you are not in front of a computer, what do you like to do?
I spend most of my free time with my fiancée and our dog, Bono. A few of my other passions are water turtles, traveling, photography and interesting books.