
Thought Leaders


Tomasz Kojm, original author of ClamAV

Stephen Northcutt - April 3rd, 2008

Tomasz Kojm is the original author of ClamAV, which is the antivirus software I decided to switch to after Symantec said they were going to charge my credit card automatically for renewal. Anyway, it is really wonderful to have this chance to interview Tomasz for the SANS Security Thought Leader series, and we certainly thank him for his time.


Tomasz, when did you get interested in security?
I’ve been working in or researching security for more than 10 years now. As I became familiar with Linux, I started experimenting with its security mechanisms. I was playing with various exploits and thinking about generic prevention methods. My first serious security project was a Linux kernel module for quickly creating chroot-like environments for selected groups of users.


Whew! Mucking with a kernel ten years ago was fairly brutal, and how did you get interested in malware?
Malware has always been an interesting topic to me and I'd been fascinated with the great battles between virus writers and antivirus vendors back in the days of DOS. I personally analyzed my first virus in 2000, named FunLove, that targeted Windows files and was causing quite a few problems for some friends running an Internet café. I had a lot of fun with researching FunLove and succeeded in creating a dedicated countermeasure for this virus.


FunLove eh, wasn't that the virus that Warner Brothers shipped with the Powerpuff Girls DVD and had to recall? So, you took a look at FunLove, got the malware bug. What caused you to write ClamAV?
In 2001, I discovered a project called OpenAntiVirus, one of the first open-source AV solutions. I found it very interesting but a bit problematic to use – the entire program was written in Java (and at the time it had serious performance problems on older hardware). Further, it lacked a command line scanner and automated signature updates. I tried to address these shortcomings in the ClamAV project, yet still follow the KISS principle, so popular in the UNIX world.


So Tomasz, how did things go in the early days, like before Luca 'NERvOus' Gibelli helped you move operations to SourceForge?

The response was truly amazing. I was very excited about the volume and quality of feedback I received from the open source community just days after the initial release. In a short time I was receiving dozens of e-mails each day - people sending patches, suggestions and lots of kind words and thanks. This really encouraged me to continue my work on ClamAV, making it what I spent the majority of my free time on. Some contributors expressed an interest in joining the project, others we invited, and two years later we’d assembled ClamAV’s core development team. Great support from the open source community allowed us to build a global network infrastructure for signature distribution. As of today, ClamAV has 130 database mirrors in 44 countries providing signature updates to more than 1 million unique IP addresses.


Can you tell me about the Sourcefire acquisition, do you still remember when they first made contact?

Marty Roesch, the creator of Snort and founder and CTO of Sourcefire, contacted me at the end of 2006 and offered the opportunity to work together. Sourcefire was in the process of becoming a public company and management was evaluating complementary technologies. After a number of discussions between the core team of ClamAV and Sourcefire, we agreed to combine our efforts. We believe that developing ClamAV as a part of Sourcefire would be mutually beneficial, positioning us to deliver better solutions to ClamAV users and Sourcefire customers. The critical point in the decision was that Sourcefire and the ClamAV core team shared a similar commitment to open source security. This commitment has been demonstrated through their ongoing commitment to and management of the Snort project. Like Snort, the ClamAV engine and signature database will continue to be licensed and distributed under the GPL. As we integrate ClamAV into Sourcefire’s commercial products, the enhancements to ClamAV will be released to the open source community. This is where the open source community will really see the benefits of the acquisition.


What are your current goals for ClamAV?

The first ClamAV release under Sourcefire is 0.93 which includes many improvements to the scanning engine, most notably detection and speed. The next major release will be 0.94. In that release we’re planning a number of exciting new features such as logical signatures, a disassembling engine, a DLP module and better Windows support. We're also continuously improving our internal infrastructure, which handles important processes like signature checks, database updates and regression testing to make everything smoother and faster. Finally, we plan on continuing to integrate ClamAV into Sourcefire's commercial product set and leveraging Sourcefire's resources to upgrade the ClamAV development infrastructure and website.


What scares you the most about the malware out there?

What I worry about most these days is that the majority of malware is being created for criminal purposes. The most common of these scenarios are the theft of confidential information or zombies that can be later used for malicious purposes.


When you examine malware, what kind of an environment do you use?

Our researchers use a set of virtual machines and professional debugging and disassembling tools. Virtual machines are especially useful in dealing with malware because they allow us great flexibility in our test suite and can easily be restored to a point before infection.


Are you familiar with Norman’s Sandbox? Do you think large organizations should have a capability like that?
In my opinion, automated malware analysis can be a very effective tool in the hands of professional researchers. However, I wouldn't recommend using automated analyzers as standalone, self-sufficient solutions. I believe malware analysis is an art and cannot be fully automated.


I understand you are working on some Data Loss Prevention (DLP) technology for ClamAV, can you tell me a bit about that?

The DLP module will be able to detect transmission of sensitive information such as credit card or social security numbers inside all kinds of objects that can be decoded by the ClamAV engine. Some examples are e-mail messages, archives or document files. The originator and author of the DLP code for ClamAV is Sourcefire's CTO Marty Roesch. It’s really exciting when we can bring all of the open source experience and innovation from both the Snort and ClamAV communities together on a project like this.


Most of the early DLP solutions have been really expensive, do you think an organization can make a go of it using tools like ClamAV, content rules with Snort and the Nessus DLP plugin?

The tools you mentioned, especially ClamAV and Snort, are complementary and very suitable for things like DLP. ClamAV can protect file-based services while Snort can inspect network streams. Together Snort and ClamAV can provide broad protection against sensitive data leaks.


If you had one message to share about information security what would that be?

All organizations and businesses need to place more emphasis on computer security education and awareness. A proper education program is the key to effective security and risk reduction. We’ll never be able to entirely replace these underpinnings with tools and software (even though we try *smile*).


Can you tell us a bit about yourself? When you are not in front of a computer, what do you like to do?
I spend most of my free time with my fiancée and our dog, Bono. A few of my other passions are water turtles, traveling, photography and interesting books.