ClamAV's Plan To Open (Source) the AV Market

Tomasz Kojm: ClamAV's Plan To Open (Source) the AV Market   -   March 2004

by Gian Trotta


Tomasz Kojm is the Project Leader of ClamAV, a GPL antivirus toolkit for UNIX.

RAE Reporter: What circusmstances prompted you to begin working on ClamAV? And what made you choose that particular name?


Tomasz Kojm: I heard about the OpenAntiVirus project in 2001 but found its main components hard to install and use. The biggest disadvantage of the project was the lack of a command-line scanner and an auto updater for the virus database. These tools formed the first version of ClamAV.

My real hobby was always turtles, but when I was a child I caught a clam and in my naivete started to raise him in belief I would eventually find a big, shining pearl inside of his shell. Unfortunately, he wasn't very responsive and died closed.

ClamAV is still in its infancy, but anyone can easily check what it hides under the shell without any special tools.


RAE Reporter: Commerical antivirus vendors are not so happy with ClamAV -- do you think that ClamAV poses a threat to them?


Tomasz Kojm: For a long time, ClamAV was considered a research project that could not replace commercial scanners or provide an effective protection against computer viruses, especially worms. The idea of an open source antivirus scanner that can quckly react to new threats was so utopian that most people just didn't belive it was possible to put it into practice.

But thanks to our virus submitters (who are in most cases experienced system administrators) and the hard work of the database maintainance team, ClamAV was one of the leaders in reaction time for almost all of this year's big outbreaks.

The most important thing for an anti-virus vendor is access to new virus samples, and we can't complain about that. ClamAV is known for its fast updates, and users often ask themselves, 'Do we really need to spend a huge amount of money to use a commercial scanner that probably won't do a better job for us?'


RAE Reporter: What is your five-year vision for Clam? Is your goal market proliferation, building good software or some other objective?


Tomasz Kojm: The main goal is the 1.0 version, and I really hope it will be released in the next year. We primarily concentrate on creating a high-quality code because that's a showcase of every open source project.

The upcoming big changes in ClamAV will concern the scanning engine -- there will be a new signature format and probably some heuristics that will allow us to fight new virus techniques more effectively.


RAE Reporter: What technical advantages and disadvantages do customers have in deploying an open source antivirus product versus a commercial AV product?


Tomasz Kojm: The biggest advantage over closed source software is portability. ClamAV can be easily build on every POSIX-compliant platform that provides a C compiler. That allows users to optimize the output code for their operating systems and even processors.

It's very significant that ClamAV can be easily integrated with a wide range of software such as mail-transfer agents, POP3, Web and Samba servers using the third-party programs as detailed at

The main package provides a complete antivirus toolkit: both command line and daemonized scanners, a C library, a plugin for Sendmail and even a tool for database management. We have over thirty very fast database mirrors all over the world ( and thanks to our advanced mirror mechanisms we are able to update them all in less then one minute.


RAE Reporter: Can you break into the lower end of the anti-virus software market without breaking the entire sector's business and revenue models?


Tomasz Kojm: Don't forget we're software developers and not businessmen. The evolution of ClamAV is rapid and rather unpredictable.

Currently, there are about 50,000 installations, but ClamAV is becoming more and more popular with every bigger virus outbreak.

It's already quite a big player in the UNIX antivirus field. But I repeat: ClamAV was never aimed against the commercial antivirus scanners. We have great respect for their achievements and we are open to every dialogue.

There must be, however an open-source and fully available solution because most of the commercial antivirus software is just too expensive. We have no business plans, but budget cuts and top-heavy administration in schools, universities and hospitals make our mission necessary.


RAE Reporter: Why should an end user trust an open source antivirus solution?


Tomasz Kojm:There are at least a few reasons. Because the software is open, the user can audit its code and make sure it doesn't contain any backdoors. Some people believe binary programs are more secure but that's only 'security by obscurity.' Binary programs are vulnerable to bugs and their later exploitation as much as open source software.

Anyone who has ever worked with popular open source programs knows that they're trustworthy. Especially in ClamAV, which usually affects the most important service of email delivery, we're very sensitive about security. The code is regularly audited by our users and we react to all bug reports very quickly.

The code itself is designed with security in mind and particular elements work on different privilege levels. In contrast to other vendors, our databases are digitally signed and we have a very strict internal private key policy -- even our developers don't have direct access to the secret data; instead they use a special service to generate the digital signatures. The virus database must protect itself because there are a lot of ClamAV mirrors all over the world and we cannot guarantee their security.

The most important thing is our update service. As I already mentioned, ClamAV was one of the top leaders in the reaction time to new outbreaks this year and last year. You can verify that by looking at the archives of the clamav-virusdb mailing list (where we also announce all database updates) at


RAE Reporter: What's your outlook for the success of Microsoft's antivirus intiatives?


Tomasz Kojm: This is a hard question to answer because I was not following Microsoft's decisions in the antivirus field. I remember that in the DOS days there was a tool called msav.exe -- Microsoft AntiVirus -- but it has been quickly displaced by more advanced third-party software.

The latest acquisition of RAV was a well thought-out move because that software is known for its very good virus database and scanning engine.

I'm sure that this time Microsoft will not waste its chance for anti-virus market domination. Because RAV will stop UNIX support very soon, administrators are looking for alternatives and they very often decide to install ClamAV.


RAE Reporter: What if any additional observations would you like to make on the state of the antivirus industry?


Tomasz Kojm:The antivirus industry just hit some hard times. Worm techniques we were discussing on our mailing lists in the last year are in common use now. The latest threat -- worms which propagate via e-mails with encrypted attachments and random password saved in a graphic -- make the detection process very hard.

In my opinion, user education will be far more helpful than an antivirus software because it is the real motor for most internet worms.