451 CAOS Theory
A blog for the enterprise open source community

Sourcefire buys ClamAV

Nick Selby, August 17, 2007 @ 6:58 am ET

Sourcefire has bought the ClamAV project for an extraordinary, one-time charge in the third quarter of 2007 of between 9¢ and 12¢ per Sourcefire share. ClamAV is an open source project that has created an anti virus engine, packages that support its use on Linux, Unix, BSD and Win32, and a signature database that currently contains more than 147,000 signatures. It is by most estimates the most commonly used open source anti virus product in the world.

The deal covers the intellectual property, copyrights, logo, domain names, SourceForge and Freshmeat areas, naming rights and other rights to Clam, the open source anti virus engine and signature database. The ClamAV team, in particular Tomasz Kojm, will become Sourcefire employees and continue their management of the project on a day-to-day basis.

The 451 Take
This is an important deal with ramifications in the open source and proprietary software and enterprise security software industries. The acquisition, Sourcefire’s first since going public, extends and builds upon Sourcefire’s successful Snort efforts, proving the community/commercial hybrid model can not only work but work in such a way as to support a company which (current stock price woes aside) is publicly traded. Almost immediately, Clam will begin to see engineering and technical support from the Sourcefire team, meaning that issues involved in Clam’s supply chain - detecting, identifying, writing signatures, testing and pushing out new signatures - will be streamlined and improved. We daresay that the Sourcefire team may learn a thing or two from the to-date under-funded Clam guys as well. Upkeep of Clam’s valuable network of mirrors will also be better funded and capable of being handled more systematically. This positions Sourcefire to release commercial support options for ClamAV, a potentially lucrative activity, as well as a Unified Threat Management product sometime in 2008, a move that could accelerate its push into the growing SMB security business.

ClamAV Profile
Clam has seen more than 10 million downloads on SourceForge - and this represents only a percentage of total downloads, due to the diverse download sources for this application. Few open source projects have obtained this level of ubiquity. Regardless, ClamAV is one of a few ‘shining stars’ in the desktop open source space, and is one area that is ripe for the elusive SMB market. More than a million unique IP addresses download ClamAV updates daily from Clam’s 120 mirror servers located in 38 countries. Additionally, several commercial products, notably Barracuda’s successful anti-malware appliances, use Clam.

Some reasons for its popularity are its independence, its cross platform capabilities and the fact that it works well with so many popular third party mail products, such as amavisd-new and several projects that support Sendmail, Postfix, QMail, Exim and others.

Despite its open source status, Clam has done a very effective job of providing support for malware detection within popular document formats such as MS Office and MacOffice files, HTML, RTF and PDF. Its virus database is updated several times a day, and as of version 0.90 update files are provided as differential updates as opposed to shoving down the whole kit and caboodle. Update size is an issue we have noted is of increasing concern to buyers of anti malware, and one we have mentioned was one stated reason that a major Fortune 20 company we recently discussed in our Market Insight Service switched from Symantec to Sophos. Especially in the developing world, large anti virus update files choke precious bandwidth.

Clam supports on-access scanning for Linux and FreeBSD, and many of the additions to the last two versions have been centered around its support of various and variously obscure archive formats, including of course Zip but also flavors of RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, etc., and built-in support for almost all mail file formats. Clam also offers built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others. Its lack of a real, marketable client-side agent (it does work with mail programs) is consistent with Sourcefire’s network-based agentless approach, and we believe that culturally there will be a great match here.

Update
On its analyst call to discuss the acquisition, Sourcefire CEO and Chairman, Wayne Jackson, confirmed that all five of the founding team members will come over as employees of Sourcefire, and repeated Sourcefire’s commitment to keeping both the Clam source code and signature database open source. Jackson said that the Clam code license would eventually match that of Snort’s GPL2 license, discussed by Marty Roesch here. The company also announced that phase I of the integration would be commercial support; phase II, upon getting a clean copy of the Clam code, would be a licensable version for vendors wishing to release products based on Clam under non-GPL agreements; and phase III, in 2008, a gateway UTM product.

We will have more complete coverage throughout the day in our TechDealmaker service.

What this means for Clam

  • Immediately, Clam will begin to see engineering and technical support from the Sourcefire team, meaning that issues involved in Clam’s supply chain - detecting, identifying, writing signatures, testing and pushing out new signatures - will be streamlined and improved. We daresay that the Sourcefire team may learn a thing or two from the to-date under-funded Clam guys as well.
  • Upkeep of Clam’s valuable network of mirrors will also be better funded and capable of being handled more systematically.
  • Still unclear is what this means to ClamAV OEMs, such as Untangle, though we understand from Sourcefire that it intends to develop Clam as a license-friendly product provided that its flavor of the GPL 2 license (under which Snort is distributed) is adhered to.

What this means for Sourcefire

  • Upkeep of Clam’s valuable network of mirrors will also be better funded and capable of being handled more systematically. This positions Sourcefire to release commercial support options for ClamAV, a potentially lucrative activity, as well as a Unified Threat Management product sometime in 2008, a move that could accelerate its push into the growing SMB security business.
  • Sourcefire continues to enjoy a great reputation with the open source community for the simple reason that it does what it promises to do: returns to the community the fruits of its labor improving Snort for use in its commercial project. This will further enhance Sourcefire’s open source cred (the usual zealots will shout about co-option).
  • Most important, this extends and builds upon Sourcefire’s successful Snort efforts, proving the community/commercial hybrid model can not only work but work in such a way as to support a company which (stock woes aside) is publicly traded.
  • This diversifies Sourcefire’s portfolio and illuminates a broader company vision as one of a few public ‘open source’ companies. This is good for the open source vendor community.
  • The worldwide network of mirrors provides Sourcefire with a greater network through which to push out updates more effectively and efficiently, not just to Clam signatures but also to Snort signatures.

What this means for ClamAV users and the product:

  • Continued support and updates, possibly even more than before with dedicated support and engineering on the payroll. Fixes to vulnerabilities and completed signatures may have a faster turnaround time.
  • More users, more ClamAV dominance in the open source anti-virus space, a bit more competition for Symantec, McAfee, etc.

Categories: M&A, Security, Software


9 Comments»


[...] The 451 Group said the deal will mean a charge against earnings of 9-12 cents per Sourcefire share, which translates to $2-3 million in cash, based on Sourcefire’s 24 million shares outstanding. The stock was up 24 cents on the day, which to me makes this deal a bargain. [...]

 
Comment by Roberto Galoppini, August 20, 2007 12:40 pm

Good move for Sourcefire, let’s see what is going to happen with the ClamAV ecosystem, I am wondering if Sourcefire will eventually bring OEMs like Untangle into the game. Get external contributors committed, contributing virus signatures, and (commercially) motivated could greatly help to scale. In fact phase I (commercial support) has to be delivered somehow, integrators also are needed, and so on..

 
Comment by Estetik, March 1, 2008 12:50 pm

Thanks for the security information.

 
Comment by burun, March 28, 2008 1:00 am

Very useful information for me. Thanks for sharing.

 
Comment by Adam Humphreys, April 17, 2008 8:24 am

Wow, very useful information thanks..

 
Comment by football team photos, May 3, 2008 8:43 am

This is a great article. Thanks and congrats.

 
Comment by Aa'ed Alqarta, June 21, 2008 4:32 am

Congrats. See how you can protect your USB dongle with automatic malware scanning using ClamAV:

http://extremesecurity.blogspot.com/2008/06/usb-dongle-auto-malwares-scanning-with.html

 
