Sourcefire acquires ClamAV open-source anti-malware project

Acquisition brings together the Snort and ClamAV open-source security technologies

Network security specialist Sourcefire announced Friday that it has acquired ClamAV, an open-source gateway anti-malware project whose technologies are used in the products of a number of other vendors.

Sourcefire said that under the terms of the deal, it has purchased all of the project's technology and related trademarks, as well as the copyrights controlled by all developers involved in the effort, including its founder Tomasz Kojm.

The company will also assume ownership of all of the project's online properties and continue to involve all of ClamAV's existing five-person team in the continued development of its technologies, with those individuals becoming Sourcefire employees and retaining management of the effort on a daily basis.

ClamAV claims that its software updates currently cover roughly 120 million IP addresses, with the technology embedded in the products and services offered by vendors including Barracuda Networks, Demon, and WatchGuard, as well as a handful of Internet service and e-mail providers.

Sourcefire, a Columbia, Md.-based provider of integrated network defense tools, already controls Snort, an open-source intrusion prevention and detection technology created in 1998 by company founder and chief technology officer Martin Roesch.

The acquisition stands as the first major strategic move made by Sourcefire since its March 2007 initial public offering (IPO).

The company's stock feel by over 25 percent earlier this month when it announced mixed second-quarter results. Shares of its stock opened at roughly $9.75 on Friday, up from a low of just under $9 after the earnings announcement at the beginning of August.

Sourcefire said that it expects to report a one-time charge in the third quarter of 2007 of between $0.09 and $0.12 per share to write off research and development expenses related to the deal. Other details of the transaction weren't disclosed.

"This acquisition gives Sourcefire the ability to bring together two of the security industry's most widely adopted open-source projects Snort and ClamAV," Roesch said in a statement. "Sourcefire will continue to invest in the ClamAV technology, much as we have with Snort and Snort.org."

In a conference call, Sourcefire executives said that the company would mirror its model for Snort, which balances enterprise licensing with open source development.

The deal should also allow the company to move into a number of other security markets, said Wayne Jackson, the company's chief executive officer.

ClamAV's technology is currently being used in unified threat management (UTM) systems, as well as Web and messaging gateways.

For its part, Sourcefire's flagship Enterprise Threat Management (ETM) product offering already offers integrated intrusion protection, network accesses control and vulnerability assessment technologies.

"This acquisition not only effectively broadens Sourcefire's open source footprint, essentially doubling it, but opens significant opportunities in growing security markets," Jackson said.

The CEO said on the call that Sourcefire is still finalizing its specific plans for future product roll-outs based on the deal, but reported that the company will likely soon create a set of tools that integrate its existing technologies with ClamAV's UTM capabilities.

The ClamAV technologies will also serve as the "foundation" for a range of specialized next-generation gateway security offerings, Jackson said. The company did not rule out a potential leap into the desktop security market.

Under Sourcefire's initial plans, it will extend new support and training services for existing ClamAV users during the fourth quarter of 2007, in a model similar to the one used by Red Hat for its enterprise Linux products, according to the CEO.

After a clean-up of the project's code base, Sourcefire will likely create a new license for third party providers of the technology during the first quarter of 2008.

While Sourcefire has promised to continue to distribute versions of ClamAv software that meet the parameters of the open source general product license (GPL), the OEM licensing model will not necessarily adhere to all elements of the GPL, Jackson said. The arrangement fits the same model Sourcefire has pursued with Snort.

During the latter half of 2008, the company plans to release its new product offerings that incorporate ClamAV into its own enterprise products.

Industry watchers observed that the ClamAV assets could become an intriguing opportunity for Sourcefire if it can devise an effective way to monetize its existing customer base and push the companies that have licensed its anti-malware engine for free, and continue to do so, to pay for updates or extensions to the technology.

In his blog, network access control guru Alan Shimel -- the chief strategy officer at rival network access control (NAC) technology provider StillSecure -- predicted that Sourcefire would likely pursue such a strategy.

"[Anti-virus] is not exactly a cutting-edge technology, but it can be a cash cow, there are lots of options in the AV market," said Shimel. "If I was a UTM provider or [managed services provider] using ClamAV right now, I would be exploring my options, waiting for the other shoe to drop here. I think this once again shows that if you are incorporating open source tools into your technology as a vendor, unless you own the copyrights, do so at your own risk."

Join the discussion
Be the first to comment on this article. Our Commenting Policies