Friday, April 1, 2011

Annually, Sourcefire provides a Snort Scholarship to two individuals selected at random (by drawing) in the amount of $5000 US for higher education purposes.

To be eligible, you must meet the legal criteria found here on our website and sign up for the scholarship here. Two winners will be selected on or about May 16, 2011.

For further information, please see the links above, also found linked here.

Friday, March 25, 2011

Here's an interesting article on integrating ClamAV with PureFTPd on OpenSUSE. From the article:

This tutorial explains how you can integrate ClamAV into PureFTPd for virus scanning on an OpenSUSE 11.3 system. In the end, whenever a file gets uploaded through PureFTPd, ClamAV will check the file and delete it if it is malware.
I do not issue any guarantee that this will work for you!

Interesting use of ClamAV to automatically clean the "bad" files from your FTP server upon upload.


How To Integrate ClamAV Into PureFTPd For Virus Scanning On OpenSUSE 11.3 | HowtoForge - Linux Howtos and Tutorials


Monday, March 21, 2011

Millions of people manage ClamAV installations every day, and the millions of users protected by those installations reap the benefits of its protection engines as their first line of defense against malware threats. ClamAV is deployed inside numerous global ISPs, national telcos, hosting providers, and is utilized by numerous AV gateway vendors like Barracuda and OS vendors like Apple. Without specifically counting all the installations, it’s a pretty easy guess that ClamAV probably has the largest email AV presence in the entire world. I’d even go as far as saying it’s the de-facto standard in gateway AV technology. The main reason for this, based on feedback, is that ClamAV is easy to deploy, works with just about all the MTAs (Sendmail, Postfix, etc.), provides pretty darn good protection, is easy to customize, and it’s cheap, heck it’s free.

Whenever I talk to people about ClamAV I always hear the same thing - great mail gateway AV, easy to set up, easy to customize, and it just works. I also always hear the same misconceptions. I think the price of being a ubiquitous technology is people think you do one thing, do that thing really well, and whatever that thing is, you still do it the same way and never evolve. This always leads me to long conversations about things people just don’t know about ClamAV - its engine, the technology, and the people who build it.

The Top 5 Misconceptions about ClamAV:

  1. It’s only a Mail Gateway Scanner.
    ClamAV is actually a framework. At the core of that framework is what we call libClamAV; this is where all the actual detection happens. This library can be used anywhere that can link to it, so any application that wants to use the power of ClamAV and its detection capabilities just needs to link against it. The rest of the framework is all the supporting applications that ClamAV comes with for connecting and running ClamAV in different settings. For instance, the ClamD service allows for fast full system and single file scans, clamscan allows for simple on-demand scans, ClamAV-Milter allows for simple integration with MTAs, and freshclam handles keeping everything up to date.

    This framework concept makes plugging ClamAV’s detection capabilities into any application really easy and is one of the main reasons ClamAV is used everywhere.

  2. It’s just a bunch of Open Source hippies writing code in their spare time.
    Sourcefire acquired ClamAV in 2007 and retained the entire ClamAV team; eventually the ClamAV team became part of the VRT. These guys are top notch, and do one hell of a job banging out code for ClamAV. The ClamAV feature set has not remained static. On the contrary, in 2010 alone these guys cranked out 6 feature-packed releases, adding tons of new detection features, optimizations, and signature language improvements. On the release front, to put it in context, commercial AV products in the enterprise space get released once every 1 - 2 years.

    On top of that we crank through hundreds of thousands of new malware samples every day with our automated sandboxes and malware evaluation systems. If you think ClamAV is just an Open Source project, without the same type of systems, data feeds, and technologies in the back office that other AV vendors have, you’d be grossly underestimating our capabilities.

    Additionally, the VRT is well known for kicking ass, taking names, and chewing bubble gum in 3rd party validation tests like NSS (where we have consistently come out on top). This industry excellence isn’t limited to Sourcefire’s IPS.

  3. ClamAV only has a simple content based signature language.
    The ClamAV detection engine is multifaceted - heuristics, support for numerous archivers (Zip, Rar, OLE, etc.), tons of unpacking support (UPX, PeTite, NSPack, etc.), and several different content inspection engines. These content inspection engines range from the simplistic (basic hashing signatures), to the extremely complex (ByteCode engine). In the middle are numerous content matching signature types that support everything you would expect from wildcards, character sets, Boolean logic, and negation. Support for PDF files, Javascript, and HTML files is also included in the engine, along with Mach-O binary support for all the shiny Apple devices out there. With all that support the ClamAV detection engine has everything necessary to detect today’s malware threats, exploits, adware, Trojans, spyware, keyloggers, and much more.

    Sometimes detecting those threats requires some real heavy lifting. If that’s the case, the ByteCode engine allows a signature writer to do just about anything they can imagine. Need to implement a quick unpacker for that new piece of malware? Easy. Need to implement a new archiver to unpack something unique? Trivial. Have to do something complex with PDF files? No problem.

    The other great thing about ClamAV is that the signature language is open, easy to use, and anyone can add new signatures to their ClamAV installs. If you’ve got something you need to do, and you need to do it now, cause your boss told you to, or the world is ending, it’s pretty darn simple to write your own signatures and add them to your setup.

    Also we’ve got some pretty aggressive new features heading out for 0.98 later this year. More on those in the next blog post.

  4. ClamAV only runs on Unix.
    ClamAV has traditionally supported just about every Unix variant on the planet, but as a fully integrated engine in Immunet Protect 3.0 (http://www.immunet.com/), we’ve moved to officially supporting Windows. If you’d like to learn a bit more about Immunet and ClamAV on Windows check out the other posts on the ClamAV blog here.

    Immunet Protect adds some additional detection capabilities on Windows platforms including but not limited to:
    1. Real-Time cloud based protections - No need to download AV updates when running Cloud only protection mode.
    2. Advanced Machine-Learning detection capabilities.
    3. Community based protections - Share protection with other members of your Immunet community.

  5. ClamAV just can’t be as good as a commercial AV engine, it’s Open Source.
    This perception doesn’t surprise me anymore, it’s something we’ve had to deal with since the early days of Snort. There are still a lot of people out there that truly believe if it’s a commercial product it’s better than an Open Source product. Normally, this is where the Open Source guys trot out the hundreds of examples of solid Open Source software that have proven they are as good, or better, than commercial offerings. Let's just start with DNS: just about every lookup for any Internet request, such as a website, starts out with a DNS query, and those DNS queries are predominantly answered by BIND, a solid Open Source nameserver. Then it’s pretty easy to say MySQL or PostgreSQL run a large portion of your favorite Internet destinations. This list could probably go on for hundreds of paragraphs, just naming all the really excellent Open Source tools that compete for market share with commercial offerings every day.

    At the end of the day, though, it’s really not about market share. When you try and compare commercial and Open Source solutions, it’s about effectiveness in solving the problem you, the end user, have. To draw a corollary with Snort, it’s all about detection of the latest network threats. If Snort doesn’t do this correctly, it definitely won’t solve the problem people are expecting it to solve. The only real way to get a handle around this is third-party testing and evaluation, and Snort has done exceptionally well in this area, earning honors for best overall detection at NSS two years running, and certified by ICSALabs in their IPS testing methodology.

    When it comes to third-party evaluation of ClamAV, there are a couple of tests to look at. MRG did a third-party evaluation of Immunet Protect (uses ClamAV as one of its engines) where it outscored 15 other leading AV vendors and was the ONLY product that had a 100% detection rate. Additionally, ShadowServer does daily evaluations of numerous AV technologies; while ClamAV doesn’t come in number one, we do beat out numerous commercial AVs on a daily and yearly basis. Here are the stats for the last year: http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusYearlyStats.
I always find that after going over the above, people have a new outlook on what ClamAV does, how it works, and what it’s capable of doing. In addition, I always find it interesting that lots of people just don’t know that ClamAV is developed by Sourcefire, and that the ClamAV engine, signatures, and infrastructure are all part of the VRT. I guess that is the problem with technology that “just works,” if it is “just working” then people just keep running it, and don’t spend much time thinking about it. Just like no one ever thinks about all the technology in the power grid, because when you flip the light switch it “just works.” The VRT will try our best to keep it that way for the millions of people the ClamAV technology protects, because “just works” is a pretty excellent label in my opinion. Hopefully, now that you’ve read this article, when you think about “just works” you’ll also think about how ClamAV is way more than just a simple AV mail gateway scanner.

Wednesday, March 16, 2011

This article over at Datamation talks about 59 Open Source Tools that can Replace Popular Security Software.

It talks about ClamAV in two instances, saying that ClamAV is a replacement for antivirus software, referencing Immunet.  Then it mentions ClamAVWin for Windows.  ClamAV for the Windows OS is now officially rolled up into Immunet 3.0 - powered by ClamAV.  So while Datamation gives ClamAV two plugs, for the Windows platform, we are calling it Immunet, for Unix based platforms, ClamAV retains the same name.

While there is no mention of Snort in the article, funnily enough, many other products that are in the article incorporate Snort.  So we're sure it's just an oversight.  There are a lot of OpenSource tools out there, support your communities, support OpenSource, and use the tools.  Provide code, feedback, and information.  Help us all make the tools easier to use and loads more powerful.

Monday, February 21, 2011

One of the major features in Immunet 3.0 powered by ClamAV is the integration of the full ClamAV engine for "offline protection, advanced archive and unpacking support, and custom signature creation". What does that mean though?

First of all it means that when you are not connected to the cloud then you are protected by the locally installed ClamAV engine. What may not be clear from that feature description is that ClamAV is also used when you are online, and it is used for realtime protection (on-access scanning) too!

Is the ClamAV engine enabled by default in Immunet 3.0?
That depends on how you install it, but you can always change the settings later. In fact it is easy to test if the local ClamAV engine is enabled and working, as I'll show you next:

Download the Immunet 3.0 powered by ClamAV installer from here, and run it.
Make sure you select Cloud + ClamAV as shown here, and then proceed with the installation:

Once installed you can check whether ClamAV is enabled (and enable if not):
Then check that archive and packed file scanning is enabled:
Finally click on "Update Now" to make sure your antivirus database is up-to-date:

To test the local ClamAV engine you can use the following test file (which is completely safe, it is not even executable):
Open Notepad, then copy and paste this text exactly as shown here:
$CEliacmaTrESTuScikgsn$FREE-TEST-SIGNATURE$EEEEE$

Once you save the file (let's call it clam.txt for example) you should get a popup from Immunet showing that it has detected Clam.ClamAV-Test-Signature:
You can open the folder you tried to save the file in, and check that it is really gone.

Now you should be confident that you are protected by ClamAV's engine in "Immunet 3.0 powered by ClamAV".

How do you know which engine detected the file?
  • if the virusname starts with "W32." then it is a cloud detection
  • if it starts with "W32.SPERO.", it is a cloud detection from the SPERO heuristic engine
  • if it starts with "W32.ETHOS.", it is a cloud detection from the ETHOS heuristic engine
  • if it starts with "W32.Clam.", it is a file that was detected by ClamAV on the cloud
  • if it starts with "Clam.", it is a local ClamAV detection
  • if it starts with "Clam." and ends with ".UNOFFICIAL", then it is your custom signature
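
The prefix rules above, written out as an added example (not part of the original post and not Immunet's own code). The function names and every sample name except Clam.ClamAV-Test-Signature are constructed for illustration:

```python
"""Map an Immunet 3.0 detection name to the engine that produced it."""
from collections import Counter

# Rules from the list above, most specific prefix first so that
# "W32.SPERO." is not swallowed by the generic "W32." rule.
PREFIX_RULES = [
    ("W32.SPERO.", ("cloud", "SPERO heuristic engine")),
    ("W32.ETHOS.", ("cloud", "ETHOS heuristic engine")),
    ("W32.Clam.", ("cloud", "ClamAV on the cloud")),
    ("W32.", ("cloud", "cloud detection")),
    ("Clam.", ("local", "ClamAV official signature")),
]


def detection_source(name):
    """Return (where, engine) for a detection name, or ("unknown", ...)."""
    name = name.strip()
    # The custom-signature rule needs both ends of the name, so it is
    # checked before the plain "Clam." prefix.
    if name.startswith("Clam.") and name.endswith(".UNOFFICIAL"):
        return ("local", "ClamAV custom signature")
    for prefix, source in PREFIX_RULES:
        if name.startswith(prefix):
            return source
    return ("unknown", "no rule matched")


def summarize(names):
    """Count detections per engine, e.g. for a quarantine history export."""
    return Counter(detection_source(n)[1] for n in names)


# Constructed sample names (only the first one appears in the post).
SAMPLE_NAMES = [
    "Clam.ClamAV-Test-Signature",
    "Clam.Example.OldVersion.UNOFFICIAL",
    "W32.SPERO.Example",
    "W32.ETHOS.Example",
    "W32.Clam.Example",
    "W32.Example",
    "Example.NoKnownPrefix",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        where, engine = detection_source(n)
        print(f"{n:40s} {where:8s} {engine}")
```
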
If you are interested in some of the technical details of how the ClamAV engine works together with the cloud, read on.

A scan can be triggered by:
  • on-access, i.e. realtime protection: when you launch an application, copy or move files
  • on-demand, via the "Scan Now" button
  • scheduled scan, which can be configured in "Scan Settings", "Add New Scheduled Scan"
Once a scan is triggered the following happens:
  • scans the file using the cloud (by sending the file's fingerprints), if you are online
  • if the ClamAV engine is enabled it starts scanning the file, as usual:
    • using its (official or custom) signatures database
    • scanning files inside archives (if enabled in Settings)
    • scanning inside packed executables (if enabled in Settings)
  • each of these inner files (inside archives, packed executables) is scanned using the cloud as well
  • ClamAV checks its local whitelist when it detects a virus
  • as soon as either engine finds malware, scanning is stopped
  • the cloud also checks its whitelist for both its own detections and ClamAV's detections
For a file to be considered malicious it is enough that just one engine considers it as such. For it to be considered clean both must consider it clean.

If malware is detected, the file is quarantined and the malicious process is blocked from executing.

So you see, when you have both the cloud and ClamAV enabled, it performs a more thorough scan than when scanning with either one individually.

What if a file is detected by both the cloud and the local ClamAV engine?
Currently the detection from the cloud wins, but that may change as we work on optimizing the integration of the engine. Also just because you see a cloud detection, it doesn't mean the local engine wouldn't have detected it.

Friday, February 11, 2011

Immunet 3.0 is Sourcefire’s new cloud-based desktop anti-malware solution for Microsoft Windows. For best performance, an Internet connection is recommended. Additionally, Immunet 3.0 is powered by ClamAV, which allows users to stay protected even when not connected to the Immunet cloud. ClamAV built its reputation over the years on the UNIX platform as being a robust and capable enterprise-level anti-malware solution, which allows the advanced user to create their own signatures to complement the ones supplied and updated several times a day by Sourcefire.

Why is being able to use your custom signatures a great feature? Well, it’s because you can make your anti-malware program look for threats that you are the first to see or that you will be the only one to see (e.g. Advanced Persistent Threats, or APT). Or, you could have found that an older version of a proprietary program that's running on your network is vulnerable and you want to make sure that users only run the latest version. Writing a custom signature that targets the older program can help you enforce that policy.

Here's how to get started on writing your own custom ClamAV signatures for Immunet 3.0.

Download the ClamAV command-line Signature Tool, sigtool (MD5:838f6b4ea87199b86f04e9efb96241c3). Now let’s say that test.exe is the file you want to create a signature for. To create a signature that will match only that file, use the --md5 option of sigtool (in this example, I am redirecting the output from sigtool into a file with a .hdb extension):

sigtool --md5
Pic.1: Signature using full MD5 hash of file.

Now, in this case the signature will match on only one file. You may want to write something that matches on multiple files. For example, in the case of executable files you may want to write a signature that will match a particular PE-section, and all files that have the same PE-section. To do so, break up your executable into its different PE-sections either manually or by using tools, identify the one you want to write a signature for (typically the sections are labelled .text, .rdata, .data, .idata, etc.) and use the --mdb option of sigtool (in this example I am redirecting the output from sigtool into a file with a .mdb extension):

sigtool --mdb
Pic.2: Signature using the hash of the PE-section of an executable.

Another way to have ClamAV detect a file is to base your signature on a hexadecimal fragment contained within the body of the file. Let's say you have a text file that contains the text "I look like a benign file but actually I am a bad script and I will pwn your machine, if you don't pay attention." We decide that our detection will be based on detecting the phrase "I am a bad script" in any text files. To write a signature, we can start by echoing "I am a bad script" into sigtool --hex-dump (this time I'm not redirecting output into a file just yet):


Pic.3: Signature using a hex fragment of a file.

Then I'm going to create a signature that has the format Name:TargetType:Offset:HexSignature and redirect it to a file with a .ndb extension, like I did at the end of the example above. You'll notice that I did not include the line break 0d0a in the hex signature.
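
The three signature lines discussed above, built in Python as an added example (not from the original post and not a replacement for sigtool). The Example.* names are hypothetical, the field layouts assumed are MD5:FileSize:Name for .hdb and PESectionSize:MD5:Name for .mdb, and `ndb_matches` is a small stand-in for the engine so the effect of the trailing 0d0a can be checked:

```python
import hashlib
import re

# Constructed sample: the text file described in the post.
SAMPLE = (b"I look like a benign file but actually I am a bad script and "
          b"I will pwn your machine, if you don't pay attention.")
PHRASE = b"I am a bad script"


def hdb_signature(data: bytes, name: str) -> str:
    """Whole-file hash signature (.hdb): MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def mdb_signature(section: bytes, name: str) -> str:
    """PE-section hash signature (.mdb): PESectionSize:MD5:MalwareName.

    `section` is the raw bytes of one section already carved out of the
    executable. Note that the size comes first here, unlike .hdb.
    """
    return f"{len(section)}:{hashlib.md5(section).hexdigest()}:{name}"


def ndb_signature(name: str, fragment: bytes,
                  target_type: int = 0, offset: str = "*") -> str:
    """Body signature (.ndb): Name:TargetType:Offset:HexSignature.

    target_type 0 means any file and offset "*" means anywhere in it.
    A trailing line break (0d0a or 0a, as appended by echo) is dropped
    so the fragment can match in the middle of a line.
    """
    body = fragment.rstrip(b"\r\n").hex()
    if not body:
        raise ValueError("empty fragment")
    return f"{name}:{target_type}:{offset}:{body}"


def ndb_matches(sig_line: str, data: bytes) -> bool:
    """Stand-in matcher, NOT the ClamAV engine: plain hex bodies only
    (no wildcards), offset "*" or an absolute decimal offset."""
    _name, _target, offset, hexsig = sig_line.strip().split(":", 3)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig):
        raise ValueError("only plain hex bodies are handled here")
    needle = bytes.fromhex(hexsig)
    if offset == "*":
        return needle in data
    start = int(offset)
    return data[start:start + len(needle)] == needle


def demo() -> dict:
    """Build each signature for the constructed sample and test the .ndb one."""
    good = ndb_signature("Example.BadScript", PHRASE + b"\r\n")
    # Same fragment with the echo line break left in the hex body.
    crlf_hex = (PHRASE + b"\r\n").hex()
    with_crlf = f"Example.BadScript.CRLF:0:*:{crlf_hex}"
    return {
        "hdb": hdb_signature(SAMPLE, "Example.WholeFile"),
        "ndb": good,
        "ndb_matches": ndb_matches(good, SAMPLE),
        "ndb_with_0d0a_matches": ndb_matches(with_crlf, SAMPLE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the line break left in, the hex body only matches where the phrase ends a line, which is why the sample text above is missed.
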

For more in-depth information on how to create signatures, check out the documentation on Creating Signatures for ClamAV. There is also a webcast on the topic as well as a blog entry on how to create logical signatures for ClamAV.

Well, all that is good and I've created signatures, how do I load them into Immunet 3.0? You may very well ask.

First things first: Make sure that the ClamAV detection engine is turned on. Open Immunet 3.0, select “Settings” and switch the ClamAV “on”. Click on “Apply”.


Pic.4: Making sure that the ClamAV engine is turned on.

Optional (but highly recommended): Back in the main pane, click on “Update Now” to download the latest official ClamAV signatures.


Pic.5: "Update Now" to get the latest official ClamAV signatures.

Next, launch SigUI from Start->All Programs->Immunet 3.0->Custom Signature Tool.


Pic.6: SigUI's interface.

SigUI is a graphical user interface used to configure a back-end tool called Freshclam, which is used to download ClamAV signatures. Under the "Updater configuration" tab, you can enter proxy settings if you access the Internet using a proxy. To ensure that the settings have been entered properly, click on "Run freshclam to test configuration". Upon successfully accessing the Internet, Freshclam will exit without error (“Freshclam exited with code: 0”) (see Pic. 7):


Pic.7: Freshclam running.

Next, from the pull-down menu "Download Official Signatures from mirror", select where you want to download official ClamAV signatures from. By default, official signatures will be fetched from db.local.clamav.net. Although this works well most of the time, you may get better performance by using a server closer to your location. Mirrors are in the form db.XY.clamav.net, where XY is a two-letter country code. Alternatively, you can manually enter a hostname, such as your own server if that is where you are hosting the official ClamAV signatures. This completes the configuration for the automatic retrieval of official signatures.

To deploy your own signatures (or signatures provided by third-parties), you can either:
- specify their full URI (URL or UNC path) under Custom signatures URLs (see Pic. 6). The signatures can be in any format that ClamAV understands
- add the signatures file(s) under the "Local signature management" tab (see Pic. 8). At that point the signatures aren’t yet installed. You must click on Verify and Install signatures to test the new signatures (see Pic. 9). The ones that pass verification will be installed and ClamAV will load them at the next database update


Pic.8: SigUI's "Local signature management" tab


Pic.9: Signatures installed after verification

Your custom signatures will be copied to the ClamAV signatures folder and loaded the next time the system is idle.

Voila! You now know how to write and deploy your own ClamAV signatures. You can also load third-party signatures written in a format that ClamAV understands the same way you would your custom signatures. Again, you don't have to write your own signatures, but you can if you want and that is a powerful feature at your disposal. Feel free to contribute your signatures to our online forum. Feel free to post your questions to our mailing list. Additionally, you will find someone to answer your questions in the IRC chat room #clamav on irc.freenode.net.

Wednesday, February 9, 2011

Columbia, MD – February 09, 2011 -- Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, today announced the availability of Immunet™ 3.0, which leverages a cloud-based collective immunity platform to deliver real-time protection against zero-day attacks. Immunet 3.0 enables businesses and consumers to create custom anti-malware signatures for more accurate protection against targeted attacks and offers an innovative Cloud Recall™ feature, which can remediate previously approved files, automatically quarantining them in real time based on new threat information.

“Immunet 3.0 changes the way anti-malware works. By leveraging the cloud and allowing users to create custom signatures, Sourcefire is increasing the speed and accuracy of its protection to align with the demands of today’s environments,” said Charles Kolodgy, research Vice president at IDC. “With the added ability to protect against malware introduced by non-traditional means, including rootkits and USB drives, Immunet 3.0 is offering customers the functionality they require, while filling significant holes that have been left by more traditional solutions.”

Backed by the additional resources of Sourcefire®, Immunet 3.0 offers significant advancements that enable consumers and businesses to protect their PCs from Client-Side attacks.  These include:
  • Custom Signature Creation – While customization is available in some enterprise security solutions, including Intrusion Prevention Systems, traditional antivirus offerings continue to take a “black box” mentality to customization. With Immunet 3.0, customers now have the power to create signatures for their specific requirements, significantly improving the effectiveness of Immunet.
  • Cloud Recall – This new, innovative feature leverages the power of the Immunet platform to provide increased endpoint protection.  Through continuous file processing in the cloud, Immunet 3.0 can retroactively quarantine a file that was originally cleared, but later deemed to be malware. The Immunet Community is updated automatically as new threats are discovered.  Cloud Recall provides a significant advantage over traditional approaches to solving this problem, which include sending 20,000 - 40,000 signatures down to each and every endpoint on a daily basis, then invoking a resource-intensive full system scan.
  • Collective Immunity™ – A key benefit of Immunet 3.0 is Collective Immunity, which allows users to harness the collective presence of Immunet’s 850,000 worldwide users for increased endpoint protection. This cloud-based approach enables organizations to better protect against zero-day attacks with real-time protection driven by intelligence from the user community.  Each time someone in this collective community encounters a threat, everyone else in the community automatically gains protection from that same threat in real time. Customers no longer have to rely on the isolated security of their traditional antivirus vendor.
Because Immunet offers users an extremely light client, it is ideal for individual consumers and organizations looking to enhance their current anti-malware protection with a companion solution.  Removing previous limitations for multiple anti-malware solutions residing on a single system, Immunet enables users and organizations to simultaneously run multiple solutions, without the risk of system conflicts, for defense-in-depth protection.

“When it comes to protecting against new and targeted threats, traditional anti-malware solutions typically fall short because of the time it takes to push new signatures,” said Martin Roesch, Sourcefire’s CTO and Founder. “Sourcefire’s approach is revolutionizing the way consumers and organizations protect their endpoints. By leveraging our innovative cloud platform and enabling customers to create custom signatures, Immunet 3.0 is offering consumers and businesses the ability to take a more proactive stance with their anti-malware investments and better protect against the latest attacks that traditional solutions miss.”

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), is a world leader in intelligent cybersecurity solutions.  Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS, RNA® (Real-time Network Awareness) and Real-time Adaptive Security solutions equip customers with an efficient and effective layered security defense – protecting network assets before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership by customers, media and industry analysts alike – with more than 50 awards and accolades. Today, the name Sourcefire has grown synonymous with innovation and network security intelligence. For more information about Sourcefire, please visit http://www.sourcefire.com.

SOURCEFIRE®, Sourcefire IPS™, SNORT®, RAZORBACK™, the Sourcefire logo, the Snort and Pig logo, SECURITY FOR THE REAL WORLD™, SOURCEFIRE DEFENSE CENTER®, SOURCEFIRE 3D®, RNA®, RUA®, DAEMONLOGGER™, CLAMAV®, IMMUNET™ and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

Tuesday, February 8, 2011

Tomorrow, February 9th, will mark the day that the Immunet 3.0 product from Sourcefire officially rolls out. Immunet 3.0 not only has the familiar Immunet cloud-based anti-virus product that you are used to, but it also builds in the ClamAV 0.97 engine for even more detection of threats.

We are no longer calling the product "ClamAV for Windows 3.0", we are now referring to the product as "Immunet 3.0".

New Features:
  • Offline Protection -- This is the ClamAV portion, allowing you to stay protected even while not connected to the Immunet cloud.
  • Cloud Recall -- Even if the file that Immunet scanned today is "clean", and tomorrow it's discovered the file is bad, Immunet will still get it.
  • Custom Signature Generation -- This gives advanced users the ability to create their own anti-virus signatures for new emerging threats. With the Immunet 3.0 release, we are the only Windows based anti-virus product to allow you to do this.
This is a great release, building in a lot of features and combining the power of ClamAV with the power of the cloud of Immunet is quite an achievement. 

Check out the blog post from Al Huger over on the Immunet blog for further information.  I'll put a formal announcement up tomorrow.

Monday, February 7, 2011

Since the release of ClamAV 0.97rc, there have been several bug fixes:

 * libclamav/vba_extract.c: fix error path double free (bb#2486)
 * libclamav/phishcheck.c: fix some missed safebrowsing URLs (bb #2514)
 * libclamav/matcher-bm.c: fix error message (bb#2513)
 * libclamav/matcher-hash.c: stop leaking virusnames (nopool mode)
So anyone using the RC, or a previous version of ClamAV should go ahead and take the opportunity to update to 0.97 now.

ClamAV 0.97 brings many improvements, including complete Windows support (all major components compile out-of-box under Visual Studio), support for signatures based on SHA1 and SHA256, better error detection, as well as speed and memory optimizations. The complete list of changes is available in the ChangeLog file. For upgrade notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes097

Download: http://downloads.sourceforge.net/cla...av-0.97.tar.gz
PGP sig: http://downloads.sourceforge.net/cla....97.tar.gz.sig
Bugfixes: http://www.clamav.net/release-info/bugs/0.97
ChangeLog: http://www.clamav.net/release-info/changelog/0.97

We'll have further information regarding ClamAV this week, stay tuned to the blog to find out more!

Wednesday, February 2, 2011

The release candidate for ClamAV 0.97 is available for download.

ClamAV 0.97 brings many improvements, including complete Windows support
(all major components compile out-of-box under Visual Studio), support
for signatures based on SHA1 and SHA256, better error detection, as well as
speed and memory optimizations. The complete list of changes is
available in the ChangeLog file. For upgrade notes and tips please see:
https://wiki.clamav.net/Main/UpgradeNotes097

We encourage as many people as possible to test this release.
If you don't have access to a test machine you can still help
by downloading it and checking for us that it compiles and links
on your platform and by running "make check".
If you do have a test machine/model/network please help us by loading
ClamAV 0.97rc and testing.

All bug reports should be filed at http://bugs.clamav.net.
We also encourage all 3rd party developers of products and
distribution/port maintainers to download and check this update so that
you can go live as soon as the final version is released.

Download : http://downloads.sourceforge.net/clamav/clamav-0.97rc.tar.gz
PGP sig : http://downloads.sourceforge.net/clamav/clamav-0.97rc.tar.gz.sig
Bugfixes : http://www.clamav.net/release-info/bugs/0.97
ChangeLog: http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.97rc