ClamAV®

ClamAV 0.97.8 has been released!

2013-04-23T13:21:00.000-04:00

Dear ClamAV users,

"ClamAV 0.97.8 addresses several reported potential security bugs. Thanks to Felix Groebert of the Google Security Team for finding and reporting these issues."

Download: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz
PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz.sig
ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

--
The ClamAV team (http://www.clamav.net/lang/en/about/team/

You want to become a ClamAV mirror?

2013-04-15T10:31:00.000-04:00

One of the questions I receive in my inbox quite frequently is:

"Does ClamAV need any more mirrors for virus definitions?"

The quick answer is "Yes!" We'll always take more mirrors that we can get, as we increase output of virus definitions and such, we need more infrastructure to be able to handle the load.

If you are interested in becoming a ClamAV mirror, please follow the instructions here:

https://github.com/vrtadmin/clamav-faq/blob/master/mirrors/MirrorHowto.md

ClamAV 0.97.7 has been released!

2013-03-15T09:25:00.002-04:00

Dear ClamAV users,

"ClamAV 0.97.7 addresses several reported potential security bugs. Thanks to Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for finding and reporting these issues."

Download: http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz
PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz.sig
ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

--
The ClamAV team (http://www.clamav.net/lang/en/about/team/

Resolving Issues With Freshclam

2013-02-26T16:05:00.000-05:00

Certain users are experiencing database update issues due to the failed Authenticode database push. This blog post will show how to check if you're one of those affected users and how to fix freshclam.

Validate You're Affected

You can validate that you're having this particular issue by a number of ways:

Check the hash of your daily.cvd. You are affected if the hash matches the following:

MD5: 89dedb45609e59b0244fb5202ab6fa56
SHA1: 9947ec90e60499ab7c3331670d5b26b4eaac76e4

Check your freshclam log file for repeated errors that look like:

Ignoring mirror [Mirror's IP address here] (has connected too many times with an outdated version)

Check the version number and the functional level of the daily.cvd by using sigtool:

sigtool --info daily.cvd will show a version number of 16681 and a functionality level of 73

How To Fix Freshclam

If you are expereincing the problem, please do the following: Stop the freshclam daemon if it's running, delete both mirrors.dat and daily.cvd, then restart the freshclam daemon. Freshclam will then download a new daily.cvd and will be up-to-date.

We apologize for any inconvenience this has caused and thank you for using ClamAV. If you have any further issues, please send a message to the ClamAV user's list or contact us via IRC.

Planned Infrastructure Maintenance - 04 Mar 2013

2013-02-25T13:00:00.000-05:00

In preparation for the ClamAV 0.98 release, we will be performing maintenance on the infrastructure beginning at 5:00 PM EST on 04 Mar 2013.

We will be pushing out a new signature database that does not have a corresponding cdiff file. This means that clients will pull down a full copy of the daily.cvd database, which will cause an increase in download traffic from the mirrors.

The maintenance is estimated to take one hour. No impact to users, beyond the downloading of a new daily.cvd, is anticipated.

We would like to extend our thanks to the mirror providers for their contributions, and thank you for using ClamAV.

Post-Mortem Analysis Of Virus Database Push Issues

2013-02-25T10:00:00.000-05:00

On Thursday, 14 Feb 2013, in preparation for the coming ClamAV 0.98 release, a new database was scheduled to be made available to users. We had a set of issues while performing this upgrade, and we feel that it is appropriate to let our users and mirror providers know what happened, what has done to fix the issues, and what is being done to prevent these issues from happening again.

So first, What Happened?

14 Feb 2013 0800 EST: Start of our scheduled work on our infrastructure.
14 Feb 2013 0815 EST: A new, custom daily.cvd (our virus definition database) was published. This database was generated with ClamAV 0.98, which in turn caused freshclam to think that a new version of ClamAV was available (not yet, but there will be).
14 Feb 2013 0830 EST: Published a new daily.cvd, generated with ClamAV 0.97.6, the current version of ClamAV. This corrected the issue with incorrect notifications of a new version of ClamAV.
14 Feb 2013 1100 EST: Clients report errors with updating. Investigation starts.
14 Feb 2013 1130 EST: The problem was isolated. The new database wasn't copied into a critical directory on our internal Signature server. The database publishing infrastructure didn't know that a custom database had been published. The custom database was overwritten with a new database. This resulted in some users being unable to use the .cdiff files (our incremental update files) for updating, leading to users who had downloaded the custom database to be unable to update.
14 Feb 2013 1330 EST: A new database was published to resolve the issues. Issues should now be resolved for most users.
19 Feb 2013 1700 EST: Issues resolved for all remaining users by modifying the set of available .cdiff files.

Fixes That Have Been Performed

We've deleted all database files that would cause errors. This should fix the remainder of issues for our users. However, any users who are still seeing errors should delete the mirrors.dat file in their database directory to force a reset of mirror selection.

Prevention

We've put in place a workflow that will prevent issues like this from popping up. A full change-management process is in place, with an emphasis on peer-reviewed planning, comprehensive test plans and appropriate personnel assignments. Change plans will be approved by a senior administrator, a ClamAV developer and a representative from the analyst team.

For the convenience of our mirror providers, there is now a set maintenance window for routine changes: Monday 5pm EST through midnight EST. As always, we will aim to notify mirror providers a week in advance of any change. In the case of emergent issues, a different time or a shorter notification may be required.

We apologize for any inconvenience caused by the problems outlined in this post. We will continue to review our processes to ensure that we are providing the best experience for both our users and our mirror providers.

Authenticode Certificate Chain Verification

2013-02-13T15:14:00.000-05:00

Introduction

Microsoft introduced digitally signing PE object files (authenticode) in Windows 98. Hardware drivers eligible for the Windows Logo Program are required to contain a valid authenticode signature. Since then, Microsoft has expanded the program to executable object files (EXEs) and DLLs.

Microsoft has its own public key infrastructure (PKI). There are four trusted root certificate authorities: two by Microsoft, Thawte, and Verisign. Microsoft's own executables for Windows are signed.

Authenticode At Work

The Problem

It's becoming more common for malware authors to sign their executables. Malware authors are known to steal existing certificates or forge certificates (the certificate forging link talks about SSL certificates; though you can't use certificates used for web browsing with authenticode, the concept still applies). Stealing and forging existing certificates can trick unsuspecting users into trusting the malware.

The Solution

ClamAV 0.98 now parses and validates the authenticode certificates. ClamAV now ships a database of trusted and revoked certificates. If the PE file being scanned is flagged as a virus, ClamAV follows this logic in validating the certificate chain contained inside the PE file:

Load the chain in full
Validate each certificate in the chain:

If no certificate matches one of the four trusted roots, the whole chain is considered invalid and is subsequently ignored. Further chain processing is stopped.
If one certificate matches a revoked entry in the database, the whole chain is considered invalid. Report PE file being scanned is a virus.
If no certificates match a revoked entry in the database, the PE file is marked as clean. No virus is reported for the PE file being scanned.

Generating A Certificate Revocation Entry

Since the authenticode chain is verified only after a file has been flagged as virus by the ClamAV engine, you have to first create a signature for the file if one doesn't already exist. If a signature exists, yet the file is reported as clean, chances are that the file is being whitelisted due to having a valid authenticode signature. You can verify that the file is being whitelisted by passing --debug --verbose to clamscan and looking for the word authenicode (yes, that is indeed misspelled, but that works out to our advantage). If you see that word, then the file is being whitelisted and a certificate revocation entry needs to be created.

First, we need to dump the certificate chain so that we can find the certificate to revoke. You can tell ClamAV to dump the certificate chain to stderr by passing --dumpcerts to clamscan. You will then match the certificate that is dumped with the public key of the lowest certificate in the chain that Windows shows. Windows shows a few bytes before the public key actually starts. Don't worry, if that confuses you, I have screenshots:

Windows Certificate Information

Validating and Dumping Authenticode Certificate Information via ClamAV

Certificate revocation entries go into a .crtdb file in your ClamAV database directory. Its format is as follows: name;trusted;subject;serial;pubkey;exponent;codesign;timesign;certsign;notbefore;comment[;minFL[;maxFL]]

Where:

Name: a descriptive name for the certificate entry
Trusted: a bit field (0 or 1) whether this entry is trusted or revoked
Subject: the subject reported by ClamAV
Serial: the serial reported by ClamAV
Pubkey: the public key reported by ClamAV
Exponent: The exponent of the certificate. Set this to 010001.
Codesign: A bit field (0 or 1) whether this certificate can sign code
Timesign: A bit field (0 or 1) whether this certificate can generate a timestamp signature
Certsign: A bit field (0 or 1) whether this certificate can sign other certificates
Notbefore: The notbefore field of the certificate. Defaults to 0 if empty.
Comment: any comments about this entry
MinFL: The minimum ClamAV feature level needed for this entry. Required only if MaxFL is set.
MaxFL: The maximum ClamAV feature level supported by this entry

Let's return back to the example. We now have enough information to create the certificate revocation entry. It would look like:

Descriptive name here;0;fe72355be4b6893d8e5b628d1a9ae8863d202b6f;a58d94ce010afa9865e732870971428768c92d64;ba0532ff862861cfaf8c22601fe479e3697b6ab94ff01c3254d105018c93bdb47f4c3fc1fb1d20172c46a727fb589f310cf6b081517ee472d145dfd4939c7d4652aad06c3ee6722f15703e88bbd8bc4d56fe7030b21f105fa9817b625103273caf46072628207e81bc13ac6ba18cdd3e93b97c9761730eb14ce36464cc997075;010001;1;0;0;0;

After adding that revocation entry to our certs database, ClamAV now flags the sample as a virus:

clamscan Reporting Virus

Contribute signatures to ClamAV

2012-11-27T16:54:00.000-05:00

Back in February, Joel Esler who is our Open Source Community Manager, explained how you could contribute rules to Snort. We just wanted to let you know that the VRT is seeking and accepting your contribution on the ClamAV side as well.

One of the best features of ClamAV is the openness of the signatures database. There are very few anti-malware products out there that will allow you see exactly how a signature is constructed and let you use your own custom signatures. We strive to provide the best protection we can to our users through the official signature releases we provide several times a day. However, the nature of our field makes it that you will at some point (if you haven't already) come across malware for which there are no official signatures to detect it.

That's where your contribution is sought and would be highly appreciated. If you come across malware that isn't detected with the official ClamAV signatures and you have your own signature to detect it, please provide it to us! It will go through our regular QA cycle and we will provide you with personal feedback. Your signature will be tweaked if necessary and tested against our clean files in order to prevent false positives once released. We will also give you credit for the signature your contributed unless you choose to remain anonymous.

You have a few ways of contributing signatures:

- Go to http://www.clamav.net/lang/en/sendvirus/submit-malware/

In the description field, provide your signature along with supporting evidence. Attach your sample and submit.

- Submit your password protected zip (a typical password is 'infected') along with your research and signature via email to vrt[at]sourcefire.com

We prefer "body-based" signatures as opposed to "checksum-based" signatures. Hex (body) signatures are based on a fragment of a malware sample's body converted into a hexadecimal string which can be extended using various wildcards. More on how to write ClamAV signatures here and here.

Of course we are always accepting false positive submissions here.

Open Source Antivirus: ClamAV by Dejan Lukan

2012-10-09T23:09:00.003-04:00

For someone just getting started with ClamAV, I noticed this easy to read and understand blog post here. If you know someone who is just getting started with ClamAV, or you yourself came to this blog looking to get started. Check that blog post out!

ClamAV Wiki Documents

2012-09-25T17:37:00.005-04:00

We've had much interest in the documents that were contained within our Wiki before we took it down here at ClamAV. We've managed to salvage the useful pieces of the Wiki and publish them on our github site. Check it out here:

https://github.com/vrtadmin/clamav-faq

ClamAV Stats, we need more of them, we need your help

2012-09-18T18:23:00.000-04:00

We've been working pretty hard behind the scenes over here on ClamAV, its backend infrastructure, and moving the codebase as well as its detection up the ladder.

In order for us to get some accurate statistics about what you all are seeing out there, in the field, we need as many people as possible to "opt-in" to some statistics gathering features that we have built into the code base.

If you've ever browsed around ClamAV.net, I'm sure you've probably bumped into this page:

http://www.clamav.net/lang/en/download/cvd/malware-stats/ at some point. These are statistics that are provided by you all, the users of ClamAV, collected and correlated on our backend systems here. It allows us to see trends across signatures and allows us to check in on what you are seeing in the actual real world.

We need more people to opt-in to this feature. We are looking at growing the detection rate and feature set of ClamAV's detection functionality, and this type of data will allow us to see where we need to pinpoint resources.

If you can participate in the program, please go here:

http://www.clamav.net/lang/en/faq/faq-cctts/stats-howto/

Follow the instructions above and you should be good to go! Thanks!

Windows versions of ClamAV 0.97.6 posted!

2012-09-18T16:57:00.002-04:00

All:

If you are a Windows user of ClamAV, you'll be happy to know that we have released the Windows builds for ClamAV 0.97.6 to our Sourceforge site here:

http://sourceforge.net/projects/clamav/files/clamav/win32/0.97.6/

Please feel free to download, use, and provide feedback via the ClamAV-Users list here:

http://lists.clamav.net/mailman/listinfo/clamav-users

Thanks!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

ClamAV 0.97.6 has been released.

2012-09-17T15:36:00.000-04:00

Dear ClamAV users,

ClamAV 0.97.6 includes minor bug fixes and detection improvements.

Download: http://downloads.sourceforge.net/clamav/clamav-0.97.6.tar.gz
PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.6.tar.gz.sig
ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

The ClamAV team (http://www.clamav.net/lang/en/about/team/)

ClamAV's Wiki

2012-07-03T09:23:00.000-04:00

The ClamAv Wiki is currently down. It hadn't been updated for some time (several years!) and it was time to covert it into something more useable.

We are currently converting the relevant documentation that was in the Wiki into something more useful and it will be forthcoming.

Introducing the new ClamAV team

2012-06-22T14:55:00.000-04:00

Earlier this week we announced a new chapter for ClamAV with the departure of Tomasz Kojm, Alberto Wu, Luca Gibelli and Edwin Török. While we are sad to see them go, we are grateful for the contributions they have made and are committed to carrying on the project with the community in mind.

As Tomasz mentioned in his own email, ClamAV just had its 10th birthday. Over the years we've been able to integrate ClamAV into our own product suite and it is now used by millions of mail filters, operating systems and millions of file scans per day. It's big, and we want it to be even bigger, with open source commitment at its core.

So, now that we've begun this new chapter, I’d like to introduce you to some new members of the ClamAV team. These folks might be new to ClamAV, but they have been with the Sourcefire Vulnerability Research Team (VRT) for quite some time, and all have worked on other open source projects. Without further ado, they are:

Matthew Olney is the project development lead for ClamAV and lead architect for the Razorback framework. Pulling from his experience as a network and security engineer, he’s also a detection specialist for Snort and a frequent contributor of signatures to the ClamAV engine itself.

Ryan Pentney is the lead bytecode engine developer for ClamAV; a perfect complement to his role as lead developer for file format detection for the Razorback framework. He also is a contributor to both the Snort and ClamAV engines.

Tom Judge has a strong background in systems and security operations. He is a FreeBSD committer, a lead developer for the Razorback framework and a long-time user of ClamAV. On the ClamAV development team, he concentrates on FireAMP integration, virtual machine interfacing and freshclam development.

David Raynor is the core engine developer for ClamAV. He was a developer of a major scalable security system for the United States Department of Homeland Security before coming to Sourcefire.

Nigel Houghton has been with Sourcefire as the lead of the Department of Intelligence Excellence for almost 10 years. Nigel has vast knowledge of programming, operating systems, administration, and security. His team is responsible for the ClamAV supporting infrastructure as well as releasing signature updates.

As I mentioned, all of the above are members of the VRT, led by Matt Watchinski, who has overseen the ClamAV project since Sourcefire acquired it in 2007. We remain committed to continuing the open source nature of the project, pushing the growth of the project even farther.

As always, you can reach us on the ClamAV Mailing lists found here: http://www.clamav.net/lang/en/ml/. We look forward to hearing your ideas and feedback. Thanks for using ClamAV and we look forward to working with you.

Joel Esler
Open Source Community Manager
Senior Research Engineer, VRT
Sourcefire

A New Chapter for ClamAV

2012-06-19T11:02:00.001-04:00

Earlier today, Tomasz Kojm sent an email to the ClamAV mailing list on behalf of himself and three of his teammates - Alberto Wu, Luca Gibelli, Edwin Török. As he wrote in his email, since they joined us via acquisition in 2007, we’ve been able to work together on some great projects. And now, as we celebrate the 10-year anniversary of ClamAV, the team has decided to move onto new development projects outside of Sourcefire. From his email:

“...it is time for us to make a change. ClamAV is now mature software and we are confident that Sourcefire will successfully continue its development, move it forward and maintain the integrity of its infrastructure.”

And mature it has. Today the solution has more than 2 million active installations and scans hundreds of millions of files every day. I am incredibly proud of the leadership of Tomasz and the tenacity of his team in all of these development projects. While I am remiss to see them go, I am excited and looking forward to what they come up with next.

Now, what does this mean for you, our ClamAV users and community? The good news is that I will continue to oversee the development project, as I have done since our acquisition of the company in 2007. Joel Esler, our Open Source community manager, will still be your main point of contact. I do want you to be aware of a few changes to come:

ClamAV source package signing. The signing key will no longer be tkojm@clamav.net. It will be research@sourcefire.com. This is the main VRT GPG key, and has been signed by tkojm@clamav.net.
New faces

Matt Olney
David Raynor
Tom Judge
Nigel Houghton

0.97.5 New Release

If you need to reach us for any reason, email vrt@sourcefire.com. In the meantime, please join me in expressing thanks to Tomasz, Alberto, Luca and Edwin for all of their contributions to the ClamAV project.

ClamAV 0.97.5 has been released!

2012-06-15T10:16:00.000-04:00

Just released is version 0.97.5 of ClamAV. Below is the changelog:

Fri Jun 1 13:15:50 EST 2012 (dar)
---------------------------------
 * libclamav: Scan output at end of truncated tar (bb#4625) 

Wed May 30 17:27:00 EST 2012 (dar)
----------------------------------
 * libclamav: Fix handling of tar file with malformed header
         (bb#4627)

Fri May 25 13:05:40 EST 2012 (dar)
----------------------------------
 * libclamav: Scan chm with invalid handling (bb#4626)

Thu May 10 15:45:56 CEST 2012 (tk)
----------------------------------
 * freshclam: give custom dbs higher priority during update

Tue May  8 15:31:51 CEST 2012 (acab)
------------------------------------
 * libclamav: detect read races and abort the scan with an error
       (bb#4669)

Tue Apr 10 17:04:20 CEST 2012 (tk)
----------------------------------
 * libclamav/pe.c: drop old header check (bb#4699)

We are currently experiencing some problems updating our freshmeat account, however, in the meantime ClamAV, as always, is available from http://www.clamav.net

ClamAV vs. ContentIQ Test series

2012-06-01T10:29:00.000-04:00

I wanted to call attention to a series of blog posts that Alain is writing over on the VRT blog about the ContentIQ test and ClamAV's results with that test. Enjoy:

http://vrt-blog.snort.org/2012/02/clamav-vs-content-iq-test-part-1.html
http://vrt-blog.snort.org/2012/03/clamav-vs-content-iq-test-part-2.html
http://vrt-blog.snort.org/2012/04/clamav-vs-content-iq-test-part-3.html

Building a Computer Disaster Recovery Toolkit

2012-05-28T08:56:00.002-04:00

In this article over at CNET, one of the things they discuss is using An Ubuntu Live CD, included with ClamAV to help repair infected computers.

Article here

ClamAV as a service on Windows with Kerio Connect / Mailserver

2012-05-24T21:38:00.001-04:00

A quick blog post about installing ClamWin with Kerio Connect.

http://blog.campodoro.org/?p=269

ClamAV needs an Intern

2012-04-09T14:36:00.000-04:00

The VRT is looking for an Intern to assist with the ClamAV and Razorback projects. If you are a C coder, we'd like to hear from you.

We are looking for resumes sent to research [at] sourcefire.com. Please let us know that you are interested in the Intern position with the VRT, and that you saw the blog post here on the ClamAV blog!

On-access scanning for OS X

2012-03-21T10:52:00.003-04:00

The ClamAuth kernel extension enables ClamAV to provide on-access scanning for Mac OS X 10.5 and later.

The current version works in a passive mode only - ClamAV will log the detection but won't block access to the infected file. However, it's possible to perform special actions (eg. quarantine files) with the VirusEvent directive of clamd.

Usage
-----

1. Run ClamAuth_load to load the kernel extension (you can edit the script to change or add more paths that will be monitored).
2. Add "ClamAuth yes" to your clamd.conf (ClamAV 0.97.4) or "ScanOnAccess yes" (ClamAV-devel)
3. Start clamd with root privileges ('sudo /usr/local/sbin/clamd')

If clamd properly connects to the driver, you should see a line like this in the log file:

ClamAuth: Driver version: 0.3, protocol version: 2

ClamAV is now monitoring the paths specified in ClamAuth_load.

If you have any questions or feedback about this module please send it to the ClamAV mailing list here:
http://www.clamav.net/lang/en/ml/

ClamAV 0.97.4 has been released!

2012-03-19T10:00:00.000-04:00

ClamAV 0.97.4 includes minor bugfixes, detection improvements and
initial support for on-access scanning under Mac OS X (see
contrib/ClamAuth).

This update is recommended for all users.

Wed Feb 29 18:35:45 CET 2012 (acab)
-----------------------------------
 * libclamav/bytecode.c: reset to BYTECODE_AUTO mode at db reload so that
    we don't fail to re-enable or re-disable it again
    (bb#3789)

Tue Jan 17 11:15:57 CET 2012 (acab)
-----------------------------------
 * misc: performance improvement for HP-UX PA-RISC - patch from 
  Michael Pelletier <michael.v.pelletier*raytheon.com> (bb#3926)

Fri Nov  4 00:52:21 CET 2011 (acab)
-----------------------------------
 * libclamav/pe.c: parse vinfo where varfileinfo occours before stringfileinfo
     (bb#3062)

Fri Mar  2 19:48:36 CET 2012 (tk)
---------------------------------
 * clamd: add support for on-access scanning on OS X with ClamAuth (beta)

Wed Feb 29 17:02:18 EET 2012 (edwin)
------------------------------------
 * libclamav/bytecode_api*: Fix Sparc crash (bb #4324)

Tue Feb  7 23:23:48 CET 2012 (tk)
---------------------------------
 * libclamav: fix bytecode whitelisting

Wed Jan 25 18:56:44 CET 2012 (tk)
---------------------------------
 * libclamav: fix macro detection in OLE2BlockMacros (bb#4269)

Thu Dec  1 15:07:49 CET 2011 (tk)
---------------------------------
 * libclamav/readdb.c: allow comments in all db files (bb#3930)

Fri Nov 18 15:23:50 CET 2011 (tk)
---------------------------------
 * libclamav/scanners.c: use lsigs when scanning vba data (bb#3922)

Fri Nov 18 15:48:59 EET 2011 (edwin)
-----------------------------------
 * libclamav/matcher-hash.c: Fix SIGBUS on PA-RISC (big-endian) architectures (bb #3894).

Download : http://downloads.sourceforge.net/clamav/clamav-0.97.4.tar.gz
PGP sig : http://downloads.sourceforge.net/clamav/clamav-0.97.4.tar.gz.sig
Bugfixes : http://www.clamav.net/release-info/bugs/0.97.4
ChangeLog: http://www.clamav.net/release-info/changelog/0.97.4

Are you a ninja? Want to become one?

2012-02-28T12:37:00.000-05:00

Then we want to talk to you! While you can look up the different openings that the Vulnerability Research Team (VRT) has, what you won't see if why you should choose Sourcefire for your next job. This is why I love working here, in no particular order:

1. The people. We come from different backgrounds and bring a wealth of talent and knowledge to the table. Most of us were using computers pre-Internet before we were 10 years old. Back then, our friends were just happy to have a gaming console and didn't see the point of having a computer. We are curious by nature and didn't stop learning when we got our various degrees. When you engage in conversation with the VRT, be assured that there will be someone who knows at least as much as you on any topic. The VRT is made of smart, smart! individuals and we are looking for people who are driven and can fit in the team culture.

2. Open-source philosophy. Whether it's ClamAV, Snort, or Razorback (and their respective signatures/rules), we believe in letting users see and understand what we do, how we do it, and why we do it. This pushes us to excel at our job and always put the customer first.

3. Fun work environment. We are productive and have crunch times, yet we always know how to have fun. Do you know what "tea time" is? "Truffle shuffle"? "Hit box!"? Do you know what it is "to be slothed"? What does it mean when someone calls "car"? Who's the "grammar police"? Come find out :-)

4. Hobbies. If you like biking, riding motorcycles, playing the guitar, photography, playing tennis or soccer, you will likely find an after-hours hangout buddy with similar interest in the VRT.

5. Lunch. Delivered to you every day between 12PM and 2PM. Just choose what you like from 3 different and rotating restaurant menus and lookout for the the daily email that says that your lunch has arrived. For free. Yup, just like that (well technically it's part of your benefits).

6. Training. Whether you want to informally learn about malware or vulnerability research, attend a conference or a week-long training, or formally work towards a Bachelor's or Master's degree, we'll hook you up.

7. Leadership and Innovation. Snort is the de facto standard for Intrusion Detection and Prevention. ClamAV sets the standard for open-source antivirus and anti-malware solutions. Razorback advances complex threat detection and protection.

I could really go on and on about why you should choose us. If you think you have the right skills, if you think you can grow and most importantly if you are driven, contact us with your resume at research at sourcefire dot com.

Open Source Fact and Fiction: Sourcefire Stays True To Its Roots

2012-01-25T08:19:00.000-05:00

Open Source Fact and Fiction: Sourcefire Stays True To Its Roots

Alan Shimel writes a great article about our new product FireAMP, and it's roots, not only with ClamAV but many other OpenSource technologies. It's a quick read, but really shows what we are trying to do here at Sourcefire and how OpenSource is not only the foundation of our products, but really, is baked into everything that we do here.