I responded in the DSL Forums to a question about AV software. The other person made a point about preferring an open source product, and my answer was that I have different criteria for security software than for other things. After all, this isn’t like the difference between text editors or image editing programs.
Nothing can be more important when it comes to anti-virus and anti-malware software than if it works well. What good is it to make a “principled” stand for open source software if it’s not one of the best possible options?
I’m sure ClamAV does quite well in many circumstances. As I noted, I can recommend the PortableApps version of ClamWin for those who need a quick and dirty AV tool on a known-clean partition (in this case, USB stick).
But in nearly every test I’ve seen it compared to closed-source offerings from Kaspersky, BitDefender, AVG, Avast, McAfee, and others, it has come in far short of what the others do. (The lone exception was a test run by someone pushing ClamAV — not an independent test, but a conflict of interest.)
When it comes to the security of my computers or those of people I know and love, 27th of 29 isn’t good enough. It’s not about open versus closed source, it’s not about blindly adhering to principles. It’s about being practical. It’s about being safe.
During my search for other tests, I found this site which runs weekly tests. My link to it is sorted by rank. ClamAV in this past week’s test wasn’t the worst by far, but it detected 17% of viruses. Compare that to other AV programs that beat it in the other test I linked. BitDefender detected 51% — triple the rate of ClamAV.
As good as a lot of open source software is, it isn’t a panacea. Sourceforge and other sites are filled with half-fulfilled open source ambitions that are fully realized in the world of proprietary software. You’re not just buying someone else’s code with proprietary software, you’re also buying measures of accountability and assurances that the company producing it intends to continue improving their product so that it works as it’s supposed to. Companies that keep their code closed aren’t limited to small staffs of volunteer programmers who work on things as they have time; this is their real job.
Sometimes you really do get what you pay for. Or would have to pay for if the free personal versions of the better proprietary applications weren’t readily available. ClamAV may be free as in freedom and free as in beer, but that’s pointless if you’re not going to audit their code and make changes. Much better free-as-in-beer AV software is available. Same price. Works better.
You can have your own principles. So can I. One of mine is being open-minded and practical enough to use the best available tool for the job.