ClamAV Forced Upgrade Breaks Email Servers
An anonymous reader writes "A couple of weeks ago Sourcefire announced end-of-life for version 0.94 of its free ClamAV antivirus package (and in fact has been talking about it for six months). The method that Sourcefire chose to retire 0.94 was to shut down the server that provided its service. Those who had failed to upgrade are scrambling now. Many systems have no choice but to disable virus checking in order to continue to process email. I am very glad I saw the announcement last week!"
The alternative was them not doing anything and then months later we see a story about how "ClamAV silently stops support. Virus outbreaks ensue."
And you didn't, and now are going to complain when shit doesn't work? Go fuck yourself.
Diagnostic-Code: smtp; /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: No such file or directory) at (eval 55) line 310.
/usr/bin/clamscan unexpected exit 50, output="LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later.
451-4.5.0 Error in processing, id=02792-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x83d7540) Too many retries to talk to
ClamAV-clamscan av-scanner FAILED:
At least their error messages are descriptive and informative.
It exists for a reason.
"I use a Mac because I'm just better than you are."
This is what we get when we're all our own "netadmins". I'm one of them. I don't follow security lists. I don't upgrade my products. Why not? Because I'm not really a netadmin. I just have a little server that runs until it breaks. I think that's the difference between a netadmin and a fake netadmin -- a fake netadmin like me reacts. A real netadmin is proactive.
Which honestly, as pathetic as it sounds on the surface, works fairly well when your data and uptime don't matter. Because it's not pathetic because I have better things to do with my time than "run the family webserver".
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
People with critical servers that don't have fallback configurations to handle this kind of thing deserve to have their servers shutdown.
I've been using 0.95 for some time now, so none of my servers were affected but, even if they were, my servers are smart enough not to interrupt the services, and to notify me.
It is really disgusting the way people build servers these days. They think all they need to do is to install a couple packages, change a couple config lines and boom, the server is ready. They are getting what they asked for when stuff like this happens.
morcego
The method SourceFire chose to use was to encode a kill command in the ClamAV updates. If they had simply "shut down the [update] server" ClamAV would have continued to work, just without new signatures.
See their announcement at http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
/~mikeg
Should have switched to Norton. They would have had weeks of impossible-to-ignore yellow and black pop-ups demanding their credit card number as ample warning...
Those freetards just don't understand the valuable features provided by quality proprietary software.
...and guess what! I'm almost sure I have had enough of free software.
Not to say that it does not do its work, but because there is no incentive "not to break stuff", read 'continued revenue streams', folks just do as they please and we get hurt.
Heck! Is this the "freedom" you want?
If it breaks because a remote server went away it sounds like it is time to possibly have another look at that code.
Got Code?
End of Life Announcement: ClamAV 0.94.x
Oct 5, 2009
All ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes.
You can find more details on this issue on our bugzilla (see bug #1395)
This move is needed to push more people to upgrade to 0.95.
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.
We plan to start releasing signatures which exceed the 980 bytes limit on May 2010.
We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.
Thanks for your cooperation!
When they are exceedingly attractive, female, not married, and expressing interest, I do.
IIRC, ClamAV doesn't have real-time scanning anyway. Does it have a first-party mail server scanning plugin now, or am I totally misunderstanding the issue here?
SUPPORT WILL END does not imply killing instances in production. It implies you stop delivering support services (such as tech support or new updates).
How would you feel if the Ubuntu folks delivered a 'security update' to Ubuntu 8.x to disable your system entirely, until you can get a chance to go install a non-EOL'd major release of your OS?
How about all those Windows Vista users who haven't upgraded to Windows 7?
Firefox 2 users who haven't upgraded to 3.
Users who are still using IE6.
Would users trust the vendors anymore with auto-updates, if they all released updates to 'kill the old product' in order to force you to manually do a clean upgrade?
As someone who was bitten by the issue (yeah, I'll man up and admit it - my company's mail server went wonky for about a half hour while I upgraded) I agree -- they pretty much did the right thing.
There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
A kill command may not be the most "polite" way of retiring an old version of software, but for a free service I certainly don't expect them to invest huge amounts of time and money in figuring out how to support the old stuff forever.
/~mikeg
I just tried to update:
... /var/lib/clamav/daily.cld: Malformed database
:(
# cat /etc/debian_version
5.0.4
aptitude output during update:
Setting up clamav-daemon (0.94.dfsg.2-1lenny2)
Starting ClamAV daemon: clamd LibClamAV Warning:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning:
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load daily.ndb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ndb
LibClamAV Error: Can't load
ERROR: Malformed database
It appears debian repositories also need to be updated.
NOTE: I removed the * (star) chars from the warnings due to junk filter.
This space is not for rent.
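As an added example (not code from the thread or from the ClamAV project), here is a small log classifier that recognises the messages quoted above and in the amavisd bounce earlier in the thread, and separates the pre-EOL "engine is outdated" warnings from the post-EOL failures that leave the scanner unusable. The sample log lines are constructed from those quotes; the labels and the fail-closed/fail-open decision are this example's own assumptions.

```python
"""Classify ClamAV / amavisd log lines around the 0.94 end-of-life event.

Added example, not code from the thread or from the ClamAV project.
The sample log lines are constructed from messages quoted in the thread
(clamd start-up output and an amavisd 451 bounce). The labels and the
fail-closed / fail-open decision are conventions of this example only.
"""
import re
from collections import Counter

# Patterns lifted from the messages quoted in the thread. Order matters:
# the EOL marker line also contains "Malformed hexstring", so it is
# matched first and counted once, as the EOL event rather than a generic
# database error.
RULES = (
    ("engine_outdated", re.compile(r"This version of the ClamAV engine is outdated")),
    ("eol_marker", re.compile(r"This ClamAV version has reached End of Life")),
    ("db_malformed", re.compile(
        r"Malformed database|Malformed hexstring|Problem parsing database"
        r"|Can't load daily\.(ndb|cld)")),
    ("socket_down", re.compile(r"Can't connect to UNIX socket")),
    ("all_scanners_failed", re.compile(r"ALL VIRUS SCANNERS FAILED")),
)

# Labels that mean the scanner is producing no verdicts at all. The
# pre-EOL "outdated" warning is deliberately not in this set: the engine
# still scanned at that point, it was just warning in syslog.
UNUSABLE = {"eol_marker", "db_malformed", "socket_down", "all_scanners_failed"}


def classify_line(line):
    """Return the first matching label for one log line, or None."""
    for label, pattern in RULES:
        if pattern.search(line):
            return label
    return None


def summarize(lines):
    """Count labelled lines; unlabelled lines are ignored."""
    counts = Counter()
    for line in lines:
        label = classify_line(line)
        if label is not None:
            counts[label] += 1
    return counts


def scanner_state(counts):
    """Collapse the counts into one of: ok, outdated, unusable."""
    if counts.keys() & UNUSABLE:
        return "unusable"
    if counts["engine_outdated"]:
        return "outdated"
    return "ok"


def mail_action(state, fail_closed=True):
    """What a mail gateway should do for the given scanner state.

    'defer' mirrors the 451 temporary failure amavisd returned in the
    thread; 'accept_unscanned' is the fail-open alternative the thread
    describes as letting every virus through.
    """
    if state == "unusable":
        return "defer" if fail_closed else "accept_unscanned"
    return "scan"


# Constructed sample: what syslog looked like during the six months of
# warnings, before the EOL signature was shipped.
PRE_EOL_LOG = [
    "LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***",
    "LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***",
]

# Constructed sample: the clamd start-up output and amavisd bounce quoted
# in the thread after the EOL signature landed.
POST_EOL_LOG = PRE_EOL_LOG + [
    "LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has "
    "reached End of Life! Please upgrade to version 0.95 or later. (length: 169)",
    "LibClamAV Error: Problem parsing database at line 742",
    "LibClamAV Error: Can't load daily.ndb: Malformed database",
    "LibClamAV Error: cli_tgzload: Can't load daily.ndb",
    "ERROR: Malformed database",
    "Diagnostic-Code: smtp; /var/spool/amavisd/clamd.sock (Can't connect to UNIX "
    "socket /var/spool/amavisd/clamd.sock: No such file or directory) at (eval 55) line 310.",
    "451-4.5.0 Error in processing, id=02792-02, virus_scan FAILED: virus_scan: "
    "ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED",
]

if __name__ == "__main__":
    for name, log in (("pre-EOL", PRE_EOL_LOG), ("post-EOL", POST_EOL_LOG)):
        counts = summarize(log)
        state = scanner_state(counts)
        print(name, dict(counts), state, mail_action(state))
```

Run against a real clamd or amavisd log, the same classifier turns the "outdated" warnings into an alert long before the "unusable" state appears, which is the gap the thread keeps circling back to.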
Be careful, though. Natalie Portman might pour hot grits on you.
Where do I sign up sir?
With a name like ClamAV, my bet would be the Scientologists.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Or maybe people should ... you know ... not apply updates directly to their production servers without testing them first ?
No, that would be too radical. Who ever heard of updates causing problems ? It would never happen.
morcego
First you complain when Microsoft releases an update that won't install on compromised systems because it would break them entirely.
Now ClamAV is put in a similar position. They have three choices due to the bug in 0.94:
1. Continue supporting 0.94, flood out their update servers with full updates since incrementals won't work with that version much longer.
2. Stop supporting 0.94, leaving users who don't know to update basically unprotected.
3. Send a clear message to users who haven't updated that their antivirus solution is now broken and they need to upgrade.
To me, 3 is the obvious choice. If this was a paid solution or if it cost a fucking dime to upgrade I might see a point to complaining, but to anyone who was still using 0.94 just man the fuck up, apt-get update, apt-get upgrade, and get on with it.
This is not like Microsoft disabling XP to get you to upgrade to Vista, this is more comparable to an aircraft with faulty parts being grounded by the FAA. Those using 0.94 were doomed to a broken solution one way or another, they could not continue using it and expect it to do its job, so they needed a kick in the ass to upgrade.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
If any of those examples were providing services where support ending means the thing is not doing its job anymore, you might have a point.
In this case, no more updates for 0.94 means 0.94 effectively does not work. There is nothing at all preventing any user from upgrading to the current version, so there's nothing wrong with forcing them to do so when the old solution is no longer working.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
A lot of server stuff in Linux works so well that you can even forget that it is running at all, for years. ClamAV is that kind of software: you install/configure it, set the automatic signature updates, and forget that it is there. But still, some periodic checks in the logs that everything is working as expected are good, even if it is just some artificial ignorance well applied, especially when ClamAV started warning about this months ago.
I totally agree. I was bitten by this on several servers. The sad part is that in some cases this is NOT really always our choice here.
Sometimes management or customers (in my case) CHOOSE to not allow me to spend the time or money to do more than the minimums. In this current economy, it's become a serious situation.
I really appreciate CLAM and the coders that support and maintain it. It is their prerogative to make the call. I just wish they would have done it differently. If a closed-vendor did this (see the examples in the parent post), there would be geek-riots in the street.
I was lucky - I had been planning this move for awhile, so I had everything happy rather quickly.
Now, on another note - if the maintainers had pushed an announcement of the result of this plan to Slashdot, Digg, etc. maybe there would be less howling. I have to maintain MANY different Open Source products; no matter how hard I try, I can't keep track of each of them through web pages and announce lists.
-- I really need to bleed off some of this
Or maybe people should ... you know ... not apply updates directly to their production servers without testing them first ?
No, that would be too radical. Who ever heard of updates causing problems ? It would never happen.
Tell me, do you sandbox a full environment and test every virus signature update prior to rolling it out?
If so, what is the length of your pre-deployment testing cycle? How many people are dedicated to your test team, and how do you justify their salaries?
(Not trying to be a dick, I'm genuinely curious if anyone goes to this level of overkill, and how they manage to get it approved. I had to fight uphill both ways in the snow to get a dev environment built...)
/~mikeg
"ClamAV forced upgrade breaks email servers" should read "Failure to upgrade despite six months warning breaks email servers" or "Inattentive server admins cause massive downtime".
The problem here is that once support services end, they stop writing new signatures for the old version of ClamAV. If an administrator has been ignoring (or has been unaware of) the impending end-of-life of ClamAV for the past 6 months, they are going to remain unaware of the problem basically forever.
There are four ways to handle this:
1. Contact all of your users. How?? Those who have subscribed to the updates list already know. You don't have to register to have ClamAV, so for most of the rest they won't have an email address.
2. Make the software tell the user it is about to expire. How?? There isn't a communications process written into ClamAV that can send a signal up to the GUI and most people don't monitor every line of their syslogs.
3. Just shut down the update server so you won't offer the users signature updates any more. Users will continue along for long periods of time with increasingly outdated antivirus definitions. This is a really, really bad idea.
4. Give people ample warning over as many channels as you can, then break it so people notice that something is wrong.
#4 is not ideal. But it's the best of the options.
Personally, I have ClamAV on all of my machines, but it's the Ubuntu/Mint supported version out of the repositories, so it gets updated. I think ClamAV would be well-served putting up Debian and RPM repositories and making people install the software using the repos, and not offering it for direct download any more.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
Anti-Virus updates are considered priorities here.
It is tested on a server; if it works well we update production. It takes less than 15 min of my time.
Menzoberranzan Networks
You're missing the fundamental issue. Upgrading to .95 _was_ the minimum requirement. You should have gone to your clients and said "This work needs to be performed to keep your AntiVirus current for your email server.".
This is the best Slashdot post I've read all week.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Exactly!
Anyways, the e-mail telling them the thing will break has been sent many times.
Menzoberranzan Networks
From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, make sure to comment out any crontab entries for freshclam.
<SARCASM>
Mmhmm, yes. I agree 1000%. Don't update your virus signatures. Because ya know, new viruses don't get created very often. You can run with signatures over a year old and still have great protection!
</SARCASM>
Or do what they should do... include a method for automatically applying version updates.
Or force auto version update instead of disabling.
<SARCASM>
Yes, because distributing software for several versions of Free/Net/OpenBSD, each Linux distribution, Windows, Solaris, AIX, HP-UX, etc. is totally feasible for a free project.
It's not like they would have to fund the time, equipment and distribution bandwidth for that, or have to deal with irate admins screaming about how ClamAV breaks their change control policies by automatically installing binaries on production servers.
And software with automatic updates never ships an update that bricks production servers (*cough*Exchange*cough*), so this is a perfect solution.
</SARCASM>
Sometimes I really wonder what happened to the Slashdot crowd's common sense.
/~mikeg
This is why you rely on package management software. There are actual maintainers out there who keep up-to-date on issues like this, that affect their packages.
For instance, if you're running any version of Ubuntu, you are on v0.95.3 or v0.96 right now, so you would not have even known about this EOL had it not been on slashdot. Every time you log into Ubuntu, it will warn you if you need to do some updates.
If you are not a professional system administrator (neither am I, by the way, so I feel for you), you should not bother trying to subscribe to all of the mailing lists for all of the packages you use. You should instead rely on the hard, thankless work put in by the package maintainers to keep you out of trouble.
Make sure you do the security updates for your distro of choice. Choose a stable release of your distro if you don't enjoy constant upgrades.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
I guess it all boils down to "which is worse":
1. A broken security tool that is obviously broken, or
2. A half-broken security tool that looks like it's working OK?
Umm, I'll take #1 for priceless security, Alex.
As soon as ClamAV stops sending out freshclam for a version, that version should fail. As spectacularly and noisily as possible. It should scream of its obsolescence from the rooftops, and prevent any service depending on it from doing jack schitt until it gets fixed.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
You really should use the volatile repository. It provides updated versions of packages that are required to change (like antivirus), compiled for stable. You end up with stable + required updates.
I woke up this morning to urgent "my site is down" calls from clients on one of my old servers. It turns out that ClamAV was trying to update itself. It would download the update, fail to update, then download again and again until it filled up the hard drive. We don't even do email on this particular server, so it must have gotten turned on months/years ago and then never noticed. We've disabled it, but it was kind of an annoying way to be woken up.
Heh, good ol' Seinfeld :)
Uh, Linux geek since 1999.
If you use a system that has aptitude, then it might be worth it to routinely (at least monthly?) run the following:
sudo aptitude update
sudo aptitude safe-upgrade
You'll get a lot of security updates, if they are out there, which is a good thing!
(your mileage may vary)
Uh, Linux geek since 1999.
I'd likely be modded down by open source zealots, but using ClamAV to solely protect Windows PCs from malware spread by e-mail is insane. ClamAV has one of the lowest malware detection rates compared to commercial AV solutions. I tested my own sample of around 140 new viruses found on different Windows PCs during the last six months and ClamAV could detect only 70 of them. That's ridiculous ... and fearful, to say the least.
Wow. How is that modded Troll?
For people in the real world who use servers as tools to get work done, one year is a very short time in the life of software.
Actually, I would argue the other way. Not, why are you running year old software? But rather, why are you running a version less than a year old?
I need software to get things done, not to serve as beta tester for the vendor.
Sir, you're no Mel Gibson...
ELOI, ELOI, LAMA SABACHTHANI!?
apparently you dropped the vendor of your spellchecker.
this was not standard operating procedure, this was a unique situation that required a unique solution. the clamav team made the choice that they felt was best. given the facts as I understand them, I agree with their decision.
if your IT department cannot be bothered to read the announcements for the software they use, or even to review your own server logs, then you should certainly not be using open source software. just pay someone to do this type of thing for you, as many companies do. FOSS is not for you.
-Lod
SUPPORT WILL END does not imply killing instances in production.
Indeed.
It's the kind of arrogance that I'd expect more from a Microsoft or an Apple than any opensource 'vendor'.
In the free world the media isn't government run; the government is media run.
Actually, #2 happened. The software was informed, six months ago, and was constantly writing messages in the log file.
If corporations are people, aren't stockholders guilty of slavery?
Because nobody PAID for support?
I assume, then, that I can look at any vulnerability for the past three years and be confident of exploiting it on your systems, because you won't have upgraded past that.
When security software has bugs, responsible vendors update it as soon as they safely can, and that appears to be what ClamAV did. However, not only did they not have signed service contracts, they didn't have email addresses, so they tried communicating in every way they could, for six months, that there was a serious problem with an older version. They weren't charging for the update.
If you can't keep yourself informed about your security software, and when it has problems and needs to be updated, well, your organization deserves what it gets, but lots of other people (like your customers and botnet victims) don't.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Here is what they should have done, to wake up all the system administrators who didn't happen to notice the announcements: Gradually wean people off the old version by shutting down the ClamAV server for an hour, then six hours, then a day, then three days, and finally shut it down permanently. At the end of that process I guarantee you there would be almost zero affected systems left to break after the permanent shutdown deadline. The better admins and bigger systems will notice the problem immediately during the short shutdowns and have plenty of time to upgrade. The systems that are still vulnerable after the entire weaning process need to be broken anyway so that someone will finally pay attention and fix them.
Shutting it down permanently, even after making "announcements" for a few months will never allow every single user of any product sufficient time to notice that something is about to happen. It's a simple fact of life, not every system admin is a computer expert, not every admin knows what the last admin did or is subscribed to the same mailing lists or visits the same technical websites. Stopping an external service like that on a temporary and gradually increasing basis would allow almost 100% of the end users to finally figure out or do the research to realize what was happening and upgrade their systems in time for the final permanent shutdown.
Things like this always remind me of the Hitchhiker's Guide where they posted the "announcement" that the Earth would be destroyed, giving everyone on Earth plenty of time to leave. Unfortunately the announcement was posted in an office on the home planet of the aliens who came through and destroyed the Earth, so no one on Earth ever saw it, and it was only posted for like 30 days anyway. People always have this weird idea that just because something is "announced" to a specific community that is paying attention it means that everyone else will magically know you made an announcement, but that isn't how the real world works. People also have this weird idea that not knowing everything about everything in the technical universe is somehow the same as being incompetent. The world is not perfect. Upgrade procedures and policies for any external software service must acknowledge this or suffer the wrath of the 90% of the system admin community who are NOT God-like in their omniscience.
No, they delivered a virus patterns update containing a rule to prevent the scanner from running at all.
If they just modified their servers to refuse to deliver updates to the old version of the software, it would not be a front page news item.
we would drop said vendor immediately
So if the vendor promised to you that they'd continue to support a 6-month-old buggy version that was incapable of downloading new virus signatures, you'd be glad to run that version for 5+ years without updating?
How's that McAfee '05 doing for you?
If I have been able to see further than others, it is because I bought a pair of binoculars.
Totally my own damned fault for not staying upgraded.
Do you enjoy whipping yourself too???
You had working but out of date anti-virus. That's bad, but not as bad as no anti-virus at all, and arguably not as bad as disruption of your business and no functionality. Yet you choose to blame yourself? What about the schmuck who has an out of date piece of software that doesn't play nice with a later version? Providing free software does not mean you get to fuck with my business! What is the point of having antivirus software anyway? It is to prevent disruptions to your business by viruses? The trade off for slowing down your system with antivirus scanning is supposed to be reduced risk and disruption for your business.
It is your fault. Your fault not just for failing to update your antivirus, but for being so accepting of this from an antivirus company. Security types seem to have lost their mind and lost their ability to reason lately.
These posts express my own personal views, not those of my employer
Where does Microsoft enter into a discussion about an open source antivirus running on Linux based servers?
Don't take life so seriously. No one makes it out alive.
I understand the ClamAV team's motivation, but hitting a kill switch on software that is only a year old is extremely rude. Had a proprietary vendor done it, /. posters would have been up in arms.
We have many customers running ClamAV. We managed to upgrade almost all of them before the kill switch, and the rest (the ones we were unable to contact) we got within hours after the kill switch.
However, I'm now being forced into the ironic position of having to recommend non-open-source software over open-source software. Here's why: Some of our clients specify that we're not allowed to provide software with a built-in "kill switch". We know ClamAV has such a switch, so we may be disqualified from using it. (Sure, proprietary software may have a similar switch, but we don't know for a fact it does... unlike ClamAV.)
All in all, Sourcefire handled this very badly, IMO. They could have done it much more gracefully.
I assume, then, that I can look at any vulnerability for the past three years and be confident of exploiting it on your systems, because you won't have upgraded past that.
Support. This word doesn't mean what you think it means.
True, though the only communications medium open to them (throwing exceptions to syslog) is obviously ignored by many ClamAV users. Those who were paying attention went to the URL and did the upgrade.
Those who did not were about to get a nonfunctional copy of Clam (no more updates, and AV is worse than useless without recent updates - it gives you a false sense of security which is far more dangerous than a real sense of fear). So you might as well kill it off with some fanfare so people who don't monitor their syslogs notice something is wrong.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
It would be nice if package managers integrated this for the sysadmin. Maybe the output of chkconfig could be consulted.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You've entirely missed that having decent rules to deal with attachments solves 99% of the virus problem. These days email server antivirus scans are to catch a virus hidden inside a zip file. If it's a directly executable attachment it should be blocked to save MS Outlook users from it, and of course the scanners look at the file type instead of trusting what the file name says it is.
On a web proxy it would be a far bigger deal but most web traffic isn't virus scanned yet.
Back to addressing the rant, as others have said clamav has the error message "LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***", along with a few other lines.
As for the open/closed argument I had a very similar problem with a commercial antivirus program that made a lot of changes which stopped it running on my mail server - that's why I started running clamav in the first place to cover the gap. Now I run both.
If you had joined their announce mailing list you would have known about this issue 4 times over the last six months.
Once recently I had to call a guy in NOC to tell him all our people were getting warnings from Thunderbird that an email about to be sent contained a virus attached in a PDF. When he looked into it (he had just gotten home to his terminal as he talked to me on his mobile) he started doing stuff. He started getting me to test mail.example1.com, then mail.example2.com ...etc., the three servers that handle mail in our company. In the end, he just said 'fuck it' and disabled it completely.
This can also cause DansGuardian to break if you use ClamAV on your web proxy. As others have said, for Debian, etc. the fix is in the volatile repos. Ubuntu 8.04 LTS on the other hand...
To be fair, the ClamAV authors have been pushing the upgrade for months...
--
Ubuntu: An African word meaning "Crippled Debian".
no more updates for 0.94 means 0.94 effectively does not work.
No, if someone sent me an email containing an old virus, it would still protect against that using the last updates it ever got. When they sent the kill switch, they did one of two things: prevented email from working (apparently a default setting for a lot of those affected), or allowed all viruses through (clamav no worky, but email chugs away). While option 1 is safer than allowing clamav to run, option 2 is decidedly less safe.
So if the vendor promised to you that they'd continue to support a 6-month-old buggy version that was incapable of downloading new virus signatures, you'd be glad to run that version for 5+ years without updating?
How's that McAfee '05 doing for you?
I haven't gotten a file flagged as infected in years!
--
Buy Viagra Cheap!
Zeus, for all your botnet needs.
Read the story.
TFA is unclear.
Just go to the primary source (and note that the warning dates back from october 2009)
They didn't just disable new updates. They disabled the Antivirus engine altogether.
There isn't such a thing as the ability to remotely disable the engine. There's no such thing as a built-in remote kill switch.
Simply: up to .94, ClamAV can't have signatures much longer than 900-something bytes in an incremental update.
Up until now, they haven't needed such long and complex signatures yet.
But now they need to be able to ship such signatures (they enable more complex detection algorithms).
Thus 2010-04-15's update contains a longer signature.
If you don't update the signatures and use an older file or pull the whole signature file instead of the incremental backup, the outdated ClamAV will still work.
If you update, the signatures will cause ClamAv to output an error message.
That's all of it.
Given that:
- .94 is two generations old (current is not .95, but .96)
- the warnings date back to October (ample time for admins to react)
- they always insist (and even display warning messages from ClamAV itself) that the best protection is to always use the latest ClamAV version
- they need the ability to do longer-than-900 signatures soon, it's important for complex detections
- non-incremental updates are not an option due to the excessive stress they would put onto the mirror servers
...their action doesn't seem illogical.
The alternative would be to keep refraining from using the long signatures, although they are needed for complex detections. On the grounds that there are still a couple of admins still using .94 despite all of the above.
Or start distributing long signatures in full signature files and kill their mirror servers.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I work at Sourcefire (however I do not work directly with ClamAV) and I believe their action is justified. Why should Sourcefire have to lend its name to an inferior product that is superseded by a year of development efforts?
Sure, support means what I think it does. It means answering questions, providing bugfixes, updating information, and when necessary providing upgrades.
In this case, ClamAV may well have made a mistake. The options were to hush it up or to admit it. If you deal with a vendor that has never admitted making a bad decision early in a project, you may want to wonder why that is.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes