The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    A Revised Guide to AntiVirus Software

    Discussion in 'Security and Anti-Virus Software' started by Omneus, Mar 24, 2008.

  1. Omneus

    Omneus Notebook Geek

    A Revised Guide to Antivirus Software
    By omneus
    Last updated: March 24 2008

    *This is an expanded version of the previously posted guide http://forum.notebookreview.com/showthread.php?t=61129*

    Table of Contents

    Introduction
    How They Work
    Usage
    Free vs. Paid
    Single Scanner vs. Multiple Scanners
    Alternative Strategies
    Overview of Software
    Review of Software
    Selecting your Scanner
    Good Sources

    Introduction

    Nowadays, viruses are everywhere. Without proper antivirus software, you are bound to get your system infected and run into lots of problems later. AV software is preventative. It is intended to be installed on a clean system, and to be used to prevent an infection from occurring later. Most good scanners will find and clean most viruses, but expecting a scanner to miraculously find and cure every infected file is somewhat unrealistic. As most would recommend, common sense and safe-usage habits will help to minimize/prevent most problems that could happen, but nevertheless some sort of security system should exist so that, if the worst-case scenario occurs, some sort of defence is present.

    How They Work

    AV software uses a combination of two separate systems to detect viruses: either a signature-based detection system, or a heuristic-based system. In a signature-based scanner, whenever a new virus is found, the AV company analyzes it and creates a signature. The scanner detects a virus by matching it to the signature. Theoretically, as long as the scanner is up to date, it should be able to detect anything. The reality, however, is that very few companies update often enough to keep up with the release of new viruses, and many of the more difficult-to-detect/encrypted viruses end up slipping through the cracks. Due to this, heuristic systems were created. Heuristic systems identify viruses based on behaviour rather than signatures. If a virus tries to corrupt a file, for instance, the scanner will detect the action, recognize the virus, and neutralize it. The weakness in this system is that some viruses perform difficult-to-identify actions. For instance, backdoor viruses could theoretically remain dormant within a computer for a long time before the scanner ever finds them. The advantage of a heuristic system is that it can be used to detect newer threats even without updating, since it scans for behaviour and not signatures. Most scanners use a combination of both methods. Some are better heuristically, while others have more signatures.

    Usage

    There are two ways to use AV software. You can use it for real-time protection, and rely on it to stop threats as they are happening. Or you can manually scan your computer with it, and use it to clean whatever problems you have at the time (on-demand). Due to various reasons, such as resource consumption, scanning speed, and software conflicts, most software is better suited for one or the other of these functions for a particular user. Some scanners are problematic real-time, but are perfect on-demand. Others are fine real-time, but aren’t really very effective for on-demand. Generally, people should use at least two different scanners: one scanner for real-time, and a different one for on-demand scanning.

    Free vs. Paid

    There have always been questions relating to what product to use: "should I pay $50 for this, or should I use this free one instead?" Every user uses their computer differently. Some people have lots of vital information on it and can’t afford to get a virus. Others use their computer casually, and even if they get infected, it isn’t a total catastrophe. Many security experts would tell you that you would be far better off paying money and buying professional AV products. What they fail to mention is that most users don’t actually need to have industrial-strength protection. Good paid products are usually better than good free products. If you buy Kaspersky, for instance, you will probably be better off than the person who uses AVG. But you should only buy Kaspersky if you need it, either because of how valuable your computer’s information is, or for peace of mind. Paid products are better than free products, but you should only buy them after determining if you need them, and by trying their free trials afterward. Free products have also made significant advancements in the last few years, and these days are equal to or better than most paid products.

    Single AV Scanner vs. Multiple AV Scanners

    A common misconception is that you can only use one antivirus product. Using multiple scanners is dangerous, since they could conflict and create unnecessary problems. However, most of those conflicts either occur openly, and can be identified and resolved, or don’t occur at all. Generally, when you try to use an incompatible AV product, it will either tell you during the installation to get rid of the other product, pop up with an error message because the other product is incompatible, disable a module due to a conflict, or crash the computer. Rarely will a scanner ever appear to work fine when actually it isn’t. Although most people don’t really advise it, having multiple scanners will increase detection rates, and can be much better overall. The purpose of an AV product is to detect viruses and to protect you from them. No single product is perfect and will fulfill this function 100% of the time. By having a second product, you have significantly increased your security, because even if a virus evades your first scanner, the odds of it evading two different scanners are low. In the case of multiple scanners, all scanners also don’t have to be used simultaneously. One scanner could be active for real-time protection while the other is used on-demand, and in this case there should be minimal performance loss or conflict. Also, in the event that using multiple scanners doesn’t work, there are also online scanners which can help to fulfill the same function as the second scanner. Having a multi-layered defence is far more effective than having only one form of detection.

    Alternative Strategies

    Other than using antivirus software, there are several other ways you can protect yourself. First of all, use discretion and common sense. Not every advertisement saying your computer is infected is real, and if a website or download looks suspicious, don’t just view/download it anyway. You can’t get infected if you don’t do anything that exposes you to infections. Secondly, most viruses get into your computer through the internet. Microsoft’s Internet Explorer 6 is partly to blame, since it is full of security flaws/weaknesses and is highly vulnerable by design. Switching to a more secure internet browser could help reduce the infections that occur as well. Mozilla’s Firefox and Opera are the best alternative browsers currently available. There are also other types of security-related products that can protect against viruses other than virus scanners: Intrusion Prevention/Detection Systems (IPS/IDS, HIPS), using virtual machines/sandboxes, using generic heuristic detection systems, etc. In the event that having AV scanners isn’t enough, it could be worthwhile to look into such alternative products as well. AV products are the best at stopping viruses, but if you continue to suffer problems even with them, then supplementing your defences with an HIPS program may fix the problem.


    Overview of Software

    Rather than being forced to read the entire review of the software to find out which is better, I decided to summarize the information. For more information, either read the review or reply to the thread. The ‘best paid’ products are Kaspersky, NOD32, BitDefender, or Symantec’s Norton. The best ‘free’ products are Avast, AVG, and Avira’s AntiVir. You should avoid using McAfee, PC-Cillin, ClamAV, or more obscurely tested products, and should not rely on AV products bundled with internet security suites, ISPs, etc. to be your primary defence.

    Review of Software

    The products I analyzed are Avira’s AntiVir, G-Data’s AVK, Alwil’s Avast, Grisoft’s AVG, Softwin’s BitDefender, F-Secure, Kaspersky AV, McAfee VirusScan, Eset’s NOD32 (now ESS), and Symantec’s Norton AV. For all of these products (except AVK and F-Secure), I downloaded and tested the resource consumption, ease-of-use, and presence of conflicts in the free trials/full version of the software. I used the testing done at http://www.AV-Comparatives.org to determine detection capabilities, and looked through various support forums to help determine which products are better also. Theoretically, you could use any of this software and be somewhat successful, but many of the more common products are actually much worse comparatively than what they would care to admit. Also, it should be noted that the products were evaluated solely for their AV skill, not their ability to act as firewalls or to detect spyware.

    The Freebies – Alwil’s Avast, Grisoft’s AVG, and Avira’s AntiVir are the scanners that I refer to as the “freebies”, since their products can be obtained for free. It should also be noted that all three of these scanners are signature-based, and their heuristics are either weak or prone to false positives. AVG, although a popular scanner, is the weakest of the three. It has weaker detection rates than both Avast and Avira, and has nothing that makes it exceptionally good in any area. Avast is really only slightly better than AVG, but enough so that it is probably a better choice. Avira is massively better than either of these other products as far as detection rates, and is actually competitive with most paid products. But it can be more resource-consuming, and is probably more suitable for on-demand scanning than real-time usage. For a casual user, using Avast/AVG real-time and Avira on-demand would be the best set-up. Preference would influence whether Avast is better than AVG, but testing has proven that Avira beats them both in detection.

    The Giants – Many years ago, when we were all still using Windows 95 or 98, the virus scanners most people used were Norton AV, McAfee AV, or Trend Micro PC-Cillin. All of these products, over the years, have built up a decent crowd of people who like other products better. All of them are noted for resource consumption, slow scanning speed, conflicts, a bad UI, or for being irritating to uninstall. McAfee and PC-Cillin both have above average signature-based detection rates, but nothing that is really impressive. Norton, although among the best in detection rates there is, has fairly crappy heuristics, and is the most hated of the three. It should be noted however that significant changes have occurred in the latest versions, and while it remains seldom recommended over competitors (due to bad reputation), it has definitely made noticeable strides. Overall, chances are there wouldn’t be any major virus-related problem if you use any of these products, but it would be highly recommended to simply find an alternative to any of these products.

    The Elite – The best ‘professional’ products on the market are Kaspersky AV, NOD32, or BitDefender. All have excellent detection rates, and are excellent on-demand or real-time. Kaspersky is considered unofficially to be the most accurate scanner. Unlike NOD32, which uses primarily heuristics, KAV uses a combination of heuristics and signatures to catch a higher amount of threats than any normally would. NOD32 has the most powerful heuristic engine on the market, and is the lightest, most efficient scanner of any that are being compared. However, the current NOD32 product has been upgraded by Eset into ESS (Eset Smart Security), which includes both the NOD32 AV as well as a new firewall module. In this new upgrade, much of the advantage over other products (small size, efficiency, and low resource consumption) has to an extent been reduced, and unless you experience no issues with ESS, it is difficult to easily recommend. BitDefender is the heaviest of these three on resource consumption, but makes up for it by responding to an infection the fastest. It is generally also weaker than these in detection capabilities, but is a valid choice if you do not prefer KAV or ESS. Any of these products would offer excellent protection, and it is really mostly preference that determines which is considered better, since they are all excellent programs.

    The Multi-Engines – F-Secure, G-Data AVK, and several other products are known as multi-engine products. Rather than using a single virus-scanning engine like most products, these scanners incorporate multiple separate engines together to improve protection. G-Data uses the BitDefender and Kaspersky engines, and F-Secure uses 4-5 relatively obscure engines. Both of these scanners have some of the best detection rates there are, but both have flaws. Multi-engine scanners usually use more resources than regular scanners. They are more likely to experience conflicts or problems, and, in AVK’s case, are not really all that well documented or supported. However, the most effective defence against a virus threat is a multi-layered one. Multi-engine products are like pre-built multi-layered defence systems. Multi-engine scanners should be used with discretion; if you have them, it’s fine, but if you want something else, it’s also fine. It is also worth mentioning that Trustport AV (which uses AVG, Ewido, Dr. Web, Norman, and VBA32) is also a viable product and has become among the most accurate multi-engine products on the market.

    Bundled Products – Nowadays, lots of other companies are offering their own AV scanners as part of security suites: ZoneAlarm AV, Panda, etc. For the most part, the best AV products are developed by AV companies and labs. Although products like Panda aren’t necessarily bad, they won’t usually stack up against any of the better free/paid products. When you buy a suite, it usually contains only a few actually good, worth-paying-for features. Many of the other features, although useful, are actually not that good when compared to other more-specialized products. If you want an AV scanner, buy an AV scanner; don’t use an AV scanner that is given free from an ISP, or bundled with a random security suite.

    Selecting your Scanner

    Many of the scanners are considered better simply because they are easy to use, or because of low resource consumption. But for selecting any AV software, the primary factor should always be detection rates. If a scanner can’t detect threats, what’s the point in using it? As far as testing is concerned, most tests that magazines, reviewers, or even virus labs use to assess virus detection ability are in themselves flawed, and are really a crappy indication of how good the software is. They usually have too few virus samples to be very accurate, and put too much emphasis on appearance instead of results. Other factors, like how easy the software is to use, or how fast it is, should also be taken into consideration, but basically almost any of these products could fit the criteria. If you want to pick an AV product, the best thing to do would be to download the free trial, see if you like it, and use/buy it if you do. Products like Kaspersky can be much better overall than AVG or Avast, but the majority of users use AVG or Avast anyway since they’re free. Hopefully, by reading this guide, you will have a better understanding of AV software.

    Good Sources

    http://www.av-comparatives.org - an independent AV testing lab with links to articles/tests
    http://esac.kaspersky.fr/index.php?PageID=9 - Evaluating AV tests/reviews

    Security-Related Support Forums
    http://www.wilderssecurity.com/
    http://gladiator-antivirus.com/forum/
    http://www.castlecops.com/forums.html

    Online AV Scanners
    http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/products/activescan
    http://www.bitdefender.com/scan8/ie.html
    http://www.kaspersky.com/virusscanner
    http://support.f-secure.com/enu/home/ols.shtml

    Thanks for Reading! :)
     
    Last edited by a moderator: May 8, 2015
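A worked illustration of the two points the guide makes in How They Work and in Single AV Scanner vs. Multiple AV Scanners: a signature match misses a variant whose bytes have changed, a behaviour heuristic catches it but misses a dormant sample, and taking the verdict of both checks detects more than either alone. This is an added example, not code from the guide or from any product it reviews; the signature patterns, behaviour weights, threshold and samples are all constructed for illustration.

```python
"""Toy signature scanner, behaviour heuristic, and layered verdict.
Everything here is constructed for illustration; no real signatures or samples."""
from dataclasses import dataclass, field

# Constructed signature database: detection name -> byte pattern an analyst extracted.
SIGNATURES = {
    "Demo.Dropper.A": b"DROP-PAYLOAD-v1",
    "Demo.Worm.B": b"NET-SPREAD-MARK",
}

# Behaviours a real-time monitor or sandbox might report, with a constructed weight each.
# Any single one also occurs in benign software; the combination is what matters.
BEHAVIOUR_WEIGHTS = {
    "writes_to_startup_folder": 2,
    "modifies_hosts_file": 3,
    "disables_security_service": 4,
    "rewrites_many_user_files": 3,
    "creates_temp_file": 0,
}
HEURISTIC_THRESHOLD = 5  # constructed: score at or above this is flagged


@dataclass
class Sample:
    name: str
    content: bytes                      # bytes on disk (what a signature scan sees)
    behaviours: list = field(default_factory=list)  # actions observed at run time


def signature_scan(sample):
    """Return the signature name if any known pattern is present in the bytes, else None."""
    for sig_name, pattern in SIGNATURES.items():
        if pattern in sample.content:
            return sig_name
    return None


def heuristic_scan(sample):
    """Score the observed behaviours; return (score, flagged)."""
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in sample.behaviours)
    return score, score >= HEURISTIC_THRESHOLD


def layered_verdict(sample):
    """Combine both checks the way the guide's two-scanner set-up does: either one detecting counts."""
    sig = signature_scan(sample)
    score, flagged = heuristic_scan(sample)
    return {"signature": sig, "heuristic_score": score, "detected": sig is not None or flagged}


# Constructed samples. "variant" has the same behaviour as "known" but different bytes,
# standing in for the repacked/encrypted variants the guide says slip past signatures.
# "dormant" does nothing suspicious yet, which is the heuristic weakness the guide notes.
SAMPLES = [
    Sample("known", b"...DROP-PAYLOAD-v1...", ["writes_to_startup_folder", "disables_security_service"]),
    Sample("variant", b"...xK9$zq#Lm2...", ["writes_to_startup_folder", "disables_security_service"]),
    Sample("dormant", b"...sleep-and-wait...", ["creates_temp_file"]),
    Sample("benign", b"hello world", ["creates_temp_file", "writes_to_startup_folder"]),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.name, layered_verdict(s))
```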
  2. Omneus

    Omneus Notebook Geek

    If anyone has any feedback/criticism or finds any mistakes in this guide, please feel free to post. Most of the info was in the previous guide and simply reorganized, so if it is now incorrect, please reply.
     
  3. Gintoki

    Gintoki Notebook Prophet

    Could you make one for firewalls too? I currently use Comodo Pro Firewall and I want to know if there is anything better, even if I have to pay, and a firewall guide would help me greatly.
     
  4. THAANSA3

    THAANSA3 Exit Stage Left

    I second that IMMENSELY. I thought I was good with my firewall setup, but I would actually like to know more and to see if there are better alternatives out there.
     
  5. captainpoch

    captainpoch Notebook Enthusiast

    First of all: great guide! Nice intro for all the newbies ;)

    I would like to add something about the G-Data one from personal experience.
    In the company I work at we are having major problems with it; there have been several false positives. The usage of the recommended engines was so unfeasible, since it took older machines (1 GHz, 512 MB RAM) ages (up to 10 min) to boot at certain times...
    Mind you, this is a business product, but working with those machines turned out to be a real pain when the scanner is doing whatever it is doing ;-) Even cutting down to using one engine didn't do all that much...

    The management server doesn't seem to like Windows Server 2003 either, so I guess to sum it up... I have seen a great hype about this product but was pretty disappointed seeing it in action...
     
  6. Omneus

    Omneus Notebook Geek

    As far as organization goes, I basically copied what I had written in the previous guide, so since at that time it wasn't considered 'elite' it currently isn't in that section. Most Avira users use the free version, and the free version is identical in AV detection to the paid version and only worse as far as supporting miscellaneous features and detecting spyware/other malware, which Avira in general isn't that great at anyway. While it is a great free product, I think it is fine to keep it in the 'freebie' section since the main usage of it is as a freebie anyway. As far as detection it is definitely elite nowadays, but since it is free I think that deserves precedence. There are plenty of people that would argue their AV is 'elite,' but only a handful that can claim their product is viable AND free. Also, "evaluated for their AV skill, not for firewall or AS abilities" refers mainly to AV-Comparatives testing using only viruses in their testing, not spyware, as well as not evaluating any other components.

    AVG Anti-Spyware is actually a product that was developed by Ewido as an anti-trojan product. When Grisoft bought Ewido they re-released and renamed Ewido as AVG Anti-Spyware. Although the name is AVG Anti-Spyware, it does have reasonable protection against viruses (although less than the regular AVG AV), and it was tested with AVG AV because it does add anti-virus protection that the regular AV misses.

    @captainpoch sorry about your experiences with GData. TrustPort or F-Secure might work better for business purposes than GData if you're in the market :). The price you usually pay for high detection is higher false positives, although some products (like ESS) have shown this can be false. I'm sure in theory GData is awesome, but sadly I haven't really heard much positive feedback with them.

    The reason I didn't write a firewall guide originally is because I don't have much expertise with firewalls. Leak-testing and port-scanning are the only forms of testing widely available; however, neither is overly effective in testing the abilities of firewalls. I've used ZoneAlarm, Comodo, Online Armor and Jetico long enough to make a review; however, unless you actually experience any problems (like slower internet speeds, bugs, intrusive popups) any would probably be sufficient. If a hacker wanted to access your computer, having a firewall would be a barrier, but most modern firewalls in general are usually sufficient in this capacity and widespread hacking is uncommon anyway. In day-to-day usage, I've found that safer web browsing (like preferring HTTPS over HTTP if there's a choice), using a VPN or proxy (if speed isn't an issue), or even using TOR (for anonymity) to be reasonably effective against the more conventional forms of attack (like intercepting cookies/transmitted data or monitoring traffic).
     
  7. captainpoch

    captainpoch Notebook Enthusiast

    Thanks for the input and the compassion ;) I'll forward this to our rather stubborn admin, who is freakin' out because of all the complaints after installing... :eek:
     
  8. THAANSA3

    THAANSA3 Exit Stage Left

    Overall, Kaspersky and NOD32 are still leading the industry. I've heard a lot of good things about Avira, though.

    Also, McAfee is rarely mentioned when talking AV software, but I was wondering how good or bad it is. The reason why I'm curious is because our cable company offers it free for the life of a high-speed subscription, so does that make it a better alternative to the other "big dawg" software companies (Kaspersky, NOD32, Norton, etc.)?