
2 Real time AV's-- Yes or No? (I say NO)


14 replies to this topic

#1 Union_Thug


Posted 16 January 2011 - 05:43 PM

On a political discussion board I sometimes frequent someone posted in their Computer help forum (a pretty good one, for a political forum) this topic:

Running AVAST and Microsoft Security Essentials together.
So far no conflict. Any negatives to doing this you think?


Now I'm well aware that many Security Pros will STRONGLY advise against running two AV's because "they conflict... degrade performance...use vast resources...cause system instability... will slow your computer to a crawl....cause system conflicts and instability.... etc, etc"---but very few of these respected & highly credentialed individuals offer little more than "because I'm an MVP & I say so" as a reason WHY all those things MAY (or may not?) occur. Then there's the UN-credentialed opinionated A**HOLES arguing on both sides with little more than "Because I'm smarter than you & I said so" arguments.

I spent a few hours today Googling the subject, and after reading through hundreds of topics on about a dozen sites I came across this post on the CNET forum which offers a very sound & easy to understand argument against running 2 AV's:

Reply # 29 by GoodTimeCharlie @ http://forums.cnet.com/7723-6132_102-309240.html

One needs to keep in mind the difference between products. Generally:

1. Firewall products monitor communications ports ... They must run at (are hooked into) the operating system level.

2. Anti-Virus products monitor a lot of things: File reads/writes, Software installs, E-Mail activity/attachments, Registry changes, Some network activity, Browser add-on install attempts, etc ... To provide 'real-time' protection they must also run at (hooked into) the operating system level, however they do not need to do so just to do an 'on-demand' scan of your system.

3. Anti-Spyware/Anti-Adware tend to look for attempts to access or execute known 'bad' program files, etc ... they are almost always run on-demand thus you may have multiple products installed as they will be self-contained in their own directory (not in the operating systems directory); however, some products offer real-time protection (IE: SpyBot S & D "TeaTimer") and the 'real-time' functions must be run at (hooked into) the OS also.

Each of these toolsets may 'modify' specific parts of the operating system by replacing the operating systems default program with their own (ie: inserting the 'hook') ... I say MAY because obviously a product designed to be manually fired up from an on-line site or the local C: drive usually does not modify the OS, but those products that 'run in the background' (ie: are started when you boot the PC) typically do hook into OS files.

Given this:
4) If you install multiple products that are designed to 'stay within their world' (ie: a firewall product that does not include a built in anti-virus tool and an anti-virus tool that does not include a firewall) you will be OK; however,
5) if you install multiple products that: a) hook into the OS, and b) overlap in function (ie: 2 anti-virus checkers) they may overlay each others 'hooks' in the OS and you may not be OK.
6) keep in mind that every product installed will also modify the system registry (often used by the OS to find the program to be executed for a specific function), reconfiguring it to 'point' to that products executables when a certain condition occurs (ie: an 'open .exe file') ... thus the 'registry hooks' can also be reconfigured multiple times.

Additionally, should you install 2 anti-virus products, when you uninstall one of them, you may really be left with a mix of program files & registry entries that may trash your system effectively.

Note: due to anti-trust laws, etc., the Microsoft defender/firewall tools can 'exist' with other products; however, you should configure your system to have the Microsoft products disabled or you may run into problems and/or have horrible response issues.

I say this based upon working over 40 years as an IT specialist.

Goodtime Charlie, VA


I'd like to hear from you bleepers on this subject

Thanks
"Thuggie"

#2 Blade


Posted 16 January 2011 - 05:47 PM

Hello.

As you mentioned. . . the answer is NO!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false positives". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Positives: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.


If you have any specific questions about this I'd be happy to try and answer them.

Edited by Blade Zephon, 16 January 2011 - 05:48 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Budapest


Posted 16 January 2011 - 05:59 PM

There are those that believe it is okay to have more than one AV on a computer as long as only one program is active. Then there are those that disagree and feel strongly that even the presence of a 2nd AV is a recipe for trouble because of the way AV engines patch into the system kernel.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 Didier Stevens


Posted 16 January 2011 - 06:23 PM

Not sure what Goodtime Charlie meant exactly with hooking, but hooking is an older technique where you changed pointers without the OS knowing about this.

Modern AVs use specific API functions provided by modern OSs to intercept the data stream they need to scan. For example, to perform on-access scans of the file system, AVs install a File System Filter. Several File System Filters can be installed at once. The OS knows about these filters and manages them; there are no "hooking" conflicts.
I explained this in more detail in this blogpost: http://blog.didierstevens.com/2006/09/11/malicious-cryptography/

File System Filters have an "altitude", this essentially dictates which filter gets the data first as it goes up and down the driver stack. So if you install 2 AVs that use a File System Filter, they will work together without problem. However, because of the difference in altitude (Microsoft assigns altitudes upon request by the developers), one of the filters will see the data first and thus act first (for example delete the virus). The other filter, which comes second, will not see the data in that case. But if the first filter misses a virus (e.g. because it is not in its signature database), the second filter will see it and can act.

There are other ways modern AV products use to perform on-access-scan. For example, many AVs will scan VBScript and JavaScript scripts prior to execution. I explained in this blogpost how they do this:
http://blog.didierstevens.com/2007/11/03/quickpost-scanning-scripts/
This system too can work fine with 2 AVs, but again, one of the proxies will be the first.

From experience, I know AV vendors are very careful in the design of their installation products. They usually manage installing the filters I describe above without conflicts. But it is true that the uninstaller is sometimes less well designed. I can see, for example, how sloppy uninstallation of the script-scan component would break the chain and disable scripting altogether.

From a performance point of view, if you have a modern multi-processor/multi-core machine, running 2 AVs will not significantly slow down your machine (assuming there are no conflicts).

One reason not to install 2 AVs is that they might generate false positives on each other's artifacts. For example, AV 1 might erroneously detect a virus, while what it is actually seeing is not a real virus, but the file with the signature database of AV 2. Or AV 2 might have quarantined a file, and AV 1 picks up on this quarantined file. This is not a real false positive, but it's not a real true positive either... You don't need to be alerted twice about the same file.

Another reason against running 2 AVs is vendor support. Most vendors will not provide you with support if you are running their product concurrently with another AV product.

Edited by Didier Stevens, 16 January 2011 - 06:29 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
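Didier's explanation of filter altitudes, shown as an added Python simulation (this is not code from the post, from Windows, or from any AV product, and it is not the real Filter Manager API). Two simulated AV minifilters are attached to a toy filter manager with constructed altitudes and constructed signature sets; pre-operation callbacks run from the highest altitude down, and a filter that denies the request stops every lower filter from seeing it, the way a real minifilter's pre-operation callback does when it completes the I/O with a failure status. If the higher filter misses, the lower one still gets its chance. Names, altitude numbers and signature strings are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Outcomes a pre-operation callback can return in this toy model.
PASS = "PASS"   # let the request continue down the stack
DENY = "DENY"   # complete the request here with a failure; lower filters never see it


@dataclass
class MiniFilter:
    """A simulated on-access AV minifilter. Higher altitude = sees I/O first."""
    altitude: int
    name: str
    signatures: frozenset          # constructed "signature database"
    log: List[str] = field(default_factory=list)

    def pre_create(self, path: str, data: bytes) -> str:
        # A real filter would scan the file being opened; here a substring match stands in.
        if any(sig in data for sig in self.signatures):
            self.log.append(f"{self.name}: blocked {path}")
            return DENY
        self.log.append(f"{self.name}: allowed {path}")
        return PASS


class FilterManager:
    """Toy stand-in for the OS filter manager: it owns the ordering, the filters do not."""

    def __init__(self) -> None:
        self.filters: List[MiniFilter] = []

    def attach(self, flt: MiniFilter) -> None:
        # Altitudes are unique per filter, so there is no ambiguity about who runs first.
        if any(f.altitude == flt.altitude for f in self.filters):
            raise ValueError(f"altitude {flt.altitude} already in use")
        self.filters.append(flt)
        self.filters.sort(key=lambda f: f.altitude, reverse=True)

    def open_file(self, path: str, data: bytes) -> Tuple[str, Optional[str]]:
        # Pre-operation callbacks walk the stack top-down; the first DENY ends the walk.
        for flt in self.filters:
            if flt.pre_create(path, data) == DENY:
                return ("DENIED", flt.name)
        return ("OPENED", None)


def build_stack() -> Tuple[FilterManager, MiniFilter, MiniFilter]:
    """Two AVs with overlapping but different signature sets (all values constructed)."""
    fm = FilterManager()
    av_high = MiniFilter(altitude=328010, name="AV-High",
                         signatures=frozenset({b"BAD-SIG-A", b"BAD-SIG-B"}))
    av_low = MiniFilter(altitude=320000, name="AV-Low",
                        signatures=frozenset({b"BAD-SIG-B", b"BAD-SIG-C"}))
    fm.attach(av_low)   # attach order is irrelevant; altitude decides the order
    fm.attach(av_high)
    return fm, av_high, av_low


def run_scenarios():
    """Three constructed file opens covering the cases described in the post."""
    fm, av_high, av_low = build_stack()
    results = {
        # both AVs know this signature: only the higher-altitude filter ever sees it
        "both_detect": fm.open_file("a.exe", b"MZ...BAD-SIG-B..."),
        # only the lower AV knows this one: the higher filter passes, the lower one blocks
        "high_misses": fm.open_file("c.exe", b"MZ...BAD-SIG-C..."),
        # clean file: both filters pass it through
        "clean": fm.open_file("clean.txt", b"hello"),
    }
    return results, av_high.log, av_low.log


if __name__ == "__main__":
    results, high_log, low_log = run_scenarios()
    for case, outcome in results.items():
        print(f"{case:12s} -> {outcome}")
    print("AV-High saw:", high_log)
    print("AV-Low saw: ", low_log)
```

Note that AV-Low's log never mentions a.exe: once AV-High denied that open, the request was complete and nothing below it in the stack was consulted, which is exactly why a second real-time AV only adds value for the files the first one misses.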


#5 Didier Stevens


Posted 16 January 2011 - 06:45 PM

What I didn't add, because I assumed it is evident, is that there will be conflicts when the AV products do not play by the book and use their own unsupported tricks to intercept data streams. And as AV products are proprietary, closed software, you can never be sure they behave 100% as Microsoft wants them to.



#6 Union_Thug


Posted 16 January 2011 - 09:35 PM

Thanks one and all for the informative replies, it's greatly appreciated.

@Didier Stevens: Welcome to Bleepin where your impeccable reputation precedes you, and thanks for your most informative replies presented in such a way that even an average user such as myself can understand (LOL).

A few comments, if I may. My reply to the post on the political message board I referred to in the OP makes many of the same points you presented (albeit in a much less technically informative manner) in pointing out the possible pitfalls of running two real-time scanners. Here's a snippet of my reply:

...trying to achieve 100% protection 100% of the time is unrealistic and unachievable IMHO plus you'll spend more time maintaining multiple products (and multiple POSSIBLE false-positives/bad definition updates, scheduling said updates, etc) than the effort likely will be worth.

One other thought comes immediately to mind: RESOURCES. I suppose running two real-time AV's...PLUS Dog-knows what else...might be okay if you've got a Quad core with a Bazillion GB RAM, but the average user...not so much....


You wrote: ...For example, AV 1 might erroneously detect a virus, while what it is actually seeing is not a real virus, but the file with the signature database of the AV 2. Or AV 2 might have quarantined a file, and AV 1 picks up on this quarantined file. This is not a real false positive, but it's neither a real true positive... You don't need to be alerted twice about the same file....

I had a somewhat similar experience with Avira a little over a year ago (around Nov-Dec '09 IIRC). While doing some research on the TDSS/TDL3 rootkit I downloaded this file from the Dr Web site and Avira went BONKERS, no matter what I did (add exceptions, etc.), every time I tried to open the file or run a scan. hxxp://www.drweb.com/static/BackDoor.Tdss.565_%28aka%20TDL3%29_en.pdf

I reported it to Avira...with detailed documentation...SEVERAL times... their next reply to me will also be their FIRST, so I dumped Avira & switched to AVAST...but I digress.

Another reason against running 2 AVs is vendor support. Most vendors will not provide you with support if you are running their product concurrently with another AV product.

Question: How would one vendor know about the presence of the other vendor's product and vice-versa? I'm not trying to be naive or noobish, (well maybe a little of both lol) I really would like to know HOW they do know.

Thanks in advance for the anticipated informative replies
"Thug"

Edit to break pdf download link. Slow download from Russian server.





Edited by Union_Thug, 16 January 2011 - 09:41 PM.


#7 quietman7


Posted 16 January 2011 - 09:46 PM

I don't advise using more than one anti-virus program. Why? One concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource management. Even when one of them is disabled for use as a stand-alone scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves into the operating systems core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "False Positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that virus or suspicious file. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found when that is not the case.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms while trying to use it.

Anti-virus vendors recommend that you install and run only one anti-virus program at a time. You can always supplement your anti-virus by performing an Online Virus Scan.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#8 Didier Stevens


Posted 17 January 2011 - 04:58 AM

Thanks for the warm welcome Union_Thug.

Question: How would one vendor know about the presence of the other vendor's product and vice-versa? I'm not trying to be naive or noobish, (well maybe a little of both lol) I really would like to know HOW they do know.


They don't know this. But it is something that could be revealed during the troubleshooting process, or they might just ask you straight away.
Most help desks (not only AV) will also require you to install the latest version of their product before helping you.



#9 Union_Thug


Posted 17 January 2011 - 02:34 PM

If you have any specific questions about this I'd be happy to try and answer them.


A belated thank you for your useful and informative reply.

As for the above quote---you may end up regretting that. :P I think that Didier's, quietman7's, and Budapest's along with your replies have addressed my initial questions more than sufficiently and provided me with enough SOLID info/links/leads/insights that I can now confidently seek answers on the InterNETZ before posting any more Noob-ish questions here.:whistle:

#10 Didier Stevens


Posted 17 January 2011 - 02:54 PM

... and provided me with enough SOLID info/links/leads/insights that I can now confidently seek answers on the InterNETZ before posting any more Noob-ish questions here.:whistle:


One more point: AV is notoriously bad at detecting malware in memory. With the explanations we gave you, you should understand why now.
AVs use hooks, APIs and other features of the OS to intercept all kinds of data streams for scanning purposes. But the OS provides nothing to intercept memory writes (inside the process itself). So the AV can't intercept data that is written by a program to its own memory. It has to perform a (linear) scan of the memory space of each process, and that is bad for performance.



#11 Union_Thug


Posted 17 January 2011 - 03:44 PM

...But the OS provides nothing to intercept memory writes (inside the process itself). So the AV can't intercept data that is written by a program to its own memory. It has to perform a (linear) scan of the memory space of each process, and that is bad for performance.


I see, said the blind man. This is not the same as Flash memory, which MBAM's paid version offers scanning capability for, am I correct?
Speaking of which, what are your thoughts on MBAM's real-time protection? Seems like $25 (US) well spent, no?

Thanks again!

#12 Didier Stevens


Posted 17 January 2011 - 04:10 PM

This is not the same as Flash memory, which MBAM's paid version offers scanning capability for, am I correct?

If with flash memory you mean removable media, like USB sticks, then no. Removable media is accessed through the file system, so it is no problem for AV to scan.

BTW, I've developed 2 tools for removable media.
USBVirusScan allows you to configure actions to be taken each time a memory stick is inserted in a Windows machine. The most common use is to start your AV to scan all files on the USB stick.
http://blog.didierstevens.com/programs/usbvirusscan/
Ariad is a file system filter (actually, a mini-filter) designed to restrict access to USB sticks. For example, you can configure it so that no program can be launched from a USB stick.
http://blog.didierstevens.com/programs/ariad/

Speaking of which, what are your thoughts on MBAM's real-time protection? Seems like $25 (US) well spent, no?

No opinion, haven't looked at it in detail yet.



#13 Union_Thug


Posted 17 January 2011 - 04:43 PM

File System Filters have an "altitude", this essentially dictates which filter gets the data first as it goes up and down the driver stack. So if you install 2 AVs that use a File System Filter.....(Microsoft assigns altitudes upon request by the developers), one of the filters will see the data first and thus act first ....other filter, which comes second, will not see the data in that case....


I ran my own little experiment here. I just recently installed XP SP3 in VMWare player to test an up-to-date post SP3 (all hotfixes, patches, IE8 integrated & patched) slipstreamed & nLited CD I (finally) got to install cleanly after 6-7 badly BOTCHED attempts :thumbsup: I had Avast 5 latest ver installed and installed M$E, then ran the Spycar test with both running in real-time...in every instance MSE detected, blocked and cleaned the malware while Avast remained dormant, then disabled MSE and ran 4 or 5 of the tests, which Avast did the same-detected, blocked and cleaned. So it's safe to assume (I would think) that Microsoft would assign its own product (MSE) a higher altitude than Avast, as evidenced by the result I mentioned. So basically anyone running Avast alongside MSE for "added" virus protection would be doing so for a pretty minuscule number of viruses that MSE does not have in its VDB that Avast does, at the price of increasing the chances of FP's, System instability & degradation, heavier load on system resources, etc... EXPONENTIALLY.
:wacko: :wacko:

Doesn't sound like a good idea, even to a NOOB like me.

"Thug"


#14 quietman7


Posted 17 January 2011 - 07:54 PM

Speaking of which, what are your thoughts on MBAM's real-time protection? Seems like $25 (US) well spent, no?

I recommend taking advantage of the Malwarebytes Anti-Malware (Pro) Protection Module in the full version which uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology runs at startup where it monitors every process and helps stop malicious processes before they can infect your computer. The database that defines the heuristics is updated as often as there is something to add to it. Keep in mind that Malwarebytes does not act as a real-time protection scanner for every file like an anti-virus program so it is intended to be a supplement, not a substitute. Enabling the Protection Module feature requires registration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as it utilizes few system resources and should not conflict with other scanners or anti-virus programs.

If any conflicts between Malwarebytes and another security program are reported, suggested solutions are usually provided in the Common Issues, Questions, and their Solutions, FAQs thread. I know and have worked with some members of the research team so I can attest that they make every effort to resolve issues as quickly as possible.

Edited by quietman7, 17 January 2011 - 07:54 PM.


#15 Union_Thug


Posted 19 January 2011 - 06:14 AM

Thank You qm7 for the excellent detailed description & analysis as always. I will do that today.

Anybody have/know where to get an MBAM coupon? :hysterical:

Edited by Union_Thug, 19 January 2011 - 06:18 AM.




