
A Comprehensive Guide To AV Software


6 replies to this topic

#1 omneus

omneus

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:14 AM

Posted 01 July 2006 - 04:14 PM

A Comprehensive Guide to Antivirus Software
By Omneus
Last updated: June 29 2006

Note: This is the first of 2 guides. The second one can be found here: http://forum.notebookreview.com/showthread.php?t=62240

Introduction

Nowadays, viruses are everywhere. Without proper antivirus software, you are bound to get your system infected and run into lots of problems later. What many people don't understand is that among virus scanners, some products are simply better than others, and only by doing a little research can you actually find a good product. In general, AV software is preventative. It is intended to be installed on a clean system and used to prevent an infection from occurring later. Most good scanners will find and clean most viruses, but expecting a scanner to miraculously find and cure every infected file is somewhat unrealistic. Good scanners, when kept up to date and properly configured, should be able to find and detect virtually every virus you encounter.

AV software uses one or both of two separate systems to detect viruses: signature-based detection and heuristic-based detection. In a signature-based scanner, whenever a new virus is found, the AV company analyzes it and creates a signature. The scanner detects a virus by matching it to the signature. Theoretically, as long as the scanner is up to date, it should be able to detect anything. The reality, however, is that very few companies update often enough to keep up with the release of new viruses, and many of the more difficult-to-detect viruses end up slipping through the cracks. Because of this, heuristic systems were created. Heuristic systems identify viruses based on behaviour rather than signatures. If a virus tries to corrupt a file, for instance, the scanner will detect the action, recognize the virus, and neutralize it. The weakness in this system is that some viruses perform difficult-to-identify actions. For instance, backdoor viruses could theoretically remain dormant within a computer for a long time before the scanner ever finds them. The advantage of a heuristic system is that it can be used to detect newer threats even without updating, since it scans for behaviour and not signatures. Most scanners use a combination of both methods. Some are better heuristically, while others have more signatures.

There are two ways to use AV software. You can use it for real-time protection, and rely on it to stop threats as they are happening. Or you can manually scan your computer with it, and use it to clean whatever problems you have at the time. Due to resource consumption and scanning speed, most software is better suited to one or the other of these functions. Some are too slow to use real-time, but are perfect on-demand. Others are fine real-time, but aren't really powerful enough to use on-demand. Generally, people should use at least one virus scanner for real-time, and a different one for on-demand scanning.

The Software

The products I analyzed are Avira's AntiVir, G-Data's AVK, Alwil's Avast, Grisoft's AVG, Softwin's BitDefender, F-Secure, Kaspersky AV, McAfee VirusScan, Eset's NOD32, and Symantec's Norton AV. For all of these products (except AVK and F-Secure), I downloaded and tested the free trials/full version of the software for at least a week. I also read and analyzed all of the major professional reviews recently released, such as articles from PC World. For statistics, the best source is of course http://www.AV-Comparatives.org. Theoretically, you could use any of this software and be somewhat successful, but many of the more common products are actually much worse comparatively than they would care to admit. Also, it should be noted that all of my testing involved using the software at max settings, and that the products were evaluated solely for their AV skill, not their ability to act as firewalls or to detect spyware.

The Freebies – Alwil's Avast, Grisoft's AVG, and Avira's AntiVir are the scanners that I refer to as the "freebies", since their entire full-version products can be obtained for free. It should also be noted that all three of these scanners are signature-based, and their heuristics are either weak or prone to false positives. AVG, although a popular scanner, is the weakest of the three. It has noticeably weaker detection rates than both Avast! and Avira, and has nothing that makes it exceptionally good in any area. Avast is a decent product. It is really only slightly better than AVG, but enough so that it is suitable to use as a decent on-demand or real-time scanner. Avira, on the other hand, is different. Detection-wise, it is massively better than either of these other products. But it consumes more resources, and isn't really that good for real-time protection. For a casual user, using Avast! real-time and Avira on-demand would be the best set-up among these choices. AVG and Avast have average resource consumption and OK scanning speeds, and could be used interchangeably for real-time protection (assuming that a different on-demand scanner was used).

The Giants – Many years ago, when we were all still using Windows 98 or ME, the virus scanners most people used were Norton AV, McAfee AV, or Trend Micro PC-Cillin. All of these products, over the years, have built up a decent crowd of people who hate them, or people who like other products better. All of them are noted for resource consumption, slow scanning speed, conflicts, a bad UI, or for being irritating to uninstall. McAfee and PC-Cillin both have above-average signature-based detection rates, but nothing that is really impressive. Norton, although among the best in detection rates there is, has fairly crappy heuristics, and is the most hated of the three. Chances are there wouldn't be any major virus-related problem if you used them, but it would be highly recommended to simply find an alternative to any of these products.

The Elite – The best products on the market are Kaspersky AV, NOD32, and BitDefender. All have excellent detection rates, and are excellent on-demand or real-time. Kaspersky is unofficially considered to be the most accurate scanner there is, NOD32 has the most powerful heuristic engine there is, and BitDefender is an excellent overall scanner. BitDefender is the heaviest of these three on resource consumption, but makes up for it by responding to an infection the fastest. NOD32 is the lightest, most efficient scanner I have ever seen, and as far as the detection/resource-consumption ratio goes, it's the best. KAV is also an excellent product, and unlike NOD32, which uses primarily heuristics, KAV uses a combination of heuristics and signatures to catch a higher amount of threats than either normally would. Any of these products would offer excellent protection, and it is really mostly preference that determines which is considered better.

The Multi-Engines – F-Secure, G-Data AVK, and several other products, like TrustPort, are multi-engine products. Rather than using a single virus-scanning engine like most products, these scanners incorporate multiple separate engines to improve protection. G-Data uses the BitDefender and Kaspersky engines, and F-Secure uses 4-5 relatively obscure and weak engines. Both of these scanners have some of the best detection rates there are, but both have flaws. Multi-engine scanners usually use more resources than regular scanners. They are more likely to experience conflicts or problems, and, in AVK's case, are not really all that well documented or supported. Although either of these products is good, it would probably be just as effective to use multiple separate scanners, like Avast and Avira, to achieve the same result.

Miscellaneous – Nowadays, lots of other companies are offering their own AV scanners as part of security suites: ZoneAlarm AV, Panda AV, etc. For the most part, the best AV products are developed by AV companies and labs. Although products like Panda aren't necessarily bad, they won't stack up against any of the better free/paid-for products. When you buy a suite, it usually contains only a few actually good, worth-paying-for features. Many of the other features, although useful, are actually not that good when compared to other, more specialized products. For instance, in the case of BitDefender Internet Security 9, the AV scanner is excellent, but everything else (firewall, antispam, antispyware) is actually sub-par, and isn't even better than many of the free products which perform those functions. If you want an AV scanner, buy an AV scanner; don't use an AV scanner that is given away free by an ISP, or bundled with a random security suite.

Note: A common misconception is that you should only use one antivirus product, the reasoning being that using multiple scanners is dangerous, since they could conflict and create unnecessary problems. However, most of those conflicts either occur openly, and can be identified and resolved, or don't occur at all. Generally, when you try to use an incompatible AV product, it will either tell you during the installation to get rid of the other product, pop up with an error message because the other product is incompatible, disable a module due to a conflict, or crash the computer. Rarely will a scanner ever appear to work fine when actually it isn't. Although most people don't really advise it, having multiple scanners will increase detection rates, and will be much better overall, assuming that there are no conflicts. As long as the noticeable conflicts are found beforehand, you can usually avoid most problems or complications. Products like BitDefender are generally more compatible than products like F-Secure, and by trying out your own combinations, you could actually make your computer much safer overall. I would highly recommend having two different products; not necessarily running together, but having at least one there to use on-demand to find the threats that the other missed.

The Big Picture

AV software is unique because many of the products are similar, but many are different. Many of the scanners are considered better simply because they are easy to use, or because of low resource consumption. But for selecting any AV software, the primary factor should always be detection rates. If a scanner can't detect threats, what's the point in using it? As far as testing is concerned, most tests that magazines, reviewers, or even virus labs use to assess virus detection ability are in themselves flawed, and are really a crappy indication of how good the software is. The only really noteworthy testing/certification that I could find was either the winners of the VB100% award, since they were tested against the official WildList, or the testing done at www.AV-Comparatives.org. Most other tests had too few virus samples to be very accurate, and put too much emphasis on appearance instead of results. Other factors, like how easy the software is to use, or how fast it is, should also be taken into consideration, but basically almost any of these products could fit the criteria. If you want to pick an AV product, the best thing to do would be to download the free trial, see if you like it, and buy it if you do. Products like Kaspersky are much better overall than AVG or Avast, but the majority of users use AVG or Avast anyway. Hopefully, by reading this guide, you will have a better understanding of AV software.

Thanks for Reading!
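
The signature-versus-heuristic distinction the guide draws above can be made concrete with a small scanner. The following is an added illustration, not code from the post or from any of the products it names. The signature format (hex bytes with `??` single-byte wildcards) loosely mimics the style of open-source AV signature databases; the signature itself, the list of "injection-capable" API names used as a crude behavioural indicator, the entropy threshold and all four sample files are constructed for this example and are not real malware. It shows the trade-off the guide describes: the signature catches only the exact known sample, the heuristic also catches a one-byte variant, and the same heuristic raises a false positive on a benign file that merely looks packed.

```python
"""
Toy file scanner contrasting exact signature matching with behaviour-style
heuristics. Added illustration; signatures, indicator strings, threshold and
sample files are all constructed for this example.
"""
import math
import re
from collections import Counter

# Constructed signature database: name -> hex pattern, "??" = any one byte.
# The pattern reads: "MZ" 0x90 0x00, two wildcard bytes, then "evil.dll".
SIGNATURES = {
    "Test.Dropper.A": "4d5a 9000 ???? 6576696c2e646c6c",
}

# A static engine cannot watch the file run, so it looks for the tools a
# process injector would need. Two or more together count as a behaviour hit.
SUSPICIOUS_STRINGS = [
    b"WriteProcessMemory", b"CreateRemoteThread",
    b"SetWindowsHookEx", b"URLDownloadToFile",
]
ENTROPY_THRESHOLD = 7.2   # bits per byte; packed or encrypted data sits near 8.0


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Translate a hex pattern with ?? wildcards into a compiled bytes regex."""
    compact = hex_pattern.replace(" ", "").lower()
    if len(compact) % 2:
        raise ValueError("hex pattern needs an even number of digits")
    regex = b"".join(
        b"." if compact[i:i + 2] == "??" else re.escape(bytes.fromhex(compact[i:i + 2]))
        for i in range(0, len(compact), 2)
    )
    return re.compile(regex, re.DOTALL)   # DOTALL so a wildcard also matches 0x0a


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def signature_scan(data: bytes) -> list:
    """Names of every known signature found in the file; empty list if none."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data: bytes) -> list:
    """Reasons the file looks suspicious even when no signature matches."""
    reasons = []
    hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in data]
    if len(hits) >= 2:
        reasons.append("injection-capable imports: " + ", ".join(hits))
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high entropy, possibly packed or encrypted")
    return reasons


def scan(data: bytes) -> tuple:
    """Return (verdict, matched_signatures, heuristic_reasons)."""
    sigs = signature_scan(data)
    heur = heuristic_scan(data)
    if sigs:
        verdict = "malicious"    # exact knowledge: a known sample
    elif heur:
        verdict = "suspicious"   # a guess: new variant, or a false positive
    else:
        verdict = "clean"
    return verdict, sigs, heur


# Constructed sample files (not real malware).
KNOWN_SAMPLE = (b"MZ\x90\x00\x03\x00evil.dll" + b"\x00" * 16
                + b"WriteProcessMemory\x00CreateRemoteThread\x00")
# Same code with one byte changed in the string the signature keys on.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"evil.dll", b"evi1.dll")
BENIGN_TEXT = b"Quarterly report: sales were flat, costs were down.\n"
# A compressed archive looks like this: every byte value equally likely.
BENIGN_ARCHIVE = bytes(range(256)) * 2

SAMPLES = {
    "known": KNOWN_SAMPLE, "variant": VARIANT_SAMPLE,
    "text": BENIGN_TEXT, "archive": BENIGN_ARCHIVE,
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        verdict, sigs, heur = scan(blob)
        print(f"{label:<8} {verdict:<10} signatures={sigs} heuristics={heur}")
```

Running it flags `known` as malicious by signature, `variant` only by heuristics (the signature is defeated by a single byte), `text` as clean, and `archive` as suspicious purely on entropy, which is exactly the false-positive risk the guide attributes to weak heuristics. Real engines mitigate that with whitelists, file-type awareness and many more indicators, but the shape of the trade-off is the same.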



#2 Jesse Bassett

Jesse Bassett

  • Members
  • 418 posts
  • OFFLINE
  • Location:Rosemount, MINN.
  • Local time:11:14 AM

Posted 02 July 2006 - 01:17 PM

I agree with most of what you said. As for Norton, we use it at home and there are no issues yet.
Windows XP Media Center Edition 2005 l McAfee Total Protection l Super AntiSpyware Free Edition l AdAware SE Personal l Spyware Blaster l Spyware Guard l Safe Eyes 2007

#3 jgweed

jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:11:14 AM

Posted 02 July 2006 - 02:10 PM

Perhaps this guide would be more complete if it provided references for the evaluations. Granted that many product reviews use tests which are by necessity based on a chosen set of viruses, one would expect a more thorough discussion of the various tests and an explanation for the choice of one or two tests as a basis for evaluation of different AV products.
I am, moreover, not completely convinced that the average user needs, or can easily use, more than one AV product on their computer. Certainly having several AV products providing real-time protection would seem to generate conflicts at some time, and put an unneeded strain on computer resources. Unlike spyware, whose criteria are more open to subjective interpretation, virus malware is more precisely defined, and most AVs will find the same (and important or widespread) files, so AV redundancy is less critical for safe computing.
I certainly agree that many products that provide a wide range of security services are only strong in one area, and give but nominal protection in other aspects; this may be explained by companies buying out other specialised concerns and incorporating their modules (sometimes not with the most efficient programming results), but not maintaining the focus and expertise that these other companies had.
Best regards,
John
Whereof one cannot speak, thereof one should be silent.

#4 BanditFlyer

BanditFlyer

  • Members
  • 283 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 05 July 2006 - 11:33 AM

Just out of curiosity, has anyone noticed a difference between how these programs work depending on the OS they are run on?

#5 omneus

omneus
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:14 AM

Posted 14 July 2006 - 06:48 AM

jgweed wrote:
> Perhaps this guide would be more complete if it provided references for the evaluations. Granted that many product reviews use tests which are by necessity based on a chosen set of viruses, one would expect a more thorough discussion of the various tests and an explanation for the choice of one or two tests as a basis for evaluation of different AV products.
> I am, moreover, not completely convinced that the average user needs, or can easily use, more than one AV product on their computer. Certainly having several AV products providing real-time protection would seem to generate conflicts at some time, and put an unneeded strain on computer resources. Unlike spyware, whose criteria are more open to subjective interpretation, virus malware is more precisely defined, and most AVs will find the same (and important or widespread) files, so AV redundancy is less critical for safe computing.
> I certainly agree that many products that provide a wide range of security services are only strong in one area, and give but nominal protection in other aspects; this may be explained by companies buying out other specialised concerns and incorporating their modules (sometimes not with the most efficient programming results), but not maintaining the focus and expertise that these other companies had.
> Best regards,
> John


As far as providing references, when I started the research I looked at numerous reviews/websites, and didn't really keep track of them. For statistics, I used www.AV-Comparatives.com, but other than that I don't really have any 'formal' record of all my sources. Using multiple real-time scanners could put an unnecessary strain on computer resources, but it really depends on how much protection is actually necessary. For casual usage, you would only really need a single scanner, whereas for 'risky' usage it would be worthwhile to sacrifice the resources for additional protection. Also, although most AV products will overlap when detecting viruses, it would be more effective to use multiple anyway, because if one scanner failed to detect a particular virus that the other one could, then the scanners would have served their purpose.

#6 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:10:14 AM

Posted 14 July 2006 - 12:19 PM

Can you have more than one resident antivirus program?
Can you? YES
Should you? NO
Is it a good idea, do you get better protection? NO

The danger is that one antivirus program may (read this as: eventually will) see the other's definition files as viruses, and will remove them. This is not so much a problem with manual scans, where you only run one antivirus program at a time, if you pay close attention to what it detects, and where. If you manually configure it to ignore the other program and its files, then you minimize the risk from this problem.

The big problem is the silent threat. Most antivirus programs will scan web-based file transfers (not necessarily all of them, like P2P and IM). It is quite common for one antivirus program to detect the incoming virus updates for the other. Thinking parts of the definition files are viruses in their own right, the AV will strip these out of the update. The end result? Instead of having two, or even one, up-to-date, fully functional antivirus programs, you have two severely crippled programs, which are each missing critical definition and detection files.

So, it is best to have one antivirus program, keep it up to date, and use it properly.
Then, if you experience a problem, or question its efficiency, you run an online scan.

http://www.pandasoftware.com/activescan/
http://housecall.trendmicro.com/

#7 omneus

omneus
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:14 AM

Posted 16 July 2006 - 03:26 AM

tg1911 wrote:
> The danger is that one antivirus program may (read this as: eventually will) see the other's definition files as viruses, and will remove them. This is not so much a problem with manual scans, where you only run one antivirus program at a time, if you pay close attention to what it detects, and where. If you manually configure it to ignore the other program and its files, then you minimize the risk from this problem.
>
> The big problem is the silent threat. Most antivirus programs will scan web-based file transfers (not necessarily all of them, like P2P and IM). It is quite common for one antivirus program to detect the incoming virus updates for the other. Thinking parts of the definition files are viruses in their own right, the AV will strip these out of the update. The end result? Instead of having two, or even one, up-to-date, fully functional antivirus programs, you have two severely crippled programs, which are each missing critical definition and detection files.


I have used many combinations of multiple scanners, and never once have I suffered from any of these problems. Yes, theoretically they are possible, but never, out of all the problems associated with using multiple scanners, has this been a real concern (using recent programs, of course). I don't know how every definition file is compiled, but I highly doubt a scanner will flag it as a virus. Sure, updates could be intercepted, but if that was a problem, you could simply download and apply the update manually. I'm not disputing whether multiple scanners are completely better or not, simply that that particular problem isn't common enough to offer real merit.



