A Comprehensive Guide to Anti-virus Software By Omneus Last updated: June 25 2006 Originally Posted at forum.notebookreview.com by me (Omenus) Introduction Nowadays, Virus’s are everywhere. Without proper anti-virus software, you are bound to get your system infected, and run into lots of problems later. What many people don’t understand is that virus scanners some products are simply better than others, and only by doing a little research can you actually find a good product. In general, AV software is preventative. They are intended to be installed on a clean system, and to be used to prevent an infection from occurring later. Most good scanners will find and clean most viruses, but expecting a scanner to miraculously find and cure every infected file is somewhat unrealistic. Good scanners, when kept up to date, and properly configured, should be able to find and detect virtually every virus you encounter. AV software uses a combination of two separate systems to detect viruses. They either use a signature-based detection system, or a heuristic-based system. In a signature-based scanner, whenever a new virus is found, the AV Company analyzes it and creates a signature. The scanner detects a virus by matching it to the signature. Theoretically, as long as the scanner is up to date, it should be able to detect anything. The reality is however, that very few companies update often enough to keep up with the release of new viruses, and many of the more difficult to detect viruses end up slipping through the cracks. Due to this, the heuristic systems were created. Heuristic systems identify viruses based on behaviour rather than signatures. If a virus tries to corrupt a file for instance, the scanner will detect the action, recognise the virus, and neutralize it. The weakness in this system is that some viruses perform difficult-to-identify actions. For instance, back-door viruses could theoretically remain dormant within a computer for a long time before the scanner ever finds it. The advantage of a heuristic system, is that it can be used to detect newer threats even without updating, since it scans for behaviour and not signatures. Most scanners use a combination of both methods. Some are better heuristically, while others have more signatures. There are two ways to use AV software. You can use it for real-time protection, and rely on it to stop threats as they are happening. Or you can manually scan your computer with it, and use it to clean whatever problems you have at the time. Due to resource-consumption, and scanning speed, most software is better suited for on or the other of these functions. Some are too slow to use real-time, but are perfect on-demand. Others are fine real-time, but aren’t really powerful enough to use on-demand. Generally, people should use at least one virus scanner for real-time, and a different one for on-demand scanning. The Software The products I analysed are Avira’s AntiVir, G-Data’s AVK, Alwil’s Avast!, Grisoft’s AVG, Softwin’s Bitdefender, F-Secure, Kaspersky AV, McAfee VirusScan, Eset’s Nod32, and Symantec’s Norton AV. For all of these products (Except AVK and F-Secure), I downloaded and tested the free trials/full version of the software for at least a week. I also read and analysed all of the major professional reviews recently released, such as articles from PC World. For statistics, the best source is of course http://www.AV-Comparatives.org. Theoretically, you could use any of this software and be somewhat successful, but many of the more common products are actually much worse comparatively than what they would care to admit. Also, it should be noted that all of my testing involved using the software at max settings, and that that the products were evaluated solely for their AV skill, not their ability to act as firewalls, or to detect spyware. The Freebies – Alwil’s Avast!, Grisoft’s AVG, and Avira’s AntiVir are the scanners that I refer to as the “freebies”, since their entire full version products can be obtained for free. It should also be noted that all three of these scanners are signature-based, and their heuristics are either weak or prone to false positives. AVG, although a popular scanner, is the weakest of the three. It has noticeably weaker detection rates from both Avast! And Avira, and has nothing that makes it exceptionally good in any area. Avast is a decent product. It is only really only slightly better than AVG, but enough so that it is a suitable to use as a decent on-demand or real-time scanner. Avira on the other hand is different. Detection wise, it is a massively better than either of these other products. But it consumes more resources, and isn’t really that good for real-time protection. For a casual user, Using !Avast real-time and Avira as on-demand would be the best set-up among these choices. AVG and Avast have average resource consumption, and OK scanning speeds, and could be used interchangeably for real-time protection (assuming that a different on-demand scanner was used). The Giants – Many years ago, when we were all still using Windows 98 or ME, the virus scanners most people used were Norton AV, McAfee AV, or Trend Micro Pc-Cillin. All of these products, over the years, have built up a decent crowd of people who hate them, or people who like other products better. All of them are noted for resource consumption, slow scanning speed, conflicts, a bad UI, or for being irritating to uninstall. McAfee and PC-Cillin both have above average signature-based detection rates, but nothing that is really impressive. Norton, although among the best in detection rates there is, has fairly crappy heuristics, and is the most hated of the three. Chances are there wouldn’t be any major virus-related problem if you use them, but it would be highly recommended to simply find an alternative to any of these products. The Elite – The best products on the market are Kaspersky AV, NOD32, or BitDefender. All have excellent detection rates, and are excellent on-demand or real-time. Kaspersky is considered unofficially to be the most accurate scanner there is, NOD32 has the most powerful heuristic engine there is, and BitDefender is an excellent overall scanner. BitDefender is the heaviest of these three on resource consumption, but makes up for it by responding to an infection the fastest. NOD32 is the lightest, most efficient scanner I have ever seen, and as far as a detection/resource consumption ratio, it’s the best. KAV is also an excellent product, and unlike NOD32, which uses primarily heuristics, KAV uses a combination of heuristics and signatures to catch a higher amount of threats than any normally would. Any of these products would offer excellent protection, and it is really mostly preference that determines which is considered better. The Multi-Engines – F-Secure, G-Data AVK, and several other products, like TrustPort are Multi-Engine products. Rather than using a single virus-scanning engine like most products, these scanners incorporate multiple separate engines together to improve protection. G-Data uses the BitDefender and Kaspersky engines, and F-Secure uses 4-5 relatively obscure and weak engines. Both of these scanners have some of the best detection rates there are, but both have flaws. Multi-Engine scanners usually use more resources than regular scanners. They are more likely to experience conflicts or problems, and, in AVKs case, are not really all that well documented or supported. Although either of these products is good, it would probably be just as effective to use multiple separate scanners, like Avast and Avira, to achieve the same result. Miscellaneous – Nowadays, lots of other companies are offering their own AV scanners as part of security suites. Zone alarm AV, Panda AV, etc. For the most part, the best AV products are developed by AV companies and labs. Although products like Panda aren’t necessarily bad, they won’t stack up against any of the better free/paid for products. When you buy a suite, it usually contains only a few actually good, worth-paying-for features. Many of the other features although useful, are actually not that good when compared to other more-specialized products. For instance, in the case of BitDefender Internet Security 9, the AV scanner is excellent, but everything else (firewall, antispam, antispyware) is actually sub-par, and isn’t even better than many of the free products which perform those functions. If you want and AV scanner, buy an AV scanner; don’t use an AV scanner that is given free from an ISP, or bundled with a random security suite. Note: A common misconception is that you should only use one anti-virus product. Using multiple scanners is dangerous, since they could conflict and create unnecessary problems. However, most of those conflicts either occur openly, and can be identified and resolved, or don’t occur at all. Generally when you try to use an incompatible AV product, it will either tell you during the installation to get rid of the other product, pop-up with an error message because the other product is incompatible, disable a module due to a conflict, or crash the computer. Rarely will a scanner ever appear to work fine when actually it isn’t. Although most people don’t really advise it, having multiple scanners will increase detection rates, and will be much better overall, assuming that there are no conflicts. As long as the noticeable conflicts are found beforehand, you can usually avoid most problems or complications. Products like BitDefender are generally more compatible than products like F-Secure, and by trying out you own combinations, you could actually make your computer much safer overall. I would highly recommend having two different products; not necessarily running together, but having at least one there to use on-demand to find the threats that the other missed. The Bug Picture AV software is unique because many of the products are similar, but many are different. Many of the scanners are considered better simply because they are easy to use, or because of low resource consumption. But for selecting any AV software, the primary factor should always be detection rates. If a scanner can’t detect threats, what’s the point in using it. As far as testing is concerned, most tests that magazines, reviewers, or even virus labs use to assess virus detection ability are in themselves flawed, and are really a crappy indication of how good the software is.. The only really noteworthy testing/certification that I could find were either the winners of the VB100% award, since they were tested against the official wild list, and the testing done at www.AV-Comparatives.org. Most other tests had too few virus samples to be very accurate, and put too much emphasis on appearance instead of results. Other factors, like how easy the software is to use, or how fast it is should also be taken into consideration, but basically almost any of these products could fit the criteria. If you want to pick an AV product, the best thing to do would be to download the free trial, see if you like it, and buy it if you do. Products like Kaspersky are much better overall than AVG or Avast!, but the majority of users use AVG or Avast anyway. Hopefully, by reading this guide, you will have a better understanding of AV software. Thanks for Reading!
