A Comprehensive Guide to AV software

Discussion in 'Security and Anti-Virus Software' started by Omneus, Jun 23, 2006.

Thread Status:
Not open for further replies.
  1. Omneus

    Omneus Notebook Geek

    A Comprehensive Guide to Antivirus Software
    By Omneus
    Last updated: June 29 2006

    Introduction

    Nowadays, viruses are everywhere. Without proper antivirus software, you are bound to get your system infected, and run into lots of problems later. What many people don’t understand is that among virus scanners, some products are simply better than others, and only by doing a little research can you actually find a good product. In general, AV software is preventative. It is intended to be installed on a clean system, and to be used to prevent an infection from occurring later. Most good scanners will find and clean most viruses, but expecting a scanner to miraculously find and cure every infected file is somewhat unrealistic. Good scanners, when kept up to date and properly configured, should be able to find and detect virtually every virus you encounter.

    AV software uses a combination of two separate systems to detect viruses. They either use a signature-based detection system, or a heuristic-based system. In a signature-based scanner, whenever a new virus is found, the AV company analyzes it and creates a signature. The scanner detects a virus by matching it to the signature. Theoretically, as long as the scanner is up to date, it should be able to detect anything. The reality, however, is that very few companies update often enough to keep up with the release of new viruses, and many of the more difficult-to-detect viruses end up slipping through the cracks. Due to this, the heuristic systems were created. Heuristic systems identify viruses based on behaviour rather than signatures. If a virus tries to corrupt a file, for instance, the scanner will detect the action, recognize the virus, and neutralize it. The weakness in this system is that some viruses perform difficult-to-identify actions. For instance, backdoor viruses could theoretically remain dormant within a computer for a long time before the scanner ever finds them. The advantage of a heuristic system is that it can be used to detect newer threats even without updating, since it scans for behaviour and not signatures. Most scanners use a combination of both methods. Some are better heuristically, while others have more signatures.

    There are two ways to use AV software. You can use it for real-time protection, and rely on it to stop threats as they are happening. Or you can manually scan your computer with it, and use it to clean whatever problems you have at the time. Due to resource consumption and scanning speed, most software is better suited for one or the other of these functions. Some are too slow to use real-time, but are perfect on-demand. Others are fine real-time, but aren’t really powerful enough to use on-demand. Generally, people should use at least one virus scanner for real-time, and a different one for on-demand scanning.

    The Software

    The products I analyzed are Avira’s AntiVir, G-Data’s AVK, Alwil’s Avast, Grisoft’s AVG, Softwin’s Bitdefender, F-Secure, Kaspersky AV, McAfee VirusScan, Eset’s Nod32, and Symantec’s Norton AV. For all of these products (except AVK and F-Secure), I downloaded and tested the free trials/full version of the software for at least a week. I also read and analyzed all of the major professional reviews recently released, such as articles from PC World. For statistics, the best source is of course http://www.AV-Comparatives.org. Theoretically, you could use any of this software and be somewhat successful, but many of the more common products are actually much worse comparatively than what they would care to admit. Also, it should be noted that all of my testing involved using the software at max settings, and that the products were evaluated solely for their AV skill, not their ability to act as firewalls, or to detect spyware.

    The Freebies – Alwil’s Avast, Grisoft’s AVG, and Avira’s AntiVir are the scanners that I refer to as the “freebies”, since their entire full-version products can be obtained for free. It should also be noted that all three of these scanners are signature-based, and their heuristics are either weak or prone to false positives. AVG, although a popular scanner, is the weakest of the three. It has noticeably weaker detection rates than both Avast! and Avira, and has nothing that makes it exceptionally good in any area. Avast is a decent product. It is really only slightly better than AVG, but enough so that it is suitable to use as a decent on-demand or real-time scanner. Avira, on the other hand, is different. Detection-wise, it is massively better than either of these other products. But it consumes more resources, and isn’t really that good for real-time protection. For a casual user, using Avast! real-time and Avira as on-demand would be the best set-up among these choices. AVG and Avast have average resource consumption and OK scanning speeds, and could be used interchangeably for real-time protection (assuming that a different on-demand scanner was used).

    The Giants – Many years ago, when we were all still using Windows 98 or ME, the virus scanners most people used were Norton AV, McAfee AV, or Trend Micro PC-Cillin. All of these products, over the years, have built up a decent crowd of people who hate them, or people who like other products better. All of them are noted for resource consumption, slow scanning speed, conflicts, a bad UI, or for being irritating to uninstall. McAfee and PC-Cillin both have above average signature-based detection rates, but nothing that is really impressive. Norton, although among the best in detection rates there is, has fairly crappy heuristics, and is the most hated of the three. Chances are there wouldn’t be any major virus-related problem if you use them, but it would be highly recommended to simply find an alternative to any of these products.

    The Elite – The best products on the market are Kaspersky AV, NOD32, or BitDefender. All have excellent detection rates, and are excellent on-demand or real-time. Kaspersky is considered unofficially to be the most accurate scanner there is, NOD32 has the most powerful heuristic engine there is, and BitDefender is an excellent overall scanner. BitDefender is the heaviest of these three on resource consumption, but makes up for it by responding to an infection the fastest. NOD32 is the lightest, most efficient scanner I have ever seen, and as far as a detection/resource consumption ratio, it’s the best. KAV is also an excellent product, and unlike NOD32, which uses primarily heuristics, KAV uses a combination of heuristics and signatures to catch a higher amount of threats than any normally would. Any of these products would offer excellent protection, and it is really mostly preference that determines which is considered better.

    The Multi-Engines – F-Secure, G-Data AVK, and several other products, like TrustPort, are multi-engine products. Rather than using a single virus-scanning engine like most products, these scanners incorporate multiple separate engines together to improve protection. G-Data uses the BitDefender and Kaspersky engines, and F-Secure uses 4-5 relatively obscure and weak engines. Both of these scanners have some of the best detection rates there are, but both have flaws. Multi-engine scanners usually use more resources than regular scanners. They are more likely to experience conflicts or problems, and, in AVK’s case, are not really all that well documented or supported. Although either of these products is good, it would probably be just as effective to use multiple separate scanners, like Avast and Avira, to achieve the same result.

    Miscellaneous – Nowadays, lots of other companies are offering their own AV scanners as part of security suites: Zone Alarm AV, Panda AV, etc. For the most part, the best AV products are developed by AV companies and labs. Although products like Panda aren’t necessarily bad, they won’t stack up against any of the better free/paid-for products. When you buy a suite, it usually contains only a few actually good, worth-paying-for features. Many of the other features, although useful, are actually not that good when compared to other, more specialized products. For instance, in the case of BitDefender Internet Security 9, the AV scanner is excellent, but everything else (firewall, antispam, antispyware) is actually sub-par, and isn’t even better than many of the free products which perform those functions. If you want an AV scanner, buy an AV scanner; don’t use an AV scanner that is given free from an ISP, or bundled with a random security suite.

    Note: A common misconception is that you should only use one antivirus product. Using multiple scanners is dangerous, since they could conflict and create unnecessary problems. However, most of those conflicts either occur openly, and can be identified and resolved, or don’t occur at all. Generally, when you try to use an incompatible AV product, it will either tell you during the installation to get rid of the other product, pop up with an error message because the other product is incompatible, disable a module due to a conflict, or crash the computer. Rarely will a scanner ever appear to work fine when actually it isn’t. Although most people don’t really advise it, having multiple scanners will increase detection rates, and will be much better overall, assuming that there are no conflicts. As long as the noticeable conflicts are found beforehand, you can usually avoid most problems or complications. Products like BitDefender are generally more compatible than products like F-Secure, and by trying out your own combinations, you could actually make your computer much safer overall. I would highly recommend having two different products; not necessarily running together, but having at least one there to use on-demand to find the threats that the other missed.

    The Big Picture

    AV software is unique because many of the products are similar, but many are different. Many of the scanners are considered better simply because they are easy to use, or because of low resource consumption. But for selecting any AV software, the primary factor should always be detection rates. If a scanner can’t detect threats, what’s the point in using it? As far as testing is concerned, most tests that magazines, reviewers, or even virus labs use to assess virus detection ability are in themselves flawed, and are really a crappy indication of how good the software is. The only really noteworthy testing/certification that I could find were either the winners of the VB100% award, since they were tested against the official wild list, and the testing done at www.AV-Comparatives.org. Most other tests had too few virus samples to be very accurate, and put too much emphasis on appearance instead of results. Other factors, like how easy the software is to use, or how fast it is, should also be taken into consideration, but basically almost any of these products could fit the criteria. If you want to pick an AV product, the best thing to do would be to download the free trial, see if you like it, and buy it if you do. Products like Kaspersky are much better overall than AVG or Avast, but the majority of users use AVG or Avast anyway. Hopefully, by reading this guide, you will have a better understanding of AV software.

    Thanks for Reading!
     
  2. matt330ci

    matt330ci Notebook Guru

    thanks for the thorough writeup!
     
  3. soldier0316

    soldier0316 Notebook Evangelist

    That sure was comprehensive HA
     
  4. JMiles

    JMiles Notebook Consultant

    Wow, excellent guide :D
     
  5. nickster87

    nickster87 Notebook Consultant

    Very nice!:) Helpful too!;)
     
  6. Metamorphical

    Metamorphical Good computer user

    Cool undocumented guide. =) Thanks. Curiously, where does Zone Alarm’s antivirus fall in?
     
  7. Omneus

    Omneus Notebook Geek

    I wrote it 2 days ago.

    Chances are ZA antivirus isn't that good, simply because ZA is a firewall product, not an AV product. The best AV products are the ones designed by AV companies. Suites which offer a host of protection are rarely that good in all the areas that they are supposed to protect. I don't really know how good it is, but I doubt it is really that good.
     
  8. SVTWannabe

    SVTWannabe Notebook Consultant

    One other note you may want to add is that some "freebies" might actually include some of the bigger names in anti-virus detection that are offered free of charge through internet service providers (ISPs).

    Very thorough writeup!
     
  9. Bwen

    Bwen Notebook Evangelist

    Great article! Sticky material!
     
  10. Drio

    Drio Notebook Geek

    Good work Omneus

    I especially like that you make clear that "resource usage" is probably the worst decision criterion of all. After all, using nothing would consume the least resources, wouldn't it?

    I fully agree with your conclusion on the top 3 (Kaspersky, NOD32, BitDefender). They are the only ones consistently good over the last two years, both in AV-Comparatives' retrospective and prospective tests.

    What AV-C does is running two different tests:
    1. using the scanner from three (or 6?) months ago and throwing at it viruses detected during the last three months (thus testing how far the engine detects new threats), and
    2. using the current engine on the known virus population (thus testing how up to date they are).

    The results of test 1 are obviously far worse than 2 (indicating the need for frequent updates), but here it really shows the good ones, most probably capable of detecting tomorrow's threats. See the AV-Comparatives link from Omneus.

    BTW, the newer versions of BitDefender are using less resources. I hope they are still as good as the old ones.

    Zone Alarm uses a licensed engine from Computer Associates. It isn't that bad, but it doesn't figure in the test because the CA engine is only licensed to other vendors.
    You could consider switching to BitDefender, which also has an excellent firewall.

    Just to be safe one could use the online options of other vendors (e.g. Kaspersky offers one for free usage) on a regular basis in combination with the installed scanner.



    once again good work!

    Drio
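To make the two detection models from Omneus's guide (signature matching vs. behaviour heuristics) and the retrospective/prospective test split Drio describes concrete, here is an added toy simulation. It is not code from the thread or from any of the products named; the signature database, the behaviour rules and the samples are all constructed, and the day numbers are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes        # file bytes (constructed)
    first_seen: int       # day the sample first appeared "in the wild" (constructed)
    actions: tuple = ()   # behaviours observed when executed (constructed)

# Hypothetical signature database: byte pattern -> day the vendor shipped it.
SIGNATURES = {b"MALWARE-A-v1": 10, b"MALWARE-B": 20, b"MALWARE-A-v2": 70}

# Hypothetical behaviour rules used by the heuristic engine.
SUSPICIOUS_ACTIONS = {"overwrite_system_file", "disable_av", "open_backdoor"}

def signature_hits(sample, engine_day):
    """Signature engine as of engine_day: only signatures already shipped can match."""
    return [sig for sig, shipped in SIGNATURES.items()
            if shipped <= engine_day and sig in sample.content]

def heuristic_hits(sample):
    """Behaviour heuristic: needs no updates, but only sees what the sample actually does."""
    return sorted(SUSPICIOUS_ACTIONS.intersection(sample.actions))

def detection_rate(samples, engine_day, use_heuristics):
    hits = sum(1 for s in samples
               if signature_hits(s, engine_day) or (use_heuristics and heuristic_hits(s)))
    return hits / len(samples)

def retrospective_test(samples, freeze_day, window):
    """AV-C style retrospective test: engine frozen at freeze_day, run against samples
    that appeared in the following window. Returns (signatures only, with heuristics)."""
    new = [s for s in samples if freeze_day < s.first_seen <= freeze_day + window]
    return detection_rate(new, freeze_day, False), detection_rate(new, freeze_day, True)

def false_positive_rate(benign):
    """Share of clean samples the heuristic flags (the price of behaviour-based rules)."""
    return sum(1 for s in benign if heuristic_hits(s)) / len(benign)

MALWARE = [
    Sample("a_v1", b"...MALWARE-A-v1...", 5, ("overwrite_system_file",)),
    Sample("a_v2", b"...MALWARE-A-v2...", 40, ("overwrite_system_file",)),  # new variant
    Sample("backdoor", b"...MALWARE-B...", 15),   # dormant: nothing for the heuristic to see
]
BENIGN = [
    Sample("notepad", b"clean editor", 1),
    Sample("installer", b"clean setup", 50, ("overwrite_system_file",)),  # legitimately noisy
]
```

With these constructed samples, the day-60 engine catches 2 of 3 on signatures alone and all 3 with heuristics, the retrospective test (engine frozen at day 30) scores 0.0 on signatures and 1.0 with heuristics, and the heuristic flags 1 of 2 clean files.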
     