The security software we review here--antivirus scanners and their anti-spyware cousins--provides essential defenses. Our tests show that the top antivirus scanners stop almost all the nasties they are designed to catch. But antivirus software does little, if anything, to stop spyware such as surveillance programs or ad-serving apps that monitor your surfing habits. So you need anti-spyware to fill the gap. This two-part review looks at both types of packages--and chooses the best.
In March 2003 we set each program against the 288 viruses and worms (in 576 files) known to be "in the wild"--replicating in the real world--during our tests. We selected these miscreants based on data from The
Using default settings, each program detected 100 percent of the February 2003 WildList viruses and worms, both during hard-disk scans and when the PC accessed an infected file. But performance against the WildList shows only how programs deal with viruses and worms that the antivirus companies should already know about and include in their signature files (databases of threats) that users should update daily. It doesn't indicate how the programs will perform against thousands of so-called zoo viruses and worms that have appeared over the years and that may spread into the wild again or influence the design of future malware. Nor does it show how programs handle Trojan horses (nonreplicating programs with hidden, malicious code), which aren't on the WildList.
To examine these issues, AV-Test.org configured each program at its highest settings and scanned a hard drive holding over 71,000 files containing about 23,000 viruses, worms, and Trojan horses from its "zoo" of malware. F-Secure Anti-Virus 2003, EXtendia AVK Pro, McAfee VirusScan 7.0, and Kaspersky Anti-Virus Personal caught zoo samples in 99.96, 99.95, 99.93, and 99.91 percent of the files, respectively. Norton AntiVirus 2003 (at 99.72) and RAV AntiVirus (at 99.57) trailed the front-runners only slightly, but their results for Win32 file viruses and worms--by far the most prevalent these days--were among the highest.
The other two contenders didn't do as well. PC-cillin 2003 and Panda Antivirus Platinum caught zoo samples in only 97.9 percent and 96.4 percent of the files, respectively. Panda and PC-cillin also had a tough time identifying Trojan horses, detecting them at rates of 91 percent and 83 percent, respectively (compared with an average of 99 percent for the other six products).
No matter how well antivirus products deal with known threats, the biggest potential threat is the unknown. So most programs don't simply scan for exact matches against a database of known threats. They also use heuristics to try to identify new dangers by looking for items that may act like or contain data similar to known malware.
To get an idea of how well heuristics work, we tested versions of the antivirus utilities and signatures that were three and six months out-of-date--from well before the latest crop of malware had appeared--and scanned files containing the newest threats. Performance varied widely, but none of the programs did nearly as well as each had against known threats from the WildList and our zoo. The three-month-old versions of EXtendia AVK Pro and F-Secure did best, finding 75 percent and 72 percent of the files, respectively, with Kaspersky and McAfee close behind at 69 percent and 67 percent. The remaining scanners caught just over 50 percent. The results were 7 to 14 percentage points lower for the six-month-old programs and signatures--suggesting that heuristic capabilities depend in part on knowledge of recent infectors in order to identify new ones. The difference underscores the importance of regularly updating virus signatures; all of these programs can do so automatically (though not with the same frequency).
On May 8, just before we went to press, a worm called Fizzer appeared. None of the scanners found it using heuristics; all required signature updates. Panda issued one that day. Other vendor updates trickled out until as late as May 14--and by then the worm was rapidly spreading worldwide.
For our final performance test, we clocked how long each program took to run on a 2.53-GHz Pentium 4-based PC carrying 512MB of DDR RAM and loaded with Windows XP Professional, Microsoft Office 2000, and other apps and files (7.15GB in all). We did this once with the utility's defaults, and then again with its most thorough configuration. Our conclusion: Slower is usually better. The pokiest programs tended to post the best scan results, and most of them found more malware when the highest settings were enabled.
The best antivirus program should not only perform well in the lab but also run smoothly on your desktop while providing clear information and reliable tech support. For example, once it detects a virus, how well does the program explain the infection and help you eliminate it? Worms and Trojan horses are stand-alone programs that don't infect other files, so simply stopping and deleting them is enough. Viruses are trickier: The file they infect may be important to you, so deletion is the last resort. Disinfection--removing the virus code and repairing the original file--is preferable, but not every program can clean every file. For instance, some of the programs we reviewed can't clean infected files stored inside archives such as .zip files, so you will have to open the archives and manually scan the contents. If a program can't clean or delete a file, it should at least quarantine the file so that the malicious code can't run.
Unless you're an expert, identifying the type of infection you have and the measures to take can be difficult. That's why we like programs that provide advice or that automatically take the most appropriate action. The best in this respect are F-Secure, Panda, Norton, and PC-cillin, which automatically repair, delete, or quarantine dangerous files. The others simply block the file from running or being written to disk and ask you to make the next move.
Unfortunately, ambiguous alerts or confusing configuration options prevented some of the best performers from earning the Best Buy. Kaspersky and RAV, for example, are powerful virus hunters, but their interfaces are byzantine. McAfee is confusing, too, requiring you to drill deep into the program to make adjustments. Norton, in contrast, is a breeze to navigate and configure, with clearly labeled menus that step you through making adjustments. F-Secure also provides a lean interface, but it does so by leaving out key functions such as the ability to schedule hard drive scans.
The days of free telephone support are nearly gone--only Trend Micro and Kaspersky still offer it. Boomerang, GeCad, Network Associates, Panda, and Symantec offer phone support, but with hefty per-minute or per-incident fees. Still, it's nice to have this option if you ever run into big trouble. (F-Secure doesn't offer support lines for U.S. customers.) Fortunately, all the vendors have helpful, free e-mail tech support. Six responded within two days--typically within a few hours. F-Secure and Kaspersky took over five days to answer, but they did provide useful responses.
Overall, Norton AntiVirus has the best balance of performance and usability, with an intuitive interface and generally high detection rates. If the makers of other top performers in this review manage to clean up their programs' interfaces or bolster their tech support offerings, however, Norton will face some very tough competition.
We included a sampling of spyware in our antivirus zoo tests, with abysmal results. In our first round, only McAfee registered any at all, flagging one spyware component. Later, we downloaded an optional free spyware database from Kaspersky's Web site and were able to catch a handful of items with the antivirus scanner.
One reason for the tepid response from antivirus companies is a hesitancy to label spyware as malicious. While some pieces sneak onto your PC, many spyware programs are disclosed in the end-user license agreements of the freeware programs they ride in on. By accepting the agreement, you permit the installation of spyware that fetches targeted advertising or gathers marketing data.
Reading the fine print is the first step toward avoiding many types of spyware. But if the critters are already on your hard drive (and they likely are), your best defense is to run a program that scans your hard disk for known spyware files, folders, Registry entries, and tracking cookies, and then gives you the option to remove them. In addition, several anti-spyware utilities scan your PC's memory in real time to keep unwanted programs from installing and running in the first place.
Software firewalls, such as
We tested four of the best anti-spyware scanners:
Each product rooted out a large proportion of the freeloaders, with Spybot Search & Destroy catching the most. But no program was perfect. After scanning and opting to remove detected spyware with one program, we found that running a second or third program almost always caught all or part of a spyware item that the first had missed. With each product, we also managed to find and remove additional spyware elements when we reran the scanner. That's because spyware has many hooks into the system that try to reinstall themselves after an attempted removal. So your anti-spyware motto should be: Scan, remove, reboot, repeat.
In addition to scanning best, Spybot Search & Destroy was the most competent at removing spyware without doing harm. In contrast, PestPatrol locked up and refused to run again after we instructed it to delete the spyware it had found.
Like antivirus utilities, the four anti-spyware programs also scan your PC's memory in real time to keep unwanted software from installing in the first place. However, we didn't see stellar performance from any of the programs. In most cases they noticed only a fraction of the spyware as we downloaded and installed it, but Ad-aware Plus performed better than the others. Memory-scanning is a brand-new feature in Spy Sweeper, which failed to find most programs we pitted it against; in Spybot Search & Destroy, it's limited to ActiveX controls and other code embedded in Web pages.
The four programs didn't differ greatly in features. You can set each to load and scan automatically at Windows start-up, and each can instantly notify you when spyware database updates are available. All four also back up files before deleting them (restoring a piece of spyware may be necessary to re-enable the free software it came with).
Anti-spyware is still an infant class of software, but it's the best tool available right now. We recommend that instead of running any one program you combine our two favorites:
Nationwide ISPs are offering virus scanning as a way to win new customers and hang on to old ones. MSN already scans e-mail messages and attachments on its servers, using software from McAfee; and the MSN client software incorporates a version of McAfee's VirusScan. EarthLink plans to introduce similar server and client virus scanning later this year, and AOL includes e-mail scanning in its client software. However, it's best to see these services as a supplement to, not a replacement for, a full antivirus scanner on your own PC.
"Layers of security are always better," says Brian Burke, IDC research manager. He sees ISPs evolving like other corporations, which have switched from relying solely on desktop antivirus products to adopting centralized, server-based utilities. "From a security standpoint this is very beneficial to consumers, especially those that don't keep their antivirus up-to-date," Burke concludes.
But don't assume that your service provider has you covered. One small-ISP owner we talked to (who prefers to remain anonymous) claims that antivirus scanning isn't worth the grief. "Processing the huge volume of mail an ISP receives is hard enough. Pile antivirus software on top of that, and you've got a lot of CPU and bandwidth requirements," he complains. His customers might welcome the protection of server-based scanning, he admits, but a bigger issue holds him back: "If they do get a virus, they now have someone to blame."