Bigger Threats, Better Defense

Inside Coverage: Antivirus Apps

Though firewalls do block some port-probing network worms and may hinder some mass-mailers, you need an antivirus scanner to stop many threats that arrive via e-mail or file downloads. And only an antivirus scanner can remove the infections. To find the best scanners, we first reviewed a fresh round of testing that AV-Test had performed on 31 antivirus products. We chose six of them for a closer look: the stand-alone programs Grisoft AVG Anti-Virus Professional and Eset NOD32, plus the scanners in the four security suites from our firewall tests.

Each product met our minimum requirement of catching all "in the wild" malware. Such viruses have been sighted by at least two members of the WildList Organization, a cooperative effort of antivirus researchers and member companies worldwide. Though approximately 100,000 viruses exist, only about 250 are considered in-the-wild threats at any given time.

To further challenge the scanners, AV-Test pitted them against its zoo of approximately 60,000 malware samples. Whereas in-the-wild testing gauges whether a scanner can detect current threats, zoo tests indicate how it might handle a particular class of threats or family of viruses. For example, all of our chosen products performed well (ranging between 90.4 percent and 100 percent detection) against a collection of 12,341 viruses and worms that operate in a 32-bit Windows environment--the type of infectors most common on today's WildList. But some fared less well with the zoo collection of 14,288 Trojan horses, malware that can't spread on its own but can be carried by worms or viruses or be hidden within infected downloads. Despite accounting for a significant proportion of all malware, Trojan horses are not included on the WildList. And the antivirus scanners varied considerably more in their handling of these pests: AVG detected just 23.5 percent of the Trojan horses, while the McAfee and Norton scanners nabbed 99 percent and 97.5 percent, respectively.

AV-Test also scanned 20,000 clean files to determine whether the programs would mistakenly identify any as infected. PC-cillin excelled, with no false positives; at the other end of the scale, Eset's NOD32 misidentified 31 clean files. Even a small number of false positives can be a headache, as they may cause innocent and necessary files to be quarantined or even deleted.

Dealing With New Threats

Antivirus scanners rely primarily on exact matches to identify malware, but they can sometimes catch infectors not included in their databases by using heuristics. Strictly speaking, heuristics refers to the ability to identify new malware based on telltale characteristics--for example, the presence of code that exploits a known vulnerability. In practice, however, heuristics also refers to the use of "fuzzy" pattern matching to identify a new variant of a known virus, using the generic definition of a virus such as Netsky.gen, for instance, to nab a particular brand-new variant such as Netsky.R.
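The two detection modes described above, exact matching against a definition database and generic "fuzzy" pattern matching for new variants of a known family, can be shown side by side with a toy scanner. The following Python is an added illustration, not code from the article or from any of the vendors reviewed: the sample "files", hash database, family names (Mailer.Q, Mailer.gen) and byte patterns are all constructed for the example. It also shows the two limits the article reports: a loose generic rule flags a clean file (a false positive), and a sample from an unrelated family is missed by every rule until a signature for it exists.

```python
"""Toy exact-match vs. generic-pattern antivirus scanner (constructed example).

Everything below is made up for illustration: the byte strings stand in for
files on disk, the detection names are hypothetical, and no real malware or
real vendor signature is involved.
"""
import hashlib
import re

# Constructed sample files. "MZ\x90\x00" mimics an executable header so that an
# overly broad rule on it would hit everything; the text is the "payload".
FILES = {
    "clean_report.doc": b"MZ\x90\x00 quarterly report: please see attachment for the figures",
    "variant_q.exe": b"MZ\x90\x00 MAILER-v1 subj=Re:Hi body=see attachment spread=smtp",
    "variant_r.exe": b"MZ\x90\x00 MAILER-v1 subj=Re:Hello body=read the attachment spread=smtp",
    "new_family.exe": b"MZ\x90\x00 XKQ-spreader target=0.0.0.0/0 spread=tcp",
}
CLEAN = {"clean_report.doc"}  # ground truth used only for scoring


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Exact definitions: one hash per known sample. Only variant_q has been seen,
# so this database cannot know about variant_r (hypothetical names).
EXACT_DB = {sha1(FILES["variant_q.exe"]): "Mailer.Q"}

# Generic family definition ("Mailer.gen"): a wildcard pattern over the traits
# shared by the family, so a never-seen variant can still be caught.
GENERIC_DB = {"Mailer.gen": re.compile(rb"MAILER-v1 subj=Re:\S+ body=")}

# An overly loose rule of the kind that produces false positives: plenty of
# legitimate documents mention an attachment.
LOOSE_DB = {"Suspicious.attachment": re.compile(rb"see attachment")}


def scan_file(data: bytes, exact_db: dict, generic_db: dict):
    """Return a detection name or None. Exact match is tried first, then the
    generic patterns in database order."""
    name = exact_db.get(sha1(data))
    if name:
        return name
    for name, pattern in generic_db.items():
        if pattern.search(data):
            return name
    return None


def scan_all(files: dict, exact_db: dict, generic_db: dict) -> dict:
    """Map each file name to its verdict (detection name or None)."""
    return {fn: scan_file(data, exact_db, generic_db) for fn, data in files.items()}


def summarize(results: dict, clean_names: set) -> dict:
    """Score a scan against ground truth: detections, misses, false positives."""
    detected = {fn for fn, verdict in results.items() if verdict}
    return {
        "detected": sorted(detected - clean_names),
        "missed": sorted(set(results) - detected - clean_names),
        "false_positives": sorted(detected & clean_names),
    }


if __name__ == "__main__":
    scenarios = {
        "exact only": (EXACT_DB, {}),
        "exact + generic": (EXACT_DB, GENERIC_DB),
        "exact + generic + loose rule": (EXACT_DB, {**GENERIC_DB, **LOOSE_DB}),
    }
    for label, (exact_db, generic_db) in scenarios.items():
        results = scan_all(FILES, exact_db, generic_db)
        print(f"{label}: {results}")
        print(f"  {summarize(results, CLEAN)}")
```

Run as a script, the first scenario catches only the sample whose hash is in the database; adding the family pattern also catches the unseen variant; adding the loose rule flags the clean document as well. In all three, the unrelated `new_family.exe` goes undetected, which is the behaviour the article describes for truly new malware before vendors ship a signature.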

AV-Test gauged heuristics by scanning files containing the newest malware with versions of each program that had last been updated three months prior. McAfee and AVG performed best, catching 70.1 percent and 65.6 percent, respectively, of infected files; NOD32 did worst, at 41.4 percent.

For each antivirus program, AV-Test used the highest possible settings to scan an infected hard drive, though NOD32 was a special case. Beyond the level of heuristics available for disk scans, NOD32 has a higher level called Advanced Heuristics for scanning incoming e-mail and Web traffic (the main routes of infection). AV-Test gauged NOD32's Advanced Heuristics using an undocumented command-line instruction (nod32.exe /AH) to turn the feature on for a disk scan. With its Advanced Heuristics enabled, NOD32's detection rate jumped to 53.5 percent.

In our tests, the antivirus scanners in our roundup succeeded only in detecting new members of known malware families. They did not catch any of the truly new viruses--a finding mirrored in AV-Test's separate outbreak response survey. (This additional survey covered 22 antivirus companies but did not include Eset's NOD32.) For example, none of the products tested in the outbreak survey could identify any of the infamous Netsky worms until the vendors issued detection signatures for them; but once McAfee wrote a generic signature, the scanner was able to detect several variants. Our conclusion: Heuristics offers only hit-and-miss protection. Your best defense lies in other security layers--including firewalls and your own common sense. For example, you should frequently update your antivirus scanner and patch your operating system. For more tips, see April's "Lock Down Your PC."

The Smoothest Scanners

Had we based our Best Buy selection on scanning performance alone, McAfee's suite would have won. But McAfee had serious flaws. For example, we received multiple script errors during the update process, and the program erroneously reported that the virus scanner had been updated when it had not.

Though McAfee's suite was the most troublesome, it was not alone in having glitches. No program aced the infection-removal test, in which AV-Test ran each scanner on systems infected with the CTX virus, the Optix backdoor Trojan horse, and the MyDoom.A worm. PC-cillin handled cleanup best, fully removing two infections and never harming the system. McAfee, NOD32, and Panda left the system unusable after attempting (and failing) to remove the CTX virus.

Sluggishness was the biggest drawback to Norton's suite. In informal tests, system startups and shutdowns took about twice as long with Norton installed as with PC-cillin or NOD32, which had the least-discernible performance impact. Norton was the slowest at running a full disk scan, too, requiring about 12 minutes on a Windows XP Pro system equipped with an 800-MHz Pentium III processor, 256MB of RAM, and a 5400-rpm hard drive with 575MB of data. NOD32 was the fastest program, at only 52 seconds. (Norton had better detection rates than NOD32, however.) PC-cillin was the next fastest at just over 2.5 minutes.

We awarded our antivirus Best Buy to Trend Micro PC-cillin Internet Security 2004. Besides offering competent scanning at a moderate price, PC-cillin has an exceptionally clean and intuitive interface. Best of all, PC-cillin was the only software product in our review to provide no-cost telephone technical support--and via a toll-free number, too.
