The New Virus Fighters

Antivirus Tools Strike Back

Antivirus software companies are adapting and upgrading their products in a number of ways. Frequently they now package traditional antivirus applications with other security components, such as antispyware tools and firewalls, to provide more-comprehensive protection; in some cases this extra functionality is baked into the antivirus product itself. Companies are also reducing the length of time it takes them to release signature updates, which individual antivirus utilities download and then use to recognize and destroy newly identified threats.

In addition, vendors are honing their products' heuristics, the rules and algorithms that flag a file as probably malicious because it shares traits with previously identified malware, such as the way its code is packed or the system functions it calls, rather than because it matches a known sample byte for byte. "Heuristic scanning by antivirus software engines has shown some improvement over the past few years, with better detection and fewer false alarms," says Douglas Schweitzer, author of Securing the Network From Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans. In false alarms--or false positives--an application wrongly flags a legitimate file as malware. This mistake at best wastes users' time and at worst leads them, or the product acting automatically, to delete or quarantine benign files, including ones the operating system or other programs depend on. Every heuristic is a trade-off: the more aggressively it flags unfamiliar code, the more unknown threats it catches and the more false alarms it raises.

Companies are also using behavior-based detection to fight new threats that their products can't yet recognize through signature updates. Rather than inspecting a file's contents, this technology watches what a program does once it runs: it monitors the parts of your system that malware typically targets, such as startup entries, other running processes, and network connections; flags suspicious actions; and stops them. The drawback is that the malware must already be executing on your computer before behavior-based monitoring can see it, so whatever the program did before it was stopped has already happened. For this reason, behavior-based detection works best as a supplemental layer of protection behind the virus-scanning engine, which ideally eliminates the threat before it can execute.
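To make the three layers concrete, here is a small, self-contained Python model of them: exact signatures, a trait-based heuristic with an adjustable threshold, and a behavior monitor that judges a trace of what a program does once it runs. It is an added illustration, not code from the article or from any antivirus product; the "files", the suspicious strings, the event trace, and the scoring thresholds are all constructed for the example.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Iterable, Optional

# ---- Constructed stand-ins for files on disk (not real malware) -------------
# Every byte value appears equally often, so this body has the maximum entropy of
# 8.0 bits per byte, the tell-tale trait of a packed or encrypted payload.
PACKED_BODY = bytes(range(256)) * 4
DROPPER_STRINGS = b"WriteProcessMemory\0CreateRemoteThread\0CurrentVersion\\Run\0"

KNOWN_MALWARE = b"MZ" + PACKED_BODY + DROPPER_STRINGS
# Same traits, repacked: a different byte sequence, so an exact signature misses it.
VARIANT = b"MZ" + bytes(reversed(PACKED_BODY)) + b"\x90" * 8 + DROPPER_STRINGS
# Legitimate installer: registers itself to start at logon, which alone is not hostile.
BENIGN_INSTALLER = b"MZ" + (b"Setup for ExampleApp 1.0: adds a HKCU\\Software\\"
                            b"Microsoft\\Windows\\CurrentVersion\\Run entry. ") * 3
# Novel dropper: unpacked, no tell-tale strings; at rest it looks like nothing at all.
NOVEL_DROPPER = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 8
# Events the novel dropper generates once it runs (constructed trace, "action:target").
NOVEL_DROPPER_EVENTS = [
    "read_file:C:\\Windows\\System32\\kernel32.dll",
    "write_registry:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
    "connect:198.51.100.7:6667",
    "inject:explorer.exe",
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: signatures. Real engines match byte patterns; a hash set is the simplest
# form. The vendor computes these from collected samples and ships them as an update.
SIGNATURES = {sha256(KNOWN_MALWARE)}

# Layer 2: heuristics. Traits shared with known malware, each worth some points.
SUSPICIOUS_STRINGS = (b"CreateRemoteThread", b"WriteProcessMemory",
                      b"CurrentVersion\\Run", b"URLDownloadToFile")
HEURISTIC_THRESHOLD = 3  # raise it to cut false alarms, lower it to catch more unknowns


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for text and code, close to 8 for packed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def heuristic_score(data: bytes) -> int:
    """Count traits shared with known malware instead of matching any sample exactly."""
    score = 2 if shannon_entropy(data) > 7.0 else 0
    score += sum(1 for s in SUSPICIOUS_STRINGS if s in data)
    return score


@dataclass
class Verdict:
    layer: str
    reason: str


def scan_file(data: bytes) -> Optional[Verdict]:
    """Layers 1 and 2 run on the file at rest, before anything executes."""
    if sha256(data) in SIGNATURES:
        return Verdict("signature", "exact match on a known sample")
    score = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return Verdict("heuristic", f"score {score} >= threshold {HEURISTIC_THRESHOLD}")
    return None


PERSISTENCE_KEYS = ("CurrentVersion\\Run", "CurrentVersion\\RunOnce")


def monitor_events(events: Iterable[str]) -> Optional[Verdict]:
    """Layer 3: behavior monitoring. It judges what a running program does, so it can
    only fire after the file has executed; that is the drawback the article notes."""
    persisted = connected = False
    for event in events:
        action, _, target = event.partition(":")
        if action == "inject":
            return Verdict("behavior", f"code injection into {target}")
        if action == "write_registry" and any(k in target for k in PERSISTENCE_KEYS):
            persisted = True
        elif action == "connect":
            connected = True
        if persisted and connected:
            return Verdict("behavior", "installed an autorun entry, then phoned home")
    return None


if __name__ == "__main__":
    for name, data in [("known", KNOWN_MALWARE), ("variant", VARIANT),
                       ("benign installer", BENIGN_INSTALLER), ("novel dropper", NOVEL_DROPPER)]:
        print(f"{name:16} at rest -> {scan_file(data)}")
    # Nothing caught the novel dropper on disk; only running it exposes it.
    print(f"{'novel dropper':16} running -> {monitor_events(NOVEL_DROPPER_EVENTS)}")
```

Running it shows the division of labor: the signature catches only the exact known sample, the heuristic catches the repacked variant, the benign installer scores 1 and stays below the threshold (drop the threshold to 1 and it becomes a false positive), and the novel dropper passes both static layers and is caught only by the behavior monitor, after it has already written its autorun entry.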

Stand-Alone Apps, Suites, and Free Tools

With these trends in mind, PC World aimed to learn which of today's antivirus products will best protect you against both known and unknown malware. We tested ten products, ranging in price from free to $50. To create a level playing field, we tested stand-alone antivirus apps where available and only the antivirus components of suites that offer other functions such as antispyware protection and network firewalls. Testing the suites with their nonvirus-oriented components enabled would have given them an unfair advantage over the stand-alone antivirus programs, to which you can add (and we recommend that you do add) the firewall and antispyware tools of your choice.

Among our test group, Alwil Software's Avast Home Edition 4.6, AntiVir PersonalEdition Classic 6.32, and Grisoft's AVG Free Edition 7.1 are stand-alone programs that cost nothing. F-Secure Anti-Virus 2006, Kaspersky Lab's Kaspersky Anti-Virus Personal 5.0, McAfee VirusScan 2006, and BitDefender 9 Standard are paid stand-alone applications. Panda Software's Panda Titanium 2006 Antivirus + Antispyware and Symantec's Norton AntiVirus 2006 both include antispyware tools. Trend Micro sells its antivirus tool only as part of the full PC-cillin Internet Security Suite 2006.

One product we didn't rate is Zone Labs' ZoneAlarm Antivirus, our 2005 World Class winner in the category. It combines Computer Associates' Vet Antivirus engine with Zone Labs' network firewall and OSFirewall, a behavior-based prevention technology that flags suspicious system behavior.

AV-Test did evaluate Computer Associates' scanning engine, which performed poorly and was the slowest to release signature updates for new threats. However, for this story AV-Test could not assess the effectiveness of Zone Labs' behavior-based malware prevention. Putting it to the test against AV-Test's malware collection would have taken months, as each file has to be active on the test system. Since the OSFirewall is integral to the Zone Labs product, we excluded the entire product. (Panda's product, which we did rate, also uses behavior-based detection.)

How We Tested

Overall, AV-Test ran five tests. First, it determined whether the products could detect 1518 "in the wild" malware samples: viruses and other threats on the published list that the WildList Organization maintains of malware confirmed to be spreading in public circulation.

Second, it tested the programs' ability to detect non-WildList threats by using its own collection (or zoo) of 136,250 backdoor programs, Trojan horses, and bots (also known as zombies). The zoo includes active malware collected from customers, computer magazines, and honey pots, deliberately exposed Internet-connected systems that researchers set up to attract attacks and capture the malware used in them. Because the WildList is public (so every vendor can make sure its product catches everything on it), often lags behind current threats, and intentionally excludes non-self-replicating threats such as Trojan horses and backdoor software, AV-Test's zoo malware complements the WildList malware well.

A network firewall can alert you to backdoor apps, bots, and Trojan horses by catching the network connections they make; but as with behavior-based detection, a firewall will notify you of trouble only once the threat is active on your PC. "Firewalls stop network traffic," says LURHQ's Stewart. "They might stop a Trojan from phoning home. They're not going to stop a Trojan from running [on your PC]," he says.

Third, AV-Test evaluated each product's heuristic capabilities. To do this, it froze each program at a one-month-old and a two-month-old state, without the signatures released since, and measured how well those versions recognized malware that emerged after the freeze. Because none of the later signatures were present, any detection had to come from the program's heuristics rather than from a signature written for that specific threat. AV-Test ran this test on worms and backdoor software because those were common and dangerous threats during the testing period, and brand-new viruses are hard to find, according to AV-Test.

Fourth, AV-Test examined each product's ability to clean up 110 macro viruses that attack Microsoft Office programs. And fifth, it compiled data on the average outbreak-response time by each antivirus software company to 16 outbreaks during eight months in 2005--a measure of how quickly the company deploys signature updates after new malware is identified.
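The retrospective test (third) and the outbreak-response measurement (fifth) are both bookkeeping over dates, which a short script makes clearer than prose. The following Python is an added illustration of those two procedures, not AV-Test's or PC World's own tooling: the samples, signature release dates, outbreaks, and vendor names are all constructed, the heuristic is a toy trait count, and the treatment of outbreaks a vendor never covered is an assumption noted in the code.

```python
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    first_seen: date
    traits: frozenset   # structural traits a heuristic can key on


@dataclass(frozen=True)
class Signature:
    matches: str        # the one sample it detects exactly (stand-in for a byte pattern)
    published: date


# Constructed corpus: five pieces of malware that appeared over autumn 2005, and the
# date a hypothetical vendor shipped an exact signature for each.
SAMPLES = [
    Sample("Worm.A", date(2005, 8, 10), frozenset({"packed", "mass_mail"})),
    Sample("Backdoor.B", date(2005, 9, 2), frozenset({"injects", "irc_c2", "autorun"})),
    Sample("Worm.C", date(2005, 10, 20), frozenset({"packed", "mass_mail", "autorun"})),
    Sample("Backdoor.D", date(2005, 11, 5), frozenset({"irc_c2"})),
    Sample("Worm.E", date(2005, 11, 18), frozenset({"packed", "injects"})),
]
SIGNATURES = [
    Signature("Worm.A", date(2005, 8, 10)),
    Signature("Backdoor.B", date(2005, 9, 3)),
    Signature("Worm.C", date(2005, 10, 21)),
    Signature("Backdoor.D", date(2005, 11, 6)),
    Signature("Worm.E", date(2005, 11, 18)),
]
TEST_DATE = date(2005, 12, 1)

# Toy heuristic: two or more of these traits trip a detection.
BAD_TRAITS = frozenset({"packed", "injects", "autorun", "irc_c2", "mass_mail"})
MIN_TRAITS = 2


def signature_set(as_of: date) -> set:
    """The signatures a product had installed on a given day."""
    return {s.matches for s in SIGNATURES if s.published <= as_of}


def detected(sample: Sample, sigs: set) -> Optional[str]:
    if sample.name in sigs:
        return "signature"
    if len(sample.traits & BAD_TRAITS) >= MIN_TRAITS:
        return "heuristic"
    return None


def detection_rate(as_of: date, corpus: List[Sample]) -> Tuple[int, int, int]:
    """(signature hits, heuristic hits, corpus size) for the signatures of `as_of`."""
    sigs = signature_set(as_of)
    verdicts = [detected(s, sigs) for s in corpus]
    return verdicts.count("signature"), verdicts.count("heuristic"), len(corpus)


def retrospective_test(cutoff: date) -> Tuple[int, int, int]:
    """Third test: freeze the product at `cutoff`, then scan only malware first seen
    afterwards. A signature is never published before its sample is seen, so no
    signature for those samples existed yet and every hit is a heuristic hit."""
    newer = [s for s in SAMPLES if s.first_seen > cutoff]
    return detection_rate(cutoff, newer)


@dataclass(frozen=True)
class Outbreak:
    name: str
    discovered: datetime


OUTBREAKS = [
    Outbreak("Worm.A", datetime(2005, 8, 10, 0, 0)),
    Outbreak("Backdoor.B", datetime(2005, 9, 2, 6, 0)),
    Outbreak("Worm.C", datetime(2005, 10, 20, 12, 0)),
]
# When each hypothetical vendor shipped a signature for each outbreak; a missing
# entry means the vendor never covered that outbreak in the measurement window.
VENDOR_UPDATES = {
    "Vendor X": {"Worm.A": datetime(2005, 8, 10, 4, 0),
                 "Backdoor.B": datetime(2005, 9, 3, 6, 0),
                 "Worm.C": datetime(2005, 10, 20, 20, 0)},
    "Vendor Y": {"Worm.A": datetime(2005, 8, 10, 10, 0),
                 "Worm.C": datetime(2005, 10, 21, 12, 0)},
}


def response_time(updates: Dict[str, datetime]) -> Tuple[float, int]:
    """Fifth test: mean hours from an outbreak's discovery to the vendor's signature.
    Outbreaks the vendor never covered are left out of the mean and counted separately
    (an assumption; the article does not say how AV-Test scored them)."""
    delays = [(updates[o.name] - o.discovered).total_seconds() / 3600
              for o in OUTBREAKS if o.name in updates]
    missed = len(OUTBREAKS) - len(delays)
    return (mean(delays) if delays else float("inf")), missed


if __name__ == "__main__":
    print("current signatures:", detection_rate(TEST_DATE, SAMPLES))
    for months, cutoff in ((1, date(2005, 11, 1)), (2, date(2005, 10, 1))):
        _, heur, n = retrospective_test(cutoff)
        print(f"{months}-month-old product: {heur}/{n} newer samples caught, all by heuristics")
    for vendor, updates in VENDOR_UPDATES.items():
        hours, missed = response_time(updates)
        print(f"{vendor}: mean response {hours:.1f} h, outbreaks not covered: {missed}")
```

With current signatures every sample is caught, which says nothing about heuristics; freezing the product a month or two back isolates them, and on this corpus the one-month-old product catches one of two newer samples and the two-month-old product two of three. The response-time figure shows why a missed outbreak has to be reported alongside the mean: Vendor Y's average looks only moderately worse than Vendor X's, but it never covered one of the three outbreaks at all.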

To complete our testing, PC World timed how fast the various products conducted on-demand virus scans, and then we evaluated each product's ease of use, features, and tech support policies.
