
Virucide!

Today's computer viruses are smarter, stealthier, and more destructive than ever before. Defend yourself with the most merciless of seven top virus killers.


It's a jungle out there, or at least a well-stocked zoo. Despite the popularity of antivirus software, computer viruses are multiplying like fruit flies. New strains appear at a rate of about 200 per month, and researchers have identified nearly 18,000 to date. The increase of e-mail and Internet downloading offers more ways to get infected, too.

Only about 250 viruses exist in the wild--in circulation--but many of those can cause significant damage, waste time, and cost you and your company money. According to the International Computer Security Association, your chances of falling victim to a computer virus run about 1 in 30. In an office of 100 PCs, at least 3 systems will face a virus incident during the course of the next year. Are you feeling lucky?

Though your company will likely get hit, you needn't panic. As our extensive tests show, most antivirus packages protect effectively against the current crop of viruses and include technologies for catching as-yet-unidentified strains. Okay, so most products do a good job; now how can you choose from among the numerous possibilities? We reviewed seven prominent antivirus products and found that they differ significantly apart from their virus-catching capabilities. Some make it easy to update signatures--the lines of binary code that identify virus behavior--and regular updating is the best way to catch new nasties. Others offer smooth interfaces, quick scan times, or strong support. And the best include all of these: Our Best Buy, Norton AntiVirus 5.0, took less than 13 minutes to scan a 1GB hard drive, caught just about every virus we threw at it, and proved easy to use and update.

Natural Selection

Since we reviewed antivirus software last March (see "Virus Killers 1998"), the antivirus industry has consolidated. Network General first acquired Dr Solomon's and subsequently merged with McAfee; the enlarged company, renamed Network Associates, retained McAfee VirusScan in the lineup and incorporated some of Dr Solomon's technology in subsequent versions. (The products remain separate for now, but Dr Solomon's will eventually disappear.) Meanwhile, McAfee's archrival Symantec purchased IBM's antivirus technology, effectively killing IBM AntiVirus, and incorporated it into Norton AntiVirus. During our testing for this article, Symantec also acquired Quarterdeck, maker of ViruSweep. At press time it remained unclear whether Symantec planned to continue marketing the Quarterdeck product.

What do these mergers mean? It may be too soon to tell. Consolidation or no, the ICSA still certifies 64 antivirus packages from 17 companies. We settled on the six leaders in the field--Command AntiVirus 4.52 (formerly known as F-Prot Professional), McAfee VirusScan 4.0, Norton AntiVirus 5.0, Panda Antivirus 6.005 Platinum, Sophos Anti-Virus 3.13, and a prerelease version of Trend's PC-cillin--plus one new product: InDefense 2.10. Yet another popular program, Inoculan Antivirus 5.0 for Windows 95, is being updated and wasn't available in time. We'll test it as soon as possible.

Despite industry shifts, not much has changed among antivirus packages since our last review. Prices have fallen a bit, from an average of $50 last year to around $40 this year--with the notable exception of Sophos, tagged at the eyebrow-raising price of $99 for a no-updates version. Most still offer extras that range from useful to gimmicky. Several companies have updated their product's look, with a trend toward simplicity.

Feet to the Fire

We called on virus expert Joe Wells to put these packages to the test. Wells tracks worldwide circulation of viruses in his monthly WildList. He tested each package's ability to detect all 254 in-the-wild viruses (80 boot, 89 file, and 85 macro) and 10,606 samples of 7860 zoo viruses (viruses that live in a research lab). Here's how the different critters work: Boot viruses hide in the boot sector of a floppy disk until you boot from the floppy and infect the hard drive. File viruses infect executable files and spread when you run the programs. Macro viruses infect Microsoft Word documents, and, to a lesser (but growing) degree, Excel spreadsheets. Wells tested how well the packages removed the ten most frequently seen viruses of all types, plus the next seven most frequently seen macro viruses, from otherwise clean files. He then timed how long each package took to scan 10,973 files for viruses, and ran further tests.

Three antivirus packages--Command AntiVirus, McAfee VirusScan, and Norton AntiVirus--detected all the wild viruses. Sophos missed 1, and Trend's prerelease version missed 8--statistically indistinguishable from a 100 percent success rate. Panda missed 15--all macro viruses--and is working on a fix. None of the packages found all the zoo viruses, but many of those viruses are new, and current products may not yet have detectors for them. Command, McAfee, Norton, Sophos, and Trend achieved very strong scores (ranging from 97 to 99 percent); Panda found a mere 78.4 percent, a showing the vendor says it is trying to improve. Except for McAfee, all the packages took less than 14 minutes to scan an entire 1GB hard drive. McAfee's scan lasted nearly half an hour. (We couldn't test InDefense's capabilities by the same methods we used to assess the other packages. See "InDefense: An Antivirus Utility With a Difference" for more on its performance.)

Viral Warfare

What were these products up against? A volatile virus scene, full of funky new infectors and die-hard pests that have skulked around for years. "Golden oldie" boot-sector viruses such as Form and AntiEXE continue to flourish, mainly through swapping of infected disks. File viruses still afflict the unwary, though less often than they did a few years ago. HTML viruses, which theoretically spread via viewings of tainted Web pages or e-mail, were "discovered" and then debunked in late 1998. The real explosion over the past year has been in macro viruses; because they can spread through any shared document (including e-mail attachments), their prevalence has grown prodigiously in recent months. The ICSA says macro viruses now represent over 80 percent of computer virus infections.

But there's some good news on the digital microbe front. You may have heard rumors of maliciously booby-trapped, Web site-based ActiveX and Java applets. Thus far, cases of infection by ill-meaning online applets have been more fantasy than fact. In part that's because standard file, boot, and (especially) macro viruses are considerably easier to develop. But because the potential for harm persists, some antivirus utility makers, such as Norton and McAfee, have added Java and ActiveX protection to their products.

Payback Time

More important than the form of the virus is its payload--the visible indicator of damage. A virus that causes major immediate damage effectively kills its host, stopping its own spread. Most of the thousands of viruses in existence are variations on relatively simple themes. The most successful viruses either cause very little damage or include time delays that postpone their damage until days, weeks, or months after they infect your PC. One current example of the time-delay type--a variant of the CIH virus--activates on the 26th of each month and can destroy data on your hard drive. In part because of the widespread publicity it has generated, CIH has caused little damage so far.

Macro viruses are getting more destructive every year. Though most cause no systemwide data damage, macro viruses that affect Excel worksheets can wreak havoc. Case in point: XM/Compat searches Excel worksheets for unprotected data and then makes small, random changes to some data while keeping the number of characters the same. Though current antivirus software can easily detect XM/Compat and remove it, there's no way to fix the damage other than to restore the data from a backup--assuming you have one.

You probably hear episodically about new viruses, mostly via e-mail. But many rumored invaders are urban legends, and the warning message itself, as it gets forwarded and reforwarded, becomes like a virus. To distinguish the real from the mythical, check the U.S. Department of Energy's Computer Incident Advisory Capability, or the independent Computer Virus Myths.
