How Do I Choose Anti-Virus Software?
by Rick Smith (October 1998)
Choosing an anti-virus procedure is a daunting task. You have to follow a path between total abstinence (don't load any new programs) and total abandon (run any program from anyone on any machine). Clearly, both of these "methods" of coping with viruses are extreme, but after you lose your data, total abstinence looks really good, and many companies are using the total abandon approach without realizing it, because the anti-virus software they rely on is ineffective.
A virus is a program, deliberately written by a human. Viruses are not natural occurrences, and they are generally written by someone other than the manufacturer of the computer or software you are running. "Successful" ones replicate easily. A virus is NOT a hardware failure or a software bug.
Viruses can waste your time, waste your computer's resources and cause you to lose your work. Some sound worse than they really are, while others are truly malicious and quite destructive.
It is a fairly common joke that much of the "bloatware" (huge programs that accomplish a fairly simple task) is itself a virus: you waste your time learning it, it is slower than it should be, and it crashes and you lose your work. Some people have even modified virus scanners to respond to these commercial packages and trigger a virus alert. Although I believe these programs should be improved, for the purpose of this discussion they will NOT be considered viruses.
Types of anti-virus programs.
I feel that there are basically three types of anti-virus programs.
1. Table driven. These programs contain tables of "signatures" (byte patterns) of known viruses. The program simply scans each file to see whether any of these patterns is present. If one is, the virus is recognized and, depending on the virus, can be removed from the file. Sounds great. If there were no NEW viruses, this kind of program would be perfect. The problem is that new viruses crop up every day, so to keep up, the anti-virus manufacturer must issue new tables. A signature scanner can only find what is in its table; a virus whose pattern is absent passes as clean, with no warning that anything was missed. Depending on how well the manufacturer keeps up with new viruses, your protection can be anywhere from excellent to mediocre.
If the table has not been updated, you could be scanning your computer only for viruses created before 1994 (or whatever year your virus software was last updated). I'll repeat: running an old version of table-driven software to give yourself a sense of security is an ALMOST complete waste of time. Older viruses rarely exist in the real world, except at anti-virus manufacturers, testing labs, collectors and virus creators. Therefore, determine whether your software is the virus-table type and, if so, make sure to keep it up to date.
2. Virus behavior finders. This is a relatively new type of anti-virus program, and I'm not convinced that a manufacturer can "out-think" a potential virus. These programs alert on suspicious behavior: writing to boot sectors, writing to a hidden system file, and so on.
This sounds like a great idea, but once the program is on the street, virus creators can sometimes come up with clever ways to defeat it. True, the manufacturer can send out a new version each time, but then this system degrades into the first type of program: instead of updating the table of signatures, the entire program is updated.
3. Inoculation programs. If every executable program on your computer is "registered" in a table that records its length, checksum (a mathematical method for determining whether a series of bytes is unchanged) and last-modified date and time, a program can easily tell whether the program you are now loading has been changed since you ran the inoculation program that created this "registration" table. This only works if the table was built on a machine known to be clean and is itself kept where a virus cannot rewrite it.
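An inoculation-style checker of the kind described under type 3, as an added example in Python (not code from the original article or from any product it names). The directory layout, file contents and the use of SHA-256 in place of the simple checksums of the period are assumptions made for the demo; a plain checksum can be patched back to its old value after a modification, a cryptographic digest cannot.

```python
"""Toy 'inoculation' (integrity registration) checker.

Added example; not code from the original article. For every executable
under a directory it records the length, a SHA-256 digest and the mtime,
then reports what changed, appeared or vanished since registration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions treated as executable for the demo (an assumption; a real
# product would also look at file headers rather than names alone).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".sys", ".dot"}


def fingerprint(path: Path) -> dict:
    """Registration record for one file: length, SHA-256, modification time."""
    data = path.read_bytes()
    return {
        "length": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "mtime": int(path.stat().st_mtime),
    }


def build_registry(root: Path) -> dict:
    """Register every executable under root.

    Run this only on a machine known to be clean: a registry built from an
    already-infected file merely certifies the infection as 'unchanged'.
    """
    registry = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            registry[path.relative_to(root).as_posix()] = fingerprint(path)
    return registry


def differing_fields(old: dict, new: dict) -> list:
    """Names of the recorded fields whose values no longer match."""
    return sorted(k for k in old if old[k] != new.get(k))


def verify(root: Path, registry: dict) -> dict:
    """Compare the current tree against a saved registry.

    'changed' maps a file to the fields that differ. In practice the digest
    is the field that matters, because length and mtime are easy for a
    virus to preserve (the demo below does exactly that).
    """
    current = build_registry(root)
    return {
        "changed": {n: differing_fields(registry[n], current[n])
                    for n in registry if n in current and current[n] != registry[n]},
        "added": sorted(n for n in current if n not in registry),
        "missing": sorted(n for n in registry if n not in current),
    }


def demo(root=None) -> dict:
    """Constructed scenario: register two programs, then infect one while
    keeping its length and timestamp, and drop a new executable in."""
    if root is None:
        root = Path(tempfile.mkdtemp()) / "bin"
    root.mkdir(parents=True, exist_ok=True)
    prog = root / "EDIT.EXE"
    prog.write_bytes(b"MZ" + b"\x90" * 62 + b"legit code" * 10)
    (root / "UTIL.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")  # mov ax,4C00h; int 21h
    (root / "README.TXT").write_bytes(b"not executable, so never registered")

    # What an inoculation product would write to disk on the clean machine.
    saved = json.dumps(build_registry(root))

    # Tamper: overwrite the same number of bytes, so the length is unchanged ...
    before = prog.stat()
    data = bytearray(prog.read_bytes())
    data[64:74] = b"evil  code"
    prog.write_bytes(bytes(data))
    # ... and put the original timestamp back, as a careful virus would.
    os.utime(prog, (before.st_atime, before.st_mtime))
    # A new executable appears as well.
    (root / "DROPPED.EXE").write_bytes(b"MZ" + b"\x00" * 16)

    return verify(root, json.loads(saved))


if __name__ == "__main__":
    print(demo())
```

Running it reports EDIT.EXE as changed in the `sha256` field only, with its length and mtime still matching the registry, plus DROPPED.EXE as a file that was never registered. A checker that compared only dates and sizes would have passed the tampered file.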
Every program on the market combines aspects of these three methods in a customizable fashion. This customization can CREATE trouble if it is not configured properly. Here's an actual story:
When the Word macro virus gained popularity in early 1996, many people felt they had it (they could save their Word documents only as templates), but their anti-virus program couldn't find it. What was the problem? The user? The anti-virus software? What? People wanted answers.
This company was using Symantec's anti-virus, for which they had bought a site license. I had a version of Dr. Solomon's Anti-Virus that I had obtained to review for another publication. I created an anti-virus boot disk and set out to find the real problem.
Well, although Dr. Solomon's could be considered slow, because booting from the floppy it had no memory management, it caught all the viruses every time. In fact, each person whose machine I checked was amazed. They really didn't care about the speed. They learned the first law of virus hunting: speed DOESN'T matter, accuracy DOES. If you miss a virus, the anti-virus program has failed no matter how "quick" it is. They also wondered why the company didn't buy that program, and I didn't know why; that was a management problem and I was only a technical consultant.
The bottom line was that Dr. Solomon's (a table-driven program, type 1) found the viruses. In fact, on one person's machine it found over 150 infected files! And the user told me, "But I just ran the [corporate] anti-virus software" (Symantec's Norton Anti-Virus). What was the problem?
I decided to look further, through every single option on every screen. I had no documentation; corporate site licenses assume the corporation will train the users, something that is rarely done. I found that these systems weren't checking every file, and I even got into an argument with one of the corporate technicians. He told me that they were checking only EXECUTABLE programs, since a virus has to execute in order to infect. I had Dr. Solomon's checking every file. After the next Norton "table" update, I checked some systems again and found a few of the Word macro viruses that it had previously missed. But what about the 150 files that Norton missed and Dr. Solomon's caught? Another option. Norton can fix an infected file (like Solomon's), but you can choose instead to save the file as a VIR file, which you can also choose not to check (another option). The previous owner of this machine had been creating a "stash" of infected files that were only ONE rename away from being an active threat to the rest of the users!
Needless to say, I deleted them.
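The table-driven scanner described under type 1, together with the file-selection trap in the story above (a scanner told to look only at executables, and a quarantined copy renamed out of its reach), as an added example in Python. This is not code from the original article or from any product it names; the virus names, byte patterns, table date and "disk" contents are all constructed for the demo.

```python
"""Toy table-driven (signature) scanner.

Added example; not code from the original article. The signature table
maps virus names to byte patterns; the scanner reports every file that
contains any pattern. It also shows the two ways such a scanner fails
silently: a stale table, and a file filter that never opens anything not
named like an executable.
"""
from datetime import date

# Constructed signature table: names, patterns and date are invented.
SIGNATURE_TABLE = {
    "updated": date(1996, 3, 1),
    "signatures": {
        "Demo.Boot.A": bytes.fromhex("b80002cd13"),       # mov ax,0200h; int 13h
        "Demo.File.B": bytes.fromhex("e800005e81ee"),     # call $+3; pop si; sub si,imm
        "Demo.Macro.C": b"Sub AutoOpen()\r\nMacroCopy",   # macro body text
    },
}

EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")


def table_age_days(table: dict, today: date) -> int:
    """Age of the signature table; anything written since then is invisible."""
    return (today - table["updated"]).days


def is_executable_name(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def scan(files: dict, table: dict, executables_only: bool = False) -> dict:
    """Return {filename: [virus names]} for every file containing a pattern.

    files is {filename: bytes}. With executables_only=True a file whose name
    lacks an executable extension is never opened, so a macro document or a
    quarantined copy renamed to .VIR passes as clean.
    """
    hits = {}
    for name, data in files.items():
        if executables_only and not is_executable_name(name):
            continue
        found = [virus for virus, pattern in table["signatures"].items() if pattern in data]
        if found:
            hits[name] = found
    return hits


INFECTED_EXE = b"MZ" + b"\x90" * 30 + bytes.fromhex("e800005e81ee") + b"\x00" * 16

# Constructed 'disk': a clean program, an infected one, an infected Word
# document, a quarantined copy renamed .VIR, and a text file.
FILES = {
    "WORD.EXE": b"MZ" + b"\x90" * 48,
    "GAME.EXE": INFECTED_EXE,
    "LETTER.DOC": b"\xd0\xcf\x11\xe0" + b"Sub AutoOpen()\r\nMacroCopy \"Normal\"",
    "GAME.VIR": INFECTED_EXE,   # one rename away from being GAME.EXE again
    "NOTES.TXT": b"meeting at 3pm",
}


def demo(today: date = date(1998, 10, 1)) -> dict:
    """Run both configurations against the constructed disk."""
    return {
        "table_age_days": table_age_days(SIGNATURE_TABLE, today),
        "executables_only": scan(FILES, SIGNATURE_TABLE, executables_only=True),
        "all_files": scan(FILES, SIGNATURE_TABLE),
    }


if __name__ == "__main__":
    print(demo())
```

With the executables-only setting the scanner reports GAME.EXE and nothing else; scanning every file also turns up the macro in LETTER.DOC and the identical bytes sitting in GAME.VIR. The table age (944 days against the article's date) is the other silent failure: the scan reports "clean" for any file, however infected, whose pattern was added after that date. To check a real scanner's file-selection settings, use the EICAR test file rather than a live sample.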
Even though Dr. Solomon's was clearly superior, it wasn't a "cute" Windows program. (2nd Law: viruses will attack you no matter how good-looking your anti-virus software is.) Booting a floppy to test your computer and pressing a function key seemed simple, but it wasn't a Windows app. I didn't care, and when the users saw the results they didn't care either!
To sum up, here are my rules of anti-virus.
1. Speed DOESN'T matter, accuracy DOES. If you miss a virus, the anti-virus program has failed no matter how "quick" it is.
2. Viruses will attack you no matter how good looking your anti-virus software is.
3. Keep anti-virus software updated. Running an old virus scanner is ALMOST a complete waste of time.
And finally #4.
Get a second anti-virus checker. This is like having a second fire extinguisher close at hand: not required, but nice to have when you need it.
And which ones to use? You must choose a company of dedicated professionals who do anti-virus work not as a sideline but as a real occupation. Only then will you be assured of the best possible product.
And for those who ask what I do:
Reasonable abstinence. I run downloads on a "sacrificial" hard drive, save non-critical but interesting programs for a few months before using them (in case they carry a new virus) and, finally, use the latest version of Dr. Solomon's I have. After all, he put his name on it and he still works there.
© 1998 Rick Smith All rights reserved.