How to Keep Your Campus Safe from Infection
A head-to-head look at how 13 antivirus solutions stack up. Which ones will keep your computers protected?
For many years, I've scanned the test results published by the industry standards in antivirus testing and perused countless pages of information, trying to make sense of it all. Yet once I was done, I still didn't have an answer to my original question: Which antivirus program should I buy?
Daily, in my duties at Colby-Sawyer College (NH), I run across all sorts of malware. After all, curious young minds want to explore all the Internet has to offer. The problem is, the Internet is not always a good place to be curious. As a result, I've seen all kinds of malware infections; in some cases, as many as 3,000 on a single computer. And I've managed to use my unique situation to acquire 10 viruses/Trojans and two exploits. These could be considered "zero-day infections," as most were so new that they were not even recognized by antivirus software (though all were confirmed as malicious by two or more companies after submission for evaluation).
I chose these threats because I've seen them destroy a computer and render it useless on and off the Net. Yet these infections are not self-propagating, which is what a virus is by definition. Propagation is unnecessary when many of these infections are packaged with popular games or peer-to-peer programs, or, in some cases, buried on a Web page that gets 10,000 hits in a day. Most of these infections were far more complicated and time-consuming to remove, and had worse effects, than even the dreaded Sasser worm.
Varying Performance Between Products
So why doesn't every antivirus program detect and remove such infections? A technician from one of the antivirus companies tested in this article explained to me that, although many of the samples I sent him were Trojans that did create a backdoor into a computer, or installed some sort of malicious code that would eventually disable a computer completely, they are primarily used to propagate spyware rather than for virus-like activity. Until these infections are actually used for virus-like activity, or for something other than bombarding your computer with spyware, the company will not detect them. The technician went on to tell me that one spyware company in the UK was bold enough to take legal action against this antivirus company, suing on the grounds that its software does not self-propagate and therefore does not meet the legal definition of a virus. Detection by an antivirus company would surely lead to bad press for these and other companies developing similar software.
If you ask me, these companies are walking a fine line, skirting the law by arguing that since their program does not propagate, it is not a virus. And while I haven't yet encountered a virus that I couldn't disable and remove in a short time, I have spent several hours on a single computer trying to remove spyware. It's also worth noting that, with a few exceptions, people whose computers have viruses usually don't know their systems are infected, which is seldom the case with spyware.
The problem is that these malicious programs technically are not spyware either, so they are not detected by any of the antispyware programs I have tested. And until these programs are removed, a user's system will become overloaded with spyware and will eventually cease to be functional. For instance, I once saw a computer that had more than 300 processes running simultaneously, and that took more than 20 minutes just to bring up the Task Manager. In the information security age, antivirus programs that do not detect these spyware/virus crossbreeds simply won't cut it. Users need a complete antivirus solution combined with a good antispyware solution with real-time protection. See my results and you tell me where the real threat is.
The antivirus software programs were tested on a fully patched Windows XP Professional machine loaded with Service Pack 2 and the latest software versions and definitions from each company. Only consumer products having some presence in the US (or at least I thought they did prior to testing) were tested. I did not read any manuals. Like most of you, I just want to install my antivirus product and know that I am protected so that I can continue with my chosen activity. The following products were tested on the same night. The virus samples were then e-mailed that same night to each company (using a distribution list). Exactly a week later, I updated all antivirus definitions and retested; those results follow as well.
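The day-0 scan, vendor submission and day-7 re-scan described above are easy to tabulate consistently. The Python below is an added example, not code from the article or from any of the vendors reviewed; the product names are the ones tested here, but the sample ids, the verdicts and the day-0/day-7 outcomes are constructed for illustration and are not the article's results.

```python
"""Tabulate a comparative antivirus test of the kind described above.

Added example; this is not code from the original article. Every verdict
below is constructed for illustration: the product names come from the
review, but which product detected which sample on which day is made up,
and the sample ids are placeholders, not real malware.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed sample set. In a real test each entry would be the SHA-256 of
# the sample, so the file submitted to vendors on day 0 is provably the same
# file re-scanned on day 7, whatever it has been renamed to in between.
SAMPLES = ["s1", "s2", "s3", "s4", "s5", "s6"]

# Constructed verdicts, one character per sample in SAMPLES order, for the
# day-0 scan and the day-7 re-scan after updating definitions:
#   D = detected, M = missed, X = scanner locked up while extracting the sample
VERDICTS = {
    "NOD32":     ("DDDDMM", "DDDDDM"),
    "Kaspersky": ("DDMMMD", "DDDDMD"),
    "McAfee":    ("XDMMMM", "MDMMMM"),
    "Sophos":    ("DMXMMM", "DDMMMM"),
}
PRODUCTS = list(VERDICTS)


def records_from(verdicts, samples):
    """Expand the compact table into (product, day, sample, verdict) tuples."""
    code = {"D": "detected", "M": "missed", "X": "crashed"}
    out = []
    for product, (day0, day7) in verdicts.items():
        for day, row in ((0, day0), (7, day7)):
            if len(row) != len(samples):
                raise ValueError(f"{product} day {day}: {len(row)} verdicts for {len(samples)} samples")
            for sample, c in zip(samples, row):
                out.append((product, day, sample, code[c]))
    return out


RECORDS = records_from(VERDICTS, SAMPLES)


def detections(records):
    """Map (product, day) -> set of sample ids reported as detected.

    A scanner that locked up on a sample gave no verdict, so that sample is
    simply absent here and counts as a miss, which is what the user of the
    product actually experiences.
    """
    out = defaultdict(set)
    for product, day, sample, verdict in records:
        if verdict == "detected":
            out[(product, day)].add(sample)
    return out


def detection_rate(records, product, day, samples):
    """Fraction of the sample set the product detected on the given day."""
    caught = detections(records)[(product, day)] & set(samples)
    return Fraction(len(caught), len(samples))


def newly_detected(records, product, samples):
    """Samples missed on day 0 but caught on day 7: signatures shipped after submission."""
    d = detections(records)
    return sorted((d[(product, 7)] - d[(product, 0)]) & set(samples))


def missed_by_all(records, products, day, samples):
    """Samples no tested product detected that day: still zero-day for the user."""
    d = detections(records)
    caught = set()
    for p in products:
        caught |= d[(p, day)]
    return sorted(set(samples) - caught)


def crashed_on(records, product):
    """Samples on which the product locked up instead of returning a verdict."""
    return sorted(s for p, _day, s, v in records if p == product and v == "crashed")


def summarize(records, products, samples):
    """Rows of (product, day-0 rate, day-7 rate, samples added in a week), best day-7 rate first."""
    rows = []
    for p in products:
        rows.append((p,
                     detection_rate(records, p, 0, samples),
                     detection_rate(records, p, 7, samples),
                     len(newly_detected(records, p, samples))))
    rows.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return rows


if __name__ == "__main__":
    for product, r0, r7, added in summarize(RECORDS, PRODUCTS, SAMPLES):
        crashes = crashed_on(RECORDS, product)
        print(f"{product:10} day 0: {r0.numerator}/{r0.denominator}  "
              f"day 7: {r7.numerator}/{r7.denominator}  new signatures: {added}"
              + (f"  locked up on: {', '.join(crashes)}" if crashes else ""))
    print("missed by every product on day 0:", missed_by_all(RECORDS, PRODUCTS, 0, SAMPLES))
```

Run it directly to print one row per product. Counting a lock-up as a miss rather than dropping the sample from the denominator is deliberate: a scanner that hangs on an archive protects no one, and excluding the sample would hide that.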
Additional supporting charts and graphs:
Antivirus Software Vendor Breakdown
Sophos Anti-Virus, Version 3.86.2
Web site: www.sophos.com
Local office: Lynnfield, MA
Virus samples: email@example.com
Comments: This program has very few options, no manual update, and no way to unload it from memory, which may or may not be a bad thing. It does have an option to scan for Mac viruses. However, it locked up when extracting my zipped viruses, which made testing tough. The program is also fairly resource-intensive. When I called on a Saturday night, a technician answered the phone and was very helpful. He e-mailed me a nice script to help capture new viruses. The reply also stated that they do not detect any Trojans used for spyware. This product has no online update service. When I downloaded the new definitions dated November, it was only the third week in October.
McAfee VirusScan 9.0
Web site: www.mcafee.com
Local office: Santa Clara, CA
Price: $39.99
Download file size: N/A (online installer; hard to tell the size, but I would guess it is quite large.)
Virus samples: firstname.lastname@example.org
Comments: This is a great interface for someone who has no computer knowledge; it looks pretty easy to use, with very limited options. This program is quite a drain on resources, and it locked up the computer when unzipping my viruses. Its interface encourages you to buy other security products. Very slow scan speed when scanning a single file; it also scans about 35 extra system files, making it agonizingly slow. After I sent several of the samples, McAfee e-mailed back saying they were new viruses, but its software still did not detect them a week later. When McAfee e-mailed back the results, they included an updated definition file called extended.dat. However, they didn't send any instructions regarding what to do with it. After searching without result for an existing file by the same name, I put it in the folder with the clean.dat and scan.dat files, but it did not seem to do anything, even after a reboot.
eTrust Antivirus, Version 7.1
Web site: www3.ca.com/Solutions/Product.asp?ID=156
Local office: Islandia, NY
Virus samples: email@example.com
File size: 17.2 MB uncompressed (It came on a CD provided to me by CA.)
Comments: This program kept locking up. When I rebooted the computer, the SP2 firewall prompted me to allow eTrust to connect to the Internet, but it still didn't run properly until I completely disabled the firewall. eTrust has two different scan engines you can choose from, although neither one of them found my viruses. The options available were few to moderate. It took a lot of work to get this product to function, only to have it find one new virus. The company's Web page is difficult to navigate, which is why I gave you a direct link to the product (these guys market a ton of solutions). You must disable the SP2 firewall or manually set permissions to update.
Kaspersky Anti-Virus Personal 5.0
Web site: www.kaspersky.com
Price: $41.50
Virus samples: firstname.lastname@example.org
Support: Russian and English, 24 hours a day: 800-803-2152 (I never could get through to support.)
Comments: No reboot required for install; nice, easy-to-use interface; nice options. This product also comes in a professional version for the advanced user. Great archive scanner that prompts the user for the password on locked files. Didn't update right away, but when I clicked on Update, it told me the definitions were seven days old and updated them. By far the best Web site, with the most information and an online scanner.
NOD32 and Kaspersky were the only programs that caught my viruses as I copied them into my VMware session, and when I highlighted the file with the mouse without opening it. This is definitely one of the best products out there, and I could not stop laughing as it squeals like a pig when viruses are detected.
PC-cillin Internet Security 2005
Web site: www.trendmicro.com
Price: $49.95 (includes firewall software)
Virus samples: email@example.com
Support: 800-864-6027 (available weekdays, 5 am - 5 pm PST)
File size: 38 MB with firewall (No evaluation version was available; I had to use a copy of the product that was recently purchased, but soon abandoned, by a colleague.)
Comments: Nice pre-scan on the install; says it can detect spyware. Unfortunately, the program doesn't seem to detect much of anything, but it manages to delete an entire archive without asking, even if just one infected file is found.
Panda Titanium Antivirus 2004
Web site: www.pandasoftware.com
Price: $49.95
Virus samples: firstname.lastname@example.org
Comments: One of the slowest products tested, and it requires the most memory of the programs tested. However, the program did perform fairly well, and the company representatives were responsive to my e-mails.
F-Prot Antivirus for Windows, Version 3.15b
Web site: www.f-prot.com
Price: $29
Virus samples: email@example.com
Support: 354-540-7400 (Did not have the US presence I thought it did.)
Comments: Small and fast install, quick update (came with virus samples only a week old), but offered limited options. At testing, the definitions had not been updated in almost a month.
Norton AntiVirus 2005
Web site: www.symantec.com
Price: $49.95
Virus samples: firstname.lastname@example.org
Support: Free online; fee-based phone support
Comments: Limited support plan; very high resource usage after install; needs extensive updates and a reboot (a problem for dial-up users). Has a built-in pre-scan during install. Detects spyware, but not the Trojans used to install it. Did not auto-update; I had to do it manually, and the product required a reboot to be effective.
F-Secure Anti-Virus 2005
Web site: www.f-secure.com
Local office: San Jose, CA
Support: 408-938-6700, 8am-6pm CST
Comments: Appears to consume a large amount of resources. Needed a reboot to work properly, but the product did not indicate that was the case. Auto-updated a week later with no manual interaction required. Very fast scan; works very well.
BitDefender 8 Standard
Web site: www.bitdefender.com
Local office: Boca Raton, FL
Comments: Nice package; however, the software offers few options and was semi-resource-intensive.
NOD32 Version 2
Web site: www.nod32.com
Local office: San Diego, CA
Support: 619-437-7037 (6am-3pm PST; near 24/7 e-mail support)
Comments: Very low overhead; advertised as the fastest scanner in the world. Web site lacks a little information. The Internet module watches the IP stack and intercepts viruses before they make it onto your computer. Great support: no automated answering menu, always a live person, and never any wait time. Great heuristics; in fact, some of the best reported by independent testers (tests report 85 percent, while NOD32 claims 91 percent). Automatic updates start immediately; no reboot. One of two products that caught viruses as I imported them into my VMware session; after detection, it would no longer allow me to access those files. It is also worth noting that the last few big viruses that disabled other antivirus products did not disable NOD32. This is an outstanding product, probably the best. These guys are definitely not marketing their product enough, as they are the most decorated antivirus software out there.
Norman Virus Control, Version 5
Web site: www.norman.com
Comments: No reboot required after install, but a little sluggish. Technician did return my phone call.
RAV AntiVirus Desktop, Version 8.6
Web site: www.ravantivirus.com
Comments: No reboot; says it protects against all malware: 107,060 different pests/Trojans, to be exact. Not sure the on-demand scanner really scans anything, since it always reports the same number of files each time. This product is temporarily unavailable for download, but I found it on the company's FTP server. According to the company's Web site, Microsoft acquired RAV's intellectual property rights, and the company closed down its direct sales (including its e-store) in September 2003. And although the site still offers updates, they seem to have little to no effect.
After analyzing the results of my testing, NOD32 was my first choice, followed by Kaspersky. NOD32 excelled in speed and low resource use, while Kaspersky did a better job with archives but detected fewer viruses overall. It is worth noting that NOD32 has live US customer support and close to 24/7 e-mail support, whereas Kaspersky has no US support, just resellers. BitDefender and Panda were next in line, with Panda one of the most resource-intensive. All four of these products deal with downloader Trojans, droppers, and a wide variety of malware, which is extremely helpful in this fast-growing epidemic.
Scott Brown has been an information security analyst with Colby-Sawyer College, an independent and comprehensive liberal arts college located in central New Hampshire, since 2004. Prior to joining the school, Brown ran his own computer consulting business for nearly 20 years, specializing in building and repairing hardware and troubleshooting operating systems for small businesses. By the late 1990s, he found himself doing more and more operating system and network troubleshooting. Brown has been working with malware since the beginning, so he clearly understands viruses and other forms of malware.
This article originally appeared in the 08/01/2005 issue of THE Journal.