What is the best antivirus program?
None! Different products are more or less appropriate in different
situations, but in general you should build a cost-effective *strategy*
based on multiple layers of defense. There are three main kinds of
antivirus software, plus several other means of protection, such as
hardware write-protect methods (see D4). When planning your antivirus
strategy you should also look closely at your backup policies and
procedures (see 10).
1. ACTIVITY MONITORING programs. These try to prevent infection
before it happens by looking for virus-like activity, such as
attempts to write to another executable, reformat the disk,
etc. An alternative term is BEHAVIOR BLOCKER.
Examples: SECURE and FluShot+ (PC), and GateKeeper
These programs are considered the weakest line of defense
against viruses on a system that does not have memory
protection, because in such an environment it is possible for
a tunnelling virus (see B12) to bypass or disable them.
2. SCANNERS. Most look for known viruses by searching your
disks and files for "scan strings" or patterns, but a few use
heuristic techniques to recognize viral code. Most now also
include some form of "algorithmic scanning" in order to
detect known polymorphic viruses. A scanner may be designed
to examine specified disks or files on demand, or it may be
resident, examining each program which is about to be
executed. Most scanners also include virus removers.
Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk
Software's F-PROT, McAfee's VirusScan (all PC), Disinfectant
Resident scanners: McAfee's V-Shield, and F-PROT's VIRSTOP.
Heuristic scanners: the Analyse option in F-PROT, TBAV's
TbScan and ChkBoot (from Padgett Peterson's FixUtils).
Scanners are the most convenient and the most widely used
kind of antivirus programs. They are a relatively weak line
of defense because even the simplest virus can bypass them if
it is new and unknown to the scanner. Therefore, your virus
protection system should not rely on a scanner alone.
3. INTEGRITY CHECKERS or MODIFICATION DETECTORS. These compute
a small "checksum" or "hash value" (usually CRC or
cryptographic) for files when they are presumably uninfected,
and later compare newly calculated values with the original
ones to see if the files have been modified. This catches
unknown viruses as well as known ones and thus provides
*generic* detection. On the other hand, modifications can
also be due to reasons other than viruses. Usually, it is up
to the user to decide which modifications are intentional and
which might be due to viruses, although a few products give
the user help in making this decision. As in the case of
scanners, integrity checkers may be called to checksum entire
disks or specified files on demand, or they may be resident,
checking each program which is about to be executed (the
latter is sometimes called an INTEGRITY SHELL). A third
implementation is as a SELF-TEST, where the checksumming code
is attached to each executable file so they check themselves
just before execution. It is generally considered a bad idea
to add such code to existing executables (see F8).
Examples: ASP Integrity Toolkit (commercial), and Integrity
Master and VDS (shareware), all for the PC.
Integrity checkers are considered to be the strongest line of
defense against computer viruses, because they are not virus-
specific and can detect new viruses without being constantly
updated. However, they should not be considered as an
absolute protection--they have several drawbacks, cannot
identify the particular virus that has attacked the system,
and there are successful methods of attack against them too.
3a. Some modification detectors provide HEURISTIC DISINFECTION.
Sufficient information is saved for each file so that it can
be restored to its original state in the case of the great
majority of viral infections, even if the virus is unknown.
Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD
module of V-Care and ThunderByte's TbClean.
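As an added illustration (not part of the original FAQ or any product named above) of the contrast between a scanner and an integrity checker: the scanner only recognises a constructed, hypothetical scan string, while the checker compares file hashes against a baseline taken when the file was presumed clean, so it also flags an unknown variant and, as the caveat above notes, a perfectly legitimate update.

```python
import hashlib
import os
import tempfile
# Constructed scan string for a hypothetical "DemoVirus.A"; not real virus code.
KNOWN_SCAN_STRINGS = {"DemoVirus.A": b"DEMO-VIRUS-MARKER"}
CLEAN_IMAGE = b"clean program image"  # constructed stand-in for a host program

def scan_file(path):
    """Scanner: return the name of the first known scan string found, else None."""
    with open(path, "rb") as f:
        data = f.read()
    for name, pattern in KNOWN_SCAN_STRINGS.items():
        if pattern in data:
            return name
    return None

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(paths):
    """Integrity checker, step 1: record hashes while the files are presumed clean."""
    return {p: hash_file(p) for p in paths}

def check_integrity(baseline):
    """Integrity checker, step 2: return the paths whose hash no longer matches."""
    return [p for p, old in baseline.items()
            if not os.path.exists(p) or hash_file(p) != old]

def demo():
    """Run both tools on a known infection, an unknown one and a legitimate update."""
    cases = {
        "known_virus": CLEAN_IMAGE + b"DEMO-VIRUS-MARKER",   # appended known marker
        "unknown_virus": CLEAN_IMAGE + b"NEW-VARIANT-0001",  # marker the scanner lacks
        "legit_update": b"clean program image v2",           # not a virus at all
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "PROG.COM")
        with open(prog, "wb") as f:
            f.write(CLEAN_IMAGE)
        baseline = build_baseline([prog])  # taken while the file is clean
        for label, image in cases.items():
            with open(prog, "wb") as f:
                f.write(image)  # simulate the modification
            # (scanner verdict, did the integrity checker flag the file?)
            results[label] = (scan_file(prog), check_integrity(baseline) == [prog])
    return results
```

The checker flags all three cases, which is exactly why the FAQ says it is left to the user to decide which modifications were intentional.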
Note that behavior blockers and scanners are virus *prevention* tools,
while integrity checkers are virus *detection* tools.
Of course, only a few examples of each type have been given. All of
these types of antivirus program have a place in protecting against
computer viruses, but you should appreciate the limitations of each
method, along with system-supplied security measures that may or may not
be helpful in defeating viruses. Ideally, you should arrange a
combination of methods that cover each others' weaknesses.
A typical PC installation might include a protection system on the hard
disk's MBR to protect against viruses at load time (ideally this would
be hardware or in BIOS, but software methods such as DiskSecure and
Henrik Stroem's HS are pretty good). This would be followed by resident
virus detectors loaded as part of the machine's startup (CONFIG.SYS or
AUTOEXEC.BAT), such as FluShot+ and/or VirStop and/or ChkBoot. A
scanner such as F-PROT or McAfee's VirusScan and an integrity checker,
such as Integrity Master, could be put into AUTOEXEC.BAT, but this may
be a problem if you have a large disk to check, or don't reboot often
enough. Most importantly, new files and diskettes should be scanned as
they arrive *regardless* of their source. If your system has DR DOS
installed, you should use the PASSWORD command to write-protect all
system executables and utilities. If you have Stacker or SuperStor, you
can get some improved security from these compressed drives, but also a
risk that those viruses stupid enough to directly write to the disk
could do much more damage than normal. In this case a software write-
protect system (such as provided with Disk Manager or The Norton
Utilities) may help. Possibly the best solution is to put all
executables on a disk of their own, with a hardware write-protect system
that sounds an alarm if a write is attempted.
If you do use a resident BSI detector or a scan-while-you-copy detector,
it is important to trace back any infected diskette to its source. The
reason viruses survive so well is that usually you cannot do this,
because the infection is found long after the infecting diskette has
been forgotten due to most people's lax scanning policies.
Organizations should devise and implement a careful policy that may
include a system of vetting new software brought into the building and
free virus detectors for the home machines of employees, students, etc.
who take work home with them.