How to keep your campus safe from infection: a head-to-head look at how 13 antivirus solutions stack up. Which ones will keep your computers protected?
Daily, in my duties at Colby-Sawyer College (NH), I run across all sorts of malware. After all, curious young minds want to explore all the Internet has to offer. The problem is, the Internet is not always a good place to be curious. As a result, I've seen all kinds of malware infections--in some cases, as many as 3,000 on a single computer. And I've managed to use my unique situation to acquire 10 viruses/Trojans and two exploits. These could be considered "zero-day infections," as most were so new that they were not even recognized by antivirus software (but all were confirmed by two or more companies after submission for evaluation). I chose these threats because I've seen them destroy a computer and render it useless on and off the Net. Yet these infections are not self-propagating, which is what a virus is by definition. Propagation is unnecessary when many of these infections are packaged with popular games or peer-to-peer programs, or, in some cases, buried on a Web page that gets 10,000 hits in a day. Most of these infections were far more complicated and time-consuming to remove, and had worse effects, than even the dreaded Sasser worm.
Varying Performance Between Products
So why doesn't every antivirus program detect and remove such infections? A technician from the computer security provider Sophos (www.sophos.com) explained that although many of the samples I have captured are Trojans and do create a backdoor into a computer (or install some sort of malicious code that eventually disables the computer completely), they are being used to propagate spyware. And until these infections are actually being used for virus-like activity, or for reasons other than bombarding your computer with spyware, the antivirus programs will not detect these infections. (Outrageously, some spyware companies in the UK were even bold enough to sue some antivirus companies on the premise that the spyware companies were receiving bad PR due to the insinuation that they were creating viruses.)
If you ask me, these companies are riding the fine line of the law, skirting legalities by saying that since their program does not propagate, it is not a virus. And while I haven't yet encountered a virus that I couldn't disable and remove in a short time, I have spent several hours on a single computer trying to remove spyware. It's also worth noting that, with a few exceptions, people whose computers have viruses usually don't know their systems are infected--seldom the case with spyware.
The problem is that these malicious programs technically are not spyware either, so they are not detected by any of the spyware programs I have tested. And until these programs are removed, a computer user's system will become overloaded with spyware and will eventually cease to be functional. For instance, I once saw a computer that had more than 300 processes running simultaneously, and took more than 20 minutes just to bring up the Task Manager.
The truth is, we are now in the information security age, and old-fashioned antivirus programs don't cut it. Computer users need comprehensive antivirus solutions combined with effective spyware solutions, providing real-time protection. Two good ones: Computer Associates' PestPatrol (www3.ca.com/securityadvisor/pest), or Webroot Spy Sweeper (www.webroot.com/products/spysweeper). PestPatrol reports over 1,000 new pests every month, while some of the traditional antivirus products I tested found as few as nine infections. My statistics follow; you tell me where the real threat is.
The antivirus software programs were tested on a fully patched Windows XP Professional machine loaded with Service Pack 2 and the latest software versions and definitions from each company. Only consumer products having some presence in the US (or at least I thought they did prior to testing) were tested. I did not read any manuals. Like most of you, I just want to install my antivirus product and know that I am protected so that I can continue with my chosen activity. The following products were tested on the same night. The viruses were then e-mailed that same night to each company (using a distribution list). Exactly a week later, I updated all antivirus definitions and retested; those results follow as well.
Key to Security Feature "Checklist" Chart (see the chart at the end of this article)
Windows XP Service Pack 2's Security Center compatibility (SP2 SC; column 1) acknowledges that the antivirus product is installed and up-to-date. Heuristics (column 2) is the ability to recognize as-yet unidentified viruses by catching virus-like patterns or behaviors. (I only reported this if settings were accessible, as I would hope all products have some sort of heuristics.) On-demand scan (O-D Scan; column 3) is very useful for checking suspicious files or downloads. This feature is commonly accessed via a right mouse click.
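The difference between column 2 and a plain signature scan is the whole reason the zero-day samples above slip through: a signature scanner only finds byte patterns it already has in its database, while a heuristic scanner flags traits that new malware tends to share (downloader and auto-start strings, a packed or encrypted executable body). The toy scanner below is an added illustration written for this key; it is not code from any product reviewed here. The EICAR string is the real, harmless industry test pattern; the second signature, the heuristic rules, the entropy threshold and the three sample files are all constructed for the example and are not real detections.

```python
"""Signature scanning versus heuristic scanning (added example, not product code)."""
import hashlib
import math
from collections import Counter

# Constructed signature database.  The EICAR entry is the real, harmless
# industry test string; the second entry is a made-up pattern for illustration.
SIGNATURES = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Hypothetical.Downloader.A": b"GET /cgi-bin/getpayload.exe HTTP/1.0",  # made up
}

# Constructed heuristic rules: strings a downloader Trojan or dropper commonly
# carries, each mapped to the behaviour it implies.
SUSPICIOUS_STRINGS = {
    b"URLDownloadToFile": "downloads a file from the Internet",
    b"WinExec": "launches another program",
    b"CurrentVersion\\Run": "installs itself to run at every login",
}
ENTROPY_THRESHOLD = 7.0  # bits per byte (assumed cut-off); packed code sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_scan(data: bytes) -> list[str]:
    """Exact-pattern matching: finds only what is already in the database."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(data: bytes) -> list[str]:
    """Flags virus-like traits without needing a signature for the sample."""
    findings = [why for s, why in SUSPICIOUS_STRINGS.items() if s in data]
    # A PE executable (MZ header) whose body is near-random is usually packed
    # or encrypted, the usual way a fresh sample hides from signature scanners.
    if data[:2] == b"MZ" and shannon_entropy(data[64:]) > ENTROPY_THRESHOLD:
        findings.append("packed or encrypted executable body")
    return findings


def classify(data: bytes) -> str:
    """Signature hit wins; otherwise require two heuristic findings to limit false positives."""
    if signature_scan(data):
        return "known malware"
    if len(heuristic_scan(data)) >= 2:
        return "suspicious"
    return "clean"


# --- Constructed sample files --------------------------------------------
EICAR = SIGNATURES["EICAR-Test-File"]

# A "zero-day" sample: nothing in the database, but a packed body plus downloader strings.
_packed_body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 high-entropy bytes
ZERO_DAY = b"MZ" + b"\x00" * 62 + _packed_body + b"URLDownloadToFile\x00WinExec\x00"

# A clean console program: PE header, readable strings, no suspicious behaviour.
CLEAN = b"MZ" + b"\x00" * 62 + b"Hello, world!\r\n" * 200

if __name__ == "__main__":
    for label, blob in [("EICAR", EICAR), ("zero-day", ZERO_DAY), ("clean", CLEAN)]:
        print(f"{label:9s} signature={signature_scan(blob)} "
              f"heuristics={heuristic_scan(blob)} -> {classify(blob)}")
```

Run as written, the EICAR file is caught by signature alone, the constructed zero-day sample is missed by the signature pass but flagged by the heuristics, and the clean file passes both. Requiring two independent heuristic findings before calling a file suspicious is the trade-off every product in the chart makes: a single weak indicator on its own would flag far too many legitimate installers.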
Antivirus Software Vendor Breakdown
SOPHOS Product name: Sophos Anti-Virus Version 3.86.2 Web site: www.sophos.com Local office: Lynnfield, MA Virus samples: email@example.com Download file size: 14.5MB Support: 800-355-3220 (24/7)
Comments: This program has very few options, no manual update, and no way to unload from memory, which may or may not be a bad thing. It does have an option to scan for Mac viruses. However, it did lock up when extracting my zipped viruses, which made testing tough. The program is also fairly resource-intensive.
When I called on a Saturday night, a technician answered the phone and was very helpful. He e-mailed me a nice script to help capture new viruses. It stated that they do not detect any Trojans used for spyware. This product has no online update service. When I downloaded the new definitions dated November, it was only the third week in October.
McAfee Product name: McAfee Virus Scan 9.0 Web site: www.mcafee.com Local office: Santa Clara, CA Price: $39.99 Download file size: N/A (Has online installer; hard to tell the size, but I would guess it is quite large.) Virus samples: virus firstname.lastname@example.org Support: 800-338-8754(24/7)
Comments: This is a great interface for someone who has no computer knowledge; it looks pretty easy to use with very limited options. This program is quite a drain on resources, and it locked up the computer when unzipping my viruses. Its interface encourages you to buy other security products. Very slow scan speed when scanning a single file. It also scans about 35 extra system files making it agonizingly slow. After sending several of the samples, McAfee e-mailed back saying they were new viruses, but its software still did not detect them a week later. When McAfee e-mailed back the results, they included an updated definition called extended.dat. However, they didn't send any instructions regarding what to do with it. After searching with no results for an existing file by the same name, I put it in the folder with the clean.dat and the scan.dat file, but it did not seem to do anything even after a reboot.
Product name: eTrust Antivirus Version 7.1 Web site: www3.ca.com/Solutions/Product.asp?ID=156 Local office: Islandia, NY Virus samples: email@example.com Support: 866-422-2774 (24/7) Price: $29.95 File size: 17.2 MB uncompressed (It came on a CD provided to me by CA.)
Comments: This program kept locking up. When I rebooted the computer, the SP2 firewall prompted me to allow eTrust to connect to the Internet, but it still didn't run properly until I completely disabled the firewall. eTrust has two different scan engines you can choose, although neither one of them found my viruses. The options available were few to moderate. It took a lot of work to get this product to function, only to have it find one new virus. The company's Web page is difficult to navigate, which is why I gave you a direct link to the product (these guys market a ton of solutions). You must disable the SP2 firewall or manually set permissions to update.
Product name: Kaspersky Anti-Virus Personal 5.0 Web site: www.kaspersky.com Local office: Russia Price: $41.50 Virus samples: firstname.lastname@example.org Support: Russian and English, 24 hours a day: 800-803-2152 (I never could get through to support.)
Comments: No reboot required for install; nice, easy-to-use interface, nice options. This product also comes in a professional version for the advanced user. Great archive scanner prompts user for password on locked files. Didn't update right away, but when I clicked on the update, it told me they were seven days old and updated. By far, the best Web site with the most information and an online scanner.
NOD32 and Kaspersky were the only programs that caught my viruses as I copied them into my VMware session, and when I highlighted the file with the mouse without opening them. This is definitely one of the best products out there, and I could not stop laughing as it squeals like a pig when viruses are detected.
Product name: PC-cillin Internet Security 2005 Web site: www.trendmicro.com Local office: Cupertino, CA Price: $49.95 (includes firewall software) Virus samples: virus doctor@trendmicro.com Support: 800-864-6027 (available weekdays, 5am-5pm PST) File size: 38MB with firewall (No evaluation version was available; I had to use a copy of the product that was recently purchased--but soon abandoned--by a colleague.)
Comments: Nice pre-scan on the install; says it can detect spyware. Unfortunately, the program doesn't seem to detect much of anything, but manages to delete an entire archive without asking, even if just one infected file is found.
Product name: Panda Titanium Antivirus 2004 Web site: www.pandasoftware.com Local office: Glendale, CA Price: $49.95 Virus samples: email@example.com Support: 818-543-6901 File size: 20MB
Comments: One of the slowest products tested, and it requires the most memory out of the programs tested. However, the program did perform fairly well, and the company representatives were responsive to my e-mails.
Product name: F-Prot Antivirus for Windows Version 3.15b Web site: www.f-prot.com Local office: Reykjavik, Iceland Price: $29 Virus samples: firstname.lastname@example.org Support: 354-540-7400 (Did not have the US presence I thought it did.) File size: 3.15MB
Comments: Small and fast install, quick update (came with virus samples only a week old), but offered limited options. At testing, the definitions had not been updated in almost a month.
Product name: Norton AntiVirus 2005 Web site: www.symantec.com Local office: Cupertino, CA Price: $49.95 Virus samples: email@example.com Support: Free online; fee-based phone support File size: 24MB
Comments: Limited support plan, very high resource usage after install, needs extensive updates and a reboot (a problem for dial-up users.) Has a built-in pre-scan during install. Detects spyware, but not the Trojans used to install them. Did not auto-update; I had to do it manually, and the product required a reboot to be effective.
Product name: F-Secure Anti-Virus 2005 Web site: www.f-secure.com Local office: San Jose, CA Price: $64 Support: 408-938-6700 8am-6pm CST File size: 25.1MB
Comments: Appears to consume a large amount of resources. Needed a reboot to work properly, but product did not indicate that was the case. Auto-updated a week later with no manual interaction required. Very fast scan, works very well.
Product name: BitDefender 8 Standard Web site: www.bitdefender.com Local office: Boca Raton, FL Support: 561-620-8815 Price: $44.95 File size: 8.6MB
Comments: Nice package, however the software offers few options and was semi-resource intensive.
Product name: NOD32 Version 2 Web site: www.nod32.com Local office: San Diego, CA Support: 619-437-7037 (6am-3pm PST; near-24/7 e-mail support) Price: $39 File size: 7.2MB
Comments: Very low overhead; advertised as the fastest scanner in the world. Web site lacks a little information. Internet module watches IP stack and intercepts viruses before they make it onto your computer. Great support; no automated answering menu; always a live person and never any wait times. Great heuristics; in fact, some of the best reported by independent testers. (Tests report 85 percent, while NOD32 claims they are at 91 percent.) Automatic updates start immediately; no reboot. One of two products that caught viruses importing into my VMware session. After detection, it would no longer allow me to access those files. It is also worth noting that the last few big viruses that disabled other antivirus software products did not disable NOD32. This is an outstanding product, probably the best. These guys are definitely not marketing their product enough, as they are the most decorated antivirus software out there.
Product name: Norman Virus Control Version 5 Web site: www.norman.com Local office: Fairfax, VA Support: 703-267-6109 or 888-GO-NORMAN (888-466-6762) Price: $63.74 File size: 12.5MB
Comments: No reboot required after install, but a little sluggish. Technician did return my phone call.
Product name: RAV AntiVirus Desktop Version 8.6 Web site: www.ravantivirus.com Local office: Romania Price: $29 Support: Unknown File size: 12.1MB
Comments: No reboot, says it protects against all malware--107,060 different pests/Trojans to be exact. Not sure the on-demand scanner really scans anything since it always reports the same number of files each time. This product is temporarily unavailable for download, but I found it on the company's FTP server. According to the company's Web site, Microsoft acquired RAV's intellectual property rights, and the company closed down its direct sales (including its e-store) in September 2003. And although the site still offers updates, they seem to have little to no effect.
After analyzing the results of my testing, NOD32 was my first choice, followed by Kaspersky. NOD32 excelled in speed and low resources, while Kaspersky did a better job with archives but detected fewer viruses overall. It is worth noting that NOD32 has live US customer support and close to 24/7 e-mail support, whereas Kaspersky has no US support, just resellers. BitDefender and Panda were next in line, with Panda one of the most resource-intensive. All four of these products deal with downloader Trojans, droppers, and a wide variety of malware, which is extremely helpful in this fast-growing epidemic.
Scott Brown is an information security analyst at Colby-Sawyer College.
CHECKLIST OF COMMON SECURITY FEATURES

Check out the comparison chart below to help find the best product for your school or institution. (See the key above: SP2 SC = Windows XP SP2 Security Center compatibility; Heuristics = detection of as-yet unidentified viruses by pattern or behavior; O-D Scan = on-demand scan of a chosen file.)

Name          1. SP2 SC   2. Heuristics   3. O-D Scan
BitDefender   Yes         No              Yes
eTrust        No          Yes             Yes
F-Prot        Yes         No              Yes
F-Secure      No          Yes             Yes
Kaspersky     Yes         Yes             Yes
McAfee        Yes         No              Yes
NOD32         Yes         Yes             Yes
Norman        Yes         No              Yes
Norton        Yes         Yes             Yes
Panda         Yes         Yes             Yes
PC-cillin     Yes         No              Yes
RAV           No          No              Yes
Sophos        Yes         No              No
Publication: T H E Journal (Technological Horizons In Education)
Article Type: Cover Story
Date: Aug 1, 2005