The New Virus Fighters

Saturday, April 4, 2009 at 5:45 AM

We have both good and bad news about the ongoing war against computer viruses. The good news: All the antivirus products we tested for this article were 100 percent successful at identifying and blocking recognized security threats. The bad news: Such utilities still can't completely protect you from new threats--and there are plenty of those around.

AV-Test, the German security firm with which PC World partnered for this story, says that 70 to 100 new threats are discovered each day. Though many of them are variants of existing threats, waiting even a few hours for your antivirus software vendor to release fixes for them exposes your computer and others to harmful infection. Plus, viruses aren't the only problem. Virus writers are also sending worms--which don't need a host file in order to spread--and other destructive programs such as Trojan horses to users as e-mail attachments.

"The Bagle author likes to do this," says senior security researcher Joe Stewart of LURHQ, a company that provides security consulting and managed security services. Because of such dangers, it's important that your antivirus application be able to recognize and remove not only viruses but other types of threats as well.


Antivirus Tools Strike Back

Antivirus software companies are adapting and upgrading their products in a number of ways. Frequently they now package traditional antivirus applications with other security components, such as antispyware tools and firewalls, to provide more-comprehensive protection; in some cases this extra functionality is baked into the antivirus product itself. Companies are also reducing the length of time it takes them to release signature updates, which individual antivirus utilities download and then use to recognize and destroy newly identified threats.

In addition, vendors are honing their products' heuristics, the mathematical algorithms that can spot new security threats based on their similarity to previously identified pieces of harmful code. "Heuristic scanning by antivirus software engines has shown some improvement over the past few years, with better detection and fewer false alarms," says Douglas Schweitzer, author of Securing the Network From Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans. In false alarms--or false positives--an application wrongly flags a file as malware. This mistake at best wastes users' time and at worst causes them to delete benign files.

Companies are also using behavior-based detection to fight new threats that their products can't yet recognize through signature updates. This technology monitors the parts of your system that a malicious file might target, flags suspicious behavior, and stops it. The drawback associated with this approach is that the malware must already be active on your computer in order for behavior-based monitoring to detect it. For this reason, behavior-based detection works best as a supplemental layer of protection behind the virus-scanning engine, which ideally eliminates the threat before it can execute.

Stand-Alone Apps, Suites, and Free Tools

With these trends in mind, PC World aimed to learn which of today's antivirus products will best protect you against both known and unknown malware. We tested ten products, ranging in price from free to $50. To create a level playing field, we tested stand-alone antivirus apps where available and only the antivirus components of suites that offer other functions such as antispyware protection and network firewalls. Testing the suites with their nonvirus-oriented components enabled would have given them an unfair advantage over the stand-alone antivirus programs, to which you can add (and we recommend that you do add) the firewall and antispyware tools of your choice.

Among our test group, Alwil Software's Avast Home Edition 4.6, AntiVir PersonalEdition Classic 6.32, and Grisoft's AVG Free Edition 7.1 are stand-alone programs that cost nothing. F-Secure Anti-Virus 2006, Kaspersky Lab's Kaspersky Anti-Virus Personal 5.0, McAfee VirusScan 2006, and BitDefender 9 Standard are paid stand-alone applications. Panda Software's Panda Titanium 2006 Antivirus + Antispyware and Symantec's Norton AntiVirus 2006 both include antispyware tools. Trend Micro sells its antivirus tool only as part of the full PC-cillin Internet Security Suite 2006.

One product we didn't rate is Zone Labs' ZoneAlarm Antivirus, our 2005 World Class winner in the category. It combines Computer Associates' Vet Antivirus engine with Zone Labs' network firewall and OSFirewall, a behavior-based prevention technology that flags suspicious system behavior.

AV-Test did evaluate Computer Associates' scanning engine, which performed poorly and was the slowest to release signature updates for new threats. However, for this story AV-Test could not assess the effectiveness of Zone Labs' behavior-based malware prevention. Putting it to the test against AV-Test's malware collection would have taken months, as each file has to be active on the test system. Since the OSFirewall is integral to the Zone Labs product, we excluded the entire product. (Panda's product, which we did rate, also uses behavior-based detection.)

How We Tested

Overall, AV-Test ran five tests (see details on the methodology). First, it determined whether the products could detect 1518 "in the wild" malware samples--a published list of viruses and other threats identified by the WildList Organization as active in public circulation.

Second, it tested the programs' ability to detect non-WildList threats by using its own collection (or zoo) of 136,250 backdoor programs, Trojan horses, and bots (also known as zombies). The zoo includes active malware collected from customers, computer magazines, and honey pots, which are Internet-connected servers that researchers set up to lure malware. Since the WildList is published, is often out-of-date, and intentionally excludes non-self-replicating threats such as Trojan horses and backdoor software, AV-Test's zoo malware complements the WildList malware well.

A network firewall will detect backdoor apps, bots, and Trojan horses; but as with behavior-based detection, a firewall will notify you of trouble only once the threat is active on your PC. "Firewalls stop network traffic," says LURHQ's Stewart. "They might stop a Trojan from phoning home. They're not going to stop a Trojan from running [on your PC]."

Third, AV-Test evaluated each product's heuristic capabilities. To do this, it looked at how well one- and two-month-old versions of the programs, which didn't have the later virus signatures installed, recognized malware that subsequently emerged. Thus, AV-Test determined the programs' ability to detect worms and backdoor software without the benefit of signature updates. Testing for worms and backdoor apps was appropriate because those were common and dangerous threats during the testing period, and brand-new viruses are hard to find, according to AV-Test.

Fourth, AV-Test examined each product's ability to clean up 110 macro viruses that attack Microsoft Office programs. And fifth, it compiled data on the average outbreak-response time by each antivirus software company to 16 outbreaks during eight months in 2005--a measure of how quickly the company deploys signature updates after new malware is identified.

To complete our testing, PC World timed how fast the various products conducted on-demand virus scans, and then we evaluated each product's ease of use, features, and tech support policies.

Our Antivirus Picks

After the dust finally settled, BitDefender 9 Standard emerged as our Best Buy. It ranked in the top four on every performance measure, and it costs only $30. The $40 McAfee VirusScan 2006--with its relatively good heuristics performance and intuitive interface--came in second.

Trend Micro's PC-cillin Internet Security Suite 2006, a descendant of our Best Buy in June 2004, finished ninth among the ten products. It performed poorly in the zoo and heuristics tests and is relatively expensive because it's available only as a full security suite. On the bright side, it had snappy outbreak-response times and offers a stellar user interface.

The three free programs came up short, too: AntiVir placed seventh, Avast ranked eighth, and AVG brought up the rear in tenth. Of course, for people who have no budget for antivirus software, any one of these products provides far more protection than simply forgoing an antivirus utility.

Fighting Malware We Know

At their default configurations and with up-to-date virus definitions in place, all of the products that AV-Test evaluated were 100 percent successful at detecting WildList viruses in real time and on demand, defined as when a user conducts a manual or scheduled scan of the computer.

The programs successfully detected and removed macro viruses, with a few exceptions. Avast failed to clean ten viruses, including two viruses that targeted files from PowerPoint versions 97 to 2003 and four viruses that targeted files from Word 6. Panda did not fully clean the two PowerPoint viruses, though the files were still operable. AntiVir failed to clean ten Word 6 viruses among others, and BitDefender missed two viruses that targeted files from Word versions 97 to 2003. These viruses aren't new, so today's products should be able to handle them.

The ability to catch WildList viruses is essential, since they're widely known; detecting the miscreants in AV-Test's zoo, however, is a somewhat different matter.

Kaspersky Anti-Virus Personal 5.0 was the only program we looked at that successfully detected all three types of zoo threats 100 percent of the time. F-Secure and Symantec were successful 97 percent of the time--still an excellent score.

At the other end of the spectrum, PC-cillin produced one of the worst results, detecting only 76 percent of zoo threats overall--a figure that breaks down as 85 percent of bots, 82 percent of backdoor software, and 69 percent of Trojan horses. Trend Micro says that it chooses not to expend resources developing signature files for the malware contained in AV-Test's zoo because those threats have never affected its customers. We can't say for sure whether every threat in the zoo is relevant, but we would rather choose a product that detects 100 percent of that menagerie's beasts.

Fighting Malware We Don't Know

None of the products performed exceptionally well in our heuristic tests, proving that there is room for improvement in identifying new threats. In our tests of apps with one-month-old signatures, BitDefender performed the best, detecting 43 percent of worms and 57 percent of backdoor programs. McAfee came in a close second, catching 41 percent of worms and 55 percent of backdoor software. F-Secure and Kaspersky finished close behind, each catching more than 32 percent of worms and 53 percent of backdoor malware. (AV-Test says that a 50 percent detection rate is very good.) In our tests of apps with two-month-old signatures, all programs did more poorly.

PC-cillin again performed the worst. Its scanner with one-month-old definitions caught just 5 percent of worms and 7 percent of backdoor software. Trend Micro feels that the problems caused by heuristics--in particular, with its potential for false positives--outweigh the benefits. As a result, the company chooses to place less emphasis on developing heuristics.
