Antivirus Roundup
Lately we've been doing a spot of research into the available antivirus products,
with a view to changing our supplier and reseller agreement. The decision to
take this step came after a client-site computer was found to have been compromised
by a relatively serious executable-infector virus. This in spite of antivirus
software which we'd been reselling for a number of years, which had served well
over most of this interval but which recently seemed to be losing its effectiveness.
Information presented here is based on actual field experience, and is given
in good faith. We've tried to be fair to the vendors in question, but without
presenting the kind of unrealistically-positive reports often found on major
IT review-sites. Basically, if we think it's a poor product, we say so. If the vendor
doesn't like that, tough. It's an opinion, and we are entitled to state it.
Desktop Antivirus Packages:
| Product | Detection Rate | False Alarm Rate | Plus Points | Known Issues | Free* version | Verdict |
|---|---|---|---|---|---|---|
| Eset NOD32 | Excellent | Low | Network-aware, and ideal for larger sites. All-round good performance. | Somewhat complex to configure | No | Yes |
| Avast | Excellent | Low | Lightweight, fast and effective. Network options | Use of 'Secure Desktop' is incompatible with some software. | Yes | Yes |
| Avira | Excellent | Low | Small and efficient. | None observed. | Yes | Yes |
| Sophos | Excellent | Low | Business-site oriented. | Somewhat complex | No | Yes |
| AVG | Good | High | Easy to setup, fully configurable. | Web-protect module has major issues | Yes | Maybe |
| McAfee | Average | High | Brand-leader | Considerable slowdown | No | No |
| Norton | Good | High | Brand-leader | Excessive slowdown | No | No |
| ClamAV | Excellent | High | Open-source, multi-platform. Portable version. | No Windows on-access scanner. | Free (GPL) | Yes, for specialist use. |
Specialist Spyware/Adware detection utilities:
| Product | Detection Rate | False Alarm Rate | Plus Points | Known Issues | Free Version * | Verdict |
|---|---|---|---|---|---|---|
| Malwarebytes Anti-Malware | Best of all tested. | Some | THE product for removing spyware. | Detects some popular utilities as malware. | Yes | Yes |
| Spybot Search & Destroy | Poor | Low | Memory-resident module | Limited effectiveness | Yes | No |
| Lavasoft Ad-aware | Moderate | Some | Used to be the preferred option. | Outclassed by Malwarebytes scanner. | Yes | Maybe |
The omission of a product from these tables is not a reflection on its performance; it's just that we've never encountered or benchtested it. We are a support operation and not a review site, so please be aware that we don't aim to test all available products.
* Note that not all free versions are licensed for business use.
Our hands-on experiences:
Antivirus Programs:
Eset NOD32: Following some fairly exhaustive benchtests we're thinking this one is the solution we need, and will probably be recommending it in future. Detection rates appear to be good. So far, no indications of false-alarms or erroneous deletions of files have occurred. Although there is some impact on system performance as compared to an unprotected computer, this is not significant enough to be a concern. It's not the cheapest of the bunch, but is far less expensive than Norton or McAfee. Plus, the business version comes with a very useful rollout-tool which largely eliminates to need to make settings on a computer-by computer basis, a great timesaver for the network IT guy.
If there's a downside it's that the settings in v4 are a trifle complex, and not all that logical. For example, email scanning is mentioned in numerous different sections of the configuration dialog. Some sections of the configuration seem to duplicate others, and it's not certain which settings apply in any given set of circumstances. Therefore, expect to do a fair bit of study before rolling this product out.
Avast: Reports indicate this to be a solid program with good detection-performance and minimal impact of computer speed. Tests done here certainly seem to confirm that its demands are among the lightest of the products tested. Costwise, the professional version is also one of the lowest among Pro offerings. Settings are a lot more straightforward to configure than those of Eset's NOD32. It's also interesting to note that Avast is very much a product of a community of developers, and the website provides a very high level of interaction and support for users.
We would have selected Avast as our product of choice had it not been for one thing: the use of the 'Secure Desktop' to provide notifications to the user. For those unfamiliar with the term, this is where Vista or 7 'dim the screen' and block access to all but one dialog, as when UAE requires a response. Only, Avast does this on Windows XP as well, which is unheard-of. The issue here, well-known with UAE, is that this mechanism interferes with systems used to provide remote support to clients. Now, Windows7's 'screen-dimming' can be turned off, but Avast's cannot, at least not without cancelling all self-protection. Thus we found Avast to be unsuitable for our business-model, which relies heavily on remote support. For the home user, or for that matter the self-supporting business user, this may not be so much of a concern, though.
Avira: A compact and lightweight product with a good detection rate and minimal impact on computer performance. We've only a limited experience of using it, but our experiences have generally been good.
Sophos: A product aimed more at the corporate market than SOHO users. Managed one relatively large site using this, and found it effective and relatively trouble-free. Rather costly, but then you do get what you pay for, and it certainly worked.
AVG: We resold this product for a considerable time, but have recently found its performance to be lacking, hence the drive to find alternatives. Whilst the impact on computer performance is small, it has been seen to be prone to miss actual infections as well as to produce far too many false-alarms. The email-scanning component is prone to causing timeouts during mail downloads, therefore we generally omit it from the installation. Meanwhile, the 'Safe Surf' module is widely reported to cause browser problems. Again, we tend to omit this from installs.
Concerns over AVG's effectiveness came to a head a while back, when a client-site computer was found to have a very serious executable-modifying Trojan resident and active on it. This despite AVG sitting there, silent. The Trojan was found to be detectable with most of the mainstream AV products, as determined by a sample uploaded to Virustotal. On a previous occasion, AVG for Networks had attacked several login-script components on a site server, automatically quarantining them as supposed malware, making it impossible for users to log in. This was a complete false-alarm, and as such had the potential to cause a great deal of lost productivity. These and other incidents of substandard performance brought-about the decision to look-to other products.
Norton: Major problem here is that of the computer's performance being drastically affected by the antivirus program. The corporate, antivirus-only Norton offering is more acceptable in this respect, but the consumer version (360) can bring even the most powerful computer down to a crawl. Virus detection rates seem to be reasonably good, but the performance-hit is completely unacceptable.
There have also been numerous cases of the value-added 'Internet Security Suite' products from this line causing strange network problems, and of being difficult to uninstall properly.
McAfee: The performance-hit with Network Associates' offering is less than that of Norton, but still very noticeable. In a recent (2011) case-study in which McAfee Enterprise Edition was replaced with Eset NOD32 Business Edition, removal of the McAfee product resulted-in something like a halving of the time taken to open typical programs. Installation of the Eset product took-away some of that performance gain, but to nowhere near the same extent as caused by McAfee. Overall, the same computers with Eset antivirus felt far more responsive than with McAfee.
On one of the computers in the above test, a minor piece of spyware (Zink) was noticed by way of a manual check on processes running in Task Manager. McAfee had totally ignored this spyware, which had probably been there for months. A scan with Eset NOD32 quickly found the spyware. Whilst this is a limited sample, it does suggest that the detection rate of NOD32 is superior to that of McAfee.
Anti-malware Tools:
Malwarebytes Anti-Malware: A specialist product aimed at detection and removal of advertising Trojans and the like,this isn't a direct replacement for resideent protection as such. In our experience it is, however, one of the best programs available for the removal of malware from affected compuiters. Available as a free malware-removal tool, and as a paid version which provides resident protection against advertising-parasites and the like.
Spybot Search and Destroy: A program with a similar purpose to Malwarebytes, but in our experience far less effective. Basically, in our view, not worth bothering with.
Lavasoft Ad-Aware: Likewise a malware remover, and used to be the de-facto program of its kind, but in recent years has been far surpassed in effectiveness by Malwarebytes. Might be worth trying if Malwarebytes can't remove a Trojan, but always try Malwarebytes first.
General comments:
The big two:
By far the largest installed base of AV software comes from just two sources: Symantec and Network Associates, who market the Norton and McAfee product ranges respectively. The 'household word' nature of these two brands lends them credibility of its own accord. This often leads to their products being purchased without much thought for their suitability or performance.
In truth, the market-penetration of these two brands stems from a number of factors, none of which relates to actual performance. Both were early starts in the PC security market. Both operate a policy of franchising and reselling via major IT resellers, with heavy advertising in consumer outlets such as PC World. Perhaps more controversially, both 'push-sell' their products by way of arranging for PC manufacturers to install trial copies onto new computers. This leads-to a very large 'captive userbase' of these products, users who didn't in fact have any opportunity to exercise choice at all.
In our experience, both of these big-brand products suffer from multiple drawbacks which are sufficently serious that we would never recommend any user to purchase them. Not only that, but their subscriptions are unduly costly compared to other offerings. We would even go as far as to suggest that even if you have 'had your arm twisted' by a preinstalled copy into paying for a subscription to one of these products, you still might be better to cut your losses and pay again for something better.
The free options:
Several companies offer free antivirus for home use. Generally, there are licensing restrictions on business use of these products, though. Where a vendor offers free home and paid business versions, in general the free products use the same base code as the paid product and are no less effective. Therefore if you qualify for the free product, by all means use it.
Security suites:
Many vendors offer two classes of product; a straightforward antivirus program, and an 'Internet security suite' which offers all kinds of additional features. In many ways this is simply an attempt to raise the profit-margin by selling a premium product instead of a standard one, most of the additional features of the 'security suite' being unneccessary, amd in some cases being undesirable in that they may cause additional problems. Our advice would be that unless you have an identified need for any component of the security-suite version, you should go for the vanilla antivirus product.
Value-added features:
In the same vein, many of the standard AV packages now include multiple virus-scanning aproaches in addition to the basic function of detecting malicious files. Typical examples are modules whcich add themselves onto your email program or Web browser, and attempt to monitor all traffic passing via that program for malicious content. Whether these add-ons do provide any additional protection is a disputable point. Granted, a Web-checking add-on may save you from submitting your logon details to a fradulent banking page or the like, and this could save you a good deal of grief. That said, many such value-added functions also cause trouble with the computer, or with its Internet connection. The bottom line here is that the experienced user probably doesn't need such add-ons and might be better deselctign them at install-time, whereas a computer used by less-savvy individuals may well benefit from extra protection.
In a business sphere, it is in any case better to scan email centrally at a server, rather than on desktops. Thus, antivirus for business use should allow desktop email-monitoring to be deselected. Otherwise, it is simply duplicating the function of the central scanner and causing unneccessary delays.
The main point is that these additional services probably don't do a lot to increase security; in many instances I suspect that they may be more in the nature of a placebo. Or, more likely, a sales gimmick. The part of an antivirus progam which matters is the on-access scanner which checks executables as they are launched. If this is effective, then you are protected. If on-access scanning is ineffective, then no matter how many Web, email, phishing, kitchen-sink unblocking or other add-ons exist.. you are not protected.
|
|
|
|
|
|
|