Protect Your PC
From dangerous new viruses to stealthy software, the assaults on your computer just keep coming. Who's in charge here? You--with these 26 well-tested tools.Your home is your castle, and your virtual home--your PC--should feel just as secure. However, protecting both requires vigilance against a multitude of intruders ranging from the merely annoying to the truly dangerous. Just as you must guard against miscreants breaking into your house or office to vandalize and plunder it, you must repel viruses and hackers trying to slip into your PC to wreak havoc and filch valuable personal or company data. And just as telemarketers can disturb your dinner, stealthware-laden downloads and endless spam e-mail can ruin your appetite for going online.
You can protect your PC as you do your home or office, with a combination of strategy and the right tools. In this article we report on the dangers threatening your system and recap the results of our extensive performance testing and hands-on evaluations. Our findings will help you choose the best utilities for your PC-protection tool kit: antivirus, firewall, and antistealthware programs that lock out intruders; and antispam software and services that deflect the slings and arrows of outrageous e-mail marketing tactics.
Robert Luhn is a California-based freelance writer. Scott Spanbauer is a PC World contributing editor. Dr. Andreas Marx of the University of Magdeburg directed antivirus and firewall testing. Special thanks to Sarah Gordon of the WildList Organization International and Steve Gibson of Gibson Research.
Eliminate Viruses
By Robert Luhn
Your antivirus program should be thorough, accurate, and fast. If it isn't, you simply won't use it--and neglecting this task is very dangerous. In any given month, between 200 and 300 viruses are circling the globe. That number comes from the WildList, an internationally recognized monthly roster of viruses spreading "in the wild."
An antivirus scanner's main method for catching viruses is to compare suspect code against databases of known virus "signatures." These databases include current and previous WildList entries as well as tens of thousands of "zoo viruses" that mostly exist in labs but use tricks that future viruses may employ. Scanners also use methods such as heuristics in an ongoing effort to recognize virus-like behavior in new threats.
The Antivirus Most-Wanted
Viruses today not only are more potent than their predecessors, but can spread faster. In the 1980s, boot-sector viruses passed via traded floppy disks. By the late 1990s, e-mail transported macro viruses in attached Microsoft Word documents.
Now the danger comes mainly from mass-mailing worms--self-replicating viruses that can hijack e-mail address books and send themselves to multiple recipients. LoveLetter, for example, was a Visual Basic script virus. Now most mass-mailing worms are stand-alone Win32 programs, such as SirCam and Klez, and these programs make up the lion's share of all virus infections. Macro viruses trail a distant second, and script viruses come in a close third. Boot-sector viruses account for only about 1 percent of infections.
Antivirus to the Rescue?
Antivirus vendors have responded fairly well to the threats, judging from our evaluation of seven products: Computer Associates' ETrust EZ Antivirus 5.4, Kaspersky Lab's Anti-Virus Personal Pro 4, Network Associates' McAfee VirusScan 6.02, Norman's Virus Control 5.2, Panda's Antivirus Platinum 6.25, Symantec's Norton AntiVirus 2002, and Trend Micro's PC-cillin 2002. We evaluated programs intended for home or small-office use, but all seven of these companies also offer multiseat licenses or server-based product lines.
The Norton, Kaspersky, and McAfee products zapped viruses best, but Norton earned our Best Buy award thanks to its intuitive interface.
To evaluate the software, we partnered with AV-Test.org, an agency run by the University of Magdeburg, Germany. The lab first tested how programs handled the February 2002 WildList of 207 viruses packed into 414 files. Using each program's default settings and latest signature updates, we measured detection rates for both a full scan of the hard drive and a file-access scan (detection whenever a file is copied or opened). All but one program detected at least 99 percent of the in-the-wild viruses--a result we expected, since all vendors regularly track the WildList.
The scanners' in-the-wild failings surfaced only with boot-sector viruses. Trend Micro's PC-cillin missed all 22 of the boot-sector viruses in our file-access scans. After we alerted Trend Micro, the company issued a patch that allowed PC-cillin to find all boot-sector viruses in both the hard-drive and file-access tests.
For the tougher zoo tests--involving 9138 viruses in 42,426 infected files--AV-Test.org enabled the apps' highest security settings. The files included several thousand Trojan horses and backdoor programs--attachments or downloads that masquerade as useful files but contain destructive elements or may open your system to hackers. (The WildList doesn't track these threats, but they are monitored on a separate--and less-well-known--roster called the TrojanList.) AV-Test.org also tested against polymorphic viruses and worms, which mutate as they propagate, making them harder for antivirus scanners to recognize.
Kaspersky Anti-Virus, McAfee VirusScan, and Norton AntiVirus performed best in zoo tests. But we also found some sleepy sentinels. ETrust EZ Antivirus missed over half of the Trojan horses and backdoor programs, and over a quarter of the script viruses. Norman Virus Control and Panda Antivirus Platinum (a previous Best Buy) each let roughly 20 percent of the polymorphic viruses go undetected.
Dig, Dig, Dig
While the types of viruses a scanner finds are important, so are their locations. For example, your antivirus protector should be able to dig into.zip and other compressed files--even.zip files within.zip files. It should also screen e-mail attachments. And wherever it discovers an infection, the program should remove it without destroying valuable files.
Kaspersky and McAfee did the best job of cracking into compressed files, and Panda was close behind. The other programs' performance ranked from so-so to abysmal. The worst: ETrust caught just 2 out of 24 compressed viruses.
Kaspersky, McAfee, Norton, Panda, and PC-cillin intercept and scan e-mail attachments before they land on your hard drive. But Norton and PC-cillin are limited to working with POP3-compliant e-mail programs, and Kaspersky works only with Microsoft's Outlook, Outlook Express, and Exchange clients. Panda scans POP3, Exchange, and even AOL attachments.
When they did find a virus, most products did a good job of removing it without damaging files, but only Norton turned in a perfect record. ETrust had the spottiest results: It successfully repaired just 18 of the 30 infected test files.
Look and Feel
Lab tests tell only part of the story. The most sophisticated scanner is useless if you can't figure out how to run it.
Because new viruses show up all the time, easy virus-definition updating is a must. All the tested programs except ETrust offer automatic, scheduled updates; but our nod here goes to Norton, which by default checks for updates right after you install it and every 4 hours thereafter.
Norton earns kudos for having the most logical interface, too. From one location, you can view the program status and settings, as well as activate scans. You can also access Symantec's top-notch Web knowledge base to learn about viruses.
Other top scanners, such as Kaspersky, have a steep learning curve; but Norton is easy to master. And after you install the application, it scans your hard drive and turns on every relevant virus-hunting feature. (Many competitors don't.) These excellent features, plus its virus-hunting prowess, make Norton the Best Buy.
Virus Avengers: Norton Is Hard to Fool, Easy to Use (chart)
| Antivirus scanner | Street price (05/01/02) | Annual renewal fee | Wild viruses: success rate (full scan/file access)1 | Zoo viruses: success rate (full scan)1 | Ease of use | Comments |
| Computer Associates ETrust EZ Antivirus 5.4 (http://www1.my-etrust.com/) | $20 | $10 | 100/100 | 92.6 | Very good | Has a clean, intuitive interface but disappointing performance. Missed some malicious apps and script viruses, and had problems scanning archive files in zoo tests. (  ) |
| Kaspersky Lab Anti-Virus Personal Pro 4 (http://www.kaspersky.com/) | $100 | n/a2 | 100/99.5 | 99.8 | Poor | Complex interface is difficult to navigate. Missed some in-the-wild boot-sector viruses during file-access scanning. Provides e-mail scanning. (  ) |
| Network Associates McAfee VirusScan 6.02 (http://www.mcafee-at-home.com/) | $40 | $5 | 99.5/100 | 99.8 | Poor | Strong virus scanning, aside from missing some in-the-wild boot-sector viruses during full scans. Includes a firewall, as well as virus scanning for PDAs. ( ) |
| Norman Virus Control 5.2 (http://www.norman.com/) | $80 | $803 | 100/100 | 96.5 | Fair | Complex interface spread across six program components. Missed 20 percent of zoo polymorphic viruses; had difficulties with archived files. ( ) |
| Panda Antivirus Platinum 6.25 (http://www.pandasoftware.com/) | $594 | n/a | 100/99.8 | 96.2 | Good | Integrates with Microsoft Outlook e-mail client; scans Lotus Notes databases. Missed 20 percent of polymorphic zoo viruses in our tests. (  ) |
| Best Buy Symantec Norton AntiVirus 2002 (http://www.symantec.com/) | $50 | $10 | 100/99.8 | 99.1 | Outstanding | One of the top performers also boasts the clearest, most intuitive interface of the products tested. It missed some script viruses and couldn't scan some archive files in zoo tests. (  ) |
| Trend Micro PC-cillin 2002 (http://www.antivirus.com/) | $40 | n/a2 | 99.5/94.75 | 97.9 | Good | Missed high percentage of in-the-wild boot-sector viruses in our tests, but subsequent patch corrected the problem. Scans PDAs and includes a software firewall. ( ) |
Shut Out Hackers
By Scott Spanbauer
Though antivirus software protects you from many malicious programs, it might not catch everything. A hacker might attempt to snoop around your system for private passwords, for example, or you might download a file or receive an e-mail attachment containing a backdoor program or a Trojan horse that steals data or opens vulnerabilities. A firewall can protect you from these types of attacks by continuously watching all the data flowing both into and out of your system.
We reviewed six software firewalls--Internet Security Systems' BlackICE PC Protection 3.5, Network Associates McAfee Firewall 3.02, Sygate Technologies' Personal Firewall Pro 5, Symantec's Norton Personal Firewall 2002, Zero-Knowledge Systems' Freedom Personal Firewall 3.2, and Zone Labs' ZoneAlarm Pro 3--to determine which provides the best protection without interfering with common applications or inundating you with false alarms. For comparison, we also examined the Internet Connection Firewall that accompanies Windows XP (but is turned off by default). AV-Test.org conducted all lab tests on Windows XP Professional systems, using the firewalls' default security settings.
We were most highly impressed with Sygate's Personal Firewall Pro 5 and Zone Labs' ZoneAlarm Pro 3, so we gave both of them our Best Buy award. The Sygate product stands out for offering the finest control over how Internet-enabled programs can communicate. ZoneAlarm Pro, a previous Best Buy, has gotten even better with the addition of new ad-blocking tools, along with e-mail filtering and a better setup tutorial. Both Sygate and ZoneAlarm are also available in free editions that provide the basic firewall features.
What Comes In? What Goes Out?
A firewall's primary job is to monitor each of the 65,535 possible TCP and UDP port addresses your system uses to communicate with other computers. If no application on your system is using a particular port, the firewall should ward off incoming data packets destined for it.
Most inbound "attacks" are simple port scans: hackers' attempts to find poorly configured, vulnerable servers. Since few users run the FTP, Telnet, and Web server applications that hackers typically look for, these connection attempts are usually harmless. On the other hand, Trojan horses, backdoor programs, and configuration errors--such as enabling file sharing without restrictions--can open vulnerabilities and give hackers the ability to copy files, delete files, or co-opt your PC and use it as a platform for launching attacks on commercial servers.
Running common port-scanning applications on all the firewalls (including Windows XP's), we found that most products protect all ports from attack. However, in their default settings with Internet access enabled, BlackICE PC Protection, Norton Personal Firewall, and McAfee Firewall do not close port 5000, which the Universal Plug and Play feature in recent versions of Windows uses to detect networked devices. Few products currently support UPnP, but it is enabled by default in Windows XP, thereby opening a server port. A McAfee representative says that in later versions of its firewall the company may add a check box to allow users to close port 5000. And by the time you read this, Norton should have a new, downloadable firewall rule that closes the port.
BlackICE not only leaves port 5000 open but also fails to close any ports over number 1024. According to ISS, pushing the program's security level from default 'Cautious' to 'Nervous' closes all TCP ports, and moving to the highest setting, 'Paranoid', closes all UDP ports, as well.
Keeping an Eye on Apps
The biggest danger to most PCs comes not from outside attacks but from within: Trojan horses and backdoor programs that you install because they appear to be useful downloads or harmless e-mail attachments. Once they've slipped into your system, these programs can turn your PC into a vulnerable server, opening ports to intruders or collecting data--such as passwords--and sending it to hackers. An up-to-date antivirus scanner is your first line of defense against Trojan horses and backdoor code, but if one of these does slip through, a firewall provides further protection.
The Windows XP firewall monitors inbound attacks only, but the six other firewalls we reviewed attempt to thwart Trojan horses and backdoor programs by controlling which applications on your system can connect with remote servers. Most of the firewalls alert you when an application wants Internet access, and they allow you to grant or deny permission. Symantec's Norton Personal Firewall makes the identification process easy by using a signature database of known, safe applications--for example, Web browsers and e-mail clients--to configure access rules automatically. If an application doesn't appear in the database, Norton will ask you to set permissions.
Unfortunately, Norton failed to alert us when we replaced an approved application with another application that had the same file name--a trick that a Trojan horse or backdoor program might try in order to slip past the firewall. Norton did ask permission for the replacement program to run, but it identified the app only by its file name. Similarly, BlackICE PC Protection and McAfee Firewall failed to note that the original file had been overwritten.
BlackICE suffered from other problems, too. We've awarded Best Buys to earlier versions of the program because of their demonstrated ability to fend off and track attacks from outside. This time around, we focused more on application control, a feature that's new to the current version--but this feature failed to pass muster. By default, BlackICE grants full Internet privileges to any applications already installed on your PC. Because of this setting, BlackICE was the only firewall (other than Windows XP's) that failed to block a backdoor program preinstalled on our test system. You can restrict applications after installing BlackICE, but that requires you to review its list of the several hundred executable files installed on your PC and to configure rules for each.
The star of the application control tests, Sygate's Personal Firewall Pro, was the only firewall that resisted our attempts to shut it down using a third-party system-monitoring application--mimicking a trick some Trojan horses and worms use to disable a PC's security software.
Feedback and Control
Most of the six non-Microsoft programs we tested do a good job of reporting possible outside attacks, by changing the utility's system tray icon, popping up a warning dialog box, playing a sound, or doing all three. However, Freedom Personal Firewall's alerts are rather vague, and you don't miss much information by keeping them disabled, as they are by default. All six display real-time logs of suspicious incoming traffic, showing the originating IP address, the type of attack, and in most cases its severity. In addition, Freedom, Sygate, and ZoneAlarm perform "Whois" traces that can sometimes pinpoint the source. Sygate's firewall also lets you do a trace route showing the exact path the attack took, from the source to your PC. Both techniques can help you identify a probable attacker's ISP so that you can report the abuse.
For application control, all the non-Microsoft firewalls let you drill down to control settings and specify whether a program may initiate outgoing communications (acting as a client) or receive incoming connections initiated remotely (acting as a server). Sygate offers the greatest level of control, letting you dictate even specific days and times when a program can communicate.
Protect Yourself With Hardware
Many small offices and wired homes use inexpensive gateways/routers to share an Internet connection, files, and printers or other peripherals. The makers of gateways/routers often advertise built-in firewalls as well. How does this type of protection compare with a software firewall?
Using Network Address Translation and Dynamic Host Control Protocol, a basic hardware gateway/router such as the Linksys BEFSR41 EtherFast Cable/DSL Router ($75) distributes private IP addresses to computers on the network. It transforms those private addresses into its public IP address in the course of sending communications to Internet servers. Because the individual PCs don't have their own public IP addresses, they should be protected from outside attacks. We found the four-port Linksys to be simple to install. We didn't have to enter its setup screen because it retrieved a dynamic IP address from our ISP and then created a NAT network automatically.
More-expensive routers such as NetGear's eight-port FR318 ($250) add other safeguards, including stateful packet inspection, which scrutinizes both the address headers and the contents of data packets for signs of suspicious behavior. (Many of the software firewalls that we reviewed also use SPI.) In contrast, firewalls that use static rules look only at address headers; they are more susceptible to advanced attacks that disguise the packet's true source. The NetGear router required more work to configure during setup than the Linksys did, but it offers handy Internet content filtering that lower-cost routers like the Linksys don't. However, even advanced hardware firewalls can't perform the application checking that the software products can.
Hardware firewall manufacturers agree that software adds a layer of protection. Linksys, for example, has joined with Zone Labs to offer discounted multiple-computer ZoneAlarm Pro licenses along with its routers. And NetGear offers buyers of its RP114, RP334, RT311, and RM356 firewall routers eight free one-year subscriptions for Zero Knowledge's Freedom security and privacy suite.
Personal Firewalls: Sygate and ZoneAlarm Protect Best (chart)
| Firewall | Street price (05/01/02) | Closed all ports by default | Detected preinstalled backdoor code | Announced file replacement | Resisted firewall shutdown attempt | Ease of use | Comments |
| Microsoft Windows XP Internet Connection Firewall (http://www.iss.net/solutions/home_office/) | Free3 | Yes | No | No | No | Good | Monitors inbound connections only, using SPI. No controls of Internet-enabled apps, no intrusion alerts; log files difficult to access. ( ) |
| Network Associates McAfee Firewall 3.02 (http://www.mcafee-at-home.com/products/firewall/default.asp?m=2) | $30 | No1 | Yes | No | No | Good | Uses static firewall rules. Doesn't support Internet Connection Sharing (ICS) on host machine that shares an Internet connection with other PCs. ( ) |
| Best Buy Sygate Personal Firewall Pro 5 (http://soho.sygate.com/products/pspf_ov.htm) | $404 | Yes | Yes | Yes | Yes | Outstanding | Allows the finest control of traffic; only firewall preconfigured to support ICS. Includes SPI and intruder-tracing tools. (  ) |
| Symantec Norton Personal Firewall 2002 (http://www.symantec.com/sabu/nis/npf/) | $50 | No1 | Yes | No | No | Very good | Offers application permissions that are preconfigured and adjustable. Able to block cookies and transmission of personal information. ( ) |
| Zero-Knowledge Systems Freedom Personal Firewall 3.2 (http://www.freedom.net/products/firewall/index.html) | $305 | Yes | Yes | Yes | No | Very good | Provides good protection but limited adjustability. Does not support ICS. Can block cookies, banner ads, and transmission of personal info. ( ) |
| Best Buy Zone Labs ZoneAlarm Pro 3 (http://www.zonelabs.com/) | $506 | Yes | Yes | Yes | No | Outstanding | Allows precise control of app permissions. Includes SPI and intruder-tracing tools. Can block cookies, banner ads, and pop-ups; filters e-mail. ( ) |
Stop Stealthware
By Scott Spanbauer
Do you ever suspect that someone else is calling the shots on your PC? You're not doing anything online, but the modem lights show that your system is sending and receiving data. One day you research a Caribbean vacation, and the next day ads start popping up on your screen pushing Jamaican getaways. Is someone out there watching you?
Well, the snoops aren't watching you exactly--rather, they're watching (and recording) your mouse clicks. Much of that "free" software you've been downloading has a cost, after all. In addition to the banner advertisements that clutter the interfaces of many free programs, products such as BearShare and Kazaa Media Desktop come packed with a hidden payload: stealthware programs that track your surfing activity and send data on where you go back to a mothership marketing server.
Also dubbed spyware or adware (the latter delivers targeted advertising but does not collect personal information about you), these covert programs use the bandwidth and processor power you paid for to sell you stuff. And a new class of stealthware co-opts your computer's resources for other purposes: Earlier this year, users of Kazaa Media Desktop discovered that the Brilliant 3D viewer that was installed along with the file-sharing application was accompanied by client software for a soon-to-be-activated distributed processing network. According to Brilliant, users will be invited to opt in before their PC is connected to the network.
This novel arrangement isn't a complete secret. When you accept the terms of the Kazaa software license, you also grant Brilliant permission to use your PC's processing power and Internet connection. But few people, if any, scroll far enough down the Kazaa user license to read the terms of the embedded Brilliant license. To see whether a program contains stealthware before you install it--without getting bleary-eyed from reading through the license--check the online database of stealthware-bearing applications maintained at Spychecker.com.
Stealthware Fighters
To uncover stealthware that is already lurking in your system, you can use a utility that scans for it in much the same way that antivirus programs scan for viruses. We examined four such protectors: LavaSoft's $15 Ad-aware Plus 5, PestPatrol's $30 PestPatrol 3.1, Spyblocker Software's $20 Spyblocker 5, and the freeware SpyBot Search and Destroy.95.
Ad-aware Plus and PestPatrol are the most full-featured spy hunters of the four, and Ad-aware Plus earned the Best Buy title mainly because it found and disabled many more scary programs in our tests than PestPatrol did. Notably, PestPatrol missed the Brilliant 3D viewer and its dormant distributed computing client. Also, Ad-aware Plus's wizard-like scanning and spyware removal process is easier to navigate than PestPatrol's tabbed interface. Otherwise, the two programs behave very similarly. Both scan your hard disk and Registry for signatures of known spyware, and both scan your PC's memory to catch stealthware while it's running.
Before purging your PC with one of these utilities, remember that some free programs may stop working if you remove their hidden components. If you can't give up a prized application but you don't like what it does behind your back, use an application-monitoring firewall, such as one of our Best Buys (Sygate Personal Firewall Pro or ZoneAlarm Pro 3), to block unwanted background traffic.
Ad-aware and Pest Patrol are available in free versions, but we recommend the full packages because of the additional features they provide. The free version of PestPatrol, for example, lacks the ability to quarantine or delete stealthware; you'll have to remove it manually. Ad-aware's free version leaves out the memory scanner and other advanced features, including the useful ability to run a scan directly from Windows Explorer.
Like antivirus software and firewalls, stealthware blockers require program and signature updates to trap the newest culprits. PestPatrol can automatically download updates from the company's Web site. Ad-aware Plus uses a separate program that streamlines the downloading and installation of signature-file updates, though it does not run automatically.
The two other programs we tested deserve honorable mention. SpyBot Search and Destroy.95 is a promising freeware program that was in development during our research; it's nearly as thorough and feature-rich as Ad-aware Plus. Spyblocker is a real-time memory scanner that watches for a host of online threats, including Web bugs, ads, worms, spyware, scripts, and cookies. Like the application-control feature provided by a personal firewall, Spyblocker prevents stealthware from connecting to remote servers. The program also automatically blocks programs from communicating with servers that are associated with a long list of known stealthware domain names. However, Spyblocker doesn't scan your hard disk and remove offending programs.
Stealthware Finders: Ad-aware Catches the Most (chart)
| Utility | Street price (5/01/02) | Scans memory/storage | Removes programs | Comments |
| Best Buy Lavasoft Ad-aware Plus 5 (http://www.lavasoft.nu/) | $15 | Yes/Yes | Yes | Tool provides extremely thorough scanning and removal of stealthware. Separate utility assists with updating. ( ) |
| PestPatrol 3.1 (http://www.safersite.com/) | $30 | Yes/Yes | Yes | Utility has a slightly more difficult interface and less-thorough scanning than Ad-aware. Manual updates. ( ) |
| Spyblocker Software Spyblocker 5 (http://personal.bellsouth.net/mia/k/r/kryp/) | $20 | Yes/No | No | Real-time memory scanner blocks a broad range of stealthware, ads, cookies, and Web bugs. Separate utility assists with updating. ( ) |
| Spybot Search and Destroy.95 (http://www.wilders.org/downloads.htm) | Free | Yes/Yes | Yes | Student-written beta freeware offers thorough scanning and an impressive feature set. Manual updates. 1 |
Slam That Spam
By Robert Luhn
Compared with the trashing a virus or hacker can do to your PC, spam seems so, well, benign. But virus attacks don't happen every day, whereas junk e-mail does. The productivity you lose in sifting through this digital detritus, plus the hijacked server space and bandwidth, can put a dent in your budget or threaten your sanity.
Many ISPs offer customers spam-filtering services, but these aren't always vigilant. "Even [ISPs] with a good abuse desk find it difficult to disconnect a customer--even a spammer--in the current economic climate," says Dave Rand of the Mail Abuse Prevention System, an antispam advocacy group. And ISPs that have antispam technology still let plenty of junk through. For example, a seldom-used AOL screen name that we monitored received nearly a dozen junk messages each day. After forwarding the messages to AOL, adding the spammers' names to the account's filters, and unsubscribing from mailing lists, we still received the same amount of spam.
Going Vegetarian
You probably can't rid yourself of the junk entirely, but you can reduce the flow by choosing an ISP with a tough antispam policy, mastering your e-mail program's filter function, and being careful about which Web sites and services you sign up with. For detailed advice on how to proceed, follow the tips in " Spam Begone" and in June's " "How to Take Back Your Privacy."
You can also enlist the aid of programs and Web-based services that filter out the remaining spam, check sender addresses against a "blacklist" of spammers, or provide heavily filtered or temporary e-mail addresses. We tried four products--Contact Plus's Spam Buster 1.9, Crystal Office Systems' MailSweep 3.05, High Mountain Software's SpamEater Pro 3.56, and McAfee.com's SpamKiller 2.87--and ran them on several active e-mail accounts. Most of them effectively nabbed the real spam and spam-like messages we sent to the accounts, without zapping innocent e-mail, but we recommend SpamKiller because it's the easiest to use.
Antispam Tools
Except for SpamKiller, these four programs work only with POP3 e-mail accounts (which excludes AOL, MSN, some corporate e-mail systems, and Web-based e-mail such as Hotmail). Most of them compare return addresses with various blacklists, and they provide filters to block messages by address, domain, country, and size. All four programs scan your in-box (on demand or automatically) for suspicious mail and either flag it or delete it.
SpamKiller emerged as as our Best Buy choice, by a whisker, thanks to its clean interface and a superb wizard that finds your e-mail program and imports the address book (labeling everyone in it a nonspammer). The software is a snap to run: Buttons activate basic features (like checking mail), while a toolbar lets you scan your in-box or edit filters. And SpamKiller is the only program of the four that also works with the MAPI e-mail used in Microsoft Exchange systems. It doesn't use a blacklist of known spammers, but it does have a load of preconfigured filters that were effective in canning the junk.
Coming in a close second is Spam Buster, which uses its own blacklist. The tabbed dialog boxes where you configure the program are straightforward, and you can select filter rules from simple drop-down menus. But Spam Buster's wizard isn't quite as intelligent as SpamKiller's.
Spam-haters who want total control should try SpamEater Pro. You can craft rules and filters any way you wish, check a half-dozen blacklists, and have messages re-sent if you suspect that legitimate e-mail got swept up with the spam. But SpamEater is hard to configure, requiring lots of puzzling over arcane settings.
MailSweep, a mail-reading program with antispam features, fared less well. It doesn't have prefab filters or blacklists, and you can't create complex filters. While it caught some spam, it didn't always delete messages when instructed to do so.
Antispam at Your Service
Web antispam services block junk mail before it gets to you, and they work with all types of e-mail. We tried out two free services, Despammed and Spamgourmet. Both of them provide e-mail addresses for signing up with Web sites, newsletters, or forums.
The Despammed service filters incoming mail and sends whatever remains to your real e-mail address. The site has its own filtering technology but also checks several blacklists. Spamgourmet forwards mail without filtering, but each Spamgourmet address is good for only 20 messages. If you sign up for something you don't like, you can simply let that particular e-mail address expire.
While the free services work as advertised, the software packages offer greater control. If you have a POP3 or a MAPI e-mail account and a serious distaste for spam, spend the $30 on SpamKiller.
Spam Fighters: Spamkiller Has the Most Muscle (chart)
| Utility | Street price (5/01/02) | E-mail types supported | Comments |
| Contact Plus Spam Buster 1.9 (http://www.contactplus.com/) | $20 | POP3 | Simple, logical interface; built-in blacklist; no inline ads. Free, ad-supported version available. ( ) |
| Crystal Office Systems MailSweep 3.05 (http://www.crystaloffice.com/) | $19 | POP3 | Mail reader with antispam features, limited filters. Free 30-day demo has minor features disabled. (  ) |
| High Mountain Software SpamEater Pro 3.56 (http://www.hms.com) | $25 | POP3 | Offers in-depth control, multiple blacklists; hard to configure; help system terse. Free, fully functional 30-day demo available. ( ) |
| Best Buy McAfee.com SpamKiller 2.87 (http://www.mcafee.com/myapps/msk/default.asp) | $30 | POP3, Microsoft Exchange | Great wizard, easy setup. Free, fully functional 30-day demo available. ( ) |
| Service | Street price (5/01/02) | E-mail types supported | Comments |
| Despammed (http://www.despammed.com/) | Free | Any | Filters mail, then forwards it to your primary account. ( ) |
| Spamgourmet (http://www.spamgourmet.com/) | Free | Any | Forwards mail from temporary e-mail addresses to your primary account. ( ) |
A Suite Deal?
Software suites promise an irresistible deal. Why buy different apps from different vendors when a single package can do the job (and save you money)? Unfortunately, many suites resemble TV networks' fall lineups, with uninspired offerings crammed between the winners.
We examined two suites--Symantec's Norton Internet Security 2002 and Network Associates' McAfee Internet Security 4.02--that include at least an antivirus scanner and a firewall. Each sells for $70. Zero-Knowledge added a virus scanner to its firewall and privacy package, Freedom 3.2, but not in time for our testing.
Norton packages AntiVirus 2002 (our Best Buy) and Personal Firewall 2002, plus several privacy tools, such as an ad blocker. The McAfee suite combines VirusScan 6.02, Firewall 3.02, and a similar posse of privacy protecting applications.
Kludgey Combos
Alas, neither suite is ready for prime time. Norton's console is inconsistent: Some status screens allow you to configure an application; others kick you out to the main configuration screen. Some screens show if a feature is enabled, some don't.
McAfee's Internet Security 4.02 suite has the same confusing Web-style interface that the stand-alone VirusScan uses. Many options are buried, and key apps, such as the firewall, aren't turned on by default.
Once configured, the McAfee suite produced mixed results. The ad blocker let skyscraper and pop-up ads through. The Security Check feature, a cool idea, whips through your PC looking for information that should be secured. It makes some good suggestions, but also some bad ones, such as turning on your CPU identification feature. Like Norton's suite, the McAfee bundle does not include utilities to filter spam.
Our recommendation? While an all-in-one security package may sound appealing, you're better off building your own suite from our Best Buys.
--Robert Luhn
Antivirus Scanners: How We Tested
AV-Test.org conducted all antivirus tests on Pentium III-800-based PCs with 256MB of RAM and 30GB hard drives; each system used the original shipping version of Windows XP Professional. Original hard drive images were restored before the installation of each antivirus scanner. Antivirus definitions were updated for all products on March 20, 2002.
In-the-wild tests were conducted on samples from the February 2002 WildList. Each of the 207 viruses was represented in two forms, for a total of 414 infected files. Boot viruses were stored on floppy disks; all others were stored on the test systems' hard drives. AV-Test.org measured detection rates both for a full scan of the infected drives and for file access.
Zoo tests were conducted according to the same procedures as the in-the-wild full-disk scans, using 13,007 different viruses or virus variants in 42,522 infected files.
See the next page for detailed test results.
Antivirus Scanners: Detailed Test Results
| Antivirus scanner | File viruses (including Linux, Win16, Win32) | Macro viruses | Script viruses (including VBS and JavaScript) | Polymorphic viruses | Trojan horses and backdoor programs | Viruses in compressed archives | Boot viruses (full scan) | File viruses repaired | Macro viruses repaired |
| Computer Associates ETrust EZ Antivirus 5.4 | 98.62 | 99.80 | 72.16 | 99.98 | 46.73 | 5.41 | 100.00 | 63.33 | 96.08 |
| Kaspersky Lab Anti-Virus Personal Pro 4 | 99.58 | 99.96 | 99.75 | 100.00 | 99.14 | 100.00 | 100.00 | 80.00 | 98.04 |
| Network Associates McAfee VirusScan 6.02 | 99.85 | 99.98 | 99.66 | 99.71 | 99.45 | 75.68 | 90.91 | 80.00 | 100.00 |
| Norman Virus Control 5.2 | 94.68 | 99.61 | 95.04 | 83.76 | 84.20 | 24.32 | 100.00 | 86.67 | 78.92 |
| Panda Antivirus Platinum 6.25 | 91.58 | 98.73 | 94.20 | 77.35 | 91.24 | 64.87 | 100.00 | 73.33 | 98.04 |
| Symantec Norton AntiVirus 2002 | 99.73 | 99.89 | 92.18 | 99.93 | 96.06 | 40.54 | 100.00 | 100.00 | 92.16 |
| Trend Micro PC-cillin 2002 | 99.02 | 99.81 | 95.54 | 99.05 | 85.16 | 51.35 | 90.91 | 73.33 | 99.02 |