The New Virus Fighters
Today's antivirus programs have no trouble stopping familiar intruders, but how safe are you from the unknown? Our tests of ten contenders reveal a new Best Buy.
Tony Bradley is a network security consultant and the lead writer for About.com's Internet/Network Security Web site. Narasu Rebbapragada is an associate editor for PC World.
We have both good and bad news about the ongoing war against computer viruses. The good news: All the antivirus products we tested for this article were 100 percent successful at identifying and blocking recognized security threats. The bad news: Such utilities still can't completely protect you from new threats--and there are plenty of those around.
AV-Test, the German security firm with which PC World partnered for this story, says that 70 to 100 new threats are discovered each day. Though many of them are variants of existing threats, waiting even a few hours for your antivirus software vendor to release fixes for them exposes your computer and others to harmful infection. Plus, viruses aren't the only problem. Virus writers are also sending worms--which don't need a host file in order to spread--and other destructive programs such as Trojan horses to users as e-mail attachments.
"The Bagle author likes to do this," says senior security researcher Joe Stewart of LURHQ, a company that provides security consulting and managed security services. Because of such dangers, it's important that your antivirus application be able to recognize and remove not only viruses but other types of threats as well.

Illustration by David Plunkert
Antivirus Tools Strike Back
Antivirus software companies are adapting and upgrading their products in a number of ways. Frequently they now package traditional antivirus applications with other security components, such as antispyware tools and firewalls, to provide more-comprehensive protection; in some cases this extra functionality is baked into the antivirus product itself. Companies are also reducing the length of time it takes them to release signature updates, which individual antivirus utilities download and then use to recognize and destroy newly identified threats.
In addition, vendors are honing their products' heuristics, the rules and algorithms that can spot new security threats based on their similarity to previously identified pieces of harmful code. "Heuristic scanning by antivirus software engines has shown some improvement over the past few years, with better detection and fewer false alarms," says Douglas Schweitzer, author of Securing the Network From Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans. In a false alarm--or false positive--an application wrongly flags a benign file as malware. This mistake at best wastes users' time and at worst causes them to delete files they need.
Companies are also using behavior-based detection to fight new threats that their products can't yet recognize through signature updates. This technology monitors the parts of your system that a malicious file might target, flags suspicious behavior, and stops it. The drawback associated with this approach is that the malware must already be active on your computer in order for behavior-based monitoring to detect it. For this reason, behavior-based detection works best as a supplemental layer of protection behind the virus-scanning engine, which ideally eliminates the threat before it can execute.
Stand-Alone Apps, Suites, and Free Tools
With these trends in mind, PC World aimed to learn which of today's antivirus products will best protect you against both known and unknown malware. We tested ten products, ranging in price from free to $50. To create a level playing field, we tested stand-alone antivirus apps where available and only the antivirus components of suites that offer other functions such as antispyware protection and network firewalls. Testing the suites with their nonvirus-oriented components enabled would have given them an unfair advantage over the stand-alone antivirus programs, to which you can add (and we recommend that you do add) the firewall and antispyware tools of your choice.
Among our test group, Alwil Software's Avast Home Edition 4.6, AntiVir PersonalEdition Classic 6.32, and Grisoft's AVG Free Edition 7.1 are stand-alone programs that cost nothing. F-Secure Anti-Virus 2006, Kaspersky Lab's Kaspersky Anti-Virus Personal 5.0, McAfee VirusScan 2006, and BitDefender 9 Standard are paid stand-alone applications. Panda Software's Panda Titanium 2006 Antivirus + Antispyware and Symantec's Norton AntiVirus 2006 both include antispyware tools. Trend Micro sells its antivirus tool only as part of the full PC-cillin Internet Security Suite 2006.
One product we didn't rate is Zone Labs' ZoneAlarm Antivirus, our 2005 World Class winner in the category. It combines Computer Associates' Vet Antivirus engine with Zone Labs' network firewall and OSFirewall, a behavior-based prevention technology that flags suspicious system behavior.
AV-Test did evaluate Computer Associates' scanning engine, which performed poorly and was the slowest to release signature updates for new threats. However, for this story AV-Test could not assess the effectiveness of Zone Labs' behavior-based malware prevention. Putting it to the test against AV-Test's malware collection would have taken months, as each file has to be active on the test system. Since the OSFirewall is integral to the Zone Labs product, we excluded the entire product. (Panda's product, which we did rate, also uses behavior-based detection.)
How We Tested
Overall, AV-Test ran five tests (see details on the methodology). First, it determined whether the products could detect 1518 "in the wild" malware samples--a published list of viruses and other threats identified by the WildList Organization as active in public circulation.
Second, it tested the programs' ability to detect non-WildList threats by using its own collection (or zoo) of 136,250 backdoor programs, Trojan horses, and bots (also known as zombies). The zoo includes active malware collected from customers, computer magazines, and honey pots, which are Internet-connected servers that researchers set up to lure malware. Since the WildList is published, is often out-of-date, and intentionally excludes non-self-replicating threats such as Trojan horses and backdoor software, AV-Test's zoo malware complements the WildList malware well.
A network firewall will detect backdoor apps, bots, and Trojan horses; but as with behavior-based detection, a firewall will notify you of trouble only once the threat is active on your PC. "Firewalls stop network traffic," says LURHQ's Stewart. "They might stop a Trojan from phoning home. They're not going to stop a Trojan from running [on your PC]," he says.
Third, AV-Test evaluated each product's heuristic capabilities. To do this, it looked at how well one- and two-month-old versions of the programs, which didn't have the later virus signatures installed, recognized malware that subsequently emerged. Thus, AV-Test determined the programs' ability to detect worms and backdoor software without the benefit of signature updates. Testing for worms and backdoor apps was appropriate because those were common and dangerous threats during the testing period, and brand-new viruses are hard to find, according to AV-Test.
Fourth, AV-Test examined each product's ability to clean up 110 macro viruses that attack Microsoft Office programs. And fifth, it compiled data on the average outbreak-response time by each antivirus software company to 16 outbreaks during eight months in 2005--a measure of how quickly the company deploys signature updates after new malware is identified.
To complete our testing, PC World timed how fast the various products conducted on-demand virus scans, and then we evaluated each product's ease of use, features, and tech support policies.
Our Antivirus Picks

BitDefender's main interface is basic. Its performance is top-notch.
After the dust finally settled, BitDefender 9 Standard emerged as our Best Buy. It ranked in the top four on every performance measure, and it costs only $30. The $40 McAfee VirusScan 2006--with its relatively good heuristics performance and intuitive interface--came in second.

Trend Micro's PC-cillin packs a lot of information into a well-designed screen.
Trend Micro's PC-cillin Internet Security Suite 2006, a descendant of our Best Buy in June 2004, finished ninth among the ten products. It performed poorly in the zoo and heuristics tests and is relatively expensive because it's available only as a full security suite. On the bright side, it had snappy outbreak-response times and offers a stellar user interface.
The three free programs came up short, too: AntiVir placed seventh, Avast ranked eighth, and AVG brought up the rear in tenth. Of course, for people who have no budget for antivirus software, any one of these products provides far more protection than simply forgoing an antivirus utility.
Fighting Malware We Know
At their default configurations and with up-to-date virus definitions in place, all of the products that AV-Test evaluated were 100 percent successful at detecting WildList viruses in real time and on demand, defined as when a user conducts a manual or scheduled scan of the computer.
The programs successfully detected and removed macro viruses, with a few exceptions. Avast failed to clean ten viruses, including two viruses that targeted files from PowerPoint versions 97 to 2003 and four viruses that targeted files from Word 6. Panda did not fully clean the two PowerPoint viruses, though the files were still operable. AntiVir failed to clean ten Word 6 viruses among others, and BitDefender missed two viruses that targeted files from Word versions 97 to 2003. These viruses aren't new, so today's products should be able to handle them.
The ability to catch WildList viruses is essential, since they're widely known; detecting the miscreants in AV-Test's zoo, however, is a somewhat different matter.
Kaspersky Anti-Virus Personal 5.0 was the only program we looked at that successfully detected all three types of zoo threats 100 percent of the time. F-Secure and Symantec were successful 97 percent of the time--still an excellent score.
At the other end of the spectrum, PC-cillin produced one of the worst results, detecting only 76 percent of zoo threats--this score includes 85 percent of bots, 82 percent of backdoor software, and 69 percent of Trojan horses. Trend Micro says that it chooses not to expend resources developing signature files for the malware contained in AV-Test's zoo because those threats have never affected its customers. We can't say for sure whether every threat in the zoo is relevant, but we would rather choose a product that detects 100 percent of that menagerie's beasts.
Fighting Malware We Don't Know
None of the products performed exceptionally well in our heuristic tests, proving that there is room for improvement in identifying new threats. In our tests of apps with one-month-old signatures, BitDefender performed the best, detecting 43 percent of worms and 57 percent of backdoor programs. McAfee came in a close second, catching 41 percent of worms and 55 percent of backdoor software. F-Secure and Kaspersky finished close behind, each catching more than 32 percent of worms and 53 percent of backdoor malware. (AV-Test says that a 50 percent detection rate is very good.) In our tests of apps with two-month-old signatures, all programs did more poorly.
PC-cillin again performed the worst. Its scanner with one-month-old definitions caught just 5 percent of worms and 7 percent of backdoor software. Trend Micro feels that the problems caused by heuristics--in particular, with its potential for false positives--outweigh the benefits. As a result, the company chooses to place less emphasis on developing heuristics.
The Need for Speed

Panda's heuristics proved middle-of-the-road.
We tested the products for two kinds of speed: how fast they completed an on-demand virus scan and, more important, how swiftly the companies released signature updates for new malware outbreaks. The software that turned in the speediest scanning performance was Panda's, which blazed through the tests in an average time of 1 minute, 46 seconds. This was more than seven times faster than the slowest program, Avast, which came dragging in at the back of the pack with an average time of 13 minutes, 11 seconds.
When AV-Test evaluated the products' outbreak-response performance, all responded to incidents within 12 hours on average. Kaspersky had the fastest response time--from less than an hour to 2 hours. BitDefender and F-Secure were close behind at 2 to 4 hours. AntiVir and PC-cillin had response times of 4 to 6 hours; Panda took 6 to 8 hours; AVG, Avast, and McAfee took 8 to 10 hours; and Symantec took the longest, at 10 to 12 hours.
Features Vary, Slightly

Norton AntiVirus clearly explains interface elements and user choices.
Some packages provide nice extras. All automatically and regularly download virus signature files and application updates. Most will let you set up full or customized scans on a defined schedule. Some, such as the free AVG, are relatively rigid, allowing only scheduled scans of predefined drives or file types. Unlike every other program here, Panda's doesn't permit you to set up a regularly scheduled scan; for that, you'll need the full Panda Platinum 2006 Internet Security Suite.
Many programs have adopted console screens--similar to Windows XP's SP2 Security Center--that provide a general overview of your PC's status. Symantec's Norton Protection Center, for example, tells you how secure your PC is when you perform common activities such as using e-mail or surfing the Web. In some ways, these consoles (McAfee's Security Center, for one) are platforms for blatant attempts by the companies to market their other products, but they can be useful for finding security holes.

F-Secure reports comprehensively on the latest security threats.
F-Secure and Panda provide breaking security news from their system tray icons. BitDefender puts a small window called the File Zone on your desktop to supply a running, graphical representation of the number of files that have been scanned in the past few minutes (you can turn the option off).
All of the products we tested come with e-mail technical support for the duration of the virus-software subscription (one year for the paid programs and indefinitely for the free ones). BitDefender, F-Secure, Kaspersky, Panda, and Trend Micro all offer free telephone support--on weekdays, at least. Symantec's phone support costs $30 per incident; McAfee charges $3 per minute for help. If you think you might wind up needing phone support, you should consider these prices when making your buying decision. One or two lengthy calls could add up to the price of the software.
The Convenience Factor

Avast has a slick media-player-style interface that hides some features.
Trend Micro's PC-cillin was the easiest product to use. It packs a lot of security information in an easy-to-understand interface. And while intuitive for novice users to navigate, it still provides the choices and settings that seasoned users would require to configure the software.
Alwil's Avast distinguishes itself with a unique and flashy main console--complete with customizable skins--that looks similar to some media players. The console provides the same information as those of other programs, but it hides some features behind surrounding icon buttons.
The interfaces on other programs are fairly basic. BitDefender's opening screen notifies users only whether virus protection and automatic updates are turned on. More-useful features are located in screens accessed on the left side of the window. They open intuitive toolbars that let you quickly access details; here you can specify whether you wish to receive security notifications or change the color scheme of the interface, for example.
Grisoft AVG's main window is practically useless. Its sparse collection of options--Scan Computer, Scan Selected Areas, and Check For Updates--underscores the limited nature of the software's features, and some configuration options remind you that certain tools are available only in the paid upgrade product, AVG Professional (which we couldn't test due to space and time constraints).
However, thanks to free products such as Grisoft's AVG Free Edition, you don't have to shell out any money to win the fight against known viruses. Though no antivirus package can completely protect your PC against unknown threats, choosing one of our top-rated products will at least give you the best protection you can get right now.
Antivirus Alternative: Microsoft OneCare Live

Windows OneCare Live's firewall provides easy-to-understand alerts about unrecognized network activity.
OneCare Live is a collection of security tools and utilities that you can manage in a single interface. The security components currently consist of antivirus software and a firewall; Microsoft expects to add an antispyware application in a subsequent beta version. Other utilities in the set include a backup application and a tune-up routine that automates tasks such as disk defragmentation and disk cleanup.
Like most antivirus tools, OneCare Live lets you scan on demand or on a schedule, configure the files and folders you would like scanned, and exclude files from the scanning process. Currently, it performs no inbound or outbound e-mail scanning, and it scans instant messaging traffic only from MSN Messenger; the company says, however, that it plans to incorporate e-mail scanning and will consider additional IM client scanning later on. A layer of behavior-based protection monitors files for suspicious activities, such as modification of Registry keys. Our first scan took an acceptable 15-plus minutes.
OneCare's firewall, which monitors both inbound and outbound network traffic, is a beefed-up version of the Windows Firewall, which tracks only inbound traffic. Upon first use, OneCare asked us about software activity that it didn't recognize, such as an iTunes software update and Lotus Notes network activity. For the most part, it stayed out of our way so long as we kept up with security updates.
Installation was easy, though it required us to use Internet Explorer 6. (Checking for security updates necessitates using Internet Explorer 5 or later.) A Web-based wizard assessed our system to see whether it met the minimum requirements, as well as to spot possible software conflicts, before allowing us to install OneCare. Microsoft says that OneCare will check to make sure that you have no conflicting antivirus software running during installation, but it did not recognize the client version of Symantec's Norton AntiVirus Corporate Edition installed on our PC. However, a reader commenting on our Today @ PC World blog reported that it did detect and prompt for the removal of the desktop version of Norton AntiVirus.
Microsoft hasn't set a price for the package, but a Purchase Now button indicates that OneCare won't be free forever.
Narasu Rebbapragada
How We Tested Antivirus Software
We tested stand-alone antivirus products where possible and only the antivirus scanning engines of products that had multiple security components. The PC World Rating is a weighted average of specifications (10 percent), price (10 percent), design (30 percent), and performance (50 percent).
Performance Tests Explained
AV-Test, a German security firm, evaluated how well the programs could detect 1518 WildList threats and 136,250 threats from its own zoo of backdoor programs, bots, and Trojan horses. AV-Test evaluated each program's heuristics by using one-month-old and two-month-old versions of the programs, which wouldn't have the benefit of subsequent malware signatures. In the one-month-old heuristic tests, AV-Test saw how well the programs could detect 244 backdoor programs and 37 worms. In the two-month-old heuristic tests, AV-Test saw how well the programs could detect 555 backdoor programs and 101 worms.
AV-Test evaluated how well the programs could detect and clean 110 macro viruses affecting Microsoft Office applications. AV-Test also compiled data on how quickly software companies released virus signatures for 16 new outbreaks over a period of eight months in 2005. PC World tested how quickly each program ran a system scan on a test set of files and folders.
Performance results are a weighted average of WildList tests (30 percent), zoo tests (15 percent), one-month-old heuristic tests (20 percent), two-month-old heuristic tests (10 percent), macro virus results (10 percent), outbreak-response-time tests (10 percent), and scan-speed tests (5 percent).
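Combining the two weightings shows how much each performance test actually moves the overall PC World Rating. This is a worked calculation added here, not part of the original methodology note; S, P, D and Perf stand for the specifications, price, design and performance scores, and W, Z, H1, H2, M, R, T for the seven performance tests in the order listed above.

$$
\text{Rating} = 0.10\,S + 0.10\,P + 0.30\,D + 0.50\,\text{Perf}
$$

$$
\text{Perf} = 0.30\,W + 0.15\,Z + 0.20\,H_1 + 0.10\,H_2 + 0.10\,M + 0.10\,R + 0.05\,T
$$

Substituting the second equation into the first gives each test's effective share of the overall rating:

$$
\begin{aligned}
W &: 0.50 \times 0.30 = 0.150 \\
Z &: 0.50 \times 0.15 = 0.075 \\
H_1 &: 0.50 \times 0.20 = 0.100 \\
H_2 &: 0.50 \times 0.10 = 0.050 \\
M &: 0.50 \times 0.10 = 0.050 \\
R &: 0.50 \times 0.10 = 0.050 \\
T &: 0.50 \times 0.05 = 0.025
\end{aligned}
$$

The seven shares sum to 0.50, the performance component's weight. Because every product scored 100 percent on the WildList test, its 15 percent of the overall rating is identical for all ten products; the differences in performance come from the zoo test (7.5 percent), the two heuristics tests (15 percent combined), and the smaller macro-virus, response-time and scan-speed shares.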
