Tips for selecting the perfect tool for your environment
Rarely a day goes by that someone doesn't ask me to recommend a good antivirus scanner. But without understanding the particular environment and the inherent threats to that environment, determining the perfect product is impossible. More than a dozen good antivirus scanners—and a handful of great ones—are on the market. To find the perfect product for your environment, you need to understand the ingredients of a good antivirus scanner. You also need to do some product research and testing if you want to identify the best scanner without paying expensive consulting fees. (Although all antivirus scanners detect more than just viruses, I frequently use the term virus to refer to all sorts of malicious software—malware—to make the article more readable.)
Start with the Platform
Your first task is to inventory the platforms and systems you need to protect. Don't forget your PDAs and other wireless devices, such as Wireless Application Protocol (WAP)-enabled gateways. This inventory will partially determine which types of code—DOS viruses, Windows malware, Trojan horses, macro viruses, Instant Messaging (IM) threats, hostile ActiveX controls, malicious Java applets, email worms, HTML scripting threats—the antivirus scanner will need to watch for.
Several Web sites offer information about which antivirus products cover certain platforms. I like the supported-platform summary list at AV-Test.org (http://www.av-test.org/sites/tests.php3). However, just because a scanner runs on a particular platform doesn't necessarily mean that scanner is a good product for that platform. Check out Virus Bulletin's VB 100% awards (http://www.virusbtn.com/vb100/about/index.xml) for the pass/fail rankings of several antivirus products.
Signature- or Behavior-Based?
The more popular scanners—and those this article concentrates on—use a stored database of signatures to find malicious code. Vendors build pattern-matching algorithms based on a short series of bytes that appear in every replica of a particular virus. The virus's byte signature is typically 8 to 16 bytes long and is compared with the bytes in an examined host file. Vendors must choose signatures carefully so that their products don't turn up too many false positives and false negatives. More than 60,000 malware programs now exist, so signature databases can become quite large. Some antivirus scanners create signatures by using a hashing routine to take unique "snapshots" of the malware. The scanner's engine runs the hashing routine on suspect files and compares the results with the stored hash results in the signature database. If the two hashes match, the software makes its catch. This seemingly small difference in the way products capture and store signatures can decrease the malware's signature from as many as 16 bytes to as few as 2 or 3 bytes—quite a difference when multiplied by 60,000.
The Importance of the Engine
Signature-based antivirus scanners consist of two primary components: a signature database and a scanning engine. Most people understand the importance of having an up-to-date signature database with accurate signatures, virus names, and repair information. But understanding the scanning engine—the antivirus workhorse—is equally important.
Whenever a new type of exploit is discovered that the antivirus engine doesn't consider, the engine must be updated. For example, the W2K/Streams virus—discovered in September 2000—hid its code in the previously unexploited NTFS file-stream structure. At the time, no antivirus scanner scanned Windows NT's alternate file streams, so an engine update was necessary. While antivirus coders worked on signature updates for recognizing the W2K/Streams virus, other developers had to update the virus-scanning engines and test installation and backward compatibility.
Changes in malware techniques occur rapidly, so your antivirus vendor must produce new scanning engines and update customers regularly. (For information about the evolution of virus coding, see the sidebar "The Evolution of Virus Encryption," page 8.) Most vendors update their scanning engines a few times a year. If your scanning engine is 2 or more years old, something is amiss. Some vendors have a modular scanning engine and can send small updates along with the latest virus signatures. More often, the client must install the new client engine from a large download file. Check with your antivirus vendor about the frequency and methodology of engine updates. Most products automate the process so that you don't have to visit every client machine to do an update.
For efficiency, scanning engines keep some data in memory during scanning and keep other data on disk. Most antivirus products load the engine and common signatures in memory and store less commonly used signatures, features, and file-repair information on disk.
Antivirus vendors make trade-offs between accuracy and speed. A scanner that's 100 percent accurate would be as slow as molasses, so vendors strive for a product that offers a reasonable balance for the typical user. Most scanners scan only the most popular file types by default, but you can configure scanners to scan additional types.
An accurate scanner gives few false positives and false negatives and correctly identifies a given virus. False positives (which occur when a scanner inaccurately identifies a virus) can annoy you and can result in lost hours of productivity—often more time than you would have spent on a real virus. False negatives (which occur when a scanner fails to detect a true virus) permit the spread of malicious code. (For information about the predicted longevity of scanners, see the sidebar "Are Antivirus Scanners Dying?")
Common wisdom says that antivirus scanners should be at least 95 percent accurate against the entire population of malicious mobile code. No virus scanner is consistently 100 percent accurate. The best scanners average 97 percent accuracy or better, with occasional 100 percent spikes.
Many antivirus researchers believe that the ability to detect 100 percent of current threats is a better test of accuracy. Who cares whether a certain product can detect the Pakistani Brain boot virus, which hasn't infected anyone for 10 years and replicates only on 360KB 5.25" double-density disks? Virus Bulletin bestows its VB 100% award on antivirus scanners that detect 100 percent of the rogue code that currently exists in the wild, and WildList Organization International's official WildList (http://www.wildlist.org/WildList) reported only 543 threats as of November 2002. Interestingly, the VB 100% archives will show you how a particular vendor's product performs across different platforms. Although one product might detect 100 percent of the WildList in NT, it might perform horribly on Lotus Notes or Novell servers. The product you choose should make the VB 100% list for the platforms you run it on.
Complex viruses (e.g., Nimda, Klez) often require a complex removal tool. Typically, an antivirus removal tool for complex viruses doesn't reside within the antivirus scanning software. Instead, the scanner references a separate removal tool that you can find on the vendor's Web site. You might need your antivirus software to not only detect a virus but also determine the variant. For example, Nimda.A is a slightly different worm from Nimda.E, and you can cause additional problems if you use an antivirus-removal tool for the wrong variant.
Nobody wants a slow antivirus scanner. But how can a scanner quickly compare 60,000 file signatures against every file it needs to scan? The answer is that it can't. Although today's scanning engines look at every file they need to examine, they don't compare all files against every signature. Efficient virus scanners first determine the type of file being scanned, then compare it only against signatures for that file type.
For example, if you instruct a scanner to scan a Microsoft Excel file, the scanner first verifies that the file is indeed an Excel file, then ignores all signatures that are specific to other software, such as Microsoft Word macro viruses, boot-sector infectors, and .exe file infectors. How does the scanner determine what type of file it's examining? Simple scanners look at the file extension—an inaccurate method that malware can work around. The best scanners examine the file's header and compare it with an internal file-header database to identify the file type.
An efficient scanning engine will search for macro or Visual Basic (VB) code and, if it doesn't find such code, will consider the file clean. If the engine finds macro or VB code, the engine will search for potentially malicious key words (e.g., Auto_Open) in the code that might reveal a certain virus type. If the file doesn't contain a particular key word, the scanner can drop all virus signatures that require that key word's presence. A process of elimination occurs (in milliseconds) until the engine identifies the smallest universe of viable signatures. An efficient scanning engine can thus reduce the number of comparison signatures to a handful.
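As an added example (not code from the article or from any vendor's product), here is a toy Python scanner that follows the engine behaviour described above: it identifies the file type from header bytes rather than the extension, keeps only the signatures for that type whose required key words are actually present, and only then compares byte patterns or a whole-file hash. Every signature name, pattern and sample file is constructed test data.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# File-type identification by header ("magic bytes") instead of extension.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Office 97-2003 compound document
MAGIC = [(b"MZ", "exe"), (b"PK\x03\x04", "zip"), (OLE_MAGIC, "ole")]


def identify_type(data: bytes) -> str:
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


@dataclass(frozen=True)
class Signature:
    name: str
    file_type: str                     # compared only against files of this type
    pattern: Optional[bytes] = None    # short byte sequence found in every replica
    sha256: Optional[str] = None       # or a whole-file hash "snapshot"
    requires: tuple = ()               # key words that must be present (e.g. Auto_Open)


# Constructed sample files (invented bytes, not real malware).
SAMPLE_EXE = b"MZ" + b"\x90" * 32 + b"TOYVIRUS-EXE" + b"\x00" * 8
SAMPLE_DOC = OLE_MAGIC + b"Sub Auto_Open()\r\n TOYMACRO\r\nEnd Sub"
SAMPLE_DOC_CLEAN = OLE_MAGIC + b"plain text that happens to contain TOYMACRO"
SAMPLE_HASHED = b"MZ" + b"constructed body matched by hash, not by pattern"

# Constructed signature database: invented names and patterns.
SIGNATURES = [
    Signature("Toy.Exe.A", "exe", pattern=b"TOYVIRUS-EXE"),
    Signature("Toy.Macro.A", "ole", pattern=b"TOYMACRO", requires=(b"Auto_Open",)),
    Signature("Toy.Hash.A", "exe", sha256=hashlib.sha256(SAMPLE_HASHED).hexdigest()),
]


def candidate_signatures(data: bytes, ftype: str) -> list:
    """Process of elimination: keep only signatures for this file type whose
    required key words actually occur in the file."""
    return [sig for sig in SIGNATURES
            if sig.file_type == ftype and all(kw in data for kw in sig.requires)]


def scan(data: bytes) -> Optional[str]:
    """Return the matching signature name, or None if the file looks clean."""
    ftype = identify_type(data)
    digest = None
    for sig in candidate_signatures(data, ftype):
        if sig.pattern is not None and sig.pattern in data:
            return sig.name
        if sig.sha256 is not None:
            digest = digest or hashlib.sha256(data).hexdigest()   # hash once, lazily
            if digest == sig.sha256:
                return sig.name
    return None


if __name__ == "__main__":
    for label, sample in [("exe", SAMPLE_EXE), ("doc", SAMPLE_DOC),
                          ("clean doc", SAMPLE_DOC_CLEAN), ("hashed", SAMPLE_HASHED),
                          ("renamed text", b"TEXT " + b"TOYVIRUS-EXE")]:
        print(f"{label:12} type={identify_type(sample):8} result={scan(sample)}")
```

Note that the last sample carries the "exe" pattern but no MZ header, so it is never compared against the exe signatures at all; the type check, not the pattern, decides which signatures are even considered.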
Another component of speed is the number of computing cycles the scanner uses while other operations and applications are running. Most network administrators have seen antivirus software overburden a CPU and slow an entire system to a snail's pace. The best engines let you dictate how much of a system's processing resources the scanner can use. If you notice that your scanner is slowing down regular processing, you can simply allot less time to the scanner.
When a scanner finds malware, you want it to clean your files and make your system healthy again. With some malicious programs that permanently overwrite or delete files, a repair process is impossible. If an antivirus program can't repair a file with 100 percent accuracy and return it to its original state, it won't attempt the repair. For this reason, many infected files end up quarantined.
With today's sophisticated hybrid threats, simply cleaning up infected files is insufficient. Viruses and worms often make many system modifications—for example, they can write registry entries, modify startup files, and install chat and FTP servers. An antivirus tool that removes the culprit but can't fix the other repairable damage is only half a scanner.
For example, one of the Nimda worm's many behaviors is to create open drive shares for every logical disk on an infected machine and make them accessible with full control to everyone, including guests. The administrative drive shares on a Nimda-infected system are no longer password-protected. This behavior complicates disinfection because Nimda can simply reinfect through the many open drive shares.
In the few hours after Nimda debuted, the best that antivirus removal tools could do was to delete infected files, but because this effort left drive shares open, damage continued. The next generation of Nimda repair tools patched large security holes by deleting all drive shares, but the result was that nobody on the network could access previously established drive shares. To make matters worse, network administrators typically don't keep track of permissions to drive shares, so recreating those shares was time-consuming. The third generation of Nimda repair tools can restore most drive-share permissions if the affected machine hasn't been rebooted since infection. This solution still isn't perfect, but at least it gives some administrators a chance to make an easy recovery. All three generations of Nimda-removal tools delete all Nimda files (including killing the active process in memory), and the second- and third-generation tools restore startup files and the registry to pre-Nimda status. Often, complicated cleanups require a separate tool from the vendor because the large repair tool isn't included in the basic scanner.
Many of today's viruses are so good at modifying, encrypting, and hiding themselves that a virus-scanning engine must actually execute a suspect program before beginning a scan. When the engine executes a virus, the virus reveals the portions of its code that are necessary to continue operating and spreading, which lets the scanner grab a reliable signature.
Of course, a harmful program launched into your environment can damage infected systems and spread, so scanners often offer virtual environments in which the engine can safely execute and examine suspect code. Some engines emulate OS environments (e.g., Windows XP, Windows 2000). Other engines emulate particular CPUs because certain viruses thrive only in the presence of a particular CPU component—for example, a Network Processing Unit (NPU). Your antivirus product should offer emulation coding. Simple scanners—those that have poor detection rates—don't.
Most antivirus scanners feature a heuristic mode, in which the scanner attempts to detect and prevent malware that has no known signatures. The heuristic mode watches for suspicious coding behavior, known suspicious coding instructions, and routines that malware writers typically use. For example, any program that spends time encrypting and decrypting itself or that attempts to modify the system kernel or copy itself into other files is suspicious.
Enabling heuristic mode can significantly affect system performance. Although heuristic approaches are adequate at detecting previously unknown threats (some heuristic scanners claim detection rates higher than 80 percent), they universally suffer from false positives. Most antivirus engines let you turn heuristic mode on and off; great scanners let you set the level (e.g., 100 percent maximum) of heuristic use.
Today's PC environments are full of compressed and archived files—rare are the PCs that don't run PKWARE's PKZIP utility. Malicious users have dozens of such compression tools (aka packers) at their disposal. An antivirus scanner might be able to find a virus in a .zip file, but can it find the same virus after five different compression tools compress it? The virus scanner must recognize that the file is compressed, then uncompress it, determine whether it's still compressed, and decompress again if necessary or, if not, begin scanning. And if a file contains an active link to another file (e.g., an HTML file coded to download a malicious executable), the virus scanner should also scan the linked file. A feature called recursive scanning can help solve these problems.
Some scanners address compressed files by including their own decompression code or by insisting on knowing the location of the unpacking utility. Other vendors' products ignore compressed files and scan only as files are uncompressed. Although I like scanners that scan zipped files and some vendors brag about their products' ability to scan within 20 or more file-compression types, I don't think any one scanning engine can work with every possible packer. I've also seen many scanners that claim to feature recursive scanning but fail miserably at it. Therefore, scanning the final file as it's uncompressed makes the most sense to me. Of course, that method requires that the scanner be called as the file is uncompressed, which means the scanner must be running in realtime protection mode.
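The recursive-scanning behaviour described above, as an added Python example that is not from the article or any product: nested ZIP archives are unpacked layer by layer and each extracted member is scanned against a constructed pattern list; a nesting-depth limit and a total-unpacked-size budget keep a hostile archive from exhausting the scanner, and password-protected members are reported as skipped rather than silently passed. The patterns, the MAX_DEPTH and MAX_UNPACKED limits, and the archive contents are all invented for the demonstration.

```python
import io
import zipfile

# Constructed byte patterns standing in for real signatures (invented test data).
PATTERNS = {b"TOYVIRUS-EXE": "Toy.Exe.A"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 5                     # assumed limit on archive-in-archive nesting
MAX_UNPACKED = 10 * 1024 * 1024   # assumed budget of inflated bytes per scan


def match_patterns(data: bytes):
    """Return the name of the first constructed pattern found in data, else None."""
    for pattern, name in PATTERNS.items():
        if pattern in data:
            return name
    return None


def scan_recursive(data: bytes, path: str = "<root>", depth: int = 0, budget=None) -> list:
    """Scan data; if it is a ZIP archive, unpack every member and scan it in turn.
    Returns (path, verdict) pairs for each object examined or deliberately skipped."""
    if budget is None:
        budget = [MAX_UNPACKED]           # shared, mutable across the recursion
    if not data.startswith(ZIP_MAGIC):    # not an archive: scan the bytes themselves
        return [(path, match_patterns(data) or "clean")]
    if depth >= MAX_DEPTH:                # still compressed after MAX_DEPTH unpackings
        return [(path, "skipped: nested deeper than MAX_DEPTH")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "skipped: corrupt archive")]
    results = []
    with archive:
        for info in archive.infolist():
            member = f"{path}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # PKZIP encryption bit: scanner can't open it
                results.append((member, "skipped: password-protected"))
                continue
            if info.file_size > budget[0]:    # declared size would blow the budget
                results.append((member, "skipped: decompression budget exceeded"))
                continue
            budget[0] -= info.file_size
            results.extend(scan_recursive(archive.read(info), member, depth + 1, budget))
    return results


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(data: bytes, levels: int, name: str = "payload.exe") -> bytes:
    """Wrap data in `levels` archives, each containing the previous one."""
    for level in range(levels):
        data = make_zip({name if level == 0 else f"level{level}.zip": data})
    return data


# Constructed samples: an infected file under several layers, plus a clean file.
INFECTED = b"MZ" + b"\x90" * 16 + b"TOYVIRUS-EXE"
SAMPLE = make_zip({"inner.zip": nest(INFECTED, 2), "readme.txt": b"nothing to see"})

if __name__ == "__main__":
    for path, verdict in scan_recursive(SAMPLE):
        print(f"{verdict:40} {path}")
```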
To complicate matters, file-protection mechanisms that are designed to prevent unauthorized access can challenge antivirus scanners. Encrypted and password-protected files present special challenges, because scanners that can't open a file typically skip it.
Most scanners bypass password-protected files, but do you want yours to scan them? In the early days of Microsoft Office, a password-protected document wasn't encrypted. The password merely prevented the file from opening in Office, and a virus scanner could easily detect and delete a virus contained within such a file. Today, password-protected Office documents are locked up tight and are easily overlooked.
How should antivirus software treat a file that a digital certificate is protecting? If the document or program was signed while the virus was present, removing the virus will render the related digital certificate invalid. Nevertheless, scanners should remove all malware. If the malware corrupts the digital certificate, so be it—a malware-containing file shouldn't have been signed in the first place.
Files that Microsoft Encrypting File System (EFS) protects present a similar problem. Unless the scanner runs under a user account with a valid EFS key, the scanner won't be able to scan the file. If your company uses EFS, look specifically for products—such as Panda Software's Panda Antivirus Platinum for Win2K or Trend Micro's OfficeScan—that support EFS.
By default, most antivirus scanners' emergency boot disks will let you clean an infected NT boot sector. The boot sector and all the current boot sector viruses rely on standard FAT partitions. Antivirus products won't let you boot from a 3.5" disk to initiate an NTFS volume scan unless the vendor makes a special support boot disk. Although the need to scan an entire NTFS volume from a boot disk has diminished, the capability can still come in handy. If your product doesn't support boot-scanning NTFS volumes, you can use Sysinternals' NTFSDOS utility to create a custom boot disk that lets you boot to an NTFS volume and run a virus scanner from a 3.5" disk. If you use this approach, the virus scanner won't be able to scan compressed or EFS-encrypted files.
Your virus scanner should support on-demand scanning and realtime protection. In theory, if you run on-demand scanning when you install the scanner, then run realtime protection thereafter, you should never need on-demand scanning again. However, I like to use on-demand scanning to inspect specific files or to scan separate disks and volumes. Some virus scanners let you scan any accessible disk on the network; others allow only scans of local disks.
Your scanner should let you add and delete file types and folders from the scanning process. For example, a few years ago, most antivirus scanners skipped the Recycle Bin. Vendors thought scanning deleted files was a waste of resources. However, virus writers started hiding their creations in the Recycle Bin, so vendors put that folder back into the collection of items that you can have the product scan and protect.
Because antivirus scanners require frequent updates, you should consider only products that can update their engine and signatures without manual intervention. The virus scanner should check for signature updates every day and download them directly from the antivirus vendor's Web site or from a centralized server on the corporate network. I prefer the latter method, which is more efficient during a large outbreak of a new virus. If every PC on the network attempts to download a new signature while the vendor's Web site is under heavy load, protection will probably be spotty. If the centralized network server can get the signature update, it can feed the update to all connected workstations without interruption.
If you deploy antivirus clients to many desktops within a corporate network, check to see whether your antivirus vendor offers a tool for remotely configuring and deploying the clients. To prevent end-user unloading or misconfiguration, the desktop client should be locked down by default. The installation should be smooth, and when it's complete, the scanning engine should automatically check for updated signature files. The program shouldn't cause operational bugs or lockups. Even the best antivirus programs can cause problems on certain platforms, so if you have problems, don't assume you've made an installation mistake or that the workstation was previously corrupted. When the program is working on a desktop, it should do so transparently until it finds a problem.
Your antivirus scanner should always perform a self-check when it starts. More and more viruses are corrupting antivirus installations and deleting necessary files. The program should alert the user (and systems administrator) and take a default action when it finds malware. The program should also compile reports that show the total number of files scanned and cleaned, the types of viruses found, the affected user and machine, and the date of action. Alerts should be user-configurable so that the program can send messages to the screen, an email client, or a pager.
An antivirus solution for a corporate environment should permit centralized management and should let you disable or uninstall the antivirus software from a centralized location. Most applications vendors recommend disabling antivirus software during software installation, and a centralized management feature will pay for itself the first time you need to install a new application on many clients across a network.
The vendor's Web site should offer detailed analysis of the popular malware programs you're likely to encounter. Compare various vendors' analysis of Nimda, Klez, and other big-outbreak viruses. The finer the detail, the better. The site should contain a "virus encyclopedia" and let you search for particular filenames and message text that viruses might contain. The site should have a link dedicated to debunking hoax viruses so that you can readily research hoaxes. You should be able to download free utilities, repair tools, and supplemental reading. The vendor should also show evidence of ongoing research into future concerns, such as wireless threats and PDA viruses.
The vendor's technical-support staff should be accessible by phone, email, or fax and should answer calls within 15 minutes—faster, if you have a premium-support contract. Technical support should be helpful and willing to walk you step-by-step through installation, troubleshooting, and virus emergencies rather than simply point you to a document on the Web. Many vendors let their customers submit suspect files for inspection. If you've repeatedly scanned a file but still aren't sure it's safe, the ability to send it to the vendor for a once-over is comforting. This approach also helps antivirus vendors find new code and variants.
Make Your Choice
No antivirus scanner is perfect for everyone and every environment. You need to audit your environment to understand what you need to protect. Ideally, you want to install a scanner on every desktop and on a perimeter server, such as an email server or Internet gateway. Narrow your product list by including only vendors that offer strong support for your platforms. Then, check a few ratings sites and magazine reviews to determine how your candidates rank with regard to accuracy, speed, and feature sets. You want a scanner that consistently scores high detection rates and offers solid repair tools. Pick two or three candidates from vendors that have more than a few years of experience, then give them a try and choose one that feels natural in your environment. After you buy it, where do you put it? Check out the sidebar "Where to Run Your Scanner" for advice.