Protect yourself at all times with today's batch of antivirus software

Just in case you haven't heard, viruses can be fatal. Jeff Goldblum and Will Smith used one to wipe out an entire alien mothership in last year's hit movie Independence Day. In reality, viruses won't cause your computers to spontaneously break down, but they can be more than just a mere annoyance.

Like it or not, viruses (particularly those of the macro variety) are becoming more and more prevalent in everyday computing. People send files back and forth across the Internet all day, and these files eventually make their way down the pipe to your computer. Because authenticating each downloaded file is difficult, you have a slight chance of downloading something infected by viruses. Factor in other virus distribution vehicles, such as exchanging floppies with co-workers and installing shrinkwrapped software, and you increase the chances of infecting your computer. I've received infected files from the most unlikely sources: an infected executable on a store-bought application, infected Word documents from Microsoft Professional Developers Conference CD-ROMs, and an infected Excel spreadsheet from a coworker.

Although no native Windows NT viruses are in circulation, a simple boot sector virus can still wreak havoc on your NT systems. I've seen a boot sector virus continually kill NT, causing the Blue Screen of Death at almost regular intervals.

Thank goodness, NT virus scanners are available in abundance. In this year's virus scanner roundup, I looked at virus scanners available for NT Workstation. The results might surprise you.

How We Tested
One question that comes up often when you evaluate virus scanners is, "How do you determine which one is the best?" I usually reply, "It depends." And it does. You can rate virus scanners based on their respective detection rates. But with the current crop of viruses, you can assume that all virus detection routines detect about the same number of viruses. More variables are involved when you're gauging which virus scanner outperforms the others. When you decide to purchase a virus scanner, your first priority is to make sure it finds the most common viruses. The more common the virus, the greater the chance you have of finding it. Playing the numbers game with virus scanners might look impressive on paper, but what if the virus scanner that can detect a million viruses just happens to miss the Lacroix Excel macro virus?

In this comparative review, besides detection rates, I'll look at features such as realtime scanning and automatic updates (see Feature Comparison). Let's face it, running virus scans is almost as much fun as, well, doing backups. If you do an informal poll within your organization, I'd bet my software that very few people run virus scans regularly, if ever. Most antivirus vendors recognize that most professionals have too much work to worry about purifying their files daily or weekly, so vendors have added realtime scanning modules to their virus scanners. Realtime scanners are watchdogs that sit in the background, monitoring disk I/O for strains of viruses. When the system loads an infected executable, the scanner kicks in to clean the file.

In the past, virus scanners were dated as soon as they hit the street. New viruses are discovered every month, and in the dark ages before the Internet became a viable global network, virus scanners had no way of knowing about these new strains. Today, nearly every antivirus vendor makes updates available from its Web or FTP site. Automatic updating is simply an automated retrieval and installation process, making staying up-to-date on the latest viruses in the wild a bit easier.

Another requirement to consider is technical support. Although most modern virus scanners are easy to use, cleaning infected files is a different story. For the more stubborn viruses, calling a specialist is not a bad idea. How the companies handle panic calls is almost as important as what type of viruses their software can detect. My review also covers documentation included with the software, the user interface, notification options, and scheduling capabilities.

Some virus scanners include new heuristics-based technology. Traditionally, virus scanners use definition files to detect viruses. For example, a typical definition file includes a string of unintelligible (at least to human eyes) code that replicates the exact structure of a known virus. When scanning, the program compares the structure of each file against that string. When the program finds a match, it triggers an alert to let you know that it has detected a virus. This method has worked very well in the past, but newer viruses (such as polymorphic viruses and the ever-popular macro virus) laugh in the face of definitions. With a heuristics-based scanning engine, a virus scanner can plow through files looking for virus-like behavior. Rather than relying on exact matches, virus scanners can now active-ly seek out potentially destructive code.

In theory, this method tends to generate false positives (showing that a file is infected with a new virus when it's not), but it provides an additional layer of security, which is a good trade-off. In practice, however, this situation happens so infrequently that it's not much of a concern.

Price is, of course, also a concern. Small businesses might find it difficult to justify the cost of a multi-thousand dollar virus scanner with every single feature known to humankind. The perfect virus scanner is priced to sell (that is, under $100).

For this review, I introduced a package of roughly 50 common viruses, Trojan horses, and macro viruses into the testing environment. The testing environment consisted of one 150MHz Pentium machine running NT Workstation 4.0 with Service Pack 3. Some viruses were compressed and archived with PKZIP. I then zipped the ZIP files yet again in an attempt to catch the virus scanners off-guard. I installed each virus scanner independently of the others to prevent conflicts between each application.

I designed the testing regimen to be as straightforward as possible: I installed the viruses to a directory on the hard disk, triggering the flags of any virus scanner that happened to be poking around in that directory. Although this test might be less scientific than most conventional methods, it's also more representative of how users catch viruses. After all, all the poking and prodding in the world won't help if a virus hits your system when you load a file.

InocuLAN for Windows NT--Workstation Edition
Computer Associates' (CA's) InocuLAN has long been one of the finest NT Server virus scanners on the market. However, positioning itself as a server tool effectively priced InocuLAN out of the small office/home office (SOHO) market. Realizing this drawback, CA has issued an affordable workstation edition of InocuLAN that includes some important features of the server version.

InocuLAN ships on one CD-ROM and includes a comprehensive manual. Installation is simple: You insert the CD-ROM, feed a few directory names to the Setup program, and you're up and running. Although the manual lacks the encyclopedic information you get with other programs, CA makes a virus encyclopedia available on its Web site.

First, you'll notice the user interface lacks the glitz of rival utilities, as Screen 1 shows. What it lacks in aesthetics, however, is made up for in usability. Various options are scattered across multiple context-sensitive menus and dialog boxes, and setting up a scan is as easy as selecting the drives to scan and clicking the Go button.

Looks and usability are meaningless unless the scanning engine has the cleaning power to make it worthwhile. Fortunately, the capabilities under InocuLAN's hood are top-notch.

InocuLAN's scanning options are configurable to an extent. You can select which files a scan will include or exclude, based on their file extensions. You can select from one of three scanning options: Fast Scan, Secure Scan, and Reviewer Scan. I opted for the secure mode, and a default scan detected every virus in my test bed. This success rate included double-zipped files. Feeling particularly sadistic, I rezipped the double-zipped files, giving the infected files a three-layer compression shell. Again, InocuLAN plowed through the triple-zipped files without incident. Much to my delight, InocuLAN also cleaned every infected file without incident.

Unfortunately, InocuLAN's scanning engine doesn't support heuristics-based scanning. InocuLAN can't detect some of the more recent and obscure viruses. The slight upside to this shortcoming is that InocuLAN also generates few false positives. CA does have a heuristics-based version of InocuLAN in beta testing, and the final product might be available in the form of a virus definition update by the time you read this.

InocuLAN's notification options shine. By default, InocuLAN logs all activity in a text file, letting you call it up with just about any word processor or text editor available. For advanced configurations, you can set up InocuLAN to send virus alerts to pagers, Simple Network Management Protocol (SNMP) managers, email mailboxes, and remote printers. Admittedly, most of InocuLAN's notification features are overkill for small networks, but knowing that CA treats the workstation market with the same consideration that the company gives the more lucrative server market is reassuring.

Likewise, InocuLAN's scheduling options feature is comprehensive, albeit slightly inaccessible. You can set InocuLAN to run once a day, once a week, once a month, or multiple times daily. But the placement of its scheduling options makes the feature difficult to use. To schedule a scan, you must go into InocuLAN's Domain Manager, select your machine from the list of workstations on the network, and fill in the pertinent information.

InocuLAN's Realtime Monitor deserves an honorable mention. This on-the-fly scanning component sits in the background, monitoring both incoming and outgoing files. Because InocuLAN is primarily a server-based antivirus package, Realtime Monitor can scan network drives and email inboxes, if you use Microsoft's Exchange or Outlook clients and have the CA E-mail module installed. When the program detects viruses, InocuLAN can either clean the file, move the file, rename the file, or delete it. Interestingly, you can copy infected files to a special protected directory on the server to quarantine them--isolating them from every other file on the network--to minimize the chances of spreading the virus.

Virus definition updates are available for free from CA's Web site, but the retrieval and installation applet is not integrated with the main program. CA wants to give administrators more control by letting them disable definition updates. The purpose is to force some sort of standardization across the network. (Don't worry, I didn't quite understand it either.)

Regardless of this arrangement, retrieving and installing updates is relatively painless. The AutoDownload Manager, which you must start separately, runs as a scheduled service. You can set it to execute once a month, ensuring that you always have the latest virus definitions installed.

InocuLAN is the most scalable package I covered in this roundup. If you anticipate the need to add more machines to your network, InocuLAN is your best choice. It accommodates your needs as your working environment grows.

F-PROT Professional for Windows NT 3.0
In the early '90s, when DOS still ruled, the two main shareware virus scanners were McAfee's VirusScan and Command Software Systems' F-PROT. VirusScan has already made a successful transition from DOS to NT, leaving F-PROT with a hard act to follow.

F-PROT Professional ships on four permanently write-protected disks, preventing unauthorized tampering. Installation is straightforward. You let the program create a directory, select the components you want to install, and feed the floppies to the computer. Four floppies later, you're ready to go. F-PROT Professional comes with a thin manual that you can throw away once you've installed the software.

Like VirusScan, F-PROT Professional is a task-based virus scanner. Unlike McAfee's offering, however, F-PROT includes several predefined tasks, as Screen 2, page 78, shows. This feature helps you get up to speed and send F-PROT in on the war against viruses.

New tasks are easy to set up in F-PROT Professional. You click on the New Task button to bring up a dialog box that asks whether the new task is a user-level or administrator-level task. You select the appropriate security level to bring up the Properties dialog box that lets you specify which drives to scan, which files to exclude, and how the program will act when it encounters a virus.

Once you have saved the task, you can schedule it with F-PROT's internal scheduling tool. This scheduling tool is not as comprehensive as the schedulers in other products, but it supports daily, weekly, and monthly scans. A unique option in this scheduler is the ability to send F-PROT into action after a prespecified amount of idle time has elapsed.

F-PROT's detection rate was good, but not perfect. It detected 39 of the 40 unzipped viruses (including all the Office macro viruses) and 9 of the 10 double-zipped viruses. This score might be less important than it seems, because the 39 viruses it detected are some of the more common strains, such as Jerusalem and Michelangelo. For detection of more advanced viruses, F-PROT includes a heuristics analysis module, which is still considered experimental. In testing, this module generated many false positives because of its alpha-level status, so I recommend turning it off.

F-PROT's realtime scanning module, Dynamic Virus Protection (DVP), is excellent. It detects nearly every virus loaded and takes up very little CPU time.

The program moves infected files immediately to a quarantine directory to await treatment. This process isolates the infected files from the rest of the hard disk.

Cleaning the files was interesting to watch. F-PROT quite possibly has the best disinfecting rate of any virus scanner on the market today. The other virus scanners in this review stumbled over at least four or five infected files, but F-PROT cleaned everything it detected (quite possibly invalidating the lower detection rate vis á vis the other virus scanners).

The notification options in F-PROT Professional are very good. The software uses a Messaging API (MAPI)-compliant notification module that supports email notification on systems that support the MAPI standard. Pager notifications are missing, but you can send broadcast messages over a network when the program detects a virus.

Command Software Systems makes electronic definition updates available to registered users via its Web site. This method seems somewhat kludgey compared with the integrated update retrieval routines found in other programs, however. To make staying up-to-date with the latest viruses easy, F-PROT Professional lets you enter custom virus strings.

In terms of technical support, Command Software Systems stands head and shoulders above the other vendors. A 24-hour, toll-free emergency hotline is available to all users. Here's hoping it sparks a new trend among antivirus software vendors.

F-PROT Professional is a good tool, but it simply doesn't have the pizzazz to make it a must-have. The program doesn't have many compelling fea-tures, making it only an adequate virus scanner.

Additionally, the alpha status of F-PROT Professional's heuristics scanning engine makes it a hindrance. That fact, combined with the lack of automatic updates, knocks F-PROT Professional out of the running. Command Software Systems is committed to refining F-PROT, and the product will be one to look for when it matures.

Dr Solomon's Anti-Virus Toolkit for Windows NT
Dr Solomon's Anti-Virus Toolkit for Windows NT is a favorite among virus researchers. And why not? After all, virus researchers designed the software.

Dr Solomon's product comprises several components. The version I tested ships on a handful of permanently write-protected floppy disks, which include versions for DOS and NT and a special virus detecting boot disk called Magic Bullet. Dr Solomon's also includes a CD-ROM to make installation a bit easier. Before installing the software, I rebooted the test system with Magic Bullet in the disk drive. Unbeknownst to Magic Bullet, I infected the system with a boot sector virus. When the system started, Magic Bullet immediately found the infection and cleaned it.

To make sure everything's on the up and up, Dr Solomon's runs an immediate full system scan after installation, detecting and nuking the infected files I liberally sprinkled throughout my hard disks. Dr Solomon's also caught the double-zipped files. Further testing revealed that Dr Solomon's acts like, well, acid when it detects files that have been compressed multiple times. The scanner eats and eats through the layers of compression until it gets to the real files.

More impressive, Dr Solomon's comes with several manuals that are more akin to books than instruction pamphlets. A very useful guide to evaluating antivirus software shows you the most important attributes to look for when you're trying to find the right solution for your systems. Surprisingly, this guide lacks traces of bias. The words Dr Solomon never appear in the book. A massive (about 400-page) virus encyclopedia that includes information about most known viruses completes the package.

When you load Dr Solomon's, you'll notice that the interface has been streamlined (which is impressive because the interface in older releases was clean already). To launch scans, you select the drives in the Drives dialog box and click Find (to detect viruses only) or Repair (to clean infected files), as Screen 3 shows.

Dr Solomon's WinGuard scanner handles realtime virus scanning. WinGuard runs quietly in the background until an infected file is executed. WinGuard then automatically repairs the file, making WinGuard an ideal program for server computers that run (usually without user intervention) 24 hours a day.

The new version of Dr Solomon's includes and uses a heuristics scanning engine to detect unknown viruses. By using a heuristics-based engine, Dr Solomon's can look for suspicious strings in files to make the detection process more comprehensive.

Dr Solomon's scanning services are excellent. In a few minutes, the program worked its way through my infected files, identifying each one and eradicating them. Not even double-zipped files made it past the good doctor.

As far as notification options go, well, in Dr Solomon's they are close to nonexistent. You can have the program report whatever it finds to a text file or a printer, but nothing more. If you're using Dr Solomon's as a virus scanner for a standalone workstation, this level of reporting might be adequate, but it's clearly not enough if you plan to have the software scan multiple machines across a network.

Dr Solomon's scheduling services, in contrast, are both excellent and flexible. The internal scheduler supports interval scanning, rather than just daily or weekly scanning. You can set up the scheduler to do full system scans when your system is idle. For example, if you leave the office for lunch at noon every day, you can have the program perform a scan from 12:00 pm to 1:00 pm, then again at 5:00 pm when you call it a day. The scheduler also supports external applications, so you can use it as a more elegant AT command (NT's internal and slightly convoluted scheduling service).

Unfortunately, Dr Solomon's handles virus definition updates poorly. Each box of Dr Solomon's Anti-Virus includes quarterly virus definition updates that are sent out on floppies. You can also retrieve these updates from Dr Solomon's Web site, but you must install them manually. With new viruses appearing almost on a weekly basis, issuing updates four times a year makes very little sense, especially when compared with other products that update monthly or even weekly.

Dr Solomon's Anti-Virus Toolkit is a first-rate virus scanner that keeps going and going and going. However, the quarterly update plan makes very little sense to me. Other virus scanners in this review perform just as well as Dr Solomon's and offer more frequent updates.

VirusScan for Windows NT 3.02
Although early versions of McAfee's VirusScan for Windows NT lacked essential features and were rough in their execution, many of the nagging shortcomings I encountered in last year's roundup (see "Virus Scanners for NT," October 1996) have been cleaned up in version 3.02.

VirusScan ships on CD-ROM and floppies, but because 3.02 was brand new, I opted to download the code from McAfee's FTP server (at press time, the files were stored at Once I downloaded and unzipped the 3MB file, I executed setup.exe and specified an installation directory to install the software. Because I already had a previous version of VirusScan installed, Setup offered to upgrade the existing files (actually, it removed them). Note, though, that you must use an account with Administrator privileges to install VirusScan if you intend to scan network drives. Unfortunately, the documentation with the retail package is skimpy. Aside from installation instructions, most of the good stuff is available electronically in a Help file.

VirusScan 3.02's user interface, shown in Screen 4, page 80, is nearly identical to that of version 2.5. Wrapped around the scanning engine is an intuitive console from which you can set up tasks, update virus definitions, and view the virus list.

Running a scan is a bit trickier than you would expect. You don't simply click on a drive and let the virus scanner work its magic. VirusScan requires you to create scan tasks, which are predefined jobs that let VirusScan know which drives to scan. Although this approach might sound cumbersome, the execution is more flexible than the conventional method. For example, I set up one task to scan all local drives, another to scan network resources, another to scan my download directory, and one to scan my incoming email directory, each task executing independently of one another. You can have VirusScan plow through your local hard disks and network hard disks once a week to keep CPU and bandwidth usage to a minimum. The two most active directories on my system are my download and email directories--on a slow day, I pull in roughly 100 files--so I have VirusScan check for viruses in those two repositories once an hour.

In addition to the ability to schedule scans to run during off-peak hours, you can adjust the amount of priority the scan process receives. Those who use IDE hard disks will appreciate this feature because it prevents VirusScan from draining all available CPU resources. On a typical SCSI-based system, Task Manager reported 60 percent CPU usage with high priority, 50 percent usage with medium priority, and 35 percent usage with low priority. On EIDE hard disks, the CPU usage jumped up to 95 percent for high priority, 76 percent for medium priority, and 45 percent for low priority.

VirusScan for NT doesn't have many downsides. The only problem I have with the program is that it fails to take advantage of the Win32 APIs multithreading architecture, limiting its scanning engine to working on one drive at a time. With SCSI hard disks becoming more and more common in new systems, I'd like virus scanners to tackle multiple disks concurrently. To be fair, I must say that every product covered in this roundup works off of a single-threaded scanning engine.

VirusScan's notification options leave something to be desired. Most common notification methods, such as email, printer, or pager alerts, are conspicuously absent. In fact, the only option that somewhat resembles a notification feature is VirusScan's Prompt on Detection option. If you set the scanning engine's behavior to prompt only, VirusScan emits a (rather obnoxious) alert and a customizable message when it detects a virus.

In practice, VirusScan's detection rate is top-notch. In about 10 minutes, VirusScan plowed through 2GB of files and detected and cleaned infected Word documents, Excel documents, boot sector viruses, and polymorphic pests. The final score was VirusScan 40, viruses 0. McAfee claims that VirusScan has a 100 percent detection rate, but seeing the result was still surprising. So I threw 10 double-zipped infected files at VirusScan. It found all 10 viruses, but it couldn't clean them while they were in zipped format. VirusScan also logs all activity in a plain text file, making viewing the results of the last scan easy.

VirusScan's high detection rate comes from its Hunter engine. The Hunter engine is a heuristics-based detection engine that focuses mostly on polymorphic and Office viruses. This feature is important because polymorphic viruses have a nasty tendency to change forms to avoid detection, as their name implies. And Office viruses are becoming more and more prevalent as virus authors dabble in Visual Basic for Applications (VBA), Visual Basic (VB), and other macro languages to create malignant applets that target Office applications exclusively.

Additionally, VirusScan's realtime scanning module sits quietly in the background, monitoring all disk I/O activity. Just for fun, I ran an executable infected with the Jerusalem virus. VirusScan immediately trapped the virus and displayed a notification message. I was also pleasantly surprised to see that the realtime scanner didn't negatively affect system performance.

VirusScan's AutoUpdate module lets you easily retrieve new virus definitions if your computer is connected to the Internet. AutoUpdate is a shell script that connects to McAfee's FTP server to compare file dates between the definitions on your hard disk and the ones on the server. If the file dates on the server are later than the ones on your hard disk, the script downloads an update module and installs it seamlessly. If you have a permanent Internet connection, you can even schedule AutoUpdate to retrieve updates automatically at preset intervals.

You can access McAfee's technical support department via a messaging forum on their Web page and by calling a toll number. Users with a maintenance agreement (which is available at an additional cost) have access to a toll-free number. Ideally, McAfee needs a toll-free number for all customers, but the technical support staff seems to be competent, and they usually resolve problems in minutes.

McAfee has improved VirusScan enough to give it the edge over competing Workstation virus scanners, giving it a permanent spot on my desktop. With its flexible scanning options and high virus detection rate, VirusScan is excellent insurance for any connected PC. For an additional $99, the company offers free phone support for 90 days, free program updates for one year, and unlimited free virus definition updates.

Unlike the other programs in this review, SWEEP 3.0 is designed as a network-based virus scanner. However, SWEEP can run on a standalone workstation, which is the environment I tested the product in.

SWEEP ships on three write-protected floppies and installs with a standard installation interface. Because SWEEP uses a client/server architecture, Sophos recommends that you install the server software (InterCheck) to a central file server and distribute the clients from there. If you're working on a standalone workstation, you can simply install both components to the same machine. SWEEP requires a user account to run its services, so you'll either need to install with Administrator privileges or have an Administrator create an account for SWEEP to use before you install the software.

The printed manuals that come with the product are excellent. In addition to the three standard user manuals (one each for DOS, Windows 95, and NT), you get a Data Security Reference Guide, which I've dubbed the Data Security Bible. Within the 420-page book, you'll find anecdotes on past viral and Trojan horse attacks, a comprehensive history of viruses that dissects the basic virus format to demonstrate how viruses attack files, and Internet security tips. For the security conscious, this book might be worth the price of SWEEP.

SWEEP's UI is basic but adequate. Everything you need is accessible directly from the main window. As Screen 5 shows, the main window has four sections: a toolbar, a drive list, a progress indicator, and a status indicator. The drive includes a scheduling tab to let you schedule scans, and the toolbar includes an Alert button to let you specify how to send out notification messages.

SWEEP supports two types of scanning: quick and full. Quick scans are faster, but the process looks at only the parts of files most likely to contain viruses. Full scans take longer because they scan the entire file for viruses. SWEEP also includes two different priority levels, letting you choose between quicker scans that take less CPU time or more complex scans that come at the expense of system responsiveness.

In practice, SWEEP's detection engine is first-rate. The program detected every virus in my test bed. Even eccentric and uncommon strains couldn't escape SWEEP's watchful eye. However, SWEEP's virus detection routines are vigilant to the point of being an annoyance. When SWEEP discovers a virus, it locks the file until it gets a chance to clean it. It restricts copy, delete, and execute commands, which is inconvenient if you keep infected files for further analysis, as I do. Although I appreciated the security that this all-or-nothing method provides, this aspect became a hindrance. Also, SWEEP does not support heuristics-based scanning.

Cleaning the infected files is another matter. Of the 50 viruses it detected, SWEEP cleaned 48 of them, deleting the two that it couldn't recover.

The scheduling function is simple but powerful. A tabbed dialog box lets you define the type of scan (quick or full) you want to run. You simply check off the days that you want to run the scan and set times for each day. Because SWEEP, like most virus scanners for NT, runs as a service, you can close the program and let the service kick in at the prespecified times, even when you are not logged on to the system.

InterCheck, the realtime scanning module in SWEEP, scans crucial files and checks them against a list of authorized codes (that are created the first time a scan is initialized) when you first log on to NT. Once the program is loaded, it sits quietly in the background, monitoring activity. When you are about to load an infected file, InterCheck notifies you and locks the file. Aside from a brief slowdown when your system first executes InterCheck, the program doesn't seem to affect system performance.

SWEEP keeps a detailed log, viewable with NT's Event Viewer, noting which file has been infected with what. Recording activity in the system log is a double-edged sword because it makes exporting the saved information difficult. However, the system log is a logically sound place to keep the data.

SWEEP's notification methods leave something to be desired. Missing options include email and beeper notification that have become commonplace in virus scanners. SWEEP does provide network notification features, but the features are useless for standalone systems.

Updates for SWEEP are handled and distributed by Sophos' main distributor, Alternative Computer Technology. ACT places monthly updates on its Web site and makes them available to all registered users (alternatively, you can receive updates via monthly mailings of floppies which usually include product refreshes). Unfortunately, you must download these updates and install them manually.

Sophos' technical support department is a long-distance call for most users. But the company's virus specialists generally eradicate problems in minutes.

SWEEP is a solid contender in the server virus protection market, but it is overkill for standalone workstations and small peer-to-peer networks. To be fair, SWEEP isn't aimed at the workstation/SOHO market, so look elsewhere for a better virus detection system if you fit the SOHO profile.

Norton AntiVirus 4.0
One popular virus scanner for NT introduced a new version just in time for this year's roundup. Version 4.0 of last year's Editor's Choice award winner, Norton AntiVirus, is a bit older and a lot wiser, but the lack of new features is disappointing.

Norton AntiVirus ships on a CD-ROM loaded with InstallShield. The software comes with a 30+-page manual filled with installation and execution instructions, in contrast to the almost encyclopedic manuals that come with Dr Solomon's and SWEEP. Like the other programs in this roundup, Norton AntiVirus installs as a service and an application. Unlike the other programs, however, it lets you install it as a plugin for Netscape Navigator (Norton AntiVirus doesn't support Internet Explorer's ActiveX extension model). This feature is handy in light of the growing popularity of the Web as a software delivery vehicle. The program requires a reboot when you complete installation, so make sure your data is saved and safe before you install the software.

On the surface, Norton AntiVirus 4.0 looks and feels like its previous version. You select which drives to scan by marking their respective check boxes and clicking the Scan Now button. As Screen 6 shows, Norton AntiVirus includes three checkboxes to scan all floppy drives, local drives, and network drives, making systemwide scans a bit easier to perform. Tabbed dialog boxes categorize the comprehensive options list, so you can easily get to what you're looking for without wading through a sea of menus.

Unfortunately, Norton AntiVirus doesn't support the task-based scanning method available in other virus scanners. Although you can specify certain files and directories to include in the scan list, the program doesn't save them, making creating customized scan tasks difficult. For example, both VirusScan and F-PROT let me create tasks to scan through my download and email directories daily. Performing the same customized scan with Norton AntiVirus requires manually scanning each directory.

The scanning interface is straightforward. A progress indicator shows which file the program is currently looking at, the number of boot records and files scanned so far, and the number of viruses cleaned and detected. Norton AntiVirus had no problem detecting 100 percent of the viruses left in dropper (.exe and .com) format, but it choked on the viruses that had been zipped twice. Apparently, Norton AntiVirus checks archived files (including .pkzip, .lzh, .arj, and .rar), but it won't look at archived files within archived files. Keep this point in mind if you double-zip files.

The most important new feature in Norton AntiVirus 4.0 is the BloodHound heuristics scanning engine. Like McAfee's Hunter engine, BloodHound focuses on polymorphic viruses. Unlike Hunter, BloodHound has three preset sensitivity levels, letting you choose the level of aggression it uses to weed out viruses in those hard-to-reach spots. BloodHound is every bit as effective as Hunter, detecting the 40 infected files that were not zipped twice. The program cleaned each file to my satisfaction.

To provide scheduling functions, Symantec includes a copy of the Norton Program Scheduler with Norton AntiVirus. Norton Program Scheduler is a full-blown task scheduler, supporting most programs that you might want to schedule. This program scheduler is much more intuitive than NT's internal AT command. By default, the scheduler includes four event types: Display message, Run program, Scan for Viruses, and Run LiveUpdate. Scan for Viruses and Run LiveUpdate are self-explanatory; they are triggers for Norton AntiVirus. Display message, however, acts as a poor man's appointment manager. When you enter a message and set a time and date, Norton Program Scheduler displays a dialog box to remind you of appointments. Run program lets you create tasks to run at specified intervals. I used this tool to initiate weekly automatic backups of my data hard disk to CD-ROM.

The logging functions in Norton AntiVirus are first-rate. Activity logs are stored as text files that you view using Symantec's log viewer. The log viewer includes filtering features to separate the superfluous information from the essential.

The notification options in Norton AntiVirus are passable, but not much more than that. When the program detects a virus, it displays an onscreen message, sounds an alert, and forwards the alert to active Norton AntiVirus NetWare loadable modules (NLMs) on NetWare servers. I would like to see a pager and email notification in a future release.

Virus definition updates are available through Symantec's proprietary LiveUpdate tool, which requires a modem. If you have an active Internet account, you can send LiveUpdate to fetch updated definitions from Symantec's FTP site. If your computer is not connected to the Internet, LiveUpdate will call Symantec's toll-free BBS and download the updates. The company handles technical support, however, on CompuServe or via a toll telephone number. My experience with Symantec's technical support department was favorable. They answered my questions promptly even when I was in the guise of a bumbling first-time customer.

Norton AntiVirus 4.0 does not have many new features, but it's still a good, solid virus scanner. Unless you keep ZIP files within ZIP files, investigate Norton AntiVirus as a possible virus scanner. Its clean interface and advanced features make it a great fit for any system.

PC-cillin NT 1.0
TouchStone Software's PC-cillin has been a popular Windows 3.1 and Windows 95 product for the past few years, winning multiple awards. With the help of Trend Micro, TouchStone has developed a version of PC-cillin for NT. PC-cillin NT ships with support for Win95 and NT on one CD-ROM. Unlike many other virus scanners, the wizard-based installation program performs a full system scan before copying its files to the hard disk. A full installation, consisting of the virus scanner and the realtime scanners, takes about 13MB of disk space. Other vendors take note: PC-cillin offers to create or update your Emergency Repair Disk after installation.

PC-cillin has the best interface of the products I tested for this review. Although aesthetics might not be as important in virus scanning as it is in other genres, PC-cillin's tabbed interface, shown in Screen 7, makes getting up to speed with the program simple.

PC-cillin's scanning engine detected all the zipped and unzipped viruses, but it stumbled on the double-zipped files. To be fair, double-zipping isn't common, but a scanner's ability to handle such files makes me sleep better at night. Heuristics support is missing from the scanning engine, placing PC-cillin a step behind those programs that provide that support. I hope future versions of PC-cillin will include a heuristics-based scanning engine. Anything the program detected, it cleaned immediately.

PC-cillin's scheduling service is rudimentary but adequate. Although you can't set the virus scanner to kick in at prespecified intervals (such as multiple times per day or during idle times), you can have the program execute daily, weekly, or monthly.

Smart Monitor, PC-cillin's realtime virus scanner, is excellent and provides a high level of customizability. For example, from the Custom Monitor dialog box, you can set the type of events you want the scanner to trigger itself on, the type of files to scan (including UUENCODED files), and the type of extensions to scan for. With this ability, you can easily retrofit PC-cillin for your working environment. Smart Monitor also logs all detected viruses, which is handy if you leave your PC unattended on occasion.

One of the most innovative features in PC-cillin is its integration with Netscape to provide online support. But rather than providing a link from the application proper to Netscape Navigator, or adding a bookmark to the browser, PC-cillin includes a copy of Navigator within the software program. This integration with a Web browser makes downloading patches and receiving the latest virus alerts easy.

PC-cillin does most of the work of retrieving and installing updates behind the scenes, so you don't need to worry about downloading the updates and installing them. TouchStone Software offers three methods of retrieving updates: from its toll-free BBS, from its Web site, and from a floppy. Installing the updates is as easy as clicking on the appropriate button. Unfortunately, you can't schedule automatic updates, so you'll have to retrieve updates manually.

Finally, TouchStone Software offers electronic technical support. When you encounter a problem, you can fill out an electronic template that is sent directly to the developers. Turnaround time is estimated to be fewer than 48 hours. Although this solution is less elegant than traditional telephone-based tech support, it's better than posting a message on an open forum.

Overall, PC-cillin is a good, solid virus scanner with some innovative features that the antivirus field has never seen before. The lack of a heuristics-based engine is a problem if you anticipate encountering macro viruses. This oversight aside, PC-cillin NT has a lot about it to like.

Editor's Choice
Surprisingly enough, I didn't find a bad apple in the bunch. Table 1 summarizes my findings for each product's features. I would gladly install and use any of the virus scanners I tested in this review. However, only two programs excelled enough to get my vote for Editor's Choice: McAfee's VirusScan and Symantec's Norton AntiVirus. If you actively follow the antivirus market, you might find this observation amusing because Symantec claims that McAfee has illegally copied Symantec's source code for use in its products.

Legal issues aside, you can't beat either product's price and feature set. With their excellent detection rates, user interface, and automatic update features, McAfee VirusScan and Norton AntiVirus passed my acid tests with flying colors. Additionally, both VirusScan and Norton AntiVirus had the edge over their competitors because of their heuristic-based scanning engines. By employing heuristics technology, Symantec and McAfee have some additional insurance for the future.

The only feature keeping InocuLAN out of the Editor's Choice race is the lack of heuristics scanning in the version of the software that I tested. InocuLAN's superior notification features stood head and shoulders above both McAfee VirusScan and Norton AntiVirus, and you can't beat the price. With the inclusion of a heuristics-based scanning engine, InocuLAN will definitely be a contender. Dr Solomon's Anti-Virus also fared well in testing, but the quarterly update plan and relatively high price took it out of the running.

For now, VirusScan is my primary virus scanner because of its task-based architecture, but Norton AntiVirus still kicks in every time I download a file. I have the best of both worlds.

Dr Solomon's Anti-Virus Toolkit for Windows NT
Contact: Dr Solomon's Software * 781-273-7400 or 888-377-6566
Price: $125
System Requirements: Windows NT 3.51 or 4.0
F-PROT Professional for Windows NT 3.0
Contact: Command Software Systems * 561-575-3200 or 800-423-9147
Price: $49.95
System Requirements: Windows NT 3.51 or 4.0
InocuLAN for Windows NT Workstation Edition
Contact: Computer Associates International * 516-465-5000 or 800-243-9462
Price: $69
System Requirements: Windows NT 3.51 or 4.0
Norton AntiVirus 4.0
Contact: Symantec * 408-253-9600 or 800-441-7234
Price: $69
System Requirements: Windows NT 3.51 or 4.0
PC-cillin NT 1.0
Contact: TouchStone Software * 714-969-7746
Price: $69.95
System Requirements: Windows NT 3.51 or 4.0
Contact: Alternative Computer Technology * 513-755-1957
(Outside the US, contact Sophos, 44 1235 55 9933)
Price: $275
System Requirements: Windows NT 3.x or 4.0
VirusScan for Windows NT 3.02
Contact: McAfee * 408-988-3832
Price: $65
System Requirements: Windows NT 3.51 or 4.0