Vipre antivirus

SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

The company I work for provides network intrusion investigation/forensics, data protection, and information security consulting and contracting services for various corporations and governments (federal - state - county - city) in the U.S. We also evaluate anti-virus products for use and suitability. The ones currently in the top four of our list (ranked in order) in the personal or individual workstation category are:

1. Avast (A little money saving tip - Overall the free personal use version is the same as the retail version except the database updates are not notified every day by the client in the free version but you can still get the updates by manually updating or setting the updates to automatic - you just don't get the notifications that an update is available on a daily basis is all. So basically if you get the free version you have the retail version for free :) )

2. Kaspersky

3. NOD 32

4. Symantec (pro version and enterprise - not endpoint version)
Last edited by SFSxOI on Wed Aug 12, 2009 1:12 pm, edited 3 times in total.
Fangbeast
PureBasic Protozoa
Posts: 4789
Joined: Fri Apr 25, 2003 3:08 pm
Location: Not Sydney!!! (Bad water, no goats)

What about Comodo?

Post by Fangbeast »

I'm using the Comodo security suite (Combination antivirus and firewall).

While some people have personal issues with it and it can be a bit pedantic with its messages, I've had no problems running it under Windows XP and Windows 7.

Seems to work well enough here. Just my personal experience with it.
Amateur Radio/VK3HAF, (D-STAR/DMR and more), Arduino, ESP32, Coding, Crochet
GWarner
Enthusiast
Posts: 605
Joined: Fri Jul 24, 2009 1:34 pm
Location: USA

Post by GWarner »

I've been using Avast for the past couple of years and was using AVG before that.

Will look at Microsoft's answer when it's released but unless it shows itself clearly better I'll probably just stay with Avast.
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

There is also a web site that tests anti virus products > http://www.virusbtn.com/index

They run tests using over 3000 known viruses, trojans, and worms, here are their picks:

Pass:

AhnLab V3 Internet Security, Alwil avast! Professional, AVG Internet Security, Avira AntiVir Professional, CA eTrust ITM, eEye Blink Professional, ESET NOD32 Antivirus, Fortinet FortiClient, Frisk F-PROT antivirus, F-Secure Client Security, F-Secure PSB Workstation Security, G DATA AntiVirus 2010, Kaspersky Anti-Virus 2009, Kingsoft Internet Security 2009 Advanced, McAfee Total Security, McAfee VirusScan Enterprise, Microsoft Forefront Client Security, MWTI eScan Internet Security Suite, Nifty Corp. Security24, Norman Security Suite, Quick Heal AntiVirus Lite 2009, Sophos Anti-Virus, and Trustport Antivirus 2009.

Fail:

Agnitum Outpost Security Suite Pro (one false positive), CA Internet Security Suite (960 polymorphic viruses misses), Filseclab Twister AntiTrojanVirus (2612 wildlist misses, 38 false positives), Finport Simple Anti-Virus (2897 wildlist misses, two false positives), K7 Total Security Desktop (one false positive), Kingsoft Internet Security 2009 Standard (228 wildlist misses), PC Tools AntiVirus 2009 (1188 wildlist misses, one false positive), PC Tools Internet Security 2009 (1355 wildlist misses, one false positive), PC Tools Spyware Doctor (1355 wildlist misses, one false positive), Rising Internet Security 2009 (43 wildlist misses, one false positive), Symantec Endpoint Protection (two wildlist misses), and VirusBuster Professional (one false positive).

I have a few issues with their McAfee Total Security and McAfee VirusScan Enterprise tests though. In our tests using 4500 known viruses, worms, trojans and their variants - McAfee Total Security and McAfee VirusScan Enterprise repeatedly failed to identify several items although they did detect the activity of these items and alert as to their activity. So nothing actually went undetected, just un-identified with these two.
GWarner
Enthusiast
Posts: 605
Joined: Fri Jul 24, 2009 1:34 pm
Location: USA

Post by GWarner »

I'd like to see somebody do the same for adware/spyware programs. I'm currently using SpyBot S&D but recently found Malwarebytes. It found five malware traces that SpyBot completely missed though I only count it as one because four of them were registry traces and for all I know those traces could be very old and the malware that created them long gone. The one I'm counting was an actual executable file.

Now I'm wondering if SpyBot is the best choice and if I should switch.
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

The web site link I posted also does the same for spyware.

SpyBot is pretty good, Malwarebytes is pretty good too. They both will leave traces, but any remaining traces are usually not a problem. You have to remember, spyware detection and removal, although necessary, is not the same as virus/trojan/worm detection and removal. They are actually two separate things. It's enough in the majority of cases to render the spyware inert and remove the source of the spyware which both SpyBot and Malwarebytes do, whereas with viruses/trojans/worms it's necessary to remove all of it and scrub away any traces system wide. The difference is, spyware for the most part is a single point 'presence' whereas viruses/trojans/worms represent a system wide infection. There are other differences, I'm just being simplistic for the sake of brevity.
Last edited by SFSxOI on Thu Aug 13, 2009 1:35 pm, edited 1 time in total.
Logman
User
Posts: 33
Joined: Sun Oct 12, 2008 5:42 pm
Location: Virginia, USA

Post by Logman »

SFSxOI wrote: There is also a web site that tests anti virus products > http://www.virusbtn.com/index.
I use Avast because it comes in a 64-bit version for Vista/XP 64-bit OS in addition to a 32-bit version. For best performance on 64-bit systems, I recommend a top brand that provides a 64-bit version.

Logman
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

Avast is the top product in our tests. It also works with Windows 7 for both the 32 and 64 bit flavors. I use Avast Pro retail version (we get it for free anyway) myself and really like it. You can get the free version (personal license use) and you get basically the same as the retail version but just fewer bells and whistles but you can configure the free version and use it the same as the retail and it provides basically the same level of protection as the retail.

There is an inherent weakness in the various stand alone spyware removal tools, most of their engines rely heavily on known name patterns or activity pattern recognition at the time of the scan, instead of in-depth heuristics. It's OK to do it this way but the weakness in that is the spyware can remain dormant for a while and never be detected because it might not be active until a set pattern of circumstances exists to trigger its activity. Since most anti-spyware tools in the class of Spybot and Malwarebytes have what could be called "very light weight heuristics" even if they are active all of the time in their protection modes their engines could fail to detect newer spyware that doesn't match its current name and activity recognition awareness even with the latest updates to its databases and because the heuristic engines are so light weight they tend to not 'learn' quickly if they have such capability. Plus, another weakness is the individual using the anti-spyware tool in that the anti-spyware tool exposes configuration settings to the individual which directly impact its already light weight heuristics engines, and it's this way because it seems these packages were built for speed and convenience to make their use more user friendly with little development cost on the producers end. So the producers take what could be called 'shortcuts' by not working out more complex internal mechanisms which make the exposed user configuration items not have an impact on effectiveness. It's actually a simple thing for spyware to not be detected by these stand alone packages, I'm not going to disclose in public how but I will say that the only thing that has kept this from happening on a large scale basis is the hacker/producer themselves and their willingness to go the easy route in coding something.

So the stand alone packages are good for protection from spyware or finding and getting rid of it for the most part with around an over 90% success rate. Any stand alone anti-spyware tool should always be backed up by a quality anti-virus package.
Last edited by SFSxOI on Thu Aug 13, 2009 10:54 pm, edited 1 time in total.
GWarner
Enthusiast
Posts: 605
Joined: Fri Jul 24, 2009 1:34 pm
Location: USA

Post by GWarner »

SFSxOI wrote: So the stand alone packages are good for protection from spyware or finding and getting rid of it for the most part with around an over 90% success rate. Any stand alone anti-spyware tool should always be backed up by a quality anti-virus package.
The problem with that is there is little to no overlap between a good anti-virus program and a good anti-spyware program. That's because most anti-virus vendors don't consider true spyware that does nothing malicious, it just gathers information about you and sends it home, a virus so they don't target it for detection and removal by their program.

All too often the only defense that exists for spyware are outbound firewalls that alert you to programs trying to access the Internet, Internet security systems that watch for sensitive information in the outbound packets, and stand alone anti spyware programs.

It would be nice if the vendors of anti-virus programs with their advanced detection systems would also target spyware just as they do viruses.
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

When you look at the various packages what you say is true, but that's all the more reason to back up anti-spyware tools with a good anti-virus package. For example, there is a virus variant of a virus called NimbaE (I think I spelled that right) that masquerades as the windows csrss.exe system file, it comes in different flavors but it's a favorite of spyware producers because it's so configurable. When it's used as just spyware it infects a copy of the real csrss.exe file and moves that copy to the C:\Windows\System32\drivers folder (or creates the file from scratch in some cases from the payload of the arriving package or arrives named as that). This makes it real easy to spot visually in task manager in XP because that file will then be marked as OWNER for ownership instead of SYSTEM like it's supposed to be, and it will be asking for internet access. Most firewall packages don't catch it because its name is recognized as a system file, but the real clue is it's in C:\Windows\System32\drivers instead of C:\Windows\System32\ where it's supposed to be.

Although it's acting as spyware none of the anti-spyware packages routinely catch it, but a good anti-virus package will catch it upon its asking for internet access or trying any sort of activity. A good anti-virus package in this case is one that will identify the actual virus. As an example, McAfee will sound an alarm about it but only give the user the message that the csrss.exe file wants to access the internet with no hints that it's actually a virus, whereas Avast will correctly identify the virus and tell the user something that indicates a threat instead of a routine type of message like McAfee gives. Most people would just click thru 'Yes' or OK on the McAfee message because they are used to getting such messages when they are trying to do something on line so they will just think it's part of what they are trying to do. The McAfee message gives no hint that a virus actually exists.
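
The check described in the post above (a csrss.exe image outside C:\Windows\System32, or one running under an account other than SYSTEM), as an added example that is not part of the original thread. The process snapshot is constructed sample data, and the table entries other than csrss.exe are an assumed generalization to other core Windows processes.

```python
import ntpath

SYSTEM_DIR = r"C:\Windows\System32"
# Expected image directory and account per process name. csrss.exe is the
# case from the post; the other entries are an assumed generalization.
EXPECTED = {
    "csrss.exe": (SYSTEM_DIR, "SYSTEM"),
    "lsass.exe": (SYSTEM_DIR, "SYSTEM"),
    "services.exe": (SYSTEM_DIR, "SYSTEM"),
    "smss.exe": (SYSTEM_DIR, "SYSTEM"),
}

def _norm(path):
    # Collapse "..", unify slashes and case: Windows paths are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def check_process(proc):
    """Return the reasons a process record looks like a masquerading system file."""
    image = _norm(proc["path"])
    name = ntpath.basename(image)
    if name not in EXPECTED:
        return []
    exp_dir, exp_owner = EXPECTED[name]
    reasons = []
    if ntpath.dirname(image) != _norm(exp_dir):
        reasons.append(f"image in {ntpath.dirname(proc['path'])}, expected {exp_dir}")
    # Accept both the short and the domain-qualified form of the account name.
    owner = proc["owner"].rsplit("\\", 1)[-1].upper()
    if owner != exp_owner:
        reasons.append(f"runs as {proc['owner']}, expected {exp_owner}")
    return reasons

def scan(snapshot):
    """Map pid -> reasons for every flagged process in the snapshot."""
    flagged = {}
    for proc in snapshot:
        reasons = check_process(proc)
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged

# Constructed sample snapshot: pid, image path, owning account.
SNAPSHOT = [
    {"pid": 412, "path": r"C:\Windows\System32\csrss.exe", "owner": r"NT AUTHORITY\SYSTEM"},
    {"pid": 2044, "path": r"C:\WINDOWS\system32\drivers\csrss.exe", "owner": r"DESKTOP\alice"},
    {"pid": 3120, "path": r"C:\Program Files\App\app.exe", "owner": r"DESKTOP\alice"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

Matching on name alone is what lets the firewall prompt in the post look routine; comparing the full image path and the owning account is what separates the copy in the drivers folder from the real file.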
blueznl
PureBasic Expert
Posts: 6166
Joined: Sat May 17, 2003 11:31 am
Contact:

Post by blueznl »

Avira here, even purchased it for my main machine, using the free versions on everything else :-)

As for anti spyware, I use SpyBot as well as (the name is horrible) SuperAntiSpyware on this machine, seems to work fine...
( PB6.00 LTS Win11 x64 Asrock AB350 Pro4 Ryzen 5 3600 32GB GTX1060 6GB)
( The path to enlightenment and the PureBasic Survival Guide right here... )
Rescator
Addict
Posts: 1769
Joined: Sat Feb 19, 2005 5:05 pm
Location: Norway

Post by Rescator »

I'm rather surprised by that test site, they haven't tested Clam at all, only thing I found on their site was a news announcement from 2007.
No tests at all O.o
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

No one tests clam because it's not a serious contender. They are more interested in it being open source than they are in adhering to the standards. Plus, unless I'm mistaken, it does not have an on access scanning engine meaning you have to scan each file individually. But it's not all bad, it's got its good points too. But it just doesn't appear as a market-serious product right now.
Last edited by SFSxOI on Fri Aug 14, 2009 12:32 am, edited 4 times in total.
talisman
Enthusiast
Posts: 231
Joined: Sat May 23, 2009 9:33 am

Post by talisman »

Maybe you know this already, but it's still a good site to have bookmarked: http://virusscan.jotti.org

If you suspect a file to contain a virus, upload to Jotti and see what the final output is. It's interesting to see how sometimes free AV can find trojans that commercial don't and many times commercial AV identifies virus that free doesn't. :)
GWarner
Enthusiast
Posts: 605
Joined: Fri Jul 24, 2009 1:34 pm
Location: USA

Post by GWarner »

talisman wrote: Maybe you know this already, but it's still a good site to have bookmarked: http://virusscan.jotti.org
Similar to: http://www.virustotal.com