Antivirus features comparison. Suggestions for avast improvements...

From http://techsupportalert.com/issues/al_current.htm :wink:

In the last three issues I outlined my revised approach to computer security. This new approach is not idle speculation but the result of over a year of intense testing of modern malware agents as well as the latest security products.

At the heart of this approach is an increased emphasis on preventing malware ever getting onto your computer as opposed to trying to detect it once it is on your PC or removing it if it manages to infect your PC.

The key to prevention is the use of good personal security practices combined with the use of a sandbox for surfing, opening email attachments and installing any unknown programs. This approach is fleshed out in more detail here:
http://techsupportalert.com/issues/issue141.htm#Section_0

This approach however, is not enough by itself. You still need active protection on your PC, but not as much as you would need if you adopted a less proactive approach to preventing malware from getting on your PC.

If you use good security practices as well as a sandbox, you only need one, maybe two active security products running on your PC. If you don’t, you’ll possibly need three or four.

So, if you only need one or two active security products, what are the best choices?

Without a doubt the first product should be an anti-virus scanner. That’s because AV scanners offer more powerful detection and protection than anti-spyware, anti-trojan and other specialized security products. Not only are they more powerful they also have the ability to detect a wider range of malware menaces than the other products. Indeed good AV products can detect trojans, keyloggers, spyware and rootkits in addition to viruses and worms.

The choice of a second product is moot. Indeed it may not even be required but more of that later. Today we will look at AV scanners.

Let’s first consider the requirements:

  1. The product must have good, broad spectrum scanning detection. It needs to be able to detect any malware you have downloaded in your sandbox before you run it. Similarly it must detect anything that you have accidentally downloaded or copied to your “real” PC. In other words, it must work well within and outside your sandbox.

  2. It must have a first class memory monitor. Some malware programs are so well hidden that they can’t be detected by file scanning however they can almost always be detected by a good monitor when the malware is run.

  3. Email protection. Although I recommend opening email attachments in a sandbox, it’s useful to know an attachment is infected before it is opened.

  4. Self protection. Modern malware products routinely will try to pull down your defenses. The best security products actively defend themselves against being terminated by hostile agents.

  5. Protection against new, previously unknown threats. The exploitation of previously unknown product flaws (so called zero day threats) is becoming increasingly common. That’s why you need a product with good behavioral/heuristic detection in addition to signature based detection.

  6. Polymorphic detection. To avoid detection by their signature, modern malware threats are commonly coded using a technique called polymorphic encryption that ensures each individual copy of the threat looks different to any other. The best scanners can still detect these rodents despite their disguise.

  7. Resource usage. Protection is a good thing but you still want your PC to run quickly.

Let’s see how some popular AV scanners shape up. My main emphasis is on free products but I’ve included several well known commercial products as well.

In the table below, I’ve rated the products on a scale of 1-5, with 5 being the best rating. My ratings are based on information from a wide set of sources including my own published tests, AV Comparatives and the Virus Bulletin.

Product         Price    File     Memory   Email    Self        0-Day       Polymorphic  Resource
                         Scanner  Monitor  Scanner  Protection  Protection  Detection    Usage
AOL AVS         Free     5        5        5        3           2           4            2
Alwil Avast!    Free     4+       4+       4+       1           2           2            5
Avira AntiVir   Free     5+       5+       -        1           5           5            4
Grisoft AVG     Free     4        4        4        1           1           2            5
BitDefender AV  Free     5        -        -        n.a.        4           4            3
Kaspersky AV    $49.95   5        5        5        3           2           4            2
Eset NOD32      $39.00   5        5        5        5           5           5+           5
Norton AV 2007  $39.99   5        5        5        5           2           5+           1

As you can see, Avira Personal and AOL AVS are on balance, the best of the free products though neither is without problems.

The free Avira lacks an email scanner; that’s only available in the paid version. The self protection is also poor - it can be terminated with Windows Task manager. The free version also constantly nags you to upgrade.

The Kaspersky-based AOL AVS lacks the html scanner found in the full Kaspersky product and consequently doesn’t offer the same level of protection against hostile sites. It’s also quite heavy on resources and is not suitable for slower PCs. AOL AVS can be terminated by a hostile agent as well, though it puts up more of a fight than Avira. Finally, the AOL end user licensing agreement (EULA) has some worrying features including the right to send you unsolicited email and to give your email address to third parties.

Avira’s lack of email scanning and AOL’s problem with hostile sites can be set aside if you are prepared to do all your browsing in a sandbox and to only open your email attachments in a sandbox. If you have the discipline to do this then you have two fine products available, though unfortunately both can be terminated. Of the two, I would lean towards Avira as it’s lighter on resources and doesn’t have the problems of the AOL EULA.

But most users lack the discipline to consistently use a sandbox. They may aspire to do so, but pressure and circumstance may not allow it.

If that’s you then I suggest you consider one of the commercial products, as I don’t think the other free products are fully up to the task. AVG and Avast! have poor detection of polymorphic and 0-day malware in addition to having limited self protection while the free BitDefender lacks a real time monitor as well as email scanning.

Of the commercial products I favor NOD32 as it provides first class detection, yet is light on resources. The $19.95 paid version of Avira is also a fine choice, providing the same or slightly better protection as NOD32 at the cost of slightly heavier resource usage. Kaspersky and Norton AV are also sound options provided you have a fast PC.

If you are an average user and you follow the safe practices I suggested at the beginning of this editorial and combine that with one of these commercial AV products, then that’s all the protection you probably need. High risk users such as P2P users will need more but that’s a separate story.

If you simply can’t afford to buy a commercial product, there are other options. That’s what I’ll be talking about next month. See you then.

Declaration of interest: I do not sell, derive any commission from nor carry advertising for any of the products mentioned in this editorial.

Gizmo

Regarding improvements for avast!, here is a short discussion vlk had with a poster at Wilders

vlk

The only comment I have, regarding the speed (or slowness) of adding detection of new samples (submitted by users) to the avast database is that things are improving.

A whole new submission system is now under preparation and we hope it will bring many enhancements and generally improve the overall quality of the product.

Cheers
Vlk

aigle

Thanks vlk, I am really concerned about ITW samples as some users posted here. I install Avast for many novice users.

But to be honest, I am unable to understand your comments. The problem we discussed here is not with submission of samples; samples are being submitted, but the problem is that they are not being added. I am not sure how a new submission system can improve the addition of signatures.

BTW anything about heuristics? I remember that in the past you have informed us that heuristics will improve too.

vlk

On our side, the problem [b]is[/b] related to the submission process. We're getting 3,000+ samples daily. More than half of these are junk (legal/benign files), many files are also corrupted (may be of malware nature but are not functional) and there are other problems, too.

Unless we streamline the submission process and our internal (backend) systems, it’s really hard to cope with such volumes. Our analysts are just losing too much precious time dealing with unnecessary stuff.

http://www.wilderssecurity.com/showthread.php?t=171149&page=2

Just FYI :wink: (Hope I’m not off-topic here)

How do the other antivirus companies handle this, Vlk?
I mean, how do they separate the garbage from the malware material for analysis?

I don’t think so…
Hope Alwil drops a word about this too… better, more than just a word…

Hello,

May I advise using another scanner which has a higher detection rate to scan all the emails that virus (at) avast ()dot) com is receiving; then if a virus is found, automatically send it to one of the analysts with a high priority, otherwise send it to the analyst with low priority. Then for the high priority threats you could have it pass through a sandbox, etc…

Hope that brings up new ideas

Al968

Thanks Al… Why don’t they comment this? Isn’t it a good idea? Is it already implemented?

The problem with this logic, even if it were applied, is that the zip files are password protected, as we ask people to do, or they are sent from the chest, in which case they are encrypted. So whatever scan were applied wouldn’t be able to scan the contents.

The one feature I would like to see Avast add would be rootkit detection. In this day and age I think this is VERY important.

Just wanted to add that a HTTP scanner is definitely more of an optional feature rather than a necessity. It does make things more convenient and leads to earlier detection of downloaded malware, but ultimately it doesn’t increase the level of security provided to the end user.

You’re right… but, after all, having the Standard Shield at High sensitivity OR using it at Normal plus WebShield, I stay with the second: better performance without compromising security.

Yes, that would be a problem. May I ask why Alwil asks for a password in the first place?

Thanks

P.S that still would work with the Chest as it doesn’t add a password(or does it ?). :slight_smile:

Al968

Submission system is in the works, it will do what we need (automatically pre-sort the things, adding priority to files coming in from multiple sources, adding priority to files from honeypots etc.).

It will have some impact on the speed/accuracy of the analyst work. We just can’t estimate now how large the impact will be.

And please ask for no dates. 8)
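A toy version of the pre-sorting vlk describes (merge duplicate submissions, drop junk and corrupted files, rank honeypot and multi-source submissions first), combined with the scan-and-route idea Al968 floated. This is an added example for the thread, not code from Alwil's submission system, and it runs on constructed in-memory submissions. Two assumptions are built in: the agreed archive password is "infected" (the thread only says submitters are asked to password-protect zips, not which password), and "junk" is approximated by "not a well-formed PE file", which is far cruder than what a real back end would do. Note that the archive is opened at the back end, after delivery, which is why an intermediate scanner at an ISP never gets to see the contents.

```python
"""Toy sample-submission triage (added example, not Alwil's code).
Merges duplicates by content hash, rejects junk/corrupt/unreadable files,
and orders the analyst queue: honeypot hits first, then by number of
independent submitters."""
import hashlib
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass

ARCHIVE_PASSWORD = b"infected"   # assumed convention; the thread does not name the password
KNOWN_BENIGN = set()             # allowlist of SHA-256 hex digests (empty in this toy)


@dataclass
class Submission:
    source: str       # "user" or "honeypot"
    submitter: str    # identifies the sender, used to count independent sources
    filename: str
    payload: bytes


def unwrap(payload):
    """Return (inner file bytes, note). Zips are opened here, at the back end,
    with the agreed password; anything that fails to open is rejected, not guessed at."""
    if not payload.startswith(b"PK\x03\x04"):
        return payload, "raw file"
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
            if len(members) != 1:
                return None, "archive must contain exactly one file"
            info = members[0]
            encrypted = bool(info.flag_bits & 0x1)   # bit 0 = traditional PKWARE encryption
            data = zf.read(info, pwd=ARCHIVE_PASSWORD if encrypted else None)
            return data, "encrypted zip" if encrypted else "plain zip"
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError, zlib.error) as exc:
        return None, "archive unreadable: %s" % exc


def classify_pe(data):
    """'pe' for an MZ file whose PE signature is reachable, 'corrupt' for an MZ
    file whose PE header lies past the end (truncated), 'not-pe' otherwise."""
    if len(data) < 64 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "corrupt"
    return "pe"


def triage(submissions):
    """Merge submissions by content hash; return (ordered queue, rejects)."""
    queue, rejected = {}, []
    for sub in submissions:
        data, note = unwrap(sub.payload)
        if data is None:
            rejected.append((sub.filename, note))
            continue
        kind = classify_pe(data)
        if kind != "pe":
            rejected.append((sub.filename, "truncated PE" if kind == "corrupt" else "not an executable"))
            continue
        digest = hashlib.sha256(data).hexdigest()   # hash of the inner file, so zipped and raw copies merge
        if digest in KNOWN_BENIGN:
            rejected.append((sub.filename, "known benign"))
            continue
        entry = queue.setdefault(digest, {"sha256": digest, "submitters": set(),
                                          "names": set(), "honeypot": False})
        entry["submitters"].add(sub.submitter)
        entry["names"].add(sub.filename)
        entry["honeypot"] = entry["honeypot"] or sub.source == "honeypot"
    for entry in queue.values():
        # honeypot hits jump the queue; otherwise more independent submitters = higher priority
        entry["priority"] = (10 if entry["honeypot"] else 0) + len(entry["submitters"])
    ordered = sorted(queue.values(), key=lambda e: (-e["priority"], e["sha256"]))
    return ordered, rejected


# --- constructed inputs ----------------------------------------------------
def fake_pe(tag, truncated=False):
    """Minimal stand-in for a PE file: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    body = bytes(hdr) + b"\x00" * 64 + b"PE\x00\x00" + tag
    return body[:0x70] if truncated else body


def zip_sample(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_SUBMISSIONS = [
    Submission("user", "alice", "invoice.zip", zip_sample("invoice.exe", fake_pe(b"A"))),
    Submission("user", "bob", "invoice.exe", fake_pe(b"A")),        # same file, sent raw by a second user
    Submission("honeypot", "hp-01", "drop.exe", fake_pe(b"B")),
    Submission("user", "carol", "notes.txt", b"plain text, not an executable"),
    Submission("user", "dave", "broken.exe", fake_pe(b"C", truncated=True)),
    Submission("user", "erin", "setup.zip", b"PK\x03\x04not really a zip"),
]

if __name__ == "__main__":
    ordered, rejected = triage(SAMPLE_SUBMISSIONS)
    for e in ordered:
        print("P%-2d %s %s" % (e["priority"], e["sha256"][:12], sorted(e["names"])))
    for name, why in rejected:
        print("rejected %-12s %s" % (name, why))
```

Run as a script it prints the honeypot sample first (priority 11), then the file alice and bob both sent (priority 2, two names merged under one hash), and three rejects. The point of hashing the unwrapped file rather than the archive is that the same malware arriving zipped from one user and raw from another counts as one sample with two independent sources, which is exactly the "multiple sources" signal the planned system is meant to prioritise.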

My guess is simply to allow emails with attached infected files to get through any ISP email server or mail server en route to avast that does have an AV scan. If any did, the likelihood is that the attachment or email might get deleted and not get through.

The chest doesn’t ask for a password because the contents of the chest are encrypted, so the attachment is encrypted and, as with avast, if the content is encrypted other scanners will have no easy way to scan it.