Antivirus Roundup

Lately we've been doing a spot of research into the available antivirus products, with a view to changing our supplier and reseller agreement. The decision to take this step came after a client-site computer was found to have been compromised by a relatively serious executable-infector virus. This in spite of antivirus software which we'd been reselling for a number of years, which had served well over most of this interval but which recently seemed to be losing its effectiveness.

Information presented here is based on actual field experience, and is given in good faith. We've tried to be fair to the vendors in question, but without presenting the kind of unrealistically-positive reports often found on major IT review-sites. Basically, if we think it's a poor product, we say so. If the vendor doesn't like that, tough. It's an opinion, and we are entitled to state it.

Desktop Antivirus Packages:

| Product | Detection Rate | False Alarm Rate | Plus Points | Known Issues | Free* Version | Verdict |
|---|---|---|---|---|---|---|
| Eset NOD32 | Excellent | Low | Network-aware, and ideal for larger sites. All-round good performance. | Somewhat complex to configure | Yes* | Yes |
| Microsoft Security Essentials | Good | Low | Does the job very acceptably, and with minimal fuss | Requires Windows validation | Yes | Yes |
| Avast | Excellent | High† | More in the nature of an "Internet Security Suite" than antivirus | 'Takes over' the computer | Yes | See comments |
| Avira | Untested | Untested | Completely new version | Installation failed | Yes | Untested |
| Sophos | Excellent | Low | Business-site oriented | Somewhat complex | No | Yes |
| AVG | Good | High | Easy to set up, fully configurable. | Web-protect module has major issues | Yes | Maybe |
| McAfee | Average | High | Brand-leader | Considerable slowdown | No | No |
| Norton | Good | High | Brand-leader | Excessive slowdown | No | No |
| ClamAV | Excellent | High | Open-source, multi-platform. Portable version. | No Windows on-access scanner. | Free (GPL) | Yes, for specialist use. |

Specialist Spyware/Adware detection utilities:

| Product | Detection Rate | False Alarm Rate | Plus Points | Known Issues | Free Version* | Verdict |
|---|---|---|---|---|---|---|
| Malwarebytes Anti-Malware | Best of all tested. | Some | THE product for removing spyware. | Detects some popular utilities as malware. | Yes | Yes |
| Spybot Search & Destroy | Poor | Low | Memory-resident module | Limited effectiveness | Yes | No |
| Lavasoft Ad-aware | Moderate | Some | Used to be the preferred option. | Outclassed by Malwarebytes scanner. | Yes | Maybe |

The omission of a product from these tables is not a reflection on its performance; it's just that we've never encountered or benchtested it. We are a support operation and not a review site, so please be aware that we don't aim to test all available products.

* Note that not all free versions are licensed for business use.

† Treats downloaded programs not seen before as malware, regardless of content.

Our hands-on experiences:

Antivirus Programs:


Eset NOD32: Following some fairly exhaustive benchtests we're of the firm opinion that this one is the solution for business users needing a top-notch product, and will be recommending it in future. Whilst there are cheaper or even free offerings that do the job OK, none can match NOD32's reliable detection of malware combined with the freedom from false alarms or mysterious file deletions to which the lesser products are almost invariably prone. Although there is some impact on system performance as compared to an unprotected computer, this is not significant enough to be a concern. It's not the cheapest of the bunch, but is far less expensive than Norton or McAfee. Plus, the business version comes with a very useful rollout tool which largely eliminates the need to make settings on a computer-by-computer basis, a great timesaver for the network IT guy.

If there's a downside it's that the settings are a trifle complex, and not all that logical. For example, email scanning is mentioned in numerous different sections of the configuration dialog. Some sections of the configuration seem to duplicate others, and it's not certain which settings apply in any given set of circumstances. Therefore, expect to do a fair bit of study before rolling this product out.

Update: We recently had to deal with a Zeus infection, and this can be a tricky one to detect as the infection begins with a small downloader app attached to a spoof email. Since this downloader isn't the actual malware, many AV apps fail to detect it as such. The spoofed download had got past the computer's own AV, and had successfully infected it. On sending the downloader to VirusTotal for analysis, Eset was one of only a handful of products which correctly flagged it as malware. I then applied Eset's Zeus removal tool, which removed this (very resistant) Trojan in one attempt.

*Although Eset do not provide a memory-resident protection app for free, they do now offer a free on-demand scanner.

Microsoft Security Essentials: It used to be assumed that Microsoft had long ago dropped-out of the anti-malware software stakes, but this recent offering has proved to be something of an eye-opener in terms of its very satisfactory detection performance, coupled with an unobtrusive footprint.

Even if you'd had to pay for it, it would still be good value, but hey, it's being given away to anyone with a valid copy of Windows 7 onward. Business users included. No update subscription charges, either. Thus if you run a small network or standalone computers and don't need the flagship network features of Eset NOD32, then MSE comes highly recommended.

The only downside is that Microsoft have issued a statement that MSE will cease to support Windows XP sometime in mid-2015. So, if you are still on XP by that time, you might need to look for an alternative AV product.

Avast: We used to recommend this product, but recent editions have morphed from an antivirus utility into an 'Internet Security Suite' more along the lines of Norton 360. Whilst this all-inclusive approach may have advantages for a computer used by a child, or by a totally IT-averse individual, it causes no end of problems for anyone who wants to use their computer as a serious tool to do work with. For just one example of its invasiveness, it installs itself into all browsers on the computer as a plugin. It is then made difficult to download any program which is not a mainstream vendor's product, on the basis that it is safer to prevent the user from doing so rather than have it contain an undetected virus. Doing so may enhance security. So does pulling the plug out of the wall socket. Neither are particularly helpful.

We recently had a run-in with the vendors over their labelling our downloads on this site as malware for no other reason than that we aren't a company with the turnover of Microsoft or Apple. Basically, if you like this sort of intrusive I-will-tell-you-what-is-good-for-you approach, then OK. Otherwise, avoid.

Avira: A compact and lightweight product with a good detection rate and minimal impact on computer performance. We've only a limited experience of using it, but our experiences have generally been good. In terms of its footprint and effectiveness, Avira is somewhat similar to Microsoft Security Essentials. Therefore it's a choice between those two for a straightforward, free, memory-resident detector. One slight annoyance is ads for the paid version being displayed during updates. But hey, it's only fair that the company should advertise its own products when you're getting free protection.

June 2014 update: Avira have released a completely different version of their product. This relies on the .NET framework rather than being a self-contained program. The description hints that this new version is more in the nature of an 'Internet Security Suite' than a standard antivirus app. I base this on the fact that they mention making modifications to the LSP (Layered Service Provider) to hook into browser and email downloads. I can only go by what they say, because the install failed completely on our test VM.

The installer gives no user options, going straight into the install process without even listing what changes it will make to the computer. On the first try, it failed with a certificate error which after some investigation turned out to be due to our test VM's date being out. Strange, but not too serious, or so it seemed. On attempt two, the install process took ages, and appeared to be making a humongous download, which was probably a version of the .NET framework, only to fail with another error message near the end, this time stating it could not find the installation.msi package. So far this is the only AV package with which we've had a complete installation failure. As I anticipated, the failed install left over 100MB of .NET runtime behind it. At this point I decided I'd seen enough.

Sophos: A product aimed more at the corporate market than SOHO users. Managed one relatively large site using this, and found it effective and relatively trouble-free. Rather costly, but then you do get what you pay for, and it certainly worked.

AVG: We resold this product for a considerable time, but have recently found its performance to be lacking, hence the drive to find alternatives. Whilst the impact on computer performance is small, it has been seen to be prone to miss actual infections as well as to produce far too many false-alarms. The email-scanning component is prone to causing timeouts during mail downloads, therefore we generally omit it from the installation. Meanwhile, the 'Safe Surf' module is widely reported to cause browser problems. Again, we tend to omit this from installs.

Concerns over AVG's effectiveness came to a head a while back, when a client-site computer was found to have a very serious executable-modifying Trojan resident and active on it. This despite AVG sitting there, silent. The Trojan was found to be detectable with most of the mainstream AV products, as determined by a sample uploaded to VirusTotal. On a previous occasion, AVG for Networks had attacked several login-script components on a site server, automatically quarantining them as supposed malware, making it impossible for users to log in. This was a complete false alarm, and as such had the potential to cause a great deal of lost productivity. These and other incidents of substandard performance brought about the decision to look to other products.
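Both AVG incidents above (an executable-modifying Trojan that sat undetected, and login scripts wrongly quarantined as malware) are cases where a hash baseline of the executables on the server share would have given a quick, vendor-independent answer. The following is an added example, not code from this site or from any vendor reviewed here: it records a SHA-256 baseline of executable files under a directory, re-scans later and reports what was modified, added or went missing. It runs against a constructed temporary share rather than a real server, and the file names, contents and the list of suffixes treated as executable are all assumptions made for the demonstration.

```python
"""Hash-baseline integrity check for executables on a share (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as executable content for the baseline (assumption for this example).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each executable under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, root) -> dict:
    """Re-scan root and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current
                           and current[k]["sha256"] != baseline[k]["sha256"]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
        "unchanged": sorted(k for k in baseline if k in current
                            and current[k]["sha256"] == baseline[k]["sha256"]),
    }


def demo() -> dict:
    """Constructed scenario (not a real site): baseline a tiny share, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "login.bat").write_bytes(b"@echo off\r\nnet use H: \\\\server\\home\r\n")
        (share / "tools").mkdir()
        (share / "tools" / "helper.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"original code")
        (share / "readme.txt").write_bytes(b"plain text, not part of the baseline")
        baseline = build_baseline(share)

        # Stand-in for what an executable infector leaves behind: helper.exe gains a
        # trailing block of bytes, a new .scr appears, and login.bat stays as deployed.
        with (share / "tools" / "helper.exe").open("ab") as fh:
            fh.write(b"\x90" * 16)
        (share / "tools" / "dropped.scr").write_bytes(b"MZ not in baseline")

        report = compare(baseline, share)
        report["baseline_count"] = len(baseline)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the report lists helper.exe as modified, dropped.scr as added and login.bat as unchanged. A login-script component whose hash still matches the baseline is direct evidence that a quarantine was a false alarm, while a changed hash on a file nobody has deployed is exactly the silent modification an infector leaves and a vendor signature may not yet cover. A check like this complements the on-access scanner; it does not replace it.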

June 2014: The other day I encountered a home computer with AVG, which was suffering from multiple items of advertising junkware. Nothing serious, but more of a constant cause of nuisance popups. AVG had detected one such item but could not successfully remove it. I manually stopped the suspicious processes, deleted the visible items, and a single pass with Malwarebytes' scanner got rid of the remainder.

Norton: Major problem here is that of the computer's performance being drastically affected by the antivirus program. The corporate, antivirus-only Norton offering is more acceptable in this respect, but the consumer version (360) can bring even the most powerful computer down to a crawl. Virus detection rates seem to be reasonably good, but the performance-hit is completely unacceptable.

There have also been numerous cases of the value-added 'Internet Security Suite' products from this line causing strange network problems, and of being difficult to uninstall properly.

McAfee: The performance hit with Network Associates' offering is less than that of Norton, but still very noticeable. In a recent (2011) case study in which McAfee Enterprise Edition was replaced with Eset NOD32 Business Edition, removal of the McAfee product resulted in something like a halving of the time taken to open typical programs. Installation of the Eset product took away some of that performance gain, but to nowhere near the same extent as caused by McAfee. Overall, the same computers with Eset antivirus felt far more responsive than with McAfee.

On one of the computers in the above test, a minor piece of spyware (Zink) was noticed by way of a manual check on processes running in Task Manager. McAfee had totally ignored this spyware, which had probably been there for months. A scan with Eset NOD32 quickly found the spyware. Whilst this is a limited sample, it does suggest that the detection rate of NOD32 is superior to that of McAfee.

Anti-malware Tools:


Malwarebytes Anti-Malware: A specialist product aimed at detection and removal of advertising Trojans and the like, this isn't a direct replacement for antivirus as such. In our experience it is, however, one of the best programs available for the removal of malware from affected computers. Available as a free malware-removal tool, and as a paid version which provides resident protection against advertising-parasites and the like.

Spybot Search and Destroy: A program with a similar purpose to Malwarebytes, but in our experience far less effective. Basically, in our view, not worth bothering with.

Lavasoft Ad-Aware: Likewise a malware remover, and used to be the de-facto program of its kind, but in recent years has been surpassed in effectiveness by Malwarebytes. Might be worth trying if Malwarebytes can't remove a Trojan, but always try Malwarebytes first.

General comments:


The big two:


By far the largest installed base of AV software comes from just two sources: Symantec and Network Associates, who market the Norton and McAfee product ranges respectively. The 'household word' nature of these two brands lends them credibility of its own accord. This often leads to their products being purchased without much thought for their suitability or performance.

In truth, the market penetration of these two brands stems from a number of factors, none of which relates to actual performance. Both were early starters in the PC security market. Both operate a policy of franchising and reselling via major IT resellers, with heavy advertising in consumer outlets such as PC World. Perhaps more controversially, both 'push-sell' their products by way of arranging for PC manufacturers to install trial copies onto new computers. This leads to a very large 'captive userbase' of these products, users who didn't in fact have any opportunity to exercise choice at all.

In our experience, both of these big-brand products suffer from multiple drawbacks which are sufficiently serious that we would never recommend any user to purchase them. Not only that, but their subscriptions are unduly costly compared to other offerings. We would even go as far as to suggest that even if you have 'had your arm twisted' by a preinstalled copy into paying for a subscription to one of these products, you still might be better to cut your losses and pay again for something better.

The free options:

Several companies offer free antivirus for home use. Generally, there are licensing restrictions on business use of these products, though. Where a vendor offers free home and paid business versions, in general the free products use the same base code as the paid product and are no less effective. Therefore if you qualify for the free product, by all means use it.

Security suites:

Many vendors offer two classes of product: a straightforward antivirus program, and an 'Internet security suite' which offers all kinds of additional features. In many ways this is simply an attempt to raise the profit margin by selling a premium product instead of a standard one, most of the additional features of the 'security suite' being unnecessary, and in some cases being undesirable in that they may cause additional problems. Our advice would be that unless you have an identified need for any component of the security-suite version, you should go for the vanilla antivirus product.

Value-added features:


In the same vein, many of the standard AV packages now include multiple virus-scanning approaches in addition to the basic function of detecting malicious files. Typical examples are modules which add themselves onto your email program or Web browser, and attempt to monitor all traffic passing via that program for malicious content. Whether these add-ons do provide any additional protection is a disputable point. Granted, a Web-checking add-on may save you from submitting your logon details to a fraudulent banking page or the like, and this could save you a good deal of grief. That said, many such value-added functions also cause trouble with the computer, or with its Internet connection. The bottom line here is that the experienced user probably doesn't need such add-ons and might be better deselecting them at install time, whereas a computer used by less-savvy individuals may well benefit from extra protection.

In a business sphere, it is in any case better to scan email centrally at a server, rather than on desktops. Thus, antivirus for business use should allow desktop email monitoring to be deselected. Otherwise, it is simply duplicating the function of the central scanner and causing unnecessary delays.

The main point is that these additional services probably don't do a lot to increase security; in many instances I suspect that they may be more in the nature of a placebo. Or, more likely, a sales gimmick. The part of an antivirus program which matters is the on-access scanner which checks executables as they are launched. If this is effective, then you are protected. If on-access scanning is ineffective, then no matter how many Web, email, phishing, kitchen-sink unblocking or other add-ons exist, you are not protected.