Thursday, June 28, 2007

Evaluating Anti-Virus Programs


Not all anti-virus programs are the same, and making purchasing decisions based on opinions (not facts) could put you at risk.

So which anti-virus (AV) program is best for you? It really depends on who you talk to, but should it? Ever since the advent of anti-virus, debates have raged as to which program is best and most of the time you get plenty of subjective opinions. We all have our opinions, but believe it or not there is significant science to the evaluation of anti-virus programs.

NOTE: This article is written with desktop and server anti-virus in mind. Enterprise management (e.g. McAfee ePO, Symantec Corporate Edition, et al.) is outside the scope of this article.

The Science
The science of evaluating anti-virus programs is based on two main criteria: features and effectiveness.

Features
The anti-virus software market is more competitive than it has ever been. Some vendors offer a plethora of features in their offerings to attract more customers. Most people don’t even know what some of these features are or what they do, but there are some features that are important to look for during an evaluation of anti-virus programs.

OS Support
Does the anti-virus program fully support the operating system that it is intended to be used on? Sounds obvious, doesn’t it? It does, but take Windows Vista for instance. Has the anti-virus program been designed for Windows Vista, and has the program been tested and/or certified on this platform?

Automatic Updates
Can updates be downloaded manually and/or automatically?

Most people have better things to do than to make sure that anti-virus programs are updated regularly. This is a “must have” for a good anti-virus program. An added benefit is configurable automatic updates, allowing updates on a specific schedule.

On-Access Scanning
This is another critical feature. The on-access scan engine needs to start as early in the boot process as possible and files must be checked the instant there is any interaction with them.

On-Demand Scan
Is there an option to conduct a “deep scan” of files, folders, or drives when needed? All good anti-virus programs have this feature, but it is important to mention as a requirement anyway. It is also important that the anti-virus program allows for the scanning of removable media and network drives.

Heuristics
‘Heuristics’ describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. Anti-virus programs that rely solely on signatures of known viruses are ineffective against many new viruses. In order for an anti-virus program to be trusted in my environment it must have the ability to detect viruses that are not yet known to the signature engine.
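The gap between signature matching and heuristics, as an added example that is not part of the original article: a scanner that first looks up an exact SHA-256 signature and then falls back to scoring traits of the file's contents. The sample byte strings are constructed and inert, and the trait list, entropy cutoff and threshold are assumptions chosen for illustration, far simpler than what a commercial engine does.

```python
import hashlib
import math
from collections import Counter

# Constructed, inert byte strings standing in for files; none is real malware.
KNOWN_SAMPLE = (b"MZ\x00\x00stub"
                + b"CreateRemoteThread\x00WriteProcessMemory\x00"
                + bytes(range(256)) * 4)          # high-entropy filler
NEW_VARIANT = KNOWN_SAMPLE.replace(b"stub", b"stuB")  # one byte changed
BENIGN_FILE = b"MZ\x00\x00stub" + b"GetSystemTime\x00" + b"hello world " * 100

# Signature database: exact hashes of samples already known to the vendor.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Hypothetical trait list: strings this toy heuristic treats as suspicious.
SUSPICIOUS_STRINGS = (b"CreateRemoteThread", b"WriteProcessMemory")


def signature_match(data: bytes) -> bool:
    """True only if the file is byte-for-byte identical to a known sample."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes) -> int:
    """Score traits of the content instead of its exact identity."""
    score = sum(2 for s in SUSPICIOUS_STRINGS if s in data)
    if entropy(data) > 7.0:   # assumed cutoff for packed/encrypted-looking data
        score += 1
    return score


def scan(data: bytes, threshold: int = 3) -> str:
    """Return which engine flagged the file, or 'clean'."""
    if signature_match(data):
        return "signature"
    if heuristic_score(data) >= threshold:
        return "heuristic"
    return "clean"
```

Changing a single byte is enough to defeat the hash signature, while the trait score is unchanged; that is the gap the heuristics requirement is meant to close.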

Scan scheduling
As with updates, most users typically forget to scan their computers on a regular basis.

Email scanning
Does the anti-virus program have the ability to scan inbound and outbound email? Does the anti-virus program have some controls built-in to prohibit mass-mailing? Email scanning becomes less important if it is certain that the email gateway has a properly installed and configured anti-virus solution, but it is always nice to have added layers of defense.

Reporting
Reporting is usually more important to technical and security personnel than it is to the typical user. The more reporting options the better. I conduct many information security audits and forensic investigations and enjoy the added benefit of detailed reports.

It is also important to consider what warnings are given to users by the anti-virus program. Are there warnings displayed if there are errors, scans have not been run in X number of days, the program has not been updated in X number of days, etc.?

Effectiveness
What makes an anti-virus program “effective”? The criteria most often used are detection and cleaning rates as a function of time*.

*All good anti-virus programs will “eventually” detect and clean a virus. The time function gives an indication of how effective the tested program is with newer viruses.

Testing the effectiveness of anti-virus programs can be cumbersome and very work intensive. It is a good idea to rely on independent lab reports and certifications conducted by companies and people who specialize in testing anti-virus products. The two that I refer to often are ICSA Labs and the Austrian anti-virus experts AV-comparatives.org.

ICSA Labs
In order for an anti-virus program to be “ICSA Certified” it must meet certain, fairly rigorous criteria.

The list of certified anti-virus products can be found here: http://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk.
The list of certification criteria is here: http://www.icsalabs.com/icsa/topic.php?tid=4a9d$80389867-30af3d4c$5524-512093a1

ICSA Labs does a very good job of testing anti-virus (and other) products. ICSA is a benchmark and lends credibility to the products it tests, but it should not be relied upon as the sole authority for anti-virus effectiveness testing. There are a variety of reasons why you may not see the anti-virus product you use on the list, and a product that is certified may not necessarily be better than a product that is not.

AV-comparatives.org (http://www.av-comparatives.org/)
These Austrians know a thing or two about viruses and anti-virus software! If an anti-virus program was not found at ICSA Labs, it might be found here. The tests from AV-comparatives are very comprehensive and the reporting is excellent.

Conclusion
It is important to gather facts when evaluating technical solutions, and anti-virus should be no exception. Before spending money on something someone told you was the best, do a little digging yourself. Create a checklist containing the evaluation criteria that are important to you and use it to evaluate the candidate anti-virus programs. If you would like a copy of the checklist I use in my evaluations, send me a note.
