I’ve heard that question so many times from customers and friends alike. It usually follows “Why didn’t my antivirus detect this?” right after I clean up their computers of malware (malicious software). So I figured I should write my take on the subject. Of course, I too have been intensely looking for the answer to the same question.
Short answer: NONE. Another one: ANY. Before you conclude I’ve lost my marbles, read on. You do want to know which you should install in your computer or if you should change the one you have installed, right? (You do have something installed, correct?) Well, here goes the full answer.
First of all, you should have read my article that goes over a brief history of viruses and malware in general.
Then read my essay on how much security is needed in your computer.
Now remember, the main principle upon which traditional antiviruses work is they’re basically programs that compare files in your computer to a signature file. This file contains the different characteristics of all known viruses, and thus it can detect if a particular file is infected or not, AS LONG AS THE IDENTIFIABLE CHARACTERISTIC OF THE MALWARE STRAIN IS INCLUDED IN THE SIGNATURE FILE. Typically the antivirus will then try to clean the infected file, move the infected file to a place where it’s rendered harmless (quarantine) or delete the file altogether.
Here’s the little secret the antivirus companies are not telling you, which I have mentioned before: they are overwhelmed and unable to keep up with the rate with which malware is being produced in recent times, which keeps accelerating. And there is no reason to believe it’s going to slow down. Want numbers? Here we go:
New unique samples added to AV-Test.org’s malware collection in Sept 2006: 87,577. In May 2009: 1,078,882! *
So malware is being produced at a higher rate than the antivirus companies’ ability to generate updated signature files to recognize such new malware.
Malware techniques are also getting more and more sophisticated. Even if the antivirus program has a particular strain of virus listed in its signature file, a virus can be delivered to target computer(s) in such a way that it stays out of view. To make things worse, as part of its payload (what the virus does when it becomes active or executes) it can cripple the antivirus program’s ability to detect it and remove it, especially if the logged-in user has administrative privileges. Not a pretty picture.
Sure, built-in “behavioral recognition”, present in most antivirus programs today, will try to deal with unknown, recently created malware that is not yet included in your antivirus signature file. It does so by trying to recognize the way malware behaves when active in your computer and labeling it malicious even before the malware is on the official wanted list (signature file). That’s either limited or, if overdone, leads to false positives, where programs that are not malicious get labeled as malicious.
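To make the two detection models above concrete, here is a toy scanner (added for this article, not code from any antivirus vendor) with a constructed signature file and a constructed behavioral rule; the family names, byte patterns and sample files are all invented. It shows a known strain being caught by its signature, a brand-new strain being caught only by the heuristic, a legitimate installer tripping that same heuristic (a false positive), and a new strain that neither layer sees.

```python
import hashlib

# Constructed signature file: each entry names a known family and the
# byte pattern or file hash that identifies it. A vendor only ever adds
# entries for strains it has already analysed, which is the whole point.
SIGNATURES = {
    "Constructed.Dropper.A": {"kind": "bytes", "value": b"DROP-PAYLOAD-v1"},
    "Constructed.Worm.B": {"kind": "sha256",
                           "value": hashlib.sha256(b"WORM-B-BODY").hexdigest()},
}

def signature_scan(data: bytes):
    """Return the matching family name, or None if no known signature fits."""
    digest = hashlib.sha256(data).hexdigest()
    for family, sig in SIGNATURES.items():
        if sig["kind"] == "sha256" and sig["value"] == digest:
            return family
        if sig["kind"] == "bytes" and sig["value"] in data:
            return family
    return None

# Constructed behavioral rule: flag a file that both adds itself to the
# Startup folder and deletes itself afterwards. Crude on purpose, so the
# false positive below is visible.
SUSPICIOUS_TRAITS = (b"Startup", b"delete self")

def heuristic_scan(data: bytes) -> bool:
    return all(trait in data for trait in SUSPICIOUS_TRAITS)

def classify(data: bytes) -> str:
    """Signature layer first (exact, no false positives), heuristic second."""
    family = signature_scan(data)
    if family:
        return f"known:{family}"
    if heuristic_scan(data):
        return "suspicious:heuristic"
    return "clean"

# Constructed sample files standing in for what a scanner would read from disk.
SAMPLES = {
    "known_dropper": b"MZ...DROP-PAYLOAD-v1...",
    "known_worm": b"WORM-B-BODY",
    "new_strain_noisy": b"MZ...NEW-PAYLOAD-v2 copies to Startup, then delete self",
    "legit_installer": b"Setup: add shortcut to Startup; cleanup: delete self",
    "new_strain_quiet": b"MZ...NEW-PAYLOAD-v3",   # not in signatures, no noisy traits
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} -> {classify(data)}")
```

The last sample is the one the article is about: it is not in the signature file and does nothing the heuristic recognizes, so both layers report it clean.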
Some antivirus companies, such as Panda Security, have recently been approaching the problem with collective intelligence servers to speed up the detection process by making it happen on their servers and using the cloud (the internet) as one big entity to gather lots of samples to analyze. This promises to improve the detection rate of recently created malware because of the much larger capacity of the servers sitting remotely and the much higher amount of data being processed. Other companies have tried that approach. Microsoft is piloting its own version of that model right now (they call this feature “Dynamic Signature Service”) with Microsoft Security Essentials. As one of the first ones using it, so far I like it (it’s been out for about a month now).
But my point is that, even with such new approaches, antivirus programs alone are no longer effective enough by themselves to keep you malware-free. Mind you, I’m not saying you should not have an antivirus program installed, and I’m not saying all antivirus are the same either. I’m just saying that NO antivirus by itself is good enough for the reasons stated above – no matter which one you choose.
I’m going to emphasize this boldly because it is the key datum to understand in this article: The big hole left open with the antivirus inability to deal with the newest malware makes the differences in their detection rates of known malware irrelevant. In other words, who cares if Brand X antivirus has a 98% detection rate of known malware and Brand Y has 99% while Brand Z has only 70%, when all of them miss about 50% of the unknown malware? These are close to actual figures by the way, not just random numbers.
So the question “Which Antivirus Program is Best?” actually becomes “What would it really take to keep your computer as close to virus free as possible?” The answer is a 4-pronged approach:
1. Install an antivirus program that can detect and remove/clean all old and relatively recently created malware. I have tried many of them: Symantec, McAfee, Trend Micro, Panda, BitDefender, SUPERAntiSpyware, Malwarebytes, Microsoft, and these are not all. Take your pick; all are good enough, and none is good enough by itself. (And that doesn’t mean you should have more than one antivirus program installed at a time – don’t. For technical reasons that’s counterproductive.)
2. Install a firewall to curb the inflow and outflow of unauthorized data. It’s just an additional protection layer. Different good free ones exist, like Comodo. In my opinion, and especially with Windows 7, the built-in firewall is sufficient for the purpose of this layer in this 4-pronged approach.
3. Install a program that will prevent unauthorized execution of malicious programs. This is the secret key I have found in my search for the complete answer: Blue Ridge Networks’ AppGuard. I openly recommend it as a fundamental and key part of answering this newly posed question. Some antivirus companies might contend they have security suites with the same unauthorized execution prevention, but they don’t, at least not in the same way. The concept upon which this is based is, in my opinion, very clever. It deals with the CRITICAL “zero-day exploit” problem in a very effective way, it’s very light (uses little computer resources) and requires minimal user interaction, so you don’t have to be an expert to configure it – it is more like a set-it-and-forget-it type application. Although I recommend it, this article is not about this product, so for more specifics and how it works, go to http://www.blueridgenetworks.com/products/appguard.php. As I’m a professional in this field, I’ve purposely visited several infected Web sites to test this product, and it has protected me in every case. Kids, don’t try this at home!
And last but not least,
4. By any means and as I’ve mentioned in a previous article: exercise GOOD EMAILING AND WEB SURFING HABITS.
With all these 4 points in place, the probabilities of your computer getting infected are reduced to a minimum. And despite its apparent complexity, this approach actually results in the best result with the least computer resources usage.
That is my current full answer to the actual question. There might be other setups that achieve the same result. They might even be better. But this one is the best I know, and most importantly, it WORKS. And I believe in it so much that it is what I’m using right now in my own computer.
May your computer(s) live long and prosper in a malware-free zone.
* 6/30/11: Per the latest data available, between January and June 2011 AV-Test.org saw an average of 1.6 to 1.7 million new unique malware samples per month. Click here for the May 2013 figures and the prediction for the remainder of 2013.