How To: Buy anti-virus software
If you are looking to buy anti-virus software for your computer then you may be bewildered by the choice available. How to choose the best anti-virus? Are the big name brands like Norton and McAfee better than the rest? Does paying more get you the best virus protection? Which anti-virus product is the best value for money? How can I avoid buying useless "scareware"? This article explains the various features and terminology used by publishers of anti-virus software, to help you choose the best anti-virus software for your needs.
Features of anti-virus software
All anti-virus products do the same job, but they differ in the features they offer. Some features are essential, others may be nice to have but are there more for marketing reasons - because they make the product look better - than anything else. Realize this and you can avoid getting talked into buying an expensive resource hog.
An anti-virus product will typically feature several different scanning options. Some are more essential than others.
- On-demand scanner. This is the most basic feature of any anti-virus product. It is a program that scans your whole computer, or specified folders, checking the contents for viruses. It runs only when you run it, or when you schedule it to run - hence "on demand." Some free anti-virus products such as BitDefender Free Edition or ClamWin are purely on-demand scanners. If you know what you are doing, and make sure to check anything you download before opening it, this may be enough. But for most people, it isn't.
- On-access scanner. This is a program that runs all the time, usually showing as an icon in the system tray. It installs hooks into the operating system so that it is informed whenever a file is about to be opened or saved to disk, and checks the file on-the-fly. This means that your computer won't get infected by a virus just because you forgot to check. All commercial anti-virus software has an on-access scanner. For most people it is an essential. But the on-the-fly checking can slow down the computer, and the operating system hooks can cause conflicts with other programs, particularly other anti-virus and security products.
- Web (HTTP) scanner or filter. Similar to the email scanner, the web filter is a component that checks web pages on the fly for dangerous code. And just as with the email scanner, its role is much less vital now that web browsers have become much more secure. All the popular browsers cache content downloaded from the web by writing it to disk where the on-access scanner will detect it. So this is not an essential feature and one that can slow down web browsing.
- P2P and IRC scanners. Some anti-virus products offer filters or scanners for other web services like IRC and P2P file sharing. These are common channels for spreading malware, so anti-virus software can gain marketing benefits by advertising such services. But content must be saved to disk before it can be opened and any virus activated, and the on-access scanner will detect it at that point. So again this is not an essential feature.
All anti-virus products need to be able to detect the presence of a virus in a file. How this is done may have a bearing on its effectiveness.
- Signature-based scanning. The anti-virus software looks for specific characteristics or a signature of a virus. This allows it to identify a virus by name. The disadvantage of this method is that the software needs a database of signatures to look for. It can only identify viruses that are in the database. So the database needs frequent updates. There is a risk of infection by an undetected virus between the first release of a virus into circulation and its signatures being added to the database (the so-called "zero day exploit.") So the frequency of updates and the speed with which the product vendor responds to new viruses are factors that help distinguish the best anti-virus products from the rest.
- Rule-based scanning (heuristic analysis.) This is an attempt to determine whether something is a virus even though it is not a known virus in the database. A file being scanned is given a score according to various characteristics that it has that are in common with viruses. Good heuristics can reduce the chances of zero day exploits being successful, but bad implementations often result in many false alarms which can be very troublesome for the user - and for the developers of wrongly-accused applications.
- Trojan, anti-spyware detection. Anti-virus products traditionally focussed on detecting viruses - malicious programs that spread by replication, just as a biological virus would. Spyware, adware and other malicious or unwanted software which was picked up by visiting a website or downloading some software was ignored, requiring a separate class of product - anti-spyware - to be purchased to clean your computer of it. However, the best anti-virus products now detect other types of malware too, making the need for separate anti-spyware products less important.
Anti-virus software may offer a number of other features.
- Inoculation, cure, disinfect. Anti-virus products differ in their ability to remove a virus from a file and restore it to its original state. Some of the poorer products may be unable to do this at all, requiring you to restore an infected file from an original copy or backup. However, the lack of this feature isn't the disadvantage it may seem. It used to be common for viruses to parasitically infect files, adding themselves to an existing file so the virus is activated when the file is opened, most recent malware simply drop complete new files into the system, and deletion is the only thing you would want to do with them.
- Quarantine, virus vault. This is generally just a fancy name for a folder or archive in which infected files are stored. In most cases it isn't very useful - why would you want to keep copies of a virus, even if they are out of harm's way? One reason could be in the case of a false alarm, a file that was wrongly accused of being a virus. Having a quarantine folder allows you to easily get the file back. Another is if the infected file is your only copy of something irreplaceable, in which case the quarantined copy could enable you to get the data back.
- Live update. This is simply the automated downloading of updates to the virus database. All commercial anti-virus products should have this capability, which is essential to limit the opportunity for infection by zero-day exploits. Free products may require you to update them manually, or restrict the frequency of updates.
- Small updates. As database updates are required frequently, ideally they should be small, incremental updates. Most anti-virus products now manage this, but some still require a periodic full update that can be several megabytes in size, which isn't convenient if you only have a slow internet connection.
- Low resource usage. Some of the well-known brand name products have become memory and CPU-eating resource hogs that significantly slow your computer's performance, especially if you have an old or underpowered computer. So it's worth considering those anti-virus products that offer good, basic protection without the unnecessary extras.
Choosing the best anti-virus software
In choosing the best anti-virus software for your needs, you should start by picking the products which offer the features that you consider important in your particular case.
You might consider it important to rank products according to their effectiveness at detecting viruses. However, this is hard to do objectively, and not much of an indication of how well a product will perform in the real world. Many computer magazines and independent websites try to do this, and often do it badly, because representative samples of viruses that are currently in circulation are hard to come by if you are not a developer of anti-virus software with customers sending suspicious files to you every day.
One measure of effectiveness that has been widely used, and which we have referred to in our reviews on Tech-Pro.net, is the VB100 certificate awarded by Virus Bulletin. However, many authorities now feel that this is rather a flawed test. It is based on a product detecting a known set of viruses, so it's a bit like passing an exam in which the questions are known in advance.
The fact is, just about every anti-virus product sold by a reputable vendor today will do an effective job of catching viruses. So it is better to make your choice based on factors like feature set, frequency of updates, update size, ease of use, system resource usage and cost.
If you want to give your computer the best protection from viruses, consider the following products. Read the linked reviews for more information.
- Kaspersky AntiVirus - An advanced and very full-featured anti-virus, with frequent updates and detection of spyware and other malware.
- Dr.Web anti-virus for Windows - A good-performing basic anti-virus with low resource usage. Detects many non-virus malware, and is good at "curing" infected files
Why should you trust our advice any more than other sites on the Internet? That's a good question! One reason is that you can see who we are. Tech-Pro.net's owner and author of this article, Julian Moss, is a former computer magazine journalist, and Tech-Pro Limited is a registered UK company. You can find out more about us on the About Us page. Don't buy security software from a site whose owners hide their identity!