How to Select a Good Anti-Virus Product – Part I

What to expect when you are expecting?

For most users, selecting an anti-virus product is like buying groceries: there are many products on the shelf, and you can always pick another one depending on the price and the attractive packaging. That strategy does not work for anti-virus software. If you fall under any of the following categories, you should read this article and the subsequent articles of this series:

  1. You don’t want to lose your data. Your data is your life.
  2. You don’t want to waste time on frequently formatting your PC and re-installing everything again.
  3. You want to buy an anti-virus product that meets your requirements, not those of your neighbour or your friend.
  4. You want the best possible protection for your PC.

1. Is the product certified by either VB100, CheckMark or ICSA Labs?

A few independent testing and research organizations certify whether a product passed their tests or not. The test cases cover a wide range, from detection to removal. Your product should be certified by at least one such organization, and you will find one or more of their logos on the anti-virus box.
 
Three such organizations, with the certification each one awards, are:

Virus Bulletin (VB100)
West Coast Labs (CheckMark)
ICSA Labs

2. Does it use an indigenous detection engine or rely on a third-party engine?

Some companies design only the user interface and rely on a third-party engine for detection. The likely reason is that they either lack the resources for research and development, or the company is simply a fake.

There are exceptions. Some reputable companies license third-party engines to improve detection, but remember that they still have their own set of technologies and a core engine of their own; they do not depend on the third-party engine. Using multiple engines enables a multi-layered detection mechanism.

Reputable IT security vendors publish a series of white papers on their research and development on their blogs.

Anti-virus, and IT security overall, is an area of continuous innovation. It is a battlefield, and the war is between the good guys and the bad guys. You might consider it a war of strategy: to defend yourself, you have to revise your strategy and game plan daily.

3. How effective are the proactive detection methods of the product?

Proactive methods are a set of technologies that help detect unknown malware for which no signature is yet available.

Today, malware uses a variety of polymorphic mechanisms to bypass anti-virus programs. Any anti-virus program that relies heavily on signature databases is incapable of dealing with this type of intelligent malware. Novice users are simply fooled by the scan reports and believe that the installed anti-virus product is working fine and keeping malware out of their PC. The bitter truth is that their anti-virus program is actually being fooled by modern threats.

Some companies use a variety of proactive detection mechanisms to deal with today's malware. An effective anti-virus program includes both of the following methods, along with other technologies, for detecting suspicious files:

Static heuristic detection:
  This method looks for suspicious or strange characteristics in a file without running it. Most of the time such a file is a new variant of an existing, in-the-wild malware family. In that case the heuristic engine recognizes that the file's characteristics resemble known malware and quarantines it. The suspicious file is then either automatically submitted to the anti-virus company's lab or deleted.

Dynamic sandbox testing:
  Heuristic methods have proved successful over the last few years, but modern threats are often intelligent enough to bypass them. The best modern anti-virus programs use a mechanism called sandbox testing to reduce heuristic false positives and detect unknown malware more accurately.

  In this method, the suspicious file is allowed to run in a sandboxed environment (for example an emulated CPU) that resembles a real system. As soon as the file runs, its hidden behaviour comes to light. If the file behaves abnormally and its behaviour looks harmful, the file is trapped and quarantined. Some anti-virus programs automatically send these quarantined files to their labs for analysis. Bear in mind that some malware checks whether it is running under emulation and stays dormant there, so sandboxing is not foolproof either.
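To make the two methods concrete, here is a toy illustration in Python. It is an added example, not code from the original article or from any anti-virus vendor: the suspicious-string list, the entropy threshold, the behaviour rules, the sample "files" and the sandbox traces are all constructed for this illustration. The static part scores a file image on features that need no execution (packed-looking high entropy, suspicious API names in the bytes); the dynamic part scores the API-call trace a sandbox would record. The packed sample shows the point made above: the static heuristic alone lets it through, while its behaviour under the sandbox gives it away.

```python
"""Toy static heuristic + dynamic (sandbox-trace) scorer.

Added example for illustration only; not any vendor's engine.
Thresholds, rules and samples below are assumptions made for this toy.
"""
import math
import random
from collections import Counter

# --- Static heuristics: features of the file bytes, no execution --------

SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory",
                      b"VirtualAllocEx", b"IsDebuggerPresent",
                      b"cmd.exe /c", b"\\CurrentVersion\\Run"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means compressed/encrypted (packed) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def static_score(data: bytes) -> dict:
    """Crude score: 2 per suspicious string, 3 if the image looks packed."""
    hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in data]
    entropy = shannon_entropy(data)
    packed = entropy > 7.0          # assumed threshold for this toy
    return {"entropy": round(entropy, 2), "packed": packed,
            "strings": hits, "score": 2 * len(hits) + (3 if packed else 0)}

# --- Dynamic scoring: rules over (api, argument) events from a sandbox ---

BEHAVIOUR_RULES = [   # (name, weight, predicate over one event)
    ("persistence_run_key", 3,
     lambda api, arg: api == "RegSetValueExW" and "\\CurrentVersion\\Run" in arg),
    ("process_injection", 4,
     lambda api, arg: api in ("WriteProcessMemory", "CreateRemoteThread")),
    ("drops_executable", 2,
     lambda api, arg: api == "CreateFileW" and arg.lower().endswith(".exe")
                      and "\\temp\\" in arg.lower()),
    ("disables_security", 4,
     lambda api, arg: api == "ControlService" and "defend" in arg.lower()),
]

def dynamic_score(trace) -> dict:
    """Each rule counts once no matter how many events trigger it."""
    fired = {(name, w) for api, arg in trace
             for name, w, pred in BEHAVIOUR_RULES if pred(api, arg)}
    return {"behaviours": sorted(n for n, _ in fired),
            "score": sum(w for _, w in fired)}

VERDICT_THRESHOLD = 5   # assumed for this toy

def verdict(static: dict, dynamic: dict) -> str:
    total = static["score"] + dynamic["score"]
    return "quarantine" if total >= VERDICT_THRESHOLD else "allow"

# --- Constructed samples (not real files or real sandbox logs) ----------

BENIGN = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40

# Unpacked variant: the same image with suspicious imports in the clear.
UNPACKED = BENIGN + b"\0CreateRemoteThread\0WriteProcessMemory\0VirtualAllocEx\0"

# Packed variant: payload hidden behind high-entropy bytes, so the string
# heuristic sees nothing. Seeded PRNG keeps the example deterministic.
_rng = random.Random(1234)
PACKED = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))

BENIGN_TRACE = [("CreateFileW", "C:\\Users\\u\\Documents\\notes.txt")]
PACKED_TRACE = [   # what a sandbox would record once PACKED unpacks itself
    ("CreateFileW", "C:\\Users\\u\\AppData\\Local\\Temp\\svchost.exe"),
    ("RegSetValueExW", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    ("OpenProcess", "explorer.exe"),
    ("WriteProcessMemory", "explorer.exe"),
    ("CreateRemoteThread", "explorer.exe"),
]

if __name__ == "__main__":
    for name, data, trace in (("benign", BENIGN, BENIGN_TRACE),
                              ("unpacked", UNPACKED, BENIGN_TRACE),
                              ("packed", PACKED, PACKED_TRACE)):
        s, d = static_score(data), dynamic_score(trace)
        print(f"{name:9} static={s['score']} dynamic={d['score']} -> {verdict(s, d)}")
```

Running it, the unpacked variant is caught by the string heuristic alone, the packed variant scores only the "packed" bonus statically (below the threshold) and is caught by its persistence, dropper and injection behaviour in the trace, and the benign sample passes both stages. A real engine weighs hundreds of such features and tunes the thresholds against large clean and malicious corpora; the weights here are only assumptions.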

4. How often are the virus definitions or program modules updated?

Some anti-virus companies release signatures or definitions as soon as a new malware sample is trapped in their research lab. These definitions and program modules are published on their servers so that the product updates itself automatically as soon as it detects an Internet connection.

The incident response time of some companies is excellent, so if you are using a product from one of these reputable companies you might notice your anti-virus program being updated several times a day.

Some companies release virus definitions once a day, say at 5 p.m. each day. They claim that their proactive detection methods handle the risk until the program modules get updated. It is true that proactive defence mechanisms exist for exactly this scenario, but relying heavily on proactive methods is not a fool-proof solution.

These days, a proactive method designed once does not guarantee even two weeks of protection. Methods need to be improved continuously to deal with modern threats. Here is a nice article on proactive detection.

5. How resource-friendly is the product?

Obviously you don't want your system to turn into a resource hog. The anti-virus program must be light on system resources and should not interfere much with your day-to-day use of the system.

I want to write a series of articles on how to select an anti-virus product and what to expect from it. This article is the first of the series and covers the most significant points that you should consider before buying an anti-virus product. I strongly recommend that you evaluate the trial versions of a few products after reading this article.

In the other articles of this series, I am going to tell you why a few features are very important and why you should submit a feature request on your vendor's website if those features are absent from your product.
