By Sean Captain In May 2000, the LoveLetter (aka ILoveYou) computer virus became one of the most successful such viruses in history, infecting millions of PCs around the world through an e-mail message that claimed to be a love letter. The message's attachment was actually an updated version of the cleverly written Melissa virus that automatically sent itself to everyone in a recipient's address book, bringing misery to countless computer users and businesses as e-mail systems became clogged with LoveLetter copies.
At one time viruses crawled from PC to PC via the sneakernet of traded floppy disks, but today they race about the planet over e-mail and corporate networks, with the potential to spread to millions of machines in a matter of hours.
Fortunately, PC infections are preventable. A combination of common sense and an antivirus program can keep your PC healthy (see "What to Do About Viruses" for pointers).
Since our last roundup of antivirus programs, significant developments have occurred in the antivirus world. All the programs we looked at have undergone major revisions and have new features designed to catch the latest viruses. We reviewed seven leading antivirus utilities for use on stand-alone home and small-office PCs, though F-Secure and Sophos are designed mainly for networked enterprises (and are priced accordingly).
To evaluate the efficacy of these applications, we asked virus expert Joe Wells, founder of the volunteer WildList Organization International, to test the ability of each to find viruses, destroy them, and repair the damage they cause. To provide a realistic test of the types of threats these programs will face, we exposed them to all the viruses on the March version of the WildList--a widely recognized roster of malicious programs. The list, updated monthly, identifies about 200 viruses that currently infect PCs. For more on our testing procedures, see "How We Tested."
We also evaluated how easily a nonexpert could install and run the programs, configure them, set up scans, and update the list of virus signatures (the unique parts of viruses an antivirus program uses to identify them). Finally, we examined what happens when a utility detects a virus and the solutions it offers.
KNOW YOUR ENEMY. An antivirus utility searches for and tries to eradicate three types of malicious code: viruses, worms, and Trojan horses; of these, viruses are the best-known. Once a computer virus infects a file or a program, it can quickly spread from a single system to an entire network of PCs. And some viruses deliver a payload--a secondary program that can be harmless or wreak havoc. Like a hit movie, a successful virus often leads to sequels and knockoffs--variations on the original.
Worms originally spread between machines by exploiting operating-system bugs, but today's worms copy themselves over e-mail. The BubbleBoy virus, for example, uses the scripting tools built into Microsoft Outlook. As soon as someone receives an infected e-mail message, the virus sends itself to everyone in that user's Outlook address book.
Trojan horses come disguised as other programs, but like the Greeks in their mythical wooden horse, these sneak programs can give their creators access to the host system. The well-known hacking tool BackOrifice, for example, is usually sent hidden within another program (such as a game) that the victim runs.
Antivirus utilities commonly catch viruses by scanning the files on your PC and comparing them to a library of virus signatures, each of which identifies a particular virus. Unfortunately, this means someone must first suffer an infection before the virus signature can be developed. For scanning to be effective, users must regularly update the utility's virus signature database, or the program won't have signatures for the newer viruses.
To trap viruses that the antivirus companies have not yet analyzed, antivirus utilities use a method called heuristics; that is, the programs scan not for a particular signature, but for certain types of behavior. This technique can lead to problems, however, when the utility mistakes an innocent file for a virus (a result known as a false positive). Other antivirus programs are common sources of false positives, too: If you install one such program on top of another, the new program may assume that the virus signatures of the original program are viruses.
Users can scan for viruses either on demand, by telling the program to search every file on a disc (or a selected directory) for viruses, or on access, by setting the program to look for malicious code automatically every time a file is opened or an app is installed. On-demand scanning is a good idea when you first install an antivirus utility to ensure that your PC is clean, or when you receive documents on a floppy or a CD-RW disc.
HOW THE PROGRAMS PERFORMED
Known viruses. We began our tests by downloading the latest virus signature updates on April 20, 2001, and running on-demand scans of a plague-ridden hard drive containing 225 viruses from the March 2001 WildList. Three products--F-Secure Anti-Virus, Norman Virus Control, and Panda Antivirus Platinum--caught every virus on the list. Two others--McAfee VirusScan and Trend Micro PC-cillin 2000--each let a single invader get by. Norton AntiVirus 2001 missed the file MSIE-A.EXE--a dangerous payload of the well-known JS/Unicle.A-mm virus. PC-cillin missed a lesser-known variation of the LoveLetter virus called VBS/NewLove.A-mm, while Sophos missed six viruses.
We examined each scanner's on-access performance by copying the viruses to a new location on the hard drive. While F-Secure had a perfect score in our on-demand testing, it missed five viruses in its on-access scan, including two common viruses--Happy-99 and KakWorm.
Speed. We saw even greater performance variation in the time it took for each scanner to run on our Pentium III-550 test system. Norton was the speed champ: Its average for three scans was just 3 minutes, 47 seconds. Norman trailed at a leisurely 23 minutes, 30 seconds. Speed isn't critical to virus scanning--it's accuracy that matters. The quicker a product is, however, the more likely you are to use it regularly. You could probably set a Norton on-demand scan to run during your coffee break. With Norman, you'd have to get lunch.
Unknown viruses. With new viruses spreading faster than rumors, you may not be lucky enough to download the signature for a new nasty before you catch it.
We tested the programs' effectiveness against unknown viruses by arming them with signature files from April 20, then running them on a hard drive with 63 variations of 33 viruses that were added to the April and May editions of the WildList stored on it. It is important to note that this technique did not test heuristics only: Our April 20 signature files may have already contained signatures for the new viruses or other variants of the viruses that could be used to catch them.
Panda was the only utility to catch every new virus in this test; F-Secure missed just one. McAfee and Norton missed two and three viruses, respectively; Norman missed six; and PC-cillin missed ten.
McAfee VirusScan and Panda AntiVirus Platinum were the only products that found the Homepage virus, which was discovered in May and wouldn't have been included in any of the April 20 signature files.
LOOK AND FEEL
On-access. There is very little difference among the programs in the way they behave during on-access scanning. They all launch automatically at system start-up, and they indicate their presence with an icon in the system tray.
Four of the products--McAfee, Norton, Panda, and PC-cillin--also caught viruses that were attached to an e-mail message. For this trick, the utilities create a local proxy--a program that scans an e-mail message before delivering it to the recipient's in-box. If the programs detected a virus, it could be deleted before it could infect the system. F-Secure, Norman, and Sophos don't scan incoming e-mail, but their on-access scans did catch the infected file.
On-demand. In contrast to automatic on-access scanning, on-demand scans require that you take charge of the process. Panda Antivirus Platinum has a utilitarian but very navigable interface that makes it easy to use but still allows a high level of control in setting up scans. You can scan specific files or file types and schedule scans to run automatically.
Most of the products have coherent, navigable user interfaces. Norman's Virus Control is an exception: It's unduly confusing because it breaks the interface into a half-dozen components, making it difficult to find the controls you need. Norton and McAfee have some consistency problems. Their main control panels offer a translucent, Mac-style appearance, but other components retain a dull, boxy look seemingly left over from earlier versions. McAfee VirusScan's components are also poorly integrated. The system tray icon, for instance, has a pop-up menu that appears to let you change program settings, but those settings persist for only one session. So if you close and restart your e-mail client--to take just one example--you'll find that the e-mail scanner is disabled, even though you have instructed the program, via the icon, to keep the e-mail scanner always enabled. To make permanent setting changes, you must launch a separate part of the program from the Start menu.
STAY CURRENT. An antivirus scanner will be most effective when it has the latest virus signature files. We recommend that you update your virus signatures weekly to make sure your antivirus program can deal with all of the latest threats.
With that in mind, we paid special attention to ease of updating. Five programs--F-Secure Anti-Virus, Norman Virus Control, Norton AntiVirus 2001, Panda Antivirus Platinum, and Trend Micro PC-cillin--automate the process: Whenever you establish an Internet connection, each program checks its company's Web site for signature or product updates, then downloads and installs them. This feature is enabled by default for Norton and PC-cillin, but the Norman and Panda utilities require you to turn it on. With F-Secure, you must install a separate automatic update program--something that F-Secure's manual does not cover.
McAfee and Sophos have the least automated updating, requiring you to visit their Web sites or to initiate an update from within the program manually. However, McAfee does provide scheduled update reminders, and all of the programs include a one-year subscription for their virus signature updates.
DON'T PANIC. Finding a virus, or a suspected virus, on your system can be unsettling. Fortunately, none of these utilities heightens the anxiety by alerting you with sirens, flashing lights, or images from teen slasher movies. But the alerts from PC-cillin and Sophos, though subtle in design, are likely to cause the most undue stress because they sometimes pop up when there is nothing wrong. In our testing, PC-cillin falsely identified three benign bits of code as malicious and Sophos logged four. None of the other programs here gave false positives in our testing.
If your scanner does detect a real virus, you will likely have several options for dealing with it. Like surgeons removing a tumor, antivirus utilities can repair a damaged file by snipping out the viral code and stitching the original file back together. All the programs successfully removed a range of viruses and repaired previously infected files of different types well enough that we could once again read the data in those files.
You may also see options to ignore the alert, delete the infected file, or place it in quarantine--a section of your hard drive where you cannot accidentally run or open the file. Quarantining a file also lets you isolate a new virus and send it to your antivirus vendor for analysis. Norton AntiVirus 2001 and PC-cillin can also automatically send the virus.
These antivirus products differ in how well they explain your options when a virus is detected. McAfee, Norton, and PC-cillin all provide good information as to which virus has been detected and what they intend to do about it, but F-Secure wins our highest praise: Its dialog box alert includes a Virus Info button that links to a description of the suspect code. All the companies post on their Web sites extensive, detailed descriptions of every virus their programs scan for. Sophos takes the strong, silent approach by simply suggesting that you "refer to user manual for further details."
When it comes to printed documentation, though, Sophos takes top prize. The package includes a thoroughly illustrated installation guide; a detailed, spiral-bound user manual; and an informative, very readable book called Computer Viruses Demystified. Like most of the other vendors, Sophos also includes PDF versions of its printed documents on the package's installation CD-ROM. Norton AntiVirus provides the best disc-based documentation, including four instructional videos.
GET IN AND OUT. We didn't run into much trouble installing any of the programs, although Symantec's Norton AntiVirus was the hardest utility to install--it required a disruptive restart midway through the process and another restart to install the updates.
We experienced a slight glitch while installing Panda Antivirus--although the program has a built-in registration utility, Panda no longer supports it. Instead, the company wants you to register via its Web site. Our review copy didn't contain any information about the change, but Panda has since added a note to all packages informing users of the new procedure and providing step-by-step instructions. The Web-based registration, while less convenient, went smoothly. Although you can run the program without registering, registration lets you download virus signature updates.
Norton AntiVirus was difficult to remove from our test systems because its uninstaller leaves traces of the program on the hard drive. That can be a problem: Some antivirus programs will refuse to install if there is even the slightest trace of another one still on your PC.
Uninstalling Norton was a snap, however, compared with uninstalling Norman Virus Control--the version that we tested lacked an uninstaller and failed to appear in the list of applications under Windows' Add/Remove Programs applet. Norman subsequently provided us with an updated version that does uninstall via Add/Remove Programs.
THE UNDISPUTED CHAMP. Panda Antivirus Platinum 6.23 emerged the victor in our virus catching and killing tests. It caught every virus in both our known-virus and heuristics tests, and it posted no false positives. While it was not the fastest, its scan time was still tolerably brief. Panda is also very easy to use, despite our minor annoyance with the registration process. At $60 for the boxed product ($30 for a download) Panda is a bit more expensive than some competitors, but this stellar performer is worth the price. From the September 2001 issue of PC World magazine. Sean Captain is a PC World associate editor.