Author Topic: Scot Finnie finally decides on an antivirus solution... (Read 25157 times)

JavaJones · « **on:** August 04, 2006, 04:42 AM »

I could have sworn Scot Finnie's lengthy search for his ideal antivirus app had been discussed here before - in fact I remember commenting on his odd pickiness on certain criteria - but I can't seem to find the previous thread with a search. Must be SMF's broken search function.

Anyway, here's a snippet from his latest newsletter where he announces his "best antivirus app of 2006":

For those of you coming late to this party, over the last six months or so the newsletter has pursued an ongoing series on alternative antivirus packages. Back in December 2005 I wrote that I'd given up on Norton Antivirus and had been testing alternative antivirus utilities since the summer of 2005.

During the last year of testing, I've examined a wide range of antivirus product, and I've explored the features and options of many others. Products tested during this period include Avast 4.6 free and 4.7 Pro, AVG 7.1 Pro and Network Editions, BitDefender 9 Standard and 10 RC1, CA EZ Antivirus and eTrust Antivirus r8, F-Secure Anti-Virus 2006 and Internet Security 2006, Kaspersky 5 and 6, Nod32 2.5, Panda Titanium 2006 and Platinum 2006, and ZoneAlarm Antivirus. I've considered the features and specs of at least a dozen other products and rejected them because something didn't meet my ideal antivirus criteria.

Interestingly in the end it came down to AVG, F-Secure, and Nod32. Read his August Newsletter for his conclusions. Lots of other good info in this and his other newsletters too.

- Oshyan

mouser · « **Reply #1 on:** August 04, 2006, 05:19 AM »

Great reading, and worth taking seriously.

Just to cut to the chase for those that want to know which one he decided on:

Spoiler

Bottom line: This is the one running on my main PC. F-Secure Anti-Virus 2006 offers the best mix of solid protection, usability, full e-mail support, performance, small memory footprint, and reliable operation.

urlwolf · « **Reply #2 on:** August 04, 2006, 07:31 AM »

Great, F-Secure is the one I use.

JavaJones · « **Reply #3 on:** August 04, 2006, 12:20 PM »

I thought the fact that AVG was in his top 3 to be very interesting. It's particularly nice that there's a free version.

His comments about AVG's questionable detection rate vs. other competitors were interesting too in that they called the standard antivirus tests themselves into question a bit. I've always wondered about the accuracy and reliability of those tests too and wished there were better, broader tests out there, with the results available free. Why there is no such resource yet I don't know!

- Oshyan

zridling · « **Reply #4 on:** August 04, 2006, 10:36 PM »

When I unsubscribed from Scot's Newsletter this week, he sent a invitation asking why. So I told him it was because of (a) his crossover to the dark side (Mac), and all the Mac content he's adding to his newsletters, along with (b) his content has been unoriginal and dated for the past year, as I had already read it all elsewhere online, and (c) the newsletter just hasn't been the same since he stopped working full-time on it. He shot this back:

What Mac content? Geez. I have people complaining about how much Vista content I'm doing. There's so little Mac content that if you're unsubscribing for that, you're kidding yourself. Zaine, I've been working full time all along. I never stopped working full-time. The only thing I announced that I changed jobs. I moved from TechWeb and Informationweek to Computerworld. ALL my content is original. Every scrap. There has been no change there. I used to put some of it up on InformationWeek and TechWeb in advance too.

Whatever, Zaine.
___________________________
That hurt my feelings.

f0dder · « **Reply #5 on:** August 04, 2006, 10:40 PM »

Sounds like the guy needs a little pat on the back and a candyfloss.

zridling · « **Reply #6 on:** August 04, 2006, 10:51 PM »

Scot's a good guy, but I think you should not mix Mac and PC reporting and advice. Heck, just choose one, or better, compose separate newsletters. He's a Mac guy now, and he should dive into that side of computing. Since I will never use a Mac — although I have in the past, from 1984-86, the "good ol' days — I really could care less what the latest greatest development for OS X or Apple Laptop or iPod is.

f0dder · « **Reply #7 on:** August 04, 2006, 11:00 PM »

Well, IMHO it depends on how good you are at separating things. That's pretty hard wrt. Mac vs. Windows, though (and hell, throw in linux and it gets worse), because there's so many emotions and so much zealotry involved.

If somebody could succeed in having being relatively objective and have, say, mostly windows stuff, but a fair mix of OS-X/linux/*bsd ... then the result could actually be pretty interesting articles

Oh well, don't know the Scott guy so I can't tell how he's doing it. Is any of his stuff worth reading?

JavaJones · « **Reply #8 on:** August 04, 2006, 11:41 PM »

Hmm, I've only gotten 2 of his newsletters and read a few of his other articles (started subscription after his "20 things you'll hate about Vista" article), but I've not found it to be overly Mac-heavy *at all*. In fact I would tend to agree with him that it's more Vista-heavy than anything, which is interesting but not necessarily what I'd like to be getting the most of in terms of content.

He does mention some Mac stuff in I think every newsletter these days but I'm fine with that. I really don't think a "one or the other" attitude is particularly good either. If nothing else both sides have things to learn from each other. I played around a lot on a Mac Classic many years ago, but since then I've really disliked Mac's for the most part. There are lots of little issues that bug the crap out of me. OS X made improvements and brought fixes for some of those issues, but a lot still remain. My biggest continues to be the basic attitude of Apple and many of its users. Nonetheless I strongly considered buying an Apple machine recently because I am just really interested in seeing what OS X gets *right* and what could/should be done in other OS's. I'm interested in general in good OS design and I think Apple has a lot of really good ideas and implementation. If you disagree, that's a position that should be reasonably defended; if you agree then how could you willfully ignore an entire storehouse of potentially good ideas? We're not all OS developers of course, but it's good to have a reference point, a benchmark, something to inspire our feature requests for the apps and OS's we do use. I think if nothing else Mac's are good for that. Oh yes, and then there's Bootcamp...

- Oshyan

Sugar · « **Reply #9 on:** August 17, 2006, 05:55 PM »

I've read Scott til a year ago. I, too, felt he was boring but I'm not sure I'd say THAT part to someone. One has great difficulty changing how they are as a person.

Re: AVG, I've used it for at least 4 years and like it a lot. It updates daily, hasn't left me in the cold, virusy world out there and simply works like an antivirus should.

bratliff · « **Reply #10 on:** August 17, 2006, 09:06 PM »

For some reason you don't like bloated do everything programs, but I do. ZoneAlarm with virus protection, firewall, email scanner, etc. does it all. Why run multiple programs to get the job done when you can run one?
Robert

f0dder · « **Reply #11 on:** August 18, 2006, 03:26 AM »

For some reason you don't like bloated do everything programs, but I do. ZoneAlarm with virus protection, firewall, email scanner, etc. does it all. Why run multiple programs to get the job done when you can run one?
-bratliff (August 17, 2006, 09:06 PM)

If one app doesn't do the job properly, I'd rather have a couple running...

IMHO for the antivirus part, there's only two really reasonable choices: KAV or NOD32. KAV used to use rootkit-style hidden NTFS alternate streams, which got the sysinternals guys waving their warning flags, but that has been fixed...

KAV is a bit heavier than NOD32, but also includes "suspicious action blocking", not just virus scanning.

Personally I used to like zonealarm in the early versions, but then it went pretty rotten.

mrainey · « **Reply #12 on:** August 18, 2006, 06:30 AM »

I used the free version of Zone Alarm for years, but finally got tired of the bugs introduced with each new release. If you still use it, don't install a new version for a month or two after release - give Zone Labs a chance to fix the inevitable bloopers.

Having said that, all the reviews I've read over the past year say that the ZoneAlarm Pro Suite is very solid.

app103 · « **Reply #13 on:** August 19, 2006, 03:17 AM »

I would much prefer to have a great firewall and a great AV and a great anti-spyware, rather than have a less than great combo product.

Zone Alarm is a great firewall...always has been...and I will continue to use the older version I have without all the anti-other-stuff. It is the addition of all the extra stuff that seems to have created all the problems people complain about.

AVG is a great antivirus and not so bloated that I can't run it on my old P1.

And Spybot is a great anti-spyware, with the least amount of false positives. (I won't use an anti-spyware that detects all my Delphi & VB 6 source code files as malware, based solely on it's file extensions, which most do. Kind of gives me the impression that they don't know what they are doing when they call the source to my Delphi 'Hello World' a Kazaa trojan.)

All 3 of these are great products...and all 3 are either free or have a free version.

Some of the all-in-one products are so bad that having malware, instead, might be an actual improvement.

tomos · « **Reply #14 on:** August 19, 2006, 03:59 AM »

I'm using the free version of Sunbelt Kerio Firewall, AVG,
and,
I was using spybot, but started using Windows defender, cause it got good reports & I get download notifications from windows update - was using both for a while (Spybot + w.defender) but wasnt sure would they clash - (didnt seem to mind you)

Anyone have any opinions on the Sunbelt Kerio Firewall? And whether paid version is whole lot better? (I gotta admit I read about the differences & didnt understand ... $:-\$ )

f0dder · « **Reply #15 on:** August 19, 2006, 09:57 AM »

I switched to Kerio Personal Firewall once Tiny Personal Firewall went commercial, and it was pretty good - but then Kerio went personal too. Dunno how it is now, but the featurelist looks fine enough... and the pay-stuff doesn't look *that* necessary for home use, although remote config might be handy for corporate situations.

I think I'll give it a try, not running any firewall at the moment, depending on my NAT to keep me safe & warm

Innuendo · « **Reply #16 on:** August 19, 2006, 12:42 PM »

I used to use F-Secure, but quit because they use Backweb to deliver their updates & Backweb has been (don't know if they are anymore) a well-known delivery mechanism for spyware.

Windows Defender seems to be worthless to me. It sits there and does nothing. Literally nothing. It has never found any bit of spyware other programs have found (spybot, adaware, etc) & I remember reading somewhere that Microsoft is being pretty liberal about what it white-lists as safe, but now I can't find the link.

AVG is a great free anti-virus program, but I hear reports that AntiVir has better detection/clean rates. This is from independent anti-virus testing web sites.

f0dder · « **Reply #17 on:** August 19, 2006, 12:58 PM »

Ad-aware sucks. It's scanning method is slow & lame, and the amount of "known threats" shown to the end-user is the amount in their database multiplied by some number... some guy reversed it, so there's proof floating somewhere on the web.

Spybot S&D seems nice enough though.

tslim · « **Reply #18 on:** August 20, 2006, 11:08 AM »

I use NOD32 mainly because of its excellent performance and powerful protection.
It has saved me quite a few times these years.
I am so happy that I even help to sell copies of NOD32 to many of my customers, so far more than 50 copies (newcomers+renewal).

Scot Finnie's emphasis on scanning outgoing mail is "hard to understand", at least for me...
If the best 2006 antivirus can secure one from being attacked, isn't that means his/her PC is always clean, so why scan mail going out from a known "clean PC" ?

f0dder · « **Reply #19 on:** August 20, 2006, 11:17 AM »

Humm, I find NOD32 to be a bit more sluggish than KAV... especially that it doesn't have a persistant database of "this file is clean", which means that after a reboot, all first-time launches of an application has about a one-second "scan penalty" in launch time. Other than that, NOD32 is excellent.

Scanning outgoing mail does seem a bit silly to me. If somethings sending bad mails, you're already screwed... and sending bad attachments would be blocked at the file access level anyway.

app103 · « **Reply #20 on:** August 20, 2006, 11:49 AM »

Scot Finnie's emphasis on scanning outgoing mail is "hard to understand", at least for me...
If the best 2006 antivirus can secure one from being attacked, isn't that means his/her PC is always clean, so why scan mail going out from a known "clean PC" ?
-tslim (August 20, 2006, 11:08 AM)

I had a case where a program I was using, that wasn't malware, tried to send out an email without telling me that it was an email I would be sending.

What happened was I was using the Zinio Reader for magazines that I have digital subscriptions to. They are DRM protected files. They have a feature where you can send a friend a free copy of the magazine issue you are currently reading. You click the button and it asks for their email address and a message you want to include.

I thought this would be submitted directly to the Zinio site and they would send him an invite email. That wasn't what it did though. It tried to silently send an email to my friend from my pc with a link to get the reader and issue I wanted to share...without telling me it was doing that.

My anti-virus (McAfee at the time) intercepted it and asked my permission to send it...and asked if I wanted to see it first.

I had to see it first...since I don't have a working default email client. It would have failed to send.

I don't like having an email client set as default that other software could have access to. Too many stupid viruses like to mail themselves out to everyone in your address book. Having a default client that has no entries in the address book and can't send mail makes sense to me. I have always done things that way just in case something slips past my AV.

Now as far as an antivirus checking outgoing mail that you send, attachments & stuff, and adding that message at the end...that is for advertising purposes, and to make the recipient of your email think it's clean.

I don't like those messages that get attached to emails from various AV products. Anybody could deliberately send you malware and copy & paste that text from some mail someone sent them and accomplish the same thing...it's misleading and can give some unsuspecting under-educated pc user false confidence.

tslim · « **Reply #21 on:** August 20, 2006, 11:58 AM »

If I understand you and "persistant database" correctly:
1) There is additional activity/work to do in order to maintain or update the persistant database
2) There is additional time to search for a file being launched (before checking for virus pattern) if that file is not yet in the database.

It is intersting to me to find out how much time it actually save...

Anyway, lets say a user wants to scan through a HDD for possible hidden threats, does KAV use that "persistant database" to bypass "this file is clean" files during this "on demand scanning" process? Or instead, it builds and updates the database during that process?

f0dder · « **Reply #22 on:** August 20, 2006, 12:09 PM »

NOD32 already keeps an in-memory database - that's why you only get a one-hit penalty, after you've booted the computer... so I'd basically just like this to be persisted to disk. Of course a virus could theoretically attack such a database, but you'd already be infected if it had the chance to do this

Anyway, lets say a user wants to scan through a HDD for possible hidden threats, does KAV use that "persistant database" to bypass "this file is clean" files during this "on demand scanning" process? Or instead, it builds and updates the database during that process?

I haven't looked into how this works, so it's just guessing from an end-user perspective. In a previous version, KAV used NTFS "alternative file streams" to store the "this-is-clean" data, and then used some rootkit-like methods to hide/protect those streams, and this got sysinternals' rootkit revealer "up and ringing". Now it seems that it uses a few database files stored somewhere instead.

My guess is that any time a file is scanned (automatically on access, or through a full computer scan), the database is updated... taking things like filesize, last-modified etc. into consideration. Or perhaps a cryptographic hash (a MD5 or SHA hash is much less expensive to compute than doing a full heuristic scan of a file).

tslim · « **Reply #23 on:** August 20, 2006, 12:31 PM »

Another point worth considered:
A persistant database stores results of past scanning.
1) When should be the right time to bypass scanning based on this past result
2) and when should be the time to rescan and reconfirm the past result

Let say there is a 1 hour gap between a XXXX virus/trojan/... is found on the web and the delivery of latest virus signature database to the end user. If you happen to be online during that hour, do you find the need to re-examine the "persistant database"?
Do you rescan every entries found in the database or simply zap the database so that it is rebuilt from scratch?

moerl · « **Reply #24 on:** August 23, 2006, 07:45 PM »

I use NOD32 mainly because of its excellent performance and powerful protection.
It has saved me quite a few times these years.
I am so happy that I even help to sell copies of NOD32 to many of my customers, so far more than 50 copies (newcomers+renewal).

Scot Finnie's emphasis on scanning outgoing mail is "hard to understand", at least for me...
If the best 2006 antivirus can secure one from being attacked, isn't that means his/her PC is always clean, so why scan mail going out from a known "clean PC" ?

-tslim (August 20, 2006, 11:08 AM)

Where's the thumbs-up featuere here? Great post. That's exactly what I thought.. I was irritated by the emphasis on outgoing email scans as well. I'm a proud NOD32 user as well

. It's my second (third?) year of using it and I couldn't be happier. I feel perfectly safe with it and see it updating its virus database all the time. I never have to mess with it and just let it do its job.