Best free antivirus

Don't fall for bogus antivirus downloads

By Scott Dunn

A new virus strain pretends to remove malware but actually does just the opposite: it infects your system.

Fortunately, you can use a few simple steps to tell the difference between these rogue antivirus programs and legitimate security software.

Antivirus apps may be malware in disguise

A dangerous new virus is making the rounds in the guise of a legitimate antivirus program. Going by such names as "Antivirus XP 2008" and "XP Antivirus 2009," this malware, as described in a recent Computer Associates advisory, succeeds by looking like a legitimate Windows program.

The Internet security blog Donna's SecurityFlash reports that rogue antivirus programs such as these are being promoted through spam messages that link to an automatic download of a virus installer.

With such aggressive methods afoot to fool security-minded users, how do you know when an antivirus product is legitimate? Use the following guidelines to ensure that the security products you download are legitimate.

Choose your security vendor deliberately

Be careful how you select a security vendor. Just because you see an ad for a vendor or product on a highly reputable site doesn't mean the advertiser is reliable.

Conversely, an ad for a reputable product or service on an unfamiliar site doesn't mean that you can trust the site. Advertisements are often distributed by third parties beyond the editorial control of the hosting site. That's why you may find ads for untrustworthy products on legitimate sites, and ads for legit products on bogus sites.

Services such as the free McAfee Site Advisor and the Web of Trust add-on for the Firefox browser evaluate beforehand the safety of the site you're about to visit. (Windows Secrets contributing editor Becky Waring reviewed Web of Trust in her July 17 column.)

Because the ratings generated by these tools may be based on out-of-date reports, they aren't perfect. But they serve as a useful line of defense.

Another way to evaluate sites before you visit them is with the free LinkScanner Lite application. Rather than rely on second-hand reports, LinkScanner analyzes the code of a given site to check for stealth downloads and other malicious behavior.

The free version of the program requires that you right-click a link manually to get a risk analysis before you surf to the site. If you want your Google and Yahoo search results to be scanned automatically (in addition to other added features), buy LinkScanner Pro for $20.

Published reviews praise LinkScanner for detecting hacked sites, although the program fares less well when rated for detecting phishing sites. CNET's review gave LinkScanner an overall rating of 7.5 out of 10. PC Magazine's evaluation was similar, awarding the program 3.5 out of 5 stars.

Finally, never visit a shopping site by clicking a link in a spam message. Even if the message claims to be pitching a reputable product, such as one from Symantec or ZoneAlarm, the link may actually take you to a counterfeit site.

Color-coding the good guys and bad guys

One site that has been tracking rogue anti-malware products since 2004 is Spyware Warrior. If you're considering a product whose validity is not certain, your first screening step should be to search Spyware Warrior's blacklist. Although Spyware Warrior focuses on identifying fake antispyware apps, the service's blacklist of suspicious sites and products also includes a lot of rogue antivirus applications.

Additionally, consult a whitelist of products that have been certified by a reliable independent organization. One such organization is ICSA Labs (formerly the International Computer Security Association), an independent research and certification division of Verizon Business. On its site, ICSA maintains a list of antivirus products it has certified according to its criteria.

Once you've validated a product to your satisfaction via these resources, you're probably safe downloading it directly from the vendor. But to be extra cautious, consider going to a reputable download source that scans every item before placing it in its library. Such sites include CNET's Download.com, the Downloads page of PCWorld.com, ZDNet's Downloads page, and Tucows.com's security section.

These days, every PC user needs security software to protect against online threats. But when the security software itself becomes a threat, the solution becomes a problem.

Fortunately, with a little care, you can dramatically reduce your risk when shopping for safe and effective security products.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here's How section of that magazine.

Get top-flight antivirus without spending a dime

By Scott Spanbauer

Protect yourself from viruses and other online threats while skipping the annual subscription fees.

These three antivirus freebies may lack some of the costly bells and whistles (and associated system slowdowns) of commercial alternatives, but they stop malware unobtrusively.

No frills but first-rate virus detection

As a long-standing tightwad, I've gone years — decades even — without paying an antivirus-software subscription. First off, my browsing and e-mail behavior reduce the threat of attacks: I avoid using Internet Explorer and recently switched from Outlook to Gmail. Also, my home network uses a hardware router that blocks access to my PCs from the Internet.

Unfortunately, these steps alone won't prevent every Internet-borne threat. Venturing onto the Web with no virus protection feels like that bad dream where you realize you've gone out in public dressed only in your underwear.

To avoid this overexposed sensation, I use a free antivirus program. Until recently, my favorite antivirus freeware was Grisoft's AVG Anti-Virus Free Edition. Grisoft recently introduced version 8 of the program and discontinued virus-definition updates for the previous version 7.5.

Instead of downloading and installing the new version of AVG, I took another look at two other free antivirus utilities that I had used prior to switching to Grisoft's offering: AntiVir Personal from Avira and Alwil's Avast! Antivirus Home Edition.

I don't need instant-message scans, spyware detection, or other extra features in my free antivirus program. I just want the utility to prevent all viruses, trojans, and worms from infecting my system without reporting time-wasting false positives. I also expect the program to do its job without getting in my face any more than necessary.

I use Virus Bulletin's VB100 tests to find AV tools that meet these requirements. I was happy to read in Mark Edwards' May 1, 2008, PC Tune-Up column that AntiVir Personal achieved a perfect score in the most recent test. On further investigation, I discovered that AVG Anti-Virus also passed the April VB100 test, which was conducted on a PC running Windows Vista Business Edition with Service Pack 1.

Mark's June 12 column contained a further twist by citing complaints by some antivirus experts that the VB100 tests rely too heavily on the WildList. Mark also noted other independent AV tests that compete with those conducted by Virus Bulletin. It's only common sense that one lab's assessment of a product may not always be perfect.

For my review, I supplemented the VB100 results with test scores from two other third-party antivirus labs: AV-Comparatives and Westcoast Labs. Note that in many cases, all three organizations test the commercial versions of the antivirus programs. Since the commercial and free versions of antivirus utilities from a single vendor use the same AV engine, that shouldn't affect my assessment.

The best free antivirus tool also traps rootkits

As Mark noted in his May 1 column, Avira AntiVir Personal is the only free antivirus program that also detects and removes rootkits, which are malware that takes control of your system without your knowledge.

Avira is a top performer in a range of independent antivirus tests. Not only did the program pass the VB100 test with flying colors, it also gets AV-Comparatives' highest Advanced+ rating in May 2008 testing for its virus detection, speed, and low rate of false positives.

Figure 1. Get first-rate virus protection for free with Avira's AntiVir Personal.

One important thing to note is that the free version of AntiVir is for personal use only. Avira uses the honor system — naturally — but during installation you must agree not to use the utility for "any kind of commercial or business purpose."

The commercial version, Avira AntiVir Premium (19.95 euros for a one-year subscription) adds spyware and adware protection, e-mail scanning, and phishing alerts. The fee-based version also updates faster, and upgrading to the paid release eliminates the free version's irritating nag screen.

AntiVir keeps virus protection simple: the program performs daily scheduled system scans, updates its virus definitions automatically, and constantly scans your system's memory for malware. Like AVG, AntiVir lets you schedule updates and system scans but doesn't scan e-mail.

Free AV that works well with Microsoft Outlook

Grisoft's AVG Anti-Virus Free has long fit my criteria for a free antivirus tool: the program is effective yet inconspicuous. I set AVG to download updates and scan for viruses in the middle of the night, and the utility has never reported a false positive. However, the program has never detected an actual virus, either, probably because of my cautious online behavior, as noted above.

It's reassuring that AVG Anti-Virus passed the April 2008 VB100 test, but AV-Comparatives gave version 7.5 (the most recent version it tested) a less-than-stellar Advanced rating because the program scanned slower and detected fewer viruses than Avira AntiVir.

Nevertheless, Westcoast Labs' tests from April and May give version 8 of AVG its thumbs-up Checkmark certification; the tests used both Windows XP and Windows Vista. I'll be watching to see how AVG 8 performs in AV-Comparatives' upcoming tests.

Like earlier versions, AVG comes with mail-scanning plug-ins for Outlook and other e-mail programs. It also features an optional Internet Explorer security toolbar that alerts you to risky Web sites. The $34.95 paid version adds Grisoft's formerly free rootkit scanner, file-download scanner, and instant messaging and phishing protection.

Avast! is the only other memory-resident antivirus application I'm aware of that's free for non-commercial use. Though the program has scored well on the VB100 and other antivirus tests in the past, its poor performance on the most recent VB100 tests and relatively low Standard rating by AV-Comparatives move Avast! down a few notches on my list. I look forward to reviewing a future version of the program, however.

Scott Spanbauer frequently writes for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of PC Hacks.

Infected Web sites replace email as main source of infection

I don't think anyone has any hard figures, but industry experts seem to think that currently about 70% of all new malware infections are from users visiting compromised or hostile websites. This contrasts with the situation a couple of years back where email was overwhelmingly the main vector for infection.

Most of these infected websites are legitimate sites that have been attacked and compromised by computer criminals, who use flaws in web server software (such as SQL and PHP) to take control of the server and then use the web sites on that server to infect unsuspecting site visitors. It may be hours or days before the site owner realizes there is a problem and fixes it. In the interim thousands of site visitors may have been infected.

Any website you visit is a potential victim, so you have no way of knowing what sites to avoid. You are surfing blind. That's why I recommend that all users surf using a sandbox or with reduced user rights.

And no, you cannot fully rely on your AV scanner or other security products to provide you with adequate protection. They sure can help, but it's been my experience that even the best security products do not perform well against hostile sites using zero day exploits.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1316322,00.html

The limitations of AV certification

Many anti-virus scanner vendors proudly promote the fact that their product has achieved Virus Bulletin Top 100 (VB100) certification. This indicates that the product detected every one of the top 100 malware programs on VB's monthly "currently circulating" list. I stopped using the VB100 as a guide a year or so ago when a vendor told me he had staff employed full time to ensure that his product passed each month. When queried about the priority he gave to the thousands of currently circulating malware products other than the top 100, it was clear that he was much less interested. This article [1] flags even more concerns about the VB100 certification. So today, does VB100 certification for an AV mean anything? Yes, it means it passed the VB 100 test :>)

[1] http://www.eweek.com/c/a/Security/The-AntiMalware-Certification-Problem/

The latest news on AVG Free vs. Avast!

First up I need to correct and apologize for an error I made in the May Premium issue when, in relation to AVG Version 8 [1], I said:

"The free version excluded the anti-spyware scanner, rootkit scanner and most of the other goodies added to the commercial V8 product. It also dropped active email protection."

This is incorrect. This is in fact what I should have said:

"The free version excluded the rootkit scanner, active protection against hostile websites and a number of the other goodies added to the commercial V8 product."

That out of the way, let me tell you the latest news:

First, AVG has announced [2] that they have extended the life of the old V7.5 until the end of 2008 rather than the end of May. That's good news and takes the pressure off AVG Free 7.5 users to make a decision.

Second, I keep on getting reports about AVG V8 bugs and how it's making users' PCs run more slowly.

My advice at this stage is to stay away from V8 until AVG has sorted out the problems. And they will; I recall a similar situation when V7 was introduced, but in the end V7 became a very solid product.

In contrast the reports I've been getting on Avast! V4 have been very positive. Although users report it to be resource-hungrier than AVG 7.5, it appears to be less hungry than AVG 8. And users love the fact that it provides broad-spectrum protection, which includes anti-spyware, anti-rootkit and email protection, in addition to anti-virus. It should definitely be high on your list of free security products to try. Remember though, it's only free for non-commercial use.

[1] http://free.grisoft.com/
[2] http://freeforum.avg.com/read.php?1,123812,backpage=,sv=
[3] http://www.avast.com/eng/avast_4_home.html

More malware scanning options

Last month I also suggested that you use Jotti [1] to scan suspect files. I should have also mentioned Virus Total [2], another free online scanning service that uses 32 scanning engines rather than 20 used at Jotti. However, for new malware products it doesn't matter how many signature-based scanning engines you use, because the malware product's signature may not be in any of their databases. That's why I like the free Anubis service [3], which is a behavioral-based (rather than a signature-based) scanner. It's a little slow, but the results are very comprehensive. If a file scans clean on Anubis and either Jotti or Virus Scan, then you can be pretty confident that it's OK. Thanks to regular contributor Howie Mirkin for suggesting Anubis.
[1] http://virusscan.jotti.org
[2] http://www.virustotal.com/
[3] http://anubis.iseclab.org/

Get Kaspersky AV, WinRar, Avira Premium for free

When it comes to chasing up deals on security products, subscriber Rick Farrow is the champ. Here are his latest finds:

"Gizmo, I've got three great free offers which you may be interested in:

The first is a 6-month license to Kaspersky Internet Security [1]. The key is the same for everyone and is T6B6K-8YK22-VBQH7-ZUZJG . Some people are just downloading directly from Kaspersky and inserting the key with success.

The second is for a six-month free license to Avira Premium [2]. Unlike Avira's 30 day trial, this is a fully functional program.

The last is for WinRar promo and it's a bit trickier. The license has to be requested from this German site here [3]. Once the email is received the second link should be clicked. After the program is downloaded I believe you have the choice to use the English version. I don't use WinRar myself, but apparently the deal is genuine."

[1] http://www.kaspersky.com/de/20814_72814_329.html?campaign=ubs_english
[2] https://license.avira.com/en/promotion-t0q1aatr05zwftftgnqr
[3] https://covermount.win-rar.com/pcwelt0508/

Are new antivirus programs any good?

It's a question I often get asked: How good is the new Comodo AV? How does the new PC Tools AV stack up? The honest answer is I don't know. I test a lot of security products but not AV scanners. Properly testing AV programs is a complex exercise, one which I don't have the resources to do myself. Instead I tend to rely on trusted sources such as AV Comparatives [1] and a few others. The problem is that none of these reliable testing agencies has yet tested these new AV products. Until they are tested you should not rely on them for your primary AV protection. Yes, they may be great, but until they are tested, using them can only be regarded as a gamble.
[1] http://www.av-comparatives.org/

Free virus check using Kaspersky

The Kaspersky anti-virus scanner is one of the most effective anti-virus scanners available. You can get the benefits of this power without buying and installing the product by using their free online scan [1]. It's not totally online, because you have to download a small program and a 9MB signature file as well. It's well worth the effort, though, just to make sure no nasties have sneaked past your security software. Note that you need Internet Explorer for this because it uses ActiveX controls. Subscriber Rick Farrow has written to let me know about another way of using Kaspersky for free. The company is now offering a trial version of their scanner called S.O.S. [2]. They claim that you can install S.O.S concurrently with your existing virus scanner and compare results. Normally running two AV scanners together is not a good idea so let's hope Kaspersky has done their homework. However you can uninstall S.O.S. by disabling protection and running the program unins0000exe in the S.O.S. folder.
[1] http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html#
[2] http://usa.kaspersky.com/products_services/free-virus-scanner.php

See how your anti-virus program stacks up

In my April 2007 Editorial [1] I rated some of the most popular free and commercial AV scanners. Since then I've located an excellent additional data source [2] for assessing AV performance. It's a near real-time listing of how well the major scanners detect new threats identified by the Malware Incident Reporting & Termination (MIRT) team. The results support my previous findings, namely the class-leading new-threat detection rate of AntiVir and the relatively poor performance of AVG and Avast!, with Kaspersky and NOD32 falling in the middle. Perhaps more important than the product ranking is the relatively poor performance of ALL products in detecting new threats. This reinforces the point I have been making in recent issues that you can no longer rely exclusively on signature-based anti-malware products to protect you from the current onslaught of new threats. That said, it should be noted that the detection of new threats is only one of several criteria you need to consider when assessing the performance of AV products. See my April [1] editorial for more details.
[1] http://techsupportalert.com/issues/issue144.htm#Section_0
[2] http://winnow.oitc.com/malewarestats.php

Test suspicious files for malware

It's a good practice to run any file you download (or borrow) through a free web based file testing service that will check it for malware using multiple anti-virus and spyware engines. Here are two of my favorites: Jotti [1] currently uses 20 different anti-virus scanners, while Virus Total [2] uses 32! Using one of these services can't guarantee that a file is 100% free of malware, but it's a lot safer than installing an unknown program on the blind faith that it's OK.
[1] http://virusscan.jotti.org/
[2] http://www.virustotal.com/flash/index_en.html

Security product review, part 2

In recent issues I've been examining the question of how well our computer security programs protect us against the latest generation of security threats.

To properly answer this question I've been carrying out an extensive series of tests on popular security products.

Last month I presented the first results. It wasn't good news. It showed that just about all the sixteen anti-virus, anti-spyware and anti-trojan scanners I tested could be easily terminated by hostile malware.

That's really bad news as a lot of modern malware routinely attempts to pull down your security software. A recent report suggests a figure as high as 40%.

I promised this month to give you the full results of my security tests. They are far too extensive to reprint in the newsletter but you can find them online here:

http://www.techsupportalert.com/security_scanners.htm

If you have time, please read the full report; it's full of juicy information. However, I've also prepared a summary table which you can find below.

The first column shows whether the security product could detect process injection. That's a technique used by malware to hide inside legitimate programs that are currently running on your PC. Once inside these processes, they acquire the rights and privileges of the host process. If the host process has the right to communicate with the internet, the malware automatically gets that right, too.

The second column shows whether, independently of signature recognition, the security product could detect a malware program creating an autostart entry. In other words, could it detect an unknown program starting automatically with Windows? To pass the test the security product had to warn or prevent changes in the Startup folder as well as startup locations in the Registry.

The third column shows whether the security product protects your PC against drive-by infections. I tested each product at three hostile sites. To pass the tests, protection must have been provided against all three.

The final column shows whether the security product can detect rootkits. I used two rootkits: Hacker Defender and FuTo. To pass, the product had to detect both.
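The second column's check, noticing a new or altered autostart entry without any signature, comes down to comparing startup locations against a known-good baseline. The Python script below is an added example, not code from the original newsletter or from any product reviewed; it diffs two snapshots of a Run key (as printed by `reg query`) and a Startup folder listing (as printed by `dir /b`). The sample output, user name, paths and function names are all constructed for illustration.

```python
"""Signature-independent autostart monitoring: diff two snapshots of
Windows startup locations (a Run key and the Startup folder)."""
import re

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
_VALUE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Constructed locations and sample data (not taken from the page).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

BASELINE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Example Sync Client    REG_SZ    "C:\Program Files\ExampleSync\sync.exe" /background
    ExampleUpdater    REG_SZ    "C:\Program Files\ExampleApp\updater.exe"
"""
CURRENT_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Example Sync Client    REG_SZ    "C:\Program Files\ExampleSync\sync.exe" /background
    ExampleUpdater    REG_SZ    "C:\Users\alice\AppData\Local\Temp\updater.exe"
    unknown_tool    REG_SZ    C:\Users\alice\AppData\Roaming\tool.exe
"""
BASELINE_STARTUP = "notes.lnk\n"
CURRENT_STARTUP = "notes.lnk\nupdate.vbs\n"


def parse_reg_query(text):
    """Parse `reg query <key>` text into {(key, value_name): data}."""
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # header line naming the key
            continue
        m = _VALUE.match(line)
        if m and key:                   # value names may contain single spaces
            entries[(key, m["name"])] = m["data"].strip()
    return entries


def parse_startup_listing(folder, text):
    """Parse a bare file listing of a Startup folder into {(folder, file): ""}."""
    return {(folder, n.strip()): "" for n in text.splitlines() if n.strip()}


def snapshot(reg_text, startup_text):
    """Combine registry and Startup-folder entries into one snapshot."""
    snap = parse_reg_query(reg_text)
    snap.update(parse_startup_listing(STARTUP, startup_text))
    return snap


def diff_autostarts(baseline, current):
    """Return added, removed and changed autostart entries."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        # Same name, different command line: an existing entry was redirected.
        "changed": sorted(k for k in current
                          if k in baseline and current[k] != baseline[k]),
    }


def report():
    """Diff the constructed baseline against the constructed current state."""
    return diff_autostarts(snapshot(BASELINE_REG, BASELINE_STARTUP),
                           snapshot(CURRENT_REG, CURRENT_STARTUP))


if __name__ == "__main__":
    for kind, keys in report().items():
        for location, name in keys:
            print(f"{kind:8} {location} -> {name}")
```

The "changed" case matters as much as "added": an entry that keeps its familiar name but now points somewhere else would pass a check that only looks for new names.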

Here are the results:

| Product | Detect process injection | Detect malware startup | Protect drive-by download | Detect rootkits |
|---|---|---|---|---|
| Ad-Aware Pro V1.6 | Fail | Fail | Fail | Fail |
| Avast! Home V4.7 | Fail | Fail | OK | Fail |
| AVG Anti-Virus Free V7.1 | Fail | Fail | OK | Fail |
| BitDefender Pro V9.095 | Fail | Fail | Fail | Fail |
| CounterSpy V1.5 | Fail | Fail | Fail | Fail |
| CounterSpy V2.0.122 beta | Fail | Fail | Fail | Fail |
| Ewido v3.5 | Fail | Fail | Fail | Fail |
| Ewido V4 beta | Fail | Fail | Fail | Fail |
| Kaspersky AV V6.0.0 | Fail | Fail | OK | Fail |
| NOD32 V2.51 | Fail | Fail | OK | Fail |
| Norton Antivirus 2006 | Fail | Fail | OK | Fail |
| SpyBot S&D V1.4 | Fail | Fail | Fail | Fail |
| Spyware Doctor V3.6 | Fail | Fail | Fail | OK |
| Trojan Hunter V4.5 | Fail | Fail | Fail | Fail |
| WebRoot SpySweeper V4.5 | Fail | Fail | OK | OK |
| Windows Defender V1.1.1051 | Fail | Fail | Fail | Fail |


As you can see, the results are not very impressive; most products failed most tests.

Now, in mitigation some would argue that it's not the function of signature scanners to detect things like process injection or registry changes. These, it would be argued, are best left to intrusion detection and protection systems.

That's fine, just make sure you have an IDS ;>)

However, no one can say that signature scanners shouldn't protect you from drive-by downloads or rootkits. Only one product, WebRoot SpySweeper, managed to do that. Even then it only managed to protect against drive-by download sites by its "Spy Communication Shield" banning access to the sites. With the shield disabled, it failed to protect as well.

Overall it's bad news all round. So what to do?

I gave you my conclusion last month and it remains unchanged.

I think it's pointless focusing on whether one security program is better than another when, in fact, all the security programs flunked.

The reality is that it's not possible to secure your PC against a malware program that is allowed to run on your PC with full admin privileges. Thank Windows for this.

Layering your defenses can clearly help. It doesn't solve the problem though. And the cost in complexity, inconvenience and processing power usage is high.

There is a better solution: run your PC in a virtualized environment whenever connected to the internet. It's simpler and more effective than any other option.

Remember though, virtualization is in addition to your normal security defenses. It doesn't replace them; it just makes their job easier.

Next month I'll talk in detail about virtualization options. In the meantime, be careful where you surf and even more careful what you install.

Trojan Hunter V4.5 now available

A new version of the top rated anti-trojan program Trojan Hunter [1] is now available for download. The upgrade is free though existing registered users will need to apply for a new license file [2]. The main new feature of V4.5 is the provision of incremental updates for the signature file which means that users no longer have to download the full file every time. There have also been some additional enhancements that make the product more attractive to trial users. First, trial users can now run Live Update to update their rules file. Second, you can start a new trial using the current version even if your 30-day trial period with an old version has expired. I suggest all users download a trial version of V4.5 and scan their PC. It won't cost you a cent and you never know what you may find. If you are not familiar with Trojan Hunter you can check out my review here [3].
[1] http://www.misec.net/
[2] http://www.misec.net/trojanhunter/licensefile/
[3] http://www.anti-trojan-software-reviews.com/review-trojan-hunter.htm