Antivirus products: is there any difference between them?
24th Oct 2013 | 13:30
How antivirus software actually protects your computer
If one of your company's computers gets a virus you could lose confidential data, your bank accounts could be emptied, and the potential cost to your business is enormous.
To mitigate this risk, almost every business computer runs antivirus software - often called 'endpoint protection' - either on its own or as part of a security suite.
But how effective are antivirus products at preventing infection?
It turns out that on average about 9% of new viruses and other malware get past them, as well as 3% of better-known viruses, according to antivirus research company, AV-Test.
And there's not much to choose between them: any reputable product will catch most viruses but still let in some, according to Mario de Boer, a security analyst at Gartner.
"Most of the vendors are using the same types of technologies to protect against the same threats, so their detection rates tend to be in the same ballpark," he says.
But antivirus products from different vendors are not identical, and some are slightly better than others at catching malware. To understand why, you need to look at how antivirus software actually does its job.
At the most basic level, antivirus products use a set of virus definitions. These are digital fingerprints of known viruses which the software uses to recognize them as they come on to a system.
But there's a problem with this approach: it offers no protection against new viruses until the antivirus software has been updated with their definitions.
Malware writers use this weakness to their advantage by developing viruses that make subtly different variants of themselves as they spread, all of which require a different definition to be detected.
Antivirus software vendors have fought back against this type of 'polymorphic' virus by offering products that use loose signature matching: this attempts to recognise whole families of viruses that are similar but don't match signatures precisely.
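To show the difference between exact definitions and the loose family matching described above, here is a toy signature scanner (an added example, not code from the article or from any vendor). The "files" are harmless constructed byte strings; the original and its two polymorphic variants differ only in a few bytes, so a hash definition recognises just the original while a wildcard family signature catches all three.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed toy "files": an original sample and two polymorphic variants
# that differ only in a few bytes (the key and the dropped file name).
# These are harmless strings built for the example, not real malware.
ORIGINAL = b"MZ\x90\x00drop:svc.exe;key=\x01\x02;run"
VARIANT_A = b"MZ\x90\x00drop:svc.exe;key=\x7f\x33;run"
VARIANT_B = b"MZ\x90\x00drop:srv.exe;key=\x7f\x33;run"
BENIGN = b"MZ\x90\x00hello world"

# Exact definitions: a digital fingerprint (SHA-256) of each known sample.
HASH_DEFINITIONS: Dict[str, str] = {
    hashlib.sha256(ORIGINAL).hexdigest(): "Toy.Dropper",
}

# Loose family definition: a byte pattern in which the bytes that change
# between variants are wildcards, so one definition covers the family.
FAMILY_DEFINITIONS: Dict[str, re.Pattern] = {
    "Toy.Dropper.Family": re.compile(rb"drop:s..\.exe;key=..;run", re.DOTALL),
}

def scan_exact(data: bytes) -> Optional[str]:
    """Exact matching: only a byte-for-byte identical sample is recognised."""
    return HASH_DEFINITIONS.get(hashlib.sha256(data).hexdigest())

def scan_loose(data: bytes) -> Optional[str]:
    """Loose matching: any file containing the family pattern is recognised."""
    for name, pattern in FAMILY_DEFINITIONS.items():
        if pattern.search(data):
            return name
    return None

def scan(data: bytes) -> Dict[str, Optional[str]]:
    """Run both engines and report what each detected (None means missed)."""
    return {"exact": scan_exact(data), "loose": scan_loose(data)}

if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant A", VARIANT_A),
                          ("variant B", VARIANT_B), ("benign", BENIGN)]:
        print(label, scan(sample))
```

The flip side, which the article goes on to discuss, is that the looser the pattern, the greater the chance a legitimate file happens to contain it.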
Heuristics / behavioural protection
Since antivirus vendors can't hope to stop every virus using definition-based protection, the next line of defence they use is heuristics and behavioural protection.
This technology looks at the behaviour of a file as it runs on a system, trying to spot suspicious activity - things a normal program would be unlikely to do, but which are characteristic of viruses. Some antivirus products isolate suspicious files in a "sandbox" while they watch what they do, before deciding whether their behaviour is likely to be malicious.
Examples of suspicious behaviour might include modifying registry entries to prevent antivirus software running when a computer is switched on, overwriting other files, or attempting to hide itself.
This type of technology can be useful, but it can also lead to false positives - wrongly identifying a legitimate program as a virus, and preventing it from running.
False positives are a problem because they can harm productivity by preventing employees running the programs they need, and can also lead employees to disable the antivirus software so they can get their jobs done.
It is also possible for virus writers to avoid this type of protection by testing their viruses against popular antivirus products to see whether they get detected. If they do, the writers simply modify their code and try again until they produce something that slips past the heuristics and behavioural protection.
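A minimal behavioural scorer, added here as an example (not the article's or any product's code), makes the false-positive trade-off from this section concrete. The rules mirror the three suspicious behaviours the article lists; the weights, the trace events, the AntivirusSvc service name and the Acme installer are all constructed for the example. The one standard Windows path used is the CurrentVersion\Run autorun key.

```python
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str]  # (action, target) as a sandbox trace might record it

# Heuristic rules: name -> (predicate over one event, weight). The weights
# are constructed for this example; real products tune them on large corpora.
RULES: Dict[str, Tuple[Callable[[str, str], bool], int]] = {
    "autorun_persistence": (
        lambda a, t: a == "reg_write" and t.lower().endswith("\\run"), 2),
    "disables_security_service": (
        lambda a, t: a == "reg_write" and "antivirus" in t.lower()
        and t.lower().endswith("\\start"), 5),
    "overwrites_system_binary": (
        lambda a, t: a == "file_write"
        and t.lower().startswith("c:\\windows\\system32\\")
        and t.lower().endswith(".exe"), 3),
    "hides_itself": (lambda a, t: a == "set_hidden" and t == "self", 3),
}

def score(events: List[Event]) -> Tuple[int, List[str]]:
    """Sum the weight of every rule that fires at least once in the trace."""
    fired = [name for name, (pred, _) in RULES.items()
             if any(pred(a, t) for a, t in events)]
    return sum(RULES[n][1] for n in fired), fired

def classify(events: List[Event], threshold: int = 6) -> str:
    """A lower threshold catches more malware but also flags more
    legitimate software, which is exactly the false-positive trade-off."""
    return "malicious" if score(events)[0] >= threshold else "benign"

# Constructed traces (toy data, not captured from any real program).
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
AV_SERVICE = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AntivirusSvc\\Start"
TOY_VIRUS: List[Event] = [
    ("reg_write", RUN_KEY),                             # run at every boot
    ("reg_write", AV_SERVICE),                          # stop AV from starting
    ("file_write", "C:\\Windows\\System32\\calc.exe"),  # overwrite another file
    ("set_hidden", "self"),                             # attempt to hide itself
]
LEGIT_INSTALLER: List[Event] = [
    ("reg_write", RUN_KEY),                             # start app at login
    ("file_write", "C:\\Program Files\\Acme\\acme.exe"),
]
SYSTEM_UPDATER: List[Event] = [                         # patches a system binary
    ("reg_write", RUN_KEY),
    ("file_write", "C:\\Windows\\System32\\calc.exe"),
]
```

At the default threshold the updater (score 5) is allowed to run; drop the threshold to 5 and it becomes the false positive the article warns about, while the toy virus (score 13) is caught either way.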
Threat detection network protection
The larger antivirus vendors like McAfee, Symantec and Kaspersky use the cloud to offer a different type of protection, based on a threat detection network. The way this works is that every computer running a particular vendor's software acts as a 'sensor' or 'node' on a network of millions of machines.
Any machine that encounters a new virus, or a new file that it has not encountered before, sends the file up to the cloud to be analysed.
Signatures or blacklist entries for newly encountered viruses are generated and sent back to every other node on the network, or placed in a cloud-based definition database, almost immediately. The 'reputation' of other newly encountered files is checked against a blacklist of known malware and a whitelist of files that are known not to be malicious.
The benefit of a threat detection network is that as soon as a new virus is discovered, all the other computers on the network are made aware of it and protected against it very quickly - sometimes the 'time to protection' is as little as 40 seconds, according to Peter Beardmore, Kaspersky's senior director of product marketing.
"This is significant, because most viruses and other malware infect computers within the first two hours after they are released," he adds.
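The node-to-cloud flow described above, modelled as an added example (a constructed toy, not any vendor's service or API): the first node to meet an unknown file submits it, the cloud records the verdict on its blacklist or whitelist, and a bad verdict is pushed to every other node, which then blocks the file locally without a second round trip. The toy_analyser standing in for cloud analysis is an assumption of the example.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Set

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ThreatNetwork:
    """Toy cloud reputation service shared by every node (constructed model)."""
    def __init__(self, analyse: Callable[[bytes], Optional[str]]) -> None:
        self.analyse = analyse                # cloud classifier: name or None
        self.blacklist: Dict[str, str] = {}   # fingerprint -> malware name
        self.whitelist: Set[str] = set()      # fingerprints known to be clean
        self.nodes: List["Node"] = []
        self.submissions = 0                  # files that had to go to the cloud

    def reputation(self, digest: str) -> str:
        if digest in self.blacklist:
            return "known_bad"
        return "known_good" if digest in self.whitelist else "unknown"

    def submit(self, data: bytes) -> str:
        """A node sends an unseen file; a bad verdict is pushed to every node."""
        self.submissions += 1
        digest, verdict = fingerprint(data), self.analyse(data)
        if verdict is None:
            self.whitelist.add(digest)
        else:
            self.blacklist[digest] = verdict
            for node in self.nodes:           # the near-instant definition push
                node.definitions[digest] = verdict
        return self.reputation(digest)

class Node:
    """One endpoint acting as a sensor on the vendor's network."""
    def __init__(self, network: ThreatNetwork) -> None:
        self.network = network
        self.definitions: Dict[str, str] = {}  # locally held signatures
        network.nodes.append(self)

    def check(self, data: bytes) -> str:
        digest = fingerprint(data)
        if digest in self.definitions:
            return "blocked_locally"
        rep = self.network.reputation(digest)
        return self.network.submit(data) if rep == "unknown" else rep

# Constructed stand-in for the vendor's cloud analysis (toy heuristic).
def toy_analyser(data: bytes) -> Optional[str]:
    return "Toy.Dropper" if b"drop:" in data else None
```

The submissions counter shows the benefit: with a million nodes only one of them needs to see a new file before all the others are protected.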
Rootkits are a type of malware that are particularly hard to detect. That's because they subvert the operating system of the infected machine, and antivirus software relies on information it receives from the operating system to spot viruses.
Once the operating system has been subverted it can be made to render the rootkit invisible to antivirus software, making the rootkit almost impossible to detect.
McAfee has pioneered the use of a technology it calls DeepSafe, based on virtualisation technology, which runs before the operating system loads - but only on computers equipped with certain Intel processors.
DeepSafe can then run independently, 'outside' the operating system, and spot files that are hidden to antivirus products that rely on the operating system.
McAfee is owned by Intel, and that may give the company an advantage in building this type of anti-rootkit technology.
But this type of technology may become less useful in the future thanks to efforts that are being made to build operating systems such as Windows 8 that protect themselves from being modified while they boot, according to Gartner's de Boer.
Choosing a product
So when it comes to choosing an antivirus product, the most important thing is to check the range of different protection mechanisms it provides.
All will offer signature protection, but not all offer behavioural protection or a cloud-based threat protection network.
And not all networks are equal - a big network with more nodes offers better protection than a smaller one.
Many vendors offer antivirus software for home use with more features than their business versions. Although these extra features should, in theory, offer more security, home versions tend to generate more false positives.
Probably the biggest difference between antivirus products is not the antivirus software itself, but the additional security features that vendors package with their antivirus products to turn them into security suites, de Boer believes.
These features often include encryption, data loss prevention (DLP), USB device control and even website blacklisting.
"The biggest benefit of these suites is that all the software is designed to work together to provide broad protection," says de Boer. "It may not all be best of breed, but at least the various features won't fight each other and they can often be managed easily together without the need for much training."