I consider it part of my job to run as many different anti-virus products as I can on my network. It's for the same reasons that I make a point of using both Internet Explorer and Firefox, but swapping around anti-virus software is much harder.
In the last two or three years I've run Norton, McAfee, Trend, BitDefender, CA, Panda, ClamAV, Grisoft, Sophos and F-Secure, and I've just installed Kaspersky. I'm probably forgetting a couple of them too.
When they say familiarity breeds contempt they're not entirely on-point. I don't stick with any of these products long enough to get familiar with them, and I hate them all. I haven't really made up my mind about Kaspersky, which has an excellent reputation among the more technical anti-malware crowd, but in the two days I've been running it I've already had problems.
Here's something you might not have guessed, although it makes sense when you think about it. Malware researchers don't run anti-virus software. It gets in the way. I don't fancy myself all that serious a researcher, but I keep at least one machine without anti-virus software so that I can test suspicious files. If I need to scan something I just send it to VirusTotal (one of the great research sites on the Net).
These days I'm tempted to dump my anti-virus software as well, and I get a lot of viruses in my e-mail. I've had bad luck with a lot of the software crashing my system, slowing it to a crawl at some points, and lying to me about when my license expires.
I've had that last problem recently with both Norton Antivirus and Trend Internet Security. This blog thread and this one about Norton activation problems generated long threads of users saying, mostly, "me too!" Incidentally, I did ask Symantec about the problems and never got a response. Trend Micro's Internet Security suite started telling me I had to renew about six months before the expiration date. I decided not to fight on that one and just move on.
CA's product gave me only about two months on my one-year subscription before it started telling me to buy another year. Time to uninstall and move on to the next one. You might have guessed I usually get eval copies of these programs. If I had paid I might be willing to spend more time trying to get tech support, but I have no patience for these things. I do usually buy anti-virus software when I buy a new computer, and I bought the copy of Kaspersky Antivirus I'm using.
From there I moved to F-Secure Internet Security and quickly developed a problem: I have to use the Cisco VPN client for work and whenever I connected to the VPN on a system with F-Secure loaded (I tried this on two separate systems), the computer blue-screened and rebooted. F-Secure is still investigating.
My Kaspersky phase
I moved that particular computer over to Kaspersky Antivirus. As I said, I've had problems, but I may have worked around them. When I set it up initially I turned on the "proactive defense" feature, which causes KAV to monitor programs with far greater scrutiny than by default. Leaving this feature on slowed file saves, especially to the network, to such a degree I might as well have written the files in longhand.
I also have to say that KAV has needed a lot of tweaking of settings before I've begun to feel comfortable, but I'm getting there. I've noticed no overt conflicts with programs I run, and nobody updates signatures faster than Kaspersky.
Of course, this means they can't spend a lot of time testing the updates. In fact, I got a false positive the other day on my (coincidentally Kaspersky-based) gateway security box. I also switch gateway security boxes frequently and the current one, a ZyXEL ZyWALL 5, about which I will write more soon, has a very small definition set of only 800. But one of those definitions is for the eicar test file, the semi-official anti-virus test.
A friend sent me a large document that had the eicar test in the middle of it. The file was blocked, even though the eicar test is only supposed to trigger in specific circumstances: The file can't be larger than 128 bytes. There have been cases where virus authors have used the eicar test before their own code, hoping the user would see "eicar" and think the file was innocuous. The file I got was many hundreds of kilobytes. The friend and I reported it to Kaspersky, who removed the eicar signature, which is just as well: On a box with only 800 definitions, it's silly to waste even 68 bytes on a test.
So I may have gotten Kaspersky on the desktop to the point where I don't hate it anymore, but give it time. I also once ran a BitDefender system on which the hardware died, so I don't run it anymore. BitDefender itself was relatively inoffensive, although it did raise some displays that I didn't want and couldn't figure out how to turn off.
And then there's McAfee. I had a McAfee-based gateway device for some time and I have to say the anti-virus software on it ran very well. Alas, it was a Servgate box and Servgate is pushing up daisies these days. My luck with it was better than with McAfee desktop anti-virus, which I found to be intrusive and slowed the system noticeably. And they have had their own false-positive problems.
Yup, it's true, they all stink. Well, mostly. I've still got high hopes for KAV, mostly because I hear good things about it from people I respect. We have to find something we're comfortable with; as Oscar Wilde might have said, the only thing in the world worse than running anti-virus software is not running anti-virus software.
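The eicar rule the column paraphrases, as an added example that is not from the column or from any of the products named: a strict checker following the published EICAR conditions (string at offset 0, file at most 128 bytes, only whitespace after it) beside the bare substring match that would block a large document with the string in the middle. The "large document" is constructed inline.

```python
# Added example (not the column's own code): the EICAR detection rule,
# checked against a constructed "large document" like the one the column
# describes. Per the EICAR spec, a scanner should report the test file only
# when the 68-byte string sits at offset 0 and the file is at most 128 bytes,
# with anything after the string being whitespace (space, tab, CR, LF, Ctrl-Z).

# The public test string, split in two so this source file is not itself
# quarantined when saved to disk; joined, it is the standard 68-byte string.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
ALLOWED_TAIL = b" \t\r\n\x1a"
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """Strict rule: a document with the string in the middle, or any file
    longer than 128 bytes, must not match."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TAIL for b in data[len(EICAR):])


def naive_substring_match(data: bytes) -> bool:
    """What a bare substring signature does: it fires anywhere in any file,
    which is the behaviour that blocked a hundreds-of-kilobytes document."""
    return EICAR in data


def build_large_document(size: int = 300 * 1024) -> bytes:
    """Constructed sample: filler text with the test string in the middle."""
    filler = b"lorem ipsum " * (size // 24)
    return filler + EICAR + filler


def compare(data: bytes) -> dict:
    """Both verdicts side by side for one input."""
    return {"strict": is_eicar_test_file(data),
            "naive_substring": naive_substring_match(data)}


if __name__ == "__main__":
    for name, sample in [("exact 68 bytes", EICAR),
                         ("68 bytes + CRLF", EICAR + b"\r\n"),
                         ("129 bytes", EICAR + b" " * 61),
                         ("large document", build_large_document())]:
        print(f"{name:16} {compare(sample)}")
```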
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.