Comparative testing of anti-virus products is complicated, and very few people outside of the vendors do it.
The most popular measure of performance is a list of viruses called the Wild List, and some popular tests and certifications are based on it. But, unlike viruses, the wild list updates very slowly. In fact, everything in it is at least one month old, probably much older.
You have to have harder tests than that to have real confidence in anti-virus protection, although controversy ensues when you do. In the early hours, even days, of a virus outbreak, researchers are often in disagreement about the nature of the attack. They disagree about the number of variants, whether an attack is new or a variant of an old attack, and what mitigating circumstances may apply.
This early time is the most important and dangerous time in a viruss life, when it gets a foothold in the wild, not a month from then. For this reason, the larger security companies have a genuine advantage in their ability to respond to new threats. When I see malware protection from little companies or even looser affiliations, I dont get a warm fuzzy about their ability to respond quickly.
A recent article by a Kaspersky researcher expresses some of the testing concerns well. In some tests of these products for PC Magazine in which I have participated we have worked with AV-Test.org, a German research firm with its finger on the pulse of the virus threat and the industry response to it. I cant get into detail about the research results because they charge for it, but I can guarantee you that efforts like ClamAV arent typically among the first responders to new threats.
The big three—McAfee, Symantec and Trend Micro—arent always perfect in this. I specifically remember Mydoom.A as a low point for Symantec. But these companies all have multiple research teams around the world and the ability to respond quickly.
Smaller anti-virus efforts, such as the new ones from companies like SonicWall and WatchGuard, really cant keep up with this. And in many cases their techniques cant be as thorough, especially when trying to perform heuristic analysis.
Consider the new SonicWall gateway-level protection, which inspects at a packet level. Theres no way you can get a big-enough picture at this level to do heuristic analysis. Beefier boxes, like the Servgate Edgeforce line, which are actually Linux PCs with hard disks in them, can view entire files and do more sophisticated analysis. The Servgate boxes run McAfees anti-virus software. Like the SonicWall boxes, they also provide firewall protection, VPN and many other functions.
Gateway-level anti-virus from different vendors often differs in other subtle, but important ways. Does the system scan only SMTP or does it also scan POP3, in case a user inside the LAN checks an outside server? Does it scan IMAP (not that many people care)? Does it scan outbound traffic?
Unfortunately, you get what you pay for, and this kind of high-quality anti-virus gateway enforcement doesnt come cheap. Good protection is not the sole province of the Big Three. Kaspersky, Sophos, Bitdefender and others all have good products. But small companies trying to do their own scanners are just not in their league.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis.
More from Larry Seltzer