
Protection You Can Count On

Certifiably Confusing?

In the previous article, we looked at why pre-installed software might be a prescription for trouble and just what constitutes a virus. Determining that antivirus protection is a necessity should be the easy part (yes, you need it). The hard part is deciding which one to use.

The single most important factor in the decision process is the product's ability to detect viruses. While this may appear obvious, many purchase antivirus software based on feature sets and price, overlooking detection rates in the process. Couple this with the fact that determining just which product has the best detection can seem downright impossible, and it is easy to understand why such an obvious approach is often undertaken by only the most determined. Considering there are only a handful of certifying agencies, why is there so much confusion? To better answer that question, let's look at the who and how of certifications.

First, it is important to recognize that not all testing is created equal. Various agencies work in cooperation with the antivirus vendors to certify their ability to detect malicious code. While all of the agencies perform detection testing, some, such as the AV-Test.org project, go so far as to identify desirable features and note which products provide these. Others provide only basic testing. The only standard adhered to is the only standard in existence: Wildlist testing.

What is the Wildlist?
Designated persons, dubbed Reporters, are tasked with the responsibility of reporting any virus that actively infects at least two people in any given month. Additionally, a minimum of two Reporters must notify in the same month for the virus to be considered in-the-wild. Thus, a total of four incidents, theoretically, could result in inclusion on the Wildlist. Once placed there, a virus will remain listed for up to a year and a half after the last report, unless the original Reporters request prior removal.

Since the Wildlist is cumulative, it cannot be considered a prevalence or even a commonality gauge. Additionally, since it is published monthly, testing is based on at least month-old virus reports. In other words, the Wildlist cannot be considered a gauge of what is presently in-the-wild, but rather what was considered in-the-wild for a given month. Inadequate as that may sound, it is the best measure currently available and thus is widely used for certifying antivirus products. While that may sound critical, in fact, the members of the Wildlist should be commended for the effort and innovation involved in its creation and maintenance. Without such an effort, there would be no standardized testing mechanisms or tracking of virus incidents available.
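The inclusion rule described above, worked through as an added example (not code from the Wildlist maintainers or from this article), shows why the list lags and is not a prevalence measure. Assumptions: each report is a (month, reporter, virus, infections) tuple, the 18-month retention is a fixed maximum counted from the most recent report of any size, early removal requests are ignored, and the reports and virus names are constructed.

```python
from collections import defaultdict

MIN_INFECTIONS = 2      # infections a Reporter must see in a month
MIN_REPORTERS = 2       # Reporters who must notify in the same month
RETENTION_MONTHS = 18   # "up to a year and a half" after the last report

def month_index(ym):
    """Convert 'YYYY-MM' to a month count so months can be subtracted."""
    year, month = ym.split("-")
    return int(year) * 12 + int(month) - 1

def wildlist(reports, as_of):
    """Return {virus: months since last report} for the list of month as_of."""
    now = month_index(as_of)
    qualifying = defaultdict(set)   # (virus, month) -> Reporters meeting the minimum
    last_report = {}                # virus -> most recent month with any report
    for ym, reporter, virus, infections in reports:
        m = month_index(ym)
        if m > now:
            continue                # not yet reported as of this list
        last_report[virus] = max(last_report.get(virus, m), m)
        if infections >= MIN_INFECTIONS:
            qualifying[(virus, m)].add(reporter)
    # A virus becomes in-the-wild once two Reporters qualify in one month.
    admitted = {virus for (virus, _), who in qualifying.items()
                if len(who) >= MIN_REPORTERS}
    # It then stays listed until the retention window after the last report ends.
    return {virus: now - last_report[virus] for virus in admitted
            if now - last_report[virus] <= RETENTION_MONTHS}

# Constructed sample reports; virus names are hypothetical.
REPORTS = [
    ("2000-01", "reporter1", "Sample.A", 2),
    ("2000-01", "reporter2", "Sample.A", 2),   # four incidents total: listed
    ("2000-01", "reporter1", "Sample.B", 9),   # widespread, but one Reporter only
    ("2000-03", "reporter1", "Sample.C", 2),
    ("2000-04", "reporter2", "Sample.C", 2),   # two Reporters, different months
    ("2001-06", "reporter3", "Sample.D", 2),
    ("2001-06", "reporter4", "Sample.D", 2),
]

if __name__ == "__main__":
    for month in ("2000-04", "2001-06", "2001-08"):
        print(month, wildlist(REPORTS, month))
```

In the June 2001 list, Sample.A is still present 17 months after anyone last saw it, while Sample.B, with more infections than any other entry, never appears.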

Who certifies antivirus?
AV-Test.org, ICSA, Secure Computing (Checkmark), University of Hamburg, and Virus Bulletin (VB100%) each provide certification testing for antivirus software. Of these, ICSA Labs, AV-Test.org and University of Hamburg provide additional tests with zoo viruses. In other words, their tests are not confined simply to viruses which were listed on the previous month's WildList, but also include those the evaluators feel typical users might encounter. Both AV-Test.org and University of Hamburg do such extensive testing that results are not published as often. The comprehensive reports that are published require a bit of perusing, though University of Hamburg does provide a nice Executive Summary to encapsulate their findings. ICSA, which also performs comprehensive certification testing, does so approximately quarterly and includes specialized testing for both on-demand and on-access scanning, as well as a host of other scanner types.

How should results be viewed?
Test results vary and are often confusing. For example, Norton Antivirus fares very well in the VB100% Awards, but is far less stellar in the real-world testing of Hamburg and AV-Test.org. Indeed, such disparities are not uncommon, though there are products that maintain a respectable showing in all tests. Testing is also becoming increasingly sophisticated. Separate Checkmark certifications are provided for on-demand scanning, on-access scanning, and Trojans. As mentioned previously, ICSA sets the standard by providing certification in an array of categories, also including the product's ability to effectively repair the file(s) damaged by the virus.

Don't overlook the fact that testing costs money. If an antivirus vendor wants testing and certification for, for example, Windows 98 and Windows 2000, chances are they will have to pay not only for each of these platforms, but also for each type of test performed. For this reason, a very large vendor (in terms of spending capital) may have several products listed as certified, while a smaller company may have only one or two listed. In such cases, it might be useful to remember that the same core scanning technology can be expected to be in other platforms the vendor supports, even though those particular platforms may not be listed as certified.

What else should be expected from antivirus software?
Notwithstanding the importance of detection, antivirus software must comfortably fit both you and your computer. If you are not comfortable with it, you may not use it in its most appropriate fashion. The next segment of this article will provide insight into common terms used to describe features found in antivirus software and how important these features are to your computing security. Additionally, an overview of how virus detection is accomplished will be provided. Following that article, the continuing series will provide reviews of antivirus software. Every effort will be made to include all products (large and small), with testing being performed on a Windows 98 system. If you wish to ensure a particular product is included in these reviews, please email me with the name of that product and the URL (web address). The reviews will also include how a particular product "placed" with the various testing agencies.
