Antivirus Software

With the plethora of viruses, bugs, worms and threats invading the desktop these days, antivirus products have become a critical tool for any PC user. Regardless of whether you are trying to save your system from recent worm variants like Zafi, Netsky, Mydoom and Klez, or from traditional virus threats such as the many Word macro viruses in circulation, you are certain to need some sort of virus protection. The question on everyone's lips, however, is what type of antivirus protection to invest in.

PC World has developed this guide to give you a rundown on how antivirus programs work, what sorts of viruses they cover and the information you need in order to select the best antivirus protection for your desktop system.

What is a virus?

Before we jump into what antivirus programs do, it's important to first identify what a computer virus is. Like its biological equivalent, a computer virus is a program that spreads unwanted and unexpected actions through the insides of your PC. Not all viruses are malicious, but many are written to damage particular types of files, applications or operating systems.

There are three main types of viruses in circulation: boot sector viruses, macro viruses and file-infecting viruses.

The boot sector is the very first sector on a floppy or hard disk. It contains executable code which helps to start the PC. Because the PC's hard disk boot sector is read every time the PC powers up or "boots", and is rewritten whenever you format the disk or reconfigure the system's set-up, it is a vulnerable place for viruses to attack.

Boot sector viruses are usually spread through the boot sector of floppy disks left in disk drives when systems are rebooted. From there, they infect the boot sector of hard disks, loading themselves into memory each time the system is booted and waiting for an opportunity to write themselves to more floppy disks to spread. This kind of virus can prevent you from being able to boot your hard disk.

Macro viruses are by far the most common viruses in circulation, accounting for around 75 per cent of viruses found "in the wild". These can be obtained through disks, a network, the Internet, or an e-mail attachment.

Macro viruses do not directly infect programs but instead infiltrate the files of applications that use internal macro programming languages, such as Microsoft Excel or Word documents. They are then able to execute commands when the infected file is opened, which spreads the virus to other vulnerable documents. In turn, users who share files can also spread the virus to other systems.

File-infecting viruses infect executable files, such as EXE and COM files, loading into memory when executed and spreading their payload.

The results of virus infections vary according to the maliciousness of the author. Many viruses are designed only to spread from file to file, and therefore from computer to computer, without any serious damage. The only real effect on an end user is the loss of credibility when an e-mail to a customer or a friend is rejected by their antivirus program. But there are many viruses with sinister payloads - some actively destroy files, some overwrite the boot sectors on disks to render computers unbootable, and an increasing number install backdoor programs that allow virus writers to take control of computers remotely. Computers with backdoor software installed are called "zombies" and are often used for computer crime such as distributed denial of service (DDoS) attacks.

Other security breaching programs (malware)

Strictly speaking, Trojans, worms, adware, dialers, spyware, backdoors, keyloggers and logic bombs are not, by definition, viruses. Together with viruses, they are referred to as a group as malware. Trojans, for example, are programs that purport to perform one function but in reality do another, like pretending to be a game while really harvesting all your e-mail addresses and sending them to spammers.

Likewise, worms are self-replicating programs that spread like viruses, but the distinction is that viruses infect other files, whereas worms create complete copies of themselves and spread without a carrier executable. Worms most commonly use vulnerabilities in e-mail programs to distribute themselves widely and quickly. Logic bombs are programs written to do something unexpected - such as deleting all your files - at a triggered event such as a date.

Dialers are software components usually downloaded from websites without the user's knowledge. They use local modems to dial out to costly phone services in order to accrue charges on a user's account.

Not all adware programs are malicious. Adware refers to programs whose development is funded by the advertising revenues generated through ads shown while using the program. The Opera web browser is a good example of legitimate adware. However, some adware programs trick the user into agreeing to the installation of other programs, many of which are spyware.

Spyware programs are designed to capture information from the infected computer and return it to their controller. Much spyware is designed to record browsing patterns for marketing analysis, but some less benign spyware applications harvest credit card numbers, passwords and personal information.

Backdoors are programs designed to provide an attacker with remote control of a computer. They are often found within Trojans and their installation is often also a goal of worm writers.

Virus hoaxes also deserve a mention here. Although virus hoaxes do not use any actual computer code, they are still able to spread confusion and overload mail servers by using language to exploit the good nature of people who pass them on to their friends and colleagues without verifying their content first.

With the exception of hoaxes, all good antivirus programs will detect Trojans, backdoors, worms and logic bombs. For simplicity, they will be grouped together and referred to as viruses in this guide. However, an increasing number of vendors now either extend their malware detection to include adware, spyware and dialers or bundle third-party products for the purpose. These applications are discussed in the Spyware Buying Guide.

How antivirus programs work

Antivirus (AV) is a term applied to either a single program or a collection of programs that serve to protect a computer system from viruses. The main component of an antivirus solution is the scanning engine. The intricate details of each engine vary, but all share the basic responsibility of identifying virus-laden files using virus signatures: a unique string of bytes that identifies a virus like a fingerprint, distributed in signature (definition) files. The engine compares patterns in the data against the traits of known viruses captured in the wild to determine whether a file is infected, and in most cases is able to strip the infection from the file, leaving it undamaged. When repair isn't possible, antivirus programs will quarantine the file to prevent accidental infection, or can be set up to delete the file immediately.

In the case of new viruses for which no antidote has yet been created, some engines also use heuristic scanning. This allows the AV program to flag suspicious data structures or unusual virus-like activity even when there is no matching virus definition. If the program sees any funny business, it quarantines the questionable program and warns you about what that program may be trying to do (such as modify your Windows Registry). The accuracy of such methods is much lower, however, and a program running heuristics will often err on the side of caution. This can result in confusing false positives.

If you and the software think the program may be a virus, you can send the quarantined file to the antivirus vendor, where researchers examine it, determine its signature, name and catalog it, and release its antidote. It's now a known virus.
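As an added illustration (not part of the original guide), the core of a signature-matching scanner in Python: a constructed signature database, chunked file reading with an overlap so a fingerprint split across a read boundary is still found, and the quarantine-or-delete step described above. The EICAR string is the industry's standard harmless test file; the second signature, the file names and the sample files are constructed for the demo, and repair of infected files is not modelled.

```python
"""Signature-based file scanner: a teaching model of the engine described above."""
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Constructed signature database: virus name -> fingerprint byte string. The EICAR entry
# is the industry-standard harmless test file; the second is a made-up stand-in signature.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.MacroVirus.Sample": b"CONSTRUCTED-MACRO-SIGNATURE-0001",
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature whose fingerprint occurs in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def scan_file(path: str, chunk_size: int = 64 * 1024) -> List[str]:
    """Scan a file of any size chunk by chunk, carrying the last (longest signature
    - 1) bytes forward so a fingerprint straddling a chunk boundary is not missed."""
    overlap = max(len(sig) for sig in SIGNATURES.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            found.update(scan_bytes(window))
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def quarantine(path: str, quarantine_dir: str) -> str:
    """Move an infected file out of reach: an inert extension so nothing launches it
    by file association, and read-only permissions."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    return dest


def handle_file(path: str, quarantine_dir: str, policy: str = "quarantine",
                chunk_size: int = 64 * 1024) -> Tuple[str, List[str]]:
    """Scan one file; infected files are quarantined (default, so they can still be
    sent to the vendor for analysis) or deleted outright when policy == "delete"."""
    hits = scan_file(path, chunk_size)
    if not hits:
        return "clean", hits
    if policy == "delete":
        os.remove(path)
        return "deleted", hits
    quarantine(path, quarantine_dir)
    return "quarantined", hits


def demo() -> Dict[str, object]:
    """Constructed run in a temp directory: a clean text file, an EICAR test file and
    a document whose 32-byte signature is split across 16-byte chunk boundaries."""
    root = tempfile.mkdtemp()
    qdir = os.path.join(root, "quarantine")
    samples = {
        "readme.txt": b"Nothing to see here, just text.\n",
        "eicar.com": SIGNATURES["EICAR-Test-File"],
        "report.doc": b"A" * 10 + SIGNATURES["Example.MacroVirus.Sample"] + b"B" * 10,
    }
    results: Dict[str, object] = {}
    for name, content in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        results[name] = handle_file(path, qdir, chunk_size=16)
    results["quarantine_dir_contents"] = sorted(os.listdir(qdir))
    shutil.rmtree(root, ignore_errors=True)
    return results
```

Running `demo()` reports "readme.txt" as clean and the other two as quarantined; the 16-byte chunk size is deliberately small to exercise the boundary handling that a real engine needs for large files.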

What does AV software protect me from?

The levels of protection vary according to the age of the antivirus product. Newer products include automatic update functions, scheduled scans, memory resident protection and integration with Internet applications such as e-mail clients and Web browsers. Older antivirus products may only consist of a scanner that needs to be manually operated. All virus scanners will protect your PC from viruses if used correctly to regularly scan the hard disks, removable media (such as USB drives, Firewire devices, floppy or Zip disks) as they are loaded into the PC, or any downloaded files prior to use. (Note: If you use a USB key from an infected computer on your PC, that does not mean you will get the virus too. However, you will if you run the infected applications from the USB drive.)

Where the new products shine is in their ability to protect PCs even when the owners aren't as careful as they should be. They include automatic removable media scanning options, helpful reminders when the virus definitions are dangerously out of date, and integration with existing Internet browsers and e-mail applications. Some even automatically scan common file-dumping grounds like the desktop, ensuring that even if other measures aren't configured they still get to scan files before anything untoward happens.

At a minimum, you should be able to expect protection from boot-sector viruses, macro viruses, Trojans, executable files with viruses and worms. With new products you should also expect to find protection from malicious Web pages, scripts, ActiveX controls, Java applets and e-mail worms. Look for products with spyware support for additional protection.

Differences between AV solutions

Fundamentally, all antivirus packages do the same thing - they keep your computer virus-free by scanning and cleaning files. Many of them even share the same integral scanning engine to identify viruses. The main differences come in the polish of the graphical user interface (GUI), the number of add-on functions (e-mail scanners, scheduled automatic updates, heuristic scanning, antispyware etc.) and in the speed and accuracy of the product.


The usability of an antivirus program is essential for its ongoing success. If the pop-ups aren't friendly, they'll quickly be disabled in the options. If the system tray program is unstable, it will be switched off, and unless the updates are quick and easy, they'll be neglected. Make certain the GUI works for you before you buy, and check with other people for their opinions on the stability of the products they have used. A memory-resident scanner with just a few nasty bugs in it, for example, can cause all kinds of problems with using and copying files, or with just keeping your system stable.

Some antivirus vendors are now bundling their antivirus products with personal firewalls and Web filters to create "Security Suites", but they aren't necessary to just keep a system virus-free. Check that the extra features one product has over another are actually something you'll use as opposed to a neat marketing gimmick.

As for the speed and accuracy comparison, there are big differences between the vendors. For a thorough guide to AV software, take a look at http://AV-test.org.

What is an online virus scanner?

Online virus scanners are free Web sites provided by antivirus vendors to scan computers for viruses over the Internet. They are often functionally limited to scanning only certain types of files, and most do not offer cleaning or repair functions. Their use is limited to providing peace of mind to users without full antivirus programs of their own, and detecting a virus with one will usually result in an invitation to buy the vendor's full product online.

Why would I want a personal firewall included?

Any computer connected to a broadband link without a firewall of some kind is almost certainly infected. Recent research has shown an average time of around eight minutes from connection to the Internet to being infected by worms for unprotected and unpatched Windows XP systems. Many commercial antivirus products can be purchased bundled with personal firewall products that filter the computer's Internet traffic and reject attacks. In the case of Norton AntiVirus 2005 a cut-down version of their personal firewall software is installed by default with a set of definitions for repelling worm attacks.

Why do I need protection from e-mail?

The rise in popularity of e-mail worms has increased the need for everyone to have an antivirus product protecting their system, but many products don't adequately protect PCs from being infected. Often the increasing desire for integration between e-mail programs and office applications has left security holes that are quickly exploited by worms such as Klez and more recently by the Netsky variants. In these cases, e-mail can be structured so just viewing the message is enough to cause infection on a system where the security patches are out of date, which is common.


The problem lies in the way that many e-mail programs work: they download a mail message and store it in their own database format. Antivirus programs scan file types they understand through the regular file system (for example, FAT16, FAT32, NTFS), so they don't necessarily understand the data structures that your e-mail program uses to store mail messages and their attached files. This means that should your PC download an infected e-mail that your software isn't patched for, not only does your PC become infected, but it becomes very difficult to clean your system without losing all your e-mails (every time you look at the e-mail inbox you re-infect the PC). This caused a lot of people bother when the W32.Klez worm attacked antivirus programs as its first step, and the cleaning tools released by the affected antivirus vendors were not capable of cleaning the contents of mailboxes.

There are two ways around this: either become very good at downloading all the patches for your Web browser and e-mail programs as they are released, or get an antivirus package that hooks into your mail program and browser, and keep its definitions up to date.

For the e-mail system to be adequately protected, it is important that the scanning take place before the e-mail is stored anywhere that it might execute or be triggered by the user. In other words, the e-mail system needs to hand off all data to the antivirus scanner as the mail is downloaded and sent from the system (or be talking to the POP3 server via the antivirus program).

Not all e-mail packages are supported for this kind of integration, but scanners exist that integrate tightly with versions of Microsoft Outlook Express, Microsoft Outlook, Netscape Messenger, Netscape, Eudora Pro and Becky Internet Mail. Some scanners also claim to integrate with any MAPI or POP3 client.

Why do I need protection from IM?

Instant Messaging is now one of the most popular uses for a computer online and it didn't take long before the IM vendors added support for file-sharing. IM integration for an antivirus product means that it will provide the same kind of protection offered by email support - scanning of files as they are downloaded and before they are made available to the computer user. This protects the computer from either accidental virus transfer from friends or malicious attempts to gain remote control of a computer by sending someone a Trojan or backdoor application and claiming it is something else.

Updating your AV software

To keep your system virus-free requires a little more effort than just installing the antivirus program once then forgetting about it. New viruses are released into the wild every day, and in recent years the propagation of worm-building kits available to malcontents over the Internet has led to an increase in the rate of virus creation. This, combined with an increase in public knowledge of security problems regularly found in major software and operating systems, has led to an even higher rate of new virus discovery. No longer does a virus have to be skillfully crafted, but slightly different viruses can be created by almost anyone and re-released into the wild. This means that in addition to the product out of the box, regular updates are required.

The good news is that the vendors know this and include automatic updating tools in their new products. For the PC user, this means updating your AV is usually as simple as selecting "Update definitions" from the software menu. Some also include scheduling applications that allow background automatic updates of the virus definitions and scan engine, and offer helpful reminders when definitions are out of date. A common approach is for the antivirus program to check the latest version available via the Internet and to prompt the user to press a button if their definitions need updating. Updating is quick and painless and usually requires no more than clicking "Yes" a couple of times.

The bad news is that out of the box products usually only include updates for a specified time period and then require a subscription to their signatures service to continue the updates. Generally they provide a year's worth of free updates with the purchase of a commercial product but will require an ongoing annual fee to keep the definitions up to date after that time. The antivirus vendors now have teams of experts working around the globe 24/7 to respond to new viruses and charge a premium for the service. Vendors provide updates for each product version for several years until they officially end-of-life a release. Some offer updating to this year's release along with another 12 months of updates for only a few dollars more than signing up for another year of signatures.

Over the last three years the time taken to release new signatures has dropped so significantly it is reasonable to expect your antivirus package to keep you protected from any virus you come across no matter how new, as long as you always make sure to update your signatures before downloading your e-mail or running any new executables.

Bottom line: If you have IM/email integration then you won't be able to download any infected file to run.

System requirements

There are antivirus solutions available for all kinds of computers and operating systems, though for older hardware or more unusual operating systems the Internet might be the only place to purchase them. For the newest products your PC will need somewhere around 40MB of hard disk space, a Pentium II 233+ processor, Windows 98/NT/2000/ME/XP and an Internet connection for getting updates.

For MacOS systems the newest products require OS X, around 15MB of disk space, a CD-ROM drive and an Internet connection. There are still older products that support System 7.5.5 and above, and some of the newest packages ship with a version that supports MacOS 8.1 and 9.x.

Linux products appear on the whole to be much more particular. There are products available which require RH 6.2 or 7.1, 128MB RAM and 150MB of space in /opt. Others specify the exact libraries required (e.g. glibc-2.1.3, gtk+-1.2.8, glib-1.2.8 and XFree86-libs-3.3.5).

Free vs fee AV

Even though the heyday of the free virus scanner has long since passed, there are still some commercial vendors offering free cut-down antivirus products over the Internet (see The Free Site for more details).

There is a catch though: some lack automatic updates, some lack e-mail integration and, since free antivirus products are downloaded, all lack CD-ROMs with scanning software on them (see "Is it too late to buy AV software if I've already got a virus?" below).

With antivirus programs, features aren't always the most important thing. The most common difference between any free piece of software and commercial software is the availability and organisation of support. In the case of antivirus programs, this also includes the supply of virus signature updates.

If you can survive without the bells and whistles available in the commercial software, and can cope with finding your support via other users on bulletin boards, then a freeware antivirus package might do the trick. But be aware that updates won't be released anywhere near as often as for commercial products (which can be as often as every day during an outbreak of worms like the W32.Klez variants). In fact, you'll probably be lucky to get updates once a month. And in the Internet age, once a month might mean hundreds if not thousands of new viruses your PC isn't protected from.


Is it too late to buy AV software if I've already got a virus?

No! Most commercial antivirus products are distributed on CDs that include an executable version of the program. This allows you to boot your infected PC then run a copy of the program from the CDROM, which, as read-only media, can't become infected. Even in the worst case scenario, where a boot sector virus has stopped the system from booting, the antivirus program can be installed on another PC and used to make boot disks with a copy of the scanning engine on it. This could then potentially be used to boot up and repair the PC in case of infection. Without the ability to clean a boot sector virus you'll need to get out your installation CDs and reformat your hard disk.


Is it wise to run more than one AV program? Or Is one enough?

The truly paranoid will always point to test results that show all antivirus programs miss infections during controlled tests and claim this means the defense-in-depth approach of using multiple virus scanners is required. Though two scanners might have a better success rate, the invasiveness of an antivirus product will almost certainly mean the two scanners will have a very noticeable impact on system performance and stability. Find one product you like and keep it up-to-date instead. Very few virus infected computers had an updated and functional antivirus program running on them prior to infection.


If I don't have an AV app installed on my PC, how can I check if a file on my computer has a virus?

Head for your favorite search engine and look for "Online antivirus". The online scanners will be able to tell you if your computer is infected even if they can't help clean it. Try http://housecall.trendmicro.com/ or http://www.pandasoftware.com/activescan/ or http://www.symantec.com/cgi-bin/securitycheck.cgi

Questions to ask the retailer

How long am I licensed for updates, and how much will it cost me to extend?

The real ongoing cost of the product might be the annual fees paid to keep it current. Make sure you know what you are in for before you buy.


How regularly are updates released?

Responsible vendors release updates constantly in order to counter new virus threats, and offer free tools for cleaning PCs infected with viruses that disable their antivirus products. Check out the information on their Web sites to see when their virus definitions are updated, and what selection of viruses is included. This should provide a general idea of who is on the ball when it comes to protecting against new viruses.


Show me how to use the updater program!

If running the updates isn't easy, it'll never get done. Look for a product that either warns you of new updates when you connect to the Internet or has simple one-click update facilities.


Can it integrate closely with my e-mail program?

Without tight integration between your mail program and the antivirus program your PC is an easy mark for all those nasty worms. Just remember to update the antivirus program before downloading your mail or it won't stand a chance of stopping them all.


Does it protect me from all types of malware? What kind of antispyware does it have?

The latest generation of commercial products should include protection from spyware, backdoors and other types of malware either through inbuilt support or bundled products.

Technical support

Does it have a right-click shell extension to scan files?

A shell extension is a small add-on that plugs into the operating system's file browser (Windows Explorer, for example) and adds its own options, such as a right-click menu entry, for the files you select.

Often, one of the features overlooked in antivirus products is the usability requirement of quickly double-checking a file before using it. Many antivirus programs only automatically scan certain file types based on their extensions, so look for a shell extension that forces a scanner window to open and immediately scan any selected file, as opposed to one that just launches the scanner interface.


Does it make boot disks and/or have a CD-ROM that can be used for cleaning an infected PC?

Boot disks are required to recover from a nasty boot sector virus, and having the scanner on a CD-ROM means it should be a snap to repair even an infected PC that doesn't have an antivirus program installed.


Product Activation. What is it? And how does it affect me?

Product Activation is a process in which a user or application contacts the manufacturer (usually via the Internet, but it can be by phone or fax). It lets the software vendor know some information about the application running and provides a response that may trigger a change in the application. In the case of antivirus programs this is important, as the activation signals the beginning of the time period for free updates.

This guide was last updated June 2005