27 April 2008

Traditional Antivirus is Wasteful

A response to this LifeHacker post:

Traditional real-time antivirus scanning is wasteful, IMO. Viruses can come through in what you download, or if your networking settings are weirdly insecure, but it's not like you can just "catch" a virus. To warn people that their computers might be unknowingly infected is unnecessarily alarmist; a virus or trojan would have to come from a downloaded or copied file. I scan every file I download by having Free Download Manager call ClamWin (and A-Squared Command Line), which I update hourly (I even made an AutoHotkey script so that the scan happens in the background). This precaution makes more sense than scanning every file whenever it is read or written, and it is hugely better for your I/O performance.

All in all, though, blacklist-paradigm antivirus does not make a lot of sense nowadays for on-access scanning, because viruses (and more relevantly, other kinds of malware) spread before virus definitions are created. Furthermore, on-access scanning of files involves a huge performance cost. If you scan all incoming files, extra file scanning doesn't make any sense unless the virus definitions have been updated in the interim. I'm perplexed, for instance, by Avast!, which can scan all files, emails and IMs: if all files are already being scanned, why scan a file again just because of its route of entry?
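The two ideas above, scan a file once when it arrives and rescan it only when the definitions have changed, can be written down as a small script. This is an added example, not the author's Free Download Manager/ClamWin/AutoHotkey setup; it assumes a ClamAV command-line scanner (`clamscan`, or ClamWin's equivalent) is on PATH, uses ClamAV's documented exit codes (0 clean, 1 infected, 2 error) and its "path: Signature FOUND" output line, and takes the signature-database version from `clamscan --version`. The cache is keyed on the file's SHA-256 plus that database version, so an unchanged file with unchanged definitions costs only a hash, never a second scan.

```python
"""Scan downloads on arrival; rescan only if the file or the definitions changed.

Assumptions (not from the original post): `clamscan` is on PATH and prints
"ClamAV <engine>/<db version>/<db date>" for --version; the cache is in-memory.
"""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# ClamAV's documented clamscan exit codes.
CLEAN, INFECTED, ERROR = 0, 1, 2

# clamscan reports each detection as "<path>: <signature> FOUND".
_FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks to bound memory use."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_clamscan(returncode, stdout):
    """Map clamscan's exit status and output to (verdict, [signatures])."""
    sigs = [m.group("sig") for m in map(_FOUND_RE.match, stdout.splitlines()) if m]
    if returncode == CLEAN:
        return "clean", []
    if returncode == INFECTED:
        return "infected", sigs
    return "error", sigs  # scanner error: never cache this as a verdict


class ScanCache:
    """(sha256, definitions version) -> result. A new definitions version
    changes the key, so every file is rescanned exactly once after an update."""

    def __init__(self):
        self._entries = {}

    def lookup(self, digest, defs_version):
        return self._entries.get((digest, defs_version))

    def record(self, digest, defs_version, result):
        self._entries[(digest, defs_version)] = result


def defs_version(clamscan="clamscan"):
    """Signature DB version, the middle field of 'ClamAV 1.2.1/27150/<date>'."""
    out = subprocess.run([clamscan, "--version"], capture_output=True,
                         text=True, check=True).stdout.strip()
    return out.split("/")[1] if out.count("/") >= 2 else "unknown"


def scan_file(path, cache, clamscan="clamscan"):
    """Return (result, from_cache). Only non-error verdicts are cached."""
    digest = sha256_of(path)
    version = defs_version(clamscan)
    cached = cache.lookup(digest, version)
    if cached is not None:
        return cached, True
    proc = subprocess.run([clamscan, "--no-summary", str(path)],
                          capture_output=True, text=True)
    verdict, sigs = parse_clamscan(proc.returncode, proc.stdout)
    result = {"verdict": verdict, "signatures": sigs}
    if verdict != "error":
        cache.record(digest, version, result)
    return result, False


if __name__ == "__main__":
    # Usage: python scan_downloads.py ~/Downloads
    cache = ScanCache()
    for p in sorted(Path(sys.argv[1]).iterdir()):
        if p.is_file():
            result, hit = scan_file(p, cache)
            print(f"{p.name}: {result['verdict']} {result['signatures']}"
                  f"{' (cached)' if hit else ''}")
```

Run it twice against the same directory and the second pass is all cache hits; update the definitions and every file is scanned once more, which is exactly the "only if the definitions have been updated" condition from the paragraph above. A persistent cache would need the same key, so a download that is merely re-read (opened, copied, indexed) never triggers a rescan the way on-access scanning does.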

However, blacklist-oriented antivirus seems wise for periodic on-demand scanning. For this, Norton Security Scan available free through Google Pack is a nice choice.

A better choice for so-called real-time antivirus, though, is behavior-based scanning such as Threatfire, but I prefer Mamutu ($30 for 1 year). Threatfire would interfere with several programs (especially the kind that export files to other formats: PDF Creator, AutoHotkey EXE compiler) even when "suspended," so I can't recommend it unless you're allergic to spending money on security software (as I tend to be). Comodo Firewall is another free alternative in this vein, but it is quite confusing.

Additionally, you can take some preventive measures by using SpywareBlaster. I paid for the privilege of auto-updating and to support its development, but you don't have to.

The one thing that irritates me most about many anti-malware products: the false positives. Since trying out Comodo BOClean and having it shut down a program I wrote myself as a trojan, I've been very suspicious of claims that BOClean has caught malware other antivirus missed. When I see claims like that, I wonder about the likelihood that it is a false positive. (To be clear, I do NOT recommend Comodo BOClean.)

A final note is that I think infrequently-updated real-time antivirus like AVG, which allows only daily updates in its free version, is the worst (if used by itself), because you're exposed to the newest threats while suffering an I/O performance hit.
