Antivirus products: is there any difference between them?

Antivirus products: is there any difference between them?

If one of your company's computers gets a virus you could lose confidential data, your bank accounts could be emptied, and the potential cost to your business is enormous.

It's to try to mitigate this risk that almost every business computer runs antivirus software - often called 'endpoint protection' - either alone or as part of a security suite.

But how effective are antivirus products at preventing infection?

It turns out that on average about 9% of new viruses and other malware get past them, as well as 3% of better-known viruses, according to antivirus research company, AV-Test.

And there's not much to choose between them: any reputable product will catch most viruses but still let in some, according to Mario de Boer, a security analyst at Gartner.

"Most of the vendors are using the same types of technologies to protect against the same threats, so their detection rates tend to be in the same ballpark," he says.

But antivirus products from different vendors are not identical, and some are slightly better than others at catching malware. To understand why, you need to look at how antivirus software actually does its job.

Definition-based protection

At the most basic level, antivirus products use a set of virus definitions. These are digital fingerprints of known viruses which the software uses to recognize them as they come on to a system.

But there's a problem with this approach: it offers no protection against new viruses until the antivirus software has been updated with their definitions.

Malware writers use this weakness to their advantage by developing viruses that make subtly different variants of themselves as they spread, all of which require a different definition to be detected.

Antivirus software vendors have fought back against this type of 'polymorphic' virus by offering products that use loose signature matching: this attempts to recognise whole families of viruses that are similar but don't match signatures precisely.

Heuristics / behavioural protection

Since antivirus vendors can't hope to stop every virus using definition-based protection, the next line of defence they use is heuristics and behavioural protection.

This technology looks at the behaviour of a file that runs on a system to try to spot suspicious behaviour - activities that a normal program would be unlikely to do, but which are characteristics of virus behaviour. Some antivirus products isolate suspicious files in a "sandbox" while they watch what they do, before deciding whether their behaviour is likely to be malicious.

Examples of suspicious behaviour might include modifying registry entries to prevent antivirus software running when a computer is switched on, overwriting other files, or attempting to hide itself.

This type of technology can be useful, but it can also lead to false positives - wrongly identifying a legitimate program as a virus, and preventing it from running.

False positives are a problem because they can harm productivity by preventing employees running the programs they need, and can also lead employees to disable the antivirus software so they can get their jobs done.

It is also possible for antivirus writers to avoid detection by this type of protection by testing their viruses against popular antivirus products to see if it gets detected. If it does they simply modify their code and try again until they produce something that slips past the heuristics and behavioural protection.

Threat detection network protection

The larger antivirus vendors like McAfee, Symantec and Kaspersky use the cloud to offer a different type of protection, based on a threat detection network. The way this works is that every computer running a particular vendor's software acts as a 'sensor' or 'node' on a network of millions of machines.

Any machine that encounters a new virus, or a new file that it has not encountered before, sends the file up to the cloud to be analysed.