That question always comes up. Any computer guy that has anything to do with security at all hears it while they are eating, while they are at a wedding, while they are hiking, wherever. “Which scanner should I be using?” It’s not exactly the easiest question to answer, and it’s one that the industry struggles to answer.
Reviewers have a hard time answering the question. Andreas Marx, a well-known reviewer, presented problems with the fundamental ways in which the products are tested here. Another well-known reviewer, Andreas Clementi, blogged about the issue as he sees it here.
Every day, there are fresh malicious drive-by sites and new emails with executable payloads. It’s not all that difficult to submit these executables to http://virusscan.jotti.org or http://www.threatexpert.com. This one, getexe.exe, was downloaded and run without permission by a malicious web site in our lab a few hours ago:
Unfortunately, the source code (both Delphi and asm) has been available for this LdPinch for a few years now. The first version came out in 2001, written by a “student” in Russia. So, let’s optimistically try another set of scanners and take a look at some other av scanners’ detection results:
Seriously? How does a computer professional recommend security software when they see results like that? Which is best?
To be honest, if you’ve already found one that you like, that is stable, and that consistently rates well in reviews, it’s probably pretty good. But you’ve also most likely paid quite a bit for it and don’t know its weaknesses. You can try a free av here: http://www.pctools.com/
There are always tradeoffs for security products, between accuracy, speed, performance and overall effectiveness — it’s very difficult to find the right balance. The great strength of the best signature-based scanners is accuracy against known threats; their weakness, I believe, is timeliness and effectiveness against new, unknown, or changing threats (some of which have been publicly available, source code included, for years, ahem).
We always fall back to the line that Threatfire is a fantastic free complement to any av solution, whatever you’re running. It will stop the new, unknown, and changing threats, even the one from this afternoon that we ran across:
Set aside the confusion of identifying which scanner is best. You can snag a free copy at http://www.threatfire.com/.
That’s all the shameless self-promoting we have for now…