|
[ Go to February 1997 Table of Contents ]
WinLab Reviews
-- by Lenny Bailes
As computer viruses evolve, so must antivirus products. I examined four of the latest versions-IBM AntiVirus 2.5, Parsons ViruCide Plus 4.2, Dr Solomon's Anti-Virus Toolkit 7.64 and Norton AntiVirus 2.0-evaluating their skills at preventing infection from multiple attacks, savvy at detecting and cleaning infections, and general flexibility and ease of use. Norton AntiVirus came out on top due to its strong capabilities in all three of these areas. But this version of Norton isn't the best choice for Windows 3.x users; it only runs on Windows 95 and NT. Look to the others if you need to protect a Windows 3.x machine. Each of these four products includes a watchdog utility that sniffs around in the background, looking for virus-like code and activity. The efficiency of these tools varied from one product to the next. IBM's AntiVirus 2.5, for example, inconsistently intercepted copy operations with infected files. Not until options in the Scanner's Setup menu had been turned on did it detect the Concept virus. It successfully prevented attaching or decoding infected Word documents in e-mail messages; however, it didn't guard against attaching or decoding files infected with the DOS Ambulance virus. Although the intercept screen warned that the file was infected, it allowed the plagued program to continue. The Parsons ViruCide Plus Active Monitor performed better but displayed constant virus-interception messages rather than just beeping once and allowing me to cancel the operation. With the exception of the Lupin and Moonlite.458 viruses, Active Monitor successfully intercepted attempts to attach infected files to e-mail messages or unpack already received infected attachments. No virus was safe from Dr Solomon's WinGuard, which intercepted every one tested. The TSR is so strict that it won't let you examine the directory of a floppy disk with an infected boot sector until you disinfect it. That feature discourages novices from leaving an infected floppy in the floppy drive, eliminating a potential problem on a subsequent reboot. WinGuard also successfully intercepted attempts to send or receive infected e-mail attachments. Norton AntiVirus Auto-Protect also caught every virus used, offering disposition options for an intercepted virus. You can stop the system and deny access, attempt to clean, delete and rename a file, or ignore the infected file. Unlike the other sentinels, Norton lets you resolve a situation with a single button-click. Auto-Protect successfully guarded against attaching or decoding infected e-mail attachments in Microsoft Inbox, Netscape Navigator and Eudora. Of the four packages, only Dr Solomon's supplied a TSR watchdog for DOS that intercepts infected files in a real-mode command session. On system shutdown, IBM AntiVirus (for Win95), Dr Solomon's and Norton AntiVirus check the A: drive for boot-sector infection. To test the products' scanning features, I planted Word Macro viruses and DOS file viruses on my hard disk and attempted to read some floppy disks with infected boot sectors. All four packages detected my floppy infections and purged the Word Macro virus. Products differed, however, in their ability to handle DOS file viruses. IBM AntiVirus detected 12 of 13 common DOS file viruses, missing Lupin. Of the 12 detected types, only two could be purged without deleting the infected program. IBM AntiVirus couldn't clean files infected by Ambulance or Moonlite.458 virus strains. Files infected by Ambulance were salvaged by the three other packages, and files containing Moonlite.458 were successfully purged by Norton AntiVirus and Dr Solomon's. Parson's ViruCide Plus detected 11 of 13 DOS viruses (missing Lupin and Moonlite.458), of which six strains were curable. Dr Solomon's detected all 13 DOS viruses and cured 10. Norton AntiVirus detected all 13 DOS viruses, pronouncing them purgeable, but cleaned only four without deleting the infected file. Since some of the infected files were virus stubs, the inability of Dr Solomon's or Norton AntiVirus to purge them doesn't mean that other files infected with these viruses couldn't be repaired. IBM AntiVirus and Parson's ViruCide Plus inform you in advance if they can clean a particular virus; Norton AntiVirus and Dr Solomon's offer to clean detected infections and later notify you if this can't be done. IBM AntiVirus and Dr Solomon's scan three levels of ZIP archives within primary ZIP files, while Norton AntiVirus and Parsons ViruCide Plus can scan only the first level of a ZIP archive. The scanning modules in all four packages are sufficiently flexible to enable and disable scans of memory, the master boot record and individual boot records. All contain filters to examine all files, program files only or selected file extensions on local or network drives. IBM AntiVirus (for Win95), ViruCide Plus and Norton AntiVirus real-time system shields can be enabled or disabled without rebooting the computer. IBM AntiVirus includes a built-in scheduler to conduct antivirus scans on a recurring basis. The Norton Scheduler runs antivirus scans once, or hourly, daily, weekly, monthly and yearly. The more flexible Dr Solomon's Schedule Editor permits repeated execution every x minutes, hours, days, and so forth, with an optional maximum-duration setting. ViruCide Plus doesn't contain a scheduler for automated scans. Dr Solomon's spartan interface presents a Find module that performs a fixed, automatic search for all virus types and a Repair module that automatically attempts to repair any detected infection. Local and network filters allow you to select drive scans, and an advanced option dialog permits additional custom parameters to bypass boot sector and partition checks or to display a custom message on detecting an infection. The most feature-rich and customizable of the group is Norton AntiVirus, which has more interactive options when viruses are detected, including prompts, automatic repair, deletion or shutdown of the computer. The program also has a file-inoculation procedure that, by default, monitors the condition of your system files and can be set to supervise additional files. The same disposition options available in the scanner can be applied to the Auto-Protect real-time watchdog program or to Norton's Stricker Sensor (heuristic scans for unknown viruses). A backup of a file you elect to repair is made by default, before the repair is attempted. If Norton AntiVirus judges the repair to be successful, both the original and the backup copy are purged of the virus. Norton AntiVirus also has the most pleasant user interface and an easy-to-use real-time disk-monitoring utility. The package includes a LiveUpdate feature that can automatically download new virus patterns from the Internet and a Netscape Navigator plug-in to monitor file downloads from Web and ftp sites. It's the only one tested that explicitly supports Microsoft's FAT-32 File System, which is implemented in the Win95 OEM Service Pack 2 for hard-disk partitions greater than 2GB in size. There's also a good rescue-diskette feature, though it may be slightly less zealous than Dr Solomon's at repairing disks. IBM AntiVirus includes full DOS and OS/2 modules as well as Win95 support. Its real-time intercept and file-cleaning capabilities are not as well developed as those of the other three. Parsons ViruCide Plus' intercept and file-cleaning capabilities are better than the ones in the IBM package, but not as well developed as Dr Solomon's or Norton AntiVirus. Dr Solomon's Anti-Virus Toolkit contains an encyclopedia of viruses and extensive, well-written documentation. It is the champ for detecting and purging file infections, though it does not have the flexibility of the Norton AntiVirus interface. Of the four, Norton AntiVirus is the most well-rounded package. It found every virus I threw at it, and combined these superb detection capabilities with a flexible interface that gave me complete control over the program. I found the ability to scan for unknown viruses especially important; new viruses appear all the time, and this feature, combined with Norton AntiVirus' LiveUpdate capabilities, means I don't have to constantly download updates aimed at new viruses. For these reasons, Norton AntiVirus earns a spot on the Recommended List.
|