Scanning Accuracy
Antivirus vendors make trade-offs between accuracy and speed. A scanner that's 100 percent accurate would be as slow as molasses, so vendors strive for a product that offers a reasonable balance for the typical user. Most scanners scan only the most popular file types by default, but you can configure scanners to scan additional types.
An accurate scanner gives few false positives and false negatives and correctly identifies a given virus. False positives (which occur when a scanner inaccurately identifies a virus) can annoy you and can result in lost hours of productivity, often more time than you would have spent on a real virus. False negatives (which occur when a scanner fails to detect a true virus) permit the spread of malicious code. (For information about the predicted longevity of scanners, see the sidebar "Are Antivirus Scanners Dying?")
Common wisdom says that antivirus scanners should be at least 95 percent accurate against the entire population of malicious mobile code. No virus scanner is consistently 100 percent accurate. The best scanners average 97 percent accuracy or better, with occasional 100 percent spikes.
Many antivirus researchers believe that the ability to detect 100 percent of current threats is a better test of accuracy. Who cares whether a certain product can detect the Pakistani Brain boot virus, which hasn't infected anyone for 10 years and replicates only on 360KB 5.25" double-density disks? Virus Bulletin bestows its VB 100% award on antivirus scanners that detect 100 percent of the rogue code that currently exists in the wild, and WildList Organization International's official WildList (http://www.wildlist.org/WildList) reported only 543 threats as of November 2002. Interestingly, the VB 100% archives will show you how a particular vendor's product performs across different platforms. Although one product might detect 100 percent of the WildList in NT, it might perform horribly on Lotus Notes or Novell servers. The product you choose should make the VB 100% list for the platforms you run it on.
Complex viruses (e.g., Nimda, Klez) often require a complex removal tool. Typically, an antivirus removal tool for complex viruses doesn't reside within the antivirus scanning software. Instead, the scanner references a separate removal tool that you can find on the vendor's Web site. You might need your antivirus software to not only detect a virus but also determine the variant. For example, Nimda.A is a slightly different worm from Nimda.E, and you can cause additional problems if you use an antivirus-removal tool for the wrong variant.
Speed
Nobody wants a slow antivirus scanner. But how can a scanner quickly compare 60,000 file signatures against every file it needs to scan? The answer is that it can't. Although today's scanning engines look at every file they need to examine, they don't compare all files against every signature. Efficient virus scanners first determine the type of file being scanned, then compare it only against signatures for that file type.
For example, if you instruct a scanner to scan a Microsoft Excel file, the scanner first verifies that the file is indeed an Excel file, then ignores all signatures that are specific to other software, such as Microsoft Word macro viruses, boot-sector infectors, and .exe file infectors. How does the scanner determine what type of file it's examining? Simple scanners look at the file extension, an inaccurate method that malware can work around. The best scanners examine the file's header and compare it with an internal file-header database to identify file type.
An efficient scanning engine will search for macro or Visual Basic (VB) code and, if it doesn't find such code, will consider the file clean. If the engine finds macro or VB code, the engine will search for potentially malicious key words (e.g., Auto_Open) in the code that might reveal a certain virus type. If the file doesn't contain a particular key word, the scanner can drop all virus signatures that require that key word's presence. A process of elimination occurs (in milliseconds) until the engine identifies the smallest universe of viable signatures. An efficient scanning engine can thus reduce the number of comparison signatures to a handful.
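The narrowing process just described, as an added toy example that is not from the article or any vendor's engine: file type is taken from the header bytes rather than the extension, a container with no macro code is treated as clean, and only signatures matching the file type and a required key word (such as Auto_Open) are ever compared. The signature entries, the DEMO_PAYLOAD patterns and the macro marker are constructed for this demo; only the OLE2 and MZ header magics are real.

```python
import os

# Constructed header database (leading bytes -> file type); deliberately tiny.
MAGIC = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole2",  # legacy Word/Excel container
    b"MZ": "exe",                                 # DOS/Windows executable
}
# Constructed stand-in for "this container carries VBA code".
MACRO_MARKER = b"Attribute VB_Name"

# Constructed signatures: file type, key word that must be present, pattern.
SIGNATURES = [
    {"name": "Demo.Macro.A", "type": "ole2", "keyword": b"Auto_Open",
     "pattern": b"Auto_Open()\r\nDEMO_PAYLOAD_A"},
    {"name": "Demo.Macro.B", "type": "ole2", "keyword": b"Document_Open",
     "pattern": b"Document_Open()\r\nDEMO_PAYLOAD_B"},
    {"name": "Demo.Exe.A", "type": "exe", "keyword": None,
     "pattern": b"DEMO_PAYLOAD_EXE"},
]

def file_type_by_extension(name):
    """Naive method: trust the extension (a renamed file defeats this)."""
    ext = os.path.splitext(name)[1].lower()
    return {".xls": "ole2", ".doc": "ole2", ".exe": "exe"}.get(ext, "unknown")

def file_type_by_header(data):
    """Better method: match the file's leading bytes against the header table."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"

def candidate_signatures(data, ftype):
    """Process of elimination: wrong file type out, then missing key word out."""
    if ftype == "ole2" and MACRO_MARKER not in data:
        return []  # no macro code at all: consider the file clean
    return [s for s in SIGNATURES
            if s["type"] == ftype and (s["keyword"] is None or s["keyword"] in data)]

def scan(name, data):
    """Return the verdict plus how many signatures were actually compared."""
    ftype = file_type_by_header(data)
    cands = candidate_signatures(data, ftype)
    return {"ext_type": file_type_by_extension(name), "header_type": ftype,
            "compared": len(cands),
            "hits": [s["name"] for s in cands if s["pattern"] in data]}
```

Note the second kind of input: a file named .xls whose header says MZ is scanned as an executable, which the extension-only method would have compared against the wrong signature set.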
Another component of speed is the number of computing cycles the scanner uses while other operations and applications are running. Most network administrators have seen antivirus software overburden a CPU and slow an entire system to a snail's pace. The best engines let you dictate how much of a system's processing resources the scanner can use. If you notice that your scanner is slowing down regular processing, you can simply allot less time to the scanner.