Defend yourself against the bad guys
When was the last time you had a cold?
Some little germ invaded your body and made you tired, achy, and chilled, but
you were probably still functioning. You probably had a major irritation but not
a life-threatening situation. Your doctor most likely gave you antibiotics and
scolded you for not getting a flu shot three months ago.
Everybody knows the analogy between human and computer viruses, but you
usually hear about computer viruses only in dire terms--Ebola instead of a cold.
The bad news is that computer viruses are rampant on the Internet and intranets
and in this network-happy world. The good news is that a surprisingly small
percentage of users ever suffer a loss from a virus. Most computer viruses are
just plain annoying, much like the common cold. Few evolve into destructive
strains.
To protect your computer from catching a cold or something worse, you need
to scan for viruses. Most virus scanners perform two tasks--detecting viruses
and inoculating your computer against them.
Virus scanners have gone through many generations of change to keep up with
the new virus strains. Many of the latest viruses aren't even executable files.
Malicious pranksters have written Word and Excel macros that attach themselves
to documents. You can infect documents on your system and not realize what
you've done until it's too late. For example, at a Professional Developer's
Conference, Microsoft recently distributed a CD-ROM that was infected
with the Word Prank macro virus.
With the booming popularity of online software distribution, you now have
the tools to purge sophisticated new viruses soon after they hit. So, many virus
scanner vendors now distribute minor upgrades on the Internet. Because new
viruses emerge weekly (sometimes daily), virus scanner vendors need to let you
download an update with the latest virus definitions monthly. For example, when
the recent Laroux virus (the first Excel macro virus) made headlines, McAfee and
Symantec offered detection and cleaning routines on their Web sites.
If you connect to any network, you need to invest in a virus scanner and
schedule regular scans. Whether the release of virus scanners for Windows NT
signals its growing popularity or is a sign of the times, NT virus scanners have
been appearing at an amazing rate during the past year. At press time, as many
virus scanners are available for NT as for Windows 95, which is incredible given
the installed base of each OS. Small start-up vendors are diving into
the NT pool, and established companies such as McAfee, Symantec, and S&S
Software International are porting their virus scanners to NT.
NT alone protects itself from viruses that can infect other operating
systems: NT's built-in protection can ward off viruses attempting to directly
access hardware such as a hard disk. But what happens when NT isn't running?
Boot-sector viruses can still affect systems because their damage occurs during
boot-up. Viruses that exist on the system before you install or upgrade to NT
can cause installation problems--the dreaded Blue Screen of Death.
Unfortunately, the scanners in this review can't clean your system before you
install NT, so you will want to scan your system with a DOS or Win95 virus
scanner before installing NT for the first time.
No one has detected any NT-specific viruses at press time. Still, you need a
virus scanner to catch boot-sector viruses that can affect NT systems
and any viruses that are on your hard drive.
Putting Scanners to the Test
Selecting a virus scanner that best meets your needs can be a challenge. So
to help you evaluate the pros and cons of each package, I've gathered and
evaluated six leading scanners for NT. I reviewed Carmel Software Engineering's
Carmel Anti-Virus, S&S Software International's Dr Solomon's Anti-Virus
Toolkit, Cheyenne Software's InocuLAN, Symantec's Norton AntiVirus Scanner
(NAVSCAN), Sophos's SWEEP, and McAfee's VirusScan with NetShield. All the
scanners in this roundup offer sufficient virus protection and deserve a spot on
your NT system. But which ones pull ahead of the pack? Table 1 rates each
scanner's features. The sidebar, "Editor's Choice," on page 59,
explains how I reached my selections.
I installed each application on a late beta build of NT Server 4.0. Most of
the virus scanners ran on NT 4.0 and on NT 3.51; however, some choked on NT 4.0,
and McAfee's offerings refused to install on anything other than NT 3.51. In
those cases, I ran the scanners on NT 3.51 Server. The test system was a 133MHz
Pentium with 32MB of RAM.
The tests focused on ease of use, network support, and virus detection rate
against a test bed of common viruses. I also looked at less apparent features,
such as configuration, scan scheduling, and--most important--product updates.
To test each scanner, I compiled a random list of 207 stealth, polymorphic,
and boot-sector viruses in the wild and compressed them in PKZIP archives. Some
of these viruses were new when I tested for them.
Carmel Anti-Virus 1.6
For the past year, Carmel Software Engineering's Carmel Anti-Virus for
Windows NT has been popular. Carmel provides excellent local virus protection
and decent network protection for NT, but other scanners have leapfrogged Carmel
in terms of looks and feature set.
I downloaded the beta version of 1.6 from Carmel's Web site. You can find
it at www.carmel.co.il/demo.htm. Installing the software was easy, although the
installation program doesn't have NAVSCAN's or InocuLAN's flashy splash screens.
Carmel's user interface is intuitive and simple in appearance. Carmel takes
a bare-bones approach to file scanning. Rather than trying to entertain you with
paper flying between folders, Carmel simply displays a status box containing the
number of files scanned, the number of viruses found, and the name of the file
the product is scanning.
Carmel maintains a database of NT system files on your hard drive and
performs cyclic redundancy checks (CRCs) against that database on every scan.
Screen 1 shows this verification process.
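The baseline-and-verify technique described above, as an added example (not Carmel's code or database format; the function names and sample files are constructed for illustration). CRC-32 reliably flags accidental or naive changes, but it is not tamper-resistant, so a checker that must withstand a deliberate attacker would store a cryptographic hash such as SHA-256 instead.

```python
import os
import tempfile
import zlib


def crc32_of(path, chunk_size=65536):
    """Stream a file through CRC-32 so large files are never fully in memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def build_baseline(root):
    """Map each file under root (relative path) to its (size, CRC-32)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = (os.path.getsize(full), crc32_of(full))
    return baseline


def verify(root, baseline):
    """Rescan root and report files that changed, vanished or appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample tree: baseline it, alter it, then verify."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"loader.bin": b"boot code", "shell.exe": b"MZ original code",
                   "config.ini": b"[boot]\n"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)
        # Same length, one byte changed: the size matches, the CRC does not.
        with open(os.path.join(root, "shell.exe"), "wb") as fh:
            fh.write(b"MZ 0riginal code")
        os.remove(os.path.join(root, "config.ini"))
        with open(os.path.join(root, "unknown.tmp"), "wb") as fh:
            fh.write(b"unexpected file")
        return verify(root, baseline)
```

Calling `demo()` returns the report for the constructed tree; in real use the baseline would be saved after a known-clean install and kept where the scanned system cannot overwrite it.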
During the tests, Carmel crashed occasionally. In all fairness, I was
running beta code, but seeing the program crash during a routine scan concerned
me.
Carmel is clearly for local desktop use. Network options are limited to
scanning mapped drives, and notification features are all but nonexistent. In
fact, Carmel lacks remote alert support, so you have to read separate log files
for each Carmel installation. At the very least, a centralized log system would
make Carmel more convenient on a network.
Carmel Software Engineering offers virus definition updates on its online
sites (GO CARMEL on CompuServe and www.carmel.co.il/update.htm on the Internet).
Unfortunately, the definitions I found there were almost three months old, which
is ironic because the company states on the same Web page that new viruses
emerge weekly. Carmel detected 140 of 207 viruses with the most recent (April)
virus definitions.
Although Carmel lacks other scanners' sophisticated features and high virus
detection rate, Carmel has distinct advantages that make it a good choice for
desktop use with a network scanner. For example, Carmel's file checksum
verification is a handy feature that can help ensure your system's safety. If
you need a standalone or network scanner, however, look elsewhere.