Protect yourself at all times with today's batch of antivirus software
Just in case you haven't heard, viruses can be fatal. Jeff Goldblum and Will Smith used one to wipe out an entire alien mothership in last year's hit movie Independence Day. In reality, viruses won't cause your computers to spontaneously break down, but they can be more than just a mere annoyance.
Like it or not, viruses (particularly those of the macro variety) are becoming more and more prevalent in everyday computing. People send files back
and forth across the Internet all day, and these files eventually make their way
down the pipe to your computer. Because authenticating each downloaded file is
difficult, you have a slight chance of downloading something infected by
viruses. Factor in other virus distribution vehicles, such as exchanging
floppies with co-workers and installing shrinkwrapped software, and you increase
the chances of infecting your computer. I've received infected files from the
most unlikely sources: an infected executable on a store-bought application,
infected Word documents from Microsoft Professional Developers Conference
CD-ROMs, and an infected Excel spreadsheet from a coworker.
Although no native Windows NT viruses are in circulation, a simple boot
sector virus can still wreak havoc on your NT systems. I've seen a boot sector
virus continually kill NT, causing the Blue Screen of Death at almost regular
intervals.
Thank goodness, NT virus scanners are available in abundance. In this
year's virus scanner roundup, I looked at virus scanners available for NT
Workstation. The results might surprise you.
How We Tested
One question that comes up often when you evaluate virus scanners is, "How
do you determine which one is the best?" I usually reply, "It depends."
And it does. You can rate virus scanners based on their respective detection
rates. But with the current crop of viruses, you can assume that all virus
detection routines detect about the same number of viruses. More variables are
involved when you're gauging which virus scanner outperforms the others. When you decide to purchase a virus scanner, your first priority is to make sure it finds the most common viruses. The more common the virus, the greater the chance you have of finding it. Playing the numbers game with virus scanners might look impressive on paper, but what if the virus scanner that can detect a million viruses just happens to miss the Lacroix Excel macro virus?
In this comparative review, besides detection rates, I'll look at features such as realtime scanning and automatic updates (see Feature Comparison). Let's face it, running virus scans is almost as much fun as, well, doing backups. If you do an informal poll within your organization, I'd bet my software that very few people run virus
scans regularly, if ever. Most antivirus vendors recognize that most
professionals have too much work to worry about purifying their files daily or
weekly, so vendors have added realtime scanning modules to their virus scanners.
Realtime scanners are watchdogs that sit in the background, monitoring disk I/O
for strains of viruses. When the system loads an infected executable, the
scanner kicks in to clean the file.
In the past, virus scanners were dated as soon as they hit the street. New
viruses are discovered every month, and in the dark ages before the Internet
became a viable global network, virus scanners had no way of knowing about these
new strains. Today, nearly every antivirus vendor makes updates available from
its Web or FTP site. Automatic updating is simply an automated retrieval and
installation process, making staying up-to-date on the latest viruses in the
wild a bit easier.
Another requirement to consider is technical support. Although most modern
virus scanners are easy to use, cleaning infected files is a different story.
For the more stubborn viruses, calling a specialist is not a bad idea. How the
companies handle panic calls is almost as important as what type of viruses
their software can detect. My review also covers documentation included with the
software, the user interface, notification options, and scheduling capabilities.
Some virus scanners include new heuristics-based technology.
Traditionally, virus scanners use definition files to detect viruses. For
example, a typical definition file includes a string of unintelligible (at least
to human eyes) code that replicates the exact structure of a known virus. When
scanning, the program compares the structure of each file against that string.
When the program finds a match, it triggers an alert to let you know that it has
detected a virus. This method has worked very well in the past, but newer
viruses (such as polymorphic viruses and the ever-popular macro virus) laugh in
the face of definitions. With a heuristics-based scanning engine, a virus
scanner can plow through files looking for virus-like behavior. Rather than
relying on exact matches, virus scanners can now actively seek out potentially
destructive code.
In theory, this method tends to generate false positives (showing that a
file is infected with a new virus when it's not), but it provides an additional
layer of security, which is a good trade-off. In practice, however, this
situation happens so infrequently that it's not much of a concern.
Price is, of course, also a concern. Small businesses might find it
difficult to justify the cost of a multi-thousand dollar virus scanner with
every single feature known to humankind. The perfect virus scanner is priced to
sell (that is, under $100).
For this review, I introduced a package of roughly 50 common viruses,
Trojan horses, and macro viruses into the testing environment. The testing
environment consisted of one 150MHz Pentium machine running NT Workstation 4.0
with Service Pack 3. Some viruses were compressed and archived with
PKZIP. I then zipped the ZIP files yet again in an attempt to catch the virus
scanners off-guard. I installed each virus scanner independently of the others
to prevent conflicts between each application.
I designed the testing regimen to be as straightforward as possible: I
installed the viruses to a directory on the hard disk, triggering the flags of
any virus scanner that happened to be poking around in that directory. Although
this test might be less scientific than most conventional methods, it's also
more representative of how users catch viruses. After all, all the poking and
prodding in the world won't help if a virus hits your system when you load
a file.
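The definition-string matching described above, run over the kind of double- and triple-zipped test files this review uses, as an added example that is not from the review or from any product covered here. The "definitions" and the sample file are constructed markers, not real virus signatures, and the recursion depth limit is an assumption about how a sensible scanner guards against endlessly nested archives.

```python
import io
import zipfile

# Constructed stand-ins for the byte strings a definition file would hold
# for a known virus. These are made-up markers, not real signatures.
SIGNATURES = {
    "Test.Marker.A": b"XMARKER-A-BODY-9A7F",
    "Test.Marker.B": b"XMARKER-B-BODY-3C1E",
}

def scan_bytes(data, depth=0, max_depth=8):
    """Return the sorted names of every definition whose byte string appears
    in data. If data is itself a ZIP archive, recurse into each member so a
    double- or triple-zipped file is still caught. max_depth (assumed here)
    stops a scanner from chewing forever on a pathologically nested archive."""
    hits = {name for name, sig in SIGNATURES.items() if sig in data}
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    hits.update(scan_bytes(zf.read(member), depth + 1, max_depth))
        except zipfile.BadZipFile:
            pass  # not a readable archive: the raw match above is all we get
    return sorted(hits)

def zip_bytes(name, payload):
    """Helper: wrap payload as the single member of a deflated ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_triple_zipped_sample():
    """Constructed test input: a file carrying marker A, zipped three times,
    the way the review re-zipped its ZIP files to catch scanners off-guard."""
    inner = b"header..." + SIGNATURES["Test.Marker.A"] + b"...trailer"
    return zip_bytes("c.zip", zip_bytes("b.zip", zip_bytes("a.exe", inner)))

if __name__ == "__main__":
    print(scan_bytes(build_triple_zipped_sample()))
```

A scanner that only matches the outer file's bytes misses this sample, because deflate compression hides the marker until the archive is unpacked; that is exactly the failure the nested-ZIP test probes.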
InocuLAN for Windows NT--Workstation Edition
Computer Associates' (CA's) InocuLAN has long been one of the finest NT
Server virus scanners on the market. However, positioning itself as a server
tool effectively priced InocuLAN out of the small office/home office (SOHO)
market. Realizing this drawback, CA has issued an affordable workstation edition
of InocuLAN that includes some important features of the server version.
InocuLAN ships on one CD-ROM and includes a comprehensive manual.
Installation is simple: You insert the CD-ROM, feed a few directory names to the
Setup program, and you're up and running. Although the manual lacks the
encyclopedic information you get with other programs, CA makes a virus
encyclopedia available on its Web site.
First, you'll notice the user interface lacks the glitz of rival utilities,
as Screen 1 shows. What it lacks in aesthetics, however, is made up for in
usability. Various options are scattered across multiple context-sensitive menus
and dialog boxes, and setting up a scan is as easy as selecting the drives to
scan and clicking the Go button.
Looks and usability are meaningless unless the scanning engine has the
cleaning power to make it worthwhile. Fortunately, the capabilities under
InocuLAN's hood are top-notch.
InocuLAN's scanning options are configurable to an extent. You can select
which files a scan will include or exclude, based on their file extensions. You
can select from one of three scanning options: Fast Scan, Secure Scan, and
Reviewer Scan. I opted for the secure mode, and a default scan detected every
virus in my test bed. This success rate included double-zipped files. Feeling
particularly sadistic, I rezipped the double-zipped files, giving the infected
files a three-layer compression shell. Again, InocuLAN plowed through the
triple-zipped files without incident. Much to my delight, InocuLAN also cleaned
every infected file without incident.
Unfortunately, InocuLAN's scanning engine doesn't support heuristics-based
scanning. InocuLAN can't detect some of the more recent and obscure viruses. The
slight upside to this shortcoming is that InocuLAN also generates few false
positives. CA does have a heuristics-based version of InocuLAN in beta testing,
and the final product might be available in the form of a virus definition
update by the time you read this.
InocuLAN's notification options shine. By default, InocuLAN logs all
activity in a text file, letting you call it up with just about any word
processor or text editor available. For advanced configurations, you can set up
InocuLAN to send virus alerts to pagers, Simple Network Management Protocol
(SNMP) managers, email mailboxes, and remote printers. Admittedly, most of
InocuLAN's notification features are overkill for small networks, but knowing
that CA treats the workstation market with the same consideration that the
company gives the more lucrative server market is reassuring.
Likewise, InocuLAN's scheduling options feature is comprehensive, albeit
slightly inaccessible. You can set InocuLAN to run once a day, once a week, once
a month, or multiple times daily. But the placement of its scheduling options
makes the feature difficult to use. To schedule a scan, you must go into
InocuLAN's Domain Manager, select your machine from the list of workstations on
the network, and fill in the pertinent information.
InocuLAN's Realtime Monitor deserves an honorable mention. This on-the-fly
scanning component sits in the background, monitoring both incoming and outgoing
files. Because InocuLAN is primarily a server-based antivirus package, Realtime
Monitor can scan network drives and email inboxes, if you use
Microsoft's Exchange or Outlook clients and have the CA E-mail module installed.
When the program detects viruses, InocuLAN can either clean the file, move the
file, rename the file, or delete it. Interestingly, you can copy infected files
to a special protected directory on the server to quarantine them--isolating
them from every other file on the network--to minimize the chances of spreading
the virus.
Virus definition updates are available for free from CA's Web site, but the
retrieval and installation applet is not integrated with the main
program. CA wants to give administrators more control by letting them disable
definition updates. The purpose is to force some sort of standardization across
the network. (Don't worry, I didn't quite understand it either.)
Regardless of this arrangement, retrieving and installing updates is
relatively painless. The AutoDownload Manager, which you must start separately,
runs as a scheduled service. You can set it to execute once a month, ensuring
that you always have the latest virus definitions installed.
InocuLAN is the most scalable package I covered in this roundup. If you
anticipate the need to add more machines to your network, InocuLAN is your best
choice. It accommodates your needs as your working environment grows.
F-PROT Professional for Windows NT 3.0
In the early '90s, when DOS still ruled, the two main shareware virus
scanners were McAfee's VirusScan and Command Software Systems' F-PROT. VirusScan
has already made a successful transition from DOS to NT, leaving F-PROT with a
hard act to follow.
F-PROT Professional ships on four permanently write-protected disks,
preventing unauthorized tampering. Installation is straightforward. You let the
program create a directory, select the components you want to install, and feed
the floppies to the computer. Four floppies later, you're ready to go. F-PROT
Professional comes with a thin manual that you can throw away once you've
installed the software.
Like VirusScan, F-PROT Professional is a task-based virus scanner. Unlike
McAfee's offering, however, F-PROT includes several predefined tasks, as Screen 2,
page 78, shows. This feature helps you get up to speed and send F-PROT into
the war against viruses.