Sunday, September 18, 2011

Antivirus 2011: Digital Defenders


Today’s new threats demand a new breed of antivirus software. Our lab tests show you which paid antivirus products you can trust, and which ones you should skip.

If you haven't bought a new version of your antivirus software in a couple of years, now may be a good time to do so. Malware is evolving faster than ever, and the latest generation of antivirus software is better equipped to handle this rapid pace of change. If your antivirus software is a few years old, it may not be able to defend against this onslaught effectively, even if you faithfully download new virus definitions. In recent years, the technology that powers antivirus software has changed dramatically: An antivirus package you purchased a few years ago may be able to stop known viruses and other known malware, but brand-new, as-yet unknown viruses can be more dangerous, and newer products do a much better job of stopping them.


So which paid antivirus program should you pick? That's where we come in. PCWorld teamed up with AV-Test (av-test.org), a respected security-software testing lab based in Germany. Together, we looked at 13 paid antivirus products from a number of leading security companies. We provide links here to full reviews of all 13, plus summaries of the reviews' key points.

AV-Test's multifaceted testing procedure looks not only at how well an antivirus product can detect malware using traditional, largely signature-based methods (that is, employing a database of known malware types), but also at how well it can block brand-new, as-yet unknown malware. AV-Test also examines how well a security product can clean up after an infection in the event that a piece of malware does get through.

This article focuses on paid stand-alone antivirus products, not free antivirus software or full-fledged security suites. Paid antivirus usually comes with better technical support options and more-comprehensive protection features than free programs. Suites go further still, offering features such as firewalls, parental controls, identity theft protection services, and more.

See "Fee vs. Free: Free and Paid Antivirus Programs Compared" (some of our rankings have changed since that roundup appeared in November) and "Battle of the Security Superpowers," which lists our top security suite picks.

Antivirus Trends

This year, more and more antivirus packages come with tie-ins to so-called cloud services, in which fresh information on brand-new threats pushes down from the vendor's Web servers to your PC. This is a trend we began to see over the past year or two, but it has really taken off in this year's batch of products.

Cloud-based detection takes many forms. In some products, such as Norton AntiVirus, it's used in reputation-based systems that pull together information on files and file types from users around the world to better detect suspicious files more quickly. Norton calls its system Quorum, but each company that offers a reputation-based process has its own name for the feature.

In other products, such as Trend Micro Titanium Antivirus, the bulk of the malware detection actually takes place in the cloud--remotely, on the company's servers, rather than on your PC--with the intention of catching malware sooner and reducing the performance impact on your system.

Since an antivirus product is only as good as its ability to block baddies, we based 70 percent of each program's overall score on its success in malware detection (and blocking and cleanup), with features, ease of use, and overall drag on system performance accounting for the rest.

It was a close race overall, but Symantec Norton AntiVirus 2011 took home the top prize with its excellent malware detection, blocking, and cleanup. BitDefender Antivirus Pro 2011 and G-Data AntiVirus 2011 round out the top three. Check out our top 10 paid antivirus programs of 2011, or click on the thumbnail image above.

In order of ranking, here are the antivirus products we reviewed. (You can click on each accompanying thumbnail for a full-size image of the program's home or main interface screen.)

Symantec Norton AntiVirus 2011
Pros: Has a good interface and strong malware detection.
Cons: Scan speeds lag behind those of the top performers.
Bottom line: Norton AntiVirus 2011 is a great choice thanks to its strong malware detection and smooth interface.
Symantec Norton AntiVirus 2011 review

BitDefender Antivirus Pro 2011
Pros: BitDefender is effective at cleaning up infections and at detecting known malware.
Cons: It struggles at detecting new malware, and its interface may be confusing to some users.
Bottom line: BitDefender Antivirus Pro 2011 does a good job at detecting malware and disinfecting PCs, but it had some difficulty in blocking brand-new malware.
BitDefender Antivirus Pro 2011 review

G-Data AntiVirus 2011
Pros: Excellent malware detection and blocking; good at disinfecting PCs.
Cons: Lacks some features common in other antivirus products; scan speeds are inconsistent.
Bottom line: G-Data AntiVirus 2011 is a solid package, with strong malware detection, blocking, and removal capabilities.
G-Data AntiVirus 2011 review

Kaspersky Anti-Virus 2011
Pros: Has strong malware detection and blocking, and a great interface.
Cons: It slows PC startup times and file copying.
Bottom line: Kaspersky Anti-Virus 2011 is very effective at blocking new malware attacks and is easy to use, but it slows system performance more than we'd like to see.
Kaspersky Anti-Virus 2011 review

Trend Micro Titanium Antivirus Plus 2011
Pros: Easy to use, with good malware blocking.
Cons: Not ideal for advanced users.
Bottom line: Trend Micro provides solid, simple protection against malware, but advanced users may find its lack of customizability frustrating.
Trend Micro Titanium Antivirus Plus 2011 review

Avast Pro Antivirus 5
Pros: Has a good interface and excellent scan speeds.
Cons: Its detection performance is only average.
Bottom line: Avast Pro Antivirus 5 has a slick interface, but its middling malware detection performance prevents it from achieving a higher score.
Avast Pro Antivirus 5 review

Panda Antivirus Pro 2011
Pros: Excellent at detecting known malware; good disinfection capabilities.
Cons: Slow scan speeds.
Bottom line: Panda Antivirus Pro 2011 is an effective defender, but it's one of the slower antivirus products we tested.
Panda Antivirus Pro 2011 review

Avira AntiVir Premium 2011
Pros: Has excellent malware detection and blocking, and excellent scan speeds.
Cons: It's somewhat light in features, and its main interface needs refining.
Bottom line: Avira AntiVir Personal does a great job at blocking and detecting malware, but its interface needs a makeover.
Avira AntiVir Premium 2011 review

Eset NOD32 Antivirus 4
Pros: Great speed-test results.
Cons: Malware detection and blocking are subpar, and the settings interface is poorly designed.
Bottom line: Eset NOD32 Antivirus 4 is fast, but its malware detection capabilities are lacking.
Eset NOD32 Antivirus 4 review

GFI Vipre Antivirus 4
Pros: Has fast scan speeds and little impact on PC performance.
Cons: Struggles at blocking new malware, and the interface is rough in spots.
Bottom line: GFI Vipre Antivirus is fast, but it's ineffective at blocking new malware.
GFI Vipre Antivirus 4 review

Checkpoint ZoneAlarm Antivirus
Pros: Good blocking of new malware.
Cons: Running it generates a sizeable hit on PC performance, and it manages only middling detection of known malware.
Bottom line: ZoneAlarm Antivirus put up reasonable scores in blocking new malware, but mediocre detection of known malware and speed issues drag its score down.
Checkpoint ZoneAlarm Antivirus review

Comodo Antivirus 2011 Advanced
Pros: Great blocking of new malware.
Cons: Below-average detection of known malware; struggles at cleaning up infected PCs.
Bottom line: Comodo Antivirus Advanced does an excellent job at blocking new malware, but this can't offset its problems at detecting known malware and removing infections.

Webroot Antivirus With Spysweeper 2011
Pros: Easy to use.
Cons: Slow scan speeds and below-average malware detection and blocking.
Bottom line: Although it's straightforward and easy to use, Webroot Antivirus With Spysweeper 2011 trails the competition at blocking and detecting malware, and it is hit hard by slow scan speeds.


Sunday, December 19, 2010

Sophos products

Sophos products:
Complementary endpoint, encryption, email, web and NAC solutions.

Endpoint

Protect your computers and data

Get the level of protection you need with a choice of endpoint security solutions that keep you protected against the latest threats, reduce the impact on your users and are easy to manage.

Why Sophos?
Single agent provides both anti-malware and data loss prevention in one
Protection for Windows, Mac, Linux, UNIX and more all included in the license
Combines anti-virus technologies to protect against the very latest threats
Real-time threat and compliance intelligence reduces cost and administration time
Centralized management delivers unrivalled visibility and control of your network
Expert technical support delivered round the clock at no extra cost

Endpoint Security and Data Protection
Cross-platform anti-virus protection
Simplified, centralized management
Control of applications, devices and network access
Integrated DLP and encryption
Centrally managed client firewall
 
Sophos Endpoint Security and Data Protection protects all your computers and data – without stretching your anti-virus budget.


Key features

Anti-virus
Stop malware with fast scanning, built-in intrusion prevention and live in-the-cloud protection technologies.

Platforms protected:

Live protection
Protect users against the new threats with in-the-cloud checks against the latest threat data and malicious URLs.

Management
Gain instant visibility of security issues for all computers with one console for Windows, Macs, Linux and UNIX.

Application Control
Reduce infection, data loss and productivity risks by blocking the use of unauthorized applications.

Device Control
Reduce the risk of data loss and malware infection with granular policies to control removable storage devices.

Data Loss Prevention
Simplify DLP deployment with scanning uniquely built into the endpoint agent to monitor the transfer of sensitive data.

Encryption
Meet compliance needs by securing data on computers and removable media with proven SafeGuard encryption.

Network Access Control
Ensure compliance with your security policy and patch status by assessing managed and guest computers.

Support
24x7 expert technical support and constant, automatic updates and upgrades for new releases - all included.

Encryption

Encrypt and secure your company's data

Protect your confidential information and ensure regulatory compliance with a range of encryption products that deliver policy-based security across mixed environments and operate transparently to your users.
 
Why Sophos
Industry certified, award-winning technology already protecting millions of users
Superior key management for secure and easy data sharing and recovery
Recognized as a market leader by Gartner for Mobile Data Protection
Reduces cost by integrating easily into your existing infrastructure
Centralized, integrated policies for full disk encryption, removable media encryption and port control
Modular architecture enables you to tailor the solution to your needs

SafeGuard Enterprise
Advanced full disk encryption
State-of-the-art key management
Single, centralized console
Manages external encryption products
Granular policy control

Key features

Protect your confidential information from data breaches and comply with regulatory mandates—safely and securely—with SafeGuard Enterprise. A modular information protection control solution, SafeGuard Enterprise enforces policy-based encryption for PCs and mobile devices across mixed environments. It is fully transparent to end users and is easy to administer from a single central console. SafeGuard Enterprise provides multi-layered endpoint data security by combining encryption and data leakage prevention (DLP). Its modular architecture provides comprehensive data security tailored to your organization's needs and growth requirements.

State-of-the-art policy enforcement and key management

 
  • Delivers centralized data security control across mixed IT environments
  • Provides consistent implementation and enforcement of company-wide security policies
  • Centralized key management makes secure storage, exchange and recovery of data simple and easy
  • Provides comprehensive data protection on all kinds of devices: full disk encryption for laptops and desktops, and flexible encryption for removable media, CD/DVDs, email, et cetera
  • Offers full disk encryption and port control-based data leakage prevention (DLP) under a single management console
  • Manages BitLocker Drive Encryption in Windows Vista and Windows 7
  • Integrates quickly and effectively with existing security infrastructures and automates administrative tasks
  • Detailed compliance audit logs and reports on device encryption status and user activities

Comprehensive security with a modular architecture

With modular, scalable and open architecture, SafeGuard Enterprise provides seamless integration of current and future SafeGuard modules, new security components and third-party products—guaranteeing continuous investment protection. You can pick the modules that suit your requirements. SafeGuard Enterprise modules include:
  • Management Center, which provides a single, centralized console to manage all the other modules
  • Device Encryption for advanced full disk encryption for laptops and desktop PCs
  • Data Exchange for strong encryption and secure sharing of removable media
  • Partner Connect for managing external encryption products
  • Configuration Protection for granular port control of PCs

 
Benefits

Comprehensive data security with strong encryption for PCs and removable media as well as port control-based DLP
Regulatory compliance with consistent policy enforcement and reporting via a central management console
Secure end user productivity with advanced, transparent key management
Investment protection with a modular architecture that integrates easily with existing architecture

Trusted support from one source
Regular updates and upgrades for new releases, as well as 24x7 in-house technical support are available with a maintenance contract.
Depend upon a recognized market leader in endpoint protection

Friday, March 12, 2010

Antivirus protection tips for today's enterprise

General server-based protection

Your first line of defense should be at the perimeter of your network. Deploying firewalls to block port- and service-based attacks is essential. However, perimeter protection can go much further than simply blocking all but a handful of required ports. You should also consider deploying perimeter scanners to scan for and block viruses before they ever get inside your network.

Many worms exploit vulnerabilities in the operating system, so patching against those vulnerabilities is critical. Applying service packs and updates can go a long way toward closing holes that expose the server to attack. Windows Server 2003 can typically apply patches without rebooting (and triggering the disruption that rebooting can cause). For earlier Windows operating systems, consider using Qchain.exe to apply multiple patches with a single reboot. Although most worms and viruses target Windows platforms, Linux platforms are equally at risk if not patched and updated.

Disable unneeded services
Carefully review each server and ensure that it is running only those services required for it to carry out its function. Disable services that are not needed to reduce the server's attack surface, and explore ways to harden required services. Separate critical services from noncritical services by moving them to other servers, and consider deploying load balancing and clustering where appropriate to help ensure high availability.

File system protection
Consider how your network resources should be protected. All file servers should have an antivirus solution that actively scans the file system in real time so that, as files are modified or added, the antivirus application can quarantine or repair the affected files before they spread to client systems or other servers. The server should also be protected at the file system level in other ways. For example, all Windows servers should use NTFS, since FAT offers essentially no security. You should also eliminate unnecessary shares, require share permissions for all shares, and use hidden shares where possible to further protect the server from worms that propagate through unprotected shares.

Protection for e-mail services
Mail servers are obviously a vulnerable point in any network. A file system scanner can catch message files as they are written to the system, but a better approach is to use an antivirus solution that scans the messages as they arrive in the mail system. There are several antivirus solutions that interface directly with Exchange Server to proactively scan incoming and outgoing messages. An SMTP gateway scanner is another alternative in networks where other mail servers are used, or where you want to scan the messages before they reach your mail servers.

It's also important not to place all of your faith in one solution. Using multiple scanning engines from different vendors can add an extra layer of protection. A message might get past a single engine, but it's less likely to sneak past two or three. Using multiple scanning engines also guards against a coordinated denial-of-service attack on a particular antivirus vendor. GFI's MailSecurity is an example of an antivirus solution that employs multiple scanning engines. As an alternative to a single-vendor solution, you could deploy an SMTP-gateway scanner from one vendor and a solution from a different vendor on your e-mail servers.

The antivirus solutions you choose for your e-mail servers should scan for more than just virus-infected files. It's critical that they also perform exploit detection and scan for scripts, malformed MIME headers, or other mechanisms that exploit vulnerabilities in e-mail clients or server operating systems.
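As an added example (not code from the original article or from any vendor's product), the following Python gateway filter shows what the two ideas above look like in code: independent scanning engines whose findings are combined so that a message slipping past one engine is still caught by the other, and exploit-style checks for malformed MIME structure and script content in HTML bodies rather than only known-bad attachments. The blocked-extension list, the engine names and the three sample messages are constructed for the example and are not real traffic.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions the gateway refuses outright. This is a constructed
# example policy, not any vendor's list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                      ".vbs", ".js", ".jse", ".wsf", ".hta"}


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw message bytes. With policy.default the parser records
    structural problems in .defects instead of raising, so a malformed
    message can still be examined and rejected rather than crashing the filter."""
    return email.message_from_bytes(raw, policy=policy.default)


def engine_attachments(msg: EmailMessage) -> list[str]:
    """Engine 1: attachment policy. Flags blocked executable types and
    double extensions such as invoice.pdf.exe that disguise the real type."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
            if lower.count(".") >= 2:
                findings.append(f"double extension hides executable: {name}")
    return findings


def engine_mime_sanity(msg: EmailMessage) -> list[str]:
    """Engine 2: structural checks, i.e. malformed MIME headers and
    active content (script tags) inside HTML bodies."""
    findings = []
    # A multipart declaration without a boundary is a classic malformed-MIME case.
    if msg.get_content_maintype() == "multipart" and msg.get_boundary() is None:
        findings.append("malformed MIME: multipart without boundary")
    for part in msg.walk():
        for defect in part.defects:          # anything the parser itself objected to
            findings.append(f"malformed MIME: {type(defect).__name__}")
        if part.get_content_type() == "text/html":
            if re.search(r"<script\b", part.get_content(), re.IGNORECASE):
                findings.append("script tag in HTML body")
    return findings


# Independent engines; a message is quarantined if any one of them objects.
ENGINES = {"attachments": engine_attachments, "mime": engine_mime_sanity}


def scan_message(raw: bytes) -> dict:
    """Run every engine and merge their findings. The per-engine breakdown is
    kept so an operator can see which engine caught what."""
    msg = parse_message(raw)
    findings = {}
    for name, engine in ENGINES.items():
        hits = engine(msg)
        if hits:
            findings[name] = hits
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


# Constructed sample messages (not captured traffic).
CLEAN = b"""From: alice@example.test
To: bob@example.test
Subject: Lunch
Content-Type: text/plain

Noon at the usual place?
"""

SUSPICIOUS = b"""From: billing@example.test
To: bob@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Open the invoice<script>alert(1)</script></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

MALFORMED = b"""From: nobody@example.test
To: bob@example.test
Subject: Broken
MIME-Version: 1.0
Content-Type: multipart/mixed

This claims to be multipart but declares no boundary.
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspicious", SUSPICIOUS), ("malformed", MALFORMED)):
        print(label, scan_message(sample))
```

Each engine is deliberately narrow; the value comes from running them side by side and quarantining on any hit, which is the property the article wants from combining engines of different vendors.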

Friday, February 12, 2010

Can Your PC Protector Defend Your Computer?

Can Your PC Protector Defend Your Computer?
All of us must be extremely cautious when browsing the web, or be prepared to become yet another victim of hacker attacks. Our personal information and money are increasingly becoming the target of cyber criminals. This time, get ready to fight Your PC Protector, a program with a rather simple name. However, don't be fooled by this title; Your PC Protector is just a new rogue anti-spyware application that is increasingly infecting unaware computer users.

Wondering how Your PC Protector (also known as YourPC Protector, Your PCProtector and YourPCProtector) would end up on your PC? Well, the first thing to be noted about this malicious application is that it is spread by the group of cyber criminals who are also responsible for the development of Windows Police PRO and Windows Antivirus PRO.

Your PC Protector and the other malicious applications in its family all use similar methods to trick unsuspecting computer users into purchasing a full version of the program. It can be dropped onto your system by Trojans or other malicious parasites. The program can also be dropped onto a victimized system after a visit to a malicious website. Therefore, if you don't want to get infected, it's very important to browse with caution and not to click on unknown links.

Once on the system, Your PC Protector will perform a scan of your computer system and immediately start displaying fake warning messages that your system is infected. Below you can see a screenshot of this fake computer scan:

Image 1. Your PC Protector fake system scan

After the scan, all you have to do is buy the full version of Your PC Protector in order to remove the huge number of purportedly found malware. Don't do that! Don't waste your money on absolutely useless security programs! And keep an eye out for my next article with more detailed information on Your PC Protector.

Monday, November 30, 2009

Computer virus

A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.

The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware. Malware includes computer viruses, worms, trojans, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to either a computer system's hosted data, functional performance, or networking throughput, when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or go unnoticed.

Infection strategies:

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Nonresident viruses:-

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Resident viruses:-

Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful.

Stealth:-

Some viruses try to trick antivirus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the antivirus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the antivirus software, so that it seems that the file is "clean". Modern antivirus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

Self-modification:-
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Encryption with a variable key:-

A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.

An old but compact form of encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation has only to be repeated for decryption. It is suspicious for code to modify itself, so the code that does the encryption/decryption may be part of the signature in many virus definitions.

Anti-virus software and other preventive measures:-

Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect viruses that anti-virus security firms have yet to create a signature for.
Some anti-virus programs are able to scan opened files in addition to sent and received e-mails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to prevent the latest threats.
One may also minimize the damage done by viruses by making regular backups of data (and the operating systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent).
If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus (so long as a virus or infected file was not copied onto the CD/DVD). Likewise, an operating system on a bootable CD can be used to start the computer if the installed operating systems become unusable. Backups on removable media must be carefully inspected before restoration. The Gammima virus, for example, propagates via removable flash drives.
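To make the contrast between signature matching and heuristic detection concrete, and to show why the encrypted-body trick described under "Encryption with a variable key" still leaves a detectable trace, here is an added Python example that is not part of the original article. Its signature database holds only the EICAR test string, the standard harmless test file that real scanners are expected to detect (the double backslash in the source literal keeps the source file itself from matching); the entropy threshold, the executable-header check and the three in-memory samples are constructed assumptions for the example, not any vendor's engine.

```python
import math
from collections import Counter
from pathlib import Path

# EICAR test string. In source form the backslash is escaped, so this file on
# disk does not itself contain the exact 68-byte test pattern.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> characteristic byte pattern.
SIGNATURES = {"EICAR-Test-File": EICAR}

# Heuristic cue: an executable whose bytes look like noise is probably packed
# or encrypted (a constant-key XOR body still looks uniform to a byte count).
# The threshold is an assumption for this example.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a run of one value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_executable(data: bytes) -> bool:
    """Apply the entropy heuristic only to PE or ELF images; archives and
    media files are legitimately high-entropy and would be false positives."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def scan_bytes(data: bytes) -> list[tuple[str, str]]:
    """Return (method, detail) findings: 'signature' for known byte patterns
    from the definitions database, 'heuristic' for suspicious traits that
    have no signature yet."""
    findings = []
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            findings.append(("signature", name))
    if looks_executable(data):
        ent = shannon_entropy(data)
        if ent > ENTROPY_THRESHOLD:
            findings.append(("heuristic", f"high entropy {ent:.2f}: packed or encrypted body"))
    return findings


def scan_file(path: Path) -> list[tuple[str, str]]:
    """On-demand scan of one file on disk; an on-access scanner would call the
    same routine from a file-system hook as files are opened or written."""
    return scan_bytes(path.read_bytes())


# Constructed in-memory samples; nothing is written to disk.
CLEAN_TEXT = b"Quarterly report: revenue up 4 percent.\n" * 20
EICAR_FILE = EICAR + b"\n"
# A fake PE magic followed by a uniform byte distribution: entropy close to 8.
PACKED_LIKE = b"MZ" + bytes(range(256)) * 16

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_TEXT), ("eicar", EICAR_FILE), ("packed", PACKED_LIKE)):
        print(label, scan_bytes(sample) or "no findings")
```

The signature path only ever finds what is already in the database, which is the "pre-date the last definition update" limitation the text describes; the entropy heuristic is what lets the scanner flag an encrypted body it has never seen, at the cost of needing a gate such as the executable-header check to keep false positives down.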

Friday, November 13, 2009

White Paper: The Evolution of Viruses

The first computer virus appeared more than 30 years ago, which renders this class of pestilence a mere infant compared to the real thing. But 30 years is an eon in technology time, and the critters—and their creators—have morphed and adapted to resist every effort to stamp them out. While early viruses were the innocuous work of geeks seeking a creative outlet, many of today’s computer viruses are hatched with criminal intent.

  • Primordial Viruses

The first computer viruses were created for exploration and experimentation; they often did little more than replicate. “Very early viruses were kind of proof of concept,” says Craig Schmugar, threat research manager for McAfee Avert Labs. “[They were] written by, effectively, geek programmers who had a lot of skill and who knew what they were doing. In some respects it was almost like an art form to them.”

Creeper, which appeared in the early 1970s on the ARPAnet (the progenitor of the Internet), is a case in point. It did little more than spread across the network and taunt its victims.

When John Walker, creator of the 20-questions-style game Animal, wanted a better distribution method than mailing tapes (this being 1975, magnetic tape was the prevalent means of data storage), he turned to a second program of his creation called Pervade. Attached to Animal, the Pervade code copied the game to all the directories the game player had access to.

As a result, both Animal and Pervade made their way into the accounts of system administrators, who spread both programs to even more systems—via tape, ironically enough. From there, it didn’t take long for the programs to spread to computers across the United States. Walker, who went on to found Autodesk, had no malicious intent—he just wanted to distribute his little game—but his technique blazed a path for modern virus propagators.

The first personal-computer virus broke into the wild in 1982. Created by high-school freshman Richard Skrenta, Elk Cloner spread by copying itself from an infected Apple II floppy disk to the host computer’s system memory. The virus would reside in memory until another floppy was inserted, at which point the program would copy itself to the new disk. When the disk was used to boot the machine (Apple II computers didn’t have hard drives), the embedded virus would display a short poem on every 50th startup.

Computer viruses became more prevalent in the 1990s, and they exploded with the widespread availability of Internet access. A hacker culture began to take root. Most virus writers remained tinkerers, but they sought more widespread fame and even formed communities.

The use of macro viruses was one common technique for spreading an attack as quickly as possible. The ubiquity of programs such as Microsoft Word and Excel—with their built-in scripting language—gave virus writers a new way to toy with systems.


  • Modern Times


The virus economy today is booming, for the virus writers as much as it is for the antivirus doctors. “It’s scary how literal a business it is,” says Zulfikar Ramzan, senior principal researcher at Symantec. “You have a lot of people who had really good technical skills, but when the economies in [Eastern Europe and Asia] drastically shifted… [they] were out of a job and needed some outlet to make income.” By analyzing attacks, Ramzan says he can tell the time of day these kinds of viruses are written—a fingerprint that reveals the authors to be 9-to-5 employees. They even write clean, commented code in order to ease collaboration.

These often-criminal enterprises create viruses that can generate illicit profits in several ways: Keyloggers can steal passwords, credit cards, and identities; and botnets create massive, distributed platforms that can be leased for spam mailings, phishing, denial of service attacks, and other uses. Some of these groups even sell virus toolkits with full graphical user interfaces, so their customers can install their own payloads. “They actually offer technical support if you’re having trouble getting it installed,” according to Schmugar.

The original viruses often simply taunted victims with their presence, but today these ventures make the most money by staying quiet to delay their removal. Some viruses even download modified antivirus software as their first step, blocking infection from competitors while fooling the host system into behaving as though it’s healthy.

Rootkits often help viruses avoid detection. These tools are nothing new; system administrators sometimes use them to manage PCs or hide critical files. But viruses often use these low-level tools to mask their presence while gaining complete access to a machine. Once free to muck around, viruses can modify the kernel and process list to stay hidden even if a user asks which programs are running. And boot-record viruses in the spirit of Elk Cloner are once again becoming popular because they can be difficult to detect and purge.

Security researchers and less-predatory hackers have also become a part of this monetized culture. Maintaining a “white hat,” or ethical, approach, they root out vulnerabilities in code and then follow established disclosure practices to inform companies about security flaws in their products before going public with the information. Some software developers even pay bounties for such tips.

  • Breaking In


Sometimes, computer owners make the hacker’s job entirely too easy. “The main security issues today are not so much technical as they are social,” notes Symantec’s Ramzan. “Hackers often just ring the doorbell and ask to be invited in. Although there are ways to compromise a system by finding a technical hole, the most common way hackers try to compromise systems is by finding the human hole, by emailing you an attachment with malicious code and telling you to execute it by yourself.” These initial bits of code often work as a stage downloader, with the main objective being to clear a path for the malicious bytes to follow.

Sloppy programming, on the other hand, creates opportunities for viruses to infect a system without a user’s help. The buffer-overflow attack is one of the most common exploits. The virus designer, for example, might identify a point at which the software expects user input. Instead of entering a normal amount of data, the virus floods the query, overwhelming the program. Executable code hidden within this tsunami of data gains control of the host machine and overrides the program, tricking the computer into running a new set of instructions.

“Code itself is a type of data,” Ramzan explains. “It’s basically data that can be executed on a machine. Sometimes that distinction is not actually made at a very low technical level, and that’s what often causes these vulnerabilities to occur. At the end of the day, they’re all just bits, and your computer has to know which one’s which.”
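To make the overflow described above concrete, here is an added example in C (not from the article): a fixed-size input field copied without a length check, shown beside the same routine with the check that rejects oversized input. The field size and function names are illustrative choices, not anything the article specifies.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the article. A 16-byte field is the "point at
   which the software expects user input"; what differs between the two
   routines is whether the length of that input is checked before it is
   copied. FIELD_MAX and the function names are illustrative choices. */
#define FIELD_MAX 16

/* Vulnerable pattern: copies until the terminating NUL regardless of
   length. Input of FIELD_MAX bytes or more runs past 'field' into the
   stack memory beside it, where the saved return address lives, so the
   excess bytes decide what the CPU executes next. This is the shape to
   flag in code review; it is never called with long input here. */
void greet_unchecked(const char *input)
{
    char field[FIELD_MAX];
    strcpy(field, input);              /* no bound on the copy */
    printf("hello, %s\n", field);
}

/* Hardened form: the length is treated as part of the data. Anything
   that does not fit, terminator included, is rejected with -1 instead
   of being copied. Returns 0 when the input fits. */
int copy_field(const char *input, char *out, size_t out_len)
{
    size_t n = strlen(input);
    if (out_len == 0 || n >= out_len)  /* need n bytes plus the NUL */
        return -1;
    memcpy(out, input, n + 1);         /* n + 1 copies the terminator */
    return 0;
}

/* Runs copy_field against a FIELD_MAX buffer and returns its status, so
   the accept/reject decision can be checked without printing anything. */
int try_field(const char *input)
{
    char field[FIELD_MAX];
    return copy_field(input, field, sizeof field);
}

int main(void)
{
    printf("%d\n", try_field("alice"));             /* 0: fits        */
    printf("%d\n", try_field("0123456789abcdef"));  /* -1: 16 + NUL   */
    return 0;
}
```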

Fortunately, it’s easy to protect your PC from viruses and cyber criminals. Install an antivirus program, perform periodic scans, and don’t do anything that would make it easy for criminals and mischief-makers to take advantage of you.

Antivirus Software Roundup -- Protect Your PC!

Behind every piece of malware—be it a virus, spyware, or any other form of hostile, destructive code—is a sneaky, scheming scoundrel, oftentimes someone you’d never suspect. Antivirus suites promise to defend your PC against all the baddies. We test 10 of the leading products to see which ones are best at keeping your PC safe.

You don’t need a military background to recognize that the Internet has turned into a war zone. Not only are you always under attack, but the bad guys possess a seemingly endless arsenal of weapons that are constantly changing. Set foot in the wrong website and you might be stepping into a booby trap of malicious JavaScript code. Toolbars and greeting cards come laced with spyware, hackers are finding new exploits faster than software vendors can patch the old ones, and rootkits have given virtual villains a way to stealthily penetrate deep into your system at the kernel level.


And if all that weren’t enough, social networking continues to sweep the web, making it even easier for morally bereft miscreants to spread their foul files. Can you really trust that MySpace page you’re viewing not to contain some hidden element ready to do you harm? You even need to be suspicious of IMs, and that includes messages seemingly originating from contacts on your buddy list. It’s enough to make you want to wave the white flag—and if you plan on going into battle alone, you probably should.

But you don’t have to fight the fight all on your lonesome. Several security vendors offer software packages that not only promise protection against viruses, but also purport to run off rootkits, stop spam dead in its tracks, and even keep websites from loading hidden malware before it has a chance to run amok on your PC. This got us wondering: just how much protection is actually necessary?

To answer that question, we hit up all the major security vendors and asked them to send us their most robust packages. We also gathered the most popular free antivirus programs for comparison. After all, power users know how to practice safe computing habits, which can go a long way toward PC safety. We’ll cut through the hype to tell you if the protection you get with a paid app is any better than what you can get for free—or if the paid programs, which have become so huge as of late, are too unwieldy and ultimately more troublesome than the viruses they’re meant to combat.

  • Our Testing Methodology:
It doesn’t matter how effective an AV app is at catching viruses if it means we have to suffer through constant nagging or performance degradation in our day-to-day computing. We’ve identified the five criteria by which security apps should be judged.

  • System Performance and Scan Speed
We know you spent time researching components and toiling over your system build, so why let a poorly optimized program transform your hot rod into a horse and buggy? To gauge each AV package’s performance impact, we loaded up a series of action scripts in OSMark (http://tinyurl.com/OSMark), paying close attention to both memory and CPU activity. We then compared the results to those of a clean install.
We’re also interested in how long it takes to complete a full system scan. In today’s dual- and quad-core landscape, you no longer have to sit idly by waiting for a scheduled scan to finish, but if you suspect your system has become ill, you won’t want to do much of anything until your virus scanner produces a clean bill of health. With stopwatch in hand, we measured the time it took each program to run through its routine.
  • Annoyance:
Whether we’re using our PC for work or play, we don’t want to be bothered with near-constant nagging from our security software. An AV app should integrate seamlessly with the OS and be able to do its job with minimal interaction from the end user, while still offering at least some level of customization. Otherwise, it’s no less obtrusive than the viruses it’s supposed to be protecting against.

In order to assess how much each app intrudes on our day-to-day life, we performed a variety of common tasks to see how the AV software responds, if at all. This includes web surfing, downloading files, running executables, playing games, and everything else you’re likely to do with your PC.
We also took into account how much harassment we can expect to receive when the subscription runs out.
  • Features and Implementation:
Anyone who’s ever shopped for a new car knows what it’s like to be pressured into paying extra for all kinds of upgrades. And just because the salesman is attempting to increase his profit margin doesn’t mean you can’t both benefit from tacking on useful additions, but that only works if you’ll actually use the added amenities. Do you really need six cup holders in a two-seat sports car?

Likewise, there’s no point in owning a security suite stuffed with apps if most of them suck. Not only that, but you need to consider whether this added functionality is easy to use and how much pestering you can expect from disabling unused features. We take all this into consideration.
  • How To Avoid Viruses

Captain Obvious says that the best way to prevent infection is to avoid viruses in the first place, but what he doesn’t tell you is how to do it. And even though hackers continue to get more cunning in both delivery and execution, you can tip the odds considerably in your favor by practicing safe and sane computing.

If you receive an unknown or unexpected attachment, don’t open it no matter who it came from. Not only are some viruses capable of emailing themselves to everyone they find in an infected user’s address book, but inexperienced computer users are just as guilty of passing along payloads as hackers are of distributing them.

BitTorrent sites and peer-to-peer networking clients are also common modes of spreading infection. When attempting to download a legitimate program—a Linux distro, for instance —use the link provided at the vendor’s website. Pirated software is a particularly popular source of malware, so if your moral compass doesn’t steer you toward the straight and narrow, the risk of infection should.
And finally, get in the habit of regularly checking for software updates. New exploits are always being discovered in Windows, QuickTime, web browsers, and other common programs.