Oct 25 2009 Update: before plunking down money on a paid anti-virus program with activation, you may want to read http://mattgadient.com/2009/10/25/anti-virus-software-and-activation-why-free-just-might-be-better-than-paid/
With the final version of Windows 7 finally being released by Microsoft on Technet, and having a subscription, I decided it was time to grab a copy and start playing with some anti-virus programs to see what the ideal paid anti-virus program might be.
The most commonly talked about AVs tend to be the offerings from Symantec (Norton), Kaspersky, and NOD32. They all offer free 30-day trials, so away I went. I grabbed the following:
- Kaspersky 2010 (not as easily found on the site, but they have a link stickied in the forums which installs as a trial just fine for those who want to do their own checking)
- Symantec Endpoint Protection 12.0
- NOD32 v4.0
Now a few may be wondering what the heck Symantec’s Endpoint is doing with the other 2. After all, the others are cost-effective consumer versions, while Endpoint Protection is a pricey business option. The reason is simple – I was looking for AVs that aren’t terribly resource-intensive. Endpoint Protection is the successor to Symantec AV Corporate Edition, which was known for being light on resources, and that is why I chose it.
In any case, none of the 3 are claiming full Windows 7 compatibility in their products yet since we’ve still got a while to go before Win 7 is publicly available. That said, I encountered no issues in my limited testing, which means all 3 of these AV-makers have done a pretty good job so far of preparing.
Enough of that! On to the testing!
I searched around to find a couple files – the first being a keygen that had so many “VIRUS!!!” claims that I figured every scanner should probably flag it. The second actually had “trojan” in the file name and looked to be a poorly made custom program to zombify another computer.
For testing, I attempted the following with each:
- Download from the web
- Run the program
Before installing each anti-virus program, I made sure I had a RAR as well as an extracted copy available in case the AV program stopped it in its tracks at the download point.
Download from the web: Kaspersky detected both, and offered the options to either block the download, or allow it.
Run the program: Kaspersky didn’t want to let me get that far. As soon as the containing folder was opened, Kaspersky detected each, and forced me to “delete” or “block” the program. Any time I chose to simply “block”, it would pop up the message again the next time the folder was opened. Finally, I tried running the program. The program errored out and Kaspersky again forced me to block or delete.
NOD32 let me download the first keygen, unRAR it, and run it. It’s remotely possible that the keygen was simply a false positive, but something odd happened a little later on (which I’ll get to).
NOD32 detected the 2nd file (trojan) during the download and automatically quarantined it. I disabled the scanner long enough to let me download and unRAR it, then re-enabled NOD32. To my surprise, it let me run it without a peep!
Something pretty fishy was going on here. It let me do everything with the first keygen. It then wouldn’t let me download the 2nd file (trojan), but would let me run it?!
I peeked through the options in NOD32, and turned on “Advanced heuristics on file execution”, which is disabled by default because it hurts performance (NOD32 actually warns you about this when you enable it). Now it detected both files but with a huge performance penalty (5-7 seconds!) when trying to run them. The most unfortunate part was that the programs seemed to run anyway. Sure it detected them, but if it lets them run and do some damage before it actually does something about it… what’s the point?
One final oddity… after disabling the advanced heuristics on file execution, it still continued to detect both – I would have expected it to only continue detecting the 2nd.
Symantec Endpoint Protection 12.0
I can sum Endpoint Protection up fairly quickly. It doesn’t seem to actively scan within compressed folders (not RARs anyway). So both downloaded without being flagged. Once extracted, it did catch the first file immediately upon extraction. I disabled the AV long enough to extract a few copies, re-enabled it, and tried running them – each time the file was removed before I could run it.
Sadly, Endpoint Protection didn’t catch the 2nd file (trojan) at all and was quite content to let me extract and run it. A downside of Endpoint seems to be the limited options available. I looked through for something equivalent to NOD32’s “advanced heuristics”, but didn’t find anything. Perhaps I just missed something? I’m not sure.
In these tests, Kaspersky clearly came out ahead. It nailed both files at every opportunity. In my opinion, Kaspersky has the absolute worst, most complicated and complex interface, but when it came to the detection it was miles ahead.
NOD was odd. Quite a few things happened that just didn’t make sense. I may do a retest again in the future because things really didn’t add up. The fact that it let me run a program even as it was detecting the baddies within it really soured things for me.
Symantec Endpoint handled the baddie it found very well. I would have tied it with Kaspersky (despite not scanning within the RAR) if it didn’t miss the 2nd baddie.
As far as interfaces go, I had screenshots I took all along the way, but they got destroyed during one of the reformats. Symantec has the simplest, although when it detects something the window can get lost in the background. I’d rate NOD32’s interface as the best – a few options shown with the ability to go into further detail in a relatively clean sort of way. Kaspersky’s is bloated and complicated in too many ways – I suppose some may like it, but I find it an annoyance (and I’d never dare to try to explain to someone over the phone how to find something in the log).
A few odds and ends….
- Kaspersky has a “Gaming Mode” that can be enabled which amongst other benefits keeps notifications from bugging you during your game (for those who’ve had that happen to you – I know I sure have).
- Symantec also has a “Gaming Edition” in their consumer-line (worth a mention simply because I mentioned the above).
- NOD32 installs extremely fast. Really. It’s uncanny.
- Symantec Endpoint is huge. As in almost 500 megs for the zipped installer (compared to under 40 for NOD32 and under 60 for Kaspersky). At least it didn’t feel that bloated 😉
- NOD32 is awesome when it comes to submitting new files you feel may be infected. You can simply right-click the file from within Windows to submit it, or if the scanner finds a file which is suspect, you can just click the notification message to submit to NOD32 to be checked out.
- Symantec Endpoint does not have a right-click context menu option to scan a file. That means if you download something and want to scan it, you’ll have to enter the program and do a custom scan.
Before anyone comes screaming, these are all thoughts and opinions based on my own testing. Feel free to do your own testing – all the AV programs I mentioned have free trials, so do some checking and tell me which AV you prefer and why.