Previous Next Index Thread

Antiviral Software Evaluation FAQ [long]

 AVREVIEW.FAQ   960624
 Antiviral Software Evaluation FAQ
 maintained by Robert M. Slade
 (beta release)
 This list of questions is intended to provide a framework and background
 information for review, evaluation and decisions regarding antiviral protection
 software and systems.  The companion files "Antiviral contacts listing"
 (CONTACTS.LST) and "Quick reference antiviral review chart" (QUICKREF.RVW)
 provide additional related information.  All three files are available in the
 Computer Virus SIG of the Victoria (BC, Canada) Freenet
 (telnet:// and give the command "go virus").  (This
 file is prepared from Chapter Six of "Robert Slade's Guide to Computer
 This document is *not* intended to be an introduction to the study of computer
 viral programs.  It is expected that you already know the relevant concepts and
 terminology.  For general background information on computer viruses, please
 see the VIRUS-L/comp.virus FAQ (
 which is also available at the Victoria Freenet site.
 1)  Why can't I get 100% protection?
 2)  Why isn't there any one "best" antiviral?
 3)  What is an activity monitor?
 3a)  What are the strengths of activity monitors?
 3b)  What are the weaknesses of activity monitors?
 3c)  How should activity monitors be evaluated?
 4)  What is authentication/change-detection software?
 4a)  What are the strengths of change-detection software?
 4b)  What are the weaknesses of change-detection software?
 4c)  How should change-detection software be evaluated?
 5)  What is a scanner?
 5a)  What are the strengths of scanners?
 5b)  What are the weaknesses of scanners?
 5c)  How should scanners be evaluated?
 6)  What is resident software?
 7)  What is heuristic scanning?
 8)  What is a false negative?
 9)  What is a false positive?
 10) How does disinfection work?
 10a) What is "generic" disinfection?
 10b) What is "heuristic generic" disinfection?
 11) Can I get hardware antiviral protection?
 12) Why can a "so-so" antiviral actually be harmful?
 13) What aspects of an antiviral are important?
 14) What aspects of an antiviral are *not* important?
 15) What about "number of viruses detected"?
 16) Why isn't disinfection very important?
 17) Why should I support "free" software?
 18) What about published reviews?
 19) Where can I find published reviews?
 Questions and answers
 1)  Why can't I get 100% protection?
 An easy answer can be seen by noting that computer viruses are programs, and
 they only do things that "real" programs do.  There is no magic secret that
 viral programs use.  Therefore, there is no single distinctive or
 characteristic that can be used to identify a viral program.
 A more rigorous explanation is found in Fred Cohen's ground breaking work on
 the theoretical study of computer viruses between 1983 and 1986.  Using
 mathematical and logical models of the nature of computers and computation he
 determined that the problem of accurately identifying a viral program, as
 opposed to one which is not viral, is "undecidable".  A program to identify