Anti Virus Case Study

1

1. INTRODUCTION

Antivirus or anti-virus software (usually written as the abbreviation AV) is software used to prevent, detect and remove malware (of all descriptions), such as: viruses, malicious BHOs, hijackers, ransom ware, key loggers, backdoors, root kits, Trojan, worms, malicious LSPs, dialers, fraudtools, adware and spyware. Computer security, including protection from social engineering techniques, is commonly offered in products and services of antivirus software companies. This page discusses the software used for the prevention and removal of malware threats, rather than computer security implemented by software methods. A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions.

No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a performance. Inexperienced users may also have problems understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.

2

2. History Of Anti Virus

Most of the computer viruses written in the early and mid-1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with virus programming and created viruses that manipulated or even destroyed data on infected computers.

There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987. There were also two antivirus applications for the Atari ST platform developed in 1987. The first one was G Data and second was UVK 2000.

Fred Cohen, who published one of the first academic papers on computer viruses in 1984, began to develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus software developers. In 1987, he published a demonstration that there is no algorithm that can perfectly detect all possible viruses.

In 1987 the first two heuristic antivirus utilities were released: Flushot Plus by Ross Greenberg and Anti4us by Erwin Lanting. Also in 1988 a mailing list named VIRUS-Laws started on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list like John McAfee or Eugene Kaspersky later founded software companies that developed and sold commercial antivirus software.

Before internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.

3 Over the years it has become necessary for antivirus software to check an increasing variety of files, rather than just executables, for several reasons:

 Powerful macros used in word processor applications, such as Microsoft Word, presented a risk. Virus writers could use the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by opening documents with hidden attached macros.

 The possibility of embedding executable objects inside otherwise non-executable file formats can make opening those files a risk.

 Later email programs, in particular Microsoft's Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. A user's computer could be infected by just opening or previewing a message.

As always-on broadband connections became the norm, and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.

4

3. Features

Antivirus software has the capability of searching an entire file on a computer system. Instead of just looking at a small section of an existing computer file, the antivirus software thoroughly analyzes it. This prevents viruses, spyware, and malware from hiding on your computer system and compromising the data stored on it. On-access scanning is another useful feature of much antivirus software. The real time protection will notify you of any irregular file activity that may indicate your computer system has been infected. Virus removal features are also included in antivirus software to take them off your current computer system. With frequent virus database updates, your antivirus software will effectively keep track of the latest threats that could harm your computer system.

4. Function of Antivirus Software

Antivirus software is used to detect harmful viruses and other spyware on a computer system. Hackers frequently embed viruses on popular websites to infect the computer of anyone that visits their website. You’ll need to locate a suitable type of antivirus software to stop them from invading your computer system unknowingly. With antivirus software, viruses and spyware will be properly removed from your infected computer system to protect your important data. Most antivirus software programs can usefully identify common and uncommon malware applications that have been unwittingly installed on a computer system.

5

Most anti-virus programs work like the human immune system by scanning your computer for the signatures (patterns) of digital pathogens and infections. They refer to a dictionary of known malware, and if something in a file matches a pattern in the dictionary, the anti-virus software attempts to neutralize it. Like the human immune system,

the dictionary approach requires updates, like flu shots, to provide protection against new strains of malware. Anti-virus can only protect against what it recognizes as harmful. Again, the problem is the bad guys are developing new malware so fast that anti-virus developers cannot keep up. Your computer is vulnerable during the delay between

the time new malware is identified and the time a dictionary update is released by anti-virus vendors. This is why it is important that you keep your anti-virus product as up-to-date as possible.

6. BEHAVIOR DETECTION

In this approach, instead of attempting to identify known malware, anti-virus software monitors the behavior of software installed on your computer. When a program acts suspiciously, such as trying to access a protected file or to modify another program, anti-virus spots the suspicious activity and alerts you to it. This approach provides protection against brand new types of malware that do not yet exist in any dictionary. The problem with this approach is that it can generate a large number of false warnings. You, the computer user, may be unsure about what to allow or not allow and over time become desensitized to all those warnings. You might be tempted to click Accept on every warning, leaving your computer wide open to attack and infection.

6

7. ANTI-VIRUS TIPS

1. Don’t assume you’re Not at Risk

Every computer, regardless of its operating system, is vulnerable to attack. While anti-virus cannot protect against all types of malware, the security of your computer is enhanced substantially when anti-virus software is installed, up to date, and working properly.

2. Download Only From Trusted Sources

Obtain security software only from known, trusted sources and vendors. It is a common ploy of cybercriminals to pretend to be selling anti-virus programs that are in fact malware. We list several trusted sources for anti-virus solutions at the end of this newsletter.

7

3. Keep Your Software Current

Make sure you have the latest version of your anti-virus product installed and that it is set to update automatically. Check the status of the signature updates periodically to

make sure they are current.

4. Don’t Delay Updates

If your computer has been offline or powered off for a while, your anti-virus will most likely need an update when you turn it back on or reconnect it to the Internet. Do not postpone these updates.

5. Scan Additional Devices

Make sure your anti-virus automatically scans portable devices, such as USB sticks, when you plug them into your computer.

6. Track Warnings and Alerts

Pay attention to the onscreen warnings and alerts generated by your anti-virus software. Most alerts include the option of clicking on a link to get more information or a recommendation about what to do next. At the office, write down the alert messages and contact your computer help desk or security team.

8

7. Don’t Disable The Software

Do not disable your security software because you feel it is slowing down your computer, blocking a website, or preventing you from installing an app or program. Disabling your anti-virus will expose your computer to unnecessary risk and could result in a serious security incident. If problems persist, replace your anti-virus with another product.

8. Install One Program Only

Do not install multiple anti-virus programs on your computer at the same time. Doing so may leave your computer with less protection instead of providing more protection.

9. Consider a Security Suite

Understand that anti-virus cannot protect your computer against all threats. We recommend you install a security suite that includes additional tools, such as a firewall, browser protection, and other advanced security features.

8. What is a Computer Virus?

A virus is a computer code that has been designed to” spread" and replicate itself by passing from computer to computer. It is a piece of software that piggybacks on legitimate programs like Excel, Word, WordPerfect, Outlook, etc... When the program is run, the virus is triggered to run too. Viruses can be destructive in nature, and can cause a wide range of problems ranging from operating system and file corruption to getting blamed for email spamming. Some viruses are just annoying, but cause no damage.

9

9. How do Computers get Viruses?

Viruses usually find their way into computers through networks (local networks

as well as the internet) by taking advantage of unpatched security vulnerabilities (holes) in

software or by receiving an infected file via email, download or shared disk. Depending on the type of virus, it may be embedded in an Excel or Word file, or may be designed to infect upon the opening of an email. Once infected, a computer can literally infect thousands of other computers by quietly spreading the virus without the user even knowing about it.

10.

How Anti Virus Software Works

Virus definition files tell the anti virus software what codecharacteristics to look for while monitoring your computer. When acertain file type or activity occurs that matches a characteristic, theanti virus software blocks the execution of code and alerts you thata virus has been found. The virus is then isolated and destroyed.Hundreds of new computer viruses are introduced onto the interneteach week, and as antivirus software developers find these newviruses, they create updates of the virus “definitions” in order toprovide the antivirus software with a way to identify and destroyeven the newest of viruses. It is extremely important to update your antivirus software every day in order to make sure you have the most current virus definitions available. Fortunately, most modernanti virus software comes with an “automatic update” feature that makes this task a onetime “set it and forget it” kind of thing.

10

11. ANTIVIRUS PRODUCT VIRUS DETECTION ANALYSIS

Each product type requires different analysis approaches. A virus test bed can be used for evaluating products which will detect or prevent known viruses .A virus test bed can be utilized for products which will detect or prevent unknown viruses, but vulnerability analysis is also required. If the virus tests beds are divide into different categories, this can be utilized while analyzing antivirus products. The different virus categories of the test bed are examples and the classification can be differerent depending on the analysis method and products evaluated .If the test bed is divided into different categories, this will help analysis of product.

Antivirus product catego

Current antivirus productrepresent the category

11 Preventing known virus : memory resident known virusscanner

Detecting unknown virus: checksum calculation programs and heuristic scanner Preventing unknown virus: Memory resident heuristic Scanners, behavior blockers

and memory resident checksum calculation programs.

Current Antivirus Product

Detecting known viruses

A well maintained virus test bed, which contains viruses known to computer antivirus researches, can be used for evaluating products which will detect known viruses. The virus detection analysis can be carried out by scanning the contents of the test bed and concluding results from the scanning reports. Unfortunately, some product may crash during the scanning and in such files causing crashes need to be traced and files resulting in crashes should be treated as unidentified by the product.

Preventing Known virus

A well maintained virus test bed containing viruses known to computer antivirus researches can be used for evaluating products preventing known viruses. The difference between is that the product is working in the background and this requires more complicated evaluation methods, but the same virus test bed can be used with products, which will prevent known viruses.

Detecting Unknown viruses

A virus test bed can also be used as a basis for the analysis for product, which detects unknown viruses. Often products detecting unknown viruses are combined with products which will detect known viruses. If possible, the products known virus detection capability should be disabled. Known virus detection may be detached by removing virus database files, by using old database files or by using specific operation mode of a product. Unfortunate-ly, the known virus detection may be an inseparable part of a product and in this case test bed should be limited to viruses not known to the product and a vulnerability analysis may be necessary.

12 Preventing Unknown viruses

A virus test bed can be also used for evaluating products which will prevent unknown viruses. The difference is that the product is working in the background and this requires special evaluation methods, but the same virus test bed can be used with product which will prevent unknown viruses. This is demonstrated in Virus Research Unit’s behavior blocker analysis. With products preventing unknown viruses, virus attack emulation and Vulnerability analysis are also required.

Different virus types in the test bed

File viruses

Some programs are viruses in disguise, when executed they load the virus in the memory along with the program and perform the predefined steps and infect the system. They infect program files like files with extensions like.EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just replicate while others destroy the program being used at that time. Such viruses start replicated as soon as they are loaded into the memory. As the file viruses also destroy the program currently being used, after removing the virus or disinfecting the system, the program that got corrupted due to the file virus, too, has to be repaired or reinstalled.

Boot sector viruses

The boot sector virus can be the simplest or the most sophisticated of all computer viruses. Since the boot sector is the first code to gain control after the ROM startup code, it is very difficult to stop before it loads. If one writes a boot sector virus with sufficiently sophisticated anti-detection routines, it can also be very difficult to detect after it loads, making the virus nearly invincible. Specifically, let’s look at a virus which will carefully hide itself on both floppy disks and hard disks, and will infect new disks very efficiently, rather than just at boot time. Such a virus will require more than one sector of code, so we will be faced with hiding multiple sectors on disk and loading them at boot time. Additionally, if the virus is to infect other disks after boot-up, it must leave at least a portion of itself memory-resident. The mechanism for making the virus memory resident cannot take advantage of the DOS Keep function (Function31H) like typical TSR programs.

13 Macro viruses

In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically users employ macros to automate repetitive tasks and there by save key strokes. The macro language is some type of basic programming language. A user might define a sequence of key strokes i n a m a c r o a n d s e t i t u p s o t h a t a m a c r o i s i n v o k e d w h e n a f u n c t i o n k e y i s invoked. Common auto executing events are opening a file, closing file etc. Once a macro is running it can copy itself to other documents, deleting files etc. How does a Macro Virus strike?1. The user gets an infected Office Document by email or by any other medium.2. The infected document is opened by the user.3. The evil Macro code looks for the event to occur which is set as the event handler at which the Virus is set off or starts infecting other files. Macro viruses include “Concept,” “Melissa,” and “Have a Nice Day.”

Script viruses

Script viruses should be replicated by using the environment needed for Replication. For example, viruses using MS-DOS batch language should be replicated using batch files as goat files and viruses using Visual Basic Scripting should be replicated using Windows Scripting Host.

Multipartition viruses

Multipartite viruses are the hybrid variety; they can be best described as across between both Boot Viruses and File viruses. They not only infect files but also infect the boot sector. They are more destructive and more difficult to remove. First of all, they infect program files and when the infected program is launched or run, the multipartite viruses start infecting the boot sector too. Now the interesting thing about these viruses is the fact that they do not stop, once the boot sector is infected. Now after the boot sector is infected, when the system is booted, they load into the memory and start infecting other program files.

14 Polymorphic viruses

They are the most difficult viruses to detect. They have the ability to mutate this means that they change the viral code known as the signature each time it spreads or infects. Thus Antiviruses which look for specific virus codes are not able to detect such viruses. Now what exactly is a Viral Signature? Basically the Signature can be defined as the specific fingerprint of a particular virus which is a string of bytes taken from the code of the virus. Antiviral software maintain database of known virus signatures and look for a match each time they scan for v i r u s e s . A s w e s e e a n e w v i r u s a l m o s t e v e r y d a y , t h i s d a t a b a s e o f V i r u s Signatures has to be kept updated. This is the reason why the Antivirus vendors provide updates.

How does a Polymorphic Virus Strike? 1. The User copies an infected file to the disk.

2. When the infected file is run, it loads the Virus into the memory or the RAM. 3. The new virus looks for a host and starts infecting other files on the disk.

4. The virus makes copies of itself on the disk.

5. The mutation engines on the new viruses generate a new unique encrypticcode which is developed due to a new unique algorithm. Thus it avoids detecting from Check summers.

Companion viruses

Companion viruses sustaining known executable appearance do not pose much difficulty for scanners, because they can be simply detected by normally scanning executable files. Companion viruses, however, may mislead non identifying products, like integrity checkers, if the possibility of a companion virus type of attack has not been taken into account while implementing the product.

Stealth viruses

They viruses are stealth in nature and use various methods to hide themselves and to avoid detection. They sometimes remove themselves from the memory temporarily to avoid detection and hiding from virus scanners. Some can also redirect the disk head to read another sector instead of the sector in which they reside. Some stealth viruses like the Whale conceal the increase in the length of the infected file and display the

15 original length by reducing the size by the same amount as that of the increase, so as to avoid detection from scanners. For example, the whale virus adds 9216 bytes to an infected file and then the virus subtracts the same number of bytes i.e. 9216 from the size given in the directory. They are somewhat difficult to detect.

Linking viruses

Linking viruses may require that the system is first infected with the virus in Order to construct the linkage. However, scanners typically detect the virus even when the linkage does not exist and this can be utilized in virus detection analysis..Furthermore, a linkage virus may be capable of replicating even without establishing the linkage, but if this is not the case, then the linkage should be created before analysis. Otherwise we are not analyzing true working viruses, because the virus is not capable of replicating without the linkage.

Memory resident viruses

As demonstrated with the definition of stealth viruses, memory resident Viruses may be able to deceive antivirus products, if the memory scanning does not work correctly for some reason and the virus active in the central memory is not found. In such a case it is possible that a antivirus scanner is actually replicating a virus, because the virus may infect each file the scanner opens for reading. Therefore one phase of antivirus product evaluation could be evaluating products’ capabilities to detect viruses in central memory.

Self-distributing viruses

Self-distributing viruses have at least one special replication channel from a local system to a remote system. The replication should be performed by using the replication channels. However, the replication environment should be an isolated environment in order to prevent the virus accidently spreading to external systems. Preventing antivirus products should be analyzed based on the prevention mechanism. This may require that the replication channel is used or that the virus is activated while the antivirus product is actively preventing virus

12. IDENTIFICATION METHOD OF ANTIVIRUS

16 based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a d i c t i o n a r y o f v i r u s s i g n a t u r e s . B e c a u s e v i r u s e s c a n e m b e d t h e m s e l v e s i n existing files, the entire file is searched, not just as a whole, but also in pieces.

Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses.

File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry Signature-based detection.

Traditionally, antivirus software heavily relied upon signatures to identifymalware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses .A s n e w v i r u s e s a r e b e i n g c r e a t e d e a c h d a y , t h e s i g n a t u r e - b a s e d d e t e c t i o n approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary. Signatures are obtained by human experts using reverse engineering. [citation needed] A n e x a m p l e o f s o f t w a r e u s e d i n reversed engineering is Interactive. S u c h s o f t w a r e d o e s n o t implement antivirus protection, but facilitates human analysis. Although the signature-based approach can effectively contain virus outbreaks, v i r u s a u t h o r s h a v e t r i e d t o s t a y a s t e p a h e a d o f s u c h s o f t w a r e b y w r i t i n g "oligomorphic", " polymorphic" a n d , m o r e r e c e n t l y , " metamorphic" viruses,which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary. Heuristics some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. M a n y v i r u s e s s t a r t a s a s i n g l e i n f e c t i o n a n d t h r o u g h e i t h e r mutation or refinements by other attackers, can

17 grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition. For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundofamily into two distinct categories, Trojan. Vundo and Trojan. Vundo.B. While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection."Variants of viruses are referred to with terminology such as: "oligomorphic"," polymorphic" a n d " metamorphic", where the differences between specifi cv a r i a n t s o f t h e s a m e v i r u s a r e s i g n i f i c a n t l y h i g h . I n s u c h c a s e s , t h e r e a r e d edicated statistical analysis-based algorithms, implemented in the "real time" protection, which analyses software behavior. This approach is not absolutely e x a c t a n d r e s u l t s i n h i g h e r r e s o u r c e u s a g e o n t h e c o m p u t e r . S i n c e "oligomorphic", " polymorphic" a n d " metamorphic" e n g i n e d e v e l o p m e n t i s difficult and the resulting computer code has a (relatively) high dimension (although such cases are very rare), this approach can be used with a relatively high success rate. This approach may imply human ingeniousness for the design of the algorithm. I f t h e a n t i v i r u s s o f t w a r e e m p l o y s h e u r i s t i c d e t e c t i o n , s u c c e s s d e p e n d s o n achieving the right balance between false positives and false negatives. Due to the e x i s t e n c e o f t h e p o s s i b i l i t y o f

f a l s e p o s i t i v e s a n d f a l s e n e g a t i v e s , t h e identification process is subject to human assistance which may include user decisions, but also analysis from an expert of the antivirus software company.

18 13 ANTIVIRUS APPROACHES

The ideal solution to the threat of viruses is prevention. Do not allow a virus is get into the system in first place. This goal is in general difficult to achieve, although prevention can reduce the no: of successful viral attacks. The next best approach is to be able to do the following.

Detection: Once the infection has occurred, determine that it has occurred and locate the virus. Identification: Once detection has been achieved, identify the specific virus has infected a program. Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Advances in viruses and antivirus technology go hand in hand. As the virus arms race has evolved, both viruses and antivirus software have grown more complex and sophisticated. There are three main kinds of anti-virus programs [McAfee]. Essentially these are scanners, monitors and integrity checkers.

SCANNERS

Scanners are programs that scan the executable objects (files and bootsectors) for the presence of code sequences that are present in the knownviruses. Currently, these are the most popular and the most widely used kindof anti-virus programs. There are some variations of the scanning technique,like virus removal programs (programs that can "repair" the infected objectsby removing the virus from them), resident scanners (programs that areconstantly active in memory and scan every file before it is executed), virusidentifiers (programs that can recognize the particular virus variant exactly bykeeping some kind of map of the non-modifiable parts of the virus body andtheir checksums), heuristic analyzers (programs that scan for particular sequences of instructions that perform some virus-like functions), and so on.The reason that this kind of anti-virus program is so widely used nowadays isthat they are relatively easy to maintain. This is especially true for the programswhich just report the infection by a known virus variant, without attemptingexact identification or removal. They consist mainly of a searching engine and adatabase of code sequences (often called virus signatures or scan strings) that are present in the known viruses. When a new virus appears, the author of thescanner needs just to pick a good signature (which is present in each copy of thevirus and in the same time is unlikely to be found in any legitimate program)and to

19 add it to the scanner's database. Often this can be done very quickly and without a detailed disassembly and understanding of the particular virus. Furthermore, scanning of any new software is the only way to detect viruses before they have the chance to get executed. Having in mind that in most operating systems for personal computers the program being executed has the f u l l r i g h t s t o a c c e s s a n d / o r m o d i f y a n y m e m o r y l o c a t i o n ( i n c l u d i n g t h e operating system itself), it is preferable that the infected programs do not get any chance to be executed. At last, even if the computer is protected by another (not virus-specific) defense, a scanner will still be needed. The reason is that when the non virus -specific defense detects a virus-like behavior, the user usually wants to identify the particular virus, which is attacking the system - for instance, to figure out the possible side effects or intentional damage, or at least to identify all infectedobjects.Unfortunately, the scanners have several very serious drawbacks. The main one is that they must be constantly kept up-to-date. Since they can detect only the k n o w n v i r u s e s , a n y n e w v i r u s p r e s e n t s a d a n g e r , b e c a u s e i t c a n b y p a s s a s c a n n e r o n l y b a s e d p r o t e c t i o n . I n f a c t , a n o l d s c a n n e r i s w o r s e t h a n n o protection at all - since it provides a false sense of security. Simultaneously, it is very difficult to keep a scanner up -to-date. In order to produce an update, which can detect a particular new virus, the author of the scanner must obtain a sample of the virus, disassemble it, understand it, pick a good scan string that is characteristic for this virus and is unlikely to cause a false positive alert, incorporate this string in the scanner, and ship the update to the users. This can take quite a lot of time. And new viruses are created every day - with a current rate of up to 100 per month. Very few anti-virus producers are able to keep up-to-date with such a production rate. One can even argue that h i s s c a n n e r s a r e s o m e h o w r e s p o n s i b l e f o r t h e e x i s t e n c e o f s o m a n y v i r u s v a r i a n t s . I n d e e d , s i n c e i t i s s o e a s y t o m o d i f y a v i r u s i n o r d e r t o a v o i d a particular scanner, lots of "wannabe" virus writers are doing it. However, the fact that the scanners are obsolete as a single line of defense against the computer viruses became obvious only with the appearance of the polymorphic viruses. These are viruses, which use a variable encryption scheme to encode their body and which even modify the small decryption routine, so that the virus looks differently in each infected file. It is impossible to pick a simple sequence of bytes

20 that will be present in all infected files and use it as as can string. Such sequence simply does not exist. Some polymorphic viruses can be detected using a wildcard scan string, but more and more viruses appear today, which cannot be detected even if the scan string is allowed to contain wildcard bytes. The only possible way to detect such viruses is to understand their mutation engine in detail. Then one has to construct an algorithmic "scanning engine “specific to the particular virus. However, this is a very time -consuming and effort-expensive task, so many of the existing scanners have problems with the polymorphic viruses. And we are going to see more such viruses in the future. The Bulgarian virus writer known under the handle Dark Avenger has evenreleased a "mutating engine" - a tool for building extremely polymorphic viruses... Very few scanners are able to detect the viruses, which are using it, with 100 reliability. One last drawback of the scanners is that scanning for lots of viruses can be very time-consuming. The number of currently existing viruses is about 1,600and is expected to reach 3,000 at the end of 1992. Indeed, some scanners useclever scanning methods like fixed-point scanning, top-and-tail scanning,

hashing and so on. The detailed description of these methods is outside the scope of this paper, but as has been proved in [Cohen90], scanning is not cost-effective in the long run, despite the scanning method used.

MONITORS

The monitoring programs are memory resident programs, which constantly monitor some functions of the operating system. Those are the functions that are c o n s i d e r e d t o b e D a n g e r o u s a n d i n d i c a t i v e f o r v i r u s - l i k e b e h a v i o r . S u c h f u n c t i o n s i n c l u d e m o d i f y i n g a n e x e c u t a b l e f i l e , d i r e c t a c c e s s o f t h e d i s k by passing the operating system, and so on. When a program tries to use such a function, the monitoring program intercepts it and either denies it completely or asks the user for confirmation. Unlike the scanners, the monitors are not virus-specific and therefore need not to be constantly updated. Unfortunately, they have other very serious drawbacks- drawbacks that make them even weaker than the scanners as an anti -virus defense and almost unusable today. The most serious drawback of the monitors is that they can be easily by passed by the so-called tunneling viruses.

21 The reason forthis is the total lack of memory protection in most operating systems for pe rsonal computers. Any program that is being executed (including the virus) has full access to readand/or modify any area of the computer's memory - including the parts of the operating system. Therefore, any monitoring program can be disabled because the virus could simply patch it in the memory. There are other clever techniques as interrupt tracing, DOS scanning, and so on, which allow the viruses to find the original handlers of any operating system function. Afterwards, this function can be called directly, thus bypassing any monitoring programs, which watch for it. Another drawback of the monitoring programs is that they try to detect a virus by its behavior.

This is essentially impossible in the general case, as proven in[Cohen84]. Therefore, they cause many false alarms - since the functions that are expected to be used by the computer viruses usually have pretty legitimate use by the normal programs. And if the user gets used to the false alerts, s/he will be likely to oversee a real one. The monitoring programs are also completely useless against the slow viruses, described later in this paper.

INTEGRITY CHECKING PROGRAMS.

Therefore, in order to be a virus, a program must be able to infect. And, in order to infect, the program must cause modifications to the programs that are infected. Therefore, a program, which can detect that the other executable objects have been modified, will be able to detect the infection. Such programs are usually called integrity checkers. The integrity checkers compute some kind of checksum of the executable code in a computer system and store it in a database. The checksums are re-computed periodically and compared with the stored originals. Several authors point out that in order to avoid forging attempts from the part of the virus, the checksums must be cryptographically strong. This can be achieved by using some kind of trap-door one-way function, which is algorithmically difficult to be inverted. Such functions include DES, MD4, MD5, and so on. But, as has been shown by [Radai], this is not mandatory. A simple CRC is sufficient, if implemented correctly. There are several kinds of Integrity checkers. The most widely used ones are the o f f l i n e i n t e g r i t y c h e c k e r s , w h i c h a r e r u n t o c h e c k t h e i n t e g r i t y o f a l l t h e executable code on a computer system.

22 Another kind is the integrity modules, which can be attached (with the help of a special program) to the executable f i l e s , s o t h a t w h e n t h e l a t t e r s t a r t e d w i l l c h e c k t h e i r o w n i n t e g r i t y . Unfortunately, this is not a good idea, since not all executable objects can be "immunized" this way. Additionally, the "immunization" itself can be easily bypassed by stealth viruses, as described later in this paper. The third kind of integrity software is the integrity shells. They are resident programs, similar to the resident scanners, which check the integrity of an object only at the moment when this object is about to be executed. These are the least widespread anti-virus programs today, but the specialists predict them a bright future [Cohen90].The integrity checking programs are not virus-specific and therefore do not need constant updating like the scanners. They do not try to block virus replication attempts like the monitoring programs and therefore cannot be bypassed by the tunneling viruses. In fact, as demonstrated by [Cohen90], they are currently the most cost-effective and sound line of defense against the computer viruses. They also have some drawbacks. For instance, they cannot prevent an infection- they are able only to detect and report it after the fact. Second, they must be installed on a virus-free system; otherwise they will compute and store the c h e c k s u m s o f a l r e a d y i n f e c t e d o b j e c t s . T h e r e f o r e , t h e y m u s t b e u s e d i n a combinat ion with a scanner at least before installation. This is needed, in order to ensure that the system they are being installed on is virus-free. Third, they are prone to false positive alerts. Since they detect changes, not viruses, any change in the programs (like updating the software with a new version), is likely to trigger the alert. Sometimes this can be avoided or at least reduced by using some intelligent heuristics and educating the users. Fourth, while the integrity checkers are able to detect the virus spread and identify the newly infected objects, they usually cannot determine the initially infected object, i.e., the source of the infection.Despite the drawbacks mentioned, the integrity checking programs are the currently most powerful line of defense against computer viruses and are likely to be used more widely in the future. Therefore, we should expect that new viruses will appear Which will target the integrity programs in the same way as the polymorphic viruses are targeting the scanners and the tunneling viruses are targeting the monitors? Let's see what kinds of attacks are possible against the integrity checking programs and how these programs can be improved to avoid them.

23

14. OTHER COMPUTER PROTECTION METHODS

Antivirus Card

This method was used in the early 1990s by DOS users and involves the installation of an ISA interface card which takes over the DOS interrupt and monitors the WRITE operation.

Network Firewall

Network firewalls prevent unknown programs and Internet processes from accessing the system protected. However, they are not antivirus systems as such and thus make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or LAN, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.

Online detection

Some antivirus vendors maintain websites with free online scanning capability of theentire computer, critical areas only, local disks, folders or files. Examples includeKaspersky Online Scanner and ESET Online Scanner

Virus removal tool

A virus removal tool is software for removing specificvirusesfrom infected computers. Unlike complete antivirus scanners, they are usually not intended to detect and remove an extensive list of viruses; rather they are designed to remove specific viruses, usually more effectively than normal antivirus software. Sometimes they are also designed to run in places that regular antivirus software can't. This is useful in the case of a severely infected

24 computer. Examples of these tools include McAfee Stinger and the Microsoft Windows Malicious Software Removal Tool.

USE MORE THAN ONE AT A TIME

Although there are multiple types of antivirus software to help keep your computer system safe, you shouldn't use more than one at a time. Having several antivirus software programs installed on a single computer system will expose it to vulnerabilities. A missed malicious file could cause your entire computer system to crash or prevent it from accessing a stable Internet connection. Instead of tracking a virus threat, each antivirus software will prevent the other from correctly functioning

15. Why Should Update Your Antivirus

If you don't update your antivirus software to its most recent version, it will not effectively protect your computer system. Activate the feature that allows automatic connection to the Internet for virus database updates. This can usually be done by accessing the "Settings" feature within your antivirus software

16. New controversy on the effectiveness of antivirus

software

The debate on whether or not an antivirus solution is worth the money spent is not new. There have been surveys and studies comparing the effectiveness of the various security solutions out there for many years. The problem used to be fairly huge, because the very design of an antivirus meant that it would scan a system for potential malware it knows about, and nothing else. In the early years of these security systems, each antivirus would keep a database of known threats, and whenever a new type of malware came in, nothing could detect it, and it would then infect every system it could reach until the companies could update their virus

25 definition databases. Now, this is less so, because of something called heuristics, where an antivirus software not only looks at malware signatures, but also behavior, and tries to detect new malware simply by what the binary file may be doing to your computer. However, the effectiveness of these new solutions is up for debate, and according to a recent study by the firm Imperva, also published in the New York Times, antivirus solutions simply do not do a good job at it.

In its Hacker Intelligence Initiative Monthly Trend Report, published in late December, the researchers picked 82 randomly selected malware files and used them against some of the most popular antivirus solutions to see what their detection rates were. These were newly created infections, taken from web forums, and the result was abysmal, according to the report. The initial detection rate for new viruses was less than 5%. In fact, they found that for some of them, it would take weeks for an antivirus to start detecting the infected file. They also found that the commercial and free solutions had similar detection rates, and recommend that people and businesses stick to freeware products instead. One of the figures they cited, was that 4.5 billion dollars is spent on antivirus solutions -- an amount that is not proportional to the effectiveness of these applications. They finally recommend that security teams focus on identifying aberrant behavior rather than detecting infections.

There are many ways to compare security solutions, and it can be very complex to reach a good conclusion. In the weeks following the release of this study, many independent labs and antivirus companies criticized the way this particular research was done. First, the firm used a tool called Virus Total. This site is a very popular one in the security community, where you can upload a file and run it through a series of popular antivirus engines to see if the file is infected. Virus Total gives you a report as to which solutions detected which malware, if any. However, this automated process only uses the core engine of each antivirus solution. It does not use some of the perimeter detection systems and the heuristics will not be as good. It also uses the command line version of the engine, and will not behave like a fully-installed antivirus.

26

Another problem that the security companies are quick to point out is the small sample size. There are around 142,000 new malicious files being submitted to security researchers every single day. A sample size of 82 is much too small, and could be biased. This is especially true if all of those files were taken from specific Russian forums, for example, and not from a more representative sample of what everyday Internet users may find. Finally, they also note that normal computer users will not face sophisticated threats like Flame or Stuxnet, and that for average malware your antivirus solution will stop around 9 infections out of 10.

One interesting thing to note is that few people criticised the study for reaching the conclusion that free antivirus solutions were just as good as paid ones. In fact while there are differences between each company, and the features that each antivirus provides, as far as the engine goes, the detection rate is fairly similar, which makes the purchase of a paid software fairly dubious. One conclusion that the study did point out is that some of the free solutions have a higher false positive rate, but this may be seen as a good thing, since it means they might be more aggressive in their detection.

But at the end of the day, the information most of us want to know is whether an antivirus solution is useful, and everyone pretty much agrees on that one. There is no question that using security software is a good thing, and that your antivirus will help detect infections. While the detection rate will never be 100%, modern software with heuristics have a very good rate for normal, average malware, the type we find in abundance on the web. Problems typically occur for new, zero-day malicious infections, and for targeted attacks. This is where researchers don't agree, but it can be safe to assume that if someone is out to get you, then there is a good chance that your antivirus will not protect you. Flame, for example, infected Windows computers in the Middle-East for over four years before antivirus companies finally started detecting it. This was a major failure of the security community, but it was also a new type of highly sophisticated malware.

If you have no reason to think the government or organized crime will spend the necessary resources to break into your system, there probably is no good reason to lose sleep over it. But any modern business should be doing more than simply installing antivirus software. This is just one part of a full protection policy, which should also include intrusion detection systems, log auditing, and a myriad of other things.

27 17. THERE ARE 4 THING’s SHOULD BE CARE WHILE PURCHASING THE ANTIVIRUS

1. A good fast scanning engine

2. Ability to detect and clean viruses easily even the latest ones 3. Faster and lighter updates

4. Easy to configure

18. SOME OF THE KEY FEATURES OR FUNCTION THAT ARE COMMONLY FOUND IN ANTIVIRUS:

 Real Time Scanner  On- access Scanner  On- Demand Scanner  Compressed File Scanner  Scheduled Scans

 POP3 Email Scanner  Webmail Protection  Automatic Virus Updates

19. HOW AN ANTIVIRUS WORKS

Using dictionary Approach:

The antivirus softvirus software examines each and every file in a computer and examine its content with the virus difinitions stored in its virus dictionary.

28

A virus dictionary is an inbuilt file belonging to an antivirus software that contains code identified as a virus by the antivirus authors.

20. The advantage of an ANTIVIRUS

 Protection from Viruses.

 Protecting personal information  Cost Saving

 Convenience

21. THE disadvantage of an ANTIVIRUS

 Doesn’t Fully Protect

 Slow Down PC or Network.  Conflicts.

22. SYSTEM REQUIREMENTS

WINDOWS

 1GHZ OR HIGHER 32-BIT OR 64-BIT PROCESSOR.

 1 GB OF RAM

 INTERNET CONNECTION IS ESSENCIAL TO UPDATION.

 200MB OF HARD DISK SPACE FOR INSTALATION.

 DVD OR CD-ROM DRIVE.

29

MAC OS

 MAC COMPUTER WITH 1GHZOR HIGHER.

 INTERNET CONNECTION IS ESSENCIAL TO UPDATION.

 512MB OF RAM.

 140MB OF HARD DISK SPACE FOR INSTALLATION

 DVD OR CD-ROM DRIVE.

 MAC OS X 10 OR LATER.

23. SOME OF THE SYMPTOMS OF AN INFECTED COMPUTER

 Folder Options disappears from the Tools. Now, hidden files cannot be viewed. Changing registry values has no effect.

 In My Computer, Auto play option appears instead of Open in every drive you enter i.e. when you click on your drive letters (C, D, E etc.) a window opens to select any one program to open with.

 It creates new entries & adds values to the existing Registry.

 You cannot open system utilities like Task Manager, Msconfig opens and suddenly closes.

 Computer becomes slow and there is noticeable delay in characters to appear on screen when you press in keyboard

30

24. WHAT TO DO ON SUSPECTING VIRUS ATTACK?

 Disconnect the suspected computer system from the Internet as well as from the Local Network.

 Start the system in Safe Mode or from the Windows boot disk, if it displays any problem in starting.

 Take backup of all crucial data to an external drive.  Install antivirus software if you do not have it installed.

 Now, download the latest virus definitions updates from the internet. (do it on a separate computer)

 Perform a full system scan.

25. VIRUS FOUND



REPAIR



QUARANTINE



DELETE



RENAME



IGNORE

31

26. CONFIGURING YOUR ANTIVIRUS SOFTWARE

 Adjust the settings to scan all (*all*) files. Also, ensure that real time scanning is enabled

by default.

 Create a recovery/reference/cure disk because if a boot sector or MBR virus attack the system, it may fail to boot. In that case, recovery cure disk can be used to boot the system and remove the virus.

 Read the vendors manual. This will help you to understand the advanced options and how to use them according to your preference.

27. HOW AN ANTIVIRUS WORKS

Using dictionary Approach

 The antivirus software examines each and every file in a computer and examines its content with the virus definitions stored in its virus dictionary.

 A virus dictionary is an inbuilt file belonging to an antivirus software that contains code identified as a virus by the antivirus authors.

Using Suspicious Behavior Approach:

 Antivirus software will constantly monitors the activity of all the programs.

 If any program tries to write data on an executable file, the antivirus software will flag the program having a suspicious behavior, means the suspected program will be marked as a virus.

 The advantage of this approach is that it can safeguard the computer against unknown viruses also.

32

28. WITH OR WITHOUT AN ANTIVIRUS SOLUTION?

So, no matter if the antivirus solutions are vulnerable or not, all the users prefer to install them to feel A little more secure.

I must agree that an antivirus application is more useful when it helps you clean your computer so, you're the one that decides: install or not.

29. New Product Development on (Antivirus

internet security product)

Name of the antivirus product -: antivirus capsule.

Features -: maximum protection, online update, internet security specialist, pc protection, fast relief from antivirus, total health care of computer.

Rate /price – 500/- per piece M.R.P

SWOT analysis of antivirus software –

1. Strength

-: Quality of software, software is made within time limit, which is given

by the client and with the company

.a) Credibility. b) Reliability.

33

2. Weaknesses

-:If the website is not made within the time limit or duration on which

client and the company made and agreement .Narmada Computers is newly launched in the software industry. There is much such other big company, so that Narmada Computers had to struggle more than any other company. Competitors are large in numbers. Employees are less in number (For that it took time for the project completion).

2.

Opportunity

-: Favorable time for the company is there is no recession and company

gets as many as project from foreign country or from Indian company. Outsourced antivirus marketing projects from other company Long term selling and distribution of the antivirus projects. Design marketing strategy and marketing plan of other company. Project of online marketing of the antivirus website.

3. Threats

-:

For Software Company recession is the major threats. Inflation increases

can also be threats to a company .Not getting appropriate skill employee for a particular projects. Not getting the long term marketing and selling and distribution of the projects.

34

30. Best Antivirus Software Review

35

Antivirus Software: What to Look For

The top antivirus software protects your personal computer from various malware attacks. No security software can always detect and block every threat. Some malware attacks are brand new and have never been seen in the wild. When a virus scanner finds one of these zero-day threats, it attempts to figure out whether it descends from a known threat-family genealogy, which would make it guilty by association. Many times there is nothing in a zero-day threat to reveal its bad intent. So, in addition to considering how an antivirus software product keeps threats out, we must also take into account how well a product discovers and removes a threat after it has already lodged itself within a system and exposed itself through its behavior.

36 The ability to block incoming threats and to get rid of threats that break through defenses are aspects of performance, which is the most important thing to look for in antivirus software. After you consider performance, you should take into account product features as well as the help and support that the publishers provide. Let's look at each of these factors one by one.

Performance

The best way to know how well a product performs is to read product test results from AV-Test, which considers three main performance criteria: protection, repair and usability. AV-Test has dozens of servers that are connected to hundreds of workstations. With this test bed, AV-Test exposes antivirus software products to tens of millions of malicious threat samples and records the results for the world to see.

Features

After you know how a product performs, consider its other features. All antivirus software is easy to install, so this is not something to worry about these days. But not every antivirus software product blocks malware that attempts to arrive via web browsing. Sometimes you need the internet security version of a product, not just the antivirus version, to protect against phishing attempts. Other features to consider are whether the product can detect threats in instant messages and email, and whether it can detect and scan an inserted USB drive. Help&Support

The best antivirus software publishers let you reach their support departments via live chat, telephone and email on any day and at any hour. However, not every competitor is so generous in terms of help and support, so you should be aware of what type of access you prefer prior to purchase.

Some of the best computer scientists on the planet have gone over to the dark side to cast their lots with the hacker underworld. Without third-party antivirus protection, you do not stand a chance. They are organized to steal your identity and subjugate your PC into a botnet available to do their bidding. Our reviews describe the best antivirus software's performance, features, and help and support. Don't rely on the security native in Windows. Let us assist you to find something better.

37

31. THE BEST Antivirus for 2013

Most antivirus vendors that run on a yearly update schedule wait until the fall to release the next year's version, just like car manufacturers. So, the "2014 models" appear in the fall of 2013. They're definitely rolling in; I've reviewed four that actually contain "2014" in the name. Four others come from vendors who've dropped the notion of adding a version or year number, but they're still the "(2014)" editions.

As new versions arrive, most of the same products retain their positions at the top of the heap. Here are the best from the current crop of antivirus products.

The Best Products

The antivirus field is huge; I currently track over forty products. In a field that big there's room for multiple products to earn the title of Editors' Choice.

Three products share the Editor's Choice honor for best overall antivirus: Bitdefender Antivirus Plus (2014)$39.95 at BitDefender, Norton AntiVirus (2014)$49.99 at Norton, and Webroot SecureAnywhere Antivirus 2013$29.99 at Webroot. (I expect the 2014 edition of Webroot's antivirus in a few weeks).

38 Bitdefender and Web root both earned 6.6 points in my malware removal test, though they were tested with different sample sets. Norton, tested along with Bitdefender, slipped to 6.3 this time around, but its impressive multi-layered malware-fighting technology continues to impress.

Two free products also did well in testing. Ad-Aware Free Antivirus+ 10.5 detected 83 percent of the samples and earned 5.8 points; for a while that was the top score. AVG AntiVirus FREE 2014 detected fewer samples, 78 percent, but more thorough cleanup earned it an impressive 6.4 points. AVG and Ad-Aware are our current Editors' Choice products for free antivirus. The new Bitdefender Antivirus Free Edition (2014) also fared well in testing. It matched the full Bitdefender antivirus's malware blocking score, and earned a decent 6.2 points for malware cleanup

Our two free Editors' Choice products share the best malware blocking score, 9.4 points, among products tested using my current malware collection. Trend Micro Titanium Antivirus+ 2014$39.95 at Trend Micro and McAfee AntiVirus Plus 2014$39.99 at Dell Small Business were close behind with 9.2 points. Tested with my previous malware collection, Webroot scored an impressive 9.9 of 10 possible points.

.

InterestingVariations

A full-scale antivirus tool both cleans up existing threats and keeps new attacks from getting a foothold. Sometimes, though, a counterattack by entrenched malware means you can't even install that hot-shot antivirus. In that case, a free removal-only tool can be a godsend. In my malware removal test, Malwarebytes Anti-Malware 1.70 scored higher than any of the competition, paid or free. The well-known Malwarebytes is our Editors' Choice for free cleanup-only antivirus.

39 Of course, you do have to work to make sure your antivirus stays up to date, and you need to deal with any threats it reports. Or do you? In fact, once you install Daily Safety Check Home Edition you don't have to do a thing. Its managed antivirus will scan your system and block attacks, and it also ensures that you have all the latest security patches. If necessary, a support agent can remote-control your PC to clean up the worst infestations. All you need to do is view emailed safety reports. This unique service has earned Editors' Choice for consumer-side managed antivirus.

If ransomware or other malicious software has made it impossible to boot Windows, you need a solution that doesn't rely on Windows. When you boot from the hardware-basedFixMeStick 2013$42.89 at Amazon, it automatically updates itself and runs a scan. All you need to do is click OK when it asks permission to clean up.

Newcomer Jumpshot is another interesting cleanup-only tool. It conceals a full-scale Linux-based bootable antivirus behind a user interface Linux-based on cartoon-style "minions" that handle tasks like wiping out malware, tuning system performance, and protecting your privacy. Jumpshot had the highest malware-removal score among products tested with my current malware collection, until it got edged out by Bitdefender.

AntivirusTests

Where did those scores come from? To test an antivirus product's ability to deal with existing malware infestations, I install it on twelve malware-infested virtual machines. After running the most comprehensive scan available, I check which threats the antivirus detected and note how well it cleaned them up. This article explains how I derive the scores in the chart that follows: How We Test Malware Removal.

Antivirus malware removal chart

Starting with the introduction of my new malware collection earlier this year, I've added a new metric to my malware removal charts, an ease of installation score. I base this score on how tough it is to install the product on my malware-infested systems. A product like Malwarebytes that installs on all twelve with little or no help from the vendor's tech support, well, that's a five-star performance. If tech support supplies

40 ancillary tools like rescue disks or threat-specific removal tools that make installation possible, we're at four stars; Kaspersky is an example.

All too often, getting antivirus protection installed on an infested system takes hours or days of back and forth with tech support. If after a super-lengthy process the product does get installed, that's worth two to three stars. If it totally can't install on one or more of the twelve systems, well, we're down to one star. That's not the bottom, though. Sometimes the cleanup process renders a test system completely unusable. A product that "kills" any test system beyond tech support's ability to fix gets zero stars. And yes, it does happen.

I also install each product on a clean test system and see how well it prevents infestation by the same collection of threats. Most antivirus tools wipe out a portion of the samples the moment I open the containing folder. I launch those that weren't killed on sight and observe just how far they get before the antivirus takes action. The article How We Test Malware Blocking explains in detail how I come up with the scores in the chart below.

Antivirus malware blocking chart

Independent antivirus testing labs have vastly more resources at hand than I do, so they can perform tests on a scale beyond what I can manage. At present I track results from AV-Comparatives, AV-Test, ICSA Labs, Virus Bulletin, and West Coast Labs. I hope to be adding tests from NSS Labs and Dennis Labs later this year. The chart below summarizes current results, and this article goes into more detail about how I interpret those results:How We Interpret Antivirus Lab Tests.

Note that only Bitdefender and Kaspersky Anti-Virus (2014)£23.39 at Amazon earn top scores across the board. To be fair, both Norton and Webroot argue that the current crop of tests don't match real-world circumstances well enough to properly evaluate their products.

Antivirus lab tests chart

Whatever your antivirus needs, one of the over forty tools listed here should do the job. Note that the blurbs that follow are not the full reviews; click on the title of each antivirus to get to the full reviews, which detail my testing. Also note that we'll be updating this roundup often, adding reviews of the new AV software as it rolls out this fall.