Product Group Tests

Anti-virus 2007

Group Summary

Many anti-virus vendors offer complete suites of solutions to the malware problem. In a large enterprise, these total packages may be your best bet. If you are a relatively small operation, however, you may be able to do a perfectly fine job of protecting your enterprise with far less and still get acceptable coverage.


Full Group Summary

In this special Group Test we look at anti-virus products somewhat differently than is our normal habit in these pages. Because there are so many products in the field, we decided to take a different approach and call on our sister organization, West Coast Labs, for some assistance.

Paste this URL into your web browser to view the group test: http://offlinehbpl.hbpl.co.uk/misc/UCX/MiscFiles/GT3%20matrix.pdf 

West Coast Labs is the top anti-malware test organization in the world by our reckoning, and it has tested almost every anti-virus vendor in the market today in its Checkmark Certification system (www.check-mark.com).

In conversations with the West Coast Labs team we determined that there really is very little substantive difference between today’s products in the things that really matter, such as catch rate.

The catch rate is the percentage of "catches" of viruses in a test suite. West Coast Labs focuses on the WildList (see pg. 44). This is a real-world test suite and we could not have done better in our own SC Labs.

Beyond a product’s substance are the cosmetics. These, for the customer, are pretty much as important as the catch rate because they determine the product’s usability. What good, for example, is a product that catches 98 percent of the WildList if there is no easy way to respond to its action?

How we tested

We asked West Coast Labs to provide us with a list of every anti-virus vendor it tests in Checkmark. We knew from the testing that these products all had very high and very similar catch rates, so any differentiation must be in the products’ features.

To that end we have, with the assistance of West Coast Labs and the product vendors themselves, built a features matrix for all of the tested anti-virus products. This features matrix is, by necessity, quite a bit more extensive than our usual summary matrices because it lists product features in somewhat more detail.

In this special section, in order to give you the most complete view of anti-virus products, we have dispensed with the usual individual write-ups in favor of the matrix. There are two reasons for this decision. First, the amount of space that these 49 products would take up would be prohibitive. Second, and more important, individual write-ups could not give you as much information as a matrix can. Finally, buying decisions will be simplified by having all of the salient features of all important products side by side on the pages in front of you.

How to use this section

Selecting an anti-virus product can be confusing. There are a lot of products on the market and most have similar features. Candidly, there are not a lot of differentiators here to help you make a buying decision. So here are a few thoughts to help you decide which product fits your requirements best.

First, don’t be fooled by catch rates. Just because an AV product catches 73,240,431 viruses does not mean that it catches the ones of which you need to be aware. The WildList is the best indicator of what is currently dangerous, and it is updated monthly. The products listed here are certified by West Coast Labs in Checkmark (www.check-mark.com), which serves as an independent indicator of malware detection capabilities.

Second, get a good understanding of how the product is updated. That information is usually on the vendor’s website. How often you update depends on your exposure risk. If you have a static environment with no laptops, a relatively small group of workers and little outside exposure, you can accept longer update cycles. If you are on the other end of the spectrum, look for short update cycles and ease of update deployment.

Next, look at how the product reports activity. How customizable is the product in terms of the message the user sees? Can it be managed centrally?

Finally, how intrusive is the product? The false positive rate is important. Can the product detect heuristically? That means it can catch certain kinds of viruses even if it does not have a specific signature for them. This is important for catching zero-day attacks.

It is important to understand that you don’t just select an anti-virus product, push it out and move on. What you need is an anti-virus strategy. That may include protecting the desktops, the file and mail servers, and/or deploying a multipurpose anti-malware gateway.

- Mike Stephenson, Kris Rowley and John Aitken contributed to this Group Test.
