This story originally appeared Nov. 7, 2007.
Name a security suite, and most of what comes to mind are big names: Symantec (NSDQ: SYMC), PC-cillin, McAfee. Maybe Kaspersky or Grisoft AVG. But there's a whole slew of other system-protection suites out there that are either quite new or not as well known, and which deserve a closer look.
We've assembled a survey of five system-protection / antivirus products that aren't as widely known (Dr.Web, TrustPort), or that come from companies known mainly for other products (Microsoft (NSDQ: MSFT), ESET, Check Point Software (NSDQ: CHKP)). We looked at the total scope of each program -- what it covered, what it didn't, and how it implemented its particular features. Not every security product is going to intercept the same range of threats or handle really outlandish behaviors (like null byte obfuscation), and so the sheer range of features, even within roughly the same price points, was eye-opening.
Each of the products listed here also has been tested by the AV-comparatives testing firm, which performs regular assays of many popular and lesser-known antivirus products and reports back on the results. The most recent set of tests was conducted back in August 2007 and so may not reflect the detection quality of the most recent versions of each application, but it will give a good idea of how tight their overall detection is.
If you're curious about whether or not the feature mix or performance impact from a given program will suit you, every program listed here has a fully functional trial or evaluation version. Grab a copy, make a quick data backup (you are doing that regularly, right?), set a System Restore point, and see for yourself.
1. Dr.Web Antivirus For Windows
The charmingly-named Dr.Web sports only two protections -- antivirus and anti-spam -- with the antivirus portion of the product being the more versatile of the two.
The three core applications are the antivirus engine, the mail-scanning engine, and a task scheduler. Many common program options are available by right-clicking the tray icons, so you don't need to drill down through the program's configuration menus as much as you might for some other apps of this kind. Each program's defaults seem to be decent for everyday use: by default, Dr.Web's protection traps pretty much all file creation and access actions, including anything downloaded from the Web.
The program's creators claim they employ an intelligent scanning engine that doesn't need to constantly rescan the same files. Malware, adware, and hacking tools are all broken out into their own categories, so each can be handled differently from the other if you're inclined to do so. Each type of threat can be given a default action and a "what to do if this fails" action -- for instance, a virus could be defaulted to "move to quarantine," with "block" as the fallback action in case the virus can't be moved. I've long been in favor of regarding malware/adware as viruses, but it's nice to have this added degree of flexibility in case for some reason you need to have a given piece of adware running.
Archive scanning is turned off by default, with the justification for this being that it slows down scanning without substantially increasing security. Ditto scanning e-mail archives (although it's not clear from the documentation which e-mail applications are supported), again on the grounds that it will slow the system down without really making things any safer. Specific directories and files also can be set to be excluded by default from scanning, if you need to, and it's also possible to selectively suppress scanning of objects on the local network and on removable drives. The scanning engine also can be configured to send e-mails or notifications if something is detected -- useful if you're administering multiple desktops, but maybe not as important for an individual user.
There are some other things about the program, aside from its relatively limited scope of protection, that also are irritating. For one, the program populates the system tray with three icons: one for the e-mail subsystem, one for the antivirus system itself, and one for the program's task scheduler. It's not clear why they use their own scheduler instead of the native Windows scheduler. Also, the anti-spam system is even less configurable than TrustPort's anti-spam system -- for one, there's no visible way to even control the sensitivity of the spam filter. It's possible to change how it stamps messages suspected of being spam, though: by default the message subject is prefixed with "[SPAM]," but you can change that as needed. What's unforgivably primitive is the whitelist/blacklist function, which is nothing but a pair of text boxes. Being able to point to an e-mail client's address book, or having some other mechanism that's a little more flexible, would help.
In sum, Dr.Web is limited in scope, if efficient in its protection. If you eventually decide you need broader coverage, though, you will probably have to go to an entirely different application, unless Dr.Web is significantly expanded in future revisions.
2. ESET Smart Security
ESET Smart Security is a protection suite from the folks who gave us the NOD32 antivirus product. NOD32's been around for a while now and gets high accolades from people who use it, but this is ESET's first attempt at building a whole suite of protection, with NOD32's antivirus protection as part of that.
The installation process gives you the option of simply accepting all the program's defaults or allowing some degree of expert option-setting (which always can be done later, too). I chose to use the "simple" setting at first, just to see how well the program behaved. The only real decision I had to make was whether to allow file sharing for my computer in my local network, something the program advertised as being best for wireless connections.
The program's protection consists of a real-time file-system and Internet monitor, scans for Microsoft Office documents and Outlook e-mail, and a number of peripheral threat-detection technologies (the "ThreatSense Scanning Engine"). ESET only announces its presence when there's something newsworthy, like the interception of a virus in a user download. Most of the time it runs silently; by default, the virus signature database updates itself quietly in the background without user prompting. The program's tray icon can pop up a notification balloon to tell you that a new set of definitions or program updates have been applied. Scans initiated from a right-click context menu can be run in the foreground or sent to the system tray to run silently in the background.
The mail scanner checks both incoming and outgoing messages and also scans Outlook mail (cleaning and moving any infected messages to their own folder). The mail module also includes a few other options to make handling Outlook e-mail that much easier: e-mail bodies can be converted to plain text by default, and you can elect to have any already-scanned e-mail rescanned by default after a signature update. Sadly, the anti-spam module doesn't give you very detailed control over how messages are classified, but it does intelligently detect mail sent from people in your address book as being good, and also automatically whitelists recipients to whom you reply.
If you're not using Outlook, NOD32 also can scan whatever port is used for POP3 traffic (110 by default; it's editable). You also can set the level of modification made to inbound e-mail depending on what your e-mail client can handle. The default setting is maximum efficiency, so only people using an older e-mail client (older than three years, say) might need to tinker with this setting.
Anything downloaded from the Web is automatically scanned. An advanced user also can configure ESET to scan traffic from different Web clients using one of two modes: passive, for higher compatibility; or active, for more effective filtering. I tried both modes and noticed little, if any, difference in speed or behavior. Finally, you can whitelist or blacklist HTTP addresses (i.e., pre-emptively designate given sites as "good" or "bad"), and ESET lets you feed in a plain text file to define those lists rather than just punch them in by hand.
The firewall's default protections are entirely automatic. I didn't have to touch much of anything to do my usual Web browsing or to work with applications that needed the network. Aside from automatic mode, the firewall also can work in interactive mode, where program behaviors that aren't already covered by existing rules can have rules generated for them based on user feedback, or policy-based mode, where behaviors not covered by a predefined rule are automatically blocked. You also can define network zones, where anything in a given zone (such as your LAN) is handled with an assumed level of trust.
If you've already used the NOD32 products before, ESET Smart Security makes for a good step up to something more comprehensive. And if you haven't used ESET's products before, you're liable to be impressed: the whole suite runs with the same quiet efficiency that NOD32 itself did.
3. Microsoft Windows Live OneCare 1.6
"Disappointing" is one of the nicer words people have used to describe Microsoft (NSDQ: MSFT)'s Windows Live OneCare. Part of me wonders if this is Microsoft deliberately holding back a bit to avoid antitrust accusations and incurring further legal trouble, but that still doesn't explain the generally lackluster feature mix shown here.
OneCare's protections consist of an antivirus system, controls for IE 7's anti-phishing filter, periodic performance tune-ups, and backup and restore functionality. Each one of these things can be subjected to strong criticisms. The antivirus protection has in the past fared very poorly against other programs; the anti-phishing filter is for IE only (even if other Web browsers do have anti-phishing protection); and the backup and restore functions are limited to data and not bare-metal backup, something third-party programs have been offering for quite some time now. Apart from its antivirus features, it feels like little more than a front end to many existing Windows functions. Perhaps the single best attribute is the fact that it's available in a 90-day trial version, as opposed to the mere 15 or 30 days that other packages use.
When tested against other antivirus products in the AV-comparatives test back in August 2007, OneCare's protection was only ranked as "standard" -- trapping 90.3% of 800,000+ pieces of malware (which is on the lower end of the scale of tested products). On the plus side, OneCare's detection system was pretty scrupulous: when I performed an on-demand scan of a known-bad item, OneCare took the time to perform a quick inspection of the rest of the system. This prolonged the scan a bit more than usual (and I would have liked to see some feedback to that effect), but as an additional protective measure it makes a fair amount of sense.
The system-optimization functions, referred to here as "Performance Plus," run in five phases: removing unneeded files (such as the clutter that builds up in temp directories), defragmenting the hard disk, running a virus scan, checking for what files need to be backed up, and obtaining high-priority security updates from Microsoft. Nominally all this can be run on a schedule -- it's set by default to run every four weeks -- but you can always run the cleanup cycle on demand if you need to.
The backup utility is somewhat like a scaled-down version of the backup utility found in Windows Vista, which is a way of saying it's simple, if sometimes also a little too simple. When invoked, it scans for certain file types and includes them in the backup set by default, but you're also allowed to manually specify additional directories or files that aren't automatically chosen by OneCare's preprogrammed backup criteria. The results are saved in a folder labeled "Windows OneCare Backup," so they're difficult to mistake for anything else, and you can always run the backups on demand if you don't want to wait for the program to decide you need it.
The backup repositories themselves can be written to CD/DVD drives, an external or alternate hard drive, or a network share, but unfortunately no provision is offered within the OneCare product itself for remote network backup (of the kind services like Mozy offer). Also, the scope of the backup is limited to personal data -- you can't back up the OS or the system state and restore it from bare metal. This feature has been persistently missing from just about every version of Windows, and only really provided in any form by third-party programs (barring the full-system backup-and-restore available in the higher-priced SKUs of Vista). I just find it irritating that Microsoft isn't even selling the ability to do this through its own system-protection tool.
OneCare's other major feature is anti-phishing controls -- for IE only, which in practice means no real added functionality. (If you habitually run another browser, you'll be left with whatever anti-phishing technology that browser provides, if any.) There's a sprinkling of other reasonably useful tools scattered throughout OneCare, such as the Firewall Connection Tool -- a convenient little menu for setting up firewall rules based on what you're trying to do (e.g., "File and Printer Sharing," or "Connect my Xbox 360 to my Media Center PC"). But compared with what else is out there at roughly the same prices, OneCare is still way too thin an offering -- even if it does protect three PCs for $50 a year.
4. TrustPort Workstation
TrustPort Workstation sports an interesting mix of system-protection tools -- aside from the usual stuff like antivirus, anti-spam, and firewall, there's a virtual encrypted disk utility, digital signatures for e-mail, and data-shredding tools.
The antivirus portion of TrustPort has one immediately unique feature: the ability to use multiple antivirus scanning engines, as licensed by the manufacturer. By default the Norman (not Norton!) antivirus engine is installed, but others can be licensed and added if needed. You optionally can use "sandbox" on-demand scanning, which adds further protection, but at the cost of performance (it's off by default). If you attempt to download an infected file through an HTTP connection, regardless of what browser you're using, you'll be redirected to a page that says "Virus infection found" with details about the virus. Viruses intercepted during a file-copying operation throw up an "Infection found / Access denied!" dialog which closes automatically after 30 seconds.
TrustPort also scans incoming e-mail on port 110 for viruses, independent of whatever e-mail client you're using. The mail scanner also includes an anti-spam engine, which adds an "X-Spam-Found" header to the message, but if you're already running a client that has its own spam controls, you can shut this off. The anti-spam engine has a blacklist/whitelist function, but there doesn't appear to be an easy way to add entries to either list. (It would be nice to have some way to integrate an external address book with this function.)
The firewall's not as immediately user-friendly as, say, ZoneAlarm's firewall; you need to dig into it a bit if you want to customize it beyond the most basic behaviors. You can define application-specific rules, for instance, but only by hand -- there doesn't appear to be any learning mechanism for applications that ask for network access. The default rules seem to be decently well-constructed, though, and you can always edit them or revert to the factory settings without too much trouble. A small clutch of network utilities -- like a geographic ping tool, and a network-traffic monitor -- help round things out nicely. (The presence and design of these tools is to me another hint that the suite as a whole is meant more for professionals than end users.)
TrustPort's encryption tools are a mini-suite unto themselves. You can create encrypted file archives; sign, encrypt, and decrypt files using public/private key pairs; and create encrypted virtual disks. The latter is essentially what's available in the third-party open-source freeware program TrueCrypt (which I've evaluated before), and the implementation here is similar -- the virtual disk is just a file which can be stored anywhere, and is encrypted with your choice of algorithm and password. When mounted, it behaves just like a regular drive, except that all data copied to it is encrypted on the fly. The data shredder, too, is not functionally all that different from freeware programs that do the same thing, but it's handy to have around.
The whole feature mix for TrustPort -- and its price tag ($55 for one machine/year) -- makes it feel like it's aimed more at professionals than regular users. But that same feature mix may make it that much more appealing to a user with a more professional bent.