What is the difference between AV and AT?
CcCcCcOoOo.
July 8th, 2005, 12:14 PM
What is the difference between AV and AT?
Many members say there is a difference between AV and AT.
Is AT stronger than AV against trojans?
puff-m-d
July 8th, 2005, 12:23 PM
AVs (anti-viruses) originally specialized in the detection of viruses only. Then along came ATs (anti-trojans) that specialized in trojans only. Over time the line between the two has diminished, as AVs have expanded to cover spyware and trojans also. ATs have expanded to cover spyware and even some viruses in some cases. Even though this line between the two has grown smaller, it is still generally accepted that AVs do a better job at viruses while ATs do a better job at trojans. Spyware is in a grey area that most consider to be trojans; however, it also may be considered viruses. The general consensus is that it is best to have a layered protection setup, which includes an AV and an AT.
HTH ;) ...
richrf
July 8th, 2005, 12:29 PM
Hi,
There is an architectural difference between the two "classes" of software that you may be interested in.
Generally, you will hear that you shouldn't run two AVs at one time. AVs (but as puff pointed out, they really do much more than cover viruses) are generally installed in a way to hook into the operating system in such a way that they will conflict with each other if you are running more than one. On the other hand, ATs (or so they are sometimes named, though really they often cover much more ground) are installed in such a way that they will not conflict with classical AVs or each other.
Thus you can run products such as Kaspersky, Ewido, and BOClean with no conflict (in most cases), but you wouldn't want to run two classical AVs such as Kaspersky and NOD32 together in real-time. It all has to do with the way they are installed and monitor the computer. Generally, if both an AV and an AT can detect the same piece of malware, the AV will catch it first.
I am sure others will correct me where I might be mistaken.
Rich
James Taylor
July 8th, 2005, 02:19 PM
-{ Quote: "There is an architectural difference between the two "classes" of software that you may be interested in.
Generally, you will hear that you shouldn't run two AVs at one time. AVs (but as puff pointed out, they really do much more than cover viruses) are generally installed in a way to hook into the operating system in such a way that they will conflict with each other if you are running more than one. On the other hand, ATs (or so they are sometimes named, though really they often cover much more ground) are installed in such a way that they will not conflict with classical AVs or each other." }-
How true is this? Someone please confirm.
So if someone worked in an AV company and then moved to an AT company, he would find many big differences?
Or is AV/AT really the same industry but differ because of marketing? Do the AT and AV authors read the same technical magazines? Attend the same conferences? Compete for the same awards?
It can't be that different can it?
Sfel
July 8th, 2005, 04:21 PM
-{ Quote: "How true is this? Someone please confirm.
So if someone worked in an AV company and then moved to an AT company, he would find many big differences?
Or is AV/AT really the same industry but differ because of marketing? Do the AT and AV authors read the same technical magazines? Attend the same conferences? Compete for the same awards?
It can't be that different can it?" }-
I don't see it as different at all, technically. Let's say we have 2 computers, one running 2 AVs in real-time, the other running an AV and an AT in real-time again. Conflicts can arise on both computers, or on none, since both the AT and AV hook/can hook API functions in the same way. Some ATs that protect themselves against process termination can/can't conflict with an AV that does the same. Same goes with two AVs.
I never really understood why people say "Don't run two AVs in real-time, it can cause conflicts, instead, run an AV and an AT". Both work the same; it's the definitions they add to their databases that make the difference, isn't it?
By that philosophy, every AV/AT that has a real-time monitor should conflict with PG, since both hook execution functions, shouldn't it?
WSFuser
July 8th, 2005, 05:24 PM
The problem with running two AVs is the performance hit it can take on your computer, and it's likely that both AVs will have many viruses common to both definitions. Once malware hits, both AVs will compete to clean the virus, and that's when your computer slows down greatly and where your conflict lies.
As for PG conflicting with AV/AT, PG only needs a driver, and since it doesn't scan files like an AV does, there is no conflict. I'm sure someone can offer a better explanation though.
tuatara
July 8th, 2005, 06:16 PM
-{ Quote: " The general concensus is that it is best to have a layered protection setup, which includes an AV and an AT." }-
We don't all have the same ideas about that...
I disagree with that quote; originally, yes, this was true, years ago.
1) Years ago there were firewall-only, anti-virus-only, anti-spyware-only,
anti-dialer-only etc. products, but they are very hard to find today!
And if you find one, its concept has not changed in many years!!!
2) There is no proof that, let's say, Kaspersky can't find more Trojans
than any AT-only.
After cleaning PCs for my job, on a daily basis, I could not find this true.
(Of course sometimes an AT finds a trojan that an AV does not,
but I have seen more cases that were just the opposite last year!)
Creating a layered defence with an Anti-Trojan-only, an Anti-Virus-only etc. is history.
You must forget that idea. The AVs have all grown to be complete Anti-Malware suites that detect viruses, Trojans, dialers etc.
More and more companies understand that this is what the public wants.
For a user it doesn't make a difference if it is a Trojan or a Virus;
it is all MALWARE and that is something he/she doesn't want on his system.
That is why McAfee has a suite with a Firewall, AntiVirus, AntiSpam etc.
That is why C.A. bought Tinysoftware to make a suite with a Firewall,
Process Protection, Registry Protection, Anti-Spyware, AntiVirus etc.
That is why Kaspersky is making an AntiVirus, Firewall, AntiSpam etc.
Creating your own suite of Anti-Malware / PC security tools is difficult.
Lots of people that do that for their hobby/work find that they have
programs installed that have conflicts together,
or slow down your system, or eat up too much system resources.
So Kaspersky and TDS-3, perhaps 95 % overlap?
NOD32 and TrojanHunter, 95 % overlap?
BOClean and Sophos, 95 % overlap?
Tiny Personal Firewall and ProcessGuard? (absurd)
Ewido and BOClean??
OK, you still can choose a firewall and Anti-Virus yourself, but I expect not for
many years.
I respect that others think differently about this,
but this is my idea about the layered defence concept of the late 90's.
;)
-{ Quote: "Many members say there is a difference between AV and AT. Is AT stronger than AV against trojans?" }-
In general: difficult to say, depends which ones you are using.
If you would compare both top 5's, I guess: NO!
WSFuser
July 8th, 2005, 06:31 PM
First off, I don't think having a layered setup is really that old, and security suites aren't very new either. The difference is that now companies are shifting their focus into including better protection against trojans and spyware instead of just an AV and FW together. These all-in-one suites are better suited for corporate environments and people who may not know much about computer security. For these people, having integration of products and minimal conflict is important. On the other hand some, if not a large amount of Wilders' members seek to improve their computer security setup, and this isn't possible if you only use an all-in-one. In addition, even if products' protection overlaps, no setup can guarantee absolute protection. A layered security setup allows greater flexibility and customized security for a person's needs; however, like you said, there's a higher chance for conflict and maybe greater resource usage. But that's just what I think.
Jaws
July 8th, 2005, 06:43 PM
To me, and I could be wrong, trojans and spyware are dominating the internet terrain of late. For an AV to just do viruses would be the death knell of that company.
It just makes sense that they have to do both or actually all three. But if you start incorporating a firewall into an AV - AT - AS as a suite, that's a different story. There are just too many good firewall products out there, so many people just won't want to buy a suite that includes a firewall. And I just don't see the conflicts or difficulty in incorporating the two.
As a matter of fact I can see people that would think a suite is too bloated for them and prefer not to go that route. Just my opinion.
Regards,
Jaws
tuatara
July 8th, 2005, 07:07 PM
-{ Quote: "To me, and I could be wrong, trojans and spyware are dominating the internet terrain of late. For an AV to just do viruses would be the death knell of that company." }-
Yes!, every customer that brings in his PC, and hears that it is loaded with spyware, adware, dialers, etc. etc.,
and has an AV installed, is not a happy AV customer..
They bought an AV because they want to protect their PC from MALWARE.
A virus, Trojan, spyware: try to explain what the difference is to somebody
that is totally not interested, and only needs his computer for his/her work.
And about the suites, if you look at how products develop over the years
(I got my first Anti-Virus training in the mid 80's), you see that in the next 2 years, more and more suites will become the way to earn money in the Anti-Malware business.
Again, perhaps we (Wilders forum readers) want the best Firewall, the best Anti-Virus, the best Anti-Trojan etc. all together on our PC,
but the public has no time for this; they want complete protection.
So: "This Security Suite has a firewall, Anti-Virus, Anti-Spyware and what else?"
"...on this other box, it says that this one also has an Anti-Spam module, and it is the same price.. so I'll buy that one..."
The more modules, the higher the price, and people will make their decision on that.
And of course, on what the specialists say (if it is not too technical).
The only surprise can be expected from Microsoft itself, who created
this unsafe OS in the first place.
If they are providing a complete suite for free, with some real OS improvements which are recommended by Security Specialists
(and have been made in other, safer OSes for MANY years), it can all change to
another direction.
And of course spend a few Billion Dollars on advertising, making licenses even more expensive...
So the Anti-Malware industry must be fast with releasing their products;
they know that, that is why they are buying knowledge as ... (fast as they do).
;)
Jaws
July 8th, 2005, 07:30 PM
I don't know if I buy into that 100%. We're old folks, for the most part. Up and coming are the younger, more savvy users that know a lot more than we give them credit for. Just look at the kid that got convicted (slap on the wrist) in Germany.
Regards,
Jaws
rdsu
July 8th, 2005, 07:49 PM
There are differences between these kinds of programs, but in the last years the best AVs are trying to improve their detection in all areas, including Trojans...
It's the future, because now we have more Trojans, Worms and Spyware than Viruses... ;)
Rmus
July 8th, 2005, 08:02 PM
-{ Quote: "...We're old folks, for the most part. Up and coming is the younger more savvy users that know a lot more then we give them credit for. " }-
Many younger people I've worked with prefer separate products. These tend to be computer enthusiasts. On the other hand, a number of college students I know use products like Norton SystemWorks, etc., where they regard everything as malware (they wouldn't use that term, but don't understand the distinction - if there is one anymore - between the various categories) and just want something that "prevents the bad stuff."
I'll see if Firecat will give his thoughts as someone of the younger generation.
-rich
________________
~~Be ALERT!!! ~~
WSFuser
July 8th, 2005, 08:53 PM
Being a teenager, I think the younger people tend to know more about computers, but like the older generations they're mostly concerned with having a working computer and web surfing and communication (IM, email) rather than security. But that's just my personal experience of my friends and peers; it may be different elsewhere. I oftentimes will look at my friend's profile on AIM and find evidence of a virus/trojan. They're usually aware of it and if necessary I'll try to help them.
Randy_Bell
July 8th, 2005, 09:13 PM
I'm surprised that no one has mentioned this: the main difference between the realtime monitor {RTM} of an AV and AT is -- an AV-RTM hooks into the filesystem and monitors file access {monitors when you copy, move, open a file} -- whereas an AT-RTM usually monitors processes running in memory. So, in realtime an AT scans memory whereas an AV monitors file access -- thus there is usually no conflict between realtime monitors of AV and AT -- whereas two AVs will usually conflict if both run in realtime, since they are trying to hook into the filesystem to monitor the same thing {whenever a file is opened, accessed, copied, moved, etc.}. Hope that helps! ;)
rdsu
July 8th, 2005, 09:18 PM
Ewido guard also scans the file access...
mercurie
July 8th, 2005, 11:06 PM
All,
Well I still say build your own best of breed. A suite may have great AV, terrible Anti-Spyware, satisfactory firewall, but limited features. Another may have poor AV, but great Anti-Spyware and so on...Suites :P you will always at least for now...today currently...settle for third rate something. There just is not in my opinion a best of breed Suite, that has been put together or home grown from the same company.
The security product industry responding to mass demand of those who would just want security without putting together their own (what they consider) best of breed are hard at work. Most do want one product to cover it all sure enough...but it ain't out there imho.
Yes, the public is demanding a one purchase one stop best of breed solution. But I do not think today they can get it. So put together your own! I am extremely opinionated on this. :-[
Sometimes I need to :-X . There are many very smart "in the business" people who could have technical skills that can prove that the fractional benefits gained by some best of breed systems does not justify the complexity or fractional win in the detection and cleaning ability to justify the added cost and confusion it creates for the mass average user who wants one stop solution.
This very complex issue is what is making a very competitive and good-for-the-public security product market. No security product can rest on its success or it will die. This is why I do believe there is lots of promise in a one-stop solution one day, but not yet in my opinion.
Sfel
July 9th, 2005, 04:07 AM
-{ Quote: "The problem with running two AVs is the performance hit it can take on your computer, and it's likely that both AVs will have many viruses common to both definitions. Once malware hits, both AVs will compete to clean the virus, and that's when your computer slows down greatly and where your conflict lies.
As for PG conflicting with AV/AT, PG only needs a driver, and since it doesn't scan files like an AV does, there is no conflict. I'm sure someone can offer a better explanation though." }-
That's not true. There's no "competition". It works something like this:
Program --> Hook1 --> Hook2 --> ... --> HookN --> Function
If AV1 has the first hook in the chain, and catches the virus first, AV1 will be the one blocking it. There's no race, thus no performance hit in this area, and definitely no conflict. It depends on how they're written, just as two AVs can/can't work together, an AV can/can't work together with an AT.
As for PG, I'm not trying to say it does cause conflicts, I'm saying it's just as likely to do so as two AVs with their real-time monitors enabled are. Many antiviruses use drivers to do their API hooking too: NOD32 for example, AVG etc.
Correct me if I'm wrong.
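The hook chain Sfel describes, worked through as an added example (this is not code from the thread or from any product named in it): each monitor that hooks the same call saves the previous target as its "next" and puts its own wrapper in front, so a call is handed down the chain in order and the first hook that matches a signature stops it; nothing behind it ever sees that call. The monitor names, file names and signature markers are constructed, and "last installed runs first" is the assumed chaining model.

```python
"""Simulation of several real-time monitors hooking the same API call.

Constructed example (not code from the thread). Each monitor installs its hook
the way inline/IAT hooks usually chain: it saves the callable currently in the
slot as its "next" and writes its own wrapper into the slot. The monitor that
installed last therefore sees every call first:

    Program -> Hook_N -> ... -> Hook_1 -> real function
"""
from typing import Callable


class Blocked(Exception):
    """Raised by whichever hook matches a signature first."""


def real_open(path: str, contents: bytes) -> str:
    """Stand-in for the OS routine at the end of the chain."""
    return f"opened {path}"


class Monitor:
    """One product's real-time file-access hook with its own signature set."""

    def __init__(self, name: str, signatures: set[bytes]) -> None:
        self.name = name
        self.signatures = signatures
        self.scans = 0      # how many calls this hook inspected
        self.blocks = 0     # how many calls it stopped
        self._next: Callable[[str, bytes], str] = real_open

    def install(self, slot: dict) -> None:
        # Chain onto whatever is already in the slot, then take the slot over.
        self._next = slot["open"]
        slot["open"] = self.hook

    def hook(self, path: str, contents: bytes) -> str:
        self.scans += 1
        if any(sig in contents for sig in self.signatures):
            self.blocks += 1
            raise Blocked(f"{self.name} blocked {path}")
        # Nothing matched: hand the call down the chain unchanged.
        return self._next(path, contents)


def run_chain(monitors: list, files: list) -> dict:
    """Install the monitors in list order and push every file open through."""
    slot = {"open": real_open}
    for m in monitors:
        m.install(slot)
    outcome = {}
    for path, data in files:
        try:
            outcome[path] = slot["open"](path, data)
        except Blocked as why:
            outcome[path] = str(why)
    return outcome


def simulate() -> tuple:
    """Constructed scenario: an AV installed first, an AT installed second.

    The signature strings are invented markers, not real malware patterns.
    """
    av = Monitor("AV", {b"SIG-SHARED", b"SIG-AV-ONLY"})
    at = Monitor("AT", {b"SIG-SHARED", b"SIG-AT-ONLY"})
    files = [
        ("notes.txt", b"meeting at noon"),            # clean
        ("dropper.exe", b"MZ...SIG-SHARED..."),       # both products know it
        ("macro.doc", b"...SIG-AV-ONLY..."),          # only the AV knows it
        ("backdoor.exe", b"MZ...SIG-AT-ONLY..."),     # only the AT knows it
    ]
    outcome = run_chain([av, at], files)
    return outcome, av, at


if __name__ == "__main__":
    outcome, av, at = simulate()
    for path, what in outcome.items():
        print(f"{path:14} {what}")
    for m in (av, at):
        print(f"{m.name}: scanned {m.scans} opens, blocked {m.blocks}")
```

The clean file is inspected once by every installed hook before it reaches the real function, which is where the per-open cost of stacking monitors comes from; the shared signature is matched exactly once, by the front hook, with no second scan and no race.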
James Taylor
July 9th, 2005, 06:21 AM
-{ Quote: "ewido guard also scan the file access..." }-
And a few rare AVs also scan memory, though okay ATs generally excel here.
Sfel, I fully agree with you. I don't see the difference either.
Except maybe, AT products perhaps tend to be tested with other AVs to ensure there isn't conflict?
When you install many AVs, you often get a warning to remove and uninstall other AVs to avoid system instability. ATs don't do that. ATs don't even complain about other ATs!
I don't think this is due to a technical difference between the 2 classes of products though, since otherwise an AT should complain about the existence of another AT!
So perhaps it's just the way the products position themselves. Makers of ATs know that their product has to coexist with another scanner, while AVs tend to assume they are the only scanner.
I personally think that all those AV warnings are mostly bogus anyway. Except for Norton which can conflict even with itself :)
James Taylor
July 9th, 2005, 06:25 AM
-{ Quote: "If AV1 has the first hook in the chain, and catches the virus first, AV1 will be the one blocking it. There's no race, thus no performance hit in this area, and definitely no conflict. It depends on how they're written, just as two AVs can/can't work together, an AV can/can't work together with an AT." }-
Fully agree. 2 AVs can run together, but there's often some vague fear of some unexpected interaction.
It can happen to AT+AVs as well, but I suppose at least with ATs, nobody is going to scream at you if you tell the tech that the AT doesn't run with your AV.
If you tell the same tech you run 2 AVs at the same time, he's going to scream at you and say of course, it isn't designed to work that way!
Sfel
July 9th, 2005, 06:39 AM
It's about marketing. No AV company wants you to have a competitor's product running along with theirs, thus they suggest removing it. They have no interest to do so with an AT however, since it's not a competing product.
James Taylor
July 9th, 2005, 06:41 AM
Why doesn't an AT stop me from keeping another AT?
I mean when I install TDS-3 it doesn't care if I'm running Ewido.
Vice versa.
Sfel
July 9th, 2005, 06:54 AM
-{ Quote: "Why doesn't an AT stop me from keeping another AT?
I mean when I install TDS-3 it doesn't care if I'm running Ewido.
Vice versa." }-
Not everyone is greedy? :P
Not all AVs care either..
TopperID
July 9th, 2005, 10:28 AM
If you think it is OK to run two AVs together have a look at this thread:- http://castlecops.com/posts102982-0.html
richrf
July 9th, 2005, 11:43 AM
Without having access to actual code or definitive statements by AV and AT vendors (which would be nice if they are forthcoming), my own experiences and guesses are these:
1) That two AVs running simultaneously in real-time are far more likely to cause system instabilities than an AV+AT or AT+AT.
2) I think the reason for this is that AV's always consider themselves "top-dogs" on a system (for historical reasons) and therefore the designers do whatever they feel it takes to stop malware from entering the system - short of causing instabilities with the operating system and other very common applications (e.g. browsers, MS Office, etc).
3) ATs, on the other hand, have historically played second fiddle to well-known AVs (e.g. Norton, McAfee) and therefore have been designed to stay out of the way of AVs (and the resources that the AVs are monopolizing). Therefore the ATs are more likely to work with other AVs (especially the popular ones) as well as other ATs without causing obvious system instabilities.
4) Because of this, ATs become more of a "second line" of defense (e.g. process scanning as opposed to file scanning), as it is more likely that AVs will have the first stab at catching the malware (this is what it seems like in my experience).
5) Playing "second fiddle" is not a good place to be if an AT desires to become a "must-have" technology that has legs and becomes a successful business - and not simply be overwhelmed by AVs. As AVs become more aggressive against spyware and trojans, ATs have to respond in kind by increasing the capabilities of their own heuristics engines and signature databases. Thus, the line between the two is becoming blurred. In time, we will probably see more and more overlap conflicts between these types of software, as each does what it needs to do to survive in a very competitive environment.
As others have mentioned, I think in the current environment, AV vendors don't care about designing or testing their product against other AVs since their assumptions are that there will be only one AV and their prime objective is to catch malware at all costs. AT vendors at this time, have to assume there is at least one AV on the machine (most probably Norton or McAfee) and they are forced to design with these constraints in mind. How long this will last, I don't know.
All of the above is conjecture based upon my own experiences. It should be interesting to hear from actual developers if they are able and willing to comment.
Rich
WSFuser
July 9th, 2005, 11:49 AM
ah ok, it makes sense now. so if AV companies built AVs so that they could co-exist then there would be less of those so called conflicts?
richrf
July 9th, 2005, 12:04 PM
-{ Quote: "ah ok, it makes sense now. so if AV companies built AVs so that they could co-exist then there would be less of those so called conflicts?" }-
This is probably true, but the problem, as I see it is this: If any AV company begins to try to "co-exist", that AV automatically is at a disadvantage since they would have to "yield" to another AV, who then automatically becomes "top-dog". Playing "second-fiddle" is very unhealthy for long-term health (as Netscape discovered) so it behooves each AV company to do whatever it needs to do in order to stay on top of the heap. As you can tell from the discussions on this forum, no one wants to be #2. :)
The AT vendors have been content, up until recently, to position themselves as cohabitable with AVs, providing a second line of defense against trojans. But now the AVs are rapidly getting into the anti-trojan/anti-spyware business, making the positioning of AT vendors very difficult. For example, if KAV is catching 99% of the viruses and 98% of the trojans, what is then the value proposition of AT vendors? I can see Ewido, A-squared, DiamondCS (via ProcessGuard) trying to carve out "must-have" niches for themselves, but it is very difficult to find and define this niche. But in order to survive, the AT vendors have to become very creative and create important new capabilities for themselves in order to make their technology "must-have". So far, I am impressed enough with Ewido's capabilities to keep it running on my machine alongside KAV (it actually catches stuff in on-demand scans that KAV misses). Ditto for ProcessGuard and RegDefend. We'll see where it all leads. ;)
Rich
Rmus
July 9th, 2005, 03:35 PM
-{ Quote: " So far, I am impressed enough with Ewido's capabilities to keep it running on my machine alongside KAV (it actually catches stuff in on-demand scans that KAV misses)." }-
Hi Rich,
Can you share what some of this stuff is that Ewido catches (virus or trojan), and have you ever been able to backtrack and determine how this stuff actually gets into your computer?
thanks,
-rich
________________
~~Be ALERT!!! ~~
tuatara
July 9th, 2005, 03:56 PM
-{ Quote: " But now the AVs are rapidly getting into the anti-trojan/anti-spyware business, making the positioning of AT vendors very difficult. For example, if KAV is catching 99% of the viruses and 98% of the trojans, what is then the value proposition of AT vendors? I can see Ewido, A-squared, DiamondCS (via ProcessGuard) trying to carve out "must-have" niches for themselves, but it is very difficult to find and define this niche." }-
I totally agree with that..
Ewido and A2 (squared) are more MALWARE scanners than specific
ATs, and they find malware that your AV, AT or AS does not.
Like dialers, trojan-downloaders, tracking cookies etc.
I have found lots of things with it that Kaspersky and TDS-3 etc. did not find.
So I have no idea what else I could use for this purpose;
in other words, for the insiders (Wilders readers / if PC security is your job/hobby) A2 or Ewido is a must-have ..
tuatara
July 9th, 2005, 04:01 PM
BTW, you can run A2Free from BARTPE, which makes it a super must-have.
;)
BTW: TDS-3, TrojanHunter etc. can't be run from BARTPE.
puff-m-d
July 9th, 2005, 05:10 PM
Just a reminder:
This thread is about "What is the difference between AV and AT?" and is not about any specific products. Let's try to keep this discussion on topic and refrain from personal remarks/bashing. If anyone wishes to start a topic concerning what it takes to clean a machine, any "hidden agendas", submitting samples, the pros/cons of any specific product, etc., then please feel free. So far the thread has been fairly informative and I would hate to have to close this topic.
EDIT: Thanks for all parties involved for voluntarily deleting their off-topic posts....
Rmus
July 9th, 2005, 05:18 PM
-{ Quote: " So far the thread has been fairly informative and I would hate to have to close this topic." }-
Hear, hear!
Rich, can you go back to my post - just wondering whether the stuff you refer to was mostly virus or trojan, and how you think it got on to your machine.
thanks,
-rich
________________
~~Be ALERT!!! ~~
richrf
July 9th, 2005, 05:30 PM
Hi Rmus,
They were mostly trojans and keyloggers. Keyloggers were more prevalent than I would have normally predicted. One machine had three different keyloggers.
I do not know where they may have come from since the users in this case were intermittent users of the Internet, mostly using it for email and financial type transactions. None used P2P or intentionally frequented "high risk" sites.
Rich
Rmus
July 9th, 2005, 05:48 PM
-{ Quote: "...I do not know where they may have come from since the users in this case were intermittent users of the Internet," }-
I was referring to your comment about your own machine - just curious if you were able to pinpoint the intrusion.
-rich
________________
~~Be ALERT!!! ~~
richrf
July 9th, 2005, 06:05 PM
Hi Rmus,
Are you talking about recent intrusions? There haven't been any since I installed KAV, WormGuard, ProcessGuard, and RegDefend. Prior to that, there were trojans and spyware whose sources I could never quite pinpoint, though they may have been associated with some blog and/or related sites. But they could also be from totally innocent-looking sites, since after I installed KAV, I noticed that certain very benign-looking sites were in fact anything but. It is difficult to say, since the symptoms inevitably start appearing much after the apparent time of infection. Malware usually doesn't announce itself. :)
Recent "malware" that has been detected by Ewido on-demand are largely tracking cookies and "remnants" of malware (e.g. BingoFun) that as far as I can tell were benign.
I hope this answers your questions. I think it is best that this is the last answer that I give on this thread concerning my own personal AV/AT experiences, since as Kent recommended, we stay on topic which is AV vs. AT and not my own personal experiences with AV's and the reasons I began purchasing various ATs.
Rich
Copyright ©2002 - 2012, Wilders Security Forums