Avast and Antivir- real time protection

Discussion in 'other anti-virus software' started by aigle, Apr 3, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I installed Antivir along with Avast just to play with them and received a dialog box from Avast on startup (shown below).

    So avast still continued to run 3 of its scanners. What does it mean? Does it mean that the real time protection provided by Antivir is not enough? Does Avast give more real time protection than Antivir?
     

    Attached Files:

  2. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,131
    It simply is telling you that the 2 cannot coexist at the same time. It's not usual to have 2 AVs going at the same time. Choose one & stick with it...
     
  3. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Got to give a lot of credit to Avast for spotting that potential problem and preventing it for you.

    While I prefer to have just AntiVir on full protection mode and then occasionally run a Kaspersky OnLine Scan just to be sure, you can have two Antivirus on your system,
    just so you choose only one for the "On-Access Protection", I would stay with AntiVir "Guard" for "On Access" due to its better detection rate and light footprint.

    Were I to add a second Antivirus, I would likely choose the free BitDefender version that does not have "On Access" but is rated for high detection on a System Scan:
    Click this line to open "Installing BitDefender 9 Standard"

    AntiSpyware programs are another matter, it is highly recommended to have at least three of those loaded and protecting all the time,
    but three Antiviruses would be serious overkill.

    For AntiSpy, I have SpyBot, SpyWareBlaster, Ad-Aware and use ewido's online scan.

    Top of your list should include Firewall protection, enable WinXP(SP2)'s and I have ZoneAlarm also running (default is for ZA to turn off the MS FW).

    Some other recommended free Firewalls are:

    Kerio http://www.sunbelt-software.com/Kerio.cfm
    Safety.Net http://www.netveda.com/
    GhostWall http://www.ghostsecurity.com/index.php?page=ghostwall

    Choose ONLY ONE Firewall:)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for your suggestions. But in fact what I want to know is different. As you see, Antivir has only one scanner while Avast has a total of 7 scanners, so does it mean that Antivir's real time protection is poor as compared to Avast?
     
  5. Thorny

    Thorny Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    28
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, but I have raised a slightly different issue. I mean more scanners are definitely better, esp. as Antivir is not monitoring P2P, E-mails, and IMs. I did not find any detailed discussion esp. on this matter; otherwise, in general, which one is better is discussed in more detail here.
    https://www.wilderssecurity.com/showthread.php?t=119571
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Sometimes I wonder if all these 'scanners' and modules are just mostly marketing hype. If something hits your disk then it'll be caught by any AV that monitors reads and writes anyway, right? So unless I'm missing something, it seems to me that AntiVir is just as good as Avast in that any material written to disk will be caught as it's happening, this includes email, p2p files, whatever...
     
  8. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    In my opinion, the highlight of avast! real-time protection is Web Shield (HTTP scanner), not the P2P or IM Shield. Web Shield plays an important role in detecting and eliminating malware in HTTP traffic in real time before the malware gets executed in memory by the browser, and this process is done without noticeable network performance degradation.

    I think the importance of the HTTP scanner module is on the rise. It's not marketing hype, as it is probably the only way to fight against exploit malware that attacks web browser vulnerabilities; many AVs (e.g. Kaspersky, Dr.Web) are struggling to have this HTTP scanner module.

    The HTTP scanner acts as a layered defence. In our corporate network we have a Fortinet FortiGate antivirus firewall placed at the network perimeter. FortiGate scans all HTTP traffic (plus its web content filtering) to eliminate malware in real time before it gets into our inner network, so this greatly reduces many infections. I've rarely seen eTrust Antivirus on clients catch some malware that FortiGate misses.
     
    Last edited: Apr 3, 2006
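
An added illustration of the in-stream scanning idea raised in the post above (not part of any post in this thread, and not how avast! Web Shield or FortiGate is actually implemented): a filter that inspects a response body chunk by chunk and releases bytes to the client only once they can no longer be part of a signature match. The function names and the marker signature are constructed for this example.

```python
# Added illustration: scan an HTTP response body chunk by chunk, releasing bytes
# to the client only once they can no longer be part of a signature match.
# The signature is a constructed, harmless marker, not a real malware pattern.
MARKER = b"X5-CONSTRUCTED-TEST-MARKER-7Q"
SIGNATURES = {"Constructed.Test.Marker": MARKER}


def filter_response(chunks, signatures=SIGNATURES):
    """Return (released_bytes, detection_name_or_None) for an iterable of chunks."""
    # A match can straddle a chunk boundary, so hold back the last
    # (longest signature - 1) bytes until the next chunk arrives.
    keep = max(len(sig) for sig in signatures.values()) - 1
    held = b""
    released = bytearray()
    for chunk in chunks:
        window = held + chunk
        for name, sig in signatures.items():
            if sig in window:
                # Drop the rest of the response; the held bytes are never released.
                return bytes(released), name
        cut = max(len(window) - keep, 0)
        released += window[:cut]
        held = window[cut:]
    released += held  # end of stream: nothing left to complete a match
    return bytes(released), None


def demo():
    prefix = b"<html>" + b"A" * 100
    # Constructed sample: the marker is split across two network chunks.
    infected = [prefix + MARKER[:10], MARKER[10:] + b"</html>"]
    clean = [prefix, b"ordinary page content", b"</html>"]
    return filter_response(infected), filter_response(clean)


if __name__ == "__main__":
    (partial, hit), (body, none) = demo()
    print("infected:", hit, "- released", len(partial), "bytes before blocking")
    print("clean:   ", none, "- released", len(body), "bytes")
```

The hold-back window is what lets the filter block a pattern that arrives split across two chunks without ever handing its first half to the client.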
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    More than 1 resident/real time/active AV will cause PROBLEMS.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Perhaps so, but my thinking is that no decent browser (i.e., Firefox, Opera, etc) will execute anything without permission (if at all), so I don't see that happening. If you use IE and hit the wrong button and say 'yes', then you get what you deserve. To my mind, the only benefit of an http scanner is that it might stop the bad thing before it even hits my HD, rather than letting a file hit the HD first, then dealing with it. Otherwise, to me it's mostly just marketing hype... But to each his own.. :)
     
  11. Arup

    Arup Guest

    I fully agree with TAP, Web Shield indeed is the most important feature in Avast, but don't forget, on a non-firewalled PC, the network module will intercept and block all common network exploits like netbios scan etc.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I guess the question is, is anything going to execute or happen without a file being written to disk first. If a file is indeed written first, before anything happens (exploit or otherwise), then any AV will catch it on file write. Hence, no need for special 'modules' or 'web shields' or 'network shields' etc etc.
     
  13. DaveD

    DaveD Guest

    I am in full agreement with Kerodo on this one regarding additional modules; especially HTTP scanning.

    No solid resident AV should need the extra 'help' from these extra modules when they would already be scanning read/write disk activity. I personally believe that it essentially comes down to one of two things; marketing hype or backup to a resident AV that is lacking.

    Why do you think McAfee and Symantec have no mention of including HTTP scanning?

    I think that the reason for avast! having HTTP scanning (plus additional modules) is simply because the main engine does not scan within archives real-time, however those additional modules do. So they back up the main engine. From what I understand the Pro edition does have an option to scan real-time within archives but with a huge impact on performance. With avast!, I believe their engine needs the extra 'help' or modules, whatever you want to call it.

    What is the difference between stopping a virus with HTTP scanning before it hits the disk or by resident protection stopping it when it writes to the disk or before it executes?

    Either way, it still gets stopped just the same. It still relies on a good signature database.

    Please keep in mind that this is all just my own opinion at this point in time. Time may change my ways of thinking. If someone can explain in a more detailed way of why these additional modules are necessary, please do. I would be quite pleased if somebody could change my ways of thinking regarding this.

    Cheers!

    Dave
     
  14. Arup

    Arup Guest

    If there is no TCP module for network scanning detection, which is basically an IDS, how will netbios scans etc. be blocked? And http scanning is indeed a good idea; blocking at the source is far better than the virus coming into the system and then alarm bells going off. Some viruses can hide well and infect system files, needing an offline scan or delete, so why go through all that hassle?

    Easy to make a general statement that modules aren't needed. Point is, they are there for a reason and are not doing any harm or consuming heavy resources, so why not have the benefit as well.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    DaveD makes some excellent points. If these http scanners are so necessary then why don't the industry leaders and those who have been around the longest (Symantec and McAfee) use them? Simple, they're just marketing nonsense. Any AV that scans on file writes will catch anything anyway.

    One reason why NOT to have an http scanner is that it just means adding extra code and useless bloat to the program. Certainly we don't need that do we?

    At any rate, that's just my opinion also. I don't want to beat it to death, so I'll leave it at that.. ;)
     
  16. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    715
    Location:
    Blasters worm farm
    If that's the case then why do the "industry leaders (Symantec and McAfee)" have mail scanners? Isn't mail scan the same principle as HTTP scan?
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Good point.. and I would have to say yes, it seems like a similar situation. Why do we need email scanners when the resident AV will catch the file write anyway? Perhaps it's as DaveD said above, that the 'scanner' modules for email, web, etc are specialized to scan archives and the normal resident scanner doesn't. But then you can argue that who needs that anyway, because as soon as you open that archive and extract it, the resident AV scanner will catch the file write immediately. Seems to me that the email scanner is also somewhat of a marketing ploy as well. Who cares whether you catch the virus sooner or later, just so long as you do catch it before it executes?
     
  18. DaveD

    DaveD Guest

    Don't all ISPs provide server-level virus cleaning for e-mail these days anyways?
    They certainly should be responsible for that, seeing how it is something that they can control on their end.

    I personally have never had an e-mail with an infected attachment come through to my inbox in the 4 or 5 years I've been with this ISP (Bell Sympatico in Canada). I've even tried to send infected files to/from my own inbox and those attachments were always removed on the server-level.
     
  19. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    I was able to send an AntiVir (version 6) False Positive (an old Panda file imscan.dll renamed to imscan.txt) to myself from another Email account and it went right through (as an attachment).

    A click on it immediately produced the "Virus Warning, what should we do with this ...(IMSCAN.DLL.RENAMED [DETECTION] Contains signature of the Micro-128 (C) virus)"

    Nothing further could be done in Outlook at that point until after it was deleted (in Outlook) and then removed from "Deleted Folder".

    Now all the various "Testing Viruses" have been blocked before loading, by Outlook or external security, perhaps.
    __________________________________________________________________________________________________________

    edit:- it is said that if you run a Panda "Free" 'On-Line' Scan, AntiVir will still flag that imscan.dll on its next scan.

    Online malware scanners: Panda ActiveScan Very easy to use. High detection rate. {Click here}
     
    Last edited: Apr 4, 2006
  20. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    I don't think so.

    Why can't the AV real-time file scanner catch/prevent network worms such as SQLSlammer, Blaster, Sasser, etc. that attack running processes in your PC's memory (either Windows components or some server apps like SQL Server, IIS etc.)? Isn't it just because the worms don't write files to a disk while attacking? In this case, your AV real-time scanner will catch the worm, but when your machine is already infected.

    This scenario applies to exploit malware that attack the running process of web browser in memory too.


    https://www.wilderssecurity.com/showpost.php?p=392878&postcount=14
     
    Last edited: Apr 4, 2006
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, I'm open to considering all things.. But isn't that really the job of a firewall? To keep network traffic out and away from services that are holding ports open to exploits? And theoretically, if your OS is up to date and patched, then those exploits will fail anyway, right?

    Also, any 'exploit malware' will be caught before it runs by the AV I would think. So there's no need to worry about code injection and such things if the nasty is caught when the malware file is written to disk or opens before execution, right? And another point on that, if it's malware that the AV doesn't catch, then it begins to fall into another category anyway, and again, it becomes the job of your firewall or other HIPS product or malware scanner to catch it.
     
  22. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Kerodo, you're completely wrong. There are MANY examples of ItW viruses that a regular (file-system based) on-access scanner CANNOT catch whereas an HTTP (or generally, TCP-level) scanner can.

    Most network worms of the last decade show this (to name a few, SQLSlammer, CodeRed, CodeBlue, Blaster, Welchia, Sasser, ...).


    No marketing bullshit.
     
  23. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    715
    Location:
    Blasters worm farm
    Kerodo, you make some (not all) valid points, but you do so as if all PC users are security savvy like Wilders members. I'm willing to bet that most users aren't that savvy.

    Example: CD/DVD forums have many more people seeking advice than do the security forums. Over the years advice has been given to turn off the AV while burning CD/DVDs and encoding so as not to slow the PC or cause buffer underruns. Now let's say someone does this and decides to read the mail or surf the net at the same time they encode or burn: the AV real time scanner is off, not affecting the work; the mail & HTTP scanners are on and still protect, and they don't affect the work. And what if they forget to turn AV resident protection back on?

    What about the people who turn off the AV while installing drivers or software (during install, warnings are given many times to do so) and that person forgets to turn the AV back on after installation? If they're using an AV with mail scan and HTTP scan, aren't they more protected than someone who uses an AV with just resident/on-demand scan?

    I don't think AV's with mail/HTTP scanners do so for marketing gimmicks, I think they do so for versatility and extra safety measures.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, perhaps I am wrong. Perhaps I'm not understanding what a worm really is then. I admit my knowledge is limited.. Show or tell me for example, how a worm can get into my computer to begin with? How can a worm get past my router? Does it come in thru my browser? If so, then it hits my cache and disk with a file before it does anything else. Are you saying a worm can enter in thru Firefox and directly write to memory and execute? I rather doubt that'll ever happen.. So where is the entrance point for a worm given that I have a router or good firewall and my browser doesn't do screwball things? I fail to see the threat...

    FastGame you make some good points. I am mostly speaking for my own situation and not saying that some folks might not want or need these features. To me they are mostly useless..
     
  25. DaveD

    DaveD Guest

    Does that mean that these worms in particular would _execute_ and _infect_ Windows systems running, for example, McAfee VSE 7.1?

    Would these be stopped by a router and/or firewall?

    Thanks,
    Dave
     