Avast and Antivir- real time protection

Discussion in 'other anti-virus software' started by aigle, Apr 3, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I installed Antivir alongwith Avast just to play with them and received a dialog box from Avast on start up( shown below).

    So avast still continued to run 3 of its scanners. What does it mean? Dose it mean that the real time protection provided by Avtivir is not enough? Does Avast gives more real time protection than Antivir?
     

    Attached Files:

  2. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    it simply is telling you that the 2 cannot coexist at the same time. It's not usual to have 2 AV's going at the same time. Choose one & stick with it...
     
  3. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Got to give a lot of credit to Avast for spotting that potential problem and preventing it for you.

    While I prefer to have just AntiVir on full protection mode and then occasionally run a Kaspersky OnLine Scan just to be sure, you can have two Antivirus on your system,
    just so you choose only one for the "On-Access Protection", I would stay with AntiVir "Guard" for "On Access" due to its better detection rate and light footprint.

    Were I to add a second Antivirus, I would likely choose the free BitDefender version that does not have "On Access" but is rated for high detection on a System Scan:
    Click this line to open "Installing BitDefender 9 Standard"

    AntiSpyware programs are another matter, it is highly recommended to have at least three of those loaded and protecting all the time,
    but three Antiviruses would be serious overkill.

    For AntiSpy, I have SpyBot, SpyWareBlaster, Ad-Aware and use ewido's online scan.

    Top of your list should include Firewall protection, enable WinXP(SP2)'s and I have ZoneAlarm also running (default is for ZA to turn off the MS FW).

    Some other recommended free Firewalls are;

    Kerio http://www.sunbelt-software.com/Kerio.cfm
    Safety.Net http://www.netveda.com/
    GhostWall http://www.ghostsecurity.com/index.php?page=ghostwall

    Choose ONLY ONE Firewall:)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for ur suggestions. But infact what I want to know is different. As u see, Antivir has only one scanner while Avast has total 7 scanners, so does it mean that Antivir,s real time protection is poor as compared to Avast?
     
  5. Thorny

    Thorny Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    28
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes but I have raised a slightly different issue, I mean more scanners are definitely better, esp Antivir is not monitoring P2P, E-mails, and IMs. I did not find any detailed discussion esp on thsi matter, otherwise in general which one is better is discussed in more detail here.
    https://www.wilderssecurity.com/showthread.php?t=119571
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    Sometimes I wonder if all these 'scanners' and modules are just mostly marketing hype. If something hits your disk then it'll be caught by any AV that monitors reads and writes anyway, right? So unless I'm missing something, it seems to me that AntiVir is just as good as Avast in that any material written to disk will be caught as it's happening, this includes email, p2p files, whatever...
     
  8. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    In my opinion, the highlight of avast! real-time protection is Web Shield (HTTP scanner), not that P2P or IM Shield. Web Shield plays important role to detecting and eliminating malware in HTTP traffic in real time before malware get executed in memory by browser and this process is done without noticeable network performance degradation.

    I think the important of HTTP scanner module is on the rise, it's not that marketing hype as it is probably the only way to fight against exploit malware that attack web browser vulnerability, many AVs (e.g. Kaspersky, Dr.Web) are struggling to have this HTTP scanner module.

    HTTP scanner plays as a layered defence, in our corporate network we have Fortinet FortiGate antivirus firewall placed at network perimeter, FortiGate scans all HTTP traffic (plus its web content filtering) to eliminating malware in real time before it gets into our inner network so this greatly reduces many infections, I've rarely seen eTrust Antivirus on clients catches some malware that FortiGate misses.
     
    Last edited: Apr 3, 2006
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    More than 1 resident/real time/active AV will cause PROBLEMS.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    Perhaps so, but my thinking is that no decent browser (i.e., Firefox, Opera, etc) will execute anything without permission (if at all), so I don't see that happening. If you use IE and hit the wrong button and say 'yes', then you get what you deserve. To my mind, the only benefit of an http scanner is that it might stop the bad thing before it even hits my HD, rather than letting a file hit the HD first, then dealing with it. Otherwise, to me it's mostly just marketing hype... But to each his own.. :)
     
  11. Arup

    Arup Guest

    I fully agree with TAP,Web Shield indeed is the most important feature in Avast,but don't forget,on a non firewalled PC,the network module will intercept and block all common network exploits like netbios scan etc.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    I guess the question is, is anything going to execute or happen without a file being written to disk first. If a file is indeed written first, before anything happens (exploit or otherwise), then any AV will catch it on file write. Hence, no need for special 'modules' or 'web shields' or 'network shields' etc etc.
     
  13. DaveD

    DaveD Guest

    I am in full agreement with Kerodo on this one regarding additional modules; especially HTTP scanning.

    No solid resident AV should need the extra 'help' from these extra modules when they would already be scanning read/write disk activity. I personally believe that it essentially comes down to one of two things; marketing hype or backup to a resident AV that is lacking.

    Why do you think McAfee and Symantec have no mention of including HTTP scanning?

    I think that the reason for avast! having HTTP scanning (plus additional modules) is simply because the main engine does not scan within archives real-time, however those additional modules do. So they backup the main engine. From what I understand the Pro edition does have an option to scan real-time within archives but with a huge impact on performance. With avast!, I believe their engine needs the extra 'help' or modules, whatever you want to call it.

    What is the difference between stopping a virus with HTTP scanning before it hits the disk or by resident protection stopping it when it writes to the disk or before it executes?

    Either way, it still gets stopped just the same. It still relies on a good signature database.

    Please keep in mind that this is all just my own opinion at this point in time. Time may change my ways of thinking. If someone can explain in a more detailed way of why these additional modules are necessary, please do. I would be quite pleased if somebody could change my ways of thinking regarding this.

    Cheers!

    Dave
     
  14. Arup

    Arup Guest

    If there is no TCP module for network scanning detection which is basically a IDS,how will netbios scans etc. be blocked,and http scanning is indeed a good idea,blocking at the source is far better than the virus coming into the system and then alarm bells going on,some viruses can hide well and infect system files needing an offline scan or delete,why go through all that hassle.

    Easy to make a general statement that modules aren't needed,point is,they are there for a reason and are not doing any harm or consuming heavy resources,so why not have the benefit as well.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    DaveD makes some excellent points. If these http scanners are so necessary then why don't the industry leaders and those who have been around the longest (Symantec and McAfee) use them? Simple, they're just marketing nonsense. Any AV that scans on file writes will catch anything anyway.

    One reason why NOT to have an http scanner is that it just means adding extra code and useless bloat to the program. Certainly we don't need that do we?

    At any rate, that's just my opinion also. I don't want to beat it to death, so I'll leave it at that.. ;)
     
  16. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    If thats the case then why do the "industry leaders (Symantec and McAfee)" have mail scanners, isn't mail scan the same principle as HTTP scan ?
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    Good point.. and I would have to say yes, it seems like a similar situation. Why do we need email scanners when the resident AV will catch the file write anyway? Perhaps it's as DaveD said above, that the 'scanner' modules for email, web, etc are specialized to scan archives and the normal resident scanner doesn't. But then you can argue that who needs that anyway, because as soon as you open that archive and extract it, the resident AV scanner will catch the file write immediately. Seems to me that the email scanner is also somewhat of a marketing ploy as well. Who cares whether you catch the virus sooner or later, just so long as you do catch it before it executes?
     
  18. DaveD

    DaveD Guest

    Don't all ISP's provide server-level virus cleaning for e-mail these days anyways?
    They certainly should be responsible for that, seeing how it is something that they can control on their end.

    I personally have never had an e-mail with an infected attachment come through to my inbox in the 4 or 5 years I've been with this ISP (Bell Sympatico in Canada). I've even tried to send infected files to/from my own inbox and those attachments were always removed on the server-level.
     
  19. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    I was able to send a AntiVir (version 6) False Positive (an old Panda file imscan.dll renamed to imscan.txt) to myself from another Email account and it went right through (as an attachment).

    A click on it immediatly produced the "Virus Warning, what should we do with this ...(IMSCAN.DLL.RENAMED [DETECTION] Contains signature of the Micro-128 (C) virus)"

    Nothing further could be done in Outlook at that point until after it was deleted (in Outlook) and then removed from "Deleted Folder".

    Now all the various "Testing Viruses" have been blocked before loading, by Outlook or external security, perhaps.
    __________________________________________________________________________________________________________

    edit:- it is said that if you run a Panda "Free" 'On-Line' Scan, AntiVir will still flag that imscan.dll on its next scan.

    Online malware scanners: Panda ActiveScan Very easy to use. High detection rate. {Click here}
     
    Last edited: Apr 4, 2006
  20. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    I don't think so.

    Why the AV real-time file scanner can't catch/prevent network worms such as SQLSlammer, Blaster, Sasser, etc. that attack running processes on your PC memory (either Windows components or some server apps like SQL Server, IIS etc.)? isn't just because the worms don't write files to a disk while attacking? In this case, your AV real-time scanner will catch the worm but when your machine already gets infected.

    This scenario applies to exploit malware that attack the running process of web browser in memory too.


    https://www.wilderssecurity.com/showpost.php?p=392878&postcount=14
     
    Last edited: Apr 4, 2006
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    Ok, I'm open to considering all things.. But isn't that really the job of a firewall? To keep network traffic out and away from services that are holding ports open to exploits? And theoretically, if your OS is up to date and patched, then those exploits will fail anyway, right?

    Also, any 'exploit malware' will be caught before it runs by the AV I would think. So there's no need to worry about code injection and such things if the nasty is caught when the malware file is written to disk or opens before execution, right? And another point on that, if it's malware that the AV doesn't catch, then it begins to fall into another category anyway, and again, it becomes the job of your firewall or other HIPS product or malware scanner to catch it.
     
  22. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Kerodo, you're completely wrong. There are MANY examples of ItW viruses that regular (file-system based) on-access scanner CANNOT catch whereas HTTP (or generally, TCP-level) scanner can.

    Most network worms of the last decade show this (to name a few, SQLSlammer, CodeRed, CodeBlue, Blaster, Welchia, Sasser, ...).


    No marketing bullshit.
     
  23. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    Kerodo you make some (not all) valid points-but, you do so as if all PC users are security savvy like Wilders members. I'm willing to bet that most users aren't that savvy.

    Example- CD/DVD forums have many more people seeking advice than do the security forums. Over the years advice has been given to turn off the AV while burning CD/DVD's and encoding so not to slow the PC or cause buffer under runs. Now lets say someone dose this and decides to read the mail or surf the net at the same time they encode or burn, the AV real time scanner is off not effecting the work, the mail & HTTP scanners are on and still protect and they don't effect the work. And what if they forget to turn AV resident protection back on ?

    What about the people who turn off the AV while installing drivers or software (during install warnings are given many times to do so) and that person forgets to turn the AV back on after installation ? If they're using an AV with mail scan and HTTP scan aren't they more protected than someone who uses an AV with just resident/on-demand scan ?

    I don't think AV's with mail/HTTP scanners do so for marketing gimmicks, I think they do so for versatility and extra safety measures.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    Ok, perhaps I am wrong. Perhaps I'm not understanding what a worm really is then. I admit my knowledge is limited.. Show or tell me for example, how a worm can get into my computer to begin with? How can a worm get past my router? Does it come in thru my browser? If so, then it hits my cache and disk with a file before it does anything else. Are you saying a worm can enter in thru Firefox and directly write to memory and execute? I rather doubt that'll ever happen.. So where is the entrance point for a worm given that I have a router or good firewall and my browser doesn't do screwball things? I fail to see the threat...

    FastGame you make some good points. I am mostly speaking for my own situation and not saying that some folks might not want or need these features. To me they are mostly useless..
     
  25. DaveD

    DaveD Guest

    Does that mean that these worms in particular would _execute_ and _infect_ Windows systems running, for example, McAfee VSE 7.1?

    Would these be stopped by a router and/or firewall?

    Thanks,
    Dave
     
Loading...
Thread Status:
Not open for further replies.