what is the difference between AV and AT?

Discussion in 'other anti-virus software' started by CcCcCcOoOo., Jul 8, 2005.

Thread Status:
Not open for further replies.
  1. CcCcCcOoOo.

    CcCcCcOoOo. Guest

    what is the difference between AV and AT?

    many Members say there is a difference between AV and AT
    is AT stronger than AV in trojans?
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    AV's (anti-viruses) originally specialized in the detection of viruses only. Then along came AT's (anti-trojans) that specialized in trojans only. Over time the line between the two has diminished as AV's have expanded to cover spyware and trojans also. AT's have expanded to cover spyware and even some viruses in some cases. Even though this line between the two has grown smaller, it is still generally accepted that AV's do a better job at viruses while AT's do a better job at trojans. Spyware is in a grey area that most consider to be trojans however it also may be considered viruses. The general consensus is that it is best to have a layered protection setup, which includes an AV and an AT.

    HTH ;) ...
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    There is an architectural difference between the two "classes" of software that you may be interested in.

    Generally, you will hear that you shouldn't run two AVs at one time. AVs (but as puff pointed out, they really do much more than cover viruses) are generally installed in a way to hook into the operating system in such a way that they will conflict with each other if you are running more than one. On the other hand, ATs (or so they are sometimes named, though really they often cover much more ground), are installed in such a way that they will not conflict with classical AVs or each other.

    Thus you can run products such as Kaspersky, Ewido, and BOClean with no conflict (in most cases), but you wouldn't want to run two classical AVs such as Kaspersky and NOD32 together in real-time. It all has to do with the way they are installed and monitor the computer. Generally, if both an AV and an AT can detect the same piece of malware, the AV will catch it first.

    I am sure others will correct me where I might be mistaken.

    Rich
     
  4. James Taylor

    James Taylor Guest

    How true is this? Someone please confirm.

    So if someone worked in an AV company and then moved to an AT company he would find many big differences?

    Or is AV/AT really the same industry but differ because of marketing? Do the AT and AV authors read the same technical magazines? Attend the same conferences? Compete for the same awards?

    It can't be that different can it?
     
  5. Sfel

    Sfel Guest

    I don't see it as different at all, technically. Let's say we have 2 computers, one running 2 AVs in real-time, the other running an AV and an AT in real-time again. Conflicts can arise on both computers, or on none, since both the AT and AV hook/can hook API functions in the same way. Some ATs that protect themselves against process termination can/can't conflict with an AV that does the same. Same goes with two AVs.

    I never really understood why people say "Don't run two AVs in real-time, it can cause conflicts, instead, run an AV and an AT". Both work the same, it's the definitions they add to their databases that make the difference, isn't it ?

    By that philosophy, every AV/AT that has a real-time monitor, should conflict with PG, since both hook execution functions, shouldn't it ?
     
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    the problem with running two AVs is the performance hit it can take on ur computer and its likely that both AV will have many viruses common to both definitions. once malware hits, both AVs will compete to clean the virus and thats when ur comp slows down greatly and where ur conflict lies.

    as for pg conflicting with AV/AT, pg only needs a driver and since it doesnt scan files like an AV does then theres no conflict. im sure someone can offer a better explanation tho.
     
  7. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    We don't all have the same ideas about that...

    I disagree with that quote; originally, yes, this was true, years ago.

    1) Years ago there were Firewall-only, Anti-virus-only, Anti-Spyware-only,
    anti-dialers-only etc. products, but they are very hard to find today!
    And if you find one, its concept has not changed in many years!!!

    2) There is no proof that, let's say, Kaspersky can't find more Trojans
    than any AT-only.
    After cleaning pc's for my job, on a daily basis, i could not find this true.

    (of course sometimes an AT finds a trojan that an AV does not,
    but i have seen more cases that were just the opposite last year!)

    Creating a layered defence with an Anti-Trojan-only, an Anti-Virus-only etc. is history.
    You must forget that idea. The AV's have all grown to be complete Anti-Malware suites, that detect Viruses, Trojans, Dialers etc.

    More and more companies understand that this is what the public wants.
    For a user it doesn't make a diff. if it is a Trojan or a Virus,
    it is all MALWARE and that is something he/she doesn't want on his system.

    That is why Mcafee has a suite with a Firewall,AntiVirus,AntiSpam etc.

    That is why C.A. bought Tinysoftware to make a suite with a Firewall,
    ProcessProtection Registry protection,Anti-Spyware AntiVirus etc.

    That is why Kaspersky is making an AntiVirus, Firewall, AntiSpam etc.

    Creating your own suite of AntiMalware / PC security tools is difficult.
    Lots of people that do that for their hobby/work find that they have
    programs installed that have conflicts together.
    Or slow down your system, or eat up too much system resources.

    So Kaspersky and TDS-3 perhaps 95 % overlap?
    NOD32 and TrojanHunter 95 % overlap?
    BOCLEAN and Sophos 95 % overlap ?

    Tiny Personal Firewall and ProcessGuard ? (absurd)
    Ewido and and Boclean??

    Ok, you still can choose a firewall and Anti-virus yourself, but i expect not for
    many years.

    I respect that others think differently about this,
    but this is my idea about the layered defence concept of the late 90's

    ;)

    In general : difficult to say, depends which ones you are using.

    If you would compare both top 5's i guess: NO!
     
    Last edited: Jul 8, 2005
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    first off i dont think having a layered setup is rele that old. and security suites arent very new either. the difference is that now companies are shifting their focus into including better protection against trojans and spyware instead of just an AV and FW together. these all-in-one suites are better suited for corporate environments and people who may not know much about computer security. for these people, having integration of products and minimal conflict is important. otoh some, if not a large amount of Wilders' members seek to improve their computer security setup and this isnt possible if u only use an all-in-one. in addition even if products protection overlap, no setup can guarantee absolute protection. a layered security setup allows greater flexibility and customized security for a person's needs, however like u said, theres a higher chance for conflict and maybe greater resource usage. but thats just what i think.
     
  9. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    To me, and I could be wrong, trojans and spyware are dominating the internet terrain of late. For an AV to just do viruses would be the death knell of that company.

    It just makes sense that they have to do both or actually all three. But if you start incorporating a firewall into an AV - AT - AS as a suite that's a different story. There's just too many good firewall products out there that many people just won't want to buy a suite that includes a firewall. And I just don't see the conflicts or difficulty in incorporating the two.

    As a matter of fact I can see people that would think a suite is too bloated for them and prefer not to go that route. Just my opinion.

    Regards,

    Jaws
     
    Last edited: Jul 8, 2005
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Yes!, every customer that brings in his pc, and hears that it is loaded with spyware, ad-ware, dialers, etc etc.

    And has an AV installed, is not a happy AV customer..
    They bought an AV because they want to protect their PC from MALWARE.
    A virus, Trojan, Spyware: try to explain what the difference is, to somebody
    that is totally not interested, and only needs his computer for his/her work.

    And about the suites, if you look how products develop over the years,
    ( i got my first Anti Virus training in the mid 80's) you see that in the next 2 years, more and more suites will become the way to earn money in the Anti-Malware business.

    Again, perhaps We (Wilders forum readers) want the best Firewall, the best Anti-Virus, The best Anti Trojan etc. all together on our pc,
    but the public has no time for this, they want complete protection.

    So: "This Security-Suite has a firewall Anti-Virus,Anti Spyware and what else?"
    "...on this other box , it says that this one also has a Anti-Spam module, and it is the same price..so i'll buy that one ..."

    The more modules, the higher the price, and people will make their decision on that.

    And of course, on what the specialists say (if it is not too technical).

    The only surprise can be expected from Microsoft itself, who created
    this unsafe OS in the first place.

    If they are providing a complete suite for free, with some real OS improvements, which are recommended by Security Specialists,
    (and are made in other safer OS-es for MANY years), it can all change to
    another direction.
    And of course spend a few Billion Dollars on advertising, making licenses even more expensive...

    So the Anti-Malware industry must be fast, with releasing their products,
    they know that, that is why they are buying knowledge as ... (fast as they do).

    ;)
     
    Last edited: Jul 8, 2005
  11. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    I don't know if I buy into that 100%. We're old folks, for the most part. Up and coming is the younger more savvy users that know a lot more than we give them credit for. Just look at the kid that got convicted (slap on the wrist) in Germany.

    Regards,

    Jaws
     
  12. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    There are differences between these kinds of programs, but in the last years, the best AV's are trying to improve their detection in all the areas, including Trojans...

    It's the future because now we have more Trojans, Worms and Spyware than Virus... ;)
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Many younger people I've worked with prefer separate products. These tend to be computer enthusiasts. On the other hand, a number of college students I know use products like Norton System Works, etc, where they regard everything as malware (they wouldn't use that term, but don't understand the distinction -if there is one anymore - between the various categories) and just want something that "prevents the bad stuff."

    I'll see if Firecat will give his thoughts as someone of the younger generation.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  14. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    being a teenager, i think the younger people tend to know more about computers but like the older generations theyre mostly concerned with having a working computer and web surfing and communication (IM, email) rather than security. but thats just my personal experience of my friends and peers, it may be different elsewhere. i often times will look at my friends profile on AIM and find evidence of a virus/trojan. theyre usually aware of it and if necessary ill try to help them.
     
  15. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I'm surprised that no one has mentioned this: the main difference between the realtime monitor {RTM} of an AV and AT is -- an AV-RTM hooks into the filesystem and monitors file access {monitors when you copy, move, open a file} -- whereas an AT-RTM usually monitors processes running in memory. So, in realtime an AT scans memory whereas an AV monitors file access -- thus there is usually no conflict between realtime monitors of AV and AT -- whereas two AVs will usually conflict if both run in realtime since they are trying to hook into the filesystem to monitor the same thing {whenever a file is opened, accessed, copied, moved, etc.} Hope that helps! ;)
     
  16. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    ewido guard also scans the file access...
     
  17. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    All,
    Well I still say build your own best of breed. A suite may have great AV, terrible Anti-Spyware, satisfactory firewall, but limited features. Another may have poor AV, but great Anti-Spyware and so on...Suites :p you will always at least for now...today currently...settle for third rate something. There just is not in my opinion a best of breed Suite, that has been put together or home grown from the same company.

    The security product industry responding to mass demand of those who would just want security without putting together their own (what they consider) best of breed are hard at work. Most do want one product to cover it all sure enough...but it ain't out there imho.

    Yes, the public is demanding a one purchase one stop best of breed solution. But I do not think today they can get it. So put together your own! I am extremely opinionated on this. :oops:

    Sometimes I need to :blink: . There are many very smart "in the business" people who could have technical skills that can prove that the fractional benefits gained by some best of breed systems does not justify the complexity or fractional win in the detection and cleaning ability to justify the added cost and confusion it creates for the mass average user who wants one stop solution.

    This very complex issue is what is making a very competitive and good for the public security product market. No security product can rest on its success or it will die. This is why I do believe there is lots of promise in a one stop solution one day but not yet in my opinion.
     
  18. Sfel

    Sfel Guest

    That's not true. There's no "competition". It works something like this:

    Program --> Hook1 --> Hook2 --> ... --> HookN --> Function

    If AV1 has the first hook in the chain, and catches the virus first, AV1 will be the one blocking it. There's no race, thus no performance hit in this area, and definitely no conflict. It depends on how they're written, just as two AVs can/can't work together, an AV can/can't work together with an AT.

    As for PG, I'm not trying to say it does cause conflicts, I'm saying it's just as likely to do so as two AVs with their real-time monitors enabled are. Many antiviruses use drivers to do their API hooking too: NOD32 for example, AVG etc.

    Correct me if I'm wrong.
     
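The hook chain Sfel sketches above, together with the file-access versus process-monitor split Randy_Bell describes a few posts earlier, can be modelled in a few lines. The following is an added example written for this thread, not code from any poster or product: two toy file-access monitors ("AV1", "AV2") are interposed on the same file-open path, a toy process monitor ("AT") is interposed on process start, and every signature and detection name is made up. It shows that once the first hook in a chain blocks, the hooks behind it never scan (no race, no double work), and that a payload the file-access layer misses can still be stopped at the process layer.

```python
"""Toy model of chained real-time monitors (constructed for this thread, not any
product's code). AV1 and AV2 hook the same file-open path and form the chain
Program -> Hook1 -> Hook2 -> open(); AT hooks process start instead."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

# Hypothetical byte signatures per monitor (constructed; not real malware families).
SIGNATURES: Dict[str, Dict[bytes, str]] = {
    "AV1": {b"EVILVIRUS": "Demo.Virus.A"},
    "AV2": {b"EVILVIRUS": "Demo.Virus.A", b"RAT-STUB": "Demo.Trojan.B"},
    "AT":  {b"RAT-STUB": "Demo.Trojan.B"},
}


@dataclass
class Verdict:
    blocked_by: Optional[str]   # monitor that stopped the operation, or None
    family: Optional[str]       # detection name reported by that monitor
    trail: List[str]            # monitors that actually scanned, in chain order


class Monitor:
    """One real-time monitor: a signature set plus a scan counter."""

    def __init__(self, name: str, sigs: Dict[bytes, str]) -> None:
        self.name, self.sigs, self.scans = name, sigs, 0

    def scan(self, data: bytes) -> Optional[str]:
        self.scans += 1
        return next((fam for sig, fam in self.sigs.items() if sig in data), None)


def build_chain(monitors: Sequence[Monitor],
                real_operation: Callable[[bytes], None]) -> Callable[[bytes], Verdict]:
    """Interpose monitors[0], monitors[1], ... in front of real_operation.

    Each hook scans and either blocks (never calling the next hook) or passes
    the call down the chain. The real operation runs only if no hook blocks."""
    def terminal(data: bytes, trail: List[str]) -> Verdict:
        real_operation(data)
        return Verdict(None, None, trail)

    nxt = terminal
    for m in reversed(monitors):            # wrap from the innermost hook outwards
        def hook(data: bytes, trail: List[str], m=m, nxt=nxt) -> Verdict:
            trail.append(m.name)
            hit = m.scan(data)
            if hit is not None:
                return Verdict(m.name, hit, trail)   # block: later hooks never run
            return nxt(data, trail)
        nxt = hook
    return lambda data: nxt(data, [])


def run_scenario(file_monitors: Sequence[str], process_monitors: Sequence[str],
                 payload: bytes) -> dict:
    """Write payload to 'disk', then 'execute' it, through both hook chains."""
    mons = {n: Monitor(n, SIGNATURES[n]) for n in set(file_monitors) | set(process_monitors)}
    written: List[bytes] = []               # stand-in for the file landing on disk
    started: List[bytes] = []               # stand-in for a process image being mapped
    open_hooked = build_chain([mons[n] for n in file_monitors], written.append)
    exec_hooked = build_chain([mons[n] for n in process_monitors], started.append)

    v = open_hooked(payload)                # file-access monitors see the write first
    trail = list(v.trail)
    stage = "file" if v.blocked_by else "none"
    if v.blocked_by is None:                # only an unblocked file can be run
        v = exec_hooked(payload)            # process monitors see it at start-up
        trail += v.trail
        stage = "process" if v.blocked_by else "none"
    # 'scans' shows each monitor scanned at most once: no competing rescans
    return {"stage": stage, "blocked_by": v.blocked_by, "family": v.family,
            "trail": trail, "executed": bool(started),
            "scans": {n: m.scans for n, m in mons.items()}}


if __name__ == "__main__":
    for fm, pm, data in [(["AV1", "AV2"], ["AT"], b"MZ EVILVIRUS"),
                         (["AV1"], ["AT"], b"MZ RAT-STUB"),
                         (["AV1", "AV2"], ["AT"], b"MZ hello")]:
        print(fm, pm, data, "->", run_scenario(fm, pm, data))
```

Chain order is explicit here (`monitors[0]` is Hook1); which real product ends up first in a real hook chain depends on installation order and driver altitude, which this toy does not model.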
  19. James Taylor

    James Taylor Guest

    And a few rare AVs also scan memory, though okay ATs generally excel here.

    Sfel, I fully agree with you. I don't see the difference either.

    Except maybe, AT products perhaps tend to be tested with other AVs to ensure there isn't conflict?

    When you install many AVs, you often get a warning to remove and uninstall other AVs to avoid system instability. ATs don't do that. ATs don't even complain about other ATs!

    I don't think this is due to a technical difference between the 2 classes of products though since otherwise an AT should complain about the existence of another AT!

    So perhaps it's just the way the products position themselves. Makers of AT know that their product has to coexist with another scanner, while AVs tend to assume they are the only scanner.

    I personally think that all those AV warnings are mostly bogus anyway. Except for Norton which can conflict even with itself :)
     
  20. James Taylor

    James Taylor Guest

    Fully agree. 2 AVs can run together, but there's often some vague fear of some unexpected interaction.

    It can happen to AT+AVs as well, but I suppose at least with ATs, nobody is going to scream at you if you tell the tech that the AT doesn't run with your AV.

    If you tell the same tech you run 2 AVs at the same time, he's going to scream at you and say of course, it isn't designed to work that way!
     
  21. Sfel

    Sfel Guest

    It's about marketing. No AV company wants you to have a competitor's product running along with theirs, thus they suggest removing it. They have no interest to do so with an AT however, since it's not a competing product.
     
  22. James Taylor

    James Taylor Guest

    Why doesn't an AT stop me from keeping another AT?

    I mean when I install TDS-3 it doesn't care if I'm running Ewido.
    Vice versa.
     
  23. Sfel

    Sfel Guest


    Not everyone is greedy? :p
    Not all AVs care either..
     
  24. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Without having access to actual code or definitive statements by AV and AT vendors (which would be nice if they are forthcoming), my own experiences and guesses are these:

    1) That two AVs running simultaneously in real-time are far more likely to cause system instabilities than an AV+AT or AT+AT.

    2) I think the reason for this is that AV's always consider themselves "top-dogs" on a system (for historical reasons) and therefore the designers do whatever they feel it takes to stop malware from entering the system - short of causing instabilities with the operating system and other very common applications (e.g. browsers, MS Office, etc).

    3) AT's on the other hand have historically played second-fiddle to well known AV's (e.g. Norton, McAfee) and therefore have been designed to stay out of the way of AVs (and the resources that the AV's are monopolizing). Therefore the ATs are more likely to work with other AVs (especially the popular ones) as well as other ATs without causing obvious system instabilities.

    4) Because of this ATs become more of a "second-line" of defense (e.g. process scanning as opposed to file scanning) as it is more likely that AVs will have the first stab at catching the malware (this is what it seems like in my experiences).

    5) Playing "second-fiddle" is not a good place to be, if an AT desires to become a "must-have" technology that has legs and become a successful business - and not simply be overwhelmed by AVs. As AVs become more aggressive against spyware and trojans, ATs have to respond in kind by increasing the capabilities of their own heuristics engines and signature databases. Thus, the line between the two is becoming blurred. In time, we will probably see more and more overlap conflicts between these types of software, as each does what it needs to do to survive in a very competitive environment.

    As others have mentioned, I think in the current environment, AV vendors don't care about designing or testing their product against other AVs since their assumptions are that there will be only one AV and their prime objective is to catch malware at all costs. AT vendors at this time, have to assume there is at least one AV on the machine (most probably Norton or McAfee) and they are forced to design with these constraints in mind. How long this will last, I don't know.

    All of the above is conjecture based upon my own experiences. It should be interesting to hear from actual developers if they are able and willing to comment.

    Rich
     