Workstation Virus Scanning Software-Antivirus

Protect yourself at all times with today's batch of antivirus software

Just in case you haven't heard, viruses can be fatal. Jeff Goldblum and Will Smith used one to wipe out an entire alien mothership in last year's hit movie Independence Day. In reality, viruses won't cause your computers to spontaneously break down, but they can be more than just a mere annoyance.

Like it or not, viruses (particularly those of the macro variety) are becoming more and more prevalent in everyday computing. People send files backand forth across the Internet all day, and these files eventually make their waydown the pipe to your computer. Because authenticating each downloaded file isdifficult, you have a slight chance of downloading something infected byviruses. Factor in other virus distribution vehicles, such as exchangingfloppies with co-workers and installing shrinkwrapped software, and you increasethe chances of infecting your computer. I've received infected files from themost unlikely sources: an infected executable on a store-bought application,infected Word documents from Microsoft Professional Developers ConferenceCD-ROMs, and an infected Excel spreadsheet from a coworker.

Although no native Windows NT viruses are in circulation, a simple bootsector virus can still wreak havoc on your NT systems. I've seen a boot sectorvirus continually kill NT, causing the Blue Screen of Death at almost regularintervals.

Thank goodness, NT virus scanners are available in abundance. In thisyear's virus scanner roundup, I looked at virus scanners available for NTWorkstation. The results might surprise you.

How We Tested
One question that comes up often when you evaluate virus scanners is, "Howdo you determine which one is the best?" I usually reply, "It depends."And it does. You can rate virus scanners based on their respective detectionrates. But with the current crop of viruses, you can assume that all virusdetection routines detect about the same number of viruses. More variables areinvolved when you're gauging which virus scanner outperforms the others. When you decide to purchase a virus scanner, your first priority is to make sure it finds the most common viruses. The more common the virus, the greater the chance you have of finding it. Playing the numbers game with virus scanners might look impressive on paper, but what if the virus scanner that can detect a million viruses just happens to miss the Lacroix Excel macro virus?

In this comparative review, besides detection rates, I'll look at features such as realtime scanning and automatic updates (see Feature Comparison). Let's face it, running virus scans is almost as much fun as, well, doing backups. If you do an informal poll within your organization, I'd bet my software that very few people run virusscans regularly, if ever. Most antivirus vendors recognize that mostprofessionals have too much work to worry about purifying their files daily orweekly, so vendors have added realtime scanning modules to their virus scanners.Realtime scanners are watchdogs that sit in the background, monitoring disk I/Ofor strains of viruses. When the system loads an infected executable, thescanner kicks in to clean the file.

In the past, virus scanners were dated as soon as they hit the street. Newviruses are discovered every month, and in the dark ages before the Internetbecame a viable global network, virus scanners had no way of knowing about thesenew strains. Today, nearly every antivirus vendor makes updates available fromits Web or FTP site. Automatic updating is simply an automated retrieval andinstallation process, making staying up-to-date on the latest viruses in thewild a bit easier.

Another requirement to consider is technical support. Although most modernvirus scanners are easy to use, cleaning infected files is a different story.For the more stubborn viruses, calling a specialist is not a bad idea. How thecompanies handle panic calls is almost as important as what type of virusestheir software can detect. My review also covers documentation included with thesoftware, the user interface, notification options, and scheduling capabilities.

Some virus scanners include new heuristics-based technology.Traditionally, virus scanners use definition files to detect viruses. Forexample, a typical definition file includes a string of unintelligible (at leastto human eyes) code that replicates the exact structure of a known virus. Whenscanning, the program compares the structure of each file against that string.When the program finds a match, it triggers an alert to let you know that it hasdetected a virus. This method has worked very well in the past, but newerviruses (such as polymorphic viruses and the ever-popular macro virus) laugh inthe face of definitions. With a heuristics-based scanning engine, a virusscanner can plow through files looking for virus-like behavior. Rather thanrelying on exact matches, virus scanners can now active-ly seek out potentiallydestructive code.

In theory, this method tends to generate false positives (showing that afile is infected with a new virus when it's not), but it provides an additionallayer of security, which is a good trade-off. In practice, however, thissituation happens so infrequently that it's not much of a concern.

Price is, of course, also a concern. Small businesses might find itdifficult to justify the cost of a multi-thousand dollar virus scanner withevery single feature known to humankind. The perfect virus scanner is priced tosell (that is, under $100).

For this review, I introduced a package of roughly 50 common viruses,Trojan horses, and macro viruses into the testing environment. The testingenvironment consisted of one 150MHz Pentium machine running NT Workstation 4.0with Service Pack 3. Some viruses were compressed and archived withPKZIP. I then zipped the ZIP files yet again in an attempt to catch the virusscanners off-guard. I installed each virus scanner independently of the othersto prevent conflicts between each application.

I designed the testing regimen to be as straightforward as possible: Iinstalled the viruses to a directory on the hard disk, triggering the flags ofany virus scanner that happened to be poking around in that directory. Althoughthis test might be less scientific than most conventional methods, it's alsomore representative of how users catch viruses. After all, all the poking andprodding in the world won't help if a virus hits your system when you loada file.

InocuLAN for Windows NT--Workstation Edition
Computer Associates' (CA's) InocuLAN has long been one of the finest NTServer virus scanners on the market. However, positioning itself as a servertool effectively priced InocuLAN out of the small office/home office (SOHO)market. Realizing this drawback, CA has issued an affordable workstation editionof InocuLAN that includes some important features of the server version.

InocuLAN ships on one CD-ROM and includes a comprehensive manual.Installation is simple: You insert the CD-ROM, feed a few directory names to theSetup program, and you're up and running. Although the manual lacks theencyclopedic information you get with other programs, CA makes a virusencyclopedia available on its Web site.

First, you'll notice the user interface lacks the glitz of rival utilities,as Screen 1 shows. What it lacks in aesthetics, however, is made up for inusability. Various options are scattered across multiple context-sensitive menusand dialog boxes, and setting up a scan is as easy as selecting the drives toscan and clicking the Go button.

Looks and usability are meaningless unless the scanning engine has thecleaning power to make it worthwhile. Fortunately, the capabilities underInocuLAN's hood are top-notch.

InocuLAN's scanning options are configurable to an extent. You can selectwhich files a scan will include or exclude, based on their file extensions. Youcan select from one of three scanning options: Fast Scan, Secure Scan, andReviewer Scan. I opted for the secure mode, and a default scan detected everyvirus in my test bed. This success rate included double-zipped files. Feelingparticularly sadistic, I rezipped the double-zipped files, giving the infectedfiles a three-layer compression shell. Again, InocuLAN plowed through thetriple-zipped files without incident. Much to my delight, InocuLAN also cleanedevery infected file without incident.

Unfortunately, InocuLAN's scanning engine doesn't support heuristics-basedscanning. InocuLAN can't detect some of the more recent and obscure viruses. Theslight upside to this shortcoming is that InocuLAN also generates few falsepositives. CA does have a heuristics-based version of InocuLAN in beta testing,and the final product might be available in the form of a virus definitionupdate by the time you read this.

InocuLAN's notification options shine. By default, InocuLAN logs allactivity in a text file, letting you call it up with just about any wordprocessor or text editor available. For advanced configurations, you can set upInocuLAN to send virus alerts to pagers, Simple Network Management Protocol(SNMP) managers, email mailboxes, and remote printers. Admittedly, most ofInocuLAN's notification features are overkill for small networks, but knowingthat CA treats the workstation market with the same consideration that thecompany gives the more lucrative server market is reassuring.

Likewise, InocuLAN's scheduling options feature is comprehensive, albeitslightly inaccessible. You can set InocuLAN to run once a day, once a week, oncea month, or multiple times daily. But the placement of its scheduling optionsmakes the feature difficult to use. To schedule a scan, you must go intoInocuLAN's Domain Manager, select your machine from the list of workstations onthe network, and fill in the pertinent information.

InocuLAN's Realtime Monitor deserves an honorable mention. This on-the-flyscanning component sits in the background, monitoring both incoming and outgoingfiles. Because InocuLAN is primarily a server-based antivirus package, RealtimeMonitor can scan network drives and email inboxes, if you useMicrosoft's Exchange or Outlook clients and have the CA E-mail module installed.When the program detects viruses, InocuLAN can either clean the file, move thefile, rename the file, or delete it. Interestingly, you can copy infected filesto a special protected directory on the server to quarantine them--isolatingthem from every other file on the network--to minimize the chances of spreadingthe virus.

Virus definition updates are available for free from CA's Web site, but theretrieval and installation applet is not integrated with the mainprogram. CA wants to give administrators more control by letting them disabledefinition updates. The purpose is to force some sort of standardization acrossthe network. (Don't worry, I didn't quite understand it either.)

Regardless of this arrangement, retrieving and installing updates isrelatively painless. The AutoDownload Manager, which you must start separately,runs as a scheduled service. You can set it to execute once a month, ensuringthat you always have the latest virus definitions installed.

InocuLAN is the most scalable package I covered in this roundup. If youanticipate the need to add more machines to your network, InocuLAN is your bestchoice. It accommodates your needs as your working environment grows.

F-PROT Professional for Windows NT 3.0
In the early '90s, when DOS still ruled, the two main shareware virusscanners were McAfee's VirusScan and Command Software Systems' F-PROT. VirusScanhas already made a successful transition from DOS to NT, leaving F-PROT with ahard act to follow.

F-PROT Professional ships on four permanently write-protected disks,preventing unauthorized tampering. Installation is straightforward. You let theprogram create a directory, select the components you want to install, and feedthe floppies to the computer. Four floppies later, you're ready to go. F-PROTProfessional comes with a thin manual that you can throw away once you'veinstalled the software.

Like VirusScan, F-PROT Professional is a task-based virus scanner. UnlikeMcAfee's offering, however, F-PROT includes several predefined tasks, as Screen 2,page 78, shows. This feature helps you get up to speed and send F-PROT in onthe war against viruses.

New tasks are easy to set up in F-PROT Professional. You click on the NewTask button to bring up a dialog box that asks whether the new task is auser-level or administrator-level task. You select the appropriate securitylevel to bring up the Properties dialog box that lets you specify which drivesto scan, which files to exclude, and how the program will act when it encountersa virus.

Once you have saved the task, you can schedule it with F-PROT's internalscheduling tool. This scheduling tool is not as comprehensive as the schedulersin other products, but it supports daily, weekly, and monthly scans. A uniqueoption in this scheduler is the ability to send F-PROT into action after aprespecified amount of idle time has elapsed.

F-PROT's detection rate was good, but not perfect. It detected 39 of the 40unzipped viruses (including all the Office macro viruses) and 9 of the 10double-zipped viruses. This score might be less important than it seems, becausethe 39 viruses it detected are some of the more common strains, such asJerusalem and Michelangelo. For detection of more advanced viruses, F-PROTincludes a heuristics analysis module, which is still considered experimental.In testing, this module generated many false positives because of itsalpha-level status, so I recommend turning it off.

F-PROT's realtime scanning module, Dynamic Virus Protection (DVP), isexcellent. It detects nearly every virus loaded and takes up very little CPUtime.

The program moves infected files immediately to a quarantine directory toawait treatment. This process isolates the infected files from the rest of thehard disk.

Cleaning the files was interesting to watch. F-PROT quite possibly has thebest disinfecting rate of any virus scanner on the market today. The other virusscanners in this review stumbled over at least four or five infected files, butF-PROT cleaned everything it detected (quite possibly invalidating the lowerdetection rate vis á vis the other virus scanners).

The notification options in F-PROT Professional are very good. The softwareuses a Messaging API (MAPI)-compliant notification module that supports emailnotification on systems that support the MAPI standard. Pager notifications aremissing, but you can send broadcast messages over a network when the programdetects a virus.

Command Software Systems makes electronic definition updates available toregistered users via its Web site. This method seems somewhat kludgey comparedwith the integrated update retrieval routines found in other programs,however. To make staying up-to-date with the latest viruses easy, F-PROTProfessional lets you enter custom virus strings.

In terms of technical support, Command Software Systems stands head andshoulders above the other vendors. A 24-hour, toll-free emergency hotline isavailable to all users. Here's hoping it sparks a new trend among antivirussoftware vendors.

F-PROT Professional is a good tool, but it simply doesn't have the pizzazzto make it a must-have. The program doesn't have many compelling fea-tures,making it only an adequate virus scanner.

Additionally, the alpha status of F-PROT Professional's heuristics scanningengine makes it a hindrance. That fact, combined with the lack of automaticupdates, knocks F-PROT Professional out of the running. Command Software Systemsis committed to refining F-PROT, and the product will be one to look for when itmatures.

Dr Solomon's Anti-Virus Toolkit forWindows NT
Dr Solomon's Anti-Virus Toolkit for Windows NT is a favorite among virusresearchers. And why not? After all, virus researchers designed the software.

Dr Solomon's product comprises several components. The version I testedships on a handful of permanently write-protected floppy disks, which includeversions for DOS and NT and a special virus detecting boot disk called MagicBullet. Dr Solomon's also includes a CD-ROM to make installation a bit easier.Before installing the software, I rebooted the test system with Magic Bullet inthe disk drive. Unbeknownst to Magic Bullet, I infected the system with a bootsector virus. When the system started, Magic Bullet immediately found theinfection and cleaned it.

To make sure everything's on the up and up, Dr Solomon's runs an immediatefull system scan after installation, detecting and nuking the infected files Iliberally sprinkled throughout my hard disks. Dr Solomon's also caught thedouble-zipped files. Further testing revealed that Dr Solomon's acts like, well,acid when it detects files that have been compressed multiple times. The scannereats and eats through the layers of compression until it gets to the real files.

More impressive, Dr Solomon's comes with several manuals that are more akinto books than instruction pamphlets. A very useful guide to evaluating antivirussoftware shows you the most important attributes to look for when you're tryingto find the right solution for your systems. Surprisingly, this guide lackstraces of bias. The words Dr Solomon never appear in the book. A massive(about 400-page) virus encyclopedia that includes information about most knownviruses completes the package.

When you load Dr Solomon's, you'll notice that the interface has beenstreamlined (which is impressive because the interface in older releases wasclean already). To launch scans, you select the drives in the Drives dialog boxand click Find (to detect viruses only) or Repair (to clean infected files), asScreen 3 shows.

Dr Solomon's WinGuard scanner handles realtime virus scanning. WinGuardruns quietly in the background until an infected file is executed. WinGuard thenautomatically repairs the file, making WinGuard an ideal program for servercomputers that run (usually without user intervention) 24 hours a day.

The new version of Dr Solomon's includes and uses a heuristics scanningengine to detect unknown viruses. By using a heuristics-based engine, DrSolomon's can look for suspicious strings in files to make the detection processmore comprehensive.

Dr Solomon's scanning services are excellent. In a few minutes, theprogram worked its way through my infected files, identifying each one anderadicating them. Not even double-zipped files made it past the good doctor.

As far as notification options go, well, in Dr Solomon's they are close tononexistent. You can have the program report whatever it finds to a text file ora printer, but nothing more. If you're using Dr Solomon's as a virus scanner fora standalone workstation, this level of reporting might be adequate, but it'sclearly not enough if you plan to have the software scan multiple machinesacross a network.

Dr Solomon's scheduling services, in contrast, are both excellent andflexible. The internal scheduler supports interval scanning, rather than justdaily or weekly scanning. You can set up the scheduler to do full system scanswhen your system is idle. For example, if you leave the office for lunch at noonevery day, you can have the program perform a scan from 12:00 pm to 1:00 pm,then again at 5:00 pm when you call it a day. The scheduler also supportsexternal applications, so you can use it as a more elegant AT command (NT'sinternal and slightly convoluted scheduling service).

Unfortunately, Dr Solomon's handles virus definition updates poorly. Eachbox of Dr Solomon's Anti-Virus includes quarterly virus definition updates thatare sent out on floppies. You can also retrieve these updates from Dr Solomon'sWeb site, but you must install them manually. With new viruses appearing almoston a weekly basis, issuing updates four times a year makes very little sense,especially when compared with other products that update monthly or even weekly.

Dr Solomon's Anti-Virus Toolkit is a first-rate virus scanner that keepsgoing and going and going. However, the quarterly update plan makes very littlesense to me. Other virus scanners in this review perform just as well as DrSolomon's and offer more frequent updates.

VirusScan for Windows NT 3.02
Although early versions of McAfee's VirusScan for Windows NT lackedessential features and were rough in their execution, many of the naggingshortcomings I encountered in last year's roundup (see "Virus Scanners forNT," October 1996) have been cleaned up in version 3.02.

VirusScan ships on CD-ROM and floppies, but because 3.02 was brand new, Iopted to download the code from McAfee's FTP server (at press time, the fileswere stored at ftp://ftp.mcafee.com/pub/antivirus/winnt/vscannt). Once Idownloaded and unzipped the 3MB file, I executed setup.exe and specified aninstallation directory to install the software. Because I already had a previousversion of VirusScan installed, Setup offered to upgrade the existing files(actually, it removed them). Note, though, that you must use an account withAdministrator privileges to install VirusScan if you intend to scan networkdrives. Unfortunately, the documentation with the retail package is skimpy.Aside from installation instructions, most of the good stuff is availableelectronically in a Help file.

VirusScan 3.02's user interface, shown in Screen 4, page 80, is nearlyidentical to that of version 2.5. Wrapped around the scanning engine is anintuitive console from which you can set up tasks, update virus definitions, andview the virus list.

Running a scan is a bit trickier than you would expect. You don't simplyclick on a drive and let the virus scanner work its magic. VirusScan requiresyou to create scan tasks, which are predefined jobs that let VirusScan knowwhich drives to scan. Although this approach might sound cumbersome, theexecution is more flexible than the conventional method. For example, I set upone task to scan all local drives, another to scan network resources, another toscan my download directory, and one to scan my incoming email directory, eachtask executing independently of one another. You can have VirusScan plow throughyour local hard disks and network hard disks once a week to keep CPU andbandwidth usage to a minimum. The two most active directories on my system aremy download and email directories--on a slow day, I pull in roughly 100files--so I have VirusScan check for viruses in those two repositories once anhour.

In addition to the ability to schedule scans to run during off-peak hours,you can adjust the amount of priority the scan process receives. Those who useIDE hard disks will appreciate this feature because it prevents VirusScan fromdraining all available CPU resources. On a typical SCSI-based system, TaskManager reported 60 percent CPU usage with high priority, 50 percent usage withmedium priority, and 35 percent usage with low priority. On EIDE hard disks, theCPU usage jumped up to 95 percent for high priority, 76 percent for mediumpriority, and 45 percent for low priority.

VirusScan for NT doesn't have many downsides. The only problem I have withthe program is that it fails to take advantage of the Win32 APIs multithreadingarchitecture, limiting its scanning engine to working on one drive at a time.With SCSI hard disks becoming more and more common in new systems, I'd likevirus scanners to tackle multiple disks concurrently. To be fair, I must saythat every product covered in this roundup works off of a single-threadedscanning engine.

VirusScan's notification options leave something to be desired. Most commonnotification methods, such as email, printer, or pager alerts, are conspicuouslyabsent. In fact, the only option that somewhat resembles a notification featureis VirusScan's Prompt on Detection option. If you set the scanning engine'sbehavior to prompt only, VirusScan emits a (rather obnoxious) alert and acustomizable message when it detects a virus.

In practice, VirusScan's detection rate is top-notch. In about 10 minutes,VirusScan plowed through 2GB of files and detected and cleaned infected Worddocuments, Excel documents, boot sector viruses, and polymorphic pests. Thefinal score was VirusScan 40, viruses 0. McAfee claims that VirusScan has a 100percent detection rate, but seeing the result was still surprising. So I threw10 double-zipped infected files at VirusScan. It found all 10 viruses, but itcouldn't clean them while they were in zipped format. VirusScan also logs allactivity in a plain text file, making viewing the results of the last scan easy.

VirusScan's high detection rate comes from its Hunter engine. The Hunterengine is a heuristics-based detection engine that focuses mostly on polymorphicand Office viruses. This feature is important because polymorphic viruses have anasty tendency to change forms to avoid detection, as their name implies. AndOffice viruses are becoming more and more prevalent as virus authors dabble inVisual Basic for Applications (VBA), Visual Basic (VB), and other macrolanguages to create malignant applets that target Office applicationsexclusively.

Additionally, VirusScan's realtime scanning module sits quietly in thebackground, monitoring all disk I/O activity. Just for fun, I ran an executableinfected with the Jerusalem virus. VirusScan immediately trapped the virus anddisplayed a notification message. I was also pleasantly surprised to see thatthe realtime scanner didn't negatively affect system performance.

VirusScan's AutoUpdate module lets you easily retrieve new virusdefinitions if your computer is connected to the Internet. AutoUpdate is a shellscript that connects to McAfee's FTP server to compare file dates between thedefinitions on your hard disk and the ones on the server. If the file dates onthe server are later than the ones on your hard disk, the script downloads anupdate module and installs it seamlessly. If you have a permanent Internetconnection, you can even schedule AutoUpdate to retrieve updates automaticallyat preset intervals.

You can access McAfee's technical support department via a messaging forumon their Web page and by calling a toll number. Users with a maintenanceagreement (which is available at an additional cost) have access to a toll-freenumber. Ideally, McAfee needs a toll-free number for all customers, but thetechnical support staff seems to be competent, and they usually resolve problemsin minutes.

McAfee has improved VirusScan enough to give it the edge over competingWorkstation virus scanners, giving it a permanent spot on my desktop. With itsflexible scanning options and high virus detection rate, VirusScan is excellentinsurance for any connected PC. For an additional $99, the company offers freephone support for 90 days, free program updates for one year, and unlimited freevirus definition updates.

SWEEP 3.0
Unlike the other programs in this review, SWEEP 3.0 is designed as anetwork-based virus scanner. However, SWEEP can run on a standalone workstation,which is the environment I tested the product in.

SWEEP ships on three write-protected floppies and installs with a standardinstallation interface. Because SWEEP uses a client/server architecture, Sophosrecommends that you install the server software (InterCheck) to a central fileserver and distribute the clients from there. If you're working on a standaloneworkstation, you can simply install both components to the same machine. SWEEPrequires a user account to run its services, so you'll either need to installwith Administrator privileges or have an Administrator create an account forSWEEP to use before you install the software.

The printed manuals that come with the product are excellent. In additionto the three standard user manuals (one each for DOS, Windows 95, and NT), youget a Data Security Reference Guide, which I've dubbed the Data Security Bible.Within the 420-page book, you'll find anecdotes on past viral and Trojan horseattacks, a comprehensive history of viruses that dissects the basic virus formatto demonstrate how viruses attack files, and Internet security tips. For thesecurity conscious, this book might be worth the price of SWEEP.

SWEEP's UI is basic but adequate. Everything you need is accessibledirectly from the main window. As Screen 5 shows, the main window has foursections: a toolbar, a drive list, a progress indicator, and a status indicator.The drive includes a scheduling tab to let you schedule scans, and the toolbarincludes an Alert button to let you specify how to send out notificationmessages.

SWEEP supports two types of scanning: quick and full. Quick scans arefaster, but the process looks at only the parts of files most likely to containviruses. Full scans take longer because they scan the entire file for viruses.SWEEP also includes two different priority levels, letting you choose betweenquicker scans that take less CPU time or more complex scans that come at theexpense of system responsiveness.

In practice, SWEEP's detection engine is first-rate. The program detectedevery virus in my test bed. Even eccentric and uncommon strains couldn't escapeSWEEP's watchful eye. However, SWEEP's virus detection routines are vigilant tothe point of being an annoyance. When SWEEP discovers a virus, it locks the fileuntil it gets a chance to clean it. It restricts copy, delete, and executecommands, which is inconvenient if you keep infected files for further analysis,as I do. Although I appreciated the security that this all-or-nothing methodprovides, this aspect became a hindrance. Also, SWEEP does not supportheuristics-based scanning.

Cleaning the infected files is another matter. Of the 50 viruses itdetected, SWEEP cleaned 48 of them, deleting the two that it couldn't recover.

The scheduling function is simple but powerful. A tabbed dialog box letsyou define the type of scan (quick or full) you want to run. You simply checkoff the days that you want to run the scan and set times for each day. BecauseSWEEP, like most virus scanners for NT, runs as a service, you can close theprogram and let the service kick in at the prespecified times, even when you arenot logged on to the system.

InterCheck, the realtime scanning module in SWEEP, scans crucial files andchecks them against a list of authorized codes (that are created the first timea scan is initialized) when you first log on to NT. Once the program is loaded,it sits quietly in the background, monitoring activity. When you are about toload an infected file, InterCheck notifies you and locks the file. Aside from abrief slowdown when your system first executes InterCheck, the program doesn'tseem to affect system performance.

SWEEP keeps a detailed log, viewable with NT's Event Viewer, noting whichfile has been infected with what. Recording activity in the system log is adouble-edged sword because it makes exporting the saved information difficult.However, the system log is a logically sound place to keep the data.

SWEEP's notification methods leave something to be desired. Missing optionsinclude email and beeper notification that have become commonplace in virusscanners. SWEEP does provide network notification features, but the features areuseless for standalone systems.

Updates for SWEEP are handled and distributed by Sophos' main distributor,Alternative Computer Technology. ACT places monthly updates on its Web site andmakes them available to all registered users (alternatively, you can receiveupdates via monthly mailings of floppies which usually include productrefreshes). Unfortunately, you must download these updates and install themmanually.

Sophos' technical support department is a long-distance call for mostusers. But the company's virus specialists generally eradicate problems inminutes.

SWEEP is a solid contender in the server virus protection market, but it isoverkill for standalone workstations and small peer-to-peer networks. To befair, SWEEP isn't aimed at the workstation/SOHO market, so look elsewherefor a better virus detection system if you fit the SOHO profile.

Norton AntiVirus 4.0
One popular virus scanner for NT introduced a new version just in time forthis year's roundup. Version 4.0 of last year's Editor's Choice award winner,Norton AntiVirus, is a bit older and a lot wiser, but the lack of new featuresis disappointing.

Norton AntiVirus ships on a CD-ROM loaded with InstallShield. The softwarecomes with a 30+-page manual filled with installation and executioninstructions, in contrast to the almost encyclopedic manuals that come with DrSolomon's and SWEEP. Like the other programs in this roundup, Norton AntiVirusinstalls as a service and an application. Unlike the other programs, however, itlets you install it as a plugin for Netscape Navigator (Norton AntiVirus doesn'tsupport Internet Explorer's ActiveX extension model). This feature is handy inlight of the growing popularity of the Web as a software delivery vehicle. Theprogram requires a reboot when you complete installation, so make sure your datais saved and safe before you install the software.

On the surface, Norton AntiVirus 4.0 looks and feels like its previousversion. You select which drives to scan by marking their respective check boxesand clicking the Scan Now button. As Screen 6 shows, Norton AntiVirus includesthree checkboxes to scan all floppy drives, local drives, and network drives,making systemwide scans a bit easier to perform. Tabbed dialog boxes categorizethe comprehensive options list, so you can easily get to what you're looking forwithout wading through a sea of menus.

Unfortunately, Norton AntiVirus doesn't support the task-based scanningmethod available in other virus scanners. Although you can specify certain filesand directories to include in the scan list, the program doesn't save them,making creating customized scan tasks difficult. For example, both VirusScan andF-PROT let me create tasks to scan through my download and email directoriesdaily. Performing the same customized scan with Norton AntiVirus requiresmanually scanning each directory.

The scanning interface is straightforward. A progress indicator shows whichfile the program is currently looking at, the number of boot records and filesscanned so far, and the number of viruses cleaned and detected. Norton AntiVirushad no problem detecting 100 percent of the viruses left in dropper (.exe and.com) format, but it choked on the viruses that had been zipped twice.Apparently, Norton AntiVirus checks archived files (including .pkzip, .lzh,.arj, and .rar), but it won't look at archived files within archived files. Keepthis point in mind if you double-zip files.

The most important new feature in Norton AntiVirus 4.0 is the BloodHoundheuristics scanning engine. Like McAfee's Hunter engine, BloodHound focuses onpolymorphic viruses. Unlike Hunter, BloodHound has three preset sensitivitylevels, letting you choose the level of aggression it uses to weed out virusesin those hard-to-reach spots. BloodHound is every bit as effective as Hunter,detecting the 40 infected files that were not zipped twice. The program cleanedeach file to my satisfaction.

To provide scheduling functions, Symantec includes a copy of the NortonProgram Scheduler with Norton AntiVirus. Norton Program Scheduler is afull-blown task scheduler, supporting most programs that you might want toschedule. This program scheduler is much more intuitive than NT's internal ATcommand. By default, the scheduler includes four event types: Display message,Run program, Scan for Viruses, and Run LiveUpdate. Scan for Viruses and RunLiveUpdate are self-explanatory; they are triggers for Norton AntiVirus. Displaymessage, however, acts as a poor man's appointment manager. When you enter amessage and set a time and date, Norton Program Scheduler displays a dialog boxto remind you of appointments. Run program lets you create tasks to run atspecified intervals. I used this tool to initiate weekly automatic backups of mydata hard disk to CD-ROM.

The logging functions in Norton AntiVirus are first-rate. Activity logs arestored as text files that you view using Symantec's log viewer. The log viewerincludes filtering features to separate the superfluous information from theessential.

The notification options in Norton AntiVirus are passable, but not muchmore than that. When the program detects a virus, it displays an onscreenmessage, sounds an alert, and forwards the alert to active Norton AntiVirusNetWare loadable modules (NLMs) on NetWare servers. I would like to see a pagerand email notification in a future release.

Virus definition updates are available through Symantec's proprietaryLiveUpdate tool, which requires a modem. If you have an active Internet account,you can send LiveUpdate to fetch updated definitions from Symantec's FTP site.If your computer is not connected to the Internet, LiveUpdate will callSymantec's toll-free BBS and download the updates. The company handles technicalsupport, however, on CompuServe or via a toll telephone number. My experiencewith Symantec's technical support department was favorable. They answered myquestions promptly even when I was in the guise of a bumbling first-timecustomer.

Norton AntiVirus 4.0 does not have many new features, but it's still agood, solid virus scanner. Unless you keep ZIP files within ZIP files,investigate Norton AntiVirus as a possible virus scanner. Its clean interfaceand advanced features make it a great fit for any system.

PC-cillin NT 1.0
TouchStone Software's PC-cillin has been a popular Windows 3.1 and Windows95 product for the past few years, winning multiple awards. With the help ofTrend Micro, TouchStone has developed a version of PC-cillin for NT. PC-cillinNT ships with support for Win95 and NT on one CD-ROM. Unlike many other virusscanners, the wizard-based installation program performs a full system scanbefore copying its files to the hard disk. A full installation, consisting ofthe virus scanner and the realtime scanners, takes about 13MB of disk space.Other vendors take note: PC-cillin offers to create or update your EmergencyRepair Disk after installation.

PC-cillin has the best interface of the products I tested for this review.Although aesthetics might not be as important in virus scanning as it is inother genres, PC-cillin's tabbed interface, shown in Screen 7, makes getting upto speed with the program simple.

PC-cillin's scanning engine detected all the zipped and unzipped viruses,but it stumbled on the double-zipped files. To be fair, double-zipping isn'tcommon, but a scanner's ability to handle such files makes me sleep better atnight. Heuristics support is missing from the scanning engine, placing PC-cillina step behind those programs that provide that support. I hope future versionsof PC-cillin will include a heuristics-based scanning engine. Anything theprogram detected, it cleaned immediately.

PC-cillin's scheduling service is rudimentary but adequate. Although youcan't set the virus scanner to kick in at prespecified intervals (such asmultiple times per day or during idle times), you can have the program executedaily, weekly, or monthly.

Smart Monitor, PC-cillin's realtime virus scanner, is excellent andprovides a high level of customizability. For example, from the Custom Monitordialog box, you can set the type of events you want the scanner to triggeritself on, the type of files to scan (including UUENCODED files), and the typeof extensions to scan for. With this ability, you can easily retrofit PC-cillinfor your working environment. Smart Monitor also logs all detected viruses,which is handy if you leave your PC unattended on occasion.

One of the most innovative features in PC-cillin is its integration withNetscape to provide online support. But rather than providing a link from theapplication proper to Netscape Navigator, or adding a bookmark to the browser,PC-cillin includes a copy of Navigator within the software program. Thisintegration with a Web browser makes downloading patches and receiving thelatest virus alerts easy.

PC-cillin does most of the work of retrieving and installing updates behindthe scenes, so you don't need to worry about downloading the updates andinstalling them. TouchStone Software offers three methods of retrieving updates:from its toll-free BBS, from its Web site, and from a floppy. Installing theupdates is as easy as clicking on the appropriate button. Unfortunately, youcan't schedule automatic updates, so you'll have to retrieve updates manually.

Finally, TouchStone Software offers electronic technical support. When youencounter a problem, you can fill out an electronic template that is sentdirectly to the developers. Turnaround time is estimated to be fewer than 48hours. Although this solution is less elegant than traditional telephone-basedtech support, it's better than posting a message on an open forum.

Overall, PC-cillin is a good, solid virus scanner with some innovativefeatures that the antivirus field has never seen before. The lack of aheuristics-based engine is a problem if you anticipate encountering macroviruses. This oversight aside, PC-cillin NT has a lot about it to like.

Editor's Choice
Surprisingly enough, I didn't find a bad apple in the bunch. Table 1 summarizes my findings for each product's features. I would gladly install anduse any of the virus scanners I tested in this review. However, only twoprograms excelled enough to get my vote for Editor's Choice: McAfee's VirusScanand Symantec's Norton AntiVirus. If you actively follow the antivirus market,you might find this observation amusing because Symantec claims that McAfee hasillegally copied Symantec's source code for use in its products.

Legal issues aside, you can't beat either product's price and feature set.With their excellent detection rates, user interface, and automatic updatefeatures, McAfee VirusScan and Norton AntiVirus passed my acid tests with flyingcolors. Additionally, both VirusScan and Norton AntiVirus had the edge overtheir competitors because of their heuristic-based scanning engines. Byemploying heuristics technology, Symantec and McAfee have some additionalinsurance for the future.

The only feature keeping InocuLAN out of the Editor's Choice race is thelack of heuristics scanning in the version of the software that I tested.InocuLAN's superior notification features stood head and shoulders above bothMcAfee VirusScan and Norton AntiVirus, and you can't beat the price. With theinclusion of a heuristics-based scanning engine, InocuLAN will definitely be acontender. Dr Solomon's Anti-Virus also fared well in testing, but the quarterlyupdate plan and relatively high price took it out of the running.

For now, VirusScan is my primary virus scanner because of its task-basedarchitecture, but Norton AntiVirus still kicks in every time I download a file. I have the best of both worlds.