Anti-virus software can generally be defined as generic, malware specific, or hybrid. Generic software commonly includes change detection software (integrity checkers), behavior monitors, and behavior blockers. It deduces the existence of a virus from a change in the environment or an infectable object (a file, for example), or from a process displaying behavior characteristic of malware. (Note that the term malware is increasingly used with particular reference to Trojan horses rather than viruses. Trojans are considered at length in Chapter 8, as is change-detection software.)
Malware-specific software checks infectable objects against a database of virus definitions. If a match is found, it alerts the computer user and might be able to remove the virus from the infected object. This is usually possible with boot sector and macro infectors. File viruses are sometimes harder (and sometimes impossible) to disinfect, and some vendors don't try, taking the view that it's always better to replace a binary executable than to risk disinfecting it unsuccessfully.
Scanners can be on-access (real-time or memory-resident) or on-demand. On-access scanners check files and other infectable objects as they are accessed (especially as they're opened for reading or writing), and can be implemented as a DOS TSR, Windows VxD, NT service, Macintosh System Extension, and so on. Most anti-virus packages include an on-access malware-specific component, but on-access change-detectors do exist. On-demand scanners are executed only when called by the user or by scheduling software. They do their job, then terminate.
Modern malware-specific scanners are better described as hybrid. Although they use more-or-less exact identification, most are also capable of a generic technique known as heuristic analysis, which is related to behavior blocking. Code is checked for characteristics that suggest a virus, either by passive analysis of the code, or by executing it under emulation, so that its behavior can be safely monitored.
Inclusion in the following list of anti-virus products doesn't necessarily constitute a recommendation. Products change, and what works for one PC, environment, or organization won't necessarily work well in another. However, these are all competent products. In general, URLs in this chapter have been modified since the previous edition of this book, so that only the relevant domain name is given. Experience indicates that actual pages move around a lot. For a comprehensive list of vendors, try http://www.virusbtn.com/AVLinks/.
AntiViral Toolkit Pro (AVP)
AVP has been licensed by a number of vendors, but its exact status is uncertain at the time of writing. However, this is a very popular product. Check the Kaspersky Labs site for information about Kaspersky Anti-Virus, at
Kaspersky also provides a useful virus information site with virus encyclopedia at
The NAI range includes the current incarnations of McAfee and Dr. Solomon's for a wide range of workstation and server platforms, including PCs/Windows, Apple Macs, and UNIX (including Linux). The brand names McAfee and Dr. Solomon's are now usually applied to the same software, but the Dr. Solomon's brand is normally only used for the UK/European market. NAI's Web site is at
Norton Anti-Virus is available for a wide range of workstation, server, and gateway platforms including DOS, Apple Macintosh, Windows 9x, and Windows NT/2000.
Eliashim, producer of eSafe and now part of the Aladdin empire, focuses primarily on gateway protection from viruses and other malicious software. Contact them at
PC-Cillin by Trend Micro can be found along with their InterScan gateway products at
Sophos is very focused on the corporate market. Products are available for a wide range of workstation, server, and gateway platforms, including PCs/Windows, Apple Macs, and UNIX (including Linux). Learn more at
Norman Virus Control
Norman Virus Control (NVC) by Norman Data Defense Systems can be found online at
A number of products have been based on the F-Prot detection engine. The original product (which is free for personal use) can be found at
The product formerly sold by DataFellows as F-Prot Professional is now known as F-Secure, and is available at
The Command Software version of F-Prot Professional is at
Integrity Master, by Stiller Research, combines an advanced change detector with conventional known-virus scanning. The Stiller Web site is a good source of general information (hoax information, for example) and is located at
There are hundreds of virus scanners and utilities. We have listed some previously because they have a good reputation, are easily available on the Internet, and are updated frequently. Viruses are found each day, all over the world. Most of them are unlikely ever to be seen In-the-Wild, but sometimes a formerly quiet virus will suddenly "get lucky" and go feral. New worms and other email-borne viruses like Melissa or LoveLetter can go from unknown to global within hours. Strange to think that only a few years ago, it was still normal for anti-virus software to be updated on a quarterly basis.
The second edition of this book included links to sources of freeware and shareware anti-virus utilities. These links have been removed. They haven't been replaced with more up-to-date links, as it would be doing the reader a disservice to imply that such utilities are still a realistic substitute for commercial software. This applies even for older machines, many of which are still supported by some vendors. In anti-virus as in real life, you generally get what you pay for, or sometimes less.