Virus Killers: Macworld Lab Tests Virus Software and Survives
By Bruce Schneier
Macintosh users ignore computer viruses at their peril. Viruses can cause irreparable damage to the system or destroy megabytes of data. Fortunately, unlike their biological namesakes, computer viruses are relatively easy and painless to control. With a leading virus-protection software program, it takes only a few minutes a day to remain virus-free.
Macworld Lab tested four antiviral products--the freeware application Disinfectant, Central Point Software's MacTools ($149.95), Symantec's Symantec AntiVirus for Macintosh (SAM, $99), and Virex ($99.95) from Datawatch--against every Macintosh virus known at the time of testing, 52 in all. We also looked at each product's features and measured how fast the programs detected viruses.
We found that all four programs effectively combat the most important and prevalent viruses, but not all could handle certain strains. And the products varied widely in how fast they operate, with Virex blazing a new performance standard for virus detection. At the speed of Virex, dealing with viruses becomes a virtually painless exercise.
Know the Enemy
To understand the relative quality of these products, first take a step back to consider your insidious opponent: computer viruses are software programs. But unlike normal software, viruses operate unseen, on their own initiative, often hiding inside other programs and running when those programs are launched.
Many Macintosh viruses are benign; they simply spread from computer to computer without doing damage. But others erase files and cause other mayhem. Viruses can be spooky because they rarely put up dialog boxes or prompt users for input--once your machine is infected, unseen damage can go on for some time until you notice a problem. By then it may be too late to correct. Other viruses leave files or applications untouched, but cause system incompatibilities that lead to crashes and other problems.
Computer viruses spread by modifying another program to include an executable, and possibly altered, copy of the virus. They enter your machine on removable disks, files downloaded from bulletin boards, files shared on servers, and sometimes even shrink-wrapped software or blank preformatted disks.
Typically, the virus code executes when a user launches the program the virus is attached to. The virus then attempts to infect other programs, thereby reproducing itself. A virus may start reproducing right away, or it may lie dormant until it is triggered by some event (the computer's clock registering Friday the 13th, for example). Some viruses duplicate themselves when you open an infected file. Others infect the system and infect other volumes when you access them.
All four antiviral programs are easy to install and use. Each consists of an INIT and an application. The SAM interface is slightly more complex--and therefore takes a bit more concentration--than the other products, but this shouldn't cause problems for most users. These are relatively simple applications, and each user interface is relatively easy to use.
All four products did a good job destroying the known viruses that they are designed to detect. Detection is relatively easy because each virus leaves a distinct signature--a string of bytes that uniquely identifies the viral code. Antivirus software merely recognizes these signatures.
When any of these products discovers a known virus, it informs you of the infection and asks if you want the virus removed. Say yes. The program then removes the virus and, to the best of its ability, restores your system to its previral state. We found that once any of the products detects a virus, eradication is 100 percent effective.
Differences between the products emerge, however, in what viruses they can detect (see "Antivirus Performance Factors"). All four detected Macintosh System viruses, the most common and dangerous strain. Only SAM and Virex detected HyperCard viruses, however, so if you routinely use HyperCard those two products represent your only viable options. Disinfectant cannot detect Trojan horses--stand-alone applications that must be launched in order to be activated, and that are similar to viruses in the damage they can cause.
Every virus program can scan files compressed with all driver-level compression products, including Fifth Generation Systems' AutoDoubler and Aladdin Systems' StuffIt SpaceSaver. When it comes to archiving programs, the virus-detection products are less effective. SAM scans archives compressed with both Aladdin Systems' StuffIt series and Compact Pro; MacTools scans Compact Pro archives but not StuffIt archives; and neither Virex nor Disinfectant scans compressed archives. Such deficiencies make it imperative to use other program features regularly to catch viruses that may be released when a compressed file is expanded.
Speed is a critical and clear-cut differentiating factor. Most people scan for viruses with diligent regularity only if the process is convenient and quick. All four products are convenient, but only Virex, with its impressive SpeedScan, is fast. Scanning operations that take SAM upwards of 5 minutes take Virex less than 30 seconds to complete. With Virex it is reasonable to scan your entire hard disk every time you boot up your Macintosh.
Detecting new or undocumented viruses is much harder. Since an antivirus program does not have unknown viruses' signatures to go on, it cannot scan for those signatures. SAM and Gatekeeper (a freeware program available on most online services, often used to supplement Disinfectant) continuously monitor the System for suspicious activity. (Disinfectant can monitor for activity by known viruses and their variants but not by new viruses.) Both SAM and Gatekeeper sit in the background, watching your other applications go about their business. When a virus danger signal pops up--a program writing to the System file, for example--SAM and Gatekeeper post an on-screen alert.
In contrast, Virex uses checksums--electronic fingerprints of files on your disk--to determine if a file has been modified, possibly by a virus. MacTools goes a step further, employing both checksums and continuous monitoring.
Both approaches work but can be more trouble than they are worth. When a program detects a possible virus, you then have to decide if there really is an infection or if it's a false alarm. (For example, some applications legitimately alter the System Folder on installation, triggering a suspicious activity alarm.) In general, you have little to base this decision on. False alarms are annoying to experienced users and can cause unnecessary panic among beginners.
And while both techniques can help you detect unknown viruses, they do not let you determine what virus it is or how to remove it. All you can do is restore your files from preinfected backups. In short, these methods are rarely worth the trouble.
While Intel-based-PC users face many hundreds of viruses and new ones all the time, the odds of a Macintosh user finding an unknown virus are slim. Partly because Macintosh viruses are relatively hard to write (just like legitimate Mac applications), there are relatively few known Mac viruses. Stick to detecting known viruses and you'll be fine more than 99 percent of the time.
Updating Software Is Vital
Still, the inventory of known Mac viruses is growing, if slowly. For example, after Macworld Lab completed its testing, we learned of two new viruses, Init 9403 and Init 29-B. Init 9403, a highly destructive virus that spreads only through Italian versions of Mac system software, attempts to erase all drives connected to the infected system. This example shows why it is vital that you keep your antiviral software up-to-date. New versions of antiviral software are released days (sometimes even hours) after a new virus is discovered. (All products should have long since added Init 9403 and Init 29-B to their roster by the time you read this.) If you're a registered user of one of the commercial programs, you're mailed a postcard that gives you the signature of the new virus; you have to enter that string into the program.
These signature strings are also available on America Online, on other services in some cases--CompuServe and AppleLink for SAM, and CompuServe for MacTools--and from the companies' own bulletin board services. All three companies can also, for a small fee, send updated software disks to registered users. Disinfectant users can get updated versions on network servers on the Internet, CompuServe, GEnie, and America Online.
SAM is the best antiviral program for network distribution. It allows a central network administrator to automatically install or update SAM on every machine on an AppleTalk network. MacTools requires that each user on a network download the new version from a server, but MacTools has a reporting feature so that an administrator can see which users have updated their antiviral software and which have not. Virex can be installed across a network. It currently has no network updating features, though Datawatch plans to add them in the next version. Disinfectant has no networking features.
Whichever product you select, you'll be safer if you employ some simple preventive antivirus techniques:
Fortunately, you shouldn't run into such problems too often--at least not as a result of viral infections. The Macintosh virus threat has diminished, both in the number of new viruses discovered and the number of reported incidents of infection. This is mostly due to the excellent quality of these four antiviral packages. So viruses can be an annoyance, or even an occasional problem. But if you use a little common sense, they should never become a computing nightmare.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.