Dump Your Virus Scanner
Which is worse, the virus or the scanner?
By Dave Methvin
February 26, 2001
- Virus signatures are updated too slowly.
- Virus scanners provide false security.
- Virus scanners decrease reliability.
- Virus scanners reduce system performance.
- Alternatives are available for experienced users.
- Alternatives are available for inexperienced users.
Now, I'm going to ask that you read this week's column completely before you send me a flame mail. If you work for a company that has set up the PC that you're using, this column is for informational purposes only; don't cause your IT people to blow a gasket by disabling your virus scanner. This column is for people who totally control what they do with their own PC, are not computer novices, and want a stable, fast and reliable setup. If you can't honestly answer "yes" to all three conditions, then you shouldn't try this.
Yesterday's Viruses
Most people don't update their virus signatures on a daily basis, yet the most recent viruses like IL0VEY0U and K0URNIK0VA have gone from unknowns to widespread phenomena in less than 48 hours. When email viruses spread quickly, some vendors have taken to sending broadcast messages to their customers and the press, warning them to update their virus signatures. These are all cases of closing the barn door after the cow is already out. (A few virus scanners look for behavior rather than a particular signature in a file, but these have their own set of problems because they can cause more false alarms.)Don't Worry, I Have Protection
If you're with me so far, you'd agree that the average virus scanner doesn't offer the most bulletproof protection for the kind of viruses we've seen lately. But users may feel that they're protected and take risks they wouldn't normally take. For example, an email comes that purports to be from someone they know, and it has an executable file attached. They figure, "If this is a virus the scanner will catch it, so I'll just run the thing." Pow, they're infected with a virus that the scanner didn't recognize.Anti-virus, Anti-reliability
To be able to catch viruses, antivirus software has to hook into quite a few important functions of the system. That provides plenty of opportunities for incompatibility with applications and the operating system. Add to that the hassle factor of false positives, where the antivirus software cries "wolf" about perfectly clean applications. If you want some examples, here are just a few from Microsoft's support database:Q265824 - Norton AntiVirus Error Message When You Install SP1
Q247821 - OL98: Error Message: "SPOOL32 Caused an Invalid Page Fault in Kernel32.dll"
Q187324 - Shutdown Problems When Auto-Protect Is Enabled in Norton AntiVirus
Q276443 - Computer Stops Responding When You Run a Thorough ScanDisk with McAfee VirusScan 5.1 Installed
Q268113 - Internet Explorer 5 and Outlook Express 5 Performance or Hang-up Issues
Q236772 - Receive Win32sys.exe Error Messages When You Start Your Computer
Q226313 - OLEXP: MSIMN Is Still Running After You Quit Outlook Express
Q216609 - WD2000: McAffee VirusScan Incorrectly Reports Virus in Calendar Wizard
Q163275 - OFF97: Macro Virus May Be Detected in WWINTL32.DLL
Wait, Let Me Check That
There's no such thing as a free lunch performance-wise either. If you want a virus scanner to check files whenever they're read or written, it will have to slow you down. A review by PC Magazine (May 9 2000, pp. 168) showed that Norton Antivirus slowed their benchmark scores by about 9 percent. I would contend that the effect is even more noticeable than that on disk-intensive operations, such as starting a program.Where Virus Protection Doesn't Go
Here are some tools and techniques that you may actually find more effective and economical than a retail virus tool:- Everyone using Outlook for email should put Outlook in the Restricted Sites zone and then be sure to lock down the Restricted Sites zone. This will prevent HTML-scripted emails from running before you have a chance to stop them. So do it.
- Always turn off the Windows option to hide file extensions! Virus writers use this feature to fool you into clicking attachments that look like images when they're really scripts. It's easy: start Windows Explorer and click Tools | Folder Options | View and clear the check box next to "Hide file extensions for known file types."
- If you do run a script accidentally, WinMag's own WatchDog scans any script that you run, including those in email messages, and warns you if they contain harmful script commands. Since Watchdog doesn't depend on a virus signature it can detect viruses that haven't been written yet!
- Virus scanners don't detect and remove BHOs and other spyware so you might want to use a utility like Ad-Aware on a regular basis to see if any intrusive software has made its way onto the system.
Scanning on a Schedule
I'm not against scanning the disk for viruses. In fact, I think you should check for viruses every so often, along with other important system maintenance such as ScanDisk and Defrag. Most of the performance and reliability hit from virus scanners comes from the "real-time" feature that is constantly resident in memory. It watches data going to and from the disk to see if it matches any known viruses. You can improve things significantly if you turn off these features and instead run the batch scanning tool that comes with most retail virus scanners. Or, start one of the free Internet scanners (see below) and go off to lunch. (It could be done while you're at your PC, but the scan really slows things down.) Make sure you have the latest virus signature files, get them right before you do the scan to make sure they're fresh. Combine this with good virus prevention practices and you won't need real-time scanning.Free Virus Scans
If you don't have a virus scanner and don't want to buy one, use one for free. My site, PC Pitstop, offers one. So does Trend Micro. If you don't like the idea of an online virus scanner, download a free one such as Inoculate-It.Virus Protection for Novices
As we've seen in the past few months, even a relatively up-to-date virus scanner can let viruses through. It would be great if you could get all users to follow some simple rules for avoiding viruses like the ones in the previous section. If that doesn't work, you can try the "nuclear option" and install tools like the Security Update for Outlook 2000 and Outlook 98 that do away with attachments altogether. As an expert I'd never install this kind of thing on my own PC, but it might be a very good option for the kids or novices who always seem to be tricked into running viruses.Okay, I hope I've made myself clear. If you know what you're doing, you don't need a real-time virus scanner insinuating itself into your system and reducing performance. By taking a few simple precautions and using free tools available on the Internet, you can make your system faster, more reliable, and still be safe. Even if you decide to keep your scanner running, remember that it can be the cause of system problems. When you experiences crashes or other strange system behavior, try disabling your virus scanner to see if it cures the problem.
Dave Methvin is a developer at PC Pitstop, a web site that automatically diagnoses and fixes common PC problems.
