What virus and malware protection can do for you

Anti-virus (AV) vendors like to imply that without them, you'd be lost. Or at least your data would be. Some Windows users hold the opposite view: Anti-virus tools reduce system performance, annoy users with unnecessary warnings and block perfectly harmless apps while actual malicious software may still slip through.

Even though anti-virus software can be extremely annoying, it does provide an essential safety net. Without anti-virus software, you would have be extremely careful about all interactions with others to prevent malware infection. To put it as succinctly as possible: Without anti-virus protection, no internet.

Current anti-virus programs are very similar in the way they protect users from malicious software, "malware" for short. Their real-time protection modules check all files as soon as they come in. A web protection module tries to prevent access to harmful sites. Finally, an on-demand scanner checks all local data for possible infections.

It's true that all these methods require computing power, i.e. they slightly reduce system performance. However, several methods are being used to reduce this impact. One of them is a multi-level approach to identify harmful software.

A brief primer: how anti-virus protection works

The most simple way to identify threats is by matching the code with "signatures" of known malware. Put simply, this boils down to checking whether the file being analyzed matches a checksum from a blacklist.

This approach has the drawback that attackers can bypass signature recognition through minor code changes. Enter heuristics analysis, where the anti-virus program widens the detection criteria by matching a broader pattern, such as a specific piece of code instead of the whole file.

Heuristic analysis has the advantage of easily catching variants of a threat. However... and there's always a however with anti-virus software ... since heuristics involve some degree of guesswork, they are prone to mistake valid applications for malware.

Another approach is a behavioral analysis. For this purpose, suspicious applications are first run within a "sandbox," isolated from the operating system. This detection method, however, is very resource-intensive – i.e. if run on your computer, sandboxing can significantly impact its performance.

To mitigate these issues, anti-virus developers have developed online reputation systems. If the local anti-virus program is unsure about a file, it can instantly contact its vendor's servers to check whether it is found in a centralized whitelist. If the code is known to be harmless, it will be allowed to run. Is the code unknown, it's sent as a sample to the manufacturer's servers for central analysis. There, the sample is run in a virtual Windows environment where its behavior is checked for unusual activity.

All of this usually happens without users having to worry about it. Think of anti-virus programs as kind little elves working in the background, keeping you safe. However, occasionally even elves can get things wrong.

When anti-virus tools go haywire

In spite of the safeguards of whitelists and online reputation checks, anti-virus software occasionally will overshoot its target. Harmless software isn't allowed to run properly, access to innocuous websites is blocked. These mistakes are called "false positives."

One recent example for a false positive is Comodo Internet Security Pro, which under certain circumstances prevents users from running SoftMaker Office 2018. Using standard settings, Comodo's integrated firewall may block access to SoftMaker's activation servers. As a result, the software cannot verify the validity of a license and activation fails.

Software developers affected by such an issue have little recourse but to contact the anti-virus manufacturer, convince them of the legitimacy of their software and request their product to be added to the company's whitelist. This can take time. In the meantime, users have to make do with workarounds.

In the case of Comodo Internet Security Pro and SoftMaker Office 2018, currently the only way to ensure successful activation is to deactivate the anti-virus suite's "Website Filtering" module. This is done by accessing the settings of Comodo Internet Security and navigating to Website Filtering. In this section, you should disable "Enable Website Filtering (Recommended)" and confirm your choice by clicking OK.

Generally speaking, you should be very careful when disabling elements of your anti-virus protection. The best solution is to create exceptions for specific applications – this essentially creates a local whitelist. However, before you add such an exception, you will want to double-check that this will not endanger the computer's security. Luckily, there are several free online services to aid in this assessment.

How to check whether a file is harmless

Some anti-virus applications are very draconian: Suspicious files are quickly deleted or sent to "quarantine," a special container where it can't do any harm. This usually happens even before the anti-virus program issues any kind of warning.

There are several ways to check whether such a file is a false positive or as malicious as the anti-virus software believes it to be. Often you will first have to restore the file from quarantine. Since the process is highly application-specific, you should check their anti-virus documentation for details. To avoid that the restored file is removed again right away, you may sometimes need to first create a temporary exception.

Then, you can upload the file to an online virus scanning service such as HerdProtect, Jotti's Malware Scan, Opswat Metadefender Cloud or VirusTotal. Be careful to never double-click a suspicious file before uploading! The service will proceed to check the upload using multiple virus scanning engines – this can take a few minutes.

The results of online virus scanners can be difficult to interpret. However, if more than a few engines agree that the file is malicious, your local anti-virus was probably right. Special care needs to be taken with results marked as heuristic results (commonly identified as "heur"). As mentioned previously, heuristic analysis is quite prone to errors.

Online virus scanning services aren't perfect: It can actually happen that all scanners fail to detect the maliciousness of an uploaded file. This can especially occur with files you may have received as e-mail attachments. This type of malware is often tailor-made to bypass virus protection.

Usually anti-virus makers catch on to the ruse within a matter of hours. Therefore, if you remain suspicious of a file after first analysis, leave it be for a few hours, then upload it again. This often results in markedly different results which should clear up any doubt.

Be wary of uploading personal data to online virus scanners, though. Most of them will forward suspicious files to the individual anti-virus vendors for further analysis. This is usually pointed out in the online scanner's conditions of use, which nobody ever seems to read.

How to choose your anti-virus

If you're a private user running Windows, Windows Defender is a decent anti-virus solution. It's developed by Microsoft, therefore it integrates seamlessly into Windows. Windows Defender relies both on signatures and online reputation checks. It tries to be as unobtrusive as it can be, even though it's free.

All other free anti-virus tools essentially are advertisements for their commercial brethren. This means that they spend more effort to call attention to themselves, because they have to sell a product. Windows Defender follows a different business model.

If you use your computer for business purposes, Windows Defender may not be the best choice. Usage of the software requires active participation in "SpyNet," Microsoft's somewhat awkwardly-named reputation service. Should Windows Defender find suspicious files on a computer, it will upload them to Microsoft without asking. This could potentially expose confidential data to third parties.

The reason for this behavior is that Microsoft also sells a commercial anti-virus solution called "Endpoint Protection" designed for corporate customers. Windows Defender essentially feeds Endpoint Protection with malware samples.

Professional users may decide to go with a commercial anti-virus solution instead. Most of them offer the choice to opt out of uploading suspicious files, even though this can reduce the degree of protection. In addition, they offer additional layers of protection – some of them useful, some rather questionable.

Commercial anti-virus vendors usually offer several packages with differing features and pricing tiers: The basic anti-virus program only offers essential functionality. The mid-range internet security suite includes additional features such as safe browsing environments for online banking, ad blockers, password safes and parental controls. A deluxe version will pile on even more goodies, many of them of questionable benefit.

When deciding which package to choose, you should first install a trial version to familiarize yourself with the application and decide whether it meets your needs. Take your time to check whether the application tries to "lock you in," i.e. force you to keep using their product.

Password safes, for instance, are a generally very good idea, but the ones bundled with internet security suites frequently lack the possibility of exporting the data into a format other password safes can read. In the worst case, you end up stuck with an inferior anti-virus program just because it holds your passwords hostage.

Tools to "tune" or "clean" the operating system are also of dubious usefulness, given that Windows already includes features such as "Disk Cleanup" and "Storage Sense" to recover hard drive space. A "registry cleaner" can actually damage the operating system and Microsoft has been known to decline support to customers using such tools.