What is the best antivirus program? None! Different products are more or less appropriate in different situations, but in general you should build a cost-effective *strategy* based on multiple layers of defense. There are three main kinds of antivirus software, plus several other means of protection, such as hardware write-protect methods (see D4). When planning your antivirus strategy you should also look closely at your backup policies and procedures (see 10).

1. ACTIVITY MONITORING programs. These try to prevent infection before it happens by looking for virus-like activity, such as attempts to write to another executable, reformat the disk, etc. An alternative term is BEHAVIOR BLOCKER. Examples: SECURE and FluShot+ (PC), and GateKeeper (Macintosh). These programs are considered the weakest line of defense against viruses on a system that does not have memory protection, because in such an environment it is possible for a tunnelling virus (see B12) to bypass or disable them.

2. SCANNERS. Most look for known viruses by searching your disks and files for "scan strings" (short byte sequences taken from the body of each known virus) or patterns, but a few use heuristic techniques to recognize viral code. Most now also include some form of "algorithmic scanning" in order to detect known polymorphic viruses, whose bodies vary from one infection to the next and so cannot be matched by a fixed scan string. A scanner may be designed to examine specified disks or files on demand, or it may be resident, examining each program which is about to be executed. Most scanners also include virus removers. Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk Software's F-PROT, McAfee's VirusScan (all PC), Disinfectant (Macintosh). Resident scanners: McAfee's V-Shield, and F-PROT's VIRSTOP. Heuristic scanners: the Analyse option in F-PROT, TBAV's TbScan and ChkBoot (from Padgett Peterson's FixUtils). Scanners are the most convenient and the most widely used kind of antivirus program. They are a relatively weak line of defense because even the simplest virus can bypass them if it is new and unknown to the scanner.
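The scan-string matching described above, as an added example that is not part of this FAQ nor code from any of the scanners it names. The two scan strings, the "??" wildcard notation and the sample "files" are all constructed for illustration (none is a real virus signature), and the demo shows both what a scanner catches and what it misses: a variant covered by the wildcards is found, but a sample that differs by a single byte outside the wildcards, i.e. a virus the scanner has never seen, is not.

```python
# Added example, not code from the FAQ or from any scanner it names.  The scan
# strings, the "??" wildcard syntax and the sample files are constructed for
# illustration; none of them is a real virus signature.

def parse_scan_string(text):
    """Turn a hex scan string such as 'E8 ?? ?? 5E' into a list of byte values,
    with None standing for a wildcard byte (the simplest form of algorithmic
    scanning, used to cover variants that differ in a few bytes)."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

# Constructed scan strings (virus name -> pattern).  Sample.B wildcards the
# displacement of a CALL so that every variant with the same prologue matches.
SIGNATURES = {
    "Sample.A": parse_scan_string("B8 00 4C CD 21"),        # exact byte sequence
    "Sample.B": parse_scan_string("E8 ?? ?? 5E 83 EE 03"),  # CALL rel16 / POP SI / SUB SI,3
}

def find_pattern(data, pattern):
    """Offset of the first occurrence of pattern in data, or -1 if absent."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        for i, want in enumerate(pattern):
            if want is not None and data[off + i] != want:
                break
        else:
            return off
    return -1

def scan_bytes(data):
    """Names of every signature found in data, in signature-table order."""
    return [name for name, pat in SIGNATURES.items() if find_pattern(data, pat) != -1]

def scan_file(path):
    """On-demand scan of one file."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())

def demo():
    """Constructed samples: a known virus, a variant covered by the wildcards,
    a 'new' virus that differs by one byte outside the wildcards, and a clean file."""
    filler = bytes(range(0x20, 0x60))          # printable junk, matches nothing
    samples = {
        "known":   filler + bytes.fromhex("B8004CCD21") + filler,
        "variant": filler + bytes.fromhex("E812345E83EE03") + filler,
        "unknown": filler + bytes.fromhex("B8014CCD21") + filler,
        "clean":   filler * 3,
    }
    return {name: scan_bytes(data) for name, data in samples.items()}
```

Real scanners narrow the search to the code near the entry point of each executable rather than scanning whole files, both for speed and to reduce false alarms, and their scan strings are chosen from code the virus cannot easily change. The demo's "unknown" sample makes the FAQ's point concrete: one changed byte in the right place and the scan string no longer matches, so the scanner only ever knows what its last update taught it.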
Therefore, your virus protection system should not rely on a scanner alone.

3. INTEGRITY CHECKERS or MODIFICATION DETECTORS. These compute a small "checksum" or "hash value" (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. This catches unknown viruses as well as known ones and thus provides *generic* detection. On the other hand, modifications can also be due to reasons other than viruses. Usually, it is up to the user to decide which modifications are intentional and which might be due to viruses, although a few products give the user help in making this decision. As in the case of scanners, integrity checkers may be called to checksum entire disks or specified files on demand, or they may be resident, checking each program which is about to be executed (the latter is sometimes called an INTEGRITY SHELL). A third implementation is as a SELF-TEST, where the checksumming code is attached to each executable file so they check themselves just before execution. It is generally considered a bad idea to add such code to existing executables (see F8). Examples: ASP Integrity Toolkit (commercial), and Integrity Master and VDS (shareware), all for the PC. Integrity checkers are considered to be the strongest line of defense against computer viruses, because they are not virus-specific and can detect new viruses without being constantly updated. However, they should not be considered as an absolute protection: they have several drawbacks, cannot identify the particular virus that has attacked the system, and there are successful methods of attack against them too. In particular, the baseline must be taken on a clean system (a stealth virus active in memory will show the checker unmodified files), the table of checksums must be kept where a virus cannot rewrite it, and a simple CRC can be preserved by a virus that pads itself to compensate, which is one reason to prefer a cryptographic hash.

3a. Some modification detectors provide HEURISTIC DISINFECTION. Sufficient information is saved for each file (typically its original length, its first bytes and a checksum) so that it can be restored to its original state in the case of the great majority of viral infections, even if the virus is unknown.
Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD module of V-Care and ThunderByte's TbClean.

Note that behavior blockers and scanners are virus *prevention* tools (they aim to stop a virus before it runs or is copied onto the system), while integrity checkers are virus *detection* tools (they find an infection after it has happened). Of course, only a few examples of each type have been given.

All of these types of antivirus program have a place in protecting against computer viruses, but you should appreciate the limitations of each method, along with system-supplied security measures that may or may not be helpful in defeating viruses. Ideally, you should arrange a combination of methods that cover each other's weaknesses. A typical PC installation might include a protection system on the hard disk's MBR to protect against viruses at load time (ideally this would be hardware or in BIOS, but software methods such as DiskSecure and Henrik Stroem's HS are pretty good). This would be followed by resident virus detectors loaded as part of the machine's startup (CONFIG.SYS or AUTOEXEC.BAT), such as FluShot+ and/or VirStop and/or ChkBoot. A scanner such as F-PROT or McAfee's VirusScan and an integrity checker, such as Integrity Master, could be put into AUTOEXEC.BAT, but this may be a problem if you have a large disk to check, or don't reboot often enough. Most importantly, new files and diskettes should be scanned as they arrive *regardless* of their source.

If your system has DR DOS installed, you should use the PASSWORD command to write-protect all system executables and utilities. If you have Stacker or SuperStor, you can get some improved security from these compressed drives, but also a risk that those viruses stupid enough to write directly to the disk could do much more damage than normal. In this case a software write-protect system (such as provided with Disk Manager or The Norton Utilities) may help. Possibly the best solution is to put all executables on a disk of their own, with a hardware write-protect system that sounds an alarm if a write is attempted.
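The integrity checking of item 3 and the heuristic disinfection of item 3a, as an added example that is not from this FAQ nor from any product named in it. It stores size, SHA-256 and the first 16 bytes of each file (the HEAD_LEN constant, the JSON baseline layout and the simulated appending infector are assumptions of this example), reports modified, new and missing files, and restores a file only when cutting it back to its recorded length and replacing its head reproduces the recorded hash; any other change is left for the user to judge, as the FAQ says.

```python
# Added example, not from the FAQ or from any product it names.  A minimal
# integrity checker with heuristic disinfection.  HEAD_LEN, the baseline file
# layout and the simulated infector below are assumptions of this example.
import hashlib
import json
import os
import tempfile

HEAD_LEN = 16  # bytes of each file's head kept in the baseline, enough to undo an overwritten entry jump

def fingerprint(path):
    """Size, SHA-256 and original head bytes of a file.  A cryptographic hash is
    used rather than a CRC because a CRC can be forged by padding the infected file."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "head": data[:HEAD_LEN].hex()}

def _walk(root, db_path):
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.abspath(path) != os.path.abspath(db_path):
                yield os.path.relpath(path, root), path

def build_baseline(root, db_path):
    """Record fingerprints of every file under root while they are presumed clean.
    In real use the baseline belongs on write-protected media, not on the disk it describes."""
    db = {rel: fingerprint(path) for rel, path in _walk(root, db_path)}
    with open(db_path, "w") as f:
        json.dump(db, f)
    return db

def check(root, db_path):
    """Compare the current files against the baseline (an on-demand check; an
    integrity shell would do the same for one program just before it runs)."""
    with open(db_path) as f:
        db = json.load(f)
    seen, modified, new = set(), [], []
    for rel, path in _walk(root, db_path):
        seen.add(rel)
        if rel not in db:
            new.append(rel)
        elif fingerprint(path) != db[rel]:
            modified.append(rel)
    return {"modified": sorted(modified), "new": sorted(new), "missing": sorted(set(db) - seen)}

def heuristic_restore(path, record):
    """Undo an appending infection without knowing the virus: cut the file back to
    its baseline length and put the saved head bytes back.  Only commit the result
    if the hash then matches; otherwise report failure and leave the file alone."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < record["size"]:
        return False
    candidate = bytes.fromhex(record["head"]) + data[HEAD_LEN:record["size"]]
    if hashlib.sha256(candidate).hexdigest() != record["sha256"]:
        return False
    with open(path, "wb") as f:
        f.write(candidate)
    return True

def demo():
    """Constructed scenario: baseline two 'programs', infect one with a simulated
    appending infector, rebuild the other legitimately, then check and restore."""
    root = tempfile.mkdtemp()
    db = os.path.join(root, "baseline.json")
    prog, util = os.path.join(root, "PROG.COM"), os.path.join(root, "UTIL.COM")
    with open(prog, "wb") as f:
        f.write(bytes.fromhex("B8004CCD21") + b"original program body " * 4)
    with open(util, "wb") as f:
        f.write(b"utility code " * 6)
    baseline = build_baseline(root, db)

    # Simulated appending infector: the entry point becomes a JMP to code added at the end.
    with open(prog, "r+b") as f:
        body = f.read()
        f.seek(0)
        f.write(b"\xE9" + len(body).to_bytes(2, "little") + body[3:] + b"[simulated viral payload]")
    # Legitimate change: somebody installed a new version of the utility.
    with open(util, "wb") as f:
        f.write(b"utility code v2 " * 6)

    before = check(root, db)
    restored = {os.path.basename(p): heuristic_restore(p, baseline[os.path.relpath(p, root)])
                for p in (prog, util)}
    after = check(root, db)
    return before, restored, after
```

Both files show up as modified, but only PROG.COM restores: its original bytes beyond the head are still there under the appended payload, so the reconstruction hashes correctly. UTIL.COM fails the hash check and is left untouched for the user to decide, which is exactly the limitation the FAQ describes. The baseline file is kept beside the data here only for the demo; a virus that can rewrite the baseline defeats the checker, so in practice it belongs on write-protected media.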
If you do use a resident BSI (boot sector infector) detector or a scan-while-you-copy detector, it is important to trace back any infected diskette to its source. The reason viruses survive so well is that usually you cannot do this: the infection is found long after the infecting diskette has been forgotten, because most people's scanning policies are lax. Organizations should devise and implement a careful policy that may include a system of vetting new software brought into the building and free virus detectors for the home machines of employees/students/etc. who take work home with them.