Antivirus: Free vs. Paid Detection

Taking care of your system these days seems to be a less complicated task than it used to be a few years back. Now, protection against malware begins the moment you install your operating system. Windows 7 offers some basic security through Windows Defender and also provides a better solution in the form of Microsoft Security Essentials, which is free of charge and can be installed on systems that pass genuine validation. So, going with Windows 7 may be the winning hand after all.

But let’s not forget that more often than not, paid security software is the choice of most users. The reason behind this choice is the extended set of options such solutions come with, but also the myth that paid antivirus comes with better detection and elimination capabilities. Although the engine is the same, there are some differences between the paid and free versions of security software from the same company with regard to the protection components offered.

In other words, the protection components bundled around the engine are what you are paying for. Thus, free apps may have antivirus or anti-spyware capabilities, but a paying customer definitely receives increased protection for the system through a bunch of components (such as an email scanner, web shield, behavioral analysis, etc.) not included in the free edition of the product. Moreover, there are currently no freebies with a EULA that extends their use to corporate environments. So, you are bound to run them for personal use only.

To blast the misconception that freeware antivirus is less capable of recognizing malware than paid products, we grabbed five antivirus solutions for comparison and threw them in the ring with 16,704 malware samples (trojans, backdoors, exploits, spyware, worms, etc.). The purpose of the test was not to reveal detection differences between the free and paid product from the same company, but to compare a free product from one company with a paid product from another.

In the freeware corner, there were Microsoft’s Security Essentials and Avira’s AntiVir Personal (version 9, as the test was conducted before version 10 came out). The paid products were initially Kaspersky Anti-Virus 2010 and ESET’s NOD 32. The fifth product has a little of both worlds: avast! Pro Antivirus 5.0 brings script shield and sandbox capabilities to the table on top of the features included in the free version. However, neither of the two features was relevant for our experiment, which consisted simply of feeding the malware database to each product and checking the number of threats left behind.

The malware database used during the tests was made up of both new and older threats, collected over a period of 2 years (2008 and 2009), and included vicious items like Waledac or Downadup. Prior to the experiment, all products were updated to the latest definitions available on March 1, 2010. A second test was carried out on March 22 in order to measure detection improvements with a new set of signatures.

All products benefited from the same treatment and scanned the database offline. To ease their job and quicken the entire process, we eliminated all archives, giving the threats full exposure. So, it all boiled down to the level of detection and elimination each product could offer.

With signatures updated on 3/1/2010, the first antivirus thrown in the malware cage was Microsoft Security Essentials. We have to mention from the beginning that MSE proved to be by far the most problematic of all tested products. Despite its intuitive interface, scanning and elimination of the threats took much longer than we expected. Scan results, however, were pretty good, as MSE managed to kick out more than 14,000 samples, leaving 2,662 threats on the test system.

Moving to Avira AntiVir Personal 9, the experience improved dramatically, as the application took a little under an hour and a half (1h23’) to clear 15,707 samples. In this case, there was no need for multiple scans, as the application took care of the threats on the first pass. Out of the total number of threats discovered, AntiVir Personal marked 61 as suspicious, and they were automatically moved to quarantine.

Both MSE and Avira AntiVir Personal offer an intuitive interface that does not require any effort to handle. Malware management upon detection can be set to an automatic action of your choice, while scan scheduling is supported by both applications. One inconvenience on Avira AntiVir Personal’s side is the advertising window that pops up after certain activities have completed. As for MSE, you cannot opt out of joining Microsoft SpyNet, which sends anonymous information about detections and actions taken to Microsoft’s servers.

The first paid product put up against the malware load was Kaspersky Anti-Virus 2010. All the options integrated in the application are a clear sign of paid quality. Besides anti-malware protection, this product can also scan incoming and outgoing mail messages for the presence of malicious code, check HTTP traffic, and verify data sent and received through IM programs. Anti-phishing, a component not seen in free security products, is included in Kaspersky Anti-Virus 2010.

Kaspersky Anti-Virus was also put up against our threat database and did pretty well on the job, which took 3h49'23'' to complete. Although we expected outstanding results, or at least better ones than in the case of the freeware products, that did not happen. The set of 16,704 samples was cut down, leaving behind 1,523 threats.

Just like Kaspersky, ESET's NOD 32 brings a sturdier collection of options, which includes protection against threats coming through email (POP3 checking) and HTTP/HTTPS, not to mention heuristics management. For testing purposes, the application was configured for maximum sensitivity: ThreatSense parameters set to check all file types, advanced heuristics enabled, and the same for the Anti-Stealth technology (rootkit detection).

Although we had our hopes up, with NOD 32 things did not get better either when it came to rooting the nasty stuff out of the system. On the contrary, the application managed to chop only 7,631 threats from our database.

This sure looks like definite proof of inefficiency in protecting your system, but it is not exactly so. NOD 32 relies quite heavily on behavioral detection, which means that the malware has to be executed for the application to pick it up. We did this for the samples that would initiate the infection procedure immediately, and to our surprise, they were promptly detected and eliminated from the damaged system. Unfortunately, because running every sample would have taken too long to complete, we chose to drop NOD 32 from the comparison experiment.

avast! 5 is kind of playing for both teams, as the only limitations of the free version compared to the Pro edition are the lack of the script shield, sandbox, firewall and spam protection in the former. Despite the fact that none of these affect our experiment, we decided to go with avast! Pro Antivirus instead of the free edition.

With the application updated to the latest files available on March 1, we followed through with the trial. No more than 8 minutes and 13 seconds passed before the avast! voice announced that the scan had completed, and the Scan window agreed with the statement; we ran the test again and this time kept our eyes on the process just to make sure nothing went wrong. With a processing speed of over 9 MB of data per second, it couldn't have gone wrong.

The results were pretty encouraging, with a total of 15,305 dormant threats eliminated. That translates into 1,399 malicious items still present on the system. All this in a little over eight minutes.

After the first round of experimenting, the percentages recorded were as follows: Avira AntiVir Personal 9 leads with a 94% detection and elimination rate, followed by avast! Pro Antivirus with 91.6% and Kaspersky Anti-Virus 2010 with 91%. Falling into last place is Microsoft Security Essentials, with an 84% detection and elimination rate. It looks like the paid products stick close together, while the two freebies are 10 percentage points apart.

Running the second test (on March 22) on the set of malware that had not been eliminated the first time made practically no change to the statistics. MSE managed to nab another nine samples; Avira reduced the remaining threats by five items, leaving 992 threats behind. Kaspersky had the greatest improvement in the second test, as it succeeded in eliminating another 78 items from the test database, thus increasing its detection/elimination rate to 91.3%. avast! Pro Antivirus registered the smallest improvement, as it eliminated only three samples after the update.

Conclusion

Judging strictly by the detection/elimination rate on a locally stored malware database, it looks like the freebies are in control. However, paid products, despite their lower rate in this test, provide protection against threats that come your way through various distribution channels, such as drive-by downloads, email, scripts, etc.

Additionally, some of them (such as Kaspersky Anti-Virus 2010) feature behavioral detection of threats, which increases their efficiency, as they can bust malware for which no signature exists yet. In other words, security software developers integrate extra tools into different versions of the same application to convince you to open your wallet.

Security products under a freeware license are not without flaws either. Some of them come with nagging pop-up screens, such as Avira AntiVir Personal’s notifier, or simply lack protection modules designed to increase security and improve detection. In the end, choosing between a paid or free-of-charge antivirus depends entirely on your needs and your level of computer usage knowledge.
