This posting will discuss which of the following three programs deserves the title of “best freeware antivirus program”: Avira Antivir, Avast, or AVG. My conclusion: all three are very worthy contenders that can hold their own or surpass any heavyweight for-pay antivirus; however Anitvir and Avast are definitely in the first tier, while AVG is a close second tier.

There’s been a vigorous debate going on in the little “cbox” message box (in the sidebar) over which freeware antivirus program is best. This posting will explore this issue more closely. The objective is to go beyond the ubiquitous “I have used program x for y years now and it has kept me completely virus free” to a more substantial comparison.

The findings presented here are not my original work but come from a single source: AV-comparative.org’s antivirus comparison tests conduced in Nov 2008 (test #20) and Feb 2009 (test #21), which are the latest as of this writing. It is somewhat difficult to reference these as sources because the av-comparatives site disallows direct linking to the test results and requests that all links be to its root domain (presumably because new tests are always published and they do not want links to results that may be obsolete).

By way of comparison and to provide some perspective I will also include some of the numbers for two of the best paid antivirus programs: Kaspersky and ESET NOD32.

Where AVG has a good advantage is in the number of false positives (lower than both Antivir and Avast, both of which exhibit comparable numbers of false positives). However, AVG scores another strike against it in terms of its scanning speed, which is significantly slower than the other two.

The freeware version of Antivir displays an advertisement on every update, which is rather undesirable; however, this can be easily disabled (look here, here, or here). It also “does not support email scanning”; however, this is also a non-issue in my opinion, a red-herring designed to scare less tech-savvy users into purchasing the paid version. The reason I say this is a non-issue is because although Antivir may not scan your email for virus as it downloads, it will still protect you from it afterwards, not just during normal scans as it will also intercept it once it is on-disk and/or if and when it tries to act up.  In fact email scanning as such may be completely redundant and a waste of time; see this article for more info.

Antivir is my favorite freeware antivirus. It is best in terms of performance and, with the recent addition of an antispyware component it has become even more desirable. However, if asked to recommend a freeware antivirus Antivir comes with too many caveats and explanations (the nag screen, the email scanning (non)issue). It is easier to recommend Avast, as it provides comparable protection and performance, and is an excellent product.

AVG is my third choice. It also provides excellent protection and has the edge with respect to the least number of false positives, but its performance and detection rates lag behind the other two.

The numbers (and other issues considered):

1. Detection Rate / on-demand scans
2. Detecton Rate / predictive “heuristic” detection
3. Number of false positives
4. On-demand scanning speed
5. Versions tested
6. Links and downloads

• Avira Antivir: 99.7% detection rate
• Avast: 98.2%
• AVG: 93.0%
• Kaspersky (*): 97.1%
• ESET NOD32 (*): 97.6%

* Note: no free version of these offered. They are listed here to give ’perspective’.

The data seems to show that overall the detection rates are very similar (the differences are unlikely to be meaningful), with the exception of AVG which has a somewhat lower rate of detection than the others.

• Avira Antivir: 71% (over 1 week), 67% (over 4 weeks)
• Avast: 40% (over 1 week), 39% (over 4 weeks)
• AVG: 43% (over 1 week), 40% (over 4 weeks)
• Kaspersky(*): 71% (over 1 week), 60% (over 4 weeks)
• ESET NOD32(*): 54% (over 1 week), 51% (over 4 weeks)

The results above seem to show that when handling yet unknown threats (malicious code that is so brand new that it has not been added to the program’s database), Antivir and Kaspersky have an advantage over the others.

• Avira Antivir: 24
• Avast: 28
• AVG: 17
• Kaspersky (*): 14
• ESET NOD32 (*): 13

Interestingly, Avast and Antivir have significantly higher false positives than the two paid programs, with AVG having the lowest number of false positives of all three freeware antivirus programs.

• Avira Antivir: 13.6 MB/sec
• Avast: 15.4 MB/sec
• AVG: 6.8 MB/sec
• Kaspersky (*): 13.3 MB/sec
• ESET NOD32 (*): 13.2 MB/sec

On this metric AVG significantly lags behind the others, who are otherwise very similar, with Avast having a slight overall advantage.

• Avira Antivir: 8.2.0.374 (test 21), 8.1.0.362 (test 20)
• Avast: 4.8.1335 (test 21), 4.8.1229 (test 20)
• AVG: 8.0.234 (test 21),  8.0.156 (test 20)
• Kaspersky (*): 8.0.0.506a (test 21), 8.0.0.454 (test 20)
• ESET NOD32 (*): 3.0.684.0 (test 21), 3.0.669.0 (test 20)

• Avira Antivir free: see my Mar 2007 review of Antivir here.
• Avast free: free registration required
• AVG free

  .

If there’s something that I am constantly on the look-out for it would be a freeware anti-spyware program that (a) is low (or medium-low) on computer resource consumption, (b) provides real-time protection, and (c) does a good job at protecting against unknown threats. From what I’ve seen and read about Threatfire, it might be just that program.

I’ve been using this program for just over a week now, running in conjunction with an anti-virus program (AVG free edition), and no other antispyware product. Aside from this period of living with and observing the program, my primary source of info comes from an excellent PCMagazine review of Threatfire and research I’ve done on this program in various other places.

The main strength of this program is its behavior-based (heuristic) detection of malware, and at that it does a better job than many signature based security programs. The difference between behavior based and signature based detection is that the former determines that a program is malicious based on observing its behavior and what it is doing within your system, making it ideal for intercepting threats that are too new or too rare to have been detected by the makers of anti-malware software. In contrast, signature-based detection is where a security program is told what to look out for through periodic updates to its database. Here are some more notes on this program:

• Background: Threatfire is released by PC Tools, makers of the excellent Spyware Doctor program. After acquiring Novatix and their"Cyberhawk" antispyware program, PC Tools based Threatfire’s behavior-based engine on that program’s technology.
• Threat identification: once a potential threat is identified Threatfire will in fact check its signature against a database for quick identification in order to quickly quarantine it without user intervention (and the program will perform auto-updates). Note that Threatfire cannot identify a threat until it takes action; so, for example, a dormant trojan on an obscure file buried in a directory that is never accessed will not be detected (which shouldn’t be a problem since it will not be a threat either).
• No configuration is required: all you need is to install and run. You will have to intervene periodically if a threat is detected and will be given the option to allow it if its a false positive (athough this is generally a rare occurrence). Threatfire can be ’taught’ that a certain program or programs are ok so it will ignore them from that point forward.
• Resources needed: the various processes that Threatfire runs in the background consume approximately 10 megs of RAM collectively. This is one of my main reasons why I like this software and stands in contrast to the hundreds of megs used up by many other antispyware products. What this means to you is that unlike these other programs, Threatfire will not slow your system down.
• Performance: for his review the PC magazine editor unleashed a battery of malware that Threatfire intercepted with a very high degree of success. The only programs which it was not 100% successful identifying were so called "rogue antispyware products" (i.e. apps that pretend that they’re antispyware program when they’re not). Aside from those Threatfire identified ALL other threats.
• False positives: are always a concern for a behavior based engine, but Threatfire does well in this regard compared to other products like it. Although I did witness a number of false positives with Threatfire, they were notably less that my experience with Comodo’s BOClean (another comparable free product that is fairly good, although I much prefer Threatfire).
• Before installing: make sure you have a clean system for best protection by performing both a virus and spyware scans. If you install Threatfire on a heavily infected system you will likely run into problems. Fortunately, there are many free products that do on-demand scanning very well, including Antivir Free, AVG Free, and Avast Home Edition for antivirus and Spybot S&D, Ad-Aware Free, Super Antispyware Free, and AVG Antispyware Free for antispyware. (Note: these antispyware products mentioned do not offer real-time protection as part of the free product, but in fact it is their on-demand scanning feature that you are interested in; Threatfire can handle the real-time aspect).
• Offers on-demand rootkits scanning: for more on rootkits go here.
• Safe mode: Threatfire reportedly doesn’t install and scan well in safe mode.

Differences between the free and paid versions: the paid "pro" version adds the ability to scan your hard drives for malware and the option of telephone customer support. On-demand scanning (in the Pro version) is not this program’s strong suite though and does not come recommended. Use another free security program for on-demand scanning (see "before installing" above).

The bottom line: this program adds an excellent layer of protection at very low system cost, and can well provide the real-time protection that many "free" antispyware products withold. Use it in conjunction with occasional on-demand system scans and you have the best of both worlds. I like that it is developed by PC Tools, a leader in the antispyware/PC security industry rather than some unknown developer. Highly recommended.

Version Tested: 3.0.1.3

Compatibility: Windows XP, 2000, 2003, and Vista.

Go to the download page to get the latest version (approx 14 megs). Also visit the Threatfire home page.

Rating

Version tested: 1.7.0.7502

Returnil creates a virtual system on your machine that completely mirrors your actual setup. It is designed to take the risk out of exposing your machine to all manner of software, websites, downloads, or anything else that might have adverse effects on your machine or infect it with malware. Once restarted, your system will revert back to its original state and all changes to your primary partition will disappear. It’s free for home users.

Don’t let this whole “virtualization” business put you off; aside from having a name that sounds like a pharmaceutical, Returnil is a very simple software to use that works really well. You can think of it as a system-wide “undo” function; once you turn it on, you can do whatever you want with your system; all changes to your primary partition will be temporary and will disappear when you restart the computer.

Here’s how to use this software:

1. Install Returnil: a very simple process. The only decision that is out of the ordinary is the option to create a virtual partition (the program will not need this partition, but you might; see point #4 below). During installation you can also set a master password to restrict access to the program.
2. Turn Returnil’s protection on, when you need to; no actual changes will occur on your primary partition once this happens; from this point onward everything occurs on a “virtual” copy of your system.
3. Do what you need to do: e.g. surf those dodgy internet sites, or install that piece of software that you want to test, or open the files you need to open, etc.
4. Save your data: you will have to save any files you are working with someplace other than the primary partition (e.g. a secondary partition, a thumbdrive, or upload your files on the internet, etc.) Or let Returnil create a virtual partition for you; its purpose is precisely to provide a place for you to save your data when protection mode is turned on, and you can set any size you want for it that you have space for on your hard drive. Any files/data saved on the primary partition will eventually be lost.
5. Restart the system: this is the only way ro turn Returnil’s protection off. Once this happens, any changes that happened when system protection was on will be gone; your system will look exactly the way it looked before you started.

Returnil works by cloning your system settings in memory and implementing any changes virtually into that cloned entity. By working within memory it purports to offer better speed and reliability than other virtualization solution. If you are wondering, as I did, how Returnil can handle, say, an 80 gig primary partition within 128 or 512 megs of RAM, the answer to that question as stated in the FAQ section of their website is something to the effect that since the actual 80 gigs will remain unchanged, there is in fact no reason whatsoever to hold this entire disk image in memory. My understanding of this is that, in fact, all the program needs from your actual system is a bunch of settings that it uses to replicate your it within a constructed virtual environment.

More notes on this program:

• Making changes permanent: you cannot make changes made while in protection mode permanent even if you want to (unlike, say, Sandboxie). The only way to do this would be to re-do the changes normally with system protection off.
• Testing software: while Returnil works extremely well for temporarily installing and testing programs within the virtual environment, programs that require a restart to install cannot be tested with Returnil as the restart switches off the virtual layer.
• Deleting data: any deleted data or programs uninstalled while protection is on will actually be preserved and will re-appear when system protection is turned off and your machine is restarted.
• The user interface: Returnil can be accessed through a system tray icon or a floating toolbar (see screenshot). You can use these to (a) turn system protection on, (b) mount/dismount the virtual drive, or (c) schedule system protection so it automatically turns on at specific times. You can also set a hotkey by which to activate system protection.

The verdict: as virtualization solutions go (see Altiris SVS and Sandboxie), Returnil is the simplest, most user friendly and intuitively comprehensible. As a user there are really only two things that you can do with this program; (a) turn system protection on, and (b) turn it off via a system restart. This not only makes Returnil extremely easy to use, but also contributes towards limiting any so-called ’leaking’ that sometimes occurs with virtualization programs where data meant for the virtual layer ’leaks’ into the actual system.

This one is my favorite amongst all the free virtualization solutions mentioned above that I have come across so far. I highly recommend it. [Thanks go to reader Brockman for tipping me off about this program].

Compatibility: Windows XP, 2003, VISTA 32 bit.

Go to the program page to get the latest version (approx 1.7 megs).

Version tested: 1.1.0.42

[Note: this review was written by my friend Mohammed Raei from Amman, Jordan; see his personal blog here - The Freewaregenius]

AVG Anti-Rootkit Free is a program that scans your computer for rootkits and removes them.

Trojans, keyloggers, and worms can sometimes hide from conventional Anti-virus software inside "rootkits", rendering them useless in the face of such threats. This is where AVG Anti-Rootkit Free comes in. This is a very small and fast program that you should run before you do a virus scan, because virus killers do not detect or protect from rootkits. Once you ensure that your computer is free from rootkits your antivirus software can take it from there and prevent the installation of future rootkits.

I was able to run a standard scan in under 4 min and an in depth scan in about 14 min on my 5 years old Athlon XP 2000. I was not able to find any rootkits on my system, so I cannot comment too much on its efficacy. Suffice it to say that I now feel much more confident that my computer is free of rootkits than I was before.

This program lacks any sort of scheduler because in theory, you only need to run it once. That being said, it would not hurt to run it every once in a while. Make sure to manually update the program first as it does not auto-update.

Compatibility: Windows 2000, XP

Go to the program page to get the latest version (approx 120K). Also visit the program home page.

Version tested:  2.0.62

Arovax Shield is a free memory-resident program that offers protection against malicious software such as spyware, adware, browsers hijacks, trojans, viruses, worms, keyloggers, and other malware. It functions as a kind of a ‘firewall’ for the system/registry.

Most real-time antispyware protection software scans for traces of known code and/or applications that receive or send data over the internet. Other antispyware ‘immunizers’ prevent infection by modifying the places in the registry where the spyware would normally reside. Arovax Shield takes a little bit different approach in that it it does NOT scan your hard drive or memory for traces of code but keeps on the lookout for the different actions that malicious code typically performs in order to install itself on a computer; it will then foil these attempts, thereby preventing the successfull installation of malware. To quote the Avorax website “It blocks programs that attempt to launch automatically at Windows startup, prevents browser hijacking, protects the Registry, and stops various other stealthy installation techniques.”

Once it finds any suspicious activity, Arovax Shield can either ask the user to intervene in allowing/disallowing a certain action to take place (much as a firewall would when an application tries to access the internet), or it can ‘automatically’ make these decisions for you. I personally prefer the former, as most of the actions intercepted will invariably be perfectly legitimate applications. Running Avorax Shield initially feels very much like you’ve installed another firewall, and like a firewall Arovax Shield will ‘learn’ and remember your decisions so that you only have to make these once.

There are a number of good freeware antispyware and antivirus programs out there that offer real-time protection from both known and unknown threats. Still, because of the interesting technology behind Avorax I am inclined to add Avorax Shield to the list of staple security programs that I run on my machine (currently AVG free antivirus, Spyware Terminator, Spyware Blaster, and Comodo Free Firewall). I feel especially that Avorax Shield can potentially be the last line of defence in the case of a brand new threat that may slip in unidentified by any of the other aforementioned programs. During the few days that I have had this program installed I have kept close watch on its memory use and I am happy to report that it does NOT seem to require a lot of resouces to run in the background; it had no noticeable effect on my system performance despite the fact that I had many programs running at the same time.

Verdict: this software is a keeper.

Go to the program download page for the latest version. The developer’s home page.

Spyware Blaster is NOT a memory-resident antispyware program that continually scans for Spyware. What it is is an “immunizer” that prevents spyware from being installed. It modifies your system/registry in a way that tricks malicious websites into thinking that the spyware is already installed, thereby preventing its installation. It works with both IE and Firefox.

Rating: 5 

Version tested:  3.5.1

What this means, essentially, is that in you can use Spyware Blaster in conjunction with a memory resident scanner such as Spyware Terminator without using more of your PC’s resources. Highly recommended for added protection.Spyware Blaster also provides the functionality of saving a snapshot of your system that in case you encounter any problems and/or infections and you need to revert back to the earlier state. I don’t forsee that many people would need this feature, however, as the program seems to do what it does really well.

The makers of Spyware Blaster have designed the program such that spyware database updates have to be done manually (i.e. you have to open the program and click on the update button), in order to encourage users to buy the autoupdate version ($9.95 annually). That being said, I have found that manually updating the program every few days is very quick and works quite well. (I would’ve normally deducted 1 star off my rating for this, but in this decided not to in this case).

Go to download page for latest version. The Developer’s home page.

This is one of the most exciting free programs I’ve come across in a while. Finally a very good antispyware program that you can install and forget, knowing that you have effective real time protection with automatic live updates.

Rating:  

Version tested:  1.5.00.740 

This might not sound so revolutionary but it is, because most good freeware antispyware programs, including well known titles such as Spybot Search & Destroy, Ad-Aware, and Spyware Blaster do not feature automatic updates unless you switch to the paid version. For me this always meant that there really isn’t a good freeware antispyware, and that a better option would be the (commercial) SpySweeper or Spyware Doctor. Until now, that is.I’ve been using this program for a while and am very satisfied with it. My brother recently had a nasty spyware infection that some of the other (free + non-free) antispyware programs could not effectively handle, but that Spyware Terminator resolved beautifully.

Note: Spyware Terminator integrates a free open source antivirus software named ClamVir to scan your computer. Although this is a good feature that I recommend, ClamVir does not offer memory resident antivirus protection and you should not consider it to be sufficient antivirus protection. (I.e. use Spyware Teminator for Spyware protection and install another Antivirus program for protection against viruses).

The following are some of Spyware Terminiator’s features:

• Fast Scan, Full Scan, Customized Scan, Scheduled Scan
• ClamAV antivirus integration (including ClamAV database updates)
• Effective removal of threats, including blocked files on reboot. Quarantines threats. Allows removal of locked files
• Real Time Protection with autmatic live updates.
• HIPS function monitors files for suspicious changes and asks user to intervine if changes to system are not recognized in it’s database.
• File analysis option allows sending of suspicious files to the developers for deep analysis. 
• Restore computer to earlier or default setting

Visit the features page from the developer’s site for in-depth features. Scroll to the bottom for a comparison chart. 

A free alternative to: SpySweeper, Spyware Doctor, etc…

Go to the program download page for the latest version. The developer’s home page.