The first point to consider when selecting a detection product is the type of viruses likely to be encountered. Approximately 95 percent of all virus infections are accounted for by a small number of viruses. The viruses that constitute this small set can vary geographically. The common viruses can be distinct on different continents, due to the paths in which they travel. Of course, different hardware platforms will be at risk from different viruses.
International organizations may be vulnerable to a larger set of viruses. This set may be obtained by merging the sets of viruses from different geographical regions where they do business. Organizations with contacts or installations in locations where virus writers are particularly active are also more likely to encounter new viruses.
Risk from new viruses is an important consideration. Scanners are limited by their design to known viruses; other detection tools are designed to detect any virus. If your organization is at high risk from new viruses, scanners should not be the sole detection technique employed.
Another important criterion to consider is the number and type of errors considered tolerable. The tolerance for a particular type of error in an organization will vary according to the application. Table 1 shows the types of errors which should be expected. An estimate of how frequently each class of error is encountered (Infrequent, Frequent, or Never) is also given for each class of tools and error type. All anti-virus tools are subject to errors, but their relative frequencies vary widely. Scanners probably have the lowest overall error rate. Checksummers do not produce false negatives.
The third and fourth items to consider when selecting anti-virus tools are the ease of use and administrative overhead required for each tool. Questions to consider are:
includes a general evaluation of the ease of use and administrative overhead imposed by each class of tools.
If several tools still appear to be candidates, consider the
functionality of these tools beyond virus detection. Viruses are
only one of the many threats to computer security. All detection tools
except scanners have general security applications beyond viruses. Scanners
are limited in application to viruses, but have the added functionality
of virus identification. Consider the added
functionality which is most needed by your organization and choose accordingly.
The alternatives are outlined in Table 3.
The final selection criterion to consider is when the tool detects
viruses. Proactive detection tools allow the user to keep viruses off a system
by testing incoming software. These tools only allow one chance of detecting a
virus (upon initial introduction to the system). Active detection tools
intervene during the replication phase itself. Reactive detection tools can
be used any time after a virus has entered the system. Additionally, reactive
tools are not as rigorous in their demands on system performance.
Table 4 shows when these different tools detect viruses.