Next: Summary Up: Checksums for Change Detection Previous: Functionality

Selection Factors

Accuracy

Properly implemented and used, a change detector reports every modification to a file it has checksummed, whatever virus made it; in that sense there are no false negatives. The guarantee is conditional, however: the file must be in the baseline, the checksum function must be one an attacker cannot compensate for (a simple CRC can be restored by padding the infected file, so a keyed or cryptographic function is preferable), and the system must be virus-free when the checksums are calculated. A resident virus that is already active when the baseline is built, or when a check is run, can present the original contents of an infected file to the checksum program and so go undetected. Change detection can also produce high numbers of false positives. Programs tend to store configuration information in files containing executable code; if these files are checksummed, as they should be, a change in configuration will trigger the change detector.

Ease of Use

Change detection software is more challenging to use than some other anti-virus tools. It requires good security procedures and substantial knowledge of the computer system. Procedurally, it is important to protect the baseline. The checksums should be stored off-line (for example on write-protected media kept with the checksum program) or protected with a key the attacker cannot obtain; note that encryption alone hides the stored values but does not by itself prevent their replacement, so a keyed checksum over the baseline is the stronger choice. A baseline the attacker can alter is worthless: recording the checksum of an already-infected file hides the infection, while corrupting the stored checksums makes a clean system appear to have been attacked.

Analysis of the results of a checksumming procedure is also more difficult. The average user may not be able to determine that one executable is self-modifying but another is not. Repeated false positives due to self-modifying code can wear such a user down until the output of the change detector is ignored altogether, at which point a real infection is missed as well.
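The following is an added worked example for the Accuracy and Ease of Use points above; it is not code from the NIST document. It builds a baseline of whole-file checksums, protects the stored baseline with a keyed checksum so that doctoring it is itself detected, and classifies a later scan into modified, added and missing files. It assumes SHA-256 as the checksum function, HMAC-SHA256 over the serialised baseline, and a placeholder key (BASELINE_KEY) that a real deployment would keep off-line with the checksum program; the files and modifications in demo() are constructed, including a self-modifying program that rewrites its own embedded configuration and shows up as a change the operator must adjudicate.

```python
"""Checksum baseline with a keyed signature over the stored baseline.

Added example, not code from the NIST document.  Assumptions: SHA-256 as
the checksum function, HMAC-SHA256 over the serialised baseline, and a
placeholder BASELINE_KEY that a real deployment keeps off-line.  All
sample files written by demo() are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

HASH = "sha256"
BASELINE_KEY = b"placeholder-key-kept-off-line"  # assumption, not a real key


def checksum_file(path, chunk=65536):
    """Checksum the whole file, so no region of it goes unchecked."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root):
    """Map every file under root (relative, '/'-separated) to its checksum."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = checksum_file(path)
    return entries


def sign_baseline(entries, key):
    """Serialise the baseline and attach a MAC so alteration is detectable."""
    body = json.dumps(entries, sort_keys=True)
    return {"entries": body, "mac": hmac.new(key, body.encode(), HASH).hexdigest()}


def load_baseline(blob, key):
    """Reject a baseline whose MAC does not verify (altered, or wrong key)."""
    expected = hmac.new(key, blob["entries"].encode(), HASH).hexdigest()
    if not hmac.compare_digest(expected, blob["mac"]):
        raise ValueError("baseline does not verify: tampered or wrong key")
    return json.loads(blob["entries"])


def verify(root, blob, key):
    """Compare the current state of root against the signed baseline."""
    baseline = load_baseline(blob, key)
    current = scan(root)
    report = {"modified": [], "added": sorted(set(current) - set(baseline)),
              "missing": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo():
    """Constructed scenario: an infection, a self-modification, a dropped
    file, a removed file, and an attempt to doctor the stored baseline."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        files = {
            "bin/editor.exe": b"MZ" + bytes(range(256)) * 8,
            "bin/shell.exe": b"MZ" + bytes(reversed(range(256))) * 8,
            "bin/setup.exe": b"MZ" + b"\x90" * 2000 + b"COLOR=1\x00",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        blob = sign_baseline(scan(root), BASELINE_KEY)

        # A virus appends itself to editor.exe (a real change).
        with open(os.path.join(root, "bin/editor.exe"), "ab") as f:
            f.write(b"VIRUS BODY")
        # setup.exe rewrites its own embedded configuration: flagged too,
        # and only a qualified operator can tell this from an infection.
        with open(os.path.join(root, "bin/setup.exe"), "r+b") as f:
            f.seek(-2, os.SEEK_END)
            f.write(b"2")
        with open(os.path.join(root, "bin/dropper.exe"), "wb") as f:
            f.write(b"MZ new")
        os.remove(os.path.join(root, "bin/shell.exe"))

        report = verify(root, blob, BASELINE_KEY)

        # An attacker who can write the baseline would record the infected
        # checksum as the new truth; without the key the MAC fails.
        doctored = json.loads(blob["entries"])
        doctored["bin/editor.exe"] = scan(root)["bin/editor.exe"]
        forged = {"entries": json.dumps(doctored, sort_keys=True), "mac": blob["mac"]}
        try:
            load_baseline(forged, BASELINE_KEY)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In demo() both editor.exe and setup.exe are reported as modified; the checksum program cannot distinguish the appended virus from the rewritten configuration byte, which is exactly the judgement the text leaves to a qualified staff member. The forged baseline is rejected because its MAC was computed over the original entries, so an attacker who lacks the key cannot silently bless an infected file.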

Administrative Overhead

Change detection software is easy to install and, unlike a scanner, needs no signature updates. The baseline must be established by a qualified staff member; this includes the initial baseline as well as the changes to it as programs are added to or upgraded on the system. Once in operation, however, a high degree of support can be required for the average end user. A qualified staff member must be available to determine whether a change to a particular executable is due to a virus or simply the result of self-modification, and to re-baseline the file when the change is legitimate.

Efficiency

Change detectors impose no overhead on general system use between checks, since nothing need remain resident while programs run. There is, however, some storage overhead for the baseline checksums. These are best stored off-line with the checksum program.

The calculation of checksums is computationally intensive: the function must be applied to at least a portion of each executable. To be exhaustive, it should be applied to the entire file, because a checksum over only part of an executable cannot detect a modification made outside the portion covered, such as code appended to the end of the file.
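The following is an added example for the efficiency trade-off above; it is not code from the NIST document. It compares a checksum over only the first PREFIX bytes of a file (an assumed speed-saving window) with a checksum over the whole file, against three constructed modifications: code appended at the end, a patch to the header, and an overwrite deep in the file that leaves the length unchanged. SHA-256 is assumed as the checksum function; the "executable" is a constructed byte string, not a real program.

```python
"""Partial versus exhaustive checksumming.

Added example, not code from the NIST document.  Assumes SHA-256 and a
partial checksum covering only the first PREFIX bytes; the file and the
modifications are constructed byte strings.
"""
import hashlib

PREFIX = 4096  # assumed window of the partial checksum


def full_checksum(data):
    """Exhaustive: every byte of the file contributes."""
    return hashlib.sha256(data).hexdigest()


def partial_checksum(data, prefix=PREFIX):
    """Cheaper: only the first prefix bytes contribute."""
    return hashlib.sha256(data[:prefix]).hexdigest()


def detects(clean, modified, prefix=PREFIX):
    """Report which strategy notices that modified differs from clean."""
    return {
        "partial": partial_checksum(clean, prefix) != partial_checksum(modified, prefix),
        "full": full_checksum(clean) != full_checksum(modified),
    }


def append_virus(data, body=b"APPENDED VIRUS BODY"):
    """Appending infector: original bytes untouched, code added at the end."""
    return data + body


def patch_header(data, jump=b"\xe9\x00\x10\x00\x00"):
    """Overwrite five bytes at offset 64, inside any sensible partial window."""
    return data[:64] + jump + data[64 + len(jump):]


def patch_tail(data, body=b"TAIL PATCH"):
    """Overwrite bytes beyond PREFIX without changing the file length."""
    start = len(data) - len(body)
    return data[:start] + body


def demo():
    """Constructed 10242-byte file, longer than PREFIX, under three changes."""
    clean = b"MZ" + bytes(range(256)) * 40
    assert len(clean) > PREFIX
    return {
        "append": detects(clean, append_virus(clean)),
        "header_patch": detects(clean, patch_header(clean)),
        "tail_patch": detects(clean, patch_tail(clean)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} partial={result['partial']!s:5s} full={result['full']}")
```

Only the header patch is caught by the partial checksum; the appended body and the tail overwrite both fall outside the window and are invisible to it, while the exhaustive checksum catches all three. The saving in computation is paid for with an unchecked region in which a virus can live.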





konczal@csrc.ncsl.nist.gov
Fri Mar 11 21:26:02 EST 1994