Talk:Antivirus software

Merge with zero-day virus

The issue of zero-day virus needs to be more thouroly discussed in this article. Sections of the zero-day virus article is just a condensed version of sections from this article. If zero-day virus was merged with this article, it would receive more exposure. TechOutsider' (talk) 21:09, 6 April 2009 (UTC)

zero-day virus is discrete and relevant enough to merit an article - maybe migrate some content from here to there and reduce duplication? Qbeep (talk) 21:06, 9 April 2009 (UTC)

It should at least be linked from this article, either from a short section of "See also" - Ahunt (talk) 15:10, 11 April 2009 (UTC)

It seems that there is no consensus to merge, so the tags will be removed. I have linked zero-day virus in this article. - Ahunt (talk) 16:43, 14 April 2009 (UTC)

Can you help me 103.62.155.151 (talk) 22:57, 24 May 2023 (UTC)

@TechOutsider I quite agree 45.212.9.201 (talk) 16:16, 16 February 2023 (UTC)

Antivirus vs. Virus

This article seems to have a lot of information that applies specifically to viruses, not virus scanners. Should we migrate some of this? Qbeep (talk) 02:05, 10 April 2009 (UTC)

In reading through the article I don't see a lot of information on viruses that isn't required at a basic level to explain antivirus software, so perhaps you can point out what you think is beyond the scope of this article? Obviously anything that isn't needed here could be moved to Computer virus. - Ahunt (talk) 12:47, 10 April 2009 (UTC)

as a top-of-the-head example, it's not necessary to name all the variations of virus polymorphism. The general concept of polymorphic virus detection may be cleaner without it Qbeep (talk) 00:06, 11 April 2009 (UTC)

a more concrete example. Consider the following:

"Powerful macros in word processors such as Microsoft Word presented a further risk. Virus writers started using the macros to write viruses that attached themselves to documents; this meant that computers could now also be at risk from infection by documents (with hidden attached macros) as programs. Later email programs, in particular Microsoft Outlook Express and Outlook, became able to execute program code from within a message's text by simply reading the message, or even previewing its content. Virus checkers now had to check many more types of files. As broadband always-on connections became the norm and more and more viruses were released, it became essential to update virus checkers more and more frequently; even then, a new virus could spread widely before it was detected, identified, a checker update released, and virus checkers round the world updated."

we're looking at an unwieldly mix of history and virus classification; with some careful editing (and possibly relocation of some content to other parts of the article) this could be trimmed down to about two sentences without harming the utility of the article. Qbeep (talk) 00:14, 11 April 2009 (UTC)

Makes sense to me to trim that down and make it more concise, then. - Ahunt (talk) 13:17, 11 April 2009 (UTC)

Antivirus security issues?

The inherent risk associated with having an antivirus product running as a privileged user isn't unique to virus scanners, has no commonly-used exploits that I've ever heard of, and seems to take up a lot of space in this article. Maybe we should run a fine-toothed comb over sources (and seek counter-sources?) Qbeep (talk) 00:53, 11 April 2009 (UTC)

You are right, if this isn't an issue and essentially doesn't exist then it should be trimmed out. As you indicate, the key would be what the refs say, if it isn't supported there then it shouldn't be in the article. Feel free to get out the scissors! I will also have a run through the article, perhaps later on today and see what I can do to tighten it up. - Ahunt (talk) 13:21, 11 April 2009 (UTC)

Okay I see you are reworking the article at Talk:Antivirus software/project, so will hang off doing anything to it until you post your changes to the main article. Incidentally creating a new page like that is probably not the best way to rework an article. If you want to take it somewhere and work on it you can create a "sandbox" page in your own user space (like I did here to work on templates). I have also copied articles into a text editor offline and worked on them there. The danger even then is that other editors may change the base article while you are working on a copy elsewhere, meaning if you copy your new version over the existing one it will eliminate all changes made since you made your copy. It may be best if you want to work on an article uninterrupted for a while to just tag it with {{inuse}} instead. That produces the box below: - Ahunt (talk) 14:50, 11 April 2009 (UTC)

{{inuse}}

Too late - it has been mostly re-written! ;) - Ahunt (talk) 21:50, 14 April 2009 (UTC)

I don't know where to stick my comment on this discussion board. I have had Norton security for over 9 years. I have NEVER had an automatic renewal and have never been asked to have it either. I went to the link #22 and it went to the Norton website. I did look under the section, 'updates and renewals' and didn't see anything about automatic renewals. I could have missed it, of course. Maybe the sentence should read that automatic renewals are available...Mylittlezach (talk) 23:54, 16 February 2011 (UTC)

Cloud AV

Is it just me, or does this section seem more like an advertisment? FSBDavy (talk) 17:29, 31 May 2009 (UTC)

I agree, it certainly does. - Ahunt (talk) 17:37, 31 May 2009 (UTC)

Have a look now and see if that is an improvement. - Ahunt (talk) 17:59, 31 May 2009 (UTC)

Better! But- does it belong in the "Issues of concern" section at all?218.166.149.111 (talk) 18:35, 31 May 2009 (UTC)

That is a very good point! In looking at it, I agree and have moved to to its own section. Have a look at it, though perhaps it would better fit in elsewhere? - Ahunt (talk) 18:46, 31 May 2009 (UTC)

Do we really need citations absolutely everywhere?

Oh well done the Needs Citation spammer. That is SO irritating, especially when it is next to plain and simple facts such the statement on Word macro viruses emerging. I was there. They did. What's to cite? Posted by an alarming normal user - not a Wiki head so please don't flame me for having the temerity to suggest the page is now hard to read and commenting on it in this unsophisticated style. ...That posting needs citation at the end of every paragraph is annoying is a simple fact also. I use Wiki a lot as a reader and other pages don't suffer from this.

I take it that reaction was due to the potential for AV manufacturers to interfere with and bias the page. Fine. All I am saying is it's gone a bit far / crudely applied to every para whether a company is mentioned or not.

—Preceding unsigned comment added by 84.92.230.173 (talk) 08:44, 14 June 2009 (UTC)

That is a good question. The reason the cite tags are there is because this article has been, and largely still is, filled with unsourced opinions. Have a read through WP:V. As that makes clear anything that has been challenged or is likely to be challenged has to be cited or removed. Jimmy Wales, quoted on that page sums it up best:

I can NOT emphasize this enough. There seems to be a terrible bias among some editors that some sort of random speculative 'I heard it somewhere' pseudo information is to be tagged with a 'needs a cite' tag. Wrong. It should be removed, aggressively, unless it can be sourced. This is true of all information, but it is particularly true of negative information about living persons.

–Jimmy Wales ^[1]

1. Jimmy Wales (2006-05-16). ""Zero information is preferred to misleading or false information"". WikiEN-l electronic mailing list archive. Retrieved 2006-06-11.

The key thing is that the tags warn readers that the text is unreliable. So we can easily get rid of the tags anytime by removing the text that is tagged or by providing references. It is probably time that this article was completely cleaned up anyway.

As far as the "I know, I was there" line of reasoning goes, have a look through WP:OR. Original research is fine on a blog, but is not acceptable on Wikipedia. - Ahunt (talk) 12:04, 14 June 2009 (UTC)

Of note I have started going though this article and looking for references for each section. This will take a while, so feel free to help out! - Ahunt (talk) 23:58, 19 June 2009 (UTC)

In regards to your links to antivirusworld .com and virus-scan-software .com; antivirusworld .com is copied from pandasoftware.com, and virus-scan-software .com is copied from a paper by Eugene Kaspersky called "Computer Viruses - what are they and how to fight them?". Per Wikipedia:Copyrights, the official English Wikipedia policy on copyrights: "... if you know that an external Web site is carrying a work in violation of the creator's copyright, do not link to that copy of the work." --HamburgerRadio (talk) 00:21, 20 June 2009 (UTC)

Okay I wasn't aware those were copyright vios. Let's see if we can find the originals and link to those instead. Do you have those links handy? - Ahunt (talk) 01:12, 20 June 2009 (UTC)

I couldn't find a non-copyvio version of Kaspersky's paper on the web, but it's still citable even if it's not online. Panda's paper appears to be from [3]. The reason I looked into it and found the copvios was because it didn't seem to meet WP:RS. In a fast-moving technical area, I don't think one should be too strict about WP:RS, but until I looked into the ultimate source, I didn't see any reason to consider them reliable sources. --HamburgerRadio (talk) 05:54, 20 June 2009 (UTC)

Well if you can cite Kaspersky's paper (I don't have a copy) then I will change the other link. - Ahunt (talk) 12:24, 20 June 2009 (UTC)

I changed the reference to something I had all the publication information for. But it's unfortunately not online. If you can find a reference that's online and meets WP:RS, go ahead and change it. --HamburgerRadio (talk) 18:16, 20 June 2009 (UTC)

That is just great! Thank you for your help. If you have more refs that would help this article please do add them! - Ahunt (talk) 01:19, 21 June 2009 (UTC)

Sorry to jump on your edits again, but tipsoninterview .com is copied from Wikipedia. The similarities are most striking if you look at some older revisions, say around http://en.wikipedia.org/w/index.php?title=Antivirus_software&oldid=263035106

Also again, the reason I looked into it was because the site didn't seem to meet WP:RS. isoftwarereviews .com also seems to not meet WP:RS, but I thought I'd give you a chance to defend that before reverting. --HamburgerRadio (talk) 22:09, 7 July 2009 (UTC)

Nope I am not defending anything - just trying very hard to find some worthwhile refs for this article full of hearsay. It is incredibly hard to find anything reliable that backs up what is written here. As you noted, much of what is available is cribbed from this article, creating a circular form of reality. It is tempting to remove all the challenged text instead. - Ahunt (talk) 22:29, 7 July 2009 (UTC)

Well, I referenced it a bit more. I stopped because the text just seemed rambling and repetitive. Probably should be trimmed down before trying to reference it more. --HamburgerRadio (talk) 23:14, 7 July 2009 (UTC)

That is the main problem I encountered here - the article is a disorganized and unreferenced mess. I figured if I could find refs then it could be cut down and rearranged, but perhaps you are correct and it should be cut down and re-written first and refs added afterwards. I work much better writing articles from the refs rather than trying to find refs for doubtful statements and claims, especially in a field like this where there is no seminal textbook available. In a way Wikipedia has become too successful and well-known for that latter method to work anymore - all you find are websites with text swiped from the article. I recently saw a case where text was removed from an article as a "copyright vio", but it turned out to be the otherwise round, the Wikipedia article came first, the other site copied it. If you have the interest and the refs please do tear into this - it needs a total rewrite, but from the refs this time around. - Ahunt (talk) 00:46, 8 July 2009 (UTC)

Well there has been little work on this problem since July and in fact the amount of unreferenced hearsay has increased as mostly IP editors have dropped more unsourced "rumour-level" text in here. Overall I think the article is getting worse, not better. I realize that some of the unsourced text may well be correct, but it is hard to prove. Does anyone with sufficient technical background in this area want to go through it, remove the incorrect information, re-organize the article, tighten up the language and find sources for everything that is retained? If not I propose that all the unsourced text be removed, the article then be reorganized and after that let's see if we can grow the article from there, with refs this time to ensure that it isn't just a collection of opinions. - Ahunt (talk) 13:28, 24 November 2009 (UTC)

Okay since we have a consensus for this proposed plan I will proceed in four phases: 1. Removing unsourced text, 2. detagging, 3. Confirming that the existing refs support the remaining text, 4. Reorganizing the remaining text. - Ahunt (talk) 17:50, 29 November 2009 (UTC)

The basic work described above is now complete, so if anyone else would like to wade in on reorganizing please go ahead and do so. I still have some work to do, like formating bare references, but I can do that in the background. - Ahunt (talk) 18:20, 29 November 2009 (UTC)

(Unindent) Okay I am done now. The article still needs some work by a subject matter expert, but in reply to User:84.92.230.173 who started this thread, you can note that the tags are all gone now! - Ahunt (talk) 18:53, 29 November 2009 (UTC)

I understand the value of this project

Hi HamburgerRadio (talk), I understand it very well that Wikipedia uses nofollow tags, and its external links do not alter search engine rankings. However, I thought that referring to http://personalfirewall.comodo.com/download_firewall.html will help users to get the information that Comodo offers through its Antivirus Software. Please let me know your take on this context. Lakshmi VB Narsimhan 07:08, 4 August 2009 (UTC)--

Please see some of the links included in my message, particularly WP:EL and WP:SPAM. Perhaps in a different context, such as a List of antivirus software, it would be appropriate. --HamburgerRadio (talk) 08:15, 4 August 2009 (UTC)

Additional if you check WP:EL you will see that external links are not used in article text, specifically to avoid this sort of spamming. - Ahunt (talk) 12:39, 4 August 2009 (UTC)

Noted, thank you. Shall consider these points in my future contributions. Lakshmi VB Narsimhan 07:33, 7 August 2009 (UTC) —Preceding unsigned comment added by Lakshmin (talk • contribs)

Images

I have restored the images to this article. As explained in the edit summary it would be ideal to have examples of all kinds of anti-virus software in this article to illustrate it, but US copyright law doesn't allow that. Copyrighted images can only be used under "fair use" provisions to illustrate articles on that particular software and all anti-virus is copyrighted except Clam, which is GPL. That means that the only images that can be used in this article are Clam and its deriviatives. The images here widely represent the range of antivirus, on Windows, Linux, command line. If anyone has a solution to the copyright problem then I would support replacing some images with new ones, otherwise the article is duller and poorer with fewer images. Incidentally it is generally accepted on Wikipedia that the use of free open source images is not spamming, since these are the only ones that can be freely used. - Ahunt (talk) 14:17, 8 February 2010 (UTC)

Hello, thanks for explaining, and I agree that the fair-use thing is a good reason for using an image of Clam. However, I don't believe it's a reason to use four images when all each one illustrates is the same programme running on a different platform. The images may be free, but I believe they are being overused in this case, leading to the appearance of the article favouring this particular AV, and it is this appearance that concerns me. I propose that we have just one image to show what an AV prog looks like - it is the AV we're illustrating after all, rather than the operating systems on which it runs. Miremare 18:34, 8 February 2010 (UTC)

When I found the article a while ago it had no images and looked very dull and unappealing to the casual reader. The addition of the images was intended to create some interest and to break up the otherwise dense text. Clam got used because of copyright laws, as explained. I'd be in favour of cutting it down to one GUI image and one command line image - most Windows users will have never seen anti-virus running from the command line and the images are different enough in appearance, I think, to retain some interest in the article. - Ahunt (talk) 19:02, 8 February 2010 (UTC)

Well, that's kind of another thing that would concern me... you're right that most readers would have never seen a command line antivirus, which leads me to wonder whether it's important enough to include an image of one, especially given that there's no mention of command line AV programmes for the image to illustrate. Miremare 19:21, 8 February 2010 (UTC)

My thought is that Wikipedia is here to educate - there probably should be a section on interface types. As you may well know the majority of anti-virus is run as server daemons. - Ahunt (talk) 19:34, 8 February 2010 (UTC)

I have to say I disagree with your assessment. US copyright laws and Wikipedia policy do not in any way forbid screenshots of copyrighted software. You automatically hold the copyright to any images (including screenshots) you take, excluding any copyrighted content in the screenshot (such as a photograph, but not a image of software, since that falls under fair use). This can be demonstrated by looking at almost any article on software already on Wikipedia, for example: Microsoft Windows, Mac OS X, Google Chrome, AutoCAD, Adobe Photoshop, and notably Symantec Endpoint Protection, McAfee VirusScan, AVG and Malwarebytes. I have taken the liberty of including pictures of these antivirus programs in the article, since they're already on wikipedia and (in my humble opinion) these products represent a far more accurate picture of the average AV product than ClamAV (which I've never heard of) running on Ubuntu (which isn't generally hard hit by viruses). If you still have a concern about the copyright of these images, you should take it up on the discussion pages of the images, and see about having them removed to ensure Wikipedia remains compliant with copyright law. dimo414 (talk) 08:40, 7 March 2010 (UTC)

It would also be nice if someone took the time to position the pictures or rephrase the content such that these pictures are a more valuable addition to the article. Both the previous and current versions feel like the pictures are just thrown in to make the page prettier (which they do) but it would be nice if they correlated with the content better.dimo414 (talk) 08:59, 7 March 2010 (UTC)

Read the licencing carefully for those images that you have inserted you will find that they are all copyrighted and can only be used on the pages that fair use can be legally justified under US Copyright laws, which means articles specifically about that software, which is why Microsoft Windows screenshots can be used in Microsoft Windows articles, etc. You will notice that none of them are licenced for fair use for this page, nor can they be as this is a general page that does not specifically deal with those applications. This all means that they will be removed by the fair use image bot in the near future, unless you want to remove them yourself first. As mentioned before, the use of Clam images is because they are the only free images that are available and therefore the only ones that can be used on this page. If you don't like them then the article will have to go with no images. Incidentally just because you haven't heard of Clam doesn't mean it isn't common - I don't know anyone these days that pays for commercial anti-virus software. Around here everyone I know runs Clam and other freeware. - Ahunt (talk) 12:40, 7 March 2010 (UTC)

Since there is no reason to remove existing free images I have restored these. - Ahunt (talk) 13:43, 7 March 2010 (UTC)

There's no reason why there shouldn't be a fair-use image of one of the market leading programs such as McAfee or Norton, as these really do illustrate the article's subject in the best most recognisable way. We just need to add a fair-use rationale for this page to the chosen image. More than one wouldn't really work for fair-use, but in the interests of balance, I don't think there should be more than one of Clam either. We shouldn't be allowing the free status of certain applications to prejudice the article. Miremare 17:12, 7 March 2010 (UTC)

I just put them all back in because the non-fair use copyrighted images will get deleted from the article soon and that will leave it bare. I said above I would be in favour of "one GUI image and one command line image" for Clam. As far as justifying one copyrighted image as fair use on this page, you can try it and see if those who assess fair use will buy it, but since the article isn't about that specific product I have my doubts whether it would survive. I agree that getting away with more than one is very unlikely. - Ahunt (talk) 14:06, 8 March 2010 (UTC)

Fair use does not equate only to "articles specifically about that software". Showing screenshots of antivirus software in an article on AV absolutely falls under fair use. Examples of generic subject articles with non-free content under fair use include Personal computer and Spreadsheet. In any case however, even if public consensus is that the page is better off without proprietary content, we do not need vast numbers of pictures of ClamAV. This is software that is neither popular nor representative - my metric is that personally, I've never heard of it, and that the vast number of AV users are running Windows, which at present Clam does not support, despite the implication of such support that the Windows XP image implies. While I have no objection to ClamAV, there is no need for dozens of pictures of different AV products in this article, and I do not feel that pictures of Clam benefit the article at all. I would like to see all of them removed, however as an attempt at compromise, I have left one image in the article. Just because an image could be put in an article is not a good enough reason to do so, nor is anticipation of future edits. dimo414 (talk) 09:25, 16 April 2010 (UTC)

That is fine, I see you have licenced the copyrighted images for this article under "fair use". I'll leave it to some image-savvy admin to review that to see if it is acceptable or not in this application. Clam is actually widely used by Unix, Linux and BSD desktop users and also is very widely used on servers. Most of the Windows users I know use ClamWin, the Windows GUI version of it. The only image note I would add is that I think the command line image should be reinstated - the article is not overly flooded with images, especially now that there are just three of them and most Windows desktop users will have never seen a command line scanner, even though that is what is most commonly used on servers. - Ahunt (talk) 12:57, 16 April 2010 (UTC)

Okay it has been a week since I proposed adding back in the image of the command line scanner above, so as per WP:SILENCE we have a consensus to do that. - Ahunt (talk) 14:30, 23 April 2010 (UTC)

No single anti-virus/anti-malware package is 100% effective!

Countless times I've seen Windows computers infected with malware, despite having anti-virus software installed, running permanently in the background AND fully updated.

No matter what anti-virus package is installed and watching the computer at all times, Windows can - and does - get infected, when it shouldn't. No single anti-virus package is 100% effective. With suitable "ref" links, I think this needs to be added to the section "Issues of concern".

Once infected, you need to run another anti-virus/anti-malware program OUTSIDE of Windows (example AntiVir Rescue System boot disc) to disinfect the system. A lot of malware, viruses etc. are so clever that you can't remove them when Windows is running and the malware itself is running, although you can try booting into safe mode. Perhaps this also needs adding to the section "Issues of concern" - that sometimes you can only disinfect the system by running the anti-virus/anti-malware tool from a boot disc (created on another computer that's clean of malware) or disinfecting Windows in safe mode.

I'm glad I use Ubuntu 99% of the time. :)

TurboForce (talk) 23:28, 30 March 2010 (UTC)

You make some good points here, if you have some reliable refs that discuss this I think it would make a good addition to the article. I am glad I use Ubuntu 100% of the time! - Ahunt (talk) 02:28, 31 March 2010 (UTC)

I'm glad my points have been noticed. I will need help here as trying to find "suitable" ref links is tricky in itself. This is the same problem I've been arguing like mad over in the talk page: Talk:Criticism_of_Microsoft_Windows from point 10 onwards on that page. Yes I use computers all the time I've and spent thousands of hours on computers and sorting out many problems, but trying to prove them with "ref" links is very taxing. In the case of anti-virus software, no single anti-virus/anti-malware product will make your computer like a bank safe, but more than one running at a time can create conflicts and cause Windows to malfunction. As for Windows Defender, I think that's just snake oil and all it does is slow the computer down without providing any real benefits; yes I've seen computers infected with Windows Defender installed and running - it's just lame. It's a question of how many layers of protection you can safely use without causing system problems and not slowing down Windows too much, since one product alone doesn't work effectively. TurboForce (talk) 14:24, 31 March 2010 (UTC)

All a convincing argument not to use Windows! Perhaps there are some overall view type articles or columns that deal with this sort of issue that would make good refs? Although I am not sure where to find something like that, perhaps others watching this page have some suggestions. - Ahunt (talk)

An overview should include or refer to behavioral, physical, and browsing/email hygiene components of security, as well as user accounts & rights management, how to blend active (real-time) and periodic scan programs, other means of recognizing infection or damage, and (in addition to following the limited instructions of the AV program) how to recover from the damage left after the AV program is 'finished'. That leads to the security issue & complexities of file backup (manual or sfw or cloud), and preventing backup from being contaminated before or after the damage is detected or repaired.

- Wikid (talk) 16:44, 2 Feb 2012 (UTC-5)

It's been 2 weeks and I've not seen any changes to the article yet. I know finding the suitable "ref" links can be tedious, but I have to reiterate that NO single anti-virus/anti-malware program or suite will stop Windows becoming infected. This week alone I've had to deal with a Windows Vista installation that was destroyed by viruses, despite it having an UP TO DATE anti-virus package installed and its real time protection running at all times!

Perhaps we could also explain the purpose of AppArmor in Linux and how it helps protect the system from zero-day attacks (source: click here).

Re: Ahunt - I use Ubuntu 'only' 99% of the time because I have to use VirtualDub, which doesn't support Linux (yet?), hence the dual-boot setup comes in handy. I see you've made lots of edits to Wikipedia, maybe you have more time than me to find "ref" links and edit the anti-virus article to prove to the world that no single protection will make Windows totally immune. I've seen Windows' files vaporised by viruses/malware too many times, despite the so-called protection being active and up-to-date. TurboForce (talk) 15:46, 13 April 2010 (UTC) <- (Time shown here is one hour behind due to British Summer Time).

Excellent points! I am having a busy couple of weeks here myself, but let me see what I can find. - Ahunt (talk) 15:52, 13 April 2010 (UTC) (Zulu time doesn't do daylight savings time!)

Thank you for your quick response Ahunt. I see your timestamp is 1 hour behind actual UK time. I don't know if other users in different countries have this problem with the timestamps on Wikipedia? Slight correction in my previous post, i.e. "it's been 2 weeks and still nobody's mentioned that having just a single anti-virus/anti-malware suite does NOT provide 100% protection and Windows can still become infected". Phew. This is not the only article that requires more information relevant to today's computing needs, other pages include the IRQ discussion page. Where can we find lots of experts out there who can help us? TurboForce (talk) 16:15, 13 April 2010 (UTC)

Hopefully people are watching the pages or on the WikiProject Computers or Software pages, but if not then it becomes a do-it-yourself project! - Ahunt (talk) 16:36, 13 April 2010 (UTC) The time stamps are actually UTC (or GMT if you prefer) so they aren't local time, but universal time.

I did find a useful ref with one idea why this might be so and have added a new section at Antivirus_software#New_viruses. - Ahunt (talk) 19:25, 14 April 2010 (UTC)

Thank you Ahunt, I'm very pleased to read your latest contribution. Your latest edit in the article proves that anti-virus software alone is not 100% effective at catching viruses/malware. Perhaps someone could briefly explain how sandboxing helps e.g. AppArmor in Linux, as I can see there is a link to "Sandbox (computer security)" in the "See also" section. I know what sandboxing is and know that it limits what programs can do, but trying to explain how this prevents viruses taking over the operating system is tricky for me to write in a way that newbies can understand. I would say this approach is similar to the principle of least privilege; basically like the over-tight "limited" account in Windows XP which prevents viruses/malware from having unlimited access to the rest of the operating system, but using the "limited" account in Windows XP stops certain programs from working properly source. As I'm learning more about Linux, I know that you have to be a "root" user to run system tasks, which hinders the ability of viruses to infect Linux, in addition to AppArmor which comes with Ubuntu (I don't know much about AppArmor, other than knowing what it is and its intended purpose). TurboForce (talk) 20:50, 14 April 2010 (UTC)

I just found another recent ref and so have added further text on this subject. I'll keep an eye out for more refs available. - Ahunt (talk) 20:08, 17 April 2010 (UTC)

Another good source of data might be the proactive tests from http://www.av-comparatives.org or the latest proactive tests from Virus Bulletin. --HamburgerRadio (talk) 16:44, 18 April 2010 (UTC)

Thank you. :) TurboForce (talk) 18:53, 18 April 2010 (UTC)

User:HamburgerRadio: Nice to hear from you, thanks for those tips. I used the first one to expand the text on effectiveness. - Ahunt (talk) 23:16, 18 April 2010 (UTC)

I was thinking it would be good information to write something fact-based. Something like "When faced with malware they hadn't seen (the proactive test), the antivirus programs with the best detection caused many false positives [depending on whether the consensus is that it's generally true], while popular antivirus programs x and y detected x% and y% of the unknown malware." --HamburgerRadio (talk) 00:36, 19 April 2010 (UTC)

"Issues of concern" - more could be added.

More could be added to the section Issues of concern, with the appropriate "ref" links, such as:

• One single anti-virus/anti-malware program or suite does not provide 100% protection, as discussed above.

• Disinfecting the computer of viruses and malware can damage or remove essential files; note this is already mentioned before the contents (with a "ref link), quote: "In one case, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot."

There was another case when Symantec's Norton anti-virus mistakenly identified a Pegasus Mail file as a Trojan. Source.

• I'm aware that Windows Service Packs may not install properly (or totally refuse to install) if there are viruses/malware already on the computer. Even when the anti-virus software is permanently enabled, dormant infected files can still be disturbed.

If the "ref" links can be found, there's plenty more we could be adding to the antivirus software page, especially the Issues of concern section.

TurboForce (talk) 19:14, 18 April 2010 (UTC)

2 of the "Issues of concern" are mentioned before the contents in the article: 1) the faulty signature issued by Symantec which resulted in essential operating system files being removed and thousands of PCs unable to boot. 2) The avenue of attack opened by having the anti-virus software running at the kernel level of the operating system - both of these have "ref" links and they belong in the "Issues of concern" section. I would like to add to that section the case of Norton anti-virus removing a clean file from Pegasus Mail, having falsely detected it as a Trojan, as I mentioned above. This is another case of anti-virus software damaging essential files and it rightly belongs in the "Issues of concern" section. What do you readers think? TurboForce (talk) 19:34, 20 April 2010 (UTC)

Makes sense to me. - Ahunt (talk) 20:55, 20 April 2010 (UTC)

I've just done a little work on the "Issues of concern" section; please compare the revisions. I think more needs to be done though, but I'm a little unsure now if the avenue of attack opened by having anti-virus software running at kernel level belongs in the "Issues of concern" section, as it's only one sentence, unless we can say a bit more about it. I've finished editing for today. Cheers. TurboForce (talk) 21:56, 20 April 2010 (UTC)

I checked your change and it looks fine to me. There are probably some other parts of this article that could use reorganizing as well. - Ahunt (talk) 22:41, 20 April 2010 (UTC)

Cheers. It made sense to move the part about Norton anti-virus killing the operating system boot files into the "Issues of concern" section. There is another major problem with anti-virus software in Windows: viruses that are running can stop the anti-virus program from actually working! I was only talking about this today with someone experiencing this problem; they have AVG detecting infections, but the viruses are clever enough to stop AVG from actually disinfecting the system. This issue of concern requires you to create a bootable disk on another CLEAN computer and then run a virus cleaner on the infected computer outside of Windows by booting off the disk, for example: Avira AntiVir Rescue bootable CD/DVD disc. Even having anti-virus software installed and running won't stop your Windows installation from being hijacked! This also shows that having just one anti-virus program is not 100% effective, but you can't install and run 2 (or more) anti-virus programs simultaneously without causing system problems. I would like to add this to the article, if I can find the "ref" links. This is not original research, this is what can and DOES happen. TurboForce (talk) 16:17, 21 April 2010 (UTC)

You're right, and this should be added. Viruses that are running indeed (can) have the power to prevent proper disinfection. It's a fact that once a PC has been infected, it can never be (fully) trusted again until a full reinstall is done. But this situation only happens after anti-virus software has already failed: it should have prevented the viruses from running in the first place! And that's the main issue we're talking about here (IMO): once an anti-virus software misses (for whatever reason) a virus, it can be (and often is) impossible to "clean up" after it. The focus of the new text should (IMO) be on the "miss one, lost all" aspect, not on the difficulty-to-clean-up-after-it-misses-one. --DanielPharos (talk) 19:17, 21 April 2010 (UTC)

That makes sense to me - if you have a ref please do add something on that. - Ahunt (talk) 19:41, 21 April 2010 (UTC)

I agree with DanielPharos above. Once infected, trying to remove the infection(s) is very difficult, sometimes impossible and the PC cannot be trusted again until Windows is re-installed. If you have the original installation CD (and it ain't scratched lol), you could also create a DBAN boot disc or floppy on a clean computer, wipe the hard drive clean on the infected PC and re-install Windows and everything again. I've performed that tedious task more times than I can remember! Unfortunately, it's not always possible to wipe the hard drive because the user hasn't backed up files or the recovery software is on a hidden partition etc. Why not go back to using typewriters, at least they don't break as often as computers!! Please add whatever you can to the article — computer virus/malware writers seem to find more ways of wreaking havoc and evading detection. TurboForce (talk) 20:49, 21 April 2010 (UTC)

Forgot to mention: is there any method which everyday users can apply to prevent viruses/malware from simply taking over the operating system e.g. sandboxing, AppArmor etc? Okay, the "issue of concern" here does not focus on anti-virus software itself, but the computer security as a whole. If the operating system is stored in a read-only ROM chip e.g. RISC OS (and I think AmigaOS on the old Amiga computers was stored on ROM??), the operating system cannot be tampered with by software. There's no point "just" having anti-virus software without other security measures in place. Worth a mention? TurboForce (talk) 21:07, 21 April 2010 (UTC)

The best thing I've found so far is: [4]

Even if the OS is bullet-proof (read-only for instance, as you suggest), your personal files can still get infected. Think macro virus. It will be fundamentally possible to disinfect though, since you cannot lose control of your OS. But you can still lose all your data, and spread the virus.

Sandboxing is a good way, until the sandbox is broken. I remember VMWare fixing some exploits related to exactly this. If sandboxing is going to be applied widely, it's going to be "just another" hurdle. They'll find a way to go around it! And again, everything in the sandbox is still at the mercy of the virus-infection. And the sandbox cannot prevent the user from moving an infected file across the sandbox boundary, and bypassing it that way.

Actually, from a fundamental point of view: if you allow the PC to run non-whitelisted, non completely verified software (if such a thing can even exist, is another discussion), you're allowing it to run malware. I don't think there's going to be any 100% solution in this case. --DanielPharos (talk) 21:24, 21 April 2010 (UTC)

Also, check out the news. McAfee did something nasty, like not testing virus definitions at all. :O This one should be easy to source! --DanielPharos (talk) 21:28, 21 April 2010 (UTC)

This discussion/talk page is getting very interesting. I'm glad the anti-virus page/article is being updated to keep up with the times. I know that anti-virus software alone is not the solution for today's computer security and if people want to break into computers and destroy your files etc., they will. I think the anti-virus page/article could include a mention about other computer security measures to help avoid malware, instead of just relying on anti-virus software to do everything. PLEASE include that thing about McAfee not testing virus definitions — that is VERY BAD!! Apologies for excessive typing; I mention this on my own user page. TurboForce (talk) 21:44, 21 April 2010 (UTC)

All good points and worth including in the article with refs. "is there any method which everyday users can apply to prevent viruses/malware from simply taking over the operating system" - yeah use Linux instead of Windows. - Ahunt (talk) 21:57, 21 April 2010 (UTC)

@TurboForce: I'm an excessive typer myself, so don't worry about that. :)

The McAfee thing: OK, the not-testing is WP:OR, or better, an educated guess. We should probably wait till the dust settles on this issue before adding it to the article: right now, it's not clear what caused McAfee to release this broken update. Here's a link explaining the issue: [5]

@Ahunt: Using Linux won't help, only reduce: linux malware. And configuring Windows right will make it about as secure as Linux; however, almost nobody does that. But as I said, there no fundamental way to prevent malware from slipping through the cracks. I guess regular backups, and a known-good external disk image are the best way to protect your data and recover quickly. But to protect your current install... AV, firewalls, nothing seems to provide decent safety-coverage these days. Well, except maybe hiding out in Linux-world, as you suggest. :D --DanielPharos (talk) 22:05, 21 April 2010 (UTC)

I have done quite a bit of the writing on the Linux malware, so I know what you mean there - even if you run Linux you can install a virus if you try. It helps that there are no Linux viruses in the wild and that they are much harder to install and run and even then can do less damage. Essentially though Computer viruses = Windows viruses. - Ahunt (talk) 22:13, 21 April 2010 (UTC)

I'm sure Linux and Unix don't get hijacked by viruses or malware as long as the user never allows anything malicious to run at "root" level. Mechanisms in place prevent programs simply doing what they want to Linux and Unix. Most everyday users can use a computer 'normally' on Linux e.g. Ubuntu Linux without ever having "root" access. Try giving a home user a "limited" Windows XP account and watch them lose their temper before the end of the week because they can't use the computer 'normally' e.g. install new programs! I use my Ubuntu Linux computer everyday and I don't need to use "root" access to get my work done. The package manager also makes it safer to install new programs. So yes, the anti-virus page or article could be updated to include information about additional security measures required to avoid infection, instead of relying on "just" the anti-virus/anti-malware software. TurboForce (talk) 22:59, 21 April 2010 (UTC)

Careful guys, you're making bold statements here. Are there really NO Linux viruses in the wild, ever? Are there really no "remote code execution" exploits in Linux, ever? And don't forget about Mac OS, Unix, BSD, Solaris... Also, even though running with a limited user account in Windows can be problematic, it DOES make Windows much more safe. There was a report a few weeks ago that more than 50% of all (Microsoft-code based) exploits over the past year wouldn't have been exploitable if running without admin(root) privileges in Windows 7.

Limiting the power to run arbitrary software indeed will stop some viruses, but exploit-based ones (mainly, remote code execution ones) cannot be prevented this way. Using Data Execution Prevention-like technology will reduce their effectiveness. In Windows, there's Address space layout randomization. I'm sure Linux has similar technologies in place. We could mention those as factors in reducing the attack surface size. And (as TurboForce mentioned) we could add something about sandboxing in Internet Explorer and Java. --DanielPharos (talk) 05:12, 22 April 2010 (UTC)

It's not quite that it "wouldn't have been exploitable". It's that the effects would be mitigated to just the user that encountered the exploit. That's probably cold comfort to the user though, whether it's Windows or Linux, since the most valuable thing on their computer is their data, not their operating system. --HamburgerRadio (talk) 06:02, 22 April 2010 (UTC)

Just for the record I didn't say that there never have been any Linux viruses in the wild ever, just that there are none identified at the present, nor have there been in the past five years, for that matter. Like OS-X and BSD, Linux is a very difficult virus target for reasons explained at Linux malware, making it apparently not worth targeting at present. - Ahunt (talk) 12:34, 22 April 2010 (UTC)

Rootkits

There is currently no mention of rootkits in the anti-virus page. I've also done a search on the page using <CTRL> and <F> and found no mention of "rootkit" or "rootkits". Given the VERY serious nature of rootkits and their ability to stealth and evade detection, it's probably worth mentioning rootkits. Anti-virus software now scans for rootkits, so let's keep the anti-virus page up to date with the times. It could also be another "issue of concern" because rootkits may not be detected, especially rootkits which hide in firmware (see the rootkit page, which explains all this in detail). TurboForce (talk) 21:29, 25 April 2010 (UTC)

If you have a ref then let's add some text! - Ahunt (talk) 01:13, 26 April 2010 (UTC)

I've added a small paragraph about rootkits. TurboForce (talk) 10:51, 26 April 2010 (UTC)

Looks good - I just added a slightly longer explanation of what they are, taken from the main article. - Ahunt (talk) 20:10, 26 April 2010 (UTC)

Thank you Ahunt. I see you corrected a mistake I made when I typed that paragraph. I was a bit rushed at the time. It shows how Wikipedia is meant to work i.e. many people work together improving pages, spotting errors and fixing them etc. I wish my web browser included a grammar checker, as it flags spelling errors!

I'm considering adding a bit more to the rootkit section, as it doesn't mention that rootkits can hide in firmware and thus become undetectable by any anti-malware software; this could actually be an "issue of concern" and maybe belongs in the "issue of concern" section? Nearly forgot, here's a .pdf file about rootkits and firmware (found on the rootkit page): [6]. TurboForce (talk) 20:44, 26 April 2010 (UTC)

Yes indeed that is what makes Wikipedia work so well - collaboration! Sure that sounds good to add, just to elaborate on the subject some more. - Ahunt (talk) 20:47, 26 April 2010 (UTC)

I agree with you about collaboration :) and yes I need to elaborate on the subject of rootkits, however the rootkit page itself goes into enough depth, so there's no point me adding too much on the anti-virus page. I would be able to edit pages better if this editing background was a different colour and the user could choose a colour, such as light grey to make it less tiring on the eyes!! TurboForce (talk) 21:27, 26 April 2010 (UTC)

What some people do is write the section or article on a text editor or even word processor and then copy it into the article. That way you can work in an environment of your own choosing. - Ahunt (talk) 00:26, 27 April 2010 (UTC)

I've added a paragraph about rootkits to the “issues of concern” section and it's disturbing to read! Perhaps we could add an external link which educates users on how to avoid virus/malware/rootkit infection on their computers. I would like to thank DanielPharos for the link about rootkits, in the previous section above i.e. “The best thing I've found so far is: [7]”.

Credits also to Ahunt for your corrections and suggestions. I like your website Ahunt – Adam Hunt. :) I'm now typing my edits in the OpenOffice.org Writer with a 10% grey background and size 18 font, using Ubuntu 9.10 (64-bit) of course. Much easier on my eyes – thank you for your suggestion about using an external editor (why didn't I think of something so obvious?). :) TurboForce (talk) 13:48, 27 April 2010 (UTC)

I am glad that was helpful! That is the advantage of collaboration on Wikipedia - no matter how good any one editor is, a bunch of good editors working together are even better! - Ahunt (talk) 15:42, 27 April 2010 (UTC)

How to avoid virus/malware infection.

Maybe we could include an external link on how to avoid infecting the computer in the first place? Having anti-virus software alone will not provide total protection, unfortunately!

The anti-virus software page could also be linked to the Computer virus page on Wikipedia?

What do others think? TurboForce (talk) 17:25, 28 April 2010 (UTC)

Those sounds like good ideas to me - if you can find the refs go ahead! The one thing you will want to be aware of though is that as per WP:NOTMANUAL we can't write a "how to" manual. - Ahunt (talk) 17:52, 28 April 2010 (UTC)

That's why a good external link on how to avoid malware infection would be a good idea. The external link can provide the “how to” manual style or at least give good tips. Prevention is better than cure, especially with rootkits!! TurboForce (talk) 18:13, 28 April 2010 (UTC)

Part 1 of 2 is done: the anti-virus software page now links to the Computer Virus page. Please could someone help me with the second part of my work i.e. to find a good external link which educates users on how to avoid malware. TurboForce (talk) 20:56, 28 April 2010 (UTC)

I'll have a look around. - Ahunt (talk) 21:13, 28 April 2010 (UTC)

A Google search turns up hundreds of articles. How about any of these:

• How to Avoid Malware and Viruses
• Help avoid viruses and malware
• How To Avoid Malware And Keep Your PC Error Free

- Ahunt (talk) 21:30, 28 April 2010 (UTC)

I've just had a look at them. The first and last links look good. The second one is from Microsoft and encourages the use of Microsoft's own products! Ideally an external link educating users on avoiding malware will be platform independent. I've been very busy the past 24 hours, but I will come back to this. Cheers for looking and helping. :) TurboForce (talk) 23:09, 30 April 2010 (UTC) ← It's actually after midnight here lol. Ignore any typos. Thanks.

I did think that the middle one, by Microsoft, was a bit ironic as it is their "defective by design" Windows operating system that causes the entire virus industry to flourish in the first place, but Google suggested it near the top of the list and in reading though it I thought it had some merit! - Ahunt (talk) 01:50, 1 May 2010 (UTC)

Ahunt, you said it perfectly about "defective by design"! Well done. :D I'm glad I don't have worry about malware and constant computer maintenance tasks like defragmenting (yes I've edited that page too lol) as I don't use Windows very often - quite rare now that I ever need to use Windows.

I have found a link from Intel's website about avoiding viruses:

• How to Avoid Viruses information from Intel on how to avoid viruses.

Would that be a good one to include in the "External links" section? TurboForce (talk) 12:00, 1 May 2010 (UTC)

The Intel link looks pretty authoritative! - Ahunt (talk) 13:33, 1 May 2010 (UTC)

Well, WP:EL gives some ground rules, but there may be some judgment calls too. The pcsourcepoint.blogspot.com for instance, there's no information on why they're authoritative or even a name.

If you click on the credit line at the bottom of the intel.com article, it appears to be written by an outside writer with no indication of why they're authoritative. --HamburgerRadio (talk) 03:23, 2 May 2010 (UTC)

I agree that the blogspot article may not be the best choice, but in the case of the Intel.com article I believe that fact that Intel published it is an endorsement of its content. - Ahunt (talk) 11:05, 2 May 2010 (UTC)

What would be acceptable as an external link which can educate users on how to avoid computer viruses? Unfortunately, people assume their anti-virus program will take care of everything and it's safe to take risks. TurboForce (talk) 11:23, 2 May 2010 (UTC)

McAfee, Microsoft, and Symantec have all recently put out reports saying that web browsing is the top source of infections, especially plugins like PDF viewers.[8] The Intel article says nothing about patching plugins or even about installing security patches at all. Say what you will about their software; McAfee, Microsoft, and Symantec at least do research and put out original content. --HamburgerRadio (talk) 17:24, 2 May 2010 (UTC)

I'm still looking for a suitable external link. TurboForce (talk) 21:57, 2 May 2010 (UTC)

Is this one any good?: Tips for Avoiding Malware Infections Possible external link. TurboForce (talk) 21:46, 3 May 2010 (UTC)

Just my opinion: while there may cases where a blog is the best source, there doesn't seem to be anything unique here. All of it would be better cited to something closer to a reliable source, ie. peer-reviewed paper, technical publication, journalist consulting with experts. --HamburgerRadio (talk) 18:07, 8 August 2010 (UTC)

This link How to Avoid Viruses is a joke. It mentions "Can erase your hard drive" as the worst consequence of a virus infection, and doesn't mention the single most important anti-virus measure (Restricted account) at all. Forget it! —Preceding unsigned comment added by Intrr (talk • contribs) 02:57, 14 November 2010 (UTC)

You will note that that link is not currently used in the article. - Ahunt (talk) 13:03, 14 November 2010 (UTC)

Points missing.

In response to this small paragraph under the "Effectiveness" section:

Independent testing on all the major virus scanners consistently shows that none provide 100% virus detection. The best ones provided as high as 99.6% detection, while the lowest provide only 81.8% in tests conducted in February 2010. All virus scanners produce false positive results as well, identifying benign files as malware.

Maybe we could add that it's possible to install extra anti-malware software that can safely co-exist with anti-virus software (with "ref" links). For example, in Windows Vista and higher, Windows Defender runs by default and it happily runs alongside anti-virus software. (It's a lame anti-malware product as I've never seen it identify anything malicious on a Windows computer that's riddled with malware!)

One important point missing in the anti-virus software page is the fact that you can disinfect Windows from an anti-virus boot disk (created on a clean computer), which deals with the malware outside of Windows so the infections can be removed when dormant. That said, I've always found it best to wipe a hard drive clean with DBAN, which also eradicates the malware files or use the "recovery" software included by the computer manufacturer which erases the hard drive and malware, then re-installs Windows with the manufacturer's junk.

Don't forget that Windows users are the target of over 2 million pieces of known malware! TurboForce (talk) 11:55, 20 June 2010 (UTC)

Don't most anti-virus products nowadays include a malware scanner, or the same manufacturer has one that can be integrated? Actually, I think the term "anti-virus" is kinda outdated, since the largest threat today usually is from trojan horses, not virusses. --DanielPharos (talk) 13:29, 20 June 2010 (UTC)

Sadly, no single product or suite of security programs in one package from the same manufacturer will stop Windows becoming infested with tons malware. I've seen that happen too many times, regardless of security/anti-virus/anti-malware from one manufacturer that's installed, running in real time AND updated, Windows still manages to get infected. Even visiting the wrong website can be disastrous! Unless the user runs in a restricted account, but then finds he/she can't even change (or look at) the time and date, can't install critical updates and so on. My point is that NO single product or no suite of different products bundled together by a single manufacturer is enough to protect Windows. Provided that different makers' anti-malware programs can co-exist and run at the same time without conflicts, you gain some extra protection at the expense of a slower computer. Many times I've had e-mails 'sent' to me with just a link - that's obviously malicious, then I contact the sender and tell them they have viruses and they are surprised and tell me they have anti-virus software! TurboForce (talk) 21:42, 20 June 2010 (UTC)

You seem to be missing my point. Anti-virus software (for strict definitions of anti-virus) is obviously not enough, but most anti-virus software nowadays includes an anti-malware part. Most so-called anti-virus software today is actually anti-malware software already. Which makes what you want to add ("it's possible to install extra anti-malware software that can safely co-exist with anti-virus software") largely irrelevant, since nobody is running anti-virus without anti-malware anymore. --DanielPharos (talk) 14:05, 21 June 2010 (UTC)

I'm not missing your point. Yes anti-virus and anti-malware come in the same package. My point is that for improved protection, a Windows user needs another anti-malware package FROM A DIFFERENT SOFTWARE MAKER such as Malwarebytes' Anti-Malware which can co-exist with the anti-virus suite they already have installed. Windows Defender is another example of an anti-malware program designed to co-exist with almost any other anti-virus program, albeit that Windows Defender is a useless tool and a resource hog! Sometimes the anti-virus program maker may advise against using other products, so worth checking first. Even with extra protection installed, I've still had to disinfect Windows! Any program can do what it wishes and Windows doesn't complain. Windows won't complain if something randomly edits the registry or deletes files from the \Windows folder! What a stupid mess and it's made worse because many users think their computer is invincible just because anti-virus software is installed!! TurboForce (talk) 17:18, 21 June 2010 (UTC)

I'll ignore all the irrelevant ranting...

Ah, so what you and I want to say is that by overlapping multiple packages, you'll get better coverage. You (usually) can't install multiple anti-virus programs, since they'll conflict. So you'll end up with 1 anti-malware suite, and N anti-malware-no-anti-virus programs. --DanielPharos (talk) 19:48, 21 June 2010 (UTC)

Thankfully, I don't have to face this daily nonsense of worrying about where and when the next Windows malware will wreak havoc, as I don't use Windows. You don't seem to accept that programs can co-exist with anti-virus software, such as ThreatFire and many others. This is 2010 and like I said earlier in this discussion page, no single anti-virus program or package from one vendor will provide complete protection, so ideally a user needs another anti-malware program that can SAFELY co-exist with anti-virus software and yes I know it's dangerous to install more than 1 anti-virus program as they will cause major problems. As I keep saying, Windows still gets infected when anti-virus software is present!! TurboForce (talk) 23:16, 21 June 2010 (UTC)

Again, missing my point. Well, it's a nitpick anyway, so let's just forget about it, OK?

Ontopic: Scanning with multiple anti-malware programs usually indeed finds more malware than using just a single program, so I guess this point can be added to the article (properly sourced, of course!). --DanielPharos (talk) 09:15, 22 June 2010 (UTC)

Spot on! Multiple anti-malware programs will find more malware than just one. Many of these anti-malware programs can safely run alongside traditional anti-virus software. Windows Defender is enabled by default in Windows Vista and higher, even when anti-virus software has been installed. In fact, some don't need to run permanently in the background, but must be run by the user to scan the hard drive(s) and removable media for malware occasionally as part of the regular Windows maintenance routine.

Don't forget a point I mentioned earlier about removing viruses/malware from a bootable disk e.g. a bootable anti-virus CD disc, which runs outside of Windows and removes infections when they're dormant. Avira AntiVir Rescue System is an example. The user downloads an .iso file on a clean computer and creates a bootable CD from this .iso file using CD writing software, then boots the infected computer from this disc and it runs outside of Windows (the disc is Linux-based) to remove the infections from Windows.

Finally, I forgot to mention until now that anti-virus vendors have specialist tools to remove stubborn infections. You can download a tool from an anti-virus vendor's website to remove certain infections better with one of these specialist tools compared to using an anti-virus program to clean up the mess.

All of these points are missing from the anti-virus software page as I write this. TurboForce (talk) 11:40, 22 June 2010 (UTC)

All good points - if you can cite refs then by all means feel free to add them. - Ahunt (talk) 13:37, 22 June 2010 (UTC)

That's the tedious part and I seem to be alone with my efforts. TurboForce (talk) 23:03, 24 June 2010 (UTC)

No my intention to make you feel lonely doing this. I am keeping an eye out for refs! - Ahunt (talk) 23:07, 24 June 2010 (UTC)

Thanks. It's finding them ref links (to prove statements are valid) that's so tedious. It's all well and good providing the "correct" information, but useless if there are no refs.

To be added to the anti-virus software page: 1) Having another anti-malware product that can safely co-exist with an anti-virus program improves the chances of catching malware. 2) A bootable anti-virus disc can be created on a CLEAN computer, then used to disinfect an infected Windows computer. 3) Stand alone tools exist to remove certain types of malware e.g. Trend Micro Rootkit buster, VundoFix and tools available from anti-virus vendors that remove specific infections. TurboForce (talk) 16:49, 25 June 2010 (UTC)

QUICK QUESTION READERS: In example 3 above, would them external links serve as suitable ref links? I will come back to this sometime later cos it's summer here in the UK and I'm making the most of it! :) TurboForce (talk) 12:29, 26 June 2010 (UTC)

System disinfection

The page doesn't talk much about disinfecting the viruses. When you have to clean a typical Windows installation heavily contaminated with malware (literally!), you are "disinfecting" it. I don't know if the word "disinfect" is outdated when we talk about today's anti-virus products in action?

Thank you Ahunt for "tidying up" my ref links. It's an arduous job finding the ref links in the first place and I don't know how to make the ref links at the bottom of the page show the proper date, title etc.

One thing I've not added to the page as yet is an explanation of anti-virus boot discs which boot and operate outside of Windows, running Linux, to clean up (disinfect?) the entire Windows drive. This method is more thorough and the viruses can be removed when dormant. This avoids the possibility of viruses stopping the anti-virus program.
TurboForce (talk) 17:24, 13 July 2010 (UTC)

Those are all good points and well worth including I think! No problem on the formatting refs. If you like you can insert web refs in this format:

<ref name="UniqueNameOfRef"> {{cite web|url = http://www.something.com|title = Title of Article|accessdate = 14 July 2010|last = Name|first = Name|authorlink = |year = 2010|month = July}}</ref>

...which will save me doing it! - Ahunt (talk) 19:17, 13 July 2010 (UTC)

Blimey, that looks complicated. I'll try next time, but will probably botch it up lol. :P TurboForce (talk) 21:04, 13 July 2010 (UTC)

No problem - I will watch and help out. It is quite simple - just replace the items to the right of the "=" signs and all will be well. - Ahunt (talk) 21:16, 13 July 2010 (UTC)

What "+" signs, where?? I'm in the process of creating new content for the page. TurboForce (talk) 21:23, 13 July 2010 (UTC)

I've edited the page now. I can see why ref links need to be correctly formatted, but finding ref links can be a big job in itself. For example, I added 3 sections to the Criticism of Microsoft Windows page — sections 1.4, 1.5 and 1.6. Being a controversial page, it needed perfect ref links to prove every statement, which I already knew were true. :D

As you can see, ref links 8 - 20 on that page are not formatted correctly, but the content is there. I will focus on finding ref links, but until I can format them properly, I'm afraid someone will have to do that for me, sorry. :-( —Preceding unsigned comment added by TurboForce (talk • contribs) 22:12, 13 July 2010 (UTC)

No sweat - "bare refs" (ie just links) are accpetable to leave there, they just look nicer and are easier to read when formatted! - Ahunt (talk) 23:15, 13 July 2010 (UTC)

Stuxnet worm

If you've seen the news lately, you've probably learned about the Stuxnet worm. I'm wondering how you would "disinfect" this worm from the industrial devices it exploits, which are using... (drumroll please) Microsoft Windows! In fact, incorrect removal can cause even more problems!! Siemens: Stuxnet Worm Hit Industrial Systems (Skip the ad on that ref page.)

What do you readers think about this and how it relates to anti-virus software? TurboForce (talk) 23:05, 29 September 2010 (UTC)

Some background here on that particular malware: Stuxnet worm attacks industrial targets, could be aimed at Iran and Iranian power plant infected by Stuxnet, allegedly undamaged. I think we ought to include something on this here in this article, but I am not clear what that should be. - Ahunt (talk) 00:56, 30 September 2010 (UTC)

I think we could add that this malware directly affects hardware it can't actually run on. I mean, it's designed to reprogram PLCs! Even after the virus is removed completely, the "effect" of the virus might still be there. Anti-virus software cannot fix that (or even detect that). --DanielPharos (talk) 09:39, 30 September 2010 (UTC)

Disinfecting is "easy": Since this is a rootkit-worm with auto-update-like features (if I'm not mistaken), you'll have to format the PC (standard practice after any infection) to get rid of it. And the article you quote says how to remove it from the PLCs: "Symantec advises companies that have been infected to thoroughly audit the code on their PLCs or restore the system from a secure backup, in order to be safe." So nothing special there. --DanielPharos (talk) 09:39, 30 September 2010 (UTC)

I think the anti-virus software page could cover the Stuxnet worm as an example of malware that can attack an industrial PLC. This would mean the main page would cover all computing areas affected by malware in the 21st century. I think malware was a likely factor in the Spanair Flight 5022 accident. We're not just talking about malware on personal computers anymore, sadly. TurboForce (talk) 10:28, 30 September 2010 (UTC)

That seems like a good way to proceed. - Ahunt (talk) 11:47, 30 September 2010 (UTC)

I am also wondering if this ref shouldn't be used as well in adding something on the Spanair Flight 5022 crash. It really is a threat story and not an effective anti-virus story. - Ahunt (talk) 11:55, 30 September 2010 (UTC)

I think it proves that anti-virus software is necessary for more than just personal computers. I don't know what operating system was in use on the computer system on Spanair Flight 5022? TurboForce (talk) 22:42, 30 September 2010 (UTC)

Since it picked up a Trojan it does kind of beg the question, doesn't it! I can't believe that McDonnell Douglas would have run an airliner on Windows! Final approach = BSOD. It would be interesting to see what Boeing and Airbus are using today, not sure where to source that, though. I am certain like the International Space Station they use their isolation from the internet rather than anti-virus as protection, though. - Ahunt (talk) 23:39, 30 September 2010 (UTC)

Very interesting discussion. :) It's alarming that malware can find its way into anything that runs a program and nearly always on something running Windows! Looks like Microsoft's insecure design and having their fingers in too many pies has resulted in all this chaos. I hate to think what damage will ensue from the next big malware infection or a critical mistake in an anti-virus program! TurboForce (talk) 00:48, 1 October 2010 (UTC)

I agree, good points all around. What shall we include in this article from all this? - Ahunt (talk) 12:06, 1 October 2010 (UTC)

I think the page could include information on how anti-virus software is necessary on ANYTHING that runs Microsoft Windows, not just a standard desktop computer (or laptop or netbook) in a home or office. If Microsoft has a total monopoly, this malware havoc will have the power to destroy things and we—the consumers—will end up paying for this mess. I also suggest that we mention that anti-virus software is not the only defence against malware, but using Windows with great care, a good example: use a non-administrator account at all times, if possible (this is standard on Ubuntu Linux for instance, since the Ubuntu "root" account is locked by default). This will at least limit the damage caused by malware. When I've added this paragraph and checked it, I will be adding another link to my user page about the perils of vendor lock-in. TurboForce (talk) 14:34, 1 October 2010 (UTC)

Could the stuxnet worm have been avoided by using anti-virus software? How do you check industrial and embedded systems for malware compared to a personal computer? TurboForce (talk) 22:35, 2 October 2010 (UTC)

That is a very good question. It would be worth including if we had a reference on that subject area. The articles indicate that this was a zero-day threat, so that seems to imply that it could have been defended against if anti-virus had been present and had definitions or heuristics that could have caught it. It sounds like it was spread via USB sticks and that seems to imply that the devices are not internet connected or otherwise networked. Back in the early 1990s we had a worm spread through a series of non-networked military PCs via a floppy disc that contained an infected game, so anytime outside devices can be connected there is a risk. I wish we had better refs on this. - Ahunt (talk) 22:45, 2 October 2010 (UTC)

If you find any good refs, this would be interesting to research. I remember when I was learning computing at one particular place, we were prohibited from using our own disks (floppy disks back then!) for that same reason i.e. to avoid viruses. Anti-virus software is supposed to scan removable media, but as we all know, viruses can sneak past anti-virus software and other anti-malware software and then it's game over! Perhaps the page could mention the dangers of infected removable media. Anti-virus software should scan removable media like USB pendrives, CD ROMs etc. when they are inserted. If ref links can be found, this is all very useful. Cheers. TurboForce (talk) 10:07, 3 October 2010 (UTC)

I think talking about the Stuxnet worm focuses more on computer security rather than anti-virus software. I've added a sentence to the page to make it clear to readers that the page does not discuss security implemented by software measures. It's not just bad software you have to be careful with... also fake hardware that could be dangerous!. Cheers. TurboForce (talk) 15:44, 13 October 2010 (UTC)

Anti-virus software on Linux

Why do we have a link to "Linux malware", but nowhere does the main page say that Linux does or doesn't need anti-virus software running in the background? I don't have anti-virus software in Linux, but in Windows XP SP2 and later, the "Security Center" will warn you if anti-virus software is not installed.

Do we need a section about anti-virus software and Linux? TurboForce (talk) 21:14, 22 October 2010 (UTC)

Linux malware has its own page because it is so rare! Sure we can add a section on Linux anti-virus software, it could just be an intro para and then send people to Linux malware where it is explained in detail. - Ahunt (talk) 21:19, 22 October 2010 (UTC)

Cheers Ahunt. I agree about the rareness of Linux malware; such a breath of fresh air without the constant worry of malware infection and without having cumbersome anti-virus software running in the background.

Before I forget to say, I still need to learn how to format "ref" links properly. I don't mean to leave you with the job of doing that every time. Cheers. :) TurboForce (talk) 21:44, 22 October 2010 (UTC)

Refs are quite easy to format - I have three easy to copy formats at User:Ahunt/Tags for general web refs, web news refs and paper refs. - Ahunt (talk) 21:58, 22 October 2010 (UTC)

I see that and I come across this on your page:

<ref name="UniqueNameOfRef"> {{Cite web|url = http://www.something.com|title = Title of Article|accessdate = 14 October 2010|last = Name|first = Name|authorlink = |year = 2010|month = October}}</ref>

Maybe an example of an existing formatted ref link with that would be good. I wish I had more time to learn Wikipedia formatting. There are not enough hours in the day. :( It takes long enough to provide the facts alone.

Back to Linux and anti-virus software. I do know it's necessary when handling Windows files e.g. when e-mailing Microsoft Office files that were edited by someone else previously, as you don't want to unknowingly pass on an infected file, even though it won't infect your Linux machine. The anti-virus companies will scare users into wasting money on security software they don't need. TurboForce (talk) 22:28, 22 October 2010 (UTC)

Well here is a real world example of what a ref in that format looks like: <ref name="FAA"> {{cite web|url = http://registry.faa.gov/aircraftinquiry/acftinqSQL.asp?striptxt=Airbike&mfrtxt=&cmndfind.x=0&cmndfind.y=0&cmndfind=submit&modeltxt=Airbike|title = Make / Model Inquiry Results|accessdate = 27 July 2009|last = [[Federal Aviation Administration]]|authorlink = |year = 2009| month = July}}</ref> if that is any help. If you need more on this write to me on my talk page and I will be happy to get you started. - Ahunt (talk) 23:03, 22 October 2010 (UTC)

I think that, nowadays (2013), virus for Linux are not anymore that rare (e.g. Android). Farqad (talk) 19:01, 13 January 2013 (UTC)

Merge MALWARE SCANNER article into ANTIVIRUS SOFTWARE article

Support: It was proposed some time ago to merge Malware scanner into Antivirus software. I want to support that because the scanner article is only a few lines that can be given a small section with the main article. It seems pointless to have a separate article. 71.229.185.179 (talk) 18:20, 27 October 2010 (UTC)

Makes sense to me - they are the same subject. - Ahunt (talk) 18:36, 27 October 2010 (UTC)

Since that tag has been a round for a long time with no objections and since the article has no useful or referenced content o have redirected it to this article, - Ahunt (talk) 18:39, 27 October 2010 (UTC)

Office conflict

Anti-virus programs can cause conflicts with other programs. For example, Microsoft reports that anti-virus programs are known to cause conflicts with [[Microsoft Office]].<ref>{{cite web|url=http://support.microsoft.com/kb/835404|title=An out-of-date antivirus program may cause errors when you try to open an Office document or to start Outlook|date=2010-11-27|accessdate=2011-2-16}}</ref>

This article described Office notifying a user of an infected file. Calling a successfull prevention (note: but not cleaning the file) of a malware infection "a conflict" is a bit of a stretch by any measure... I'm not sure if this text is salvagable? --DanielPharos (talk) 20:40, 16 February 2011 (UTC)

@DanielPharos I quote from that ref page in the "SUMMARY" section:

“

This article describes an error message that you receive in Microsoft Office that states that an antivirus program is preventing you from opening a file. You may receive this error message for the following reasons: There is a compatibility problem between your antivirus program and Office. The file that you are trying to open is infected with a virus that your antivirus program was unable to remove. The file that you are trying to open has been damaged.

”

Bold emphasis added to the relevant text. It proves that active anti-virus software running in the background increases the chances of failures. The TrueCrypt troubleshooting page reports in several places that anti-virus software causes problems, which they clearly point out is not a bug in TrueCrypt (click here to read it all). TurboForce (talk) 00:05, 17 February 2011 (UTC)

And the very next line: "To resolve the first two problems, you have to update your antivirus program". So it's an outdated (or old, the article isn't clear) anti-virus program that's being buggy and causing this, not a 'real' conflict. You do realise what you just highlighted is classic Microsoft-talk for "we know of certain badly written programs of vendors, who shall remain nameless, that were fixed in later versions"?

TrueCrypt: Now that are true conflicts. I suggest using that ref instead. --DanielPharos (talk) 08:17, 17 February 2011 (UTC)

Primary sources

I've just noticed that many of the article's sources are primary. For example, a mention of the AVG Rescue CD has a source from AVG Technologies. This is an example of primary sourcing. A better approach would be to introduce secondary sources to the article. They are preferred because they second-hand accounts and they have no stake in what's being said. In other words, some of the references being used here are similar to refspam and having secondary sources talk about these items in with independent, reliable sources would improve the quality of the article. I'll place the template on the article and I can help with improving the refs. Dawnseeker2000 22:27, 24 February 2011 (UTC)

No objections to that, as long as you have the refs then have fun! - Ahunt (talk) 23:53, 24 February 2011 (UTC)

Looks like hours of work are still not good enough. Even the correct ref links are said to be wrong, not just on this page. Is there any point editing pages on Wikipedia? TurboForce (talk) 23:32, 25 February 2011 (UTC)

Everyone has different opinions of the usefulness of refs. User:Dawnseeker2000 has replaced many primary refs with third party ones, which is a lot of work. Personally I would have added the third party refs and left the primary ones in there, but that is just my opinion. - Ahunt (talk) 00:23, 26 February 2011 (UTC)

I've always believed it was right to include a ref link that just proves what is being said is true? What's this about "primary" and "third party"? I'm totally bamboozled here! So the mention of AVG rescue CD links to a page to prove it really exists and the article is telling the truth. Why is that wrong? TurboForce (talk) 12:07, 26 February 2011 (UTC)

It isn't wrong to use those link, just that third party refs are preferred. As it explains at WP:RS: "Articles should be based on reliable, third-party, published sources with a reputation for fact-checking and accuracy. This means that we only publish the opinions of reliable authors, and not the opinions of Wikipedians who have read and interpreted primary source material for themselves." - Ahunt (talk) 14:42, 26 February 2011 (UTC)

I have always made it habit to only add material to articles if the subject matter has been covered by a third party. And for this article I just happened to have a snow day and so I had tons of time. I had noticed that a user had added a few primary sources and it caught my eye. Well, it turns out that the IP was registered to Symantec and at least one of the additions that the user made wasn't entirely correct. I thought it was interesting that someone closely related to the Antivirus software industry would introduce a tidbit that wasn't exactly correct. Anyway, that's what the short story on what I did the other day. That kind of work isn't very glamorous, but I have always thought that articles aren't worth much if the reference section is lacking. Dawnseeker2000 16:07, 26 February 2011 (UTC)

Links

The link to Anti-spyware coalition is defunct. Perhaps it might be removed.Teacherstudent27 (talk) 06:18, 2 September 2011 (UTC)

If you are referring to the link to Anti-Spyware Coalition in the nav box at the bottom, it still links to that article. - Ahunt (talk) 12:11, 2 September 2011 (UTC)

Ref links dispute

I'm VERY annoyed that FleetCommand has ruined my recent edits because he/she doesn't like The Register ref links being proof.

What that user has basically done is ruin perfectly valid edits. It's like writing on a piece of paper and then someone comes along, rips it to shreds and throws it on a fire. WHY did YOU not bother to find ref links for it BEFORE you decided to wipe my edits, which took me somewhat longer than the few seconds required for you to undo/revert my edits? As for The Register links not being good enough - I've used The Register for ref links on other Wikipedia pages I've edited and nobody else has a problem with them.

I'm VERY annoyed by this and I get the impression you're lazy because you didn't go to the same trouble I did in finding them ref links and editing the page with great care and perfection. I better stop typing as I could say some things which will offend!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! TurboForce (talk) 00:13, 23 October 2011 (UTC)

I don't see why it was removed either. There is at least one other reference in the article now that points to The Register. There's a link to a Symantec article right in The Register article that confirms the statements that are made regarding the Mebromi virus that affects the MBR code. What's the problem here? Dawnseeker2000 00:30, 23 October 2011 (UTC)

I don't get this "the Register is not a RS" either. It is as reliable as any news source is. I have also reviewed the Symantec article ansd it also seems to support the text. I propose this be restored. - Ahunt (talk) 11:16, 23 October 2011 (UTC)

Before just plainly restoring them, risking an edit-war, I suppose you've actually *asked* FleetCommand why (s)he removed it, right? For the record: what was his/her answer? --DanielPharos (talk) 09:36, 29 October 2011 (UTC)

That is why we are having this conversation here, to come up with a consensus. - Ahunt (talk) 12:18, 29 October 2011 (UTC)

So has anybody invited FleetCommand into this discussion then? Because it seems obvious (s)he will have something to say about this... --DanielPharos (talk) 13:30, 29 October 2011 (UTC)

Well normally when someone has enough interest in a page to revert a bunch of stuff they will watch the page for future developments, but feel free to specifically invite them if you think they aren't watching the page. - Ahunt (talk) 14:13, 29 October 2011 (UTC)

Hello guys.

First and foremost, The Register has two issues: (1) It is a tabloid and is far from the standards of a reliable source. (You guys have actually read WP:RS, haven't you?) (2) Its article contains novel statements that do not appear in the Symantec source. It uses shock and awe tactics to gain readership: It is giving doomsday predictions about how the computing world is coming to an end with this new malware while Symantec source makes it clear that this tactic is not new -- albeit rare. (Well, tabloid after all...)

Second, no, nobody asked me why, though I did try to contact Escape Orbit and explained why. So far, he has not replied, so I assume he is satisfied with my revert.

Third, I do not understand what this fuss is about: The article is still saying exactly the same thing. It still says "This is a major concern, as an infected BIOS could require the actual BIOS chip to be replaced to ensure the malicious code is completely removed." What I removed in the revert was redundancy + questionable citation.

Fleet Command (talk) 19:58, 29 October 2011 (UTC)

Okay, I re-studied my message to Escape Orbit and actually remembered what give me the incentive to revert: The contribution says "Currently, anti-virus software cannot remove malware that has successfully modified the BIOS EEPROM." Excuse me, but which source says "cannot"? Even The Register never says anything so explicitly; it just throws suggestive comments like "the malware stands a better chance of surviving attempts by antivirus programs to remove it" and "Developing an antivirus utility able to clean the BIOS code is a challenge" but never says "cannot".

And "Anti-virus software"? How do you know that it applies to all antivirus products? And "currently"? Well, this is a minor issue but see WP:RELTIME. Fleet Command (talk) 20:22, 29 October 2011 (UTC)

The main point of that edit was to prove 2 things: 1) that anti-virus software cannot stop new malware from writing to the BIOS EEPROM, until the anti-virus program has been updated with new signatures which detects that malware. 2) If an EEPROM chip has been infected by malware, that malware cannot be removed from the chip by anti-virus software YET. Here's what I added to the page at that time - the bold text showing what was added to the existing sentence (ref link numbers removed):

Anti-virus software is not effective at protecting firmware and the motherboard BIOS from infection by new malware before the anti-virus software is updated to detect and deal with such malware. Currently, anti-virus software cannot remove malware that has successfully modified the BIOS EEPROM.

The keywords being "new malware" and "currently". It implies that today's anti-virus software can't protect your BIOS from being flashed by new malware and cannot remove malware from the flashed BIOS, but it MAY do in future. If The Register is not suitable for ref links (I disagree with that), then who is prepared to find the refs and help put my (valid) edits back in the article? TurboForce (talk) 11:26, 30 October 2011 (UTC)

Neither I do believe a word of what you say nor your sources (even The Register) support them. In fact, the Symantec source says the complete opposite: It says that it is now capable of dealing with this new threat. Your constant use of weasel words and vague adverb of time only makes the case worse. Fleet Command (talk) 07:43, 31 October 2011 (UTC)

Okay then, prove to me the following 3 points:

• That anti-virus software can protect the BIOS from being altered by a new piece of malware before signatures are updated to detect it.
• That anti-virus software can remove malware from the BIOS chip.
• Prove to me that anti-virus software can scan firmware for malware.

If you can prove all them points, then my statements were wrong. If you can't prove those 3 statements, then my disputed edits about firmware issues are indeed valid (which I know anyway). TurboForce (talk) 13:00, 31 October 2011 (UTC)

Wel, the first point is trivially addressed: heuristics. Accessing the write-functions of the BIOS-chip requires certain calls, which can be scanned for. So even without specific signatures, executables attempting to access the BIOS chip can be identified. These executables can then be prevented from executing, thus stopping the malware threat. For the other two points: I'd have to do some research... Maybe FleetCommand can answer this more quickly. --DanielPharos (talk) 13:30, 31 October 2011 (UTC)

It does mean that a legitimate BIOS update program for Windows requires the anti-virus software protection to be temporarily turned off, to avoid the heuristics from interfering. Although there are better options i.e: create a bootable disk to update the BIOS or - if available - use the updater in the BIOS settings to flash the BIOS with a new update from a single file on a storage medium. In my experience, sometimes the BIOS update can only be performed in Windows, especially with laptops. Also, other devices' firmware updates (e.g. Nokia phones) are nearly always tied to using Windows in order to update the firmware. Anti-virus software and firmware issues are major concern as a result of possible conflicts and the problem of scanning firmware and removing malware from firmware. I'm not aware of any anti-virus or other anti-malware program which can scan and remove malware from a BIOS chip, so the only way to remove malware from the BIOS requires replacing the chip, if possible, or the motherboard! TurboForce (talk) 01:31, 1 November 2011 (UTC)

No, TurboForce. The burden of evidence lies with the editor who adds or restores material -- which is you. So, far you have failed to supply a reliable source for your doomsday statement. Your evidence so far, consists of "I am not aware of a [noun] that [verbs] such and such". There are a lot of things that you are not ever of; but that does not mean that they do not exist. Fleet Command (talk) 06:18, 2 November 2011 (UTC)

Considering that malware has been able to infect the BIOS, such as the Chernobyl (CIH) virus, it is a 'doomsday' reality that has occurred and proof shows it can still occur. I had already supplied the proof that anti-virus software is useless when the BIOS has been infected. As you didn't like the ref links that linked to the pages on The Register website, all you have done is remove the sentences and not found the ref links yourself. Anti-virus software never protects against dumb users who download things like "smiley faces", free screensavers etc. I have seen Windows computers clogged-up with malware during the past 10 years and it still happens all of the time. Don't tell me I don't know what I'm talking about! TurboForce (talk) 13:14, 2 November 2011 (UTC)

TurboForce, let us stay polite and do it by the book: You have made contribution to the article that is backed up by original research and an unreliable source that does not even affirm your statement. Therefore, your statements has no merit for inclusion in Wikipedia, no matter how true it is and how great an expert you are. I think I have said all I have to say and I see no point on re-expressing again and again how I disagree with your contribution that fails verification against its unreliable source. I think it is clear that we do not have a consensus. Regards, Fleet Command (talk) 20:46, 2 November 2011 (UTC)

Some anti-virus software can run before boot-up (though rarely), so I cannot take your claim as valid, TurboForce. Rootkits do have software designed to remove them, and I don't see where The Register is getting its information.Jasper Deng (talk) 21:47, 2 November 2011 (UTC)

Are you forgetting that the BIOS is accessed the moment the computer is powered on and performs the Power-on self-test? If malware has infected the BIOS, that malware is run before any anti-virus, anti-rootkit software etc. On old computers, the BIOS used to have weak "anti-virus protection" that only checks the MBR and in the end, this was removed by later BIOS makers (or disabled by default) as it would conflict when installing the OS. This is the very last time I say this: anti-virus software DOES NOT remove malware from FIRMWARE.

If I come across any refs that don't link to The Register (to save disputes, god knows why you have a problem with The Register?????) then I will add it to this discussion page first. To save confusion - I must make it clear that firmware refers to all types of firmware accessible by the computer e.g. the firmware in DVD drives, not just the motherboard BIOS. Finally, the edit was NOT "original research", as I've already read about this happening and the Chernobyl (CIH) virus proves that malware can write to the BIOS and that same malware was hiding in the firmware of a CD drive manufactured by Yamaha click here to read about it. TurboForce (talk) 16:46, 3 November 2011 (UTC)

Please refrain from shouting. If you don't want us to think your edit is original research please cite your source. There is no proof that antivirus software can or cannot remove these, since there are such things as rootkit protection. You may also want to take a look at the secure boot requirement of Windows 8.Jasper Deng (talk) 16:58, 3 November 2011 (UTC)

Help correcting the Refferance section

I added to the "history" and "identification" sections text which cite the same reference:

http://www.research.ibm.com/antivirus/SciPapers/VB2000DC.htm An Undetectable Computer Virus (academic paper)

I'm not familiar with this task so it appears as number 10 and 16. Please, anybody help to correct it.

Also, please find the article which describes this result and find a way to include it in a way it fits best.

Please, do not revert my edits, but correct and adapt them. Academic work hosted on www[.]research[.]ibm[.]com should be viewed as a reliable source. — Preceding unsigned comment added by 79.119.11.171 (talk) 11:32, 16 February 2012 (UTC)

I made a number of fixes, including combining your refs (see how I did that in the page history for future use). Your one paragraph there and one other claim require refs to be cited as tagged. - Ahunt (talk) 13:31, 16 February 2012 (UTC)

Thank you.

Please, someone also review the edit I made in the Heuristic section. If anyone knows what I am talking about, please add the example. Note that it may look like original research so, if the claim is not widely accepted, move it to the discusion page

Also, please clarify the difference between "computer virus" and "malware" at the beggining of "identification techniques". — Preceding unsigned comment added by 79.119.11.171 (talk)

I did review it and tagged it as needing a reference. Please see WP:ONUS. - Ahunt (talk) 13:55, 16 February 2012 (UTC)

Thank you for your help. As some of my edits were tagged as needing reference, if no reference shows up in a decent amount of time, pleas someone move them to the discussion page section.

I made a request for Cohen's result to be added to the Computer virus page. My request it's on the talk page of that article.79.119.11.171 (talk) 14:28, 16 February 2012 (UTC)

I don't work on that article, but I am sure someone will respond as it is well-watched. - Ahunt (talk) 14:36, 16 February 2012 (UTC)

Thank you. Sorry for crossposting. 79.119.11.171 (talk) 14:40, 16 February 2012 (UTC)

No problem at all - better too much information than not enough! - Ahunt (talk) 14:43, 16 February 2012 (UTC)

I made a small edit at the beginning. Please also review at least the 3rd sentence. I feel the way as the combination of "malware" with "threats" points to "computer security threats" does not correlates well with the intentioned meaning that the page does not discuss computer security but malware79.119.11.171 (talk) 14:49, 16 February 2012 (UTC)

Fret not, every edit on every article gets reviewed by someone. - Ahunt (talk) 15:07, 16 February 2012 (UTC)

As a temporary improvement, I added bolding to the 3rd phrase. I hope someone more experienced than me will help. Thank you again. It was a pleasant collaboration.79.119.11.171 (talk) 15:11, 16 February 2012 (UTC)

Anti virus

Who really created the first antivirus?-170.185.129.17 (talk) 15:39, 21 August 2012 (UTC)

The section Antivirus_software#History pretty much answers that question. - Ahunt (talk) 15:43, 21 August 2012 (UTC)

Actually it is pretty difficult to state who really create the first antivirus. This is mainly because in the beginning security experts just start to write programs specifically developed to remove single viruses. But, depending on the definition of antivirus, there could be a different between the effective foundation of the first antivirus firm and the development of the first antivirus. Just some examples:

• Friðrik Skúlason founded FRISK Software International only in 1993, but he create the first version of his F-Prot AV back in 1989.^[1] And, according to him he wrote the first program to remove a virus even before.
• The same happened to Gianfranco Tonello. He founded TG Soft in 1991, but he creates the first version of his VirIT AV one year before.
• In 1988, Dr. Vesselin Bontchev produces his first freeware AV program.^[2]
• F-Secure claims to be the first AV firm to establish a presence on the World Wide Web.

But, the section Antivirus_software#History should be quite correct. Farqad (talk) 19:28, 13 January 2013 (UTC)

References

1. [1]
2. [2]

Data mining in AV technologies

Data mining techniques for malware detection are one of the latest approach in AntiVirus software. These algorithms use file features, that are extracted from binary programs, to classify an executables as malicious or benign. ^{[1][2][3][4][5][6][7][8][9][10][11][12][13][14]}

I think this should be added to the article. Farqad (talk) 19:33, 13 January 2013 (UTC)

References

1. A Machine Learning Approach to Anti-virus System
2. Data Mining Methods for Malware Detection
3. Data mining and Machine Learning in Cybersecurity
4. Analysis of Machine learning Techniques Used in Behavior-Based Malware Detection
5. A survey of data mining techniques for malware detection using file features
6. Intelligent automatic malicious code signatures extraction
7. Malware Detection by Data Mining Techniques Based on Positionally Dependent Features
8. Data mining methods for detection of new malicious executables
9. IMDS: Intelligent Malware Detection System
10. Learning to Detect and Classify Malicious Executables in the Wild
11. Malware detection using statistical analysis of byte-level file content
12. An intelligent PE-malware detection system based on association mining
13. Malware detection based on mining API calls
14. "Andromaly": a behavioral malware detection framework for android devices

Comparison of AntiVirus software

What about add a section on the comparison of AV products?

An old discussion has been whether or not AntiVirus products are useless and just waste of money. In November 2012 Imperva, a fairly discussed security firm, published a study in which they state that less than 5% of antivirus solutions were able to initially detect previously non-cataloged viruses.^[1][2] This study has been deeply criticized not only by almost every AntiVirus firm but also by many other security companies.^[3][4][5] The main criticism was on the sample size of the study. In fact, the test has used less only 84 samples out of the millions of existing Windows malware. Another main criticism was that the study compared only detection in VirusTotal reports rather than in the actual products and, as the same VirusTotal stated: "At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being...". ^[6] This is mainly because the engines that AntiVirus firms provide to VirusTotal are not exactly the same configuration as are in the real-world product.^[7] Moreover, VirusTotal does not try to execute the files with actual products being installed. This means that any run-time heuristics, behavioral monitoring, and memory scanning are out of the game. And thus the detection results are meager when compared to full products. Another aspect that has been criticized has been the "relevance" of the samples. In fact, the sample set should only include things that have been verified to have infected customers. Extrapolating current AntiVirus protection by way of testing samples that pose no danger simply makes no sense.

For this, and other reasons, the Anti-Malware Testing Standards Organization (AMTSO) provides guidelines to the testing of anti-malware and related products.^[8] Farqad (talk) 19:33, 13 January 2013 (UTC)

• There is already an article Comparison of antivirus software with redirects from List of antivirus software but it's undated (doesn't mention specific versions) so may be years out of date. Because this antivirus software article doesn't mention examples of any such software by name, I have added a Hatnote link to antivirus software (examples) as mentioned below. LittleBen (talk) 10:25, 22 January 2013 (UTC)

References

1. [www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf "Assessing the Effectiveness of Antivirus Solutions"] (PDF). Impervia. {{cite web}}: Check |url= value (help)
2. [www.nytimes.com/2013/01/01/technology/antivirus-makers-work-on-software-to-catch-malware-more-effectively.html?pagewanted=2&_r=2&ref=technology "Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt"]. The New York Times. {{cite web}}: Check |url= value (help)
3. "On the Topic of AV Being Useless". F-Secure.
4. "That Anti-Virus Test You Read Might Not Be Accurate, and Here's Whys". Intego.
5. "Do you really need Anti Virus protection? Go on uninstall it then". AVG.
6. "BAD IDEA: VirusTotal for antivirus/URL scanner testing". VirusTotal.
7. "On the Topic of AV Being Useless". F-Secure.
8. "Anti-Malware Testing Standards Organization". AMTSO.

Hatnote links to Vulnerability to malware, Antivirus software (examples), and Virus removal

People who are searching for "antivirus software" most likely suspect a virus or other malware; they are really looking for practically-useful guidance—such as the (1) need to fix vulnerabilities in browser plugins / avoid insecure browsers that lead to infection, (2) examples of good (preferably free) antivirus software, and (3) virus removal (as well as backup & recovery strategies). Viewed from this perspective, this article is pretty useless—the major part of the article is "issues of concern": potential disadvantages of antivirus software. I have added hatnotes to useful articles on these three topics, because most people will otherwise give up on such an article before reading to the "See also" at the end. There have been huge recent pageview peaks. Ditto for the computer virus article. The Template:Malware Navbox at the bottom of the page, with links to related articles, might best be updated and recreated as a long and narrow sidebar template at the side of the page, like Template:HTML—to help people quickly find what they're really looking for. LittleBen (talk) 02:58, 22 January 2013 (UTC)

If you think it is really necessary there, personally I think it clutters the article up too much. - Ahunt (talk) 12:29, 22 January 2013 (UTC)

• The hatnotes link to essential information that should have been in the body of the article years ago, as discussed above.   If your comment refers to the template, an example of the use of Template:HTML is here.   LittleBen (talk) 14:54, 22 January 2013 (UTC)

• Wow, 3.7M / 4.7M pageviews per day is awesome. LittleBen (talk) 12:13, 23 January 2013 (UTC)

The January stats look spurious to me. If you check the last complete month, December 2012, it shows 52,116 pages hits in that month, which is still a lot. - Ahunt (talk) 12:40, 23 January 2013 (UTC)

• Yes, it appears that the pageviews tool is broken, as discussed here and here. LittleBen (talk) 14:17, 31 January 2013 (UTC)

Remember that Wikipedia does not provide "how to" information. The article cannot teach users, e.g. "use this web browser", "use brand X anti-virus software" and "to remove malware, you must do this and that". TurboForce (talk) 21:22, 31 January 2013 (UTC)

Firmware issues: BadUSB

I see there's a new threat which anti-virus software is currently unable to detect: BadUSB. Is it worth a mention in "firmware issues"? MetalFusion81 (talk) 16:28, 11 October 2014 (UTC)

It seems worth adding. - Ahunt (talk) 16:52, 11 October 2014 (UTC)

References

Malware signature generation

The signature-based detection section didn't read right--it lacked an explanation of how a digital signature could also be a malware signature. Ideally, there would be a malware signature page, or the info would at least be included in the malware or the digital signature pages. Since it's not, I added a reference link to a signature generation article. The article is old (2006) so someone will probably eventually add a reference to a newer article. When they do, I hope they'll leave in my current reference, because it was the clearest explanation I could find on the topic. Katharine908 (talk) 15:52, 1 June 2015 (UTC)

Origin of virus definitions?

It would probably be nice to put something in this article about the origin of virus definitions, as in if each company makes their own or there are shared databases or if companies share databases between themselves.

Thanks.

--86.27.232.103 (talk) 14:46, 7 June 2015 (UTC)

All we need is a reference and this can be added. - Ahunt (talk) 18:40, 8 June 2015 (UTC)

There are shared antivirus engines, e.g. BitDefender seems the most popular according to http://www.av-comparatives.org/av-vendors/ Tgeorgescu (talk) 21:38, 8 June 2015 (UTC)

Early history: Disinfectant for Mac OS

One item that seems to be missing from the early history is the free Mac OS application Disinfectant, written by John Norstad of Northwestern University. The early Macs did endure a few mostly harmless viruses along with a few malicious ones that were never widely distributed. Disinfectant stamped them all out (and included an Easter egg animation of a large Pythonesque foot doing just that).

This out-of-date page at the University of Northern Arizona website has a brief description of how the last release of Disinfectant was installed, along with another INIT (boot-loaded app) called Gatekeeper.

If I can get a screen capture of Disinfectant and some documentation of its history I will add both to the article. — ℜob C. alias ALAROB 04:13, 8 January 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 2 external links on Antivirus software. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Corrected formatting/usage for http://www.microsoft.com/security/resources/antivirus-whatis.aspx
• Added archive https://web.archive.org/web/20141107045334/http://www.caro.org:80/users/igor.html to http://caro.org/users/igor.html
• Added {{dead link}} tag to http://sciencelinks.jp/j-east/article/200505/000020050505A0076928.php

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

Y An editor has reviewed this edit and fixed any errors that were found.

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 18:32, 15 October 2016 (UTC)

- Ahunt (talk) 00:10, 16 October 2016 (UTC)

Requested move 27 December 2016

The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review. No further edits should be made to this section.

The result of the move request was: NO CONSENSUS. While there's not generally an agreement here that the article should not be moved, this proposal did not gain consensus. Ivanvector (^Talk/_Edits) 13:54, 3 January 2017 (UTC)

---

Antivirus software → Antivirus – WP:COMMONNAME. SSTflyer 03:33, 27 December 2016 (UTC)

The redirect from Antivirus to this article appears to have been in place since 2004. Why the sudden change? I'm certainly not saying "no", just trying to understand why the "software" part of the article's name should be dropped. --DanielPharos (talk) 08:21, 27 December 2016 (UTC)

Comment if "software" is going to be dropped from the title, shouldn't the article be rewritten for a broader scope to include non-software antiviral strategies, such as those focusing on operators and hardware? Reidgreg (talk) 16:14, 28 December 2016 (UTC)

• Oppose – Antivirus alone is less WP:PRECISE and might be construed as relevant to biological antiviral proteins or antiviral medication. Actually, I think the 2004 redirect should be questioned. — JFG ^talk 22:56, 2 January 2017 (UTC)

---

The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a move review. No further edits should be made to this section.

•  Administrator note to follow up on this discussion, I have listed Antivirus at redirects for discussion. Please see the discussion if you are interested. Ivanvector (^Talk/_Edits) 14:00, 3 January 2017 (UTC)

Suggestion for an external link

On the subject of antivirus testing, this is an aggregator of AMTSO-certified lab test scores. — Preceding unsigned comment added by MrDennis (talk • contribs) 10:33, 15 March 2017 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 8 external links on Antivirus software. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Corrected formatting/usage for http://www.viruslist.com/en/viruses/encyclopedia?chapter=153311150
• Added archive https://web.archive.org/web/20120317052525/http://www.bitdefender.co.uk/site/Main/view/product-history.html to http://www.bitdefender.co.uk/site/Main/view/product-history.html
• Added archive https://web.archive.org/web/20071215031743/http://www.clamav.org/2007/08/17/sourcefire-acquires-clamav/ to http://www.clamav.org/2007/08/17/sourcefire-acquires-clamav/
• Added archive https://web.archive.org/web/20150602055929/http://www.avgsecurity.co.za/technology-overview to http://www.avgsecurity.co.za/technology-overview
• Corrected formatting/usage for http://www.extremetech.com/article2/0%2C2845%2C1154648%2C00.asp
• Corrected formatting/usage for http://www.kaspersky.com/faq?chapter=170710015&qid=173727547
• Added archive https://web.archive.org/web/20110512220132/http://www.stevelarkins.freeuk.com/bthomehub_softwareupgrade.htm to http://www.stevelarkins.freeuk.com/bthomehub_softwareupgrade.htm
• Added archive https://web.archive.org/web/20120929003659/http://www.support.com/blog/post/how-antivirus-software-can-slow-down-your-computer to http://www.support.com/blog/post/how-antivirus-software-can-slow-down-your-computer
• Added {{dead link}} tag to http://www.staysafeonline.org/blog/small-and-medium-size-businesses-are-vulnerable

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 10:44, 7 July 2017 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 2 external links on Antivirus software. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20090517083356/http://vx.netlux.org/lib/atc01.html to http://vx.netlux.org/lib/atc01.html
• Corrected formatting/usage for http://www.kaspersky.com/faq?chapter=170710015&qid=173727547

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 14:48, 3 September 2017 (UTC)

history: first implementation of firewall

first implementation of firewall needs to be included in history --Johnny Bin (talk) 00:15, 7 June 2018 (UTC)

I think that would be off-topic. Would it not be better at Firewall (computing), where it seems to already be? - Ahunt (talk) 00:17, 7 June 2018 (UTC)

Independent quality testing

"Although methodologies may differ, some notable independent quality testing agencies include AV-Comparatives, ICSA Labs, West Coast Labs, Virus Bulletin, AV-TEST and other members of the Anti-Malware Testing Standards Organization."

OK, they are notable. But are they trustworthy? --MisterSanderson (talk) 19:45, 9 April 2019 (UTC)

Years behind?

"Additionally anti-virus software is 'years behind security-conscious client-side applications like browsers or document readers', according to Joxean Koret, a researcher with Coseinc, a Singapore-based information security consultancy."

This isn't sufficiently clear! Is it saying that document readers and web-browsers are more secure than ani-virus themselves?--MisterSanderson (talk) 19:51, 9 April 2019 (UTC)

What he is trying to say is that anti-virus scanners are out of date technology in terms of being themselves well protected against exploitation. The ref says, "Anti-virus software is an ideal target for a would-be attacker, according to Joxean Koret, a researcher with Coseinc, a Singapore-based information security consultancy. “If you write an exploit for an anti-virus product you’re likely going to get the highest privileges (root, system or even kernel) with just one shot,” Koret told The Intercept in an email. “Anti-virus products, with only a few exceptions, are years behind security-conscious client-side applications like browsers or document readers. It means that Acrobat Reader, Microsoft Word or Google Chrome are harder to exploit than 90 percent of the anti-virus products out there.” I'll add that last part of the quote for clarity. - Ahunt (talk) 22:11, 9 April 2019 (UTC)