On the question of multiple engine antiviruses and the like

I have posted an explanation as to why I discourage the use of multiple engine antiviruses or antiviruses that try to be too much (and the same goes for other applications) in the Unthreat forums after seeing a (request?) post about Unthreat to become multiengine. I wish to know your opinion on this and would like to hear from you.

See post here: http://www.unthreat.com/forums/topic/435-antivirus-multiengine/

So you won’t have to go there and load the page, here is what I had posted:

It will be difficult to maintain a relatively low memory usage (especially during scans) with a dual engine antivirus. In addition, it would greatly affect performance which I suppose is the highlight of VIPRE and Unthreat.

While it is good theoretically to have two engines under the idea of two heads are better than one, I don’t believe that it will in any way increase security in real-life application. While engine A may detect what engine B cannot, in reality, what most engine A detects is also detected by engine B and vice versa. The small percentage of malware that can be detected only by either engine is relatively small and quite complex in nature, viruses that are rarely encountered given that the user is an average user, less so if security conscious and lesser still if an expert. Moreover, it poses problems concerning productivity and management of the application, particularly since using multiple engines posits the problem of seamless integration. The more complex a code becomes, the more it becomes open to bugs. Practically speaking, multiple engines are more of a want rather than a need.

It would be better, I think, to incorporate other modes of detection rather than engines of the same kind (signature+behavior+HIPS rather than signature+signature). And if it were to be insisted the need for multiple engines, I do believe that it is better perhaps to install two separate engines (one of course, designed to be such like Malwarebytes, Hitman Pro, Immunet or Spyshelter) rather than having them in one application because then, whatever problem one engine encounters will not affect the other. A completely independent engine is more capable of adding to protection than incorporating two or more in one application. This also allows for better memory management and productivity (no added startup time, chances of app crashes are reduced, memory usage is maintained, such and such), real second opinion (because you can create two log files and compare them or post them on two separate forums which extends the help that you can get and with both sides unaffected by the other so their conclusions will be genuine) and lesser risks of data loss (because if one application crashes and a reinstall is necessary, you would have had to configure the application again and at the same time, your system is open to threats during the span of time you were without protection).

In all practicality, it is better to have a single engine antivirus rather than a multiple engine antivirus or an embellished antivirus (I mean to say those with a lot of features trying to cover unnecessarily all “vulnerabilities” which causes the application to be a problem itself being too bloated, no longer catering to the needs of users, but merely to gain market share no matter how it’s put). We must understand that the concept of protection does not lie solely on the application itself but on the user as well. You can compare security products to a lifevest. You really wouldn’t have much need for it if you knew how to swim, much less if you were a sports swimmer and only truly need it if you are completely incapable of swimming at all. Just the same still, if you did not know how to use the life vest, it could fail miserably and drown the user, so it was designed to be as simple to use as possible. At the same time, you don’t add another lifevest to a lifevest in hopes of floating better. If you did, you would risk getting snagged, reducing your mobility, uncomfortability, risk your air pathways and so forth which, in any case, would reduce your chances of survival. You do add, however, things like a whistle or a small flashlight. Relatively small, but important additions. Not a churchbell or a lamp. While the latter does the same as the former, they don’t really fit the context for which the lifevest was designed.

To conclude, we don’t really need an all-in-one antivirus with multiple engines. We also have to look at the context for which an antivirus is originally designed for (that is to keep a safer working environment) and not overinterpret what it is (that is an all-encompassing application that prevents outside attacks, creating a utopian working environment for work and play). We have to appreciate simplicity. If this were a vote, I’d vote for no.

Have a look at this link.

I keep an open mind really.

Theoretically speaking, they are correct. But…

The success of these viruses is, to a large part, linked to the flawed logic and inherent weakness of protection strategies that are based on a single scanning engine to assess the threat of incoming files.

The use of multiple virus engines also enables security administrators to be vendor-independent when it comes to virus scanning,

no, not necessarily, because there is no guarantee that the engines you use will be in any way reducing the time.

it is never the same company that delivers protection the first.

Time differences may also occur that are not the result of the quality of the work or the competency of the lab, but reflect their geographic location and time zone related factors.

as you can see, there are other factors. This is just one of them.

The only effective way to assure the highest level of safety and security is by a multi-layered in-depth defense which can be achieved by using multiple antivirus engines.

A multi-layered defense is best achievable through blending different technologies. Not through a long similar list.

Furthermore, from time to time, erroneous antivirus engine updates might seep through since antivirus vendors are constantly trying to release updates as quickly as possible to combat an outbreak. Relying on one single antivirus engine will fail in such an event as viruses might bypass the erroneous single antivirus protection, whilst multiple antivirus engines will provide a backup

The more complex a code becomes, the more it becomes open to bugs. Practically speaking, multiple engines are more of a want rather than a need.

It would be better, I think, to incorporate other modes of detection rather than engines of the same kind (signature+behavior+HIPS rather than signature+signature). And if it were to be insisted the need for multiple engines, I do believe that it is better perhaps to install two separate engines (one of course, designed to be such like Malwarebytes, Hitman Pro, Immunet or Spyshelter) rather than having them in one application because then, whatever problem one engine encounters will not affect the other. A completely independent engine is more capable of adding to protection than incorporating two or more in one application. This also allows for better memory management and productivity (no added startup time, chances of app crashes are reduced, memory usage is maintained, such and such), real second opinion (because you can create two log files and compare them or post them on two separate forums which extends the help that you can get and with both sides unaffected by the other so their conclusions will be genuine) and lesser risks of data loss (because if one application crashes and a reinstall is necessary, you would have had to configure the application again and at the same time, your system is open to threats during the span of time you were without protection).

Multiple layers are used in all other forms of security It is unlikely that you will find an organization that relies on a single security guard or alarm system to protect its most valuable physical assets from a variety of different threats such as theft, vandalism, fire and natural disaster. Instead, there is a multi-layered defense that might consist of security guards, surveillance cameras, sprinkler systems and vaults – all of which have backup systems in the event of failure. An organization’s data, the most valuable asset of all, requires the same multi-faceted defense system and that can only be provided by multiple antivirus engines. You cannot afford to trust any other method.

True enough, but those systems do not use similar methods, but a variation of methods. (The whitepaper was talking about multiple signature based antivirus engines.) If one method fails, why on earth would you trust that method to work again?

Plus, it should not incorporate itself on one product because that would lead to multiple vulnerabilities and bugs. It’s not using multiple engine antivirus, but using multiple antiviruses that could help. Memory you say? That would be the fault of the software, not the user. The user’s less knowledgeable about software code. Decreased performance is a guarantee for using multiple antivirus engines, but the impact relies on the software not on the user.

Then, if one malware is capable of turning an antivirus off (which was a case a few years ago), then it would have taken out all other engines with it. But with two separate programs, the opportunity the white paper promised will be provided for. As I see it, that whitepaper is no more than an advertisement manipulating facts.

2 engines or any number of engines they can never provide protection like multi-layered approach with different technology. AV’s 2 or 10 they are not enough & the benefit is not much.

Multi-layered & innovative techology is the way. CIS 6 is the future.

Great feedback (:CLP)

It’s quite possible to have decent protection without any resident av.

Exactly.

Sure. I was talking about other 50% of population who just use firewall and av.

Oh sorry. I didn’t mean to sound too zealous. :-[

It still applies though. an av with multiple antivirus engine does not provide you the promised increase in security. the percentages remain the same. Only that the results vary simply because it’s a controlled environment. In the wild, anything can happen. If the av gets taken down, one way or another, all engines are taken down. It’s pointless. Two years ago Bitdefender came in our institution and I wanted to test something out. So I asked for some help. In a test laptop, we recorded a set of instructions that would terminate the antivirus. I won’t say what brand we downloaded, but after three tries, we were successful and the av was taken down. engines? since one failed, the others broke.

We tried it on bitdefender. After taking down Bitdefender, the virus couldn’t send anything and was blocked. Why? Threatfire was on. That’s a difference, don’t you think? That is my experience and why I’m not too fond of multiple engine antiviruses. Oh, and here’s another thing. The reason why I no longer run my signature-based av is this: a legit program can actually be used to confuse the system and cause a BSOD. One of those keyboard/mouse recording software that generates a portable *.exe file. Given the proper conditions, it can cause your system to reboot repeatedly. Portable programs are scary. Since then, I gained less trust in signature-based av’s and more for customizable HIPS and BB’s (but I’m still not running any; only a firewall and on-demand).