Antivirus Software- A "how to pick" for the slightly nerdy user

Disclaimer: By using this tutorial, you are not necessarily going to be given the absolute best protection possible. What this guide will walk you through is how I personally pick out the best performer for my personal picks of antivirus software. I don't hold any real tie to a single AV, as a user or otherwise. Also, it is advised that you use multiple sources, if you want the absolute best pick of AV software. I like to use AV Comparatives (referred to as AVC) due to their comprehensive reports that are openly posted, as well as their interactive chart that makes some things easier to see for the layman. As always, use this tutorial at your own risk. How you use your AV software will determine how well your AV software performs, and can overthrow the lab test results in real-world scenarios. Ultimately, YOU determine how well the best AV software works, and how well it protects you. However, this tutorial will help you find the most reliable AV software, based on AVC's test results.

Disclaimer 2.0: This tutorial is for those who are willing to spend a little time reading lab test results, skimming for the juicy facts, and applying them to a more realistic scenario for the reader/user. This tutorial is not for the faint hearted. Numbers, maths, and fancy language is used!


Okay. So you want to find the best performing AV software around? Well, while there may be a lot of people telling you which one is better, and which one has the best interface, or which one has a better ad blocking software, all of these people have different criteria for "the best." My criteria for "best performer" is purely based on lab testing, and nothing else. If you want to pick the prettiest, most appealing software, this tutorial is not for you. This tutorial is to help you find the best real world protection possible, with minimal false positive results, and keep as much of the malicious blocking automated and out of your reach. User interference can lead to more problems, and this means that software that gives you more choices to block/allow a possible threat gets nudged aside... almost. If you want clarification, just ask. Ready? This will not be a five minute job.

First off, visit this website- AV Comparatives. Have a look around at the Comparatives section, and get a little familiar with the layout of where things are. I'll use some links, but this way you can find everything better on your own; either during this tutorial, or in the future.

Next, I want you to navigate towards the "Real World Protection Tests" page, and click on the graphic with the graph on it. Under the graph, it says, "Monthly Results." This link will be a nice, basic workhorse to get started. Now, let's dive into the fun facts, and start weighing pros/cons and making some decisions. I'll give you my 2 pennies where it's personal choice, but stick with my guidelines if you're unsure where you should draw a line.

Time for work!

So, once you have the interactive graph opened up, make sure it's displaying the latest results for Real World Protection. Once that is verified, click the drop down menu labelled "Sort," and select "by value." Make sure this is how the graph remains for each graph we look at, as it will make this process much easier. Personally, I tend to change the view of the graph by clicking the zoom feature, and selecting "80-100%" when available. Do what you like, though.

Now, here's what I normally do. Write down/make a mental note of every AV that maintains a protection rating of 98% or higher, and disregard the rest. From there, look at the bottom of the chart at the yellow points made in the graph. These represent false positives for both domains (ie: web pages) and files being downloaded/installed, which are blocked wrongly (ie: they are not malicious, but still flagged). This is explained in more detail in the PDF copy of the report (on the Real World Protection Tests page). From the names that have a protection rating above 98%, I tend to ignore any software that has a higher false positive score of 5. Depending on when you do this, there may/may not be a single software with that low of a score. If that is the case, try to keep the false positive limit as low as possible. As a personal rule, for the current numbers reported, I go for a maximum of 3. That keeps your likelihood of false positives very low, and more likely that you'll not encounter a problem when your AV is installed. After you've narrowed those down, focus on the yellow parts of the graph; these are "user dependant" threats. The yellow bar represents the percentage of threats that rely on you to categorise them as harmful. My personal rule is to limit that to zero, if possible. I do consider some AV software that has up to a 1% user dependency rate, however. Cross off software that breaks the 1% threshold, and you're done with this graph.

So, to recap, make note/write down all AV software that falls into these categories: above 98% detection rate, under 5 false positives, and under 1% user dependent protection. Once you have that, click the drop down menu marked "Test," select "Heuristic Behavioural Test," then select the latest test using the drop down menus. Here, we will basically cross reference with our previous list, comparing it to the results of the heuristics testing. If you need a little explanation of what a heuristics engine is, read the 'Description' (section 2) in the latest report on the "Heuristic / Behaviour Tests" page. This will explain what results you're looking at.

For heuristics testing, I'm willing to be lenient on poor protection, as long as all scores are relatively low. However, I typically want the heuristics engine to block 80% of threats at the bare minimum. At the time of writing this, many antiviruses are not present in AVC's heuristics testing. If you have any software in your list that is not on this chart, it is up to you to skip past this step, or discard the software not included in this testing. Personally, I like a strong heuristics engine, so I'd recommend scratching out any names not included in the testing. If you want to cross reference with other AV testing labs, you'll need to be cautious of the criteria used. Now, once you've narrowed down your selection again to an 80%+ protection rate, scratch off the names of software that do not make the cut (according to the graph).

The next graph you want to cross reference with is the "Performance Test." Again, use the drop down menu to select the test, and your latest test results. This graph is more or less going to give you an idea of how much resources it will take to run your AV software; therefore, comparing these scores is more or less speculative. As a personal guide, I use Bitdefender as a baseline. It's one of the lightest weight AVs I've used, and that software has been recurring on AVC's testing. For me, any contenders on my list must be at, or below, the same score as Bitdefender. Depending on your computer, these scores may not be extremely relevant. For this test, I usually say, "When in doubt, beat Microsoft!" If it's below the MSE (Microsoft's out-of-box antivirus) baseline comparison, you'll probably be okay for overall computer performance. Again, cross reference your list of acceptable software, and mark out any poor contenders.

Next up is the "False Alarm Test." Again, use the drop down menus to select the latest test results. For my personal uses, I tend to stick with a score of 10 or below. I have many reasons for this particular number, but it is always negotiable. At the most, I would probably allow 15-20, though that would be a stretch for my personal comfort. Once again, cross reference your list, and knock out any poor contenders. At this point, depending on when the tests were done, you may have between 1-10 AVs to choose from, depending on your personal criteria. The next part gets much more involved...

The Dirty Work

Now, it's time to dive in deep, and start looking at the gritty details behind what we have left on paper. At the time of writing this, my current list would contain: Bitdefender, Kaspersky, ESET, and Tencent (if you skipped the heuristics test). To help aid in explanation, I'll be linking some test results that are current AS OF WRITING THIS. If you're reading this in 2016, or later, I recommend you recreate my examples with the latest test reports. With that out of the way, let's continue.

For this examination, we are going to navigate our way to the "Comparatives" section of the website (easily found via the homepage). Once on this page, click "view" for the "False Alarm Tests." Open up the latest PDF, and navigate to page 2 (first one after the title page). Here, you will see a colour scale. Read the text regarding this chart, and stop reading once you get to the first set of results. Once you are somewhat clear with the colour ranking system, start looking for the names remaining on the list of AV software you created earlier. This is where we cross off the last few names, if any. Here, you want to look at how many false alarms were generated, and weigh the pros/cons of each one. For a personal rule, I tend to allow up to 5 false alarms that go beyond a "level 3". For total false alarms, I will typically say no more than 20. This will be very dependent on your computer use, so be sure to pay attention to what causes these false alarms.

Here, I'm going to use a screenshot of the latest report for Bitdenfender, just to make some points.

BD_test_results.png


In this example, Bitdefender has three specific level 3, or higher, false alarms. These three are packages from CrazyTaxi, Google, and Poker (unsure if that's a generic package name). You'll also notice two packages highlighted in red. These packages were digitally signed, and therefore should not be flagged as harmful. Personally, I don't like to see any red entries on this test. However, depending on where the package originates, I may or may not care if the entry is red. Personally, I don't mind if these two red entries are flagged by my AV, so I will ignore that. If you do care, then take that into consideration with each test result you look at.

When looking at the level 3+ entries here, you'll notice that two of them relate to a game. Personally, I don't play online poker, so I am not put off by that. CrazyTaxi is another game I'm not interested in. Google... I don't like Google as it is lol. So, in this instance, we have practically nothing really worrying that catches the eye. However, under level 3, we see some interesting entries. If you want to know what they are, then please feel free to use Google (and block their cookies too, just as a fun rebellion for Bitdefender!). If you see nothing that looks familiar, then you probably have nothing to worry about. Use a little common sense, do a little research, and figure out if these false alarms will cause any disruptions in your daily use. Most likely, having about 10-15 entries under a level 3 is probably not going to be very detrimental. When you break that threshold, and have either a high number of entries over a level 3, or upwards of 20 entries under a level 3, you're much more likely to run into some issues at some point.

Now, here is where I start making some good reasons to look here... Tencent has a few interesting entries.

Tencent_test_results.png


You'll notice that Adobe (very common software brand), Avast (the antivirus), and OpenOffice (known for being the free alternative to Microsoft Office) all have entries for false alarms. Depending on the software you use, and how you use it, these may cause some issues. For example, if you previously had Avast installed on your computer, and you now are running Tencent, there's a chance that some remaining bits of Avast might be considered a virus. There's also a chance that running Tencent with Avast still installed will cause the same problem. Also, because Adobe and OpenOffice are there, there's a good chance some of these products might be recognised as harmful. While the latter two are considered a level 1 (very few people will likely have these packages installed), if you're one of those unlucky people, this might be a problem. Also, to add a little sceptical speculation, who's saying that an accidental block of this supposed "threat" won't cause any problems to your programs? This is the kind of careful consideration you need to take before buying your AV software, and making that commitment. Some people have a lot of software they use daily, and rely on it to work flawlessly. If you are one of those people, take these kinds of false alarms into consideration.

What you do need to understand is that I'm not here to tell you not to install an AV because of a single false alarm that's related to your daily use. I'm also not trying to say you will be that unlucky person who blocks something, and everything stops working. I'm simply showing you the information, and explaining possibilities. How you mitigate these risks is up to you. Personally, based on my daily computer use, I'd avoid Tencent based on this information. I'd rather not take a chance, and I have three alternatives without this kind of false alarm.

Of the three AVs left on my list, I now have Bitdefender, Kaspersky, and ESET. From this point, I would recommend looking at the pricing, seeing which user interface suits me, and start browsing through various reviews on ease of use/etc.. After that, shop however you like, and stick with your selected AV software for at least a year. If you develop problems with your AV, I always recommend contacting the software company directly, and trying to be very thorough with your issue. They are going to be the most likely people to help fix your problems. If that fails, well... you know where else to post a question.

Sit back, and relax. You made a choice!

There you have it! That's how I would choose an antivirus! Sure, it's a little bit lengthy of a process, but it gets you engaged, aware of what is happening on your computer. It also keeps you more informed about what your AV software is doing, albeit only slightly. When my subscription to Webroot has ended, I'll be using the same criteria to select my next full time AV. Is this the perfect solution? Absolutely, positively, NOT. This is my criteria, and it's going to be different from many other users. I have found this to be the best method when I finally found AVC's website, but that is for my recommendations only. After a few months of toying with it, debating test results, and helping a few people understand my significantly higher standards for an AV, when compared to more "average" users (due to my personal education and more extensive computer use), I figured I'd try to make the AV selection process seem a little less daunting. Yes, this is lengthy. Yes, there is some work involved. Yes, I do believe this should help you find the best protection for your computer, with the least amount of user error possible, and the least amount of false flags/false alarms. Just remember one thing: every user experience is going to be different.

If you have any questions, please ask! If you have any points you'd like to debate, I'm very open to that. I'm happy to update this, should it need a revision, as I've been heavily involved in computer security for many years. While most of my experience is not directly related to antivirus programs, I think this kind of guide should be taken seriously by those who truly want a quality AV on their computer.

Thanks for reading, and hope this helps you pick out your next antivirus. Remember, this is picking an AV purely on overall protection, based on publicly published lab test results, and nothing else!