In association with heise online

The correct usage of antivirus software

In our link section, we provide a collection of links to antivirus software. The speed at which vendors provide signatures for new malware is a key selection criterion for such software. Relevant numbers can, for instance, be found in the tests conducted by c't magazine. It is important to adjust the software settings to ensure that it checks for new updates and downloads at least once a day and installs them correctly.

Basically, antivirus software distinguishes between two scan methods. To conduct an on-demand virus scan, the user must explicitly instruct the program to examine the computer; this can also be done at predefined times (via a scheduler). The fully automated on-access scan is executed as soon as files are accessed, such as when an email is opened, and so forth.

One important factor to ensure the efficiency of the antivirus software is its configuration. Some scanners have default settings that do not examine all file types. Users should check their settings to find out if compressed files (.zip, .rar) and less common file types such as .scr (Windows screen saver) are also examined. To be on the safe side, users should test all files regardless of their file type.

What to do if a virus has been found?

If malware is detected on the computer, antivirus software usually offers various options. While viruses in emails should simply be deleted, viruses on the hard disk should be handled with more care. Most products offer a quarantine option that allows users to recover files that have been deleted by mistake and this should be the preferred option, rather than deleting the files. A workaround would be to rename files, for instance, by changing the file extension. If an infected file, which may for example have been received by email, has not been executed or opened, the computer is clean again once this file has been deleted. To ensure system health, users are advised to perform a complete scan of the whole system.

A signature might also include harmless programs. If users suspect a false alarm, they are advised to get a second opinion by loading the respective file into one of the free scanners available online. If, for example, Virustotal reports that all other scanners mark the file as clean, there is a high degree of probability of a false alarm. In most cases, vendors remedy such errors with the next signature update.

Once malware has been activated on the system, for instance because a mail attachment with an unknown virus has been opened, it must be separated from the network immediately by unplugging the network cable. This prevents further dissemination of the malware and downloads of other damaging routines. If the evidence is clear, it may even be advisable to unplug the power cable immediately before the virus can do even more harm.

The infected system should not be restarted, but booted by means of a clean emergency CD to secure key data and files. The best solution would be then to reinstall the compromised system, since this is the only way properly to ensure that everything is safe again. If this is not a viable option, users can test and clean the system from an assured and clean CD such as Knoppicillin or Bart PE.

It is not advisable to boot the infected system itself to clean it with the installed antivirus software. If users do so, despite all warnings, because this is the easiest way, they should at least boot Windows in safe mode, which can be selected by pressing the F8 key during start-up. Under Windows XP, you should also disable the automatic restore system option in the desktop properties window. With such rescue attempts, there is always some remaining risk since part of the infection may not have been eliminated.


  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit