
There are many reasons why your new anti-virus scanner and anti-virus monitor package might not work right, might make your system run more slowly, or might make your system hang.

What follows is a checklist that you can print off and go through one item at a time.

First some definitions:

Anti-virus monitor/Real Time Monitor/RTM: The part of the anti-virus product that normally runs all the time checking files before they are executed (run). Some also check files before they are renamed, copied, displayed or edited.

Anti-virus scanner/On demand scanner: The part of the anti-virus product that runs on demand, or on a scheduled basis, and checks all files, or all files that have certain file types (executable files), for any virus, or for any virus that has ever been in the wild.

Email anti-virus scanner: An extra part of the anti-virus product that scans email and email attachments before they get to the email product (email viewer). Logically it sits between the real email server (at your ISP) and the email client (Outlook Express or whatever).

There are other parts to AV products, including the: control panel, updater, quarantine facility, and sometimes instant message attachment scanner, rescue disk maker, and reporting facility.

The checklist:

1. Usually you can only run, or have installed, one AV monitor at a time. AV monitors have "hooks" into the operating system that cause the AV monitor to scan a file before it gets loaded for execution (and sometimes before it is renamed, copied, edited, etc.).

When you have two AV monitors installed, these hooks can interfere with each other, causing the system to hang or slow down. (Also, it used to happen that one monitor would see the other monitor's signatures in memory and sound a false alarm.)

The solution is to disable one of the AV monitors.

If problems remain, uninstall one of the AV monitors.

2. If you are running an AV scanner from one company, it may be necessary to disable or pause the AV monitor, if the monitor is from another company, in order to avoid lockups. (If you are running an Internet-based AV scanner, you won't have lockups, but the scan will run faster if you disable the AV monitor.)

If you do this, do not work on the computer until the AV scanner has completed its work and the AV monitor is re-activated.

To avoid software conflicts, it is preferable and cleaner to completely remove the old AV product before installing the new AV product. Many AVs do not work well when another AV is installed.

3. Check that your system meets the minimum requirements of the AV package.

These requirements are usually on the box or on the website. Requirements usually increase with newer versions.

4. Run a utility to completely uninstall your old AV product.

Your old AV product may not be completely uninstalled by the standard Add/Remove Program function.

The website and support email of your old AV product is the first place to look for help on uninstalling the old product.

The website and support email of your new AV product is the second place to look for help on uninstalling the old product. Some vendors will email you an un-installation script for removing a rival's particular product cleanly, so you can use their product.

AV makers whose products don't uninstall cleanly using the normal Add/Remove Programs interface do make utilities that will remove most of these registry entries and leftover files.

Some products, like Norton Internet Security, have both an AV part and a firewall part. They may require 2 or 3 utilities be run to remove all the components.

Be sure to get the removal utilities for the exact product and version of your old AV, and for the particular operating system version you are using. Read the instructions on the utility download page top-to-bottom before starting.

Symantec Knowledge Base:
»www.symantec.com/search/

Removing Norton Anti-virus:
»service1.symantec.com/SU ··· _sch_nam

Removing Norton Internet Security:
»service1.symantec.com/SU ··· _sch_nam

Removing Norton System Works:
»service1.symantec.com/SU ··· _sch_nam

McAfee Support:
»ts.mcafeehelp.com/default.asp

Removing McAfee VirusScan:
»ts.mcafeehelp.com/defaul ··· 1024x768

Panda Software Support:
»www.pandasoftware.com/

If you still have problems:

a) Manually rename directories and files for the old AV that are no longer needed. (I put xx at the front of the name, and a few days later run a search on xx* to find things to clean up.)

b) Download and install SpyBot S&D (see the Security Software Updates topic at the top of the BBR Security Forum for a link).

c) Update SpyBot S&D.

d) Backup your entire registry (or in XP create a System Restore Point):

- How to back up a registry:
»service1.symantec.com/SU ··· _doc_nam (XP, 2000, NT, Me, 98, 95)

- To create a System Restore point in Windows XP, go to Start / All Programs / Accessories / System Tools / System Restore. Select "Create a restore point" and click Next. Type in "Removing AV registry entries" as the name of your restore point, and click Create. Wait a minute while the restore point is taken, and click Close.

e) After backing up your registry, run a scan with SpyBot S&D.

f) Now you have a choice. Either:
(i) Use SpyBot S&D to remove the registry entries for parts of the old AV product that no longer exist (do not change other registry entries at this time) -- OR --
(ii) Make a note of the registry entries and email the support for your new AV product asking for their advice (they may write a script to remove them for you, or they may tell you the entries don't matter).
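
One way to make the note of leftover registry entries described in f(ii), reading the registry backup from step d instead of touching the live registry. This is an added example, not part of the original FAQ; the product name "OldAV", the sample export and all function names are assumptions.

```python
import re

# Constructed sample export; the product name "OldAV" and every path are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OldAVTray"="\"C:\\Program Files\\OldAV\\tray.exe\" /min"
"Printer"="C:\\Windows\\spool.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtmon]
"ImagePath"=hex(2):43,00,3a,00,5c,00,4f,00,\
  6c,00,64,00,41,00,56,00,00,00
"Start"=dword:00000002
'''

def load_reg_text(raw):
    """Regedit 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value in a .reg export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith("@="):
            yield key, "(Default)", line[2:]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            yield key, name, data

def decode_data(data):
    """Turn string and string-typed hex values into readable text."""
    if data.startswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    m = re.match(r"hex\([127]\):(.*)", data)
    if m:  # string types written as UTF-16LE bytes in 5.00 exports
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return raw.decode("utf-16-le", "replace").replace("\x00", " ").strip()
    return data

def find_leftovers(text, product_pattern):
    """Return (key, name, data) rows that mention the old product anywhere."""
    pat = re.compile(product_pattern, re.IGNORECASE)
    rows = ((k, n, decode_data(d)) for k, n, d in parse_reg(text))
    return [r for r in rows if any(pat.search(field) for field in r)]
```

For a real backup, pass `load_reg_text(open(path, "rb").read())` to `find_leftovers`. The service entry in the sample is found only because the hex-encoded path is decoded, which a plain text search of the export would miss.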

5. Run the updates and check for new versions of your new AV.

Most (all?) AV products can update the virus signatures completely automatically. And most can update significant parts of their programs automatically. But some require manual downloads to update to new versions or to make major updates to the version you are licensed for.

So visit the support section of your new AV maker's website to ensure that you have the latest program updates. They may cure your problems.

(See the Security Software Updates topic at the top of the BBR Security Forum for a link. For Kaspersky check here: »www.kav.ch/ )

6. Scan for disk corruption.

From Windows Explorer, right-click on the disk drive, select properties, select tools, and check for errors. (Do not normally select recover damaged sectors.)
»support.microsoft.com/de ··· ct=winxp

7. Reinstall your new AV.

There may have been a system problem or conflict while you were installing your new AV product. Re-installing your new AV product, and re-updating it, should cure this kind of problem.

8. Don't run test versions of things.

If you are running a test version of the AV package, or your operating system, or something else, there may be compatibility problems. Finding compatibility problems between different versions of products from different vendors is the main reason for running public tests.

If you are running a test version, you are in the test program. Be sure to let the vendors of the test product (and in later test stages, the vendor of the other product) know you are having a compatibility difficulty so they can address it.

9. Use other tools to check for malware.

Some malware waits until there is no AV monitor running to fully deploy. This type of malware can come to life during the gap between disabling your old AV and getting all the updates for your new AV.

Or, if you just upgraded your operating system, you may have gotten infected because your system wasn't patched or behind a firewall when you first connected to the Internet.

And some malware particularly targets AV, anti-trojan and firewall products, shutting them down, or leaving them running in a disabled state.

10. If none of these things resolves your problem, post your details, including operating system, old AV product, and new AV product in the BBR Security Forum, and ask for help.

Follow the checklist here:
/faq/8428

Other Links:

The EICAR anti-virus test files (you can use these regularly to test that your AV is working):
»www.eicar.org/anti_virus ··· file.htm

Anti-Virus Product Developer Index:
/faq/3128

How to restore a registry:
»support.microsoft.com/de ··· duct=w98
»support.microsoft.com/de ··· ct=winxp
»service1.symantec.com/SU ··· _doc_nam

System Restore in Windows XP:
»support.microsoft.com/de ··· ct=winxp
»support.microsoft.com/de ··· ct=winxp


by keith2468
last modified: 2005-02-26 16:05:08