PrivacyExprt
join:2010-09-29
Longwood, FL

2 recommendations

PrivacyExprt to Mele20

Member


Re: Your opinion about running 2 real time AV/Antimalware

Comments based on what I know so far in testing/evaluation: you are making some assumptions that are incorrect, and I will explain why, but I am short on time and might have to come back to this later.
said by Mele20:

It is supposed to work with other antimalware programs. It is inferior to ProcessGuard because PG, even after I allowed the installation, keeps blocking it from modifying explorer.exe and other things. If it was a true classic HIPS then it would be ducking it out with PG. Instead PG has full control over it. They are not working with each other.

The reason for this is that WSAE will take a 'backseat' to another security product, in effect remaining silent until the other product cedes control of the threat. For example, if you have KIS2012+WSAE installed and KIS2012 grabs the threat, WSAE will remain silent. This can 'seemingly' make it out as not being effective, but if you disable KIS2012 and repeat the same thing, WSAE will take over the threat. If you RELEASE the threat from KIS2012, WSAE will acquire it and deal with it. PG has full control because it is being ceded full control; this is by design from what I can see, and what some technical sheets say.

said by Mele20:

It also conflicts with the Proxomitron. I had to completely disable the Web shield (as I would with any AV that has that). If I tried to chain it to Proxo as a second proxy, it would kill my ability to surf (would cause a tremendous slowdown). So, now it yells at me because I disabled that shield.

No need to have both of these doing the same thing. But I suspect they haven't added exclusions to that product. You could try manually adding exclusions.

said by Mele20:

Right after I installed it, before I had a chance to examine any settings, or exclude things such as C:\System Volume Information from the Real Time or On Demand scanners, it tried to do a full scan of the computer! That is a TOTAL NO-NO. This program is ONLY for ignorant of computers users. Any knowledgeable user would want to set up all parameters, etc. before any scan takes place. I did keep it from scanning initially but it now yells at me about that.

That's good, it's supposed to scan. It takes 2-4 minutes to scan an entire PC, how is that a bad thing? Personally this just blows past so fast, it's a non-issue. Emsisoft, and many other products conduct a scan immediately on installation. Seems normal to me.

said by Mele20:

I won't ever let it do a full scan because once I examined all settings that could be configured, I learned that one CANNOT PROPERLY CONFIGURE the scanners. There are no options for block and ask user what to do. That is the only acceptable setting on an AV. Webroot insists on automatically quarantining anything it finds!

You are missing the point. IF it finds something, it places it into MONITORED mode, which then allows you to 'allow/deny/remove/block'. This is actually superior to normal AV's in my opinion because the threat is tossed into a sandbox immediately, not impacting the system at all until a decision is made. What's wrong with this method?

said by Mele20:

Yes, it has the ability to allow the user to ADD to the exclusions section a SPECIFIC FILE BEFORE THE FACT ONLY. That is unacceptable. It takes way too long to add all the files, plus, adding like that does not solve the problem of Webroot automatically quarantining any new "threat" it finds!

Not true, once a threat is found, if you 'uncheck' remove, you can then declare how to handle the threat. It's placed in monitor mode simply because it was discovered. I feel this is a superior method simply because REGARDLESS of what the user clicks, it's still in monitored/protected mode BEFORE they make that final decision. The decision windows aren't evident, perhaps you missed them?

said by Mele20:

Webroot has an extremely high false positive rate.

I haven't had one FP yet, but it's early. I will see after a month or two of testing. So far so good, with heuristics maxed.

said by Mele20:

An AV that does not allow for Block and then ask user what to do is a poor AV for those who are not ignorant about computers. With Webroot's high false positive rate one has to be suicidal to install it since it has no way to safely configure what should happen when malware is found.

But it does do this, you missed it! As I said it simply tosses a threat, or potential thread into monitored mode. If you click the dialog, you get options to allow/block/remove/monitor. But once detected, it's now setup to allow it to run, but it is sandboxed for safety. This doesn't negatively impact it, but allows it to be rolled back to remove infections.

said by Mele20:

Then there is all the cloud stuff. I don't use things that are in the cloud. I also don't like it bugging me to set up a cloud account so I can check the status from the cloud.

I hate this too, thankfully you can disable it notifying you of this. I haven't seen it since installation. No more nags, but the cloud aspect is still fully functional.

said by Mele20:

It's not worth $40

I actually paid $29 per 3 PC license for the Essentials version. Some nice links out there with coupons!
Mele20
Premium Member
join:2001-06-05
Hilo, HI


No, it is not taking a back seat to ProcessGuard because there is no "threat" except WSAE which keeps trying to modify Explorer.exe and ProcessGuard blocks it. PG, until I tell it otherwise, considers what WSAE wants to do to be a "threat". My point, which you missed, was that if this is so great an anti malware product then it should be fighting with PG for control. Yeah, I can avoid the fighting by telling PG to allow WSAE to modify explorer.exe but I am not impressed by programs that can't stand up to PG. As far as I know, there are NONE that can. WSAE would have to hook the kernel at ring 0 and start earlier in the boot process than PG to have control over PG and the computer. PG starts extremely early in the XP boot process (I can see this from booting while using Bootlog XP program).

As for Proxo, you cannot add exclusions for a local proxy. The only way ANY of these Webguards/shields/etc can work with Proxo is for me to CHAIN Webshield to Proxo so that after Webshield filters then Proxo will filter. That means unbelievable slowdown in surfing. Plus, I don't need a webshield as everything on the web is being filtered by Proxo and it kills web bugs, defangs malicious iframes, places toggle switches on Java and Flash Player so they cannot start automatically, kills all ads so no worry about infections from ads, and a lot of other things. I just need an outstanding real time scanner and on demand scanners. I don't need any gimmicks which is what the majority of AV programs today are made of primarily.

It is very poor practice and AGAINST MICROSOFT RECOMMENDATIONS that any AV immediately perform a scan after being installed and before the user has a chance to exclude such folders as System Volume Information. I rely on System Restore and Microsoft warns that AV should NEVER be allowed to scan System Volume Information folder because if it finds a virus and deletes it then ALL restore points are RUINED. Maybe it is different in Windows 7, I don't know because I still use XP. If I had allowed it to run a scan at first startup, it would have found "viruses" in System Volume Information folder because I have a bunch on the computer and they are not encrypted. It would have ruined System Restore. I don't ever run a full scan. I have no viruses running on the computer but I do have files of viruses. Besides, with its high rate of FP's it would find a ton of those I am sure. Avira, when I got it in Jan 2007, (and it was the last time I ran a full scan on this computer) found 45 viruses. They were all FP's. I don't know what WSAE's policy is on such things as key finders. Avira will flag them as viruses because Avira wishes to play moral policeman (this is even after it partnered with ASK toolbar sleazeware) and doesn't believe there is any legit use for a key finder. Anyhow, there are many reasons why I don't run full scans. Trying to put all those "threats" into exclusion folders is a hassle.

A threat is nothing UNTIL it executes. Why would a threat that has been found need to be thrown into a sandbox? That is unnecessary hoopla designed to impress the ignorant of computer users and make them feel safer. There is no danger until execution, but AV have always tried to mislead users in this regard. As long as the AV blocks access, which it should do by default, when it finds a "threat" then there is no need for any other action. Avira is set to block access each time it "discovers" or "rediscovers" a "threat". Nothing else needs doing. Besides, Process Guard would not allow the threat to execute. I would have to expressly tell PG that it was ok for that executable to execute and I would not do that.

You are forgetting about the high false positive rate if you think there is no potential problem in monitoring and throwing in a sandbox anything WSAE thinks is malware. What if it throws a critical Windows file (or maybe 100 critical Windows files) into a sandbox for monitoring before you can stop it? You now have a crippled computer. Maybe the risk is worth it for the ignorant of computers users but for more knowledgeable users there should be a setting so that the user has full control which means WSAE does nothing except pop up right in the user's face...not a tiny unreadable box in the lower right corner of the screen ...a box that says "xxxxxx is abctrojan.exe" what action do you wish to take? At this point if this is a false positive on a critical Windows file nothing at all has happened so your computer is not being wrecked by your AV program. You make your choice and, if a critical windows file, I would choose "ignore" or "block" and then I would turn off the AV and submit the file to Virus Total, Jotti, etc. before deciding what to do next.

But the reason it wasn't finding a threat was because I had not allowed PG to allow WSAE to modify Explorer.exe. I allowed that and then I went to a file that is "malware" (a proof of concept that is detected now by all AV - dll.dll) and did a right click on demand scan of the file. It is very fast scanning which is nice but not essential. So, I finally got to see the "remove" box and window. I unchecked that and then it now thinks the file is safe! That is ridiculous. I want it to alert on that file EACH time and then I will decide what to do. There is no setting for this. There is for Avira 8 and 9. Avira 10 changed everything and many old-timers left the program at that point or continued to use the older, better versions of Avira. The way WSAE is set up reminds me of Avira 10 (12 I suppose also but I can't test it because it won't run on XP Pro SP2). There is too much clicking as the menu should be provided immediately. There is no "Ignore" setting. That is the setting I want. Ignore for now in other words but alert again later or ignore until reboot, or ignore for x number of minutes, etc. There should be some kind of "ignore" setting.

It didn't throw the file into a sandbox. What are you talking about? Infections occur after an executable is on the computer and ONLY when it is allowed to execute so I don't understand about "threads" - oh, I guess that was a typo and you meant "threats" - but still why would it put this file sitting on my computer into a sandbox when I told it to scan the file? That makes no sense. The file is not doing any harm. It is only if I decide to allow it to execute that harm may occur.

It appears to be mightily confused. Since I chose "allow", if I rescan the file it says no virus found, BUT then a few seconds later a slideup states that a virus has been found! That is both absurd and dangerous. There needs to be an "ignore for now" setting! THIS SERIOUS PROBLEM ALONE WOULD MAKE IT IMPOSSIBLE FOR ME TO USE OR RECOMMEND THIS AV. I think this AV is only for ignorant of computers users as there are no advanced settings and it works ok only if you leave it at default settings which are settings for those totally ignorant of computers.

Another question is why does it NOT alert IMMEDIATELY upon opening Explorer and getting anywhere near the infected files? I can put my mouse right on the file and it won't alert! I have to right click and choose scan with WSAE for it to notice there is a threat. I scanned a second infected file and it did the same weird thing: I had to choose allow because I don't want it deleted nor do I want it monitored and there is no ignore. A few seconds later, there was an alert slide up saying the file is infected. But when I went back and rescanned it because I told it to allow WSAE found nothing. However, a few seconds later, I got a second slideup saying it had found a virus in that file. This is dangerous and ridiculous. It can't make up its mind and it has bad settings since there is no Ignore. Plus, I don't understand the monitor thing. Why would I want a file "monitored"? Either I have a virus or I don't. There is no reason to "monitor" the file. If later, the virus definitions/heuristics/in the cloud whatever detect a virus but they don't now...well, my goose is still cooked if I believe the scanner that says the file is ok and then I let it run and get infected. How does "monitoring" make a difference in that hard fact?

I can't see where one would change the "allow" either if I were to change my mind. The Help file is one of the worst I have ever encountered. It requires you be online to view it (I HATE that sort of help file but there are a lot that are sloppy like that these days). I don't want a help file opening in a browser. It should be downloaded to disk and open on the computer. Plus, the help file when clicked on the ? does NOT open to the section where you clicked the ? Avira's opens directly to the help section that you were on when you clicked the ? With this help file, you have to stumble all over trying to find where the help is for the question you have!

The Help file is in an extremely tiny font, as are portions of the main GUI for WSAE. I can't read the settings for the modules without using a magnifying glass. My reading vision is perfect now so it is not "bad" eyesight. Somebody just really goofed with the font size both for the main GUI and the Help file. (They need to take a lesson from Avast 5 or 6 - don't know about 7 as I haven't tried it - as the Avast 5/6 Help file and configuration screens, etc. are the best I have ever seen for any AV and the font is a nice size, not tiny and unreadable). Anyhow, I can't find where I look on the GUI to see the last file scanned or where to change a decision like "allow". I did find, yesterday, where it is that you add exceptions for the scanners, but I can't find it again now. It is so painful to try and read that ultra tiny font they use that I won't look further. Besides, that help file displays in a grayish font, not crisp black, which may be because it is on a virtual machine running on VMWare Workstation 7. Surely the font is dark black on non virtual machines! Tiny font is bad enough but grayish instead of dark black makes it even harder to try to read.