The Anti-virus Times

Tuesday, August 29, 2023

The market offers an array of anti-virus programs. Indeed, users definitely have much to choose from: there exist both free products and comprehensive solutions designed by domestic and foreign vendors. Before buying, many people study the results of various tests and assess which anti-virus in the list detected more malicious samples. These tests don’t show the real effectiveness of digital defenders, but it’s noteworthy that often every anti-virus misses a certain number of test files. In this regard, some users may think: what if I install several anti-viruses on my computer to neutralise the maximum number of viruses? After all, if one anti-virus fails, the second one will certainly "protect", and if the second one for some reason misses the threat, then the third one will surely save the device from infection. In today's issue of the Anti-virus Times, we will recall why installing multiple security products is a bad idea, and at the same time, we will find out what the exceptions to this can be.

So, you've decided to install two fully functional anti-viruses. Here we'll acknowledge straightaway that it is not always possible to do this, but let's assume that you’ve managed to. Each anti-virus is a complex program that simultaneously interacts with the operating system at several levels, the lowest of which will be the OS kernel level. For their work, both of them need to get a certain amount of system resources and install their drivers in order to intercept Windows system functions and have access to files for scanning. Also, each anti-virus will try to control the launched programs and services, the created processes, and, of course, the network connections. At the same time, each product will have a completely different implementation, and the "structure" of anti-virus software is very complex.

As a result, the situation will arise when the two programs will try to access the same Windows functions, and when that happens, this OS won’t be able to parallelise operations so that the two anti-viruses interact correctly at the same time. In the best-case scenario, this will slow down the computer and reduce the protection of the entire system. In the worst-case scenario, various software failures can occur: from the network becoming unavailable to the OS not being able to load normally.

You've probably heard stories of two downloaded anti-viruses in a system that conflicted with each other and tried to remove each other. Such a scenario is possible, since from a technical point of view, the correct operation of one anti-virus will be perceived by the other anti-virus as malicious behaviour. This is due to attempts to intercept system functions and gain access to the OS kernel, which at the same time should be under the protection of both programs. Of course, anti-viruses cannot show each other "a pass card" and decide which of them will interact with the digital environment and in what order. Therefore, two working defenders will almost certainly “delight” you with frequent false positives. However, as mentioned above, it is not always possible to simply install two anti-viruses into a system. It is highly likely that the installer will detect the presence of the other anti-virus and ask you to uninstall it in order to continue. That is why when you install a third-party anti-virus solution, the built-in Windows Defender will be disabled and transfer its authority to the new performer.

In general, experiments with the installation of multiple anti-virus programs can lead to unpleasant surprises in a system’s operation. First, every self-respecting anti-virus has a self-protection option. Second, some programs can leave a certain amount of digital residue, which, at a minimum, clogs the system, and at a maximum, prevents the installation of another anti-virus or completely interferes with the normal operation of Windows. When two or more anti-virus programs are operating simultaneously, it is very difficult to predict how the self-protection will behave and what amount of residue will remain after one of them is removed. Therefore, almost every anti-virus has a special utility for complete removal that is downloaded separately. However, even it is not always a panacea. For example, after one well-known free anti-virus is removed, some folders containing files and drivers of virtual devices remain. Another similar case occurred with one system administrator with the very same product, whose files ended up being damaged by malware. It could not be permanently deleted since the uninstaller reported on the changed files and stopped working. At the same time, a special utility detected the uninstalled anti-virus and required that a standard uninstaller first be run. Meanwhile, the self-protection mentioned above blocked the manual deletion of anti-virus files. This resulted in a vicious circle that could only be broken after a great deal of mumbo-jumbo.

In general, in order to avoid this, it is better not to try to make two or more anti-viruses co-exist on friendly terms in one system. But there is good news for those who want to maximise the protection of their device. We’ve already mentioned "classic" anti-virus programs that generally work according to the same principle. But there also exist auxiliary solutions that work perfectly as an addition to the main protection. One of these products is Dr.Web KATANA — a non-signature anti-virus that does not conflict with its "colleagues", even those from other vendors. Dr.Web KATANA specialises in detecting and neutralising unknown threats and uses behavioural analysis technologies to do this. Therefore, even if your main anti-virus is not working properly for some reason, Dr.Web KATANA will neutralise threats without interfering with the work of the other defender. And don’t forget about Dr.Web CureIt!, which we wrote about in this article. If you suspect malicious activity, you can always scan the file system and, if a threat is detected, cure your computer.