Ondrej Vlcek

17 July 2009

avast’s Top 5 Hidden Gems

Most users are not able to tell the difference between various antivirus software applications. They consider all the applications pretty much equivalent (function-wise) and usually decide which one to use according to subjective things like prettiness of the user interface, ease of use or lightness on system resources (and of course, the price).

More experienced users sometimes try to search for independent reviews and pay attention to detection rates measured in comparative tests. The problem is that these reviews and tests often produce conflicting results, making the situation even more confusing. In addition, most of these tests only perform on-demand scans, completely ignoring the on-access (and pro-active) parts of the product.

In this article, I’d like to pinpoint 5 features of avast! that we feel are pretty unique and differentiate us from the pack.

1. Boot-time scan. The boot-time scan is a unique feature in avast that allows you to perform a full hard drive scan before Windows boots. The principal advantage here is that at the moment the scan runs, the vast majority of malware is still dormant (it hasn’t had a chance to activate yet) and is thus easily detected and removed. Moreover, the boot-time scan uses direct disk access (bypassing the Windows file system drivers), allowing us to see even the most stubborn rootkits. Therefore, it is wise to run the boot-time scan whenever there’s a suspicion that the system may be infected.

In order to run a boot-time scan, open avast’s user interface (run avast e.g. from the desktop icon), and from the right-click context menu, select “Schedule boot-time scan”.

Note: the boot-time scan is currently available only on 32-bit operating systems.

2. Antivirus screensaver. Another avast! favorite, the antivirus screensaver is basically a special screensaver that is able to run a full system scan when it makes most sense – i.e. when the system is idle. It can run on top of another screensaver (with just a small top-level window showing the scan progress), so you don’t have to sacrifice your favorite screensaver in order to use it.

To enable the avast! screensaver, open the system screensaver properties window, and select “avast! antivirus” from the list.

3. Unrivaled detection of script malware. Five years ago, most viruses were distributed by means of email. Those days are gone, with the World Wide Web taking over. Indeed, the vast majority of malware today is distributed over the web, mostly by means of hacked (otherwise legitimate) sites. The attacker usually injects some malicious scripts into some (or all) pages on the site, waiting for an unsuspecting user to visit the site and possibly infect his/her machine.

And this is where avast’s detection capabilities really excel. Its ability to detect these web-based malicious scripts is second to none, and thanks to the Web Shield and Script Blocking providers, it is used exactly when needed, doing an excellent job of stopping web-based malware right at the entry point.

4. Strong antirootkit shield. Starting with version 4.8, avast has a built-in antirootkit scanner. It is based on GMER, one of the most respected specialized antirootkit applications available (in fact, the guy who created the original GMER now works for us). We’re constantly improving the internals of this component so that it’s able to detect and remove even the latest threats, including e.g. the infamous MBR rootkit.

Normally, it’s not necessary to perform any manual rootkit scans, as these are done automatically each time you restart your computer. Users of the Professional Edition can run a manual rootkit scan by creating a task in the Enhanced User Interface and selecting Rootkit scan in the Scan Areas section.

5. Malware submission system. This is one of the lesser-known features of avast!, but an equally important one. Under the hood, avast deploys a number of sensors that monitor the file system, registry and other components of the operating system. On top of these sensors, there’s a module that analyzes all the data reported by the sensors, and if it concludes there’s something suspicious, it immediately alerts the user. However, it doesn’t tell the user that the system is infected. Instead, it just reports that something fishy is going on on the system and that certain files/programs are the suspects. And, most importantly, it allows the user to submit these files to our virus lab for further analysis (the submission process is then automatic; all we ask for is consent to send the files).

This way, we’re able to have a continuous feed of the latest samples right from our own user community. And since the community is so huge, it all works very well; moreover, the community is self-sufficient.

By the way, in avast 5, the core of the malware submission system has been refactored into something we call the “Behavior Shield”. More on this later.
