The first point to consider when selecting a detection product is the type of viruses likely to be encountered. Approximately 95 percent of all virus infections are accounted for by a small number of viruses. The viruses that constitute this small set can vary geographically. The common viruses can be distinct on different continents, due to the paths in which they travel. Of course, different hardware platforms will be at risk from different viruses.
International organizations may be vulnerable to a larger set of viruses. This set may be obtained by merging the sets of viruses from different geographical regions where they do business. Organizations with contacts or installations in locations where virus writers are particularly active [] are also more likely to encounter new viruses.
Risk from new viruses is an important consideration. Scanners are limited by their design to known viruses; other detection tools are designed to detect any virus. If your organization is at high risk from new viruses, scanners should not be the sole detection technique employed.
Another important criteria to consider is the number and type of errors considered tolerable. The tolerance for a particular type of error in an organization will vary according to the application. Table 1 shows the types of errors which should be expected. An estimate of the frequency that this class of error is encountered (Infrequent, Frequent, or Never) is also given for each class of tools and error type. All anti-virus tools are subject to errors, but their relative frequencies vary widely. Scanners probably have the lowest overall error rate. Checksummers do not produce false negatives.
The third and fourth items to consider when selecting anti-virus tools are the ease of use and administrative overhead required for each tool. Questions to consider are:
includes a general evaluation of the ease of use and administrative overhead imposed by each class of tools.
If several tools still appear to be candidates, consider the functionality of these tools beyond virus detection. Viruses are only one of the many threats to computer security. All detection tools except scanners have general security applications beyond viruses. Scanners are limited in application to viruses, but have the added functionality of virus identification. Consider the added functionality which is most needed by your organization and choose accordingly. The alternatives are outlined in table 3.
The final selection criteria to be considered is when does the tool detect viruses. Proactive detection tools allow the user to keep viruses off a system by testing incoming software. These tools only allow one chance of detecting a virus (upon initial introduction to the system). Active detection tools intervene during the replication phase itself. Reactive detection tools can be used any time after a virus has entered the system. Additionally, reactive tools are not as rigorous in their demands on system performance. Table 4 shows when these different tools detect viruses.