Selecting a Scanner

Scanners are implemented in several forms. Hardware implementations, available as add-on boards, scan all bus transfers. Software implementations include both non-resident and resident software for the automatic scanning of diskettes.

Non-resident software is sufficiently flexible to meet most needs; however, to be effective the user must execute the software regularly. Hardware or resident software are better choices for enforcing security policy compliance. Resident scanners may be susceptible to stealth viruses.

Although most scanners use similar detection techniques, notable differences among products exist. Questions that potential users should consider when selecting a scanner include:

• How frequently is the tool updated? A scanner must be updated regularly to remain effective. How frequently updates are needed depends on which platform the scanner is used. Update frequency should be proportional to the rate at which new viruses are discovered on that platform.
• Can the user add new signatures? This can be very important if a particularly harmful virus emerges between updates.
• Does the tool employ algorithmic detection? For which viruses does the tool use algorithmic detection? Algorithmic detection is preferable to the use of multiple signatures to detect polymorphic viruses.
• How efficient is the tool? Users are less likely to use a slow scanner. There can be a significant difference in performance between different search algorithms.
• Does the vendor develop their own virus signatures, or are the signatures based on published search strings? There is nothing particularly wrong with published search strings, but it indicates the level of resources the vendor has committed to the product.
• What is the level of documentation? Some packages arrive with large fact-filled binders; other packages are a single floppy disk with a few ASCII files describing installation and parameters.