Common Antivirus Issues from an AV Tester’s Perspective

Our Antivirus Experience

At MRG Effitas, we have a great deal of experience working with antivirus (AV) software. While preparing our quarterly AV test reports we have to install AV agents, configure policies both on the local GUI and on remote consoles, maintain update procedures, check if the update has indeed succeeded, etc.

While we do this, we try to keep various user perspectives in mind, empathising with the everyday home user as well as corporate administrators.

Here we highlight the most common issues and complaints, the ones that give our Testing Team the most headaches. These problems are no doubt also experienced by regular users (those lucky folks who have to maintain a single antivirus product, not the usual fifteen our Testing Team does!), so we hope this overview gives AV vendors some feedback and suggestions for making their products as streamlined and user-friendly as possible for the everyday user.

In An Ideal World

Ideally, an antivirus product should share the characteristics of a well-designed calculator app: it should require the user’s attention only when it is really needed (i.e. when some kind of risk has been detected). At all other times its operation should be constant and transparent. Updates should proceed smoothly in the background, and protection should never lapse, not even while new signatures are applied or the AV agent itself is being updated. On a related note, the software should not consume significant (noticeable) system resources while it runs.

Life On the Test Bench

As I’m sure our fellow testers will agree, the reality is often far from ideal, and many antivirus products suffer from some kind of shortfall in one or more respects.

As an AMTSO-compliant testing house and a team of practising IT professionals, most of the time we can work our way around these problems during the testing and dispute phases, and our test participants usually happily lend us a hand with solving technical difficulties.

However, even though these issues usually do not result in any measurable change in efficacy-related metrics, we believe AV vendors should consider the following areas when setting their development priorities.

Antivirus Update Issues

Signature and AV software updates are essential features of any decent AV product and, at least in theory, the update process is straightforward: the local agent connects to the vendor’s servers, downloads the update package, and the package is extracted and installed into the local signature database.

Sounds easy, right?

Well, in practice, we often run into the same issues with this seemingly simple process:

  • Update takes too long. One of the most frustrating stages of testing is fine-tuning the test bed and then waiting for the AV to finish updating. A look at our 360 performance charts shows that the more sluggish AVs take several minutes to complete a regular update, whereas the more efficient ones take just a couple of seconds.
  • Update takes a lot of computing resources. Because the update package has to be extracted and processed, the CPU is burdened with the task, which from the user’s perspective is pure overhead. CPU usage, network bandwidth and disk I/O are all affected, so an inefficient update mechanism takes its toll on the overall user experience.
  • It is hard to tell whether the signature/training set update has succeeded. When the update process finishes, our Testing Team needs to be able to tell whether the signature update actually succeeded. In our experience this is sometimes genuinely hard to tell: there is no clear indication on the GUI, and without a standardised (and uniformly used!) interface we have to dig through log files, a time-consuming and troublesome process. For the security-conscious user, this should be something that can be decided with a glance at the app GUI.
  • Update renders the protection temporarily disabled. The issues above are minor nuisances in the grand scheme of things; this one, however, is unforgivable. We often find that while the update is in progress and the AV is doing heavy lifting under the hood, it ceases its actual anti-malware activity, leaving a gap of a couple of minutes in the workstation’s security posture. This is especially prevalent in AV products that run several background Windows services: to update successfully, a tightly choreographed dance has to stop every service before its binaries can be replaced.
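As an added example (not MRG Effitas tooling and not any vendor’s code), the following Python script is the kind of vendor-neutral check the last item calls for: it repeatedly drops the EICAR standard test file into a directory while an update runs and records every probe the AV left intact, so a protection gap shows up as a run of unprotected probes with timestamps. It assumes the AV’s on-access scanner watches the chosen directory; the probe interval, grace period and run duration are arbitrary defaults.

```python
"""Protection-gap probe: added example, not MRG Effitas tooling.

Drops the EICAR standard test file (a harmless 68-byte string that every AV
is expected to detect) into a watched directory at a fixed interval and
records whether each copy survives a short grace period. A surviving copy
means on-access scanning was not active at that moment. Start it, trigger
the signature/agent update from the AV GUI or console, and read the gaps
afterwards.
"""
import os
import tempfile
import time
from dataclasses import dataclass

# Published EICAR test string; detecting this file is standard AV behaviour.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Probe:
    t: float          # seconds since the monitor started
    protected: bool   # True if the AV blocked, removed or altered the probe


def probe_once(probe_dir: str, grace: float) -> bool:
    """Write one EICAR copy and report whether the AV dealt with it in time.

    'Dealt with' means the write was refused, or the file is gone, unreadable
    or no longer intact after `grace` seconds (quarantined, deleted, blocked
    on access). An intact, readable copy means no on-access protection.
    """
    path = os.path.join(probe_dir, f"probe-{time.time_ns()}.com")
    try:
        with open(path, "w", encoding="ascii") as f:
            f.write(EICAR)
    except PermissionError:
        return True               # the write itself was blocked
    time.sleep(grace)
    try:
        with open(path, "rb") as f:
            return f.read() != EICAR.encode("ascii")
    except (FileNotFoundError, PermissionError):
        return True               # removed, or access blocked
    finally:
        try:
            os.remove(path)       # tidy up if the AV left it alone
        except OSError:
            pass


def monitor(probe_dir: str, duration: float,
            interval: float = 2.0, grace: float = 1.0) -> list[Probe]:
    """Probe every `interval` seconds for `duration` seconds (assumed defaults)."""
    probes: list[Probe] = []
    start = time.monotonic()
    while (elapsed := time.monotonic() - start) < duration:
        probes.append(Probe(round(elapsed, 1), probe_once(probe_dir, grace)))
        time.sleep(max(0.0, interval - grace))
    return probes


def find_gaps(probes: list[Probe]) -> list[tuple[float, float]]:
    """Collapse runs of unprotected probes into (first_t, last_t) windows."""
    gaps: list[tuple[float, float]] = []
    start = last = None
    for p in probes:
        if p.protected:
            if start is not None:
                gaps.append((start, last))
                start = None
        else:
            if start is None:
                start = p.t
            last = p.t
    if start is not None:
        gaps.append((start, last))
    return gaps


def coverage(probes: list[Probe]) -> float:
    """Fraction of probes the AV handled; 1.0 means no gap was observed."""
    if not probes:
        return 0.0
    return sum(p.protected for p in probes) / len(probes)


if __name__ == "__main__":
    # Assumption: the AV's on-access scanner watches the temp directory.
    with tempfile.TemporaryDirectory() as d:
        print(f"Probing in {d}; start the AV update now.")
        results = monitor(d, duration=300)
    print(f"coverage={coverage(results):.0%}")
    for a, b in find_gaps(results):
        print(f"protection gap: t={a}s .. t={b}s")
```

Run it on the test bench, kick off the update, and compare the reported gap windows with the update’s start and finish times. A product that keeps protection up throughout reports 100% coverage and no gaps; one that stops its services for the binary swap shows a gap roughly as long as the restart.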

UX issues

An AV is essentially a security product and, as such, a deep level of technical understanding is required to use it proficiently. Thankfully, corporate users usually do not have to do this themselves; that is what IT administrators are for. Furthermore, well-crafted policies and settings can make the AV’s operation completely transparent to the end-user, with a remote console doing all the necessary legwork. Home users, however, are in a more complicated position: without an entire IT department in the basement to help them, they have to make the decisions and set up the AV product themselves.

A well-designed GUI can make things straightforward. Conversely, a bad GUI design can leave even seasoned IT professionals puzzled! Such issues are not uncommon in any kind of software; in an IT security product, however, they can easily have dire consequences.

  • Unclear GUI language. As a general guideline, the language and wording used in AV products should be concise and accurate, and it should be clear to users what the consequences of their decisions are. In many cases, AV products have their own philosophy and nomenclature, so phrases such as ‘detected’, ‘quarantined’ and ‘eliminate the threat’ carry their own shades of meaning. Our Testing Team members have to map out exactly what each product means by each of these terms.
  • Unclear GUI logic. Every GUI applies its own logic, and that logic should be communicated through a visual language so that it feels intuitive. However, we often see horrible examples of GUI design where the internal logic is counterintuitive, or inconsistent from one screen to the next.

To find out more about the efficacy of the antivirus software we test, check out the Tests section of our website. For quality assurance support and certification of your antivirus product please get in touch with our team.