echo: virus_info
to: DMITRY MOSTOVOY
from: KEITH PEER
date: 1997-01-03 01:06:00
subject: Re: here again!

Hello Dmitry:
DM>     So, the first class and the most popular anti-viruses are
DM> scanners/removers (S/Rs). It is the first defence line in the anti-virus
DM> strategy. All incoming files are to be checked by S/Rs. But what S/R is
DM> to be used? There are different answers for different regions because
DM> scanner should include information about the latest viruses in the
DM> region. Of course, there is collection exchange between anti-virus
DM> developers, so after one or two months all scanners will know viruses
DM> from your region. But to minimize risk it would be better to use
DM> scanner developed in your region. It is a good idea to use a group of
DM> scanners. For example, for Russia the best choice is DrWeb with good
DM> heuristic analyzer and very short reaction time for Russian viruses and
DM> some scanner with a big virus database, for example Dr.Solomon, F-Prot
DM> or AVP.
Response time is relative. I know for a fact Eugene (AVP) and I am
sure Igor (DrWeb) as well can provide same day or within 24 hours
service there in Russia. We too can provide 24 hour turn around for
new viruses if need be. The heuristics within DrWeb are comparable
to AVP. The problem with depending on the heuristics of a virus
scanner to protect your system is that the quality of the rules
algorithms is dependent on the quality of the programmer. Heuristics
are not perfect. I agree on a multi-product approach though. You
raised an interesting point, regional differences can be slightly
significant but not important. Many products today are
multi-national in that the developers have international offices or
international distributors that feed the virus database world wide.
The virus collection maintained at KAMI (AVP) for example is
supported and supplied from distributors and dealers world wide thus
eliminating the regional differences. This has many advantages to the
end users.
Using products that are regional today can needlessly expose the user
to the possibility of obtaining virus infection. Sadly, the internet
has increased the availability of a vastly greater number of viruses than
ever before.  Regional outbreaks still do happen but the frequency of
these regional attacks has increased. We see many viruses that are
not on any "In the wild" lists in these "regional" outbreaks.
This is why products like AVP, F-Prot, Dr Solomon's have vast
databases. You cannot predict the exact virus that will infect a
user's computer. It may be harmless, or it may not be.
DM> The second defence line is integrity checkers. They should be used
DM> on every computer to be sure that there are no viruses in the
DM> system.
Integrity checkers are a third level of defense but should be used
with a quality antivirus scanner and resident protection on every
computer.  The problem with Integrity checkers is that they cannot
tell a user that a program is infected with one of the 10,000 or so
known different viruses or not. They only detect a change; whether that
change is a virus or not the integrity checker cannot determine.
We have seen a few large installations of integrity checks here in
the US and all were removed and replaced with antivirus scanners and
TSRs.  Why?  In all cases over 70% of the time the end user ignored
the warning because without expert knowledge the end user could not
determine if the warning was a virus infection or not. The integrity
checker only gave a warning not a specific message.
Integrity antivirus products *can be* a powerful tool but require
expert knowledge to be used effectively. They also require the end
user to keep his programs fairly static in that he cannot constantly
add or change software. If the end user did, his integrity databases
would be constantly changing thus weakening the generic detection of
the Integrity checker. Keeping an integrity database current can be an
excessive task for an end user.
DM> The 3-rd class is resident monitors. They were not very popular
DM> under DOS and Windows 3.xx environment. But under Win 95, written as
DM> VxD, resident monitor may be very useful. I can't now talk about
DM> concrete monitors for Windows 95 because I did not test them. But I
DM> think that it is very perspective class of anti-virus programs.
DM> Theoretically virus can deceive resident monitor, so for computers
DM> which need the most reliable protection, resident monitors with
DM> hardware support should be used.
Active protection is the most powerful line of defense and is the
secondary line of defense for PCs. The reasoning is simple. Given
the fact the resident protection can prevent infections and acts in
almost real time with the end user, viruses are caught prior to
infecting a computer. No virus clean up is required. Lastly comes the
integrity checker that catches anything that was missed and is
post (after) infection.
You see Dmitry the best defense is to catch viruses before they enter
the PC. Virus scanning diskettes using a high quality virus scanner
or active real time protection TSRs, VxDs and even NLMs offer
the end user ease of use and a powerful tool to prevent infections.
Lastly comes an integrity checker that detects changes viral or not.
This is why Integrity checkers are not popular like virus scanners.
They can be powerful but require expert knowledge to be used
effectively and cannot prevent infections. They only detect viruses
post infection when you are most vulnerable to data loss.
Sincerely,
Keith A. Peer
... Central Command Inc. U.S. Distributor for AVP and HS
 * Silver Xpress V4.01 SW12662
--- InterEcho 1.19
---------------
* Origin: PC-Ohio PCBoard * Cleveland, OH * 216-381-3320 (1:157/200)
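
The limitation of integrity checkers described in the message above, as an added example that is not part of the original post: a minimal hash-baseline checker in Python, run on constructed files. The file names and contents are made up for illustration; a legitimate upgrade and an unexplained modification both come back with the same CHANGED status and nothing that identifies a cause.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            digests[os.path.relpath(path, root)] = digest
    return digests


def compare(baseline, current):
    """Return sorted (path, status) pairs: CHANGED, ADDED or REMOVED."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report.append((path, "REMOVED"))
        elif path not in baseline:
            report.append((path, "ADDED"))
        elif baseline[path] != current[path]:
            report.append((path, "CHANGED"))
    return report


def demo():
    """Constructed scenario: one benign upgrade, one unexplained change."""
    with tempfile.TemporaryDirectory() as root:
        files = {"EDITOR.EXE": b"editor v1.0", "TOOL.COM": b"tool v2.3",
                 "README.TXT": b"notes"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = snapshot(root)
        # The user installs a new version of the editor (benign change).
        with open(os.path.join(root, "EDITOR.EXE"), "wb") as handle:
            handle.write(b"editor v1.1")
        # Bytes are appended to the tool; the checker cannot tell why.
        with open(os.path.join(root, "TOOL.COM"), "ab") as handle:
            handle.write(b"<appended bytes>")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:8} {path}")
```

Every software install or update forces a baseline refresh, which is the maintenance burden the message describes.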

SOURCE: echomail via exec-pc
