East Valley Tribune - Metro Phoenix's East Valley region


Data Doctors: Extra layer of virus protection comes with caveats

Ken Colburn, For the Tribune

August 23, 2008 - 8:12PM


Q: One of my nerdy friends told me that I should install a program called ThreatFire because it can do things that my anti-virus program can’t do.

Is this true and should I install it? — Samantha

A: When it comes to protecting your computer from viruses and other malware (malicious software), there are two approaches in the anti-virus arena: signature-based and behavior-based.

The most common programs use signature-based scanners that look for known signatures of malicious code in any file that is being scanned. Most of the name brand anti-virus programs on the market (Norton, McAfee, CA, AVG, Panda, Webroot, etc.) are signature-based scanners.

Signature-based anti-virus programs are very good at detecting malware because they look, at the code level, for the known signs of known malicious software. The hole in the signature-based scheme is that new threats can’t be detected until the infectious code has been discovered and added to the “signature” file of the anti-virus program (which is why it is so critical that you keep your anti-virus program up to date).

This is also why anti-virus software can’t always protect you from infections, especially when opening file attachments or manually downloading “free” software, because new threats have to infect systems before they become known. Once the new threat has been identified, the race is on to update the detection signature file and get it out to all the users before they come in contact with the new infection.

In the past, new vulnerabilities would be discovered and we would start to see exploits appear a couple of months later. This gave the anti-virus companies ample time to create updated signature files and get them out to their users. Today, it is very common to see “zero-day” exploits, which means that as soon as a new vulnerability in any operating system or software program is discovered, some bonehead on the Internet has written malicious code to take advantage of the hole that same day.

In general, you shouldn’t run two signature-based anti-virus programs on the same system because they will detect each other as potential threats and can cause various other system maladies. More is not better, in this case.

The latest type of anti-virus protection uses behavior-based scanners that look for specific types of behavior that are common to malicious software programs. This behavior-based approach has a better chance of catching unknown threats that a signature-based scanner would not be able to detect until it was updated with the signature information.

The downside to behavior-based programs is that you’re more likely to get “false positives” on legitimate programs.
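To make the trade-off concrete, here is a small added illustration (not from the column, and not how ThreatFire or any named product is built) that runs a toy signature scanner and a toy behavior scorer over the same four programs. The file bytes, event names, weights and threshold are all constructed assumptions.

```python
# Constructed, harmless byte strings standing in for program files.
FILES = {
    "known_bad":   b"hdr|ROUTINE-A|tail",
    "new_variant": b"hdr|ROUTINE-B|tail",   # same behavior, different bytes
    "backup_tool": b"hdr|BACKUP-JOB|tail",
    "text_editor": b"hdr|EDIT-TEXT|tail",
}

# Constructed event traces: what each program does while it runs.
TRACES = {
    "known_bad":   ["modify_startup_entry", "inject_into_process"],
    "new_variant": ["modify_startup_entry", "inject_into_process"],
    "backup_tool": ["mass_file_rewrite", "modify_startup_entry"],
    "text_editor": ["read_config", "write_file"],
}

class SignatureScanner:
    """Flags a file only if it contains a byte pattern already on file."""
    def __init__(self):
        self.signatures = [b"ROUTINE-A"]      # yesterday's signature file

    def update(self, pattern):
        self.signatures.append(pattern)       # vendor ships a new signature

    def flags(self, data):
        return any(sig in data for sig in self.signatures)

# Hypothetical weights and threshold, chosen for this illustration only.
WEIGHTS = {"modify_startup_entry": 2, "inject_into_process": 3,
           "mass_file_rewrite": 3, "disable_security_tool": 4}
THRESHOLD = 5

def behavior_flags(events):
    """Flags a program whose observed actions add up to a suspicious score."""
    return sum(WEIGHTS.get(e, 0) for e in events) >= THRESHOLD

def compare(scanner):
    """Return {name: (signature_verdict, behavior_verdict)} per program."""
    return {name: (scanner.flags(data), behavior_flags(TRACES[name]))
            for name, data in FILES.items()}

if __name__ == "__main__":
    scanner = SignatureScanner()
    print("before update:", compare(scanner))
    scanner.update(b"ROUTINE-B")
    print("after update: ", compare(scanner))
```

Before the update, the new variant slips past the signature scanner but is caught by its behavior, while the legitimate backup tool is also flagged by behavior: the “false positive” described above.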

ThreatFire (www.threatfire.com) is a free behavior-based anti-virus program from the folks at PC Tools that can be added as an additional layer to systems that are already running a signature-based anti-virus program.

I would not recommend running it on its own or adding it to a computer that is already infected, is on a dial-up connection or is experiencing performance issues. ThreatFire’s value comes from proactive protection against future threats, not current infections.

Generally speaking, if you have a signature-based anti-virus and you are very careful about what files you open and what Web sites you visit (heaven help all of you with teenagers in your house!), you will be just fine.

If you decide to add ThreatFire for additional protection, make sure your computer is completely clear of any malware before adding it (or any security software, for that matter) or you could stand the chance of causing system lockups or reduced system performance.

Ken Colburn is president of Data Doctors Computer Services — www.datadoctors.com. Listen to the award-winning “Computer Corner” radio show online.
