
Using more than just Sophos...Why not?

My experience with antivirus and antispyware programs has been that sometimes one program finds suspicious or 'dangerous' items that another program does not find. So I like the idea of having several such programs installed. However, most advise against using more than one program. For example, Microsoft Security Essentials' installer warns, "If you have other antivirus or antispyware programs installed on your computer, they may conflict with Security Essentials and prevent it from working properly. Having multiple antivirus or antispyware programs may also cause severe performance issues on your computer." How valid is this warning? It sounds ominous, but the cynic in me wonders if this might also just be a way to intimidate users into avoiding competitors' products. Does Sophos expressly warn against installing Microsoft Security Essentials? I also have Malwarebytes Premium installed, and so far it does not appear to be causing any problems with Sophos (and vice versa). But, then again, how would a person know? Does Sophos expressly advise not to use Microsoft Security Essentials on the same computer? Why not make them mutually compatible, in view of the fact that past experience has shown that sometimes one program will miss a threat while another program detects it? The same goes for programs like Ad-Aware. Sophos is the Cadillac product in this class, and I am not criticizing Sophos in any way... I'm just instinctively skeptical about putting all my eggs in ANY one basket, even if it's supposedly woven out of gold and silver. What's the user community's best-practice advice on this subject?

  • Hi,

    It's an interesting thought. The answer, sadly, is a tricky one, in as far as two may play nicely together one day and fall out terribly the next.

    Security software relies on system hooks of various shapes and forms to intercept files, network traffic, API calls and so on. For example:

    • To monitor file reads/writes to disk you might have a file system filter driver.
    • To monitor network traffic being used by a process you might have an LSP or a WFP callout driver.
    • To load your DLL into a process you might use the detoured approach.

    As there are only so many hooks available, and with most security products using the same ones for one task or another, there is a chance that they occasionally step on each other's toes.

    Taking filter drivers as an example: to intercept file opens, which is the main job of a real-time scanner, you might write a minifilter, like SAVOnAccess.sys. This could potentially be one of many on the system, all with different altitudes in the stack. You can run fltmc.exe to see this on a Vista+ computer.

    Install another AV vendor and you get another. At this point you have one of the filters on top that will intercept the request and pass it, probably, to a user-mode scanning engine. That engine might return that the file is clean; the request might then get sent off to the next AV filter, which calls another scanning engine, and again it could come back clean. AV scanning is not a cheap inline operation, so you'd probably start to notice the file being scanned twice, especially if the file was large and complex. Most likely you'd get a few hangs from applications in this scenario, depending on the file type/size. Maybe if the disk I/O was good and you had plenty of memory you'd get away with it most of the time.

    If you were to install one vendor, disable all the active hooks and just run scheduled scans, then there is a good chance that two could happily co-exist: one doing all the real-time and scheduled scans, the other just scheduled scans, for example. The problem is no one is likely to test their product with every other product, and as security applications update so often, unless you know what you're doing to disable these hooks and keep them disabled, they may re-install themselves.

    I hope that covers the main points and why it's generally not recommended to have two, let's say "real-time", AV products installed at the same time.

    Hope it helps.

    Regards,

    Jak

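A way to make the minifilter stacking described above visible, as an added example that is not from this thread or from Sophos: the script below parses the table that `fltmc filters` prints on Windows, orders the filters by altitude (the highest altitude sees a file open first, then the request passes down the stack), and flags a host on which more than one filter is registered in Microsoft's "FSFilter Anti-Virus" load order group (altitudes 320000 to 329999). The sample `fltmc` output, the second vendor's filter name and all the altitude values are constructed for the example and are not real captures or real Sophos values.

```python
"""Spot more than one real-time AV minifilter from `fltmc filters` output.

Run `fltmc filters` in an elevated prompt on a Windows host and feed its
output to coexistence_report(); the sample below is constructed so the
script also runs offline on any platform.
"""
import re
import subprocess
import sys

# Microsoft's documented "FSFilter Anti-Virus" load order group for minifilters.
AV_ALTITUDE_RANGE = (320000, 329999)

# Constructed sample (NOT a real capture); altitudes and the second vendor's
# filter name are placeholders, not Sophos's or any other vendor's real values.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
SAVOnAccess                             3       325000         0
OtherVendorAv                           3       327000         0
luafv                                   1       135000         0
FileInfo                                3       40500          0
"""

# One data row: name, instance count, numeric altitude, frame number.
FLTMC_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<instances>\d+)\s+(?P<altitude>\d+(?:\.\d+)?)\s+(?P<frame>\S+)$"
)


def parse_fltmc(output: str) -> list:
    """Return the filters as dicts, highest altitude first (the order in which
    a file open reaches them). Header and separator lines are skipped because
    they contain no numeric instance count."""
    filters = []
    for line in output.splitlines():
        match = FLTMC_ROW.match(line.strip())
        if not match:
            continue
        filters.append(
            {
                "name": match["name"],
                "instances": int(match["instances"]),
                "altitude": float(match["altitude"]),
                "frame": match["frame"],
            }
        )
    return sorted(filters, key=lambda f: f["altitude"], reverse=True)


def antivirus_filters(filters: list) -> list:
    """Keep only the filters registered in the anti-virus altitude range."""
    low, high = AV_ALTITUDE_RANGE
    return [f for f in filters if low <= f["altitude"] <= high]


def coexistence_report(output: str) -> dict:
    """Summarise the stack and say whether two real-time AV filters are loaded."""
    filters = parse_fltmc(output)
    av = antivirus_filters(filters)
    return {
        "total_filters": len(filters),
        "stack_order": [f["name"] for f in filters],
        "av_filters": [f["name"] for f in av],
        "multiple_realtime_av": len(av) > 1,
    }


def live_fltmc_output() -> str:
    """On Windows, read the real table from fltmc.exe; elsewhere use the sample."""
    if sys.platform != "win32":
        return SAMPLE_FLTMC_OUTPUT
    proc = subprocess.run(["fltmc", "filters"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else SAMPLE_FLTMC_OUTPUT


if __name__ == "__main__":
    report = coexistence_report(live_fltmc_output())
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["multiple_realtime_av"]:
        print("More than one anti-virus minifilter is loaded; every file open "
              "will be intercepted and scanned by each of them in turn.")
```

The altitude range is the only part of the check that carries meaning: a vendor can register a scanner outside the anti-virus group, so treat the report as a quick indicator, not proof that only one real-time scanner is present.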
  • We have published an article on the question too...

    http://sophos.com/kb/13814

  • Hello Skeptic,

    Jak has already summarized the main points but allow me to add my two cents.

    The problem is mainly, as Jak has pointed out, with real-time components interfering. Not going into the (intricate) details: there's no standard to reliably layer certain functionality like AV (other examples are encryption or HSM). Furthermore, the existing framework lacks the semantics to communicate the results of a scan.

    One might think of (email) gateways where often more than one AV product is employed. This is, however, on demand scanning where a suitable interface is defined and a calling process controls the engagement of the different providers, the aggregation of their results and the eventual action. More or less random interception by several parties which have no knowledge of each other is not the same and even "correct behaviour" within the existing framework can lead to incompatibilities especially when different strategies are pursued.

    With the products going beyond pure AV, the risk of undesired interactions increases. Product B might deem the perfectly legitimate instrumentation utilised by product A at least suspicious. And product D might not like the unstoppable service product C implements ... spooks from different "agencies" suspecting each other.

    "Why not make them mutually compatible?"

    "Someone" would have to define an appropriate framework/standard; it is unlikely that this could be achieved without the vendor for proprietary OSs or distributions. It seems their stance is still that (third-party) AV is more or less unessential.

    Christian

  • Many thanks for the thoughtful, informative and helpful comments. I think I'll let Sophos handle all active threat prevention and use Malwarebytes as a secondary scan only, as advised.
