Virus Scanners for NT

Defend yourself against the bad guys

When was the last time you had a cold? Some little germ invaded your body and made you tired, achy, and chilled, but you were probably still functioning. You probably had a major irritation but not a life-threatening situation. Your doctor most likely gave you antibiotics and scolded you for not getting a flu shot three months ago.

Everybody knows the analogy between human and computer viruses, but you usually hear about computer viruses only in dire terms--Ebola instead of a cold. The bad news is that computer viruses are rampant on the Internet and intranets and in this network-happy world. The good news is that a surprisingly small percentage of users ever suffer a loss from a virus. Most computer viruses are just plain annoying, much like the common cold. Few evolve into destructive strains.

To protect your computer from catching a cold or something worse, you need to scan for viruses. Most virus scanners perform two tasks--detecting viruses and inoculating your computer against them.

Virus scanners have gone through many generations of change to keep up with the new virus strains. Many of the latest viruses aren't even executable files. Malicious pranksters have written Word and Excel macros that attach themselves to documents. You can infect documents on your system and not realize what you've done until it's too late. For example, at a Professional Developer's Conference, Microsoft recently distributed a CD-ROM that was infected with the Word Prank macro virus.

With the booming popularity of online software distribution, you now have the tools to purge sophisticated new viruses soon after they hit. So, many virus scanner vendors now distribute minor upgrades on the Internet. Because new viruses emerge weekly (sometimes daily), virus scanner vendors need to let you download an update with the latest virus definitions monthly. For example, when the recent Laroux virus (the first Excel macro virus) made headlines, McAfee and Symantec offered detection and cleaning routines on their Web sites.

If you connect to any network, you need to invest in a virus scanner and schedule regular scans. Whether the release of virus scanners for Windows NT signals its growing popularity or is a sign of the times, NT virus scanners have been appearing at an amazing rate during the past year. At press time, as many virus scanners are available for NT as for Windows 95, which is incredible given the installed base of each OS. Small start-up vendors are diving into the NT pool, and established companies such as McAfee, Symantec, and S&S Software International are porting their virus scanners to NT.

NT alone protects itself from viruses that can infect other operating systems: NT's built-in protection can ward off viruses attempting to directly access hardware such as a hard disk. But what happens when NT isn't running? Boot-sector viruses can still affect systems because their damage occurs during boot-up. Viruses that exist on the system before you install or upgrade to NT can cause installation problems--the dreaded Blue Screen of Death. Unfortunately, the scanners in this review can't clean your system before you install NT, so you will want to scan your system with a DOS or Win95 virus scanner before installing NT for the first time.

No one has detected any NT-specific viruses at press time. Still, you need a virus scanner to catch boot-sector viruses that can affect NT systems and any viruses that are on your hard drive.

Putting Scanners to the Test
Selecting a virus scanner that best meets your needs can be a challenge. So to help you evaluate the pros and cons of each package, I've gathered and evaluated six leading scanners for NT. I reviewed Carmel Software Engineering's Carmel Anti-Virus, S&S Software International's Dr Solomon's Anti-Virus Toolkit, Cheyenne Software's InocuLAN, Symantec's Norton AntiVirus Scanner (NAVSCAN), Sophos's SWEEP, and McAfee's VirusScan with NetShield. All the scanners in this roundup offer sufficient virus protection and deserve a spot on your NT system. But which ones pull ahead of the pack? Table 1 rates each scanner's features. The sidebar, "Editor's Choice," on page 59, explains how I reached my selections.

I installed each application on a late beta build of NT Server 4.0. Most of the virus scanners ran on NT 4.0 and on NT 3.51; however, some choked on NT 4.0, and McAfee's offerings refused to install on anything other than NT 3.51. In those cases, I ran the scanners on NT 3.51 Server. The test system was a 133MHz Pentium with 32MB of RAM.

The tests focused on ease of use, network support, and virus detection rate against a test bed of common viruses. I also looked at less apparent features, such as configuration, scan scheduling, and--most important--product updates.

To test each scanner, I compiled a random list of 207 stealth, polymorphic, and boot-sector viruses in the wild and compressed them in PKZIP archives. Some of these viruses were new when I tested for them.

Carmel Anti-Virus 1.6
For the past year, Carmel Software Engineering's Carmel Anti-Virus for Windows NT has been popular. Carmel provides excellent local virus protection and decent network protection for NT, but other scanners have leapfrogged Carmel in terms of looks and feature set.

I downloaded the beta version of 1.6 from Carmel's Web site. You can find it at Installing the software was easy, although the installation program doesn't have NAVSCAN's or InocuLAN's flashy splash screens.

Carmel's user interface is intuitive and simple in appearance. Carmel takes a bare-bones approach to file scanning. Rather than trying to entertain you with paper flying between folders, Carmel simply displays a status box containing the number of files scanned, the number of viruses found, and the name of the file the product is scanning.

Carmel maintains a database of NT system files on your hard drive and performs cyclical redundancy checks (CRCs) against that database on every scan. Screen 1 shows this verification process.

During the tests, Carmel crashed occasionally. In all fairness, I was running beta code, but seeing the program crash during a routine scan concerned me.

Carmel is clearly for local desktop use. Network options are limited to scanning mapped drives, and notification features are all but nonexistent. In fact, Carmel lacks remote alert support, so you have to read separate log files for each Carmel installation. At the very least, a centralized log system would make Carmel more convenient on a network.

Carmel Software Engineering offers virus definition updates on its online sites (GO CARMEL on CompuServe and on the Internet). Unfortunately, the definitions I found there were almost three months old, which is ironic because the company states on the same Web page that new viruses emerge weekly. Carmel detected 140 of 207 viruses with the most recent (April) virus definitions.

Although Carmel lacks other scanners' sophisticated features and high virus detection rate, Carmel has distinct advantages that make it a good choice for desktop use with a network scanner. For example, Carmel's file checksum verification is a handy feature that can help ensure your system's safety. If you need a standalone or network scanner, however, look elsewhere.

Dr Solomon's Anti-Virus Toolkit 7.60
Dr Solomon's Anti-Virus Toolkit for Windows NT from S&S Software International has several advantages, including a flexible event scheduler and concise manuals. Dr Solomon's ships with both a DOS and an NT version. The DOS client is a nice touch if you dual-boot between NT and DOS/Windows 3.1x or Win95.

Installing the scanner was as easy as inserting two floppies and pointing the installation program to a local directory. The installation program lets you set the event scheduler service to start scanning automatically on every boot, or manually.

For some reason, Dr Solomon's scans the system executables after it copies its program files to the hard drive. Although the Dr Solomon's program disks are permanently write-protected (the disks don't have a write-protect tab), you can replicate certain viruses in DOS simply by copying files.

Dr Solomon's network support is on a par with the other scanners in this review, but less capable than InocuLAN's domain and notification support. Dr Solomon's lists mapped drives in a drives dialog, so you can select and scan them and your local hard drives. Because Dr Solomon's supports command-line options, you can scan network shares that have universal naming convention (UNC) filenames. Notification features are available as a command-line switch that lets you set up a batch file to automatically broadcast a network message when the program detects a virus on the network.

The Dr Solomon's user interface reminds me of the old Central Point PC Tools virus scanner for Windows. Commonly used features appear as buttons, so you can quickly scan or repair files without going through a series of menu selections. For all the features Dr Solomon's supports, it does a good job of keeping the user interface clean and uncluttered.

Unfortunately, the Dr Solomon's configuration lacks certain important features such as file exclusion and inclusion by extension. You can, however, include or exclude predefined file types (such as executable files, data files, and compressed archives): Select Find Virus options, which is tucked away in the user interface. The options dialog is easy to miss if you work with the program's buttons rather than the menus. Although most default settings are good, I prefer a more flexible and comprehensive configuration that lets me set up the Toolkit to my liking.

Dr Solomon's puts the other virus scanners to shame by successfully detecting 186 of the 207 viruses on my hard drive, the most of any scanner in this review. By default, Dr Solomon's disables support for compressed archive files, including the popular pkzip format, because virus files must be unzipped to execute. I re-enabled it by selecting a check box in the Find Virus options dialog. The viruses I tested for were zipped in individual archives, so Dr Solomon's would have skipped those files in a real situation.

Rather than hooking into the NT Scheduler service, Dr Solomon's installs its own scheduler, which is similar to the Win95 System Agent. This scheduler adds an extra service to NT (and thus, additional overhead) but provides a console to schedule jobs and adds features that NT's Scheduler service lacks. Dr Solomon's scheduler supports several user-specified events, including everything from launching applications to broadcasting messages over a network. As Screen 2 shows, with an easy-to-use console, you can set up events such as a weekly full network scan.

Dr Solomon's scheduler is the most versatile one in this review. Whereas the other schedulers let you run a daily or weekly virus scan, Dr Solomon's gives you more opportunities to run events at regular intervals. For example, the scheduler can scan when the PC is idle at the 10:00 am coffee break, lunch, and the 2:00 pm coffee break.

One of Dr Solomon's most welcome features is missing from other software packages: a set of hard-copy reference manuals. This set includes one program manual for NT and one for DOS and Windows versions, and a hard-copy virus encyclopedia of common virus definitions. Chapter 1 of the program manual describes a virus and its characteristics and is a must-read for anyone on a network or online service.

Unfortunately, Dr Solomon's Anti-Virus Toolkit falls short when it comes to program updates. Rather than offering electronic updates, S&S Software has a subscription service to deliver quarterly or monthly updates, depending on your subscription plan (quarterly updates are free the first year). Clearly, this approach isn't acceptable because media updates are far less convenient and cost effective than electronic updates. However, S&S puts field updates on the Web in case of emergency.

Dr Solomon's Anti-Virus Toolkit is well respected in the virus research community, and the program detected more viruses than any other antivirus package in this review. However, I can't overlook its deficiencies, including its lack of configuration options and electronic updates. If you're looking for a good, solid virus scanner and are willing to pay for updates after the first year, Dr Solomon's is an excellent choice. If you prefer flexibility and inexpensive, easily accessible updates, consider other options.

InocuLAN 1.01 (build 48)
Cheyenne Software's Inocu-LAN for Windows NT was one of the first virus scanners for NT and remains one of the finest on the market. InocuLAN offers top-notch detection routines and a powerful network server interface.

Although InocuLAN's manual pales in comparison to Dr Solomon's, the documentation is good, but technical. The documentation includes a hard copy of common virus definitions that's not as comprehensive as Dr Solomon's Virus Encyclopedia. Still, it's a welcome addition to the package.

Installing InocuLAN was easy. I inserted the CD-ROM (as part of the ARCserve data recovery package) and ran setup.exe. From there, I selected the program directory and let the installation program copy the files and create the program groups. I had some initial problems with InocuLAN and NT 4.0: The scanner froze when I tried to use it. Installing the latest build of InocuLAN (from rectified that problem. As Screen 3 shows, InocuLAN truncated long filenames into 8.3 filenames in the build I tested, but Cheyenne has fixed this in the newest build.

InocuLAN is easy to customize. You can tweak most execution aspects, such as which drives to scan and how much CPU time a scan can consume. These options also extend to scheduled tasks. For example, during the day, InocuLAN can run a background network scan that takes as little CPU time as possible and at night, run one that takes as much of the CPU as the scanner can get.

InocuLAN is primarily a server product, so it installs as a service and has a client/server architecture. InocuLAN for Windows NT Server installs on an NT server and manages the InocuLAN services. The server component also maintains scan times on the network, so you can create and schedule scan jobs on other NT machines. The other component, InocuLAN for Windows NT Manager, is the client that performs the scanning. This client gives users enough access rights to scan their workstation without administrator or server intervention, but the server still tightly controls privileges. InocuLAN groups machines into domains, usually with one primary server and other member servers controlling the clients. The program stores and manages all information on the primary server to keep the other machines' configurations synchronized.

InocuLAN's notification options are without equal. With Alert Manager, you can set the server to email, page, broadcast a message, send a Simple Network Management Protocol (SNMP) trap, or print a trouble ticket when the scanner detects a virus. The pager option is handy, but the coded messages are cryptic, so I recommend the pager alert only when it's absolutely necessary. Because of InocuLAN's domain model, you can have the program notify groups of users when the scanner detects a virus.

Cheyenne Software regularly provides virus definition updates for InocuLAN at its online sites (GO CHEYENNE on CompuServe and CheyTech/Download/virussig.html on the Internet). I downloaded the version 3.20 definitions and set InocuLAN loose on the test viruses. InocuLAN scanned the zipped archives and detected 153 of 207 viruses. According to Cheyenne Software, the next version of InocuLAN (4.0) will have an automatic definition update feature like Symantec's LiveUpdate.

InocuLAN, as its name implies, is an excellent tool for heterogeneous networks driven by NT servers. The product's advanced notification features and excellent client/server architecture make InocuLAN an essential utility for any network. For desktops, however, InocuLAN is probably overkill.

Norton AntiVirus Scanner 1.0
When I reviewed Symantec's Norton AntiVirus Scanner (NAVSCAN) for NT in April, it stood up well to the competition. That fact surprised me for one reason--NAVSCAN is free (it's also available as part of the commercial Norton NT Tools package). For comparison, I reviewed the initial release of NAVSCAN for NT, although Symantec plans to release an update (possibly commercial) by the end of this year. It will feature parity with the Win95 version of NAV.

I downloaded the 1.8MB file from Symantec's site at public/software/win95nt/nav and ran the self-extracting installation executable. Installing NAVSCAN was easy. First, the installer ran a system scan. Then, a series of wizards helped me point the setup program to a directory to extract the files from and set up a common program group on the Start menu.

At first glance, NAVSCAN appears to be a simple application that lacks sophisticated features of the other scanners in this review. But NAVSCAN's simple interface is deceiving. You can do full system and network scans with the click of a button. As you delve into the program, you find advanced features that let you include and exclude files, customize detection notification, edit event logging, and change alert messages. You can even customize NAVSCAN's virus detection notification options. By default, NAVSCAN displays a dialog that prompts you to delete, clean, or ignore an infected file. From the options box, you can set NAVSCAN to automatically delete, clean, or skip infected files.

For scanning network drives, NAV-SCAN includes only the bare essentials. It views each mapped drive as a local drive, letting the software scan all drives connected to the server equally. Unfortunately, NAVSCAN doesn't support remote notification, so the server can't notify an administrator if the program detects a virus. Also, you can't update all versions of NAVSCAN on a network from a centralized location.

Unlike its Win95 counterpart, NAV-SCAN for NT uses the NT Scheduler service, so you need administrator rights to schedule scans. Unfortunately, NAVSCAN supports only one scan a week. You can set up unattended scans to run more often, but you have to write a batch file or set up an AT task.

Symantec places monthly virus updates on its online sites (GO SYMNEW on CompuServe, keyword SYMANTEC on America Online, and or on the Internet). These updates are usually comprehensive and add detection and cleaning capabilities for the latest viruses, including Word and Excel Prank macros.

One feature I'd like to see Symantec carry over from the Win95 version is LiveUpdate. It automates Symantec product updates by connecting to Symantec's BBS or FTP site, downloading the update files, and installing them behind the scenes. With NAVSCAN for NT, you have to update manually.

With the August 1996 definitions, NAVSCAN detected 153 of the 207 test viruses, which is good considering some of the viruses were new as of late July. NAVSCAN had no trouble detecting the zipped viruses. My only complaint about NAVSCAN's detection routines is that it doesn't save log files in a plain text format.

Documentation for NAVSCAN is available electronically as an Adobe Acrobat Portable Data Format (PDF). You can also download the manual from Symantec's online sites. As Screen 4 shows, NAVSCAN comprehensively describes viruses, covering virus characteristics and sizes, how widespread the viruses are, and what they infect.

NAVSCAN is a good all-around virus scanner. Although it lacks crucial administrator features for network use, as a desktop virus scanner, NAVSCAN is the pinnacle of power and simplicity.

SWEEP 2.88
I was surprised to see that Sophos assigned a version number of 2.88 to its latest revision of SWEEP. This new version contains enough features to safely call it SWEEP 3.0. The most significant addition is a GUI. Previous versions were console-mode applications.

Unlike SWEEP 2.75 (for a review, see Tim Daniels, "Virus Scanners," October 1995), SWEEP 2.88 includes an installation program with a mock wizard interface. You can install a local scanner or a server scanner. I opted for the server installation, and with a few clicks of the mouse, I had the program ready to run.

For a first-generation user interface, SWEEP's GUI is incredibly functional and aesthetically pleasing. A toolbar (complete with a novelty radar status indicator) lets you access commonly used functions. Below the toolbar, three tabbed dialogs let you schedule scans and select which drives to include.

SWEEP's configuration options are brief but cover the essentials. You can easily modify the standard configuration options with SWEEP's tabbed dialog, but Sophos also threw in several unique options such as the ability to check only parts of files that might contain viruses and the ability to set how much CPU time to give the scanner. SWEEP can even scan for Macintosh viruses, a capability that comes in handy on heterogeneous networks.

Like InocuLAN, SWEEP has a client/server architecture for its network support. The NT Server component, InterCheck, installs on a central server (SWEEP also ships with InterCheck for Win95), and SWEEP clients install on all other machines. Sophos also ships DOS and Windows clients, so non-NT machines can communicate with the InterCheck server. SWEEP takes digital fingerprints of every file on each client machine and stores these fingerprints on local and remote databases. This process is fairly lengthy (my clients have 2GB to 4GB disks, and the process took almost 45 minutes per gigabyte), but you have to go through this fingerprinting only once. SWEEP excludes inoculated files during system checks unless it detects a discrepancy between the file and its database. When you add new files to the system, SWEEP runs the same fingerprinting routine and then inoculates the files.

SWEEP's notification options aren't as strong as those of its primary competitors, InocuLAN and NetShield. As Screen 5 shows, you can set SWEEP to broadcast messages over the network, but the program doesn't support beeper or email notification. SWEEP does, however, write to the Event Log and store logs in flat ASCII format in a shared directory on the server. So you can use a text editor to analyze data in the logs.

SWEEP's scheduler is less comprehensive than that of Dr Solomon's. To set up a job, you simply click SWEEP's Add button on the Schedule tab and configure the scheduler with a set of tabbed dialogs. The scheduler can set up a job to run on multiple days or run multiple jobs to check different files at various times on different days.

SWEEP detected 149 of the 207 test viruses. S&S Software and Sophos are the only vendors whose scanners require hard updates. Rather than sending out definition updates, Sophos sends new software installation disks. Because you can update all clients from a centralized server, incorporating these updates isn't a problem--except for the inconvenience of having to install the program every month. SWEEP definitions are pure ASCII text strings that Sophos calls its Virus Description Language. Because SWEEP uses these text strings for its definitions, you can receive urgent updates via email or fax and essentially create your own definitions.

Sophos rebounded from a mediocre 2.75 release to a strong 2.88 release, and SWEEP (on evaluation/sweepnt) is worth consideration. Unfortunately, better and more cost-effective server and workstation scanners prevent SWEEP from pulling ahead of the pack. Sophos has packed a lot into what appears to be a maintenance upgrade, so keep your eyes open for the promising 3.0 release of SWEEP.

VirusScan 2.5 with NetShield 2.5
McAfee's VirusScan has a long, proud heritage in the DOS world. Although the company has offered top-notch versions of VirusScan for DOS and Windows 3.x for years, the NT version is disappointing.

The VirusScan NT manual suggests you install NetShield on NT Server and use VirusScan on NT Workstation. I found out this recommendation isn't just a suggestion--it's a requirement. VirusScan NT is strictly for NT Workstation, and NetShield is for NT Server, which the setup application enforces. Although other virus scanners installed and ran well under NT 4.0, VirusScan NT did a strict version check to make sure I'd installed the scanner on NT 3.5x. Because NetShield includes VirusScan (which McAfee calls the console component), I based my review on NetShield running on NT Server 3.51.

NetShield installs as a service, with the program acting as a console from which you scan and clean infected files. Although the console doesn't provide one-click scanning, you can easily work with the tabbed dialogs, context menus, and toolbars. To scan connected hard drives (local or network), you launch VirusScan NT from the console.

You also configure scheduling from the console. NetShield uses the NT Scheduler service, and the Scan Wizard makes scheduling a scan task easy: You simply follow the prompts and fill in the scan times. To configure the scan tasks optimally, you have to access five properties sheets, as opposed to one dialog in NAVSCAN. But NetShield's vast dialog options allow greater scanning flexibility than NAVSCAN. You need administrator privileges to do full system scans.

NetShield's notification options come close to matching InocuLAN's. You can configure NetShield to send broadcast messages, pager alerts, SNMP, email notification via a Simple Mail Transfer Protocol (SMTP) server, or a print-out when the scanner detects a virus. NetShield logs information in the Event Log but doesn't record specifics. For example, VirusScan doesn't log the number of viruses it finds on a hard drive but inserts an Infected Files Found message in the Event Log. NetShield with the latest updates detected 147 of the 207 test viruses--the second lowest detection rate of the scanners in this review.

The NetShield and VirusScan NT manuals are excellent. This documentation isn't as comprehensive as that of Dr Solomon's, but step-by-step instructions tell how to install, configure, and run the products. Although McAfee doesn't provide printed virus definitions, the company publishes a list of viruses on its Web site.

McAfee updates virus definitions monthly for NetShield and VirusScan NT on its site at antivirus. NetShield and VirusScan NT offer an AutoUpdate feature, as you see in Screen 6. It runs a script to automatically update the scanners.

NetShield and VirusScan NT are decent products, but they seem less refined than the other products in this offering, partially because of their poor integration with NT's services. For example, VirusScan needs to provide more detailed information (such as the number of viruses detected) in the Event Log and have more flexible scheduling options. McAfee's version checking can be a problem because you have to update the software every time you upgrade NT.

McAfee offers 30-day trial versions of VirusScan for Windows NT and NetShield for Windows NT on its Web site, so you can give them a spin. Both programs are excellent scanners with good network support, and I have no doubt that McAfee will continue to polish the code until it shines. But for now, you can find better solutions that do more with less hassle.

TABLE 1: Comparison of Features
Carmel VirusScan/
Anti-Virus 1.6 Dr Solomon's 7.60 InocuLAN 1.01 NAVSCAN 1.0 SWEEP 2.88 NetShield 2.5
Electronic Updates Poor n/a Excellent Excellent n/a Excellent
Installation Good Excellent Good Excellent Good Excellent
Configuration (Ease of Use) Good Good Good Excellent Good Good
Configuration (Flexibility) Poor Poor Excellent Excellent Good Excellent
Notification Poor Good Excellent Good Good Excellent
Scheduling Good Excellent Excellent Good Good Good
Cleaning Good Good Excellent Excellent Good Good
Network Support Poor Good Excellent Good Good Good
Detection Rate* 140 186 153 153 149 147
*Out of 207 test viruses

I was pleasantly surprised at the versatility and quality of the scanners in this review. Although some scanners run only on NT 3.51, I'm confident that the vendors will update their products for NT 4.0.

Most of these virus scanners are first-generation NT versions, so I'm not surprised that each program has unique strengths and weaknesses. The most important factor in this review is virus detection, and Dr Solomon's Anti-Virus Toolkit, InocuLAN, and NAVSCAN clearly lead the others. Although Dr Solomon's detected the most viruses, its lack of electronic updates and poor network support kept it out of the running for editor's choice. I have to give the editor's choice to InocuLAN for its superior enterprise support and NAVSCAN for its ease of use, regular updates, and­best of all­its price. With Cheyenne and Symantec both offering electronic updates, I'm confident these packages will catch up to Dr Solomon's excellent detection rate while maintaining the same solid features that both packages are known for.

Carmel Anti-Virus for Windows NT 1.6:
Carmel Software Engineering (Israel) * 972-48-416976
Email: [email protected]
Price: $129 (each for fewer than 10 users)
Dr Solomon's Anti-Virus Toolkit for Windows NT 7.60
S&S Software International * 800-701-9648
Email: [email protected]
Price: $79 to $89 (estimated)
InocuLAN for Windows NT Server 1.01
Cheyenne Software * 516-465-4000 or 800-243-9462
Email: [email protected]
Price: $995
Norton AntiVirus Scanner for Windows NT (NAVSCAN) 1.0
Symantec * 408-253-9600 or 800-441-7234
Price: Free (also available with Norton NT Tools)
SWEEP for Windows NT 2.88
Sophos (Alternative Computer Technology) * 513-755-1957
Email: [email protected]
Price: $293
VirusScan 2.5 for Windows NT Workstation
NetShield 2.5 for Windows NT Server
McAfee * 408-988-3832
Price: $65
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.