My story with the anti-virus programs goes like this. First I used EZ eTrust 6.1.7.0, a SHAREWARE anti-virus program from Computer Associates, for quite some time, but later I discovered that this particular 6.1.7.0 version of the EZ eTrust anti-virus program, and probably its driver-level protection, was causing an annoying FILE_SYSTEM BSOD on every shutdown/reboot/logon/logoff. Of course, I first blamed other software, and it drove me to countless installations/un-installations, modifications, tests, reboots, etc., before I realised it was EZ eTrust's fault.
So I first switched to a FREEWARE version of AVG 6, but it was just at the time of upgrading the program to version 7, and somehow I didn't like this new AVG 7 version's interface. Therefore I switched once more and started using the Personal Edition of another FREEWARE program called AntiVir. It is a more and more popular and trusted anti-virus program from the H+BEDV company, located somewhere in Germany, Europe. I have used it now for more than half a year, and I have no complaints at all. In fact I've never got any BSOD since running it, and there were various "stressful" situations where I might have expected one. Its VDF files (virus definitions) are updated on an almost daily basis, and the best thing is that other program files (like the scan-engine library, shell-extension libraries and main program files) are also updated/patched by this online procedure, so you don't need to download the full package too often. AntiVir is simply the best anti-virus program for my personal needs.
Here below are the two most crucial things (well, recently I added a third one, but that one is not so crucial) that I soon noticed and now just couldn't live without. Oh yes, besides that it's a totally non-conflicting program, light on resources, and the general feeling about it is just right.
1. The "Filters" feature, which enables you to exclude up to 12 processes from real-time scanning/protection. I think this one doesn't require further explanation of why it is useful.
2. The "Activate/Deactivate" feature through the system-tray icon (compare to, for instance, un-checking all the protection features in AVG). I do that generally when I am off-line (quite often as a dial-up user), but especially before defragmenting my hard disk, before software installations, driver updates and all similar "low-level" procedures.
3. As mentioned, I lately discovered another awesome AntiVir feature. It has a scheduler that is not only an "internal one" (updating its virus definitions), but actually works as a "full Windows scheduler", i.e. it's capable of executing arbitrary programs.
But somehow in the middle of testing various anti-virus programs (to find the most suitable for me), I actually ran my computer without ANY anti-virus protection, because, well, true geeks don't need any anti-virus program, simply because we are too smart to get infected in the first place. However, there was one case when running it might actually have been worth it. You see, I was in fact infected with a Bagle.AF worm (with an anti-virus program installed and running, but with its on-access protection/monitoring disabled), and certainly it was all because of me and my ignorance, and not because of the lack of knowledge or whatever. The thing is that I often examine viruses/trojans for export functions, which libs they call, etc. So this time I right-clicked on one of the files containing a trojan horse (or worm) I had recently got by mail (before moving them to my "collection of nasties" in the encrypted volume), but unfortunately this time I was too quick clicking it, so I mistakenly chose "Open" instead of "View Dependencies" (to send it to Dependency Walker) or "Send To -- BinText", to send it to Foundstone's BinText program to see the file's strings/contents.
Luckily I was running Sysinternals' Filemon and Regmon programs at that particular time, so I later simply reversed all the settings made by the worm without any problem. I simply deleted the created Run registry key, and deleted the SYSXP.exe file that was created and executed as a process after the "infection" (and was noticeably slowing the system), and a few other related files. And even if I hadn't run those programs, there is a common pattern of a few things that almost every malicious software does. In most cases, the file is executed and is therefore visible running as a process, and second, this process usually creates a registry entry under HKLM or HKCU, in one of the Run subkeys.
P.S. If you want to, you can read more about my "principles" regarding all these "security" programs on my home site, the http://users.volja.net/tayiper/security.html page, or check out the thread on Winforums (my nick is also satyr there):
Do we really need software updates?
http://forums.winforums.org/showthread.php?t=6303&page=1&pp=10
greetings all, Tadej
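The post's clean-up pattern (a running process plus an autostart value under one of the HKLM/HKCU Run subkeys) can be turned into a quick audit. The script below is an added example written for this page, not code from the post or from any of the programs it mentions. It assumes it is run in an elevated PowerShell session on the machine being checked; the list of "suspicious" directories is a heuristic I chose for illustration (the post does not name any), so entries flagged by it still need a human look.

```powershell
# Added example (not from the post): list every value in the Run/RunOnce keys
# under HKLM and HKCU, resolve the executable each one launches, and flag
# entries whose file is missing, lives in a user-writable directory, or
# matches a process that is running right now.
# Assumption: run elevated so both hives and all process paths are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (my choice, not the post's): directories a user-level infection can
# write to without admin rights and where a legitimate autostart rarely lives.
$suspiciousDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Properties that Get-ItemProperty adds itself; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable path out of a Run value. Values may be quoted, may carry
# command-line arguments, and may contain %ENVVAR% references.
function Get-ImagePath([string]$command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first ".exe", otherwise the first token.
    $m = [regex]::Match($expanded, '^(.+?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

# Lower-cased image paths of all processes whose path we are allowed to read.
$running = Get-Process |
    Where-Object { $_.Path } |
    ForEach-Object { $_.Path.ToLowerInvariant() } |
    Sort-Object -Unique

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $image   = Get-ImagePath ([string]$p.Value)
        $imageLc = $image.ToLowerInvariant()
        $flags   = @()
        if (-not (Test-Path -LiteralPath $image)) { $flags += 'file-missing' }
        if ($suspiciousDirs | Where-Object { $imageLc.StartsWith($_) }) { $flags += 'user-writable-dir' }
        if ($running -contains $imageLc) { $flags += 'running-now' }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            Image   = $image
            Flags   = ($flags -join ',')
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Where-Object { $_.Flags }` to see only the flagged rows. An entry that is both "user-writable-dir" and "running-now" is exactly the shape the post describes (a freshly dropped executable that registered itself to start with Windows), but the same shape also fits some legitimate per-user software, so the flags are a starting point for a manual check, not a verdict.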