The antivirus marketplace for protecting Windows computers is crowded. Go back 15 years, and there were two or three well established players whose products were becoming increasing bloated and slow, and then a handful of new providers that were leaner but with varied effectiveness.
Comparing Anti-Virus Products: Most Are Good
Those days are long gone. There are two websites I find most helpful it you wish to appraise the various available products: AV-Comparatives and AV-TEST. The latter tests products in 3 regards: protection (how effective it is at detecting malicious software without blocking harmless files), performance (how much your computer is slower because of the virus checker), and usability (how easy it is to find your way around the program and its settings). Each category has a maximum of 6 points, giving a maximum total score of 18. In a recent test of 22 products, 8 scored the full 18 points, and 8 scored 17.5, leaving just 4 at 17 points or below.
This means it's rarely a matter of finding the one or two products that do the job without slowing your computer to feel like wading through treacle; instead, almost all are perfectly good. So it's the small things that set them apart.
Bitdefender
For 3 years, I've used Bitdefender. I had used them about a decade earlier, and found their detection good but their user interface clunky. When I came back to them 3 years ago, things had improved a lot. It made no noticeable impact on my computer.
A False Positive
Annoyingly, I've just renewed for another year, but a few weeks back it detected a "false positive" for the first time. A false positive is when an anti-virus program detects something harmless to be malicious. This is something that the anti-virus testing processes look for. However their reviews will only tell you how many false positives occurred during their tests, not what happens on your computer if you get one. It was at this point that Bitdefender failed me, and because it doesn't come up in the statistics-driven review sites I linked above, it's worth sharing here.
The file that was detected was a simple one, Wallpaper.exe. It was a simple program I'd written myself. All it does is download an image from a particular website, save it to my local computer, and then set it to be my desktop wallpaper. It's written in C#, and I can recompile it in seconds, using Visual Studio, at any point. So, clearly not a virus then. But Bitdefender detected it as being infected with "Gen:Variant.Bulz.148220".
False Positives: What Should Happen
Here's what should happen when Bitdefender hits a false positive.
1. Train your computer that this file is actually OK. Within the Bitdefender Notifications Window, find the entry where it tells you it's quarantined a malicious file. There's an option there to click "Restore", and the file will be put back. (If the "Restore" button is grey, you need to run the Bitdefender application as a computer administrator before you can restore files from quarantine.)
2. Train Bitdefender that this file is actually OK. According to their online documentation, you submit the file for their consideration. When you do so, you receive a message that the file will be analysed within 72 hours. The documentation page then says that the virus definitions will be updated "within hours" to ensure the harmless file is not detected again.
That's what should happen. What actually happens? It differs from the ideal in 3 ways, and eventually I had to uninstall Bitdefender to be able to compile any programs in my C# project.
1. Bitdefender Doesn't Learn
The first thing that happens is that Bitdefender doesn't learn.
Having told it that my Wallpaper.exe was, in fact, harmless, I tried to compile it again to a different directory. (See the second problem I encountered for why I had to try and do this.) It deleted it again.
So it's not learning that Wallpaper.exe is harmless; it's simply putting that one file back. The next time it scans, it will just remove it again.
2. File System Locking
The first time I asked Bitdefender to restore the file from quarantine, it did so.
However, the C# compiler needs to overwrite that file each time I recompile something, and at that point the "fun" began. Visual Studio would throw an error that it was unable to compile the project because it could not write the output file. That's the error it would give if, for some reason, you've chosen an output location that you don't have permissions to write to. Only I do have permissions to write to that directory, so something else has happened.
It seems that Visual Studio first deletes the old executable program, and then writes the newly compiled one. However, Bitdefender had placed a lock on that filename. You can restore the not-infected file from quarantine once. Thereafter, if you delete that file and try to create any other file, in the same directory with the same filename, Bitdefender will stop you from putting a file there. Presumably it believes that location is still somewhere a virus might get put, so it's protecting your computer from being reinfected. (Or so it thinks: It should know that the "virus" that was once there wasn't actually a virus, because I've told it so).
I was able to verify this, by creating a new file in the directory where it originally found the "virus". Call it "New Text Document.txt", if you like. But if I then try to rename it to "Wallpaper.exe", I get stuck in an endless loop of Windows asked permission to rename the file, and you can never get it to succeed. You can never again have a file in that directory called Wallpaper.exe.
Uninstall and Reinstall
So if I try to compile to a different location, the file gets deleted again. If I try to compile to the same location, Bitdefender has placed a lock over that location.
So the only solution is to uninstall Bitdefender, using their Uninstall Tool. Given by this time it had been over 4 days since I reported the false positive to them, I should be able to reinstall it, with fresh virus definitions (that won't detect Wallpaper.exe), and move on.
I've already gone off Bitdefender. Uninstalling and reinstalling is a 20 minute job, including a 600 MB download, so not something I want to do with every false positive. But their false positive detection rate is low, so I decided to humour them and try it out.
3. Slow False Positive Processing
You have probably guessed what happened. I did the 20 minute thing, then recompiled Wallpaper.exe. Instantly detected as a virus.
There's a really good website you can use to see which anti-virus products detect any file as malicious, called VirusTotal. At time of writing, you can still see their report on what I submitted HERE. But in case they only keep the history for some time, here's what you see.
Notice 2 things.
Firstly, Bitdefender still detected it.
Second, so did a number of other products. Most are obscure that I'd never have thought to use, but some I have heard of. I'd conclude that some of those other products use Bitdefender's engine under the bonnet, so I've learnt that anti-virus products are grouped. If you have problems with one of them, make sure another is actually different before switching to it.
They finally got back to me on the 9th day after reporting the file: "The provided file is clean and currently not detected by our engines". VirusTotal confirmed they did not detect it any more.
9 days, during which the only way to use Visual Studio was to have Bitdefender uninstalled.
No Ticket History
One other issue is worth mentioning.
Bitdefender have a very good customer account part of their website called "Bitdefender Central". You can access Support there, and send them an email. When you do, it opens a helpdesk ticket. But the one thing they don't have in Central is access to your support ticket history, something most companies do. So although you can open a ticket in Central, to respond you have to reply via email, and your reply is piped into the support ticket system.
I like email piping for ticket replies, but not being able to see the ticket history means I have no way to check that they got my reply, and no way to make sure that a reply from me was appended to the existing conversation rather than opening a new ticket.
This is not a deal-breaker on its own. But if you're fighting the anti-virus product because it's stopping you using your computer freely, and if you're receiving radio silence from their support staff for days at a time, it would be really reassuring to see that whole conversation in one unified place, and know that they can see the same.
Enter Kaspersky
So Bitdefender is gone. I asked them to update me when they fix the file-locking problem, and haven't heard back yet.
In the meantime, I'm trying Kaspersky for 30 days. It's another one I'd used previously, but then I hit blue screen problems after a Windows 10 Feature Update. Apart from that, I was always very happy with them. So we'll see how they go.
I still have a Bitdefender license, so if Bitdefender come back to say they've fixed the file locking issue I can switch back to them. If my Kaspersky 30 day trial expires before I hear, I'll just pay for Kaspersky and never look back.
Kaspersky has a long history of being very good. Here's a 10 year chart I downloaded from AV-TEST showing their score out of 18. You'll see that for 7 years the worst they've ever done, in quarterly tests, is 17.5. That's a very consistent track record.
I've just checked the obvious thing. There's a harmless file called the "EICAR Anti Malware Testfile". It's designed so that anti-virus vendors, security researchers, and others can check anti-virus software. It does no harm, but should be flagged as malicious by all anti-virus products.
I created a text file, filled it with the required 68-character string, and save it as "testfile.txt". Kaspersky duly removed it for me. I then created another empty file, in the same directory, named "testfile.txt". Kaspersky made no attempt to stop me having a file with that name.
So on that front at least I'm safe.
Over To You
Thanks for reading, and I hope this helps someone.
If you've had similar problems with recovering from false positives (with Bitdefender, or any other anti-virus program), please use the comments below to share.
Add new comment