11-27-2011 09:25 PM - last edited on 12-19-2011 02:33 AM by Cleo_Lenovo
Is there anyone here running 2 Security Solutions at the same time?
From what I know, few of my lecturers are running AVG and Avira, or Avira and MSE. (All free)
According to their theory, school-licensed Symantec Endpoint Protection slows down the system too much till a point that it is slow or unable to detect the threats. 1 antivirus is not good enough, 2 antivirus would be able to detect 100% of malware.
For my school labs computer, they are running both Symantec Endpoint Protection and Microsoft Security Essential at the same time.
Does 2 security solutions or more helps your computer to be risk-free?
(Current: W520 4284-A99) (Refunded: W510 4876-A11)
Does someone’s post help you? Give them kudos as a reward, as they will do better to improve
Mark it as solved if the solution works for you, so it could be reference for others in the future
Dolby Home Theater v4 (ThinkMix V2)!
Solved! Go to Solution.
11-28-2011 01:41 AM
Generally speaking, you should not run two security programs together at the same time which run in "real-time," e.g., they are actively monitoring the system. The reason for this is that the various real-time components (on-access file system scanner, network traffic filter, and so forth) may interfere with each others operations as they both attempt to access the same bits at the same time. This can lead to all sorts of strange system behavior, such as slowdowns, program crashes, failed downloads and lock-ups.
If you are going to do this, make sure you disable the realtime scanning components of one program, or use one program to actively monitor the system and the other to periodically perform an scheduled or manual scans on demand.
11-28-2011 02:13 AM
This has always been a long standing question on all online security forums. I would say that it does guarantee an all around protection to have 2 or even more Anti-Malware or Anti-Virus solution in a theorectical sense. But in reality having two or more AM/AV software will not bode good fortune for the PC in the long run.
Based on my experience alone and having tested numerous AM/AV installed in different combinations on a Virtual Machine, Laptop and Desktop systems, what I can say:
1. System Lockup - Having several Windows opened will "not respond"
2. Hangs - System rendered useless until a hard shutdown or restart
3. File and Folder Permission errors - Unable to access a file or folder "Access is Denied" errors
4. Installation Errors - Windows Installer based software were unable to install
5. Windows Update errors - Numerous errors such as, 0x80070643, 0x80070005, 0x8007064B, etc, etc.
6. 100% CPU Usage when seen through Task Manager
7. Corrupted User Profiles - Errors seen after login: "You have been logged on a temporary profile"
8. System Services affected and corrupted - Cryptographic , Firewall, Windows Instrumentation and Management just to name a few
There are other things but that was comes as frequently and on top of my head. I have experienced these and no matter how well the system was designed or built i.e. AMD/Intel latest CPU, 8GB RAM, ATI/nVidia GPU; doesn't really matter and overtime the symptoms will progress.
I have always believed that there is no 100% Overall Security. Sooner or later Malware developers find ways in circumventing any designed protection and once your system gets compromised and depending on the type of infection it can stay that way (more info). What counts most is prevention through education of where, when and how an infection can start.
11-28-2011 04:53 AM
It is important to know the difference between the type of scanners:
On-Access (Realtime) Scanners
As the name implies, are scanners that run in the background all the time when the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on the machine.
As the name implies, are scanners that only run when the user asks them to.
Those would be scanners such as:
Online Scans and scanners that run on a machine but are not actively scanning until someone chooses to do so manually.
If there are more than one anti-virus programs running in realtime on the same computer, there is a chance for conflicts if a virus gets on the machine. In that case, each of the anti-virus programs wants to "control" the situation and in some cases, the task of removing the virus does not get done at all.
As mentioned above, the user will also experience slowdown as each is trying to run in realtime. He runs the risk of data loss from a system crash that the instability can cause.
I feel that a better option would be to keep one good anti-virus on the system, keep it current, and use it as designed.
If a second opinion is needed, use one of the online virus scanners.
If you find a post helpful and it answers your question, please click the "Accept As Solution" button.
Microsoft MVP - Consumer Security
Member of Alliance of Security Analysis Professionals
11-28-2011 12:40 PM
Agreeing with all the above points, I would rather see one up-to-date antivirus software with a second third-party anti-malware program.
Peter's comment "1 antivirus is not good enough, 2 antivirus would be able to detect 100% of malware." has validity when understanding that it isn't necesarily that a particular antivirus software isn't able to detect 100% of malware. Rather, detection cannot occur until samples are obtained, analyzed and defintions created, tested, and released.
In addition, programs have different methods of detection, with some using HIPS (Host-based Intrusion Prevention), others not.
11-29-2011 01:42 AM
As already been explained by other posters the downside of having 2 AVs, a system should never have 2 antivirus installed in the system.
Whereas, with regards to anti-malware it's okay to have 2 anti-malware installed in the system if you wish as long as only one has a real-time protection and the other is only use as an on-demand scanner.
11-29-2011 08:02 AM
You are correct, rpggamergal. Having a second on-demand anti-malware is fine.
Whatever programs are used, be sure to update the program prior to scanning and shutdown/restart the computer prior to running the second scanner.
11-29-2011 11:50 AM
I agree with all posters; running two real-time protection products at the same time is a recipe for trouble.
Most security products prevent installation when they detect other security products already on the system, or at least warn you about potential problems if you proceed.
This is both a technical and a practical problem; some operations performed by security products interfere with one another, and security product vendors do not test their products with other security products installed on the same system, so the behavior is unknown.
Also, keep in mind that if you are lucky and get both products installed and running, statistically detection rates are not additive, e.g. a 50% detection rate plus another 50% detection rate does not mean a 100% detection rate, at worst it is still a 50% detection rate, but the machine is twice as slow.
A good defense is to run a good security product, and to be an educated and aware user.
11-29-2011 12:27 PM
"This is both a technical and a practical problem; some operations performed by security products interfere with one another, and security product vendors do not test their products with other security products installed on the same system, so the behavior is unknown."
Although I understand your point and agree that having multiple real-time scanners can cause conflicts and slow the computer. It particularly makes sense when both products are antivirus programs. However, I've seen many users confused and frustrated by products that "prevent" installation in cases where they have other security products installed.
In fact, the recent product version update of one particular antivirus product allegedly objects to the presence of SpywareBlaster, WinPatrol, Secunia's PSI, SpyBot, AdAware, SAS, MBAM, and Comodo's firewall (among others). Products, such as WinPatrol, SpywareBlaster and Secunia's PSI are neither antivirus nor anti-malware applications.
Security product vendors may not test with other security products installed on the same system to determine if there would be conflicts, but the vendors must have the executables in the installation file in order to be able to detect the presence of those products. In such cases where it is not another antivirus product, I think a warning with a link to a KB article explaining the reasons for the warning would be appropriate.
11-30-2011 10:54 AM
I think it would be useful to provide for those reading this topic a brief technical explanation of why security software can create conflicts, and even system instability. I am going to greatly simplify this explanation so it is more understandable, so forgive me if I "play loose" and slide over many of the technical points for the sake of clarity.
First, almost all operating systems, including Windows, Linux, etc., have what is called a kernel. The kernel performs basic computing functions for other programs. Those basic functions are generally common to all programs, and as a consequence it is preferable, and far more efficient, for the operating system to perform those basic functions that are common. Take such simple common functions as read a file, write a file, paint a pixel on the monitor, interface with your network connection, etc. Basic, common functions most all programs need to perform. These basic functions could be left to each program developer to create; or, the operating system developer, in this case Microsoft, could program these functions into the OS and provide access routes for software developers to call upon these standard functions when needed.
Now, for example, take real time malware scanning. What the scanner developer needs to do is to watch for all drive reads (or network access, etc.) and interrupt the process so that their scanner will examine the file being read before it is released to whatever program asked for the read to be performed. In order to make sure this happens every time any program asks for a file to be read, the scanner will have to hook into the operating system kernel somewhere during the read process and examine every file being called for by every program. Otherwise, some files being read will bypass the scanner, which leaves the system unprotected. To make this possible, the kernel permits these kinds of hooks to be established, but only in safe ways, and only at a limited number of points within the (in this case) the read process.
Imagine now if you will, multiple scanners competing for those limited number of hooks. And, by their very nature, those hooks have to hold on tight, since otherwise malware, say, could break the hooks and prevent the scanner from working properly. Hooks like that are generally established early in the boot process, immediately after the kernel is loaded. The faster they are established, and the tighter they hold on, the less likely that malware also loading early in the boot process can deny access to the read hook by the scanner. The same is true for a second scanner. Both scanners will compete for the same hooks, but only one can be successful in capturing each of them.
Next, it is important to realize that the boot process is somewhat dynamic. By this I mean that the order that programs execute during the boot process can change when multiple programs are all ordered to load at the same point in the boot process. What this means if you have multiple scanners competing for the same hook, is that sometimes one will capture it, other times the other one will get there first. That assumes that both scanners are ordered to load at the same time. In other cases, one will always load first, so the second one will never load at all.
Now, remember that files can be opened differently, and are loaded by different parts of the kernel with different hooks, so if you have two or more scanners all competing for the multiple hooks all at the same time, some will be captured by one scanner, others by a different scanner, and neither will capture all of them like they should to operate correctly. The results of this all out competition for the same hooks means that none of the scanners will be functioning correctly, they will be operating at cross purposes, and that means potentially big problems for the system. One boot the system could work correctly, the next one it could be unstable, the one after that it blue screens, and so on. Not a good situation at all.
This problem is particularly difficult where security systems are involved since, as I indicated earlier, security systems will fight hard to capture and retain control over the limited number of hooks within the kernel for each process. They have to do that to be effective in protecting against malware, which will also fight hard to capture those same hooks, and will use the same boot time opportunities to capture them. That is why we call this type of malware a rootkit - root being synonymous with kernel in technology jargon for historic reasons.
As I said at the start, this is a difficult subject, and this explanation is somewhat loose with the actual methods for the sake of clarity and understandability, so I apologize in advance for that necessary simplification.