Investigation of x64-compatible anti-virus programs

Information
2006-Apr-04 | Tags: antivirus

Last time we tested security software that offers some kind of solution for the x64 platform. That test left some uncertainty about the extent of compatibility. In this additional test we verify it.

For anti-virus programs containing both 32- and 64-bit code, it is very important to know what they are actually compatible with. At the level of processes shown by the Task Manager we saw only 32-bit processes for all four products; we merely believed and supposed that 64-bit components existed, operating in deeper layers. With security software caution is essential: we can only take protection for granted if we also verify the things that seem plausible or presumable. The basic problem is that under x64 the system32 folder is hidden from 32-bit processes; instead, the system redirects requests directed to it to the syswow64 folder. Accordingly, a purely 32-bit anti-virus program, even if it could be installed and would function under x64, would not be able to protect the system, because it cannot see the system32 folder and so cannot protect against infections in it.

Looking at the problem the other way round: if a mostly 32-bit program with a supposed 64-bit component performs a real scan of the system32 folder, it really does contain that 64-bit component somewhere. In that case the anti-virus program is able to provide the same security under 64-bit Windows that it provides under 32-bit Windows. It probably does not provide the same protection against 64-bit code viruses as native 64-bit anti-virus products. The latter is an assumption; perhaps time will show how things really stand.



We installed all four anti-virus programs on the test system and scanned the system32 and syswow64 folders with each. Each program produced a summary of the scan results, displaying the number of scanned elements. The system32 folder contains significantly more files than the syswow64 folder. The number of scanned elements therefore tells us whether the scan of the system32 folder really examined the contents of that folder, or whether it was redirected to the syswow64 folder as a result of 32-bit access.
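The same count comparison can be reproduced from any process, as an added example that is not part of the original article. It assumes a Windows install under %SystemRoot%; the 5% tolerance and the function names are choices made for this sketch, and the two kernel32 calls are the standard WOW64 redirection APIs.

```python
import ctypes
import os
import sys
from contextlib import contextmanager


def count_files(root):
    """Count files under root as the calling process sees them."""
    return sum(len(files) for _d, _s, files in os.walk(root))


def classify(system32_count, syswow64_count, tolerance=0.05):
    """Article's inference: a 'system32' total that matches the syswow64
    total means the request was redirected. tolerance is an assumed margin."""
    if syswow64_count <= 0:
        return "inconclusive"
    if abs(system32_count - syswow64_count) <= tolerance * syswow64_count:
        return "redirected to syswow64"
    return "real system32" if system32_count > syswow64_count else "inconclusive"


@contextmanager
def fs_redirection_disabled():
    """Switch WOW64 file system redirection off for this thread (Windows)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    old = ctypes.c_void_p()
    ok = bool(k32.Wow64DisableWow64FsRedirection(ctypes.byref(old)))
    try:
        yield ok  # False when the call fails, e.g. outside WOW64
    finally:
        if ok:
            k32.Wow64RevertWow64FsRedirection(old)


def main():
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    sys32 = os.path.join(windir, "System32")
    wow64 = count_files(os.path.join(windir, "SysWOW64"))
    seen = count_files(sys32)  # default view of this process
    print("default view:", seen, "files ->", classify(seen, wow64))
    with fs_redirection_disabled() as ok:
        if ok:  # 32-bit process on x64: now looking at the real folder
            real = count_files(sys32)
            print("redirection off:", real, "files ->", classify(real, wow64))


if __name__ == "__main__" and sys.platform == "win32":
    main()
```

Run under a 32-bit interpreter on x64 Windows, the default view should classify as redirected and the second line should show the larger, real system32 total.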

 

The results 

 


 

Avast! - system32 - 6253 files
Avast! - syswow64 - 1654 files

AVG - system32 - 5521 files
AVG - syswow64 - 1588 files

NOD32 - system32 - 6954 files
NOD32 - syswow64 - 1706 files

Norton - system32 - 6215 files
Norton - syswow64 - 1661 files


The test revealed that the programs do not all scan the same number of elements in the specified folders. However, they certainly contain the 64-bit component we had presumed, as they perform a real scan of the system32 folder.

Of course, it makes no sense to perform this test on products containing native 64-bit code, i.e. eTrust Antivirus r8 and eTrust Antivirus r7.1 x64.

