44

A century old adage: The more the merrier.

In general, does this adage hold true in regards to the number of anti-virus software you should have on your PC?

Are there any limits before it actually has the opposite effect?

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Computernerd
  • 2,391
  • 9
  • 23
  • 30
  • 25
    More like "too many cooks spoil the broth". – Zano Mar 04 '14 at 12:11
  • 3
    There used to be an antivirus (actually, more of a zero-day protection mechanism) called Threatfire which was specifically designed to coexist with full antivirus suites. So back in the day I would have Threatfire, whichever free antivirus (MSSE, Avast/avira/avg), and MalwareBytes (non-real-time). But, as most people have said below, having multiple real-time antivirus programs on your machine at one time is a Bad Idea (tm). Being smart about where you browse, and using something like noscript, abp, and ghostery will keep you safer than any antivirus – Ross Aiken Mar 04 '14 at 16:04
  • 35
    Somebody once described it to me as "hiring two people to sweep an airport for suspicious characters but not telling them about each other." – Hovercouch Mar 04 '14 at 19:15
  • Have to agree with @Ross that there are - very occasionally - exceptions where extra products can provide additional protection (significant enough to justify having both). Malwarebytes for example, including its pro real-time protection (which is batch rather than on-access), can run alongside AV and extends the range of software detected in practice. – itscooper Mar 04 '14 at 20:07
  • 1
    @Hovercouch your comment planted a very funny scenario in my head. Thanks :) – uSeRnAmEhAhAhAhAhA Mar 05 '14 at 18:18
  • The answer is not generally. However, I run Windows Defender and Malwarebytes on the same box. Weekly scans using MB, realtime with Defender. Works fine, but most others will fight over things. – jrg Mar 06 '14 at 16:28

8 Answers8

54

Most anti-virus vendors advise not to use their products together with those from others. That's not (just) because they fear competition. Live virus-scanners scan files on access. When they notice that a process accesses a file, they try to access it before the process to scan it. They even try to do that when that process is another virus-scanner.

When you have two live-scanners on a system, both will try to be the first to open a file. When virus scanner A detects that scanner B opens a file, A will try to access it first to protect B from any viruses in it. B will register this attempt to read the file, and in turn will try to scan it before A does. The result is that both virus scanners are caught in an infinite loop.

This problem, however, only applies to live-scanners. When you use on-demand scanners which don't monitor file access and only scan a filesystem when they are prompted to do so, you can use multiple of them one after another.

nhahtdh
  • 131
  • 1
  • 8
Philipp
  • 48,867
  • 8
  • 127
  • 157
  • 10
    +1 for noting the difference between real-time/"active" and on-demand/"passive" scanning. Unfortunately (IMHO) anti-virus and anti-malware products seem to increasingly assume they'll be installed in "active" mode. – David Mar 04 '14 at 13:15
  • I wonder if AV products really scan files on access: the performance hit would be huge. I believe they scan files on creation instead. Therefore, I'm not sure that there could actually be an infinite loop as you described. – executifs Mar 06 '14 at 09:05
  • 1
    Yes the performance hit is often huge, unfortunately. – izb Mar 06 '14 at 13:38
  • 1
    (part 1 of 3) The above (and many other answers) is more or less completely wrong. Short and verifiable: try for yourself, install multiple AV on a (virtual) machine and see if works just fine – David Balažic Apr 09 '15 at 20:37
  • 1
    (part 2 of 3) Long: Windows* has an API for hooking into file access that is reliable. Several programs can use it without conflicts or infinite loops. Not only two, but 3 or 4 on-access scanners can be installed at the same time and will work fine (tested it). To clear any doubts, anyone can setup a test, for example by creating a virtual machine with one of the free VM software, install a free trial version of Windows and install free or trial versions of AV software, all done in less than an hour. – David Balažic Apr 09 '15 at 20:37
  • (part 3 of 3) * most users use Window on a PC, also AV software is predominantly used on Windows. The OP did not specify OS, neither did he indicate interest in OS neutral answers. PS: On-demand scanners can be used at the same time too (may lower the performance, but can be done. It might even improve the performance, depending on a lot of factors.). PPS: That does not guarantee there will be no conflict or incompatibilities. Those happen sometimes software products be they of AV kind or not. – David Balažic Apr 09 '15 at 20:37
  • PPPS: There are a lot of AV programs that combine multiple AV engines under a single product package. For some examples, see http://www.wilderssecurity.com/threads/list-of-multi-engine-antivirus-suites.157824/ (a bit old, but it gets the point thru) – David Balažic Apr 09 '15 at 20:39
36

I would advise against it.

In order to perform its job, an antivirus software has to root itself very deeply inside the system, hooking everything, installing drivers and you-name-it. In order to do so, it ends up using techniques similar to malware authors, which will be flagged as highly suspicious by other products. Even if it's not the case, it is likely that the two programs will hinder each other and prevent at least one of them from functioning properly.

And as far as signatures go, I'm not sure that a second engine will make much of a difference.

If you're really serious about protecting your computer, don't expect magic bullets to do the job for you. You'll probably be better off changing your browsing habits (how about trading those Flash/Java plugins for NoScript?).

executifs
  • 4,772
  • 4
  • 23
  • 25
  • 14
    Also, aside from minor timing differences (mostly around speed to market) the majority of AV products have the same signatures list (upwards of 96%) so you won't get a benefit. – Rory Alsop Mar 04 '14 at 12:19
6

No.

In theory, two antiviruses are better than one, in that there may be viruses in the database of one that aren't in the database of the other, or one may use scanning techniques that the other doesn't. In practice, however, because of the way they work, antivirus programs tend to detect each other as viruses.

Mark
  • 34,390
  • 9
  • 85
  • 134
  • 1
    Not true (about detecting each other a viruses). It is the core purpose of AV software to properly identify other software. Such misdetection would ruin the vendor fast. See [here](https://www.virustotal.com/en/file/97946b2b539585519fa959988eea377aeb663fd3cbf0ead40d2c9f63ecd0a5b9/analysis/1428580224/) an example, how not one AV detects stinger32 (on demand scanner) as malware. – David Balažic Apr 09 '15 at 20:30
  • @DavidBalažic: Thank you for this. I've downvoted Mark's post. – unforgettableidSupportsMonica Jun 22 '15 at 00:32
6

To be honest this question is a bit like asking 'Do two condoms give me better protection than one?'.

Ostensibly yes, but the practicality of there being two of each make it difficult to operate normally and there are issues which this sort of protection is not able to safeguard you from (e.g. social engineering, lack of encryption, shifty/outdated plugins etc.).

As pointed out, it's more important to review browsing habits and use common safety precautions.

Personally, I've turned off all plugins and simply enable them if I feel comfortable with the site I'm visiting.

I also have a virtual machine installed for when I want to test something I'm not certain is perfectly safe to run/do.

Nobilis
  • 221
  • 1
  • 2
  • 9
  • 13
    Incidentally, using two condoms actually makes you less safe because it increases the chances of the condom splitting. Stay safe; don't double-bag. – Jack Aidley Mar 04 '14 at 16:51
  • 1
    @jack, this study found the opposite: breakage prevalence of 1.8% for single versus 0.2% for double gloving: http://www.ncbi.nlm.nih.gov/pubmed/9052727. – faustus Dec 04 '15 at 09:54
2

When talking about securing a network or a big organization that really needs security I usually advice on that. Using two firewalls from different vendors or two AV from different vendors is a good practice since a vendor may have some bugs/vulnerabilities that the other vendor doesn't have, so when you detect a threat for one appliance you can disable it temporary meanwhile fixing it and you can go with the other one.

But, for a personal PC I can't see any advantages, the threats a normal user faces (malware, phising, viruses... ) are usually spotted by most AVs.

In this case I would say one is enough.

kiBytes
  • 3,450
  • 15
  • 26
  • If you use 2 firewalls in unison, you shouldn't disable one of them if it gets a threat. The only result you get from that is that any threat which is only handled by that firewall (but not the other) is given an open door. – Nzall Mar 04 '14 at 12:51
0

Short answer: No.

Instead of more anti-virus software you should use more common sense :)

Besides that, the use of more than one anti-virus software is causing conflicts between the programs, in most cases. Also I doubt that anti-virus programs offer any benefit at all. In my experience I haven't seen one case where they have saved a windows machine from getting infected.

klingt.net
  • 101
  • 2
0

No, two anti-viruses aren't better, But it depends on what you mean by BETTER... more than one scanner will slow your system down, by the simple way that real-time scanners work.

First, the scanners are sitting in memory waiting for you to access a file, from downloading or double-clicking an icon, to simply opening the file viewer to look at folders on your computer, this triggers the real-time scanner of your anti-virus to start working.

When each real-time scanner detects that a file is to be accessed, (downloaded, listed or actually opened or read) the scanner that sees it first, LOCKS the file, and scans it, while the other scanner madly tries to hit it AT THE SAME TIME (slowing down your system). Once the first scanner has finished, the second leaps in to lock and scan it, and THEN, if neither detected problems, you get to see it/open it.

Possibly more secure. Slower, for sure. Now, what I recommend is a good Virus scanner, like AVG, and a spyware detector/preventer like Spybot. Good dual coverage, gained by looking at the problem from different perspectives, one from a file POV, and the other from a startup POV.

corsiKa
  • 253
  • 3
  • 10
Neil P
  • 1
  • 1
0

It is not best process to have more than one active AV program. As others have mentioned, this may produce false-positive readings from both AV programs as they see another process is accessing a file. This is of course without mentioning the drag on system resources from running two at the same time.

HAL
  • 153
  • 11