I am (was?) a long time Kaspersky user and I've always been happy with KAV.
Up until recently, when BSODs with stop code 9F started randomly appearing on two different machines, my production PC and my HTPC, just before entering suspension.
The minidumps pointed to the LAN card drivers, but the two PCs have completely different ethernet adapters and thus completely different drivers, so it seemed a bit strange. Also, those drivers had been in place for months without a hiccup, so again it appeared weird that they would cause problems simultaneously all of a sudden. The only thing they had in common was Kaspersky, so I thought an update from them introduced the BSOD.
To test my diagnosis, I replaced Kaspersky with MS Security Essentials on my HTPC (which has very limited internet access anyway) and activated a SecureAnywhere Antivirus trial on my production machine. The BSODs have been gone so far, so I was probably right in my assumption.
Webroot's software felt immediately very next-gen compared to Kaspersky. Light, fast, well thought out. I've researched the theory behind SA, so I understand why it doesn't shine in tests, at least until they provide a testbed that takes its characteristics into account.
But this is my production machine, which means that here I write and compile software for my customers.
Kaspersky is heavy but has always proven effective, if a bit too invasive. Now before I commit to WebRoot I need to fully understand its protection model and be sure it fits my needs. As you can imagine, an infection on this machine could propagate to my customers through the software I write and prove disastrous.
So, my questions: as I understand it, with WebRoot signatures aren't all that important because besides allowing or blocking a process it can "suspiciously allow" the process, monitor what it does, and in case it proves malicious revert all the changes it did to the system. Which means you don't have to identify a threat the second it lands on your PC to still protect it.
That on paper sounds wonderful and it's an elegant concept. But. What if a malicious software introduces some changes to the system that make it unusable? Or make it impossible for WebRoot to revert the change? I mean, ok, your software is journaling all the malware is doing, but those changes are still happening. How can you ensure they don't damage the system in a way that reverting all of them is impossible for some reason?
Another thing: on my machine I'm using a software I wrote to manage remote files on my automatic update server. SA correctly put it on "monitor" because of course it can't be on your database. Will it always stay on monitor, potentially creating a neverending journal, or will it be promoted to "allow" when it's run long enough without doing anything dangerous? If so, how long can it take?
I apologize for the wall of text, but I hope you guys understand that for me it's critical to make an informed decision that could impact not only myself but also the companies I supply.
Best answer by explanoit