
Thread: If 1 AV is good, 2 is better...right?

  1. #1
    Ex-MSFT Paul Adams
    If 1 AV is good, 2 is better...right?

    Wrong.

    I've heard it argued both ways that having 2 anti-virus products running on the same machine can be better for security and worse for system stability.

    Until yesterday I assumed the worst that would happen would be to double the amount of on-access scanning done by the AV engines, and occasionally an error message popping up when AV 1 puts a file into its quarantine and then AV 2 gets upset when it wanted to work with the now non-existent file.

    What happened yesterday? A visit to my wife's cousin's apartment in Stockholm, following a frantic phone call involving the words "virus", "update" and "can't use Windows".


    As it turns out there was no virus, and never had been, the story is this...

    Windows XP SP2 running "Norman" Anti-Virus and Personal Firewall (bundled with laptop purchase), connecting to the Internet by dial-up - has been operating fine for some 3 years based on the dates of various OEM folders I found.

    Friday night, while connected to the Internet, the AV product comes to update itself and throws out a spurious error about "files1.txt more than 10000 lines!".
    Fearing the worst (AV go boom now), the owner of the laptop downloaded a Norton Anti-Virus trial and installed it.

    On rebooting, Windows logged into the desktop as normal, but the Start button, task bar and system tray were unresponsive.
    Clicking any of the myriad of icons on the desktop briefly brought up an hourglass on the mouse cursor, but no program launched.

    CTRL-ALT-DEL did nothing, only the mouse cursor moved and keyboard was responding.
    (This in itself is an odd combination, as the secure attention sequence is owned by winlogon.exe and not related to explorer.exe, and should never be hooked - only unresponsive if the machine has suffered a hard lockup.)

    Booted into safe mode and everything was (within expectation) fine.
    Due diligence was taken to ensure no rootkits or other nasties were present.

    Services tab showed Norman AV services and Norton/Symantec services.
    Add/Remove Programs listed Norman AV & Personal Firewall, but trying to uninstall just reported some missing file.
    There was no Add/Remove entry for Norton to be seen.

    Set the Norman AV services to disabled (couldn't see anything obviously Norton-related) and rebooted - system now functioned.

    Not having any reference to Norton on the system, and having disabled Norman, I installed Avast! and rebooted.
    On rebooting, Avast! warned that as it found another conflicting product - Symantec AV - it would not load all its resident protection agents.

    Found the uninstall string for Norton in the registry and tried to run it - got told the MSI package had to be launched via setup.exe.
    Hunted around and found the setup files in a temporary folder in the user profile - had to actually install Norton again as it thought it wasn't there, then rebooted and uninstalled it again via the newly-installed Add/Remove Programs entry.

    Manually eradicated all traces of Norman I could find in the registry and the disk, leaving Avast! as the system protection (connected to the Internet and updated it to make sure everything was hunky-dory).


    My assumption is this:
    Norman was running, failed to update for whatever reason, but was still running with 1-week old signatures.
    User tried to install Norton, thinking Norman was a goner - installation "kind of" worked, but there were no shortcuts or entries in Add/Remove Programs - system was now restarted (possibly had to be hard reset) and now 2 sets of AV services were battling for supremacy.

    Theory: CTRL-ALT-DEL did not bring up Task Manager as these 2 AV services were deadlocked and blocking every single new process/thread from being created while they tried to sort it out - possibly as they were both trying to set themselves as the very first entry in the IRP (I/O Request Packet) stack.

    Once either one of the services was crippled, the other could insert itself into the I/O mechanism and allow things to function again.


    The same could easily occur with multiple personal firewalls, so think twice before trying to make your system ultra-secure by making it impossible to actually do anything.
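The manual checks in the post above (leftover AV services, an uninstall string in the registry with no Add/Remove Programs entry) can be scripted on current Windows versions. This is an added example, not part of the original post; it assumes PowerShell with the CIM cmdlets (so not the XP machine in the story), and the vendor name list is an assumption taken from the products named in the thread.

```powershell
# Added example. Vendor keywords are an assumption: the products named in this thread.
# Norton is a Symantec product, so both keywords map to one vendor.
$VendorMap = @{ Norman = 'Norman'; Norton = 'Symantec'; Symantec = 'Symantec'; Avast = 'Avast' }
$Pattern   = ($VendorMap.Keys -join '|')

# 1. Uninstall entries, including ones Add/Remove Programs does not show
#    (no DisplayName, or SystemComponent = 1).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { "$($_.DisplayName) $($_.Publisher) $($_.UninstallString)" -match $Pattern } |
    Select-Object DisplayName, Publisher, UninstallString,
        @{ Name = 'HiddenFromAddRemove'
           Expression = { ($_.SystemComponent -eq 1) -or (-not $_.DisplayName) } }

# 2. Services and kernel drivers whose name or binary path mentions a vendor,
#    with their start mode so a disabled leftover is distinguishable from a live one.
$components = 'Win32_Service', 'Win32_SystemDriver' |
    ForEach-Object { Get-CimInstance -ClassName $_ } |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
    Select-Object Name, DisplayName, StartMode, State, PathName

# 3. What Windows Security Center has registered (client editions only).
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' `
    -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, pathToSignedProductExe

# 4. Collapse everything found into distinct vendors.
$strings = @($products.DisplayName) + @($products.Publisher) +
           @($components.DisplayName) + @($components.PathName) +
           @($registered.displayName)
$vendors = @($strings |
    ForEach-Object { if ($_ -match $Pattern) { $VendorMap[$Matches[0]] } } |
    Sort-Object -Unique)

$products   | Format-List
$components | Format-Table -AutoSize -Wrap
$registered | Format-Table -AutoSize -Wrap

if ($vendors.Count -gt 1) {
    Write-Warning "Components from more than one AV vendor found: $($vendors -join ', ')"
}
```

A vendor that appears in the service or driver list but has no visible uninstall entry is the half-installed state described in the post.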

  2. #2
    Senior Amoeba iranu
    I have heard that running two firewalls or anti-virus suites is a bad idea. I did it once to test a new program and had no problems but it's not advised.

    In my experience NAV is a really nasty aggressive piece of software. Even if you remove it from your pc in the normal add/remove programs a lot of it stays behind eating system resources. Just this week I had a friend try to sort a mate's machine out where NAV was causing the problem. It also came pre-installed on a Dell machine for my old man's work, which took 5 minutes to boot on a brand new machine! It was slow as hell with 1gb of memory in. I removed NAV and installed something better, now it works like a dream. I now consider Norton AV to be malware and recommend that people stay well clear.

  3. #3
    Not Very Senior Member RavenNight
    Yep, I too was fixing a PC with Norton this week, it really cripples them. Not only that but it missed stuff! I ran NOD32 on it and picked up several nasties that Norton could do nothing about. Worst of all something seems to have infected the Norton system files so that Auto-Protect doesn't run, it can't be uninstalled and shoves up "Auto-Protect isn't on" messages every two minutes. It was also blocking the majority of the net, and because none of the settings worked nothing could be done about it.