Anti-spyware, anti-virus on collision course?

A software vendor's new technique for snuffing out spyware is raising questions over whether products such as it could crash computers by clashing with antivirus tools that have used such methods for a decade.

Aluria announced it has added what it calls Active Defense Shield to its software to intercept files and detect and eradicate spyware before it resides on a machine.

This type of antimalware technique is known as kernel-driver or on-access scanning. Many antivirus vendors have embraced the method because it opens a file to wipe out malware before it lands.

But the drawback is that if two or more vendors' products try to scan at once, the machine can crash.

As the new guys on the block, anti-spyware vendors have held back from using this scanning technique in order not to be accused of interfering with antivirus scans. But with antivirus vendors now pursuing the fast-growing antispyware market as well, pressure is on anti-spyware specialists to improve their products whatever way they can.

Aluria, which IDC says owns 7.5 percent of the approximately US$97 million anti-spyware market, has tested its software on computers running anti-spyware and claims its scanning technique will not interfere with others'.

But participants in the $3 billion antivirus market are not so confident.

Joseph Telafici, director of operations at McAfee's Avert Labs research arm, says on-access scanning is part of virtually all antivirus products today and helps explain why corporations do not try to run more than one antivirus product on the desktop at the same time. "It's not pretty," he says. "It'll lock up the system and crash it."

McAfee will use on-access scanning, Telafici notes. McAfee also sells anti-spyware software as an add-on to its antivirus software.

Vincent Weafer, senior director of Symantec security response, says it is quite likely a customer would experience compatibility issues, whether the scanner is for antivirus or anti-spyware.

"We wouldn't recommend running two on-access scanners," he says.

Symantecs's anti-spyware and antivirus products use the same kernel-level drivers. "They're one set of scanners and one set of agents," Weafer says.

Anti-spyware vendor Webroot doesn't use kernel-driver scanning to intercept files but plans to add that to its anti-spyware products in the first half of next year. Webroot's technique scans files as they are loaded into memory so that spyware is prevented from running, says Mike Greene, director of product management. "We have the foundation to move into kernel-level detection," he adds.

Greene says collisions between scanning software can present a problem, which could be solved if the industry came up with a technique to recognise a secure handoff to a second scan.

If collisions between anti-spyware and antivirus products become a noticeable problem, the result might be to push buyers toward a single vendor for both.

Some antivirus vendors girding for the anti-spyware battle acknowledge that possibility as a potential endgame.

"There's no co-existence problem using our products," McAfee's Telafici notes.

Sam Curry, vice president of product management for eTrust Solutions at Computer Associates, says the company's anti-spyware software does not yet use on-access scanning, though the anti-spyware SDK it licenses to developers does, and it has been tested to coexist with many anti-virus products.