Posted 10-30-2017, 11:18 by surferxyz
All antivirus products have complicated engines with a large amount of attack surface, increasing your risk. So ensure you do not add such complicated software to your TCB.

If you want to know if a particular executable is flagged as malicious, you should probably just install a few in a couple of different virtual machines, or use VirusTotal.

However, VirusTotal does not have the more CPU-intensive desktop versions of many antivirus products, so the unpacking/emulation functionality built into most desktop antivirus is not present; running them yourself in different virtual machines therefore makes sense.

A while ago I tested a few different antivirus products to see how good they were at detecting flagged code that I obfuscated with simple methods. I found that Kaspersky and F-Secure had the best unpacking/emulation functionality.

At the end of the day, the features you might need from your antivirus are specific to your use case. (Do you need good historical signatures of DOS malware or not? Do you need signatures for esoteric platforms like z/OS? Do you need high-quality centralized administration to manage a large corporate network?)