AV-Comparatives Why you should never have multiple antivirus programs on your computer

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Life is often about multiplicity. The more the merrier. Two heads are better than one. Strength in numbers. You get the idea. But when it comes to antivirus, it’s more a case of too many cooks in the kitchen.

We often hear from users who assumed that installing multiple antivirus solutions on their computer would improve their chances of detecting any malicious files before they do any damage. However, while it is a good idea to have multiple complimentary security products in place if you take your security seriously, this doesn’t extend to multiple full antivirus solutions. Having several antivirus products in place won’t do much to improve your machine’s security – in fact it’s likely to cause you some serious problems.

Competing for computer power

Conducting full system scans can be a resource-heavy process at the best of time – indeed system performance during scanning is one of our main testing criteria. Running two antivirus products at the same time means twice the drain on your computer’s resources. Even if each solution boasts a low level of performance impact, together they will almost certainly slow your machine down and possibly cause other issues. In fact, the solutions might use even more resources than normal as they compete with each other

Butting heads

The impact is much worse if an actual threat is found on your machine. Each antivirus will attempt to go through its own processes to identify and quarantine the suspected malicious file- and they’ll both do it at the same time. Picture two enthusiastic dogs chasing the same rubber ball and then butting heads and fighting over it when they catch up. This will result in a major drain on your machine’s resources and can cause erratic behaviour including freezing or even full-on system crashes. In some cases, competing products can get caught in an endless loop. One antivirus will copy a file to a temporary folder for scanning, and another solution will notice the activity and be prompted to make its own copy. The first product may then notice this and make another copy… and so on, until the system runs out of memory.

There can be only one: what to do if you have multiple antivirus products

If you have more than one solution on your machine, you should look at cutting back to a single choice before you run into any serious issues. It’s worth noting that this generally only applies to software that conducts scans of your entire operating system. More specific solutions like email scanners are less likely to be an issue and will probably be able to coexist without any problems. Nevertheless, it’s worth going through any security tools on your system to make sure they are compatible.

When deciding which solution to keep, you should take the opportunity to make sure that your products are working correctly to make sure it’s a fair comparison. Check out this post for some advice on making sure your antivirus is functioning properly.

You should be particularly on the lookout for the possibility of one of your antiviruses actually being a rogue program. These rogues appear to be genuine, but it’s only surface deep. Behind the scenes they will be conducting malicious activity such as installing keyloggers or backdoor access to your machine.

When you’re sure all the antiviruses on your machine are genuine and working as they should be, it’s time to pick a winner. If you’re struggling to decide, we can help you. Take a look at our tests for some insight into which antivirus product is the best one for your needs.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
One must consider HOW an AV works before assuming that no combination of AV products should be run concurrently, as some are much more intrusive than others. Some will constantly scan in the background (and multiple of these certainly would not yield optimal results!) whereas others are more of on access detectors, so combinations of these shouldn't be any problem when run together.

Also one should take into account what an AV DOES with a malicious item when detection occurs. For instance WD upon malware detection sequesters the file for a time before actual deletion, while WVSX deletes it immediately (those running WD-WVSX combination may note that if WD detects it first, WV will be blocked out until WD is finished with that file, only deleting it if WD fails to do so).

Personally I run with what amounts to triple AV coverage, with WD enabled, WVSX at default, and CF (remember CF has VirusScope and cloud) at preferred settings, and all live very happily together. It's actually kind of cute to view how they operate together by doing simple tests like unzipping a malware archive to note who detects what and how quickly, and actual on malware run who kills what when. Everyone has to wait if WD detects things first, WV is swift unless AI is needed, CF contains all else (and sometimes even will delete malware via the AV function!), with WV sometimes deleting something especially nasty from within Containment. In short, triple AV redundancy here is not something to be avoided, but something to which one should aspire.

Finally, needless to say running an on demand scan with multiple AV's simultaneously is never a good idea (actually running an on-demand full system scan with proper protection at any time is pretty much pointless).

m
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Hi @Gandalf_The_Grey, & thanks for the enlightening post.
I have a question: is my security in order?
BTS+VS+SWH are they compatible?:unsure:
An Expert opinion never hurts.(y)
In my opinion VS and SWH try to do more or less the same.
Protect the system for when your main AV fails.

SWH is passive protection if something gets blocked you can only see it in the logs.
And VS is active protection, you will get a popup if something is blocked.

A problem can be that you need to judge the popup yourself and when chosen wrong you can open your system to malware.
So, for example for my mother-in-law I would go with SWH and my son prefers VS.

There are 4 great options to add protection to your system next to your AV:
1) Simple Windows Hardening or Hard_Configurator from @Andy Ful
2) VoodooShield from @danb
3) Comodo firewall with the settings from @cruelsister
4) OSArmor and/or SysHardener from @NoVirusThanks

I would choose just one of these options to make troubleshooting easier for when something doesn't work / gets blocked on your system.
 
F

ForgottenSeer 92963

@simbatippe1234

I agree with @SecureKongo, SWH uses a Windows build-in mechanism only blocking risky extensions in user land folders while allowing exe. msi and tmp to execute. VS lives in kernel and monitors all executables (like exe, msi, executables disguised as temp files and indirectly also risky extensions, because it monitors command lines of scriptors}, so they are complementary IMO
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@simbatippe1234

I agree with @SecureKongo, SWH uses a Windows build-in mechanism only blocking risky extensions in user land folders while allowing exe. msi and tmp to execute.
EXEMSI/TMP files are also blocked in some risky situations:
  1. The executable has been dropped into the user Startup folder.
  2. The executable is going to be run directly from the archive.
  3. The executable is going to be run directly from the email client.
SWH and VS can be used together, because both solutions block files on different levels. The situations of overlapping will be very rare.

But the gain for VS is not so big. If the user understands well the VS alerts and does not allow blindly the execution (especially LOLBins), then SWH can be skipped.

On the contrary, when using at-home SWH + Defender (ConfigureDefender with ASR rules) + SmartScreen, one can probably skip VS.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
SWH is passive protection if something gets blocked you can only see it in the logs.
...

Yes. The concrete information about blocked events can be seen only via SWH Logs. But, in most cases, Windows shows an alert that the file has been blocked by Administrator. For example:

1. Alert when the script is blocked.

1647344082556.png



2. Alert for EXE file packed in the archive or run from email client.

1647344259509.png



3.Alert for MSI file packed in the archive or run from email client.

1647345768261.png


4. SmartScreen alert for EXE/MSI files downloaded from the Internet.

1647353622708.png


If SmartScreen is set to Block:

1647353787675.png


*************************************************************************************

Usually, such alerts are displayed when the user tries to manually open/run the restricted files. There is no option in these alerts that could allow the file (except SmartScreen). If one wants to run/open the blocked file, then it must be whitelisted or the protection temporarily switched off.
The silent blocks may occur sometimes when the file (usually non-executable) is going to be opened by the already running process. These blocks are very rare in SWH, they can be more frequent in Hard_Configurator set to Strict_Recommended_Settings.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Anyway, the OP is mostly unrelated to SWH and VS, but to AVs. In most cases, the new AV will refuse to install or will remove the previous one (mostly Defender).

You should be particularly on the lookout for the possibility of one of your antiviruses actually being a rogue program. These rogues appear to be genuine, but it’s only surface deep. Behind the scenes they will be conducting malicious activity such as installing keyloggers or backdoor access to your machine.

Of course, this does not apply to CF (it is not a full AV) and other well known solutions.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top